[PowerShell] Adding Values in Group Policy via PowerShell

[Requirements]

The business has a policy blocking USB sticks as default. For USB access, an user needs to raise a ticket, the system administrator should go to the Group Policy manage server and add exception USB device ID. This manual process requires time and effort thus the business wants this process automated.

- Figure out automation feasibility of adding device ID via PowerShell for automation

 

[OS] 

Windows 10

 

[Development Language]

PowerShell

 

[IDE]

PowerShell ISE

 

[Code]

"AddDeviceID.ps1"

# Device ID
$devID = "TESTbyJH"

# Get value name, last ID string number
$lastNum = [int](Get-GPRegistryValue -Name $gpoName -key $registryPath | select -Last 1).ValueName
$lastNum = $lastNum + 1

# Parameters set up
$params = @{
    Name = "_USB-ApprovedDevices"
    Key = "HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\AllowInstanceIDs"
    Type = 'String'
    ValueName = $lastNum
    Value = $devID
}

# Create or open the registry key
$registryKey = New-Item -Path $registryPath -Force

# Add Device ID
Set-GPRegistryValue @params

 

[Test]

- Run the PowerShell script, "AddDeviceID.ps1"

DisplayName      : _USB-ApprovedDevices
DomainName       : Rotork.co.uk
Owner            : UK-BATH\Domain Admins
Id               : 8b869025-90c0-45f7-a257-ee9712395fb7
GpoStatus        : AllSettingsEnabled
Description      : 
CreationTime     : 13/09/2021 16:00:10
ModificationTime : 04/07/2023 05:46:18
UserVersion      : AD Version: 1, SysVol Version: 1
ComputerVersion  : AD Version: 129, SysVol Version: 129
WmiFilter        : Domain-joined Workstations

- Go to Group Policy and check whether device ID(TestbyJH) has been added

[Lesson Learned]

The hardest part was to find the registry key of the Group Policy exception list. The PowerShell intellisense helped.

 

Through Google search, I have found that the policy data is in the AD forest. In PowerShell ISE, available folders or files are shown with command "Get-ChildItem"

For the policy name is aleady known, "_USB-ApprovedDevices", get the policy ID(8b869025-90c0-45f7-a257-ee9712395fb7) then went to the folder.

Get-GPO -Name "_USB-ApprovedDevices"


DisplayName      : _USB-ApprovedDevices
DomainName       : Rotork.co.uk
Owner            : UK-BATH\Domain Admins
Id               : 8b869025-90c0-45f7-a257-ee9712395fb7
GpoStatus        : AllSettingsEnabled
Description      : 
CreationTime     : 2021-09-14 오전 12:00:10
ModificationTime : 2023-07-04 오후 1:46:18
UserVersion      : AD Version: 1, SysVol Version: 1
ComputerVersion  : AD Version: 129, SysVol Version: 129
WmiFilter        : Domain-joined Workstations

Then went to the folder with the help of PowerShell intellisense and found a file which may contain device ID

Get-ChildItem '\\rotork.co.uk\SYSVOL\Rotork.co.uk\Policies\{8B869025-90C0-45F7-A257-EE9712395FB7}\Machine\Registry.pol'

Opened the file with notepad and then UREKA! It looks like registry key!

Googled related PowerShell command below then taught myself how to manipulate them.

Get-GPRegistryValue (GroupPolicy) | Microsoft Learn

Get-GPRegistryValue (GroupPolicy)

 

Set-GPRegistryValue (GroupPolicy) | Microsoft Learn

Set-GPRegistryValue (GroupPolicy)