The Windows 10 Hardening GPO contains a wide range of security settings that close potential security holes within Windows 10.
One potential issue that arises from this concerns users' ability to plug in external devices such as USB drives or USB optical drives.
While we would prefer to have these devices fully disabled, there will be times when a USB drive is required for certain edge cases.
Therefore I have created a WMI filter that admins can add computers to, to prevent the full Windows 10 Hardening GPO from running temporarily until the user has finished using the external drive. (Note: at the time of writing this article, I have not yet tested copying all the data across to C:\ and executing from there; I'll update this guide once I have.)
To add a computer to the WMI filter, follow these steps:
- Open Group Policy Management
- Look for WMI Filters at the bottom of the left-hand navigation window.
- Locate "Windows 10 Hardening Exclude Filter"
- Under the General Tab, click on the "Edit Filter" button.
- Click the "Edit" button
- Leave Namespace as default and add the following to the end of the query line: AND Name != 'CYPLAPXXX'
- Click OK
- Click Save
- Run "gpupdate /force" on the target machine
This procedure should work on all 3 domain controllers across cyp, cyh and BAMA.
Reference
Here is the original query for the filter:
SELECT * FROM Win32_ComputerSystem WHERE Name != 'ComputerNameToExclude' AND Name != 'CYPLAP156'
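
To check an edited query before relying on it, the following PowerShell rebuilds the filter query from a list of excluded computers and evaluates it on the local machine. It is an added example, not part of the original guide; the function names are hypothetical and the computer names are the placeholders used above.

```powershell
# Added example; function names are hypothetical, not from the original guide.
function New-ExcludeFilterQuery {
    param([Parameter(Mandatory)][string[]]$ExcludedComputer)
    foreach ($name in $ExcludedComputer) {
        # Accept only letters, digits and hyphens so a typo or stray quote
        # cannot produce a broken or over-broad WQL query.
        if ($name -notmatch '^[A-Za-z0-9-]+$') {
            throw "Not a valid computer name: '$name'"
        }
    }
    # One "Name != '...'" clause per excluded computer, joined with AND.
    $clauses = $ExcludedComputer | Sort-Object -Unique |
        ForEach-Object { "Name != '$_'" }
    'SELECT * FROM Win32_ComputerSystem WHERE ' + ($clauses -join ' AND ')
}

function Test-ExcludeFilter {
    param([Parameter(Mandatory)][string]$Query)
    # Group Policy applies a WMI-filtered GPO only when the query returns at
    # least one object. On an excluded computer the query matches nothing,
    # so the hardening GPO is skipped.
    $rows = @(Get-CimInstance -Namespace 'root\CIMv2' -Query $Query -ErrorAction Stop)
    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        GpoApplies = ($rows.Count -gt 0)
        Query      = $Query
    }
}

# Names taken from the query and steps above (placeholders included).
$query = New-ExcludeFilterQuery -ExcludedComputer 'ComputerNameToExclude', 'CYPLAP156', 'CYPLAPXXX'
Test-ExcludeFilter -Query $query | Format-List

# After "gpupdate /force", run from an elevated prompt to see which computer
# GPOs were applied and which were filtered out.
gpresult /r /scope computer
```

Run it on the target machine: GpoApplies should be False for an excluded computer and True everywhere else. Remove the computer's clause from the filter once the user has finished with the external drive so the hardening GPO applies again.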