PowerShell script not updating policies

Question

I am having this problem that I am being stuck for a couple of days now. I have a request to modify policies on Windows 10 21H2, using PowerShell script. To be more specific I am trying to use modify the policy to whitelist USB devices. I am NOT on the step to add the instanceId to the policy.

First thing I need to enable the policy but I am not able to do so.

Policy mention above:

https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DeviceInstallation::DeviceInstall_Classes_Allow

I am running the following command:

New-Item -Path "HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions" -Force | Out-Null
New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions" -Name "AllowDeviceClasses" -Value 1 -Type DWord -Force

gpupdate /force

The first command is creating the path on the registry editor, the second one is adding the value "1" to enable the policy, and the last one updating the policies.

The policy in question is the:

"Allow installation of devices using drivers that match these device setup classes"

Policy not update AFTER running the script

What I have tried so far, didn't help me. Not even ChatGPT could help me on this one. Hope some of you guys can help me.

Answer 1

Imho you have a wrong understanding of how GPOs and policies work.

The system behavior (with respect to configuration which is potentially subject to policy control) depends on registry settings found in hklm\software\policies or hkcu\software\policies. The gpedit/gpupdate GPO toolset is just one possible option for distributing such registry settings. Entering such settings via regedit or script will result in the same system behavior as distributing them via GPO, but you won't see such manual registry changes inversely in gpedit. gpupdate is pointless and will not do anything for registry settings not defined and distributed via GPO.

As already indicated by @stackprotector you just need to be aware of the tiebreaker rule: If you try modifying policy registry settings manually (regedit, script, ...), which are also configured in one of your GPOs, the GPO will always win and periodically overwrite your manual settings.