Prevent installation of all USB devices while allowing an installation of only an authorized USB thumb-drive

Evren USTA 0 Reputation points
2023-09-01T11:57:26.38+00:00

We haven't been able to get a result with different Microsoft engineers for a long time. We want to manage the USB control and permission processes connected to Defender for Endpoint.

We want all USB devices to be blocked, while only allowing an authorized USB flash drive to be loaded. I reached the following resource on this subject, but when I followed the steps in this resource, it did not work.

Source: https://learn.microsoft.com/en-us/windows/client-management/manage-device-installation-with-group-policy#scenario-5-prevent-installation-of-all-usb-devices-while-allowing-an-installation-of-only-an-authorized-usb-thumb-drive-1

The steps I tried:

Step 1: Open Group Policy Object Editor

Step 2: Navigate to Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions

Step 3: Make sure all policies are disabled

Step 4: Open the ‘Prevent installation of devices using drivers that match these device setup classes’ policy and select the ‘Enable’ radio button.

Step 5: In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. Enter both USB class GUIDs you found above, with the curly braces:

{36fc9e60-c465-11cf-8056-444553540000} / {88BAE032-5A81-49f0-BC3D-A4FF138216D6}

Step 6: Click OK

Step 7: Click ‘Apply’ on the bottom right of the policy’s window

Step 8: Open the ‘Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria’ policy and enable it

Step 9: Now open the ‘Allow installation of devices that match any of these device IDs’ policy and select the ‘Enable’ radio button

Step 10: Connect a USB thumb drive to your machine.

Step 11: Open Device Manager, find the USB thumb-drive (connected to your machine) and select it.

For example, see the screenshot below for reference.

Step 12: Change View (in the top menu) to ‘Devices by connections’.

Step 13: Double-click the USB thumb-drive (that you connected to your machine) and move to the ‘Details’ tab.

Step 14: Hardware ID = USBSTOR\DiskGeneric_Flash_Disk______8.07 (find the Hardware ID in your machine after connecting the USB thumb drive)

Step 15: In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. Enter the full list of USB device IDs as shown below

Step 16: Click ‘OK’.

Step 17: Click ‘Apply’ on the bottom right of the policy’s window.

Step 18: To apply the ‘Prevent’ coverage of all currently installed USB devices, open the ‘Prevent installation of devices using drivers that match these device setup classes’ policy again; in the ‘Options’ window mark the checkbox that says ‘also apply to matching devices that are already installed’ and click ‘OK’.

By the end only these policies should be enabled in the Group policy object editor.
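The most common reason this scenario fails is an allow-list entry that does not literally match the hardware ID Windows reports for the drive. The PowerShell helper below is an added example (not from the question or the Microsoft article): it reads the lists the two policies write to the registry and checks every connected USBSTOR disk against the allow list. The registry paths are an assumption based on how these Device Installation Restrictions settings are commonly stored; confirm them on your own build before relying on the output.

```powershell
# Added troubleshooting helper, not part of the original question or article.
# Assumption: the "Allow ... device IDs" and "Prevent ... device setup classes"
# policies store their lists under this key as string values named 1, 2, 3, ...
$restrictions = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Get-PolicyList([string]$SubKey) {
    $path = Join-Path $restrictions $SubKey
    if (-not (Test-Path $path)) { return @() }
    $key = Get-Item $path
    # Only the numbered entries hold list items; ignore anything else.
    $key.GetValueNames() | Where-Object { $_ -match '^\d+$' } |
        ForEach-Object { $key.GetValue($_) }
}

$allowedIds    = @(Get-PolicyList 'AllowDeviceIDs')
$deniedClasses = @(Get-PolicyList 'DenyDeviceClasses')

Write-Host "Allowed device IDs  : $($allowedIds -join ', ')"
Write-Host "Denied setup classes: $($deniedClasses -join ', ')"

# Hardware IDs of USB mass-storage disks currently present, as Windows reports them.
$usbDisks = Get-PnpDevice -Class DiskDrive -PresentOnly |
    Where-Object { $_.InstanceId -like 'USBSTOR\*' }

foreach ($disk in $usbDisks) {
    $hwIds = @((Get-PnpDeviceProperty -InstanceId $disk.InstanceId `
                  -KeyName 'DEVPKEY_Device_HardwareIds').Data)
    # The allow list only helps if one of the reported IDs matches an entry
    # exactly apart from letter case (-contains ignores case): every underscore,
    # the revision suffix and any trailing characters must agree.
    $match = $hwIds | Where-Object { $allowedIds -contains $_ }
    $verdict = if ($match) { "in allow list (matches '$($match | Select-Object -First 1)')" }
               else        { 'NOT in allow list - the class deny rule will block it' }
    Write-Host "`n$($disk.FriendlyName)"
    $hwIds | ForEach-Object { Write-Host "  $_" }
    Write-Host "  -> $verdict"
}
```

Paste an ID from the printed hardware-ID list into the policy rather than retyping it from the Device Manager dialog; a single missing underscore in an entry like USBSTOR\DiskGeneric_Flash_Disk______8.07 is enough for the allow rule never to apply.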


2 answers

  1. Limitless Technology 44,441 Reputation points
    2023-09-05T09:41:10.0933333+00:00

    Hello there,

    You can make use of a prohibited & approved list.

    This guide summarizes the device installation process and demonstrates several techniques for controlling device installation by using Group Policy. https://learn.microsoft.com/en-us/windows/client-management/client-tools/manage-device-installation-with-group-policy

    The guide includes the following scenarios:

    Prevent users from installing devices that are on a "prohibited" list. If a device isn't on the list, then the user can install it.

    Allow users to install only devices that are on an "approved" list. If a device isn't on the list, then the user can't install it.

    Hope this resolves your query!

    --If the reply is helpful, please Upvote and Accept it as an answer–


  2. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

