We haven't been able to get a result with different Microsoft engineers for a long time. We want to manage the USB control and permission processes connected to Defender for Endpoint.
We want all USB devices to be blocked, while only allowing an authorized USB flash drive to be loaded. I reached the following resource on this subject, but when I followed the steps in this resource, it did not work.
Source : https://learn.microsoft.com/en-us/windows/client-management/manage-device-installation-with-group-policy#scenario-5-prevent-installation-of-all-usb-devices-while-allowing-an-installation-of-only-an-authorized-usb-thumb-drive-1
The steps I tried:
Step1: Open Group Policy Object Editor
Step2: Navigate to Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions
Step3: Make sure all policies are disabled
Step4: Open Prevent installation of devices using drivers that match these device setup classes policy and select the ‘Enable’ radio button.
Step5: In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. Enter both USB class GUIDs you found above, with the curly braces:
Step6: Click OK
Step7: Click ‘Apply’ on the bottom right of the policy’s window
Step8: Open the Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria policy and enable it
Step9: Now Open Allow installation of devices that match any of these device IDs policy and select the ‘Enable’ radio button
Step10: Connect a USB thumb drive to your machine.
Step11: Open Device Manager and find the USB thumb-drive (connected to your machine) and select it.
For Example - Below screenshot for reference
Step12: Change View (in the top menu) to ‘Devices by connection’.
Step13: Double-click the USB thumb drive (that you connected to your machine) and move to the ‘Details’ tab.
Step14: Hardware ID = USBSTOR\DiskGeneric_Flash_Disk______8.07 (find the Hardware ID in your machine after connecting USB thumb drive)
Step15: In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. Enter the full list of USB device IDs as shown below
Step16: Click ‘OK’.
Step17: Click ‘Apply’ on the bottom right of the policy’s window.
Step18: To apply the ‘Prevent’ coverage of all currently installed USB devices – Open the Prevent installation of devices using drivers that match these device setup classes policy again; in the ‘Options’ window mark the checkbox that says ‘also apply to matching devices that are already installed’ and click ‘OK’.
By the end only these policies should be enabled in the Group policy object editor.
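The following diagnostic script is an added example and is not part of the original post or of Microsoft's documentation. It reads the Device Installation Restrictions values that, as far as I know, the Group Policy writes under HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions (DenyDeviceClasses, DenyDeviceClassesRetroactive, AllowDeviceIDs and AllowDenyLayered, each list stored in a subkey of the same name as string values named "1", "2", ...), then lists the hardware IDs of every connected USBSTOR device and reports whether any of them is on the allow list. This is the usual way to find out why a scenario like the one above "does not work": either the policy never reached the machine, the layered-evaluation flag is missing, or the allow-list entry does not match the device's hardware ID byte for byte (underscores and revision included).

```powershell
# Added diagnostic for the Device Installation Restrictions scenario above
# (not from the original post or from Microsoft). Run elevated, after
# 'gpupdate /force', with the USB thumb drive connected.

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Get-PolicyList {
    # Returns the entries of one policy list (DenyDeviceClasses or AllowDeviceIDs).
    # The GPO stores each entry as a string value named "1", "2", ... in a subkey.
    param([string]$Name)
    $key = Join-Path $base $Name
    if (-not (Test-Path $key)) { return @() }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        Sort-Object { [int]$_.Name } |
        ForEach-Object { $_.Value }
}

if (-not (Test-Path $base)) {
    Write-Warning 'No Device Installation Restrictions values in the registry: the GPO has not applied to this machine.'
    return
}

# The DWORD flags that correspond to the four policies used in the scenario.
$flags = Get-ItemProperty -Path $base
Write-Host "AllowDenyLayered (layered evaluation) : $($flags.AllowDenyLayered)"
Write-Host "DenyDeviceClasses                      : $($flags.DenyDeviceClasses)"
Write-Host "DenyDeviceClassesRetroactive           : $($flags.DenyDeviceClassesRetroactive)"
Write-Host "AllowDeviceIDs                         : $($flags.AllowDeviceIDs)"

$deniedClasses = Get-PolicyList 'DenyDeviceClasses'
$allowedIds    = Get-PolicyList 'AllowDeviceIDs'
Write-Host "`nDenied setup classes:"
$deniedClasses | ForEach-Object { Write-Host "  $_" }
Write-Host 'Allowed device IDs:'
$allowedIds    | ForEach-Object { Write-Host "  $_" }

# Every connected USB storage device, with the hardware IDs Windows matches against.
Write-Host "`nConnected USBSTOR devices:"
Get-PnpDevice -PresentOnly |
    Where-Object { $_.InstanceId -like 'USBSTOR\*' } |
    ForEach-Object {
        $dev   = $_
        $hwids = (Get-PnpDeviceProperty -InstanceId $dev.InstanceId `
                    -KeyName 'DEVPKEY_Device_HardwareIds').Data
        # Comparison is exact (case-insensitive), the same way the policy entry must be typed.
        $matched = $hwids | Where-Object { $allowedIds -contains $_ }
        Write-Host "  $($dev.FriendlyName) [$($dev.Status)]"
        $hwids | ForEach-Object { Write-Host "      HWID: $_" }
        if ($matched) {
            Write-Host "      -> matches the allow list via: $($matched -join ', ')"
        } else {
            Write-Host '      -> no hardware ID of this device is on the allow list; the class deny wins'
        }
    }
```

If the first block of flags shows AllowDenyLayered empty, the "Apply layered order of evaluation" policy (Step8) did not apply, and the Prevent-by-class rule will block the drive regardless of the allow list. If the flags are set but the device reports no match, copy one of the printed HWID lines into the "Allow installation of devices that match any of these device IDs" list exactly as printed.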