Blocking USB storage in the domain while having a white list of devices

Question

Blocking USB storage in the domain while having a white list of devices

Mateusz Nowakowski 40

Hello,

Recently a need appeared to have the external storage blocked in our domain. The problem is, a hard block like “All Removable Storage classes: Deny all access“ is not a good option for us. We would like to have a white list of devices that we are able to connect to the computers, and to have the rest blocked. Is it achieveable through group policies? Addidionally, would it be possible to, for example, for an administrator access prompt to appear every time someone tries to connect an external storage?

Accepted answer

1 additional answer

Your answer

Answer 1

Hello Mateusz Nowakowski ,

Thank you for posting in Q&A forum.

To my knowledge, in a domain environment, if you want to restrict the use of removable storage devices but need to whitelist certain devices, it can indeed be achieved through group policy. But the use of storage devices can only be allowed or denied based on their hardware ID.

The following are the basic steps to implement whitelist control for removable storage devices through group policy:

Open the Group Policy Editor (for example, by running gpedit.msc).
Navigate to Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions.
Enable the policy to "Prevent installation of devices not described by other policy settings," and add the Hardware IDs of the devices you wish to allow.
Enable the policy to "Allow administrators to override device installation restriction policies," so that administrators can intervene when someone attempts to install an unauthorized device.

If you're hoping to "require administrator access to install a pendrive," unfortunately, this cannot be achieved through GPO.

I hope the information above is helpful.

If you have any questions or concerns, please feel free to let us know.

Best Regards,

Daisy Zhou

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.

Mateusz Nowakowski 40 Reputation points

2024-01-10T09:08:13.07+00:00

Do you know of something else than GPO that could control the USB access?
Anonymous

2024-01-15T08:04:51.8866667+00:00

Hello GUIDO ROSSI, To my knowledge, there are no other applications or programs within the operating system that can control USB devices. You can use some popular third-party USB control applications or software on the network. You can search and filter these applications on the internet according to your own situation. But these applications may be insecure, and caution should be exercised when using these tools. If it is in the enterprise, it is usually necessary to collaborate with the IT department or security team to ensure the correct implementation of security policies. I hope the information above is helpful. If you have any questions or concerns, please feel free to let us know. Best Regards, Daisy Zhou

If the Answer is helpful, please click "Accept Answer" and upvote it.

Answer 2

Thameur-BOURBITA 36,261 Moderator

Hi @Mateusz Nowakowski •

Yes It's possible to specify a white list through GPO or registre key. I invite you read the following article to get mor details:

Allow Only Specific USB Storage Devices in your Organization Using Group Policy

Allow installation of devices that match any of these device IDs

Please don't forget to accept helpful answer

Mateusz Nowakowski 40 Reputation points

2024-01-09T14:56:33.31+00:00

Won't that affect other USB devices? Meaning keyboards, or a mouse with internal storage?
Thameur-BOURBITA 36,261 Reputation points Moderator

2024-01-09T15:21:27.1966667+00:00

@Mateusz Nowakowski •

You should add them to white list , to avoid any problem after the reboot

Unfortunately, there is no GPO setting that only targets storage via USB ports.

Please don't forget to accept helpful answer
Mateusz Nowakowski 40 Reputation points

2024-01-09T15:53:33.57+00:00

That means we can't use this solution, there are simply too many devices to add, is there another way? For example requiring administrator access to install a pendrive?
Mateusz Nowakowski 40 Reputation points

2024-01-09T15:54:47.2333333+00:00

ministrator access to install a pendrive?
Thameur-BOURBITA 36,261 Reputation points Moderator

2024-01-09T16:27:47.5133333+00:00

@Mateusz Nowakowski •

Unfortunately , it's not possible through GPO.

Please don't forget to accept helpful answer and close this thread
Thameur-BOURBITA 36,261 Reputation points Moderator

2024-01-12T21:09:53.96+00:00

@Mateusz Nowakowski Just checking if there is a progress. Unfortunately , it's not possible to define a white list for USB storage through GPO. You should look another way.

---Please don't forget to accept helpful answer and close this thread

Share via

Blocking USB storage in the domain while having a white list of devices

1 additional answer

Your answer