Allow Company Approved USB Brand (Ex:Sandisk) and block all other Brand through GPO

Shashi Kiran R 1 Reputation point
2020-12-11T08:50:19.207+00:00

Hello,

Just a Quick question on How to allow Company approved USB Brand (for Ex: Sandisk) and prevent all other USB brands from accessing.

Upon Investigation, it is possible through hardware ID.

So if the hardware ID is "USB\VID_0781&PID_558C" which is specific to device. can we use just "USB\VID_0781" to have this vendor allowed and block all others.

Thanks,

Shashi Kiran R

Cybersecurity Engineer

Herbalife Ltd

Windows Group Policy
Windows Group Policy
A feature of Windows that enables policy-based administration using Active Directory.
2,005 questions
No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Vicky Wang 2,591 Reputation points
    2020-12-14T09:45:28.253+00:00

    In all versions of Windows, starting from Windows 7, you can flexibly manage access to external drives (USB, CD / DVD, floppy, tape etc.) using Group Policies (we are not considering a radical way to disable USB ports through BIOS settings). It is possible to programmatically block the use of only USB drives, without affecting such USB devices as a mouse, keyboard, printer, etc (which are not recognized as a removable disk).

    The USB device blocking policy will work if the infrastructure of your AD domain meets the following requirements:

    Active Directory schema version — Windows Server 2008 or newer;
    Note. The set of Group Policies allows to control the installation and use of removable media on Windows appeared only in the AD version 44.
    Desktop OSs –Windows 7 or newer.
    We are going to restrict the use of USB-drives for all computers in a certain AD container (OU). You can apply the USB block policy to the entire domain, but this will affect the servers and other technological devices. Let’s assume that we want to apply the policy to OU named Workstations. To do it, open the GPO management console (gpmc.msc), right-click on OU Workstations and create a new policy (Create a GPO in this domain and Link it here.)

    reference:http://woshub.com/how-to-disable-usb-drives-using-group-policy/

    Tip: This answer contains the content of a third-party website. Microsoft makes no representations about the content of these websites. We provide this content only for your convenience.
    Best wishes
    Vicky

  2. Vicky Wang 2,591 Reputation points
    2020-12-17T09:36:37.543+00:00

    Hi,

    Just checking in to see if the information provided was helpful.

    Please let us know if you would like further assistance.

    Best Regards,
    Vicky