Allow Company Approved USB Brand (Ex:Sandisk) and block all other Brand through GPO

Shashi Kiran R 1 Reputation point


Just a Quick question on How to allow Company approved USB Brand (for Ex: Sandisk) and prevent all other USB brands from accessing.

Upon Investigation, it is possible through hardware ID.

So if the hardware ID is "USB\VID_0781&PID_558C" which is specific to device. can we use just "USB\VID_0781" to have this vendor allowed and block all others.


Shashi Kiran R

Cybersecurity Engineer

Herbalife Ltd

A family of Microsoft operating systems that run across personal computers, tablets, laptops, phones, internet of things devices, self-contained mixed reality headsets, large collaboration screens, and other devices.
4,945 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Vicky Wang 2,646 Reputation points

    In all versions of Windows, starting from Windows 7, you can flexibly manage access to external drives (USB, CD / DVD, floppy, tape etc.) using Group Policies (we are not considering a radical way to disable USB ports through BIOS settings). It is possible to programmatically block the use of only USB drives, without affecting such USB devices as a mouse, keyboard, printer, etc (which are not recognized as a removable disk).

    The USB device blocking policy will work if the infrastructure of your AD domain meets the following requirements:

    Active Directory schema version — Windows Server 2008 or newer;
    Note. The set of Group Policies allows to control the installation and use of removable media on Windows appeared only in the AD version 44.
    Desktop OSs –Windows 7 or newer.
    We are going to restrict the use of USB-drives for all computers in a certain AD container (OU). You can apply the USB block policy to the entire domain, but this will affect the servers and other technological devices. Let’s assume that we want to apply the policy to OU named Workstations. To do it, open the GPO management console (gpmc.msc), right-click on OU Workstations and create a new policy (Create a GPO in this domain and Link it here.)


    Tip: This answer contains the content of a third-party website. Microsoft makes no representations about the content of these websites. We provide this content only for your convenience.
    Best wishes

    0 comments No comments

  2. Vicky Wang 2,646 Reputation points


    Just checking in to see if the information provided was helpful.

    Please let us know if you would like further assistance.

    Best Regards,

    0 comments No comments