USB Blocking in Release Candidate 1

  • Article

One of the favorite enterprise features of Microsoft® Windows Vista™, USB device installations, gets even better in RC1. You may have heard stories of some IT departments going so far as to pour glue into USB ports in an attempt comply with data protection regulations, by preventing users from copying sensitive information onto external storage devices—or to protect from malicious software that could be on the device. In Windows Vista there’s a better, less messy way. You can use group policy to control what types of devices users can and cannot install. What makes it better in Windows Vista RC1 is that you can now display a custom error message to the user explaining why their device will not install, so they don't have to call the help desk.

Here’s how you set up the policy to do this.

First, you need to configure the policy to block all devices. This policy is located under Computer Configuration | Administrative Templates | System | Device Installation | Device Install Restrictions. Set the Prevent installation of devices not described by other policy setting to Enabled.

With this policy set, the user will be blocked from installing any new devices. Now that you have blocked all new devices, you can go back and use the other settings to block certain devices and allow others. Other new settings allow you to prevent users from reading or writing to removable storage devices.  With the right configuration, you can prevent data from inappropriately being put on this device while still using it for Windows ReadyBoost. (Note: If you are following along, you will not be able to block a device that has already been installed on the PC before. You will either have to try a different device, or remove the previous device from device manager.)

The next step is to set the custom message that the users will see. You can do this by configuring the “Display a custom error message...” settings.  

This is just one of the many data protection features in Windows Vista including BitLocker™ Drive Encryption and improvements in EFS.

- Alex Heaton