USB Filter (Industry 8.1)

7/8/2014

Learn how to enable, disable, and configure USB Filter on your Windows Embedded 8.1 Industry (Industry 8.1) device.

USB Filter is a USB port and device base filter that you can use to allow trusted USB devices to connect to a system. USB Filter intercepts device connect requests and only allows USB devices with matching device product ID, device vendor ID, or device class ID set by administrator to be active and detectable.

How USB Filter works

After you enable USB Filter, USB Filter blocks access to all USB ports. You can add exceptions to permit certain USB ports or specific USB devices to function normally by adding entries to the permission entry list.

A USB device is defined by a specific combination of the following properties:

  • Device class ID   Indicates the general purpose of the device. Examples include IDs for printers, mass storage, wireless controllers, and so on. You can find a list of the class IDs at USB.org.
  • Device vendor ID   Indicates the vendor that developed the USB device.
  • Device product ID   Indicates the specific model of the USB device created by the vendor.

You can add permission entries to Gesture Filter to enable the following behaviors:

  • Enable a USB port to allow all USB devices to connect to it.
  • Enable a USB port to allow any USB device of a specific class ID to connect to it.
  • Enable a USB port to only allow a USB device with a specific class ID, vendor ID, and product ID to connect to it.

How USB Filter works with USB hubs

A USB hub enables several USB devices to connect to a single USB port. You can chain several USB hubs together, so the path to a USB device can pass through several USB hubs.

If a permission entry does not exist for a USB hub, USB Filter blocks all USB devices connected to that hub, even if permission entries exist for those devices.

Important

In order to allow a USB device to connect to the system when USB Filter is enabled, you must add permission entries for the USB device and any USB hub that the device is connected to.

Enable internal USB ports

Many devices contain internal USB ports and hubs that connect to common communication devices such as a keyboard, a touch screen, and a wireless network adapter. If you enable USB Filter and do not add permission entries for these devices, your device may become unusable after you restart the device.

We recommend that before you enable USB Filter, you initially configure USB Filter by attaching any USB devices that you want to allow to connect and adding permission entries for all connected devices. For more information, see Allow all connected USB devices.

Turn USB Filter on or off

By default, USB Filter is not turned on. You can turn USB Filter on or off for your Industry 8.1 device by using the following steps:

To turn USB Filter on or off by using Control Panel

  1. In Control Panel, click Programs and Features.

  2. On the Programs and Features window, click Turn Windows features on or off.

  3. In the Windows Features window, expand the Embedded Features node, and check or clear the checkbox for USB Filter.

To turn USB Filter on or off by using DISM

  1. Open a command prompt with administrator rights.

  2. At the command prompt, type the following command to turn on USB Filter:

    Dism /online /Enable-Feature /FeatureName:ISKU-USBFilter
    

    -or-

    Type the following command to turn off USB Filter:

    Dism /online /Disable-Feature /FeatureName:ISKU-USBFilter
    

Turning on USB Filter requires that you restart your device. After you restart the device, you must then enable USB Filter.

Enable or disable USB Filter

By default, USB Filter is not enabled. You can enable or disable USB Filter by calling the USBF_Filter.Enable or the USBF_Filter.Disable methods in Windows Management Instrumentation (WMI) class USBF_Filter.

If you enable USB Filter, USB Filter automatically blocks all USB device access to all ports except for the USB devices that match the criteria specified in the permission entry list.

USB Filter does not immediately block USB devices that are already connected when USB Filter is enabled; however, connected USB devices that do not have a corresponding entry in the permission entry list will be blocked the next time the OS enumerates the attached USB devices. Attaching or removing any USB device from a USB hub causes the OS to enumerate the USB devices on the hub.

Configure USB Filter

To configure USB Filter, you must use the USB Filter Windows Management Instrumentation (WMI) provider. You can use the USB Filter WMI provider directly in a Windows PowerShell script or by using the WMI providers in a custom application.

Configuration changes take effect immediately and only affect devices that are connected after a configuration change. Any devices that are already connected must be removed and reconnected for configuration changes to take effect.

You can also configure USB Filter at a detailed USB controller port level, where you can dedicate a specific USB port for designated devices and tasks.

For more information about how to configure USB Filter, see USB Filter WMI provider reference.

See Also

Concepts

Lockdown features