creating exceptions for a specific USB stick brand

    Question

  • Hello;

    As far as I know, the "removable storage access" policies work based on the "class GUID" of the removable storage device rather than the "Hardware ID".

    I want to set up a/some GPO so that the USB flash drives of brand A get read-only access while the USB flash drives of brand B get full read/write access. Let's say the corporate policy approves just a few "secure" USB sticks to have corporate data written to them, while it considers the rest "unsecure", good enough only to bring data into the corporation.

    If I go with class GUID, both brand A and B, which will have the same class GUID (DiskDrive, {4....1036 or 1038 I don't remember}), will get the same policy.

    I want to somehow differentiate between the two based on Hardware ID. Is this possible? I was kind of thinking of setting the read-only policy for the whole class, but creating some exceptions for devices of the same class with some specific Hardware ID; but I don't know if this is supported.

    I'd appreciate any creative idea on this as well.

    Wednesday, May 06, 2015 1:57 AM

Answers

  • Use third party software. This allows for more granular access control.

    Regards

    Milos

    • Marked as answer by Sasi2 Wednesday, May 13, 2015 11:11 PM
    Wednesday, May 06, 2015 8:14 AM

All replies

  • Hi,

    It's been a while. How is it going? As far as I know, we can use group policy to restrict Read or Write access to removable storage devices based on these devices' Device Setup Class GUIDs but not device IDs. Here, I am not sure if you want to do this but we can use group policy to prevent the installation of removable storage devices via their device IDs.

    Regarding using group policy to manage devices, the following article can be referred to for more information.

    Device Management and Installation Step-by-Step Guide: Controlling Device Driver Installation and Usage with Group Policy

    https://technet.microsoft.com/en-us/library/cc731387(v=ws.10).aspx

    If you need further help regarding the question, please don't hesitate to let us know.

    Best regards,

    Frank Shen



    Wednesday, May 13, 2015 8:15 AM
    Moderator
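
The distinction drawn in the reply above (read/write restrictions key on the device setup class, installation restrictions can key on device IDs) can be seen on a workstation by listing attached USB disks with both values side by side. This is an added example, not part of the original thread; the `$ApprovedPrefixes` value and the `Test-ApprovedHardwareId` helper are hypothetical, and the prefix is a constructed placeholder rather than a real vendor ID.

```powershell
# Added example: inventory attached USB disks by setup class GUID and hardware ID.
# Every USB stick reports the same class GUID; only the hardware IDs differ by brand.

# Constructed placeholder for the approved ("brand B") hardware ID prefix.
$ApprovedPrefixes = @('USBSTOR\DiskVENDOR_B')

# Hypothetical helper: true if any hardware ID starts with an approved prefix.
function Test-ApprovedHardwareId {
    param(
        [string[]]$HardwareIds,
        [string[]]$Prefixes
    )
    foreach ($id in $HardwareIds) {
        foreach ($prefix in $Prefixes) {
            if ($id -and $id.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) {
                return $true
            }
        }
    }
    return $false
}

Get-PnpDevice -Class DiskDrive -PresentOnly |
    Where-Object { $_.InstanceId -like 'USBSTOR\*' } |
    ForEach-Object {
        # Hardware IDs are returned most specific first (vendor, product, revision).
        $hwIds = (Get-PnpDeviceProperty -InstanceId $_.InstanceId `
                    -KeyName 'DEVPKEY_Device_HardwareIds').Data
        $class = (Get-PnpDeviceProperty -InstanceId $_.InstanceId `
                    -KeyName 'DEVPKEY_Device_ClassGuid').Data

        [pscustomobject]@{
            FriendlyName    = $_.FriendlyName
            ClassGuid       = $class
            FirstHardwareId = $hwIds | Select-Object -First 1
            Approved        = Test-ApprovedHardwareId -HardwareIds $hwIds -Prefixes $ApprovedPrefixes
        }
    } |
    Sort-Object Approved, FriendlyName |
    Format-Table -AutoSize
```

The `ClassGuid` column is identical for every row, which is why a class-based read/write policy cannot separate the two brands; the hardware IDs in the output are the values a device installation restriction policy would match on.
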
  • Thank you both.

    Yes, I just have to tell my customer that. So far they have been using a third-party tool which allowed them to set policies based on Hardware IDs, so they could indeed have a read-only policy for brand A and a read/write policy for brand B.

    They want to dismiss that third-party software, so they were asking for GPO replacements for it. So I guess I just have to tell them it is not possible.

    Wednesday, May 13, 2015 11:14 PM