Can I use GPO to block all USB devices except those explicitly allowed?

    Question

  • We're currently using Symantec Endpoint Protection for antivirus and are considering a switch to System Center Endpoint Protection.  One feature of SEP that we would need to replace is Device Control Policies.

    In SEP, we have configured it to block all USB devices by class, except for those we explicitly allow.  We then add to the policy's exception list the hardware ID of any device we wish to allow.  When a new USB device is plugged into a computer, if its hardware ID doesn't match one on the exception list, the device is disabled and the user sees a popup informing them of this.

    This is great for cases when a user brings in a flash drive from home and plugs it into their computer.  SEP disables the device and prevents access to the drive.  Some users really do need flash drives though, so we issue encrypted flash drives to those users.  Because we have set the policy to allow devices matching that specific hardware ID, when a user plugs in one of our encrypted flash drives the device is installed and operates normally. 

    I have been told that I can accomplish the same thing using group policy, but I'm not sure if that's correct.  As I look at the description of the relevant policies, it appears that a Deny rule takes precedence over an Allow rule.  That seems to prevent the "Block everything EXCEPT" method that we use currently. 

    Is there any way to achieve our goal using Group Policy?

    Tuesday, February 21, 2017 8:43 PM

Answers

  • On a subsequent reading, I see that there is also a setting for "Prevent installation of devices not described by other policy settings", which sounds like it may do what I need.  It won't let me get quite as granular as to block only devices of a specific class and exclude certain devices from blocking, but it looks like it's as close as I can get. 
    • Marked as answer by NeighborGeek Thursday, February 23, 2017 2:18 PM
    Wednesday, February 22, 2017 6:06 PM

All replies

  • Hi,
    As you said, instead of using allow rules to control the installation of devices, I would prefer to use deny rules for the specific devices that are forbidden in your company; you could use Group Policy to prevent installation of devices that match them:
    • Prevent installation of devices that match these device IDs.
    This policy setting specifies a list of Plug and Play hardware IDs and compatible IDs for devices that users cannot install. If you enable this policy setting, users cannot install or update the driver for a device if its hardware ID or compatible ID matches one in this list. If you disable or do not configure this policy setting, users can install devices and update their drivers, as permitted by other policy settings for device installation.
    Note: This policy setting takes precedence over any other policy settings that allow users to install a device. This policy setting prevents users from installing a device even if it matches another policy setting that would allow installation of that device.
    • Prevent installation of drivers matching these device setup classes.
    This policy setting specifies a list of Plug and Play device setup class GUIDs for devices that users cannot install. If you enable this policy setting, users cannot install or update devices that belong to any of the listed device setup classes. If you disable or do not configure this policy setting, users can install and update devices as permitted by other policy settings for device installation.
    Note: This policy setting takes precedence over any other policy settings that allow users to install a device. This policy setting prevents a device from being installed even if it matches another policy setting that would allow installation of that device.
    You can find more details and a step-by-step guide at: https://msdn.microsoft.com/en-us/library/bb530324.aspx
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Wednesday, February 22, 2017 3:40 AM
    Moderator
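The thread names three Device Installation Restrictions policies (the deny-by-ID and deny-by-class settings above, and the "Prevent installation of devices not described by other policy settings" setting in the accepted answer) but never shows how they combine into the "block everything EXCEPT an allow list" model the question asks for. The following is an added example, not code from the thread or from Microsoft: it writes the local-policy registry values under `HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions` that the Device Installation Restrictions ADMX template writes (`DenyUnspecified`, and the `AllowDeviceIDs` / `AllowDeviceClasses` switches with their numbered-value subkeys), which you would normally set through a GPO rather than by hand. The value names, the class GUIDs and the placeholder hardware IDs are assumptions to verify against your own ADMX version and against `Get-UsbHardwareId` output; the function names are mine.

```powershell
# Added example (not from the thread): "deny everything not explicitly allowed" for
# device installation, using the same policies the Device Installation Restrictions
# GPO settings write. Run in an elevated PowerShell session on a test machine.

$Restrictions = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

# Setup classes that must still be installable once DenyUnspecified is on, otherwise a
# keyboard, mouse or hub plugged into a never-used port is blocked too.
# (Well-known setup class GUIDs; assumed here, verify for your Windows build.)
$BaselineAllowedClasses = @(
    '{36fc9e60-c465-11cf-8056-444553540000}',  # USB host controllers and hubs
    '{745a17a0-74d3-11d0-b6fe-00a0c90f57da}',  # HIDClass
    '{4d36e96b-e325-11ce-bfc1-08002be10318}',  # Keyboard
    '{4d36e96f-e325-11ce-bfc1-08002be10318}'   # Mouse
)

function Get-UsbHardwareId {
    # Lists the USB devices currently present with their hardware IDs, so an admin can
    # copy the exact ID of an approved device (e.g. an issued encrypted drive) into the
    # allow list instead of guessing it.
    Get-PnpDevice -PresentOnly | Where-Object InstanceId -like 'USB*' | ForEach-Object {
        [pscustomobject]@{
            Name        = $_.FriendlyName
            Class       = $_.Class
            HardwareIds = (Get-PnpDeviceProperty -InstanceId $_.InstanceId `
                              -KeyName 'DEVPKEY_Device_HardwareIds').Data
        }
    }
}

function Write-IdList {
    # The ID/class list policies store their entries as string values named "1", "2", ...
    # under a subkey of the same name, plus a DWORD switch that enables the policy.
    param([string]$SubKey, [string[]]$Ids)
    $key = Join-Path $Restrictions $SubKey
    Remove-Item -Path $key -Recurse -ErrorAction SilentlyContinue   # start from a clean list
    New-Item -Path $key -Force | Out-Null
    $n = 1
    foreach ($id in $Ids) { Set-ItemProperty -Path $key -Name "$n" -Value $id -Type String; $n++ }
    Set-ItemProperty -Path $Restrictions -Name $SubKey -Value 1 -Type DWord
}

function Read-IdList {
    param([string]$SubKey)
    $key = Join-Path $Restrictions $SubKey
    if (-not (Test-Path $key)) { return @() }
    (Get-Item $key).Property | Sort-Object { [int]$_ } |
        ForEach-Object { (Get-ItemProperty -Path $key -Name $_).$_ }
}

function Set-UsbAllowListPolicy {
    param(
        # Hardware IDs of the approved devices; everything else is refused at install time.
        [Parameter(Mandatory)][string[]]$AllowedHardwareIds,
        [string[]]$AllowedClasses = $BaselineAllowedClasses
    )
    New-Item -Path $Restrictions -Force | Out-Null
    # "Prevent installation of devices not described by other policy settings" = Enabled.
    # It has the lowest precedence of the restriction policies, so the explicit Allow
    # lists below still win over it (an explicit Deny list would win over both).
    Set-ItemProperty -Path $Restrictions -Name 'DenyUnspecified' -Value 1 -Type DWord
    Write-IdList -SubKey 'AllowDeviceIDs'     -Ids $AllowedHardwareIds
    Write-IdList -SubKey 'AllowDeviceClasses' -Ids $AllowedClasses
}

function Get-UsbAllowListPolicy {
    # Reads the effective configuration back, e.g. for a compliance check.
    $p = Get-ItemProperty -Path $Restrictions -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DenyUnspecified = $p.DenyUnspecified
        AllowedIds      = Read-IdList 'AllowDeviceIDs'
        AllowedClasses  = Read-IdList 'AllowDeviceClasses'
    }
}

# Usage with constructed placeholder IDs (replace with values from Get-UsbHardwareId):
# Set-UsbAllowListPolicy -AllowedHardwareIds @(
#     'USBSTOR\DiskVendor__EncryptedDrive_1.00',   # placeholder, not a real product ID
#     'USB\VID_0000&PID_0000'                       # placeholder, not a real vendor/product
# )
# Get-UsbAllowListPolicy
```

Two caveats matter in practice. First, these policies act at installation time only: a drive that was installed before the policy was applied still works when re-plugged, so for retroactive blocking you still need the explicit deny-by-ID policy with its "also apply to matching devices that are already installed" option, or a cleanup of existing device instances. Second, the match is against hardware IDs and compatible IDs, so putting a generic compatible ID such as `USBSTOR\Disk` on the allow list would admit every flash drive; allow only the vendor- and product-specific ID of the issued model, and restrict the baseline class list to what your fleet genuinely needs.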
  • Thank you for the reply.  I'm not clear on why it would be preferable to deny only specific devices, as opposed to only allowing specific devices.  Can you explain?

    I couldn't possibly block every possible USB flash drive (other than our 'approved' model) or storage device by hardware ID.  It seems to me that without blocking all unapproved devices, there is a significant likelihood that someone will plug in and use a device which is not approved but hasn't been blocked.  That of course is a security risk both for the potential to spread malware as well as because of what data they might write to an unencrypted device.

    Wednesday, February 22, 2017 1:29 PM