Restricting USB drives on the desktop

    Question

  • Hi,

    I have been asked by management to create a group policy to restrict the use of USB storage devices to only a couple that I would control.  We don't want staff to be able to copy files to any old USB stick but want them to be able to check out a stick from me if they have a business need to take a presentation with them to a conference for example.

    I do have to keep in mind that our computers primarily use USB keyboards and mice and some of our managers have USB printers in their offices.  I don't want to block those devices.

    So to start with I created a new Group Policy and linked it to a test OU that contains a test computer.

    I set the policy up as such so far:

    Computer Configuration | Policies | Administrative Templates | System | Device Installation | Device Installation Restrictions

    Prevent installation of devices that match any of these device IDs: Enabled w/Device ID: USBSTOR\Disk as the device ID

    Prevent installation of devices not described by other policy settings: Enabled

    Allow administrators to override Device Installation Restriction policies: Enabled

    This worked with my standard test user account to block installation of, and therefore access to, all USB devices I plugged in.  But it is also preventing the domain administrator account from accessing USB devices as well, which I don't want to do.  Did I miss something in my configuration?

    Next my plan was to find the more specific device ID of my USB sticks and set them up in the Allow installation of devices that match any of these device IDs policy.

    Any tips or suggestions?

    Thanks in advance,

    Linn

    Friday, February 5, 2016 5:07 PM

All replies

  • Hello,

    With policy "Allow administrators to override Device Installation Restriction policies" Enabled, the device installation restriction policies you apply to a computer should not affect members of the Administrators group.

    By default, a device installation restriction policy affects all users of the computer, including members of the local Administrators group. By enabling this policy, you exempt administrators from the effects of the policy, and allow them to do the device installation tasks they need to do.

    I would like to suggest you check whether the policy is applied well, and you may try to insert one USB device and check whether the admin account can use it.

    In addition, please refer to the link below about Step-By-Step Guide to Controlling Device Installation Using Group Policy:

    https://msdn.microsoft.com/en-us/library/bb530324.aspx

    Hope this helps.

    Regards,

    Yan Li


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, February 8, 2016 5:49 AM
    Moderator
  • Hi Yan Li,

    Thanks for the information.  Here is what I've learned from working through the guide you referenced and through experimentation. 

    Once I enabled "Allow administrators to override Device Installation Restriction policies" I found I could install USB drives but had to install the drivers manually.  This wasn't a big deal, I simply select "Update Driver Software" from within Device Manager.  Not exactly what I expected from the description of the policy but I can live with it I guess.

    Then I obtained the hardware ID and entered it into "Allow installation of devices that match any of these device IDs" policy.  Ran gpupdate /force and logged in as a test user.  Now I am able to read/write to my USB device but when I tried other devices they were blocked by policy.  Ok, so far so good.

    Now I have a second USB stick, same brand and capacity, bought them at the same time.

    When I plug it in I don't get the message that it was blocked by policy but then again, I can't use it either.  Even logging in as the administrator it doesn't work.  But it works fine on other computers.

    I tried entering its hardware ID into the policy but that doesn't help.  When I look at the device manager I see it listed under Disk Drives and there's an Unknown device listed under Other devices.

    I did use the topmost device ID because I wanted to be as specific as possible.  But the IDs for the two devices look the same, not sure why it is not treating them as the same though.  I've contemplated trying the second ID listed, figuring it would be a little more general, but I'm afraid then that anyone could just buy the same brand device and work around my security.

    Any thoughts?

    Thanks,

    Linn

    Tuesday, February 9, 2016 7:06 PM
  • Hello,

    Sorry for the late reply.

    According to my understanding, you have one device with the same hardware ID, but it was treated as blocked device. Would you please open your device manager to check each USB device, or you may change to use another USB interface for the new device and check whether it is blocked.

    In addition, please check your event logs for related information.

    Regards,

    Yan Li



    Wednesday, February 17, 2016 4:40 AM
    Moderator
  • Hi,

    Yes, I have two devices, same make, model and capacity and they seem to have the same IDs.  One works fine, the other doesn't mount.  The topmost ID string for both is USBSTOR\DiskKingstonDataTraveler_3.0PMAP.  The second ID string is USBSTOR\DiskKingstonDataTraveler_3.0 and I modified my policy to use that key, same results.  I can post screen shots of the IDs if you'd like to see them.

    All tests performed as domain administrator with Allow administrators to override Device Installation Restriction policies set to Enabled.

    Another disturbing fact, I set all three policy settings to Not configured but that didn't help.  I still can't mount any device but the first one.  Even after gpupdate /force and multiple reboots.

    Thanks,

    Linn

    Wednesday, February 17, 2016 4:35 PM
  • Hello,

    How about adding both of the two IDs into the allow policy?

    Regards,

    Yan Li


    Monday, February 22, 2016 8:19 AM
    Moderator
  • Hi Yan,

    Sorry for the delay, got pulled off to other projects.  I tried putting both IDs in and that didn't make any difference.

    I think I just realized something, these policies only control installation of device drivers.  Once the drivers are installed for a USB device anyone can use that USB device on that computer.  So this won't accomplish what we want except on new computers.

    Anyone with an existing computer who has a USB device already installed will be able to continue to use it unless I uninstall the drivers, which I think would be nearly impossible.

    Correct me if I'm wrong.  Or if you know of another way to regulate which USB devices can be used.

    Thanks,

    Linn

    Tuesday, March 1, 2016 10:14 PM
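An added audit script, not from the thread or from Microsoft, for the two problems raised above: it lists every USBSTOR device a computer has ever installed (present or not), shows the hardware and compatible IDs that the "Allow installation of devices that match any of these device IDs" setting actually matches, and flags which devices an allow-list would cover, so installed-before-the-policy devices that keep working can be found. The allow-list is constructed from the two ID strings quoted in the thread, and the script assumes the PnpDevice cmdlets (Windows 8 / Server 2012 or later) are available.

```powershell
# Constructed allow-list: the two hardware ID strings quoted in the thread.
$AllowedIds = @(
    'USBSTOR\DiskKingstonDataTraveler_3.0PMAP',
    'USBSTOR\DiskKingstonDataTraveler_3.0'
)

function Get-UsbStorageAudit {
    param([string[]]$AllowList)

    # No -PresentOnly: a stick installed last year and currently unplugged
    # still has its driver and would work again the moment it is plugged in.
    Get-PnpDevice | Where-Object { $_.InstanceId -like 'USBSTOR\*' } | ForEach-Object {
        $dev = $_
        $hwIds = (Get-PnpDeviceProperty -InstanceId $dev.InstanceId `
                    -KeyName 'DEVPKEY_Device_HardwareIds').Data
        $compatIds = (Get-PnpDeviceProperty -InstanceId $dev.InstanceId `
                    -KeyName 'DEVPKEY_Device_CompatibleIds').Data

        # The policy compares hardware IDs and compatible IDs (so the thread's
        # deny entry USBSTOR\Disk is a compatible ID). The instance ID, which
        # carries the USB serial number, is not part of that comparison, so two
        # sticks of the same model share every ID the allow-list can see.
        $matched = @($hwIds) + @($compatIds) | Where-Object { $AllowList -contains $_ }

        [pscustomobject]@{
            InstanceId   = $dev.InstanceId
            FriendlyName = $dev.FriendlyName
            Present      = $dev.Present
            Status       = $dev.Status
            HardwareIds  = ($hwIds -join '; ')
            AllowMatch   = [bool]$matched
        }
    }
}

# Devices with AllowMatch = False but a driver already installed are the ones
# the last post describes: the restriction never applies to them retroactively.
Get-UsbStorageAudit -AllowList $AllowedIds |
    Format-Table InstanceId, Present, Status, AllowMatch, HardwareIds -AutoSize -Wrap
```

Run it on the test computer with both Kingston sticks plugged in and the InstanceId column will differ (serial number) while the HardwareIds column is identical for both.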