Block all Make/Model of USB devices except for One

  • Question

  • Hi,

    The organisation I am doing work for would like to block write / execute on all USB devices except for one model, which is an IronKey. They still want to be able to read existing devices for the sake of copying photos off cameras etc. Does anyone have any idea how to do this? I cannot for the life of me think of the correct combination based on the Windows 7 group policy objects to get it to block write to everything except one device.

    Thanks

    Dan 

    Thursday, February 24, 2011 8:27 AM

Answers

  • Hi,

    If all the clients are running Windows 7 or at least Windows Vista, you can choose to prevent installation of all devices except those specifically permitted by group policy.

    To create a list that allows specified devices, you must first enable a policy setting that prevents all device installations unless they are on the list. Then you can add the devices that you want to permit to the list, using either the hardware IDs or the device setup class GUID for the device.

    For more information, please refer to:

    Allowing Installation of Only Permitted Devices
    http://technet.microsoft.com/en-us/library/cc753119(WS.10).aspx

    Managing Hardware Restrictions via Group Policy
    http://technet.microsoft.com/en-us/magazine/2007.06.grouppolicy.aspx

    Hope it helps.

    Regards,

    Bruce

    • Marked as answer by Bruce-Liu Tuesday, March 29, 2011 9:18 AM
    Friday, February 25, 2011 9:15 AM
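
An added example, not part of the answer above or of the linked Microsoft articles: a read-only PowerShell audit of the allow-list approach the answer describes. It reads the registry values written by the two Device Installation Restrictions settings and shows which connected USB devices have an ID on the list; the `OnAllowList` check is a simplification that ignores deny lists and setup-class allow-lists, and these settings decide whether a device installs at all, not whether it is readable or writable.

```powershell
# Added example: read-only audit of the Device Installation Restrictions allow-list.
# Runs in Windows PowerShell 2.0 or later; it changes no settings.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Get-PolicyFlag([string]$Name) {
    # $true when the named DWORD policy value exists and is set to 1.
    $p = Get-ItemProperty -Path $base -Name $Name -ErrorAction SilentlyContinue
    return ($p -ne $null -and $p.$Name -eq 1)
}

function Get-PolicyList([string]$SubKey) {
    # List entries are stored as numbered string values under a subkey.
    $key = Get-Item -Path (Join-Path $base $SubKey) -ErrorAction SilentlyContinue
    if ($key -eq $null) { return @() }
    return @($key.GetValueNames() | Where-Object { $_ } | ForEach-Object { $key.GetValue($_) })
}

# "Prevent installation of devices not described by other policy settings"
$denyUnspecified = Get-PolicyFlag 'DenyUnspecified'
# "Allow installation of devices that match any of these device IDs"
$allowEnabled = Get-PolicyFlag 'AllowDeviceIDs'
$allowIds = @(if ($allowEnabled) { Get-PolicyList 'AllowDeviceIDs' })

"Default-deny enabled : $denyUnspecified"
"Allow-list enabled   : $allowEnabled ($($allowIds.Count) entries)"
if ($allowEnabled -and -not $denyUnspecified) {
    "WARNING: the allow-list is configured without the default-deny setting."
}

# Show the USB node and its USBSTOR disk child: each is installed as a separate
# device. IDs are compared as whole strings, case-insensitively.
Get-WmiObject Win32_PnPEntity |
    Where-Object { $_.PNPDeviceID -match '^USB(STOR)?\\' } |
    ForEach-Object {
        $ids = @(@($_.HardwareID) + @($_.CompatibleID) | Where-Object { $_ })
        $hit = @($ids | Where-Object { $allowIds -contains $_ })
        New-Object PSObject -Property @{
            Name            = $_.Name
            FirstHardwareID = ($ids | Select-Object -First 1)
            OnAllowList     = ($hit.Count -gt 0)
        }
    } | Format-Table Name, FirstHardwareID, OnAllowList -AutoSize
```

Run it on a client after the GPO has applied, with the permitted drive plugged in, to confirm its hardware ID is the one that actually reached the policy list.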

All replies

  • Hi Bruce,

    Thanks for the response; unfortunately it doesn't. Using the policies available I'm still not sure what combination will produce the results I am after. Specifically allowing read access to all USB drives except for the IronKeys, which require write access. If anyone has any experience doing anything like this please let me know.

    Thanks


    Dan

    Sunday, February 27, 2011 1:05 PM
  • You can find the PID or UID of the IronKeys, then deny all USB devices other than it. You need to read the articles above first.

    Wednesday, March 2, 2011 6:17 PM
  • Dan,

    I am looking to do the same thing and haven't found much help. Have you found anything new that could be useful in doing this? It is easy enough to do what the articles above say but we still want to be able to only read USB sticks and R/W to IronKeys, which nobody seems to cover. It shouldn't be an impossible task I wouldn't think.

    Regards,

    Jeff


    • Edited by Chip_flyer1 Wednesday, December 21, 2011 4:16 PM
    Wednesday, December 21, 2011 4:07 PM