Restrict USB Flash Drives with Group Policies

In a Windows environment, viruses can arrive on external USB flash drives, so it can be useful to control which devices are allowed to connect to your machines.

We will see here how to do it with group policies.

Group Policy

Windows GPO | Device Installation Restrictions

Rules

We can use two policies to manage our USB flash drives. Let's look at the main differences between them and how to set them up.

Prevent all removable media

Windows GPO | Prevent installation of removable devices

Prevent new devices

Note that this policy prevents all new devices, not only USB flash drives, so be careful when restoring the system to a new machine, because Windows won't boot.

Windows GPO | Prevent installation of devices not described by other policy settings

Add Exceptions

Unlike the Prevent all removable media rule, here we can add exceptions (a whitelist) for the devices we want to allow. To do that we can use the device IDs or the device instance IDs.

Exceptions with device IDs
Windows Device Manager | Device properties
Windows GPO | Allow installation of devices that match any of these device IDs, adding value
Exceptions with device instance IDs
Windows Device Manager | Device properties
Windows GPO | Allow installation of devices that match any of these device IDs, adding value

Remove Installed USB Devices

As seen above, previously installed USB flash drives will still be available despite the policy rules. To avoid that, we need to remove the devices. There are two ways to do so: from the Windows Device Manager console or with the USBDeview software.
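To collect the device IDs and instance IDs for the exception list, and to see which previously installed USB storage devices are not covered by it, a read-only PowerShell audit like the following can be used. It is an added example, not part of the original article; the registry location of the policies and the exact-match comparison are not taken from the page and are noted as assumptions in the comments.

```powershell
# Added example: read-only audit, changes nothing on the machine.
# Assumption (not from the page): the Device Installation Restrictions
# policies are stored under this registry key once the GPO has applied.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Get-PolicyList([string]$Name) {
    # Allow-lists are numbered string values in a subkey named after the policy.
    $key = Join-Path $base $Name
    if (-not (Test-Path $key)) { return }
    $item = Get-Item $key
    $item.GetValueNames() | ForEach-Object { $item.GetValue($_) }
}

$policy    = Get-ItemProperty -Path $base -ErrorAction SilentlyContinue
$allowIds  = @(Get-PolicyList 'AllowDeviceIDs')
$allowInst = @(Get-PolicyList 'AllowInstanceIDs')

[pscustomobject]@{
    PreventRemovable   = [bool]$policy.DenyRemovableDevices
    PreventUnspecified = [bool]$policy.DenyUnspecified
    AllowedDeviceIDs   = $allowIds.Count
    AllowedInstanceIDs = $allowInst.Count
} | Format-List

# Without -PresentOnly, Get-PnpDevice also returns devices that were installed
# earlier and are currently unplugged (the ones that still work despite the policy).
# Caveat: drives using USB Attached SCSI enumerate under SCSI\, not USBSTOR\.
Get-PnpDevice -Class DiskDrive -ErrorAction SilentlyContinue |
    Where-Object { $_.InstanceId -like 'USBSTOR\*' } |
    ForEach-Object {
        $dev = $_
        $ids = @($dev.HardwareID) + @($dev.CompatibleID) | Where-Object { $_ }
        # Assumption: the policy compares IDs as case-insensitive exact strings.
        $allowedBy = 'none'
        if ($allowInst -contains $dev.InstanceId) { $allowedBy = 'InstanceID' }
        elseif ($ids | Where-Object { $allowIds -contains $_ }) { $allowedBy = 'DeviceID' }
        [pscustomobject]@{
            Name        = $dev.FriendlyName
            Present     = $dev.Present
            InstanceId  = $dev.InstanceId
            HardwareIDs = $ids -join '; '
            AllowedBy   = $allowedBy
        }
    } | Format-List
```

Devices reported with AllowedBy set to none are the candidates for removal with one of the two methods below; the InstanceId and HardwareIDs columns give the strings to enter in the exception policies.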

Windows Device Manager Console

Windows | Run, devmgmt.msc
Windows | Device Manager, show hidden devices

USBDeview

USBDeview | Uninstall devices
USBDeview | Device Properties
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
