Restrict USB Flash Drives with Group Policies

• Last updated: Jan 31, 2021

In a Windows environment, virus can come from external USB Flash Drives so it could be interesting to control which devices you want to be allowed to be connected on your machines.

We will see here how to do it with group policies.

Group Policy

• We will find everything we need to manage it in Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions

Rules

We can use two policies to manage our USB Flash Drives. Let's take a look at the main differences between them and how to set them up..

Prevent all removable media

• If you want to prevent all removable devices you can enable the Prevent installation of removable devices policy :

• What it does ?
• Previously installed USB Flash drives : they will be still usable
• New USB Flash drives : they will be blocked
• Any others new devices : they will be available for installations
• Enable Allow administrators to override Device Installation Restriction policies policy : it won't bypass, new removable devices still be blocked
• Add ids in Allow installation of devices that match any of these device IDs policy : it won't bypass

Prevent new devices

• We can prevent installation of new devices :

Important to note is that it will prevent all new devices, not only USB Flash drives, so be careful in case of restoring the system to a new machine cause windows won't boot.

• What it does ?
• Previously installed USB Flash drives : they will still be usable
• New USB Flash drives : they will be blocked
• Any others new devices : they will be blocked
• Enable Allow administrators to override Device Installation Restriction policies policy : will bypass for administrators
• Add ids in Allow installation of devices that match any of these device IDs policy : will bypass

Add Exceptions

Contrary to the Prevent all removable media rule, here we can add exceptions (white list) of devices we want to be able to be used. To do that we can use the device IDs or the device instance IDs.

Exceptions with device IDs

• From device manager, select your device and click Properties :

• From Hardware Ids, copy the Ids value :

• Edit Allow installation of devices that match any of these device IDs policy and paste the Id value :

Exceptions with device instance IDs

• From device manager, select your device and click Properties :

• From Device instance path, copy the Ids value :

• Edit Allow installation of devices that match any of these instance IDs policy and paste the Id value :

Remove Installed USB Devices

As seen above the previously installed USB Flash Drives will still be available despite the policies rules. So to avoid it, we need to remove the devices. To do so we have two possibility, from the Windows Device Manager Console or from the USBDview software.

Windows Device Manager Console

• Open Windows Device Manager Console :

• Show hidden devices :

• And remove already installed devices :

USBDview

• We can also use the USBDeview tool from NirSoft. The main advantage is to be able to remove several devices at the same time :

• We can also use it to get some good informations, as instance id and serial number :

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

Contact :