Today I was working at a booth on a Partner Event. I was explaining how we can block the installation of USB devices by using Group Policies. I also showed how we can change the default message a user gets when he tries to install such a device. I talked about the fact that we can allow the installation of specific devices like mouse and keyboards. Now one of the customers had a question about can I allow only this specific USB Memory stick. I never thought about it before. So I wanted to find out if you can do that. So I have two identical memory sticks "USB Mini Cruzers" and I want to be able to use one of them and block the other.
How does it work? First you need to find out the Hardware ID's. Open the device manager and scroll to the "Mini Cruzer Disk drive" you will this under "Disk Drive" or under the "Other Devices" section. Double click on the USB memory stick and select the Details tab. Then select the Hardware ID's option in the properties section.
On the above screenshots you can see that we have the same device's but there is only one difference and that is the "USBSTOR\DiskSanDisk_Cruzer_Mini_____0.1_" or the "USBSTOR\DiskSanDisk_Cruzer_Mini_____0.2_" ID. We will use the "USBSTOR\DiskSanDisk_Cruzer_Mini_____0.1_" to allow the installation of this device.
If you want to install for example all Sandisk Cruzer Mini USB sticks you could select the "USBSTOR\DiskSanDisk_Cruzer_Mini_____" hardware ID.
Now we have our Hardware ID we can start configuring the Group Policies to block the USB device installation. Let me explain what I mostly do to apply the policies, I open the Group Policies (gpedit) console and I go to the following location, Computer Configuration\Administrative Templates\System\Device Installation Restrictions.
The above screenshot shows you the options you have to edit. I edited the following items:
Display a custom message when installation is prevented by by policy - balloon text: Here I specify that the company blocked the installation of such devices and redirect the user to the IT Helpdesk
Display a custom message when installation is prevented by by policy - balloon title: Here I specify the title of the custom message
Allow the installation of devices that match any of these device ID's: Here I added the following key "USBSTOR\DiskSanDisk_Cruzer_Mini_____0.1_"
Prevent the installation of devices not described by other policy settings: I just enabled this option, this makes it possible to override the installation prevention for certain device ID's
With these settings configured I block the installation of all USB devices except the one memory stick that matches the in the Group Policy defined Hardware ID.
This is a great feature for many companies who want to protect their infrastructure. Know what do you think about this is this clear or should I create a screencast on how to block USB devices, let me know.