I need to allow only specific authorized USB storage devices to connect to client machines; other USB storage devices should be blocked. How can I set Group Policy for this configuration in Windows Server 2012 Active Directory?
2 Answers
Group Policy magic.
Copy and paste from:
https://msdn.microsoft.com/en-us/library/bb530324.aspx#grouppolicydeviceinstall_topic6
Allow users to install only authorized devices
This scenario builds upon the first scenario, Prevent installation of all devices, where you prevented the installation of any device. In this scenario, you add a list of allowed devices to the policy and include the hardware ID for your USB memory drive.
So you first prevent the installation of all USB devices using one GPO setting, then you use another GPO setting to allow only certain ones. The latter setting will take precedence, effectively creating "exceptions."
But it will restrict installation of drivers only. I have three USB storage sticks, and I want only those three sticks to be accessible. In Group Policy there are only Deny policies for USB storage and no specific Allow policy, so how can I achieve this? – Rohit Jul 09 '15 at 19:09
No, `Computer Configuration\Administrative Templates\System\Removable Storage Access` controls all access to removable storage, not just whether you can install drivers or not. – Ryan Ries Jul 09 '15 at 22:32
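The deny-all-then-allow-listed-IDs setup described in the first answer can be verified on a client with a read-only audit. This is an added example, not code from the answers or from the linked Microsoft guide; it assumes the policy values live under the registry path shown in the script and that the sticks enumerate under `USBSTOR`.

```powershell
# Added example: read-only audit of the Device Installation Restrictions policy on one client.
# Assumption: the GPO settings are stored under this policy key.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Get-PolicyFlag([string]$Name) {
    # $true when the policy DWORD exists and equals 1, otherwise $false.
    $p = Get-ItemProperty -Path $base -Name $Name -ErrorAction SilentlyContinue
    return ($null -ne $p -and $p.$Name -eq 1)
}

function Get-AllowedDeviceIds {
    # The allow list is kept as numbered string values under the AllowDeviceIDs subkey.
    $key = Get-Item -Path "$base\AllowDeviceIDs" -ErrorAction SilentlyContinue
    if ($null -eq $key) { return @() }
    return @($key.GetValueNames() | Where-Object { $_ } |
             ForEach-Object { [string]$key.GetValue($_) })
}

$denyUnspecified = Get-PolicyFlag 'DenyUnspecified'   # "prevent everything not described"
$allowEnabled    = Get-PolicyFlag 'AllowDeviceIDs'    # "allow devices matching these IDs"
$allowed         = Get-AllowedDeviceIds

"Deny devices not described by other policy settings: $denyUnspecified"
"Allow list enabled: $allowEnabled ($($allowed.Count) entries)"
if (-not ($denyUnspecified -and $allowEnabled)) {
    Write-Warning 'Both settings must be enabled for the allow list to act as an exception list.'
}

# USB mass-storage disks currently present on this machine.
$disks = Get-CimInstance -ClassName Win32_PnPEntity |
         Where-Object { $_.PNPDeviceID -like 'USBSTOR\*' }

foreach ($d in $disks) {
    # The policy compares against hardware IDs and compatible IDs (case-insensitive).
    $ids   = @($d.HardwareID) + @($d.CompatibleID) | Where-Object { $_ }
    $match = @($ids | Where-Object { $allowed -contains $_ })
    [pscustomobject]@{
        Name      = $d.Name
        Instance  = $d.PNPDeviceID
        MatchedId = ($match -join '; ')
        Status    = if ($match.Count -gt 0) { 'on allow list' } else { 'NOT on allow list' }
    }
}
```

Hardware IDs are built from vendor, product and revision strings, so one allow-list entry matches every stick of that model rather than a single physical stick.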
AFAIK you can only block USB device types - not specific devices, and only during driver installation.
You might be able to find a 3rd-party utility, but I couldn't find one anywhere.
Also, there seems to be no unique ID for USB drives, so even writing something on your own would prove difficult.
In conclusion, the closest thing would be writing some event-triggered script that would look for some semaphore file that you put earlier, and if the file doesn't exist it will eject the USB drive, but that is quite easy to tamper with.
This is incorrect. The registry stores HW IDs of USBs. You could freeze it either by locking those keys to read only or through Group Policy, as the other answer describes. – Michael Bailey Jul 09 '15 at 17:32
@MichaelBailey I think you've misread what I wrote and what Rohit wrote... He wanted to block all devices except for one specific drive (and not a specific type of USB drives). Also, my answer includes (1st paragraph) what Ryan wrote... – EliadTech Jul 12 '15 at 05:44