Restriction Policies

Anonymous
2024-11-23T07:52:17+00:00

Hello,

I have two scenarios I should deal with and I'm trying to accomplish it by playing with the group policies found with the "gpedit.msc" utility.

First scenario: Disable all the USB devices (mouse, keyboard, pen drive, serial converter, ...)

Second scenario: Disable all the USB devices (like above) with the exception of all the USB drives.

For the first scenario, I thought to:

enable "Deny installation of removable devices" property

enable "Deny installation of devices not described by other policies" property

With this combination I'm basically blocking all.

For the second scenario I would like to do something like:

enable "Allow installation of removable devices" property

enable "Deny installation of devices not described by other policies"

The issue is that the "Allow" version for the removable devices does not exist.

How can I accomplish what I want? Are there any other methods? I thought about "Allow installation of devices that contain one of the ids" and provide the list as "USB/", but I'm not sure it's the best approach.

Can you help me find the best solution to do the job?

Thanks,

Marco.

*** Moved from Windows / Windows 10 / Devices and drivers ***

Accepted answer
  1. Anonymous
    2024-12-02T03:03:53+00:00

    Hello,

    Thank you for posting in the Microsoft Community Forums.

    To allow USB drives while blocking other USB devices, you can use device IDs. Here’s how:

    1. Determine the Device IDs for USB Drives:
      • Connect a USB drive to your computer.
      • Open Device Manager (Right-click Start, then select Device Manager).
      • Locate the USB drive under "Disk drives".
      • Right-click the USB drive and select "Properties".
      • In the Properties window, go to the "Details" tab.
      • Select "Hardware Ids" from the drop-down list.
      • Note the hardware IDs.
    2. Open Group Policy Editor:
      • Type gpedit.msc in the Run dialog (Win + R).
    3. Navigate to Computer Configuration -> Administrative Templates -> System -> Device Installation -> Device Installation Restrictions.
    4. Enable and configure "Allow installation of devices that match any of these device IDs":
      • Double-click on "Allow installation of devices that match any of these device IDs".
      • Select "Enabled".
      • Click the "Show" button.
      • Add the hardware IDs you noted earlier for USB drives.
      • Click "OK", then "Apply", and "OK".
    5. Enable "Prevent installation of removable devices":
      • Double-click on "Prevent installation of removable devices".
      • Select "Enabled".
      • Click "Apply" and "OK".
    6. Enable "Prevent installation of devices not described by other policy settings":
      • Double-click on "Prevent installation of devices not described by other policy settings".
      • Select "Enabled".
      • Click "Apply" and "OK".

    This configuration will allow USB drives to be installed while blocking other USB devices.

    Best regards

    Yanhong Liu
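
Step 1 of the accepted answer reads the IDs from Device Manager; the same IDs can be collected from PowerShell for every connected USB drive at once. This is an added example, not part of the original thread: it uses the built-in `Get-PnpDevice` and `Get-PnpDeviceProperty` cmdlets, the function name `Get-UsbStorageId` is hypothetical, and it assumes USB drives enumerate under `USBSTOR`.

```powershell
# Added example (not from the original thread). Run with the USB drives plugged in.
# Assumption: USB flash drives enumerate under the USBSTOR enumerator; drives that
# attach through another storage driver would not match this filter.
function Get-UsbStorageId {
    $drives = @(Get-PnpDevice -Class DiskDrive -PresentOnly |
        Where-Object { $_.InstanceId -like 'USBSTOR\*' })

    if ($drives.Count -eq 0) {
        Write-Warning 'No USB disk drive is currently connected.'
        return
    }

    foreach ($d in $drives) {
        # Hardware IDs are what Device Manager shows under Details > "Hardware Ids";
        # compatible IDs are the more generic identifiers of the same device.
        foreach ($key in 'DEVPKEY_Device_HardwareIds', 'DEVPKEY_Device_CompatibleIds') {
            $prop = Get-PnpDeviceProperty -InstanceId $d.InstanceId -KeyName $key `
                        -ErrorAction SilentlyContinue
            foreach ($id in @($prop.Data)) {
                if ($id) {
                    [pscustomobject]@{
                        Device     = $d.FriendlyName
                        InstanceId = $d.InstanceId
                        Kind       = $key -replace '^DEVPKEY_Device_', ''
                        Id         = $id
                    }
                }
            }
        }
    }
}

$rows = @(Get-UsbStorageId)

# Per-device listing, in the order Windows reports the IDs.
$rows | Format-Table Device, Kind, Id -AutoSize

# IDs reported by every connected USB drive (candidates for a generic entry),
# as opposed to IDs that identify a single model.
$deviceCount = @($rows.InstanceId | Sort-Object -Unique).Count
$rows | Group-Object Id |
    Where-Object { @($_.Group.InstanceId | Sort-Object -Unique).Count -eq $deviceCount } |
    Select-Object -ExpandProperty Name
```

With only one drive connected, the second list simply repeats all of that drive's IDs; plug in drives from different vendors to see which entries they share.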


2 additional answers

  1. Anonymous
    2024-12-03T10:34:09+00:00

    Hello Yanhong Liu,

    This solution is valid. But you should have the list of USB devices. I want to allow any kind of USB mass storage. My solution was inserting "USB/*" as the allow filter. Not sure if there's a better approach.

    Thanks,

    Marco.

  2. Anonymous
    2024-12-03T23:38:57+00:00

    Hello,

    Thanks for your reply.

    I am glad that your problem has been solved.

    Thank you very much for your support of Microsoft products and your selfless sharing.

    Best regards

    Yanhong Liu
