Hey everyone! I'm setting up a new Windows Server environment and need some help configuring a Group Policy Object (GPO) for USB storage devices. My goal is to establish a strict policy that allows only pre-approved USB storage devices for users while blocking all other unapproved devices. I also want to make sure that standard USB input devices, like keyboards and wireless mice, can still function without issues.
I've been diving into the Group Policy Management Editor under Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions. I've tried using settings to allow specific device IDs and prevent installation of unauthorized devices, but I just can't seem to get it right. I specifically want to whitelist devices by Vendor ID, Product ID, or GUID and block all others effectively.
If anyone has successfully implemented a similar policy or can provide step-by-step instructions or specific GPO settings, it would be a huge help! Thanks in advance for your insights!
3 Answers
It sounds like you're on the right track. For your needs, you should really focus on the Hardware IDs (HWID) and Compatible IDs (CID) for the devices you want to whitelist. You can use the PowerShell command `Get-PnPDevice | Format-List -Property Name, DeviceID, ClassGuid, CompatibleID, HardwareID` to find the necessary IDs for the approved devices. This will help you set up your GPO to allow specific USB storage devices while blocking others. Just make sure to set your GPO to allow device installations based on those IDs. And yes, you can blanket-allow keyboards and mice using Device Installation Class to avoid them being affected by your other restrictions.
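To gather the HardwareIDs/CompatibleIDs the answer above refers to, and then to check what the Device Installation Restrictions GPO actually wrote on a target host, here is an added PowerShell example (not code from the question or any answer). It assumes an elevated PowerShell 5.1+ session on a host that has already run gpupdate; the registry layout and the input-device class GUIDs are assumptions to verify against your own environment.

```powershell
# Added example, not code from the question or answers. Assumes an elevated
# PowerShell 5.1+ session on the host where the GPO has been applied (gpupdate run).

# 1. Candidate allow-list entries: HardwareIDs/CompatibleIDs of attached USB storage.
#    Put the most specific HardwareID (vendor+product+revision) into
#    "Allow installation of devices that match any of these device IDs".
function Get-UsbStorageAllowListCandidates {
    Get-PnpDevice -PresentOnly |
        Where-Object { $_.InstanceId -like 'USBSTOR\*' } |
        ForEach-Object {
            [pscustomobject]@{
                Name          = $_.FriendlyName
                InstanceId    = $_.InstanceId
                HardwareIDs   = @($_.HardwareID)
                CompatibleIDs = @($_.CompatibleID)
            }
        }
}

# 2. Audit what the Device Installation Restrictions GPO actually wrote locally.
#    Registry layout assumed from the DeviceInstallation ADMX: DWORD switches under
#    ...\Restrictions, list entries as numbered REG_SZ values in subkeys.
$policyRoot   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$inputClasses = @(                                   # well-known setup class GUIDs (assumed)
    '{4d36e96b-e325-11ce-bfc1-08002be10318}',        # Keyboard
    '{4d36e96f-e325-11ce-bfc1-08002be10318}',        # Mouse
    '{745a17a0-74d3-11d0-b6fe-00a0c90f57da}'         # HIDClass (wireless receivers)
)
function Test-DeviceRestrictionPolicy {
    $root           = Get-ItemProperty -Path $policyRoot                  -ErrorAction SilentlyContinue
    $allowedIds     = Get-ItemProperty -Path "$policyRoot\AllowDeviceIDs"     -ErrorAction SilentlyContinue
    $allowedClasses = Get-ItemProperty -Path "$policyRoot\AllowDeviceClasses" -ErrorAction SilentlyContinue
    $idList    = @($allowedIds.PSObject.Properties     | Where-Object Name -match '^\d+$' | ForEach-Object Value)
    $classList = @($allowedClasses.PSObject.Properties | Where-Object Name -match '^\d+$' | ForEach-Object Value)
    [pscustomobject]@{
        DenyUnspecifiedEnabled = ($root.DenyUnspecified -eq 1)   # block everything not explicitly allowed
        AllowListActive        = ($root.AllowDeviceIDs -eq 1 -and $idList.Count -gt 0)
        AllowedDeviceIds       = $idList
        AllowedClasses         = $classList
        InputClassesMissing    = @($inputClasses | Where-Object { $classList -notcontains $_ })
    }
}

Get-UsbStorageAllowListCandidates | Format-List
Test-DeviceRestrictionPolicy | Format-List
```

If `DenyUnspecifiedEnabled` is true while `InputClassesMissing` is non-empty, keyboards and mice plugged in after the policy applied will be blocked; add those class GUIDs under "Allow installation of devices using drivers that match these device setup classes".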
Instead of using just GPOs, we shifted to using an endpoint security solution which gave us more flexibility in controlling USB devices. It might be worth looking into some dedicated software for device control. Just a thought!
I appreciate the suggestion! Definitely considering alternatives if I can't get GPOs to work.
Vendor IDs and GPOs can be tricky! In my last job, we switched to managing device control through an endpoint security suite where we only whitelisted specific serial numbers we trust. It worked much better for us than trying to manage it all through GPO. Just a heads up if you face too many hurdles with GPO configurations!
Thanks for the tips! I’ll check out that PowerShell command. Sounds like a smart approach.