
Restrict USB Flash Drives with Group Policies

In a Windows environment, viruses can come in on external USB flash drives, so it is worth controlling which devices are allowed to connect to your machines.

Here we will see how to do it with group policies.

Group Policy

  • Everything we need to manage this is under Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions :
Windows GPO | Device Installation Restrictions

Rules

We can use two policies to manage our USB flash drives. Let's take a look at the main differences between them and how to set them up.

Prevent all removable media

  • If you want to block all removable devices, enable the Prevent installation of removable devices policy :
Windows GPO | Prevent installation of removable devices
  • What it does :
    • Previously installed USB flash drives : they remain usable
    • New USB flash drives : they are blocked
    • Any other new devices : they can still be installed
    • Enabling the Allow administrators to override Device Installation Restriction policies policy : does not bypass it, new removable devices are still blocked
    • Adding IDs to the Allow installation of devices that match any of these device IDs policy : does not bypass it

Prevent new devices

  • We can prevent the installation of any new device :
⚠️ Important to note : this blocks all new devices, not only USB flash drives, so be careful when restoring the system to a new machine, because Windows won't boot. ⚠️
Windows GPO | Prevent installation of devices not described by other policy settings
  • What it does :
    • Previously installed USB flash drives : they remain usable
    • New USB flash drives : they are blocked
    • Any other new devices : they are blocked
    • Enabling the Allow administrators to override Device Installation Restriction policies policy : bypasses it for administrators
    • Adding IDs to the Allow installation of devices that match any of these device IDs policy : bypasses it for the listed devices

Add Exceptions

Contrary to the Prevent all removable media rule, here we can add exceptions (a whitelist) of devices that are allowed to be used. To do that we can use either the device IDs or the device instance IDs.

Exceptions with device IDs

  • From Device Manager, select your device and click Properties :
Windows Device Manager | Device properties
  • From Hardware Ids, copy the ID value :
Windows Device Manager | Device properties
  • Edit the Allow installation of devices that match any of these device IDs policy and paste the ID value :
Windows GPO | Allow installation of devices that match any of these device IDs, adding value

Exceptions with device instance IDs

  • From Device Manager, select your device and click Properties :
Windows Device Manager | Device properties
  • From Device instance path, copy the ID value :
Windows Device Manager | Device properties
  • Edit the Allow installation of devices that match any of these device instance IDs policy and paste the ID value :
Windows GPO | Allow installation of devices that match any of these device instance IDs, adding value

Remove Installed USB Devices

As seen above, previously installed USB flash drives remain available despite the policy rules. To avoid this, we need to remove those devices. There are two ways to do so : from the Windows Device Manager console or with the USBDeview tool.

Windows Device Manager Console

  • Open the Windows Device Manager console :
Windows | Run, devmgmt.msc
  • Show hidden devices :
Windows | Device Manager, show hidden devices
  • And remove the already installed devices :
Windows | Device Manager, remove hidden devices

USBDeview

  • We can also use the USBDeview tool from NirSoft. Its main advantage is that several devices can be removed at the same time :
USBDeview | Uninstall devices
  • We can also use it to get useful information, such as the instance ID and serial number :
USBDeview | Device Properties
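To collect the hardware IDs and instance IDs needed for the exception policies, see which USB storage devices are already installed (including the hidden ones Device Manager only shows with "Show hidden devices"), and optionally remove the stale ones from the command line, the following PowerShell script is an added example, not part of the original post or of any NirSoft/Microsoft tooling. It assumes Windows 8.1 or later (PnpDevice module), an elevated session, and pnputil /remove-device (Windows 10 2004 and later); the registry value names are assumed from the DeviceInstallation ADMX template.

```powershell
# Added example (not from the original post): inventory USBSTOR devices, show the
# effective Device Installation Restrictions values, optionally remove stale devices.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$RemoveStale   # remove USBSTOR devices that are not currently connected
)

function Get-UsbStorInventory {
    # By default Get-PnpDevice also returns devices that are not present (Present = False),
    # the same set Device Manager reveals with "Show hidden devices".
    Get-PnpDevice | Where-Object { $_.InstanceId -like 'USBSTOR\*' } | ForEach-Object {
        [PSCustomObject]@{
            FriendlyName = $_.FriendlyName
            Present      = $_.Present
            InstanceId   = $_.InstanceId              # value for "...match any of these device instance IDs"
            HardwareIds  = ($_.HardwareID -join ';')  # values for "...match any of these device IDs"
        }
    }
}

function Get-RestrictionState {
    # Registry values written by the Device Installation Restrictions policies
    # (assumed from DeviceInstallation.admx; a missing value means "not configured").
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
    $p   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $allow = Get-ItemProperty -Path "$key\AllowDeviceIDs" -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        PreventRemovable   = [bool]$p.DenyRemovableDevices  # Prevent installation of removable devices
        PreventUnspecified = [bool]$p.DenyUnspecified       # ...devices not described by other policy settings
        AdminOverride      = [bool]$p.AllowAdminInstall     # Allow administrators to override...
        AllowedDeviceIds   = @($allow.PSObject.Properties |
                               Where-Object { $_.Name -match '^\d+$' } |
                               ForEach-Object { $_.Value })  # list entries are stored as values 1, 2, 3...
    }
}

$inventory = Get-UsbStorInventory
$inventory | Format-Table -AutoSize
Get-RestrictionState | Format-List

if ($RemoveStale) {
    # Stale devices keep working under both policies until removed, as described above.
    foreach ($d in ($inventory | Where-Object { -not $_.Present })) {
        if ($PSCmdlet.ShouldProcess($d.InstanceId, 'pnputil /remove-device')) {
            pnputil /remove-device $d.InstanceId
        }
    }
}
```

Run it with -RemoveStale -WhatIf first to see which instance IDs would be removed, then run gpupdate /force so the restriction applies when a device is plugged in again.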
Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
