17 C
Dubai
Monday, December 23, 2024

Control Removable Storage Devices via Group Policy

  • Scenario 1 – Deny all type of Storage devices.
  • Scenario 2 – Deny all type of Storage devices but allow specific devices with Administrator.
  • Scenario 3 – Deny all type of Storage devices but allow specific device IDs
  • Scenario 4 – Deny all type of Storage devices but allow iPhone only
  • Scenario 5 – Deny write Access to IPhone only or any other phone type

Scenario 1 – Deny all type of Storage devices

Within the Group Policy Editor, navigate to

\Computer Configuration\Policies\Administrative Templates\System\Removable Storage Access.

  • All Removable Storage Classes : Deny All Access

Choose Enabled

clip_image002

This policy setting takes precedence over any individual removable storage policy settings. To manage individual classes, use the policy settings available for each class.

If you enable this policy setting, no access is allowed to any removable storage class.

If you disable or do not configure this policy setting, write and read accesses are allowed to all removable storage classes. Its Recommended for Workstations which doesn’t have internet Access and to lock down completely.

· Blocks/Deny all type of Storage Devices (Tested with Thumb Drives and Phones)

Scenario 2 – Deny all type of Storage devices but allow specific devices with Administrator

Policy Type

\Computer Configuration\Policies\Administrative Templates\System\Device Installation\Device Installation Restrictions

  • Allow Administrators to Override Device Installation restriction Policies
  • Prevent Installation of devices not described by other policy settings

Choose Enabled.

clip_image004

clip_image006

If you enable this policy setting, members of the Administrators group can use the Add Hardware wizard or the Update Driver wizard to install and update the drivers for any device and start using it.

· Blocks all type of Storage Devices (Tested with Thumb Drives and Phones)

· Doesn’t Allow Charging of Phones

Scenario 3 – Deny all type of Storage devices but allow specific device IDs

Policy Type

\Computer Configuration\Policies\Administrative Templates\System\Device Installation\Device Installation Restrictions

  • Allow Installation of Devices that match any of the Device IDs
  • Prevent Installation of devices not described by other policy settings

Choose Enabled . For Matching Device IDs Policy , See how you can add device ID for a Thumb Drive as below.

clip_image008

Open Device Manager , Check Properties of Device Drives , Details tab. in the drop down choose Hardware IDs

In my Case Take the Top value like – Example – USBSTOR\DiskImation_Ridge___________PMAP

image

Enter the Hardware ID in the Policy

clip_image012

Allows Imation Pen Drive but not the iPhone as expected.

image

Even administrator Rights cannot override.

clip_image014

· Blocks all type of Storage Devices except IMATION Brand (Tested with Thumb Drives and Phones)

· Doesn’t Allow Charging of Phones

Scenario 4 – Deny all type of Storage devices but allow iPhone only

Policy Type

\Computer Configuration\Policies\Administrative Templates\System\Device Installation\Device Installation Restrictions

  • Allow Installation of Devices that match any of the Device IDs
  • Prevent Installation of devices not described by other policy settings

Choose Enabled . For Matching Device IDs Policy , See how you can add device ID for a Thumb Drive as below.

clip_image008

Open Device Manager , Check Properties of the device, Details tab. in the drop down choose Hardware IDs

In my Case Take the Top value like – Example – USB\VID

Note  that for every Iphone version Hardware ID differs like 6,6s

image

Enter the Hardware ID in the Policy

image

image

· Blocks all type of Storage Devices (Tested with Thumb Drives and Phones)

· Allows only IPhone for Charging and data Transfer

 

Good to know –

iPhone version Hardware ID differs 6,6S

iPhone 6S – USB\VID_05AC&PID_12A8&REV_0801

iPhone 6 – USB\VID_05AC&PID_12A8&REV_0702

Scenario 5 – Deny write Access to IPhone only or any other phone type

– Deny write access to iPhone only or any other phone type

Ideally Phone is considered as a storage Class so we can’t differentiate phone or USB drive when it comes to denying write access

Option Available – Deny all write access on Removable storage Access (Cannot override with specific Devices in this Case)

clip_image021

Satheshwaran Manoharan
Satheshwaran Manoharanhttps://www.azure365pro.com
Award-winning Technology Leader with a wealth of experience running large teams and diversified industry exposure in cloud computing. From shipping lines to rolling stocks.In-depth expertise in driving cloud adoption strategies and modernizing systems to cloud native. Specialized in Microsoft Cloud, DevOps, and Microsoft 365 Stack and conducted numerous successful projects worldwide. Also, Acting as a Technical Advisor for various start-ups.

Related Articles

LEAVE A REPLY

Please enter your comment!
Please enter your name here

× How can I help you?