Saturday, June 24 2017

Control Removable Storage Devices via Group Policy

  • Scenario 1 – Deny all types of storage devices
  • Scenario 2 – Deny all types of storage devices but allow specific devices with Administrator
  • Scenario 3 – Deny all types of storage devices but allow specific device IDs
  • Scenario 4 – Deny all types of storage devices but allow iPhone only
  • Scenario 5 – Deny write access to iPhone only or any other phone type

Scenario 1 – Deny all types of storage devices

Within the Group Policy Editor, navigate to

\Computer Configuration\Policies\Administrative Templates\System\Removable Storage Access.

  • All Removable Storage Classes : Deny All Access 

Choose Enabled


This policy setting takes precedence over any individual removable storage policy settings. To manage individual classes, use the policy settings available for each class.

If you enable this policy setting, no access is allowed to any removable storage class.

If you disable or do not configure this policy setting, write and read accesses are allowed to all removable storage classes. It is recommended for workstations that do not have Internet access and need to be locked down completely.

· Blocks/denies all types of storage devices (tested with thumb drives and phones)

Scenario 2 – Deny all types of storage devices but allow specific devices with Administrator

Policy Type

\Computer Configuration\Policies\Administrative Templates\System\Device Installation\Device Installation Restrictions

  • Allow Administrators to Override Device Installation restriction Policies
  • Prevent Installation of devices not described by other policy settings

Choose Enabled.


If you enable this policy setting, members of the Administrators group can use the Add Hardware wizard or the Update Driver wizard to install and update the drivers for any device and start using it.

· Blocks all types of storage devices (tested with thumb drives and phones)

· Doesn’t allow charging of phones

Scenario 3 – Deny all types of storage devices but allow specific device IDs

Policy Type

\Computer Configuration\Policies\Administrative Templates\System\Device Installation\Device Installation Restrictions

  • Allow Installation of Devices that match any of the Device IDs
  • Prevent Installation of devices not described by other policy settings

Choose Enabled. For the matching device IDs policy, add the device ID for a thumb drive as shown below.


Open Device Manager, open the Properties of the drive, and go to the Details tab. In the drop-down, choose Hardware IDs.

In my case, take the top value, for example: USBSTOR\DiskImation_Ridge___________PMAP


Enter the hardware ID in the policy.


Allows the Imation pen drive but not the iPhone, as expected.


Even administrator rights cannot override this.


· Blocks all types of storage devices except the Imation brand (tested with thumb drives and phones)

· Doesn’t allow charging of phones

Scenario 4 – Deny all types of storage devices but allow iPhone only

Policy Type

\Computer Configuration\Policies\Administrative Templates\System\Device Installation\Device Installation Restrictions

  • Allow Installation of Devices that match any of the Device IDs
  • Prevent Installation of devices not described by other policy settings

Choose Enabled. For the matching device IDs policy, add the device ID for a thumb drive as shown below.


Open Device Manager, open the Properties of the device, and go to the Details tab. In the drop-down, choose Hardware IDs.

In my case, take the top value, for example: USB\VID

Note that the hardware ID differs for every iPhone version, such as the 6 and 6s.


Enter the hardware ID in the policy.


· Blocks all types of storage devices (tested with thumb drives and phones)

· Allows only the iPhone for charging and data transfer

Good to know:

The hardware ID differs between iPhone versions (6, 6S):

iPhone 6S – USB\VID_05AC&PID_12A8&REV_0801

iPhone 6 – USB\VID_05AC&PID_12A8&REV_0702
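The settings from Scenarios 1 to 4 can also be checked from PowerShell rather than through the policy editor and Device Manager. The script below is an added example, not part of the original post; it assumes the policies are stored at their standard registry locations under HKLM\SOFTWARE\Policies\Microsoft\Windows, and the helper name Get-PolicyFlag and the plain string comparison against the allow list are illustrative assumptions.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell prompt.
# Assumption: policies are stored at their standard registry locations.
$root     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows'
$restrict = "$root\DeviceInstall\Restrictions"

# Hypothetical helper: $true when a policy DWORD exists and is set to 1 (Enabled).
function Get-PolicyFlag([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$Name -eq 1)
}

[pscustomobject]@{
    'Scenario 1: deny all removable storage'    = Get-PolicyFlag "$root\RemovableStorageDevices" 'Deny_All'
    'Scenario 2: administrators can override'   = Get-PolicyFlag $restrict 'AllowAdminInstall'
    'Scenario 2-4: block unspecified devices'   = Get-PolicyFlag $restrict 'DenyUnspecified'
    'Scenario 3-4: device ID allow list in use' = Get-PolicyFlag $restrict 'AllowDeviceIDs'
} | Format-List

# The allow list is stored as numbered string values in a subkey.
$allowed = @()
$key = Get-Item -Path "$restrict\AllowDeviceIDs" -ErrorAction SilentlyContinue
if ($key) {
    $allowed = @($key.GetValueNames() | ForEach-Object { [string]$key.GetValue($_) })
}
"Allow-listed device IDs: $($allowed -join ', ')"

# For each connected USB device, show whether one of its hardware IDs is allow-listed.
# Assumption: a plain case-insensitive string comparison approximates the policy match.
Get-PnpDevice -PresentOnly |
    Where-Object { $_.InstanceId -match '^(USB|USBSTOR)\\' } |
    ForEach-Object {
        $ids   = @($_.HardwareID)
        $match = $ids | Where-Object { $allowed -contains $_ } | Select-Object -First 1
        [pscustomobject]@{
            Name          = $_.FriendlyName
            Status        = $_.Status
            TopHardwareID = $ids | Select-Object -First 1
            AllowListHit  = if ($match) { $match } else { '(none)' }
        }
    } | Format-Table -AutoSize -Wrap
```

The TopHardwareID column is the same top value read from the Details tab in Device Manager, so a device showing (none) has no matching entry in the allow list.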

Scenario 5 – Deny write access to iPhone only or any other phone type

Ideally, a phone is considered a storage class, so we can’t differentiate between a phone and a USB drive when it comes to denying write access.

Option available: deny all write access under Removable Storage Access (cannot be overridden for specific devices in this case).


About Satheshwaran Manoharan

Satheshwaran Manoharan is a Microsoft Exchange Server MVP and publisher of CareExchange.in, supporting, deploying and designing Microsoft Exchange for some years, with extensive experience on Microsoft technologies.
