Create a White List of USB Mass Storage devices permitted in a GPO Active Directory with Serial Numbers
Solution 1:
The simplest solution would be to use the Task Scheduler to schedule a task that will at a determined time (for example on boot or on login) either:
- Download and execute a .reg file,
- Download and execute a script containing REG commands.
To allow installation of devices that match any of these device IDs, use the following registry keys:
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions
Value Name: AllowDeviceIDs
Type: REG_DWORD
Value Data: 0 - Disable, 1 - Enable
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\AllowDeviceIDs
Value Name: 1 (ascending series, followed by 2, 3, etc.)
Type: REG_SZ
Value Data: "Hardware ID of the Device"
Note that the AllowDeviceIDs policy is described by Microsoft as:
This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is allowed to install. Use this policy setting only when the "Prevent installation of devices not described by other policy settings" policy setting is enabled.
Other policy settings that prevent device installation take precedence over this one.
If you enable this policy setting, Windows is allowed to install or update any device whose Plug and Play hardware ID or compatible ID appears in the list you create, unless another policy setting specifically prevents that installation (for example, the "Prevent installation of devices that match any of these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, or the "Prevent installation of removable devices" policy setting).
If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed.
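The registry layout described in the answer above, written as a script a scheduled task could run. This is an added example, not part of the original answer; the hardware IDs are constructed placeholders, and the `DenyUnspecified` check assumes that value is where the "Prevent installation of devices not described by other policy settings" policy is stored on the same key.

```powershell
#Requires -RunAsAdministrator
# Added example: write the AllowDeviceIDs allow list to the policy key.
# The hardware IDs below are constructed placeholders, not real devices.
param(
    [string[]]$HardwareIds = @(
        'USBSTOR\DiskEXAMPLE_VENDOR_MODEL_A____1.00',
        'USBSTOR\DiskEXAMPLE_VENDOR_MODEL_B____2.00'
    )
)
$ErrorActionPreference = 'Stop'
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$list = Join-Path $base 'AllowDeviceIDs'

# Drop empty and duplicate entries before touching the registry.
$ids = @($HardwareIds | ForEach-Object { $_.Trim() } | Where-Object { $_ } | Sort-Object -Unique)
if ($ids.Count -eq 0) { throw 'No hardware IDs supplied; refusing to write an empty allow list.' }

# Rebuild the list subkey so stale entries from an earlier run do not survive.
if (Test-Path $list) { Remove-Item -Path $list -Recurse -Force }
New-Item -Path $list -Force | Out-Null

# Value names are an ascending series (1, 2, 3, ...), each a REG_SZ hardware ID.
$n = 0
foreach ($id in $ids) {
    $n++
    New-ItemProperty -Path $list -Name "$n" -PropertyType String -Value $id -Force | Out-Null
}

# Enable the policy: AllowDeviceIDs (REG_DWORD) = 1 on the Restrictions key.
New-ItemProperty -Path $base -Name 'AllowDeviceIDs' -PropertyType DWord -Value 1 -Force | Out-Null

# Microsoft's description says to use the allow list only when "Prevent installation
# of devices not described by other policy settings" is enabled. Check it, do not set it.
$deny = (Get-ItemProperty -Path $base -Name 'DenyUnspecified' -ErrorAction SilentlyContinue).DenyUnspecified
if ($deny -ne 1) {
    Write-Warning 'DenyUnspecified is not 1: the allow list alone does not block other devices.'
}

# Read back what was written so the scheduled task can log the result.
Get-Item -Path $list | Select-Object -ExpandProperty Property |
    ForEach-Object { '{0} = {1}' -f $_, (Get-ItemPropertyValue -Path $list -Name $_) }
```

Hardware IDs and compatible IDs identify a device model and revision, not an individual unit; a USB stick's serial number appears in its device instance ID, which this list does not match.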