All kinds of removable devices, from USB sticks to external hard drives and cell phones to cameras, can be used by rogue employees as storage to siphon off confidential company data. Therefore, it is important to control peripherals through centralized management.
Windows' on-board tools are not as flexible in this respect as specialized data loss prevention (DLP) products, but depending on the environment, they can meet the most important requirements.
Controlling access rights to external devices
Group policies provide two different strategies. The settings under Administrative Templates > System > Removable Storage Access (available in both Computer Configuration and User Configuration) allow granular rights management for various device classes: read, write, and execute access can each be denied per class. Users can thus still access the devices they need for their work, but in a restricted manner.
Admins could, for example, give users of the Marketing OU read-only access to cameras by denying write access to WPD devices in a GPO linked to that OU.
The disadvantage of this approach is that it is quite inflexible. Whitelisting is practically impossible to implement in this way because you can only configure restrictions, not exceptions. In addition, these policies cover only a few device classes (removable disks, CD/DVD, floppy, tape, and WPD devices, plus custom classes identified by GUID).
Controlling the installation of devices
If you cannot implement the desired requirements for controlling peripheral devices in this way, the alternative is to manage device installation. This happens at the driver level, so that removable media can be excluded entirely. In this case, the devices do not appear in the system at all, and the assignment of permissions is neither possible nor necessary.
In contrast to the settings under Removable Storage Access, those for restricting device installation can, as you would expect, only be applied to computers, not to users. The container is Computer Configuration > Policies > Administrative Templates > System > Device Installation > Device Installation Restrictions.
There are two settings for each match criterion: one to allow installation and one to prevent it (for example, Allow installation of devices that match any of these device IDs and its Prevent counterpart). Nevertheless, it has so far been practically impossible to ban all memory sticks, for example, and exempt specific approved sticks from that restriction: a policy to prevent installation always prevailed over one that allowed it, even if the latter was tailored to a specific device.
Changing the evaluation of settings
This changes with the 2021-08 cumulative update due to the new setting "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria".
Enabling this option changes the evaluation of the policies: more specific policies now take priority over general ones. The hierarchy is then:
Device instance IDs > Device IDs > Device setup class > Removable devices
The first layer in which the device matches an Allow or a Prevent entry decides the outcome; within a layer, Prevent still beats Allow. Prevent installation of devices not described by other policy settings applies only if no other policy matches.
The device instance ID identifies one particular device (for USB mass storage devices, it includes the serial number the stick reports) and therefore has the highest priority. So you could, for example, enable the Prevent installation of removable devices setting, thereby excluding all such devices from installation.
Then you would use the Allow installation of devices that match any of these device instance IDs setting to exempt individual USB sticks from this rule.
Of course, all other feasible combinations are possible. For example, you could allow all devices in a class and exclude only those with a certain hardware ID.
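The following script is an added example and not code from the article: it simulates how a device is evaluated against a set of Device Installation Restriction policies, once with the layered order described above and once with the old "any Prevent wins" order. The policy and the four sample devices are constructed for this example; the policy's key names mirror the value and subkey names that the GPOs write under HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions, and the function name Test-DeviceInstallAllowed is this example's own.

```powershell
# Added example (not from the article): simulate the evaluation of Device Installation
# Restriction policies for a device. $Policy is constructed here; its keys mirror the
# values/subkeys under HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions.

$Policy = @{
    DenyRemovableDevices = $true     # Prevent installation of removable devices
    DenyUnspecified      = $false    # Prevent installation of devices not described by other policy settings
    # One approved stick, allowed by its device instance ID (constructed value)
    AllowInstanceIDs     = @('USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_3.0&REV_PMAP\0C9D92E1B2A3F4C5&0')
    DenyInstanceIDs      = @()
    AllowDeviceIDs       = @()
    DenyDeviceIDs        = @('USBSTOR\DiskSanDisk_Cruzer_Blade____1.00')   # a hardware ID (constructed)
    AllowDeviceClasses   = @('{36FC9E60-C465-11CF-8056-444553540000}')     # USB setup class: controllers and hubs
    DenyDeviceClasses    = @()
}

function Test-DeviceInstallAllowed {
    param(
        [Parameter(Mandatory)] [hashtable] $Device,   # InstanceId, HardwareIDs, CompatibleIDs, ClassGuid, Removable
        [Parameter(Mandatory)] [hashtable] $Policy,
        [switch] $Legacy                              # evaluate as before the layering setting existed
    )
    $deviceIds = @($Device.HardwareIDs) + @($Device.CompatibleIDs)

    # One entry per layer, most specific first. -contains is case-insensitive, as Windows is for IDs.
    $layers = @(
        @{ Name  = 'Device instance ID'
           Allow = $Policy.AllowInstanceIDs -contains $Device.InstanceId
           Deny  = $Policy.DenyInstanceIDs  -contains $Device.InstanceId }
        @{ Name  = 'Device ID (hardware or compatible ID)'
           Allow = @($deviceIds | Where-Object { $Policy.AllowDeviceIDs -contains $_ }).Count -gt 0
           Deny  = @($deviceIds | Where-Object { $Policy.DenyDeviceIDs  -contains $_ }).Count -gt 0 }
        @{ Name  = 'Device setup class'
           Allow = $Policy.AllowDeviceClasses -contains $Device.ClassGuid
           Deny  = $Policy.DenyDeviceClasses  -contains $Device.ClassGuid }
        @{ Name  = 'Removable devices'
           Allow = $false
           Deny  = [bool]($Policy.DenyRemovableDevices -and $Device.Removable) }
    )

    if ($Legacy) {
        # Old behaviour: any matching Prevent beats any Allow, however specific the Allow is.
        if ($layers | Where-Object { $_.Deny })  { return $false }
        if ($layers | Where-Object { $_.Allow }) { return $true }
        return -not $Policy.DenyUnspecified
    }

    # Layered order: the first layer with a match decides; within a layer Prevent beats Allow.
    foreach ($layer in $layers) {
        if ($layer.Deny)  { return $false }
        if ($layer.Allow) { return $true }
    }
    return -not $Policy.DenyUnspecified     # nothing matched: only the catch-all policy applies
}

# Constructed sample devices, in the shape Get-PnpDevice reports them (not a real inventory)
$Devices = @(
    @{ Name = 'Approved Kingston stick'
       InstanceId = 'USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_3.0&REV_PMAP\0C9D92E1B2A3F4C5&0'
       HardwareIDs = @('USBSTOR\DiskKingstonDataTraveler_3.0PMAP'); CompatibleIDs = @('USBSTOR\Disk', 'USBSTOR\RAW')
       ClassGuid = '{4D36E967-E325-11CE-BFC1-08002BE10318}'; Removable = $true }
    @{ Name = 'Blocked SanDisk stick'
       InstanceId = 'USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER_BLADE&REV_1.00\4C530001210823105440&0'
       HardwareIDs = @('USBSTOR\DiskSanDisk_Cruzer_Blade____1.00'); CompatibleIDs = @('USBSTOR\Disk', 'USBSTOR\RAW')
       ClassGuid = '{4D36E967-E325-11CE-BFC1-08002BE10318}'; Removable = $true }
    @{ Name = 'Unlisted stick'
       InstanceId = 'USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\7&1BD14E6E&0&_&0'
       HardwareIDs = @('USBSTOR\DiskGeneric_Flash_Disk______8.07'); CompatibleIDs = @('USBSTOR\Disk', 'USBSTOR\RAW')
       ClassGuid = '{4D36E967-E325-11CE-BFC1-08002BE10318}'; Removable = $true }
    @{ Name = 'USB root hub (on the path to every stick)'
       InstanceId = 'USB\ROOT_HUB30\4&2D5A1C7E&0&0'
       HardwareIDs = @('USB\ROOT_HUB30'); CompatibleIDs = @()
       ClassGuid = '{36FC9E60-C465-11CF-8056-444553540000}'; Removable = $false }
)

$Devices | ForEach-Object {
    [pscustomobject]@{
        Device  = $_.Name
        Layered = Test-DeviceInstallAllowed -Device $_ -Policy $Policy
        Legacy  = Test-DeviceInstallAllowed -Device $_ -Policy $Policy -Legacy
    }
} | Format-Table -AutoSize
```

The interesting row is the approved Kingston stick: under the layered order, its instance ID match in the first layer decides before the removable-device block is ever considered, so it is installable, whereas the legacy order lets the removable-device Prevent win. The unlisted stick stays blocked in both modes, and the root hub is installable because the USB setup class is allowed; without that class entry (or with DenyUnspecified set), the hub would be blocked and the approved stick could never appear.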
Finding the properties of devices
The easiest way to determine the properties of the installed devices that you would need for these group policies is to use PowerShell:
Get-PnpDevice | Format-List -Property Name, DeviceID, ClassGuid, CompatibleID, HardwareID
DeviceID corresponds to the device instance ID mentioned above. For the settings Allow installation of devices that match any of these device IDs and Prevent installation of devices that match any of these device IDs, however, you specify one of the entries from HardwareID or CompatibleID.
The device setup class is one more level down in the evaluation. It is given as a GUID (ClassGuid) and is required for the Allow installation of devices using drivers that match these device setup classes setting (and its Prevent counterpart).
If you want to manage device classes for which you have not installed a device on your local computer, you can get the GUID from this overview on Microsoft Docs.
When combining allow and prevent settings, make sure (especially for USB devices) that you cover the whole path to the device. It is not enough to allow only the sticks themselves by instance ID or device ID; the USB host controllers, hubs, and composite devices they hang off must not be blocked either, for example by a Prevent setting for a setup class or by Prevent installation of devices not described by other policy settings.
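The following script is an added example and not code from the article. It collects, on the local machine, the identifiers the three policy layers need, looks up a setup class GUID by class name from the local class registry (so no device of that class has to be installed), and walks a device's parent chain so that you can check nothing on the path from host controller to stick is caught by a Prevent setting. The function names Get-UsbStorageIdentifiers, Get-DeviceSetupClassGuid, and Get-DeviceAncestry are this example's own; the cmdlets, property names, and registry paths it uses are standard Windows ones.

```powershell
# Added example (not from the article). Run in an elevated or normal PowerShell on the
# client whose devices you want to allow-list; all reads are local.

# Present USB mass-storage disks with the identifiers of the three policy layers.
# Windows generates the instance-specific part itself when a device reports no unique
# serial number; such IDs have '&' as their second character and change with the USB port,
# so they are unsuitable for allow-listing a particular stick.
function Get-UsbStorageIdentifiers {
    Get-PnpDevice -PresentOnly -Class DiskDrive |
        Where-Object { $_.InstanceId -like 'USBSTOR\*' } |
        ForEach-Object {
            $instancePart = ($_.InstanceId -split '\\')[-1]
            [pscustomobject]@{
                Name          = $_.FriendlyName
                InstanceId    = $_.InstanceId         # layer 1: device instance ID policies
                HardwareIDs   = @($_.HardwareID)      # layer 2: device ID policies (hardware IDs)
                CompatibleIDs = @($_.CompatibleID)    # layer 2: device ID policies (compatible IDs)
                ClassGuid     = $_.ClassGuid          # layer 3: device setup class policies
                UniqueSerial  = $instancePart -notmatch '^.&'
            }
        }
}

# Setup class GUID by class name from the local class registry; the classes are registered
# even when no device of that class has ever been installed on this computer.
function Get-DeviceSetupClassGuid {
    param([Parameter(Mandatory)] [string] $ClassName)
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Control\Class' |
        Where-Object { (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).Class -eq $ClassName } |
        ForEach-Object { $_.PSChildName }
}

# Walk DEVPKEY_Device_Parent up to the root: every instance ID and class GUID listed here
# must remain installable for the device at the bottom of the chain to work.
function Get-DeviceAncestry {
    param([Parameter(Mandatory)] [string] $InstanceId)
    $current = $InstanceId
    while ($current) {
        $dev = Get-PnpDevice -InstanceId $current
        [pscustomobject]@{ Class = $dev.Class; ClassGuid = $dev.ClassGuid; InstanceId = $dev.InstanceId }
        $parent  = Get-PnpDeviceProperty -InstanceId $current -KeyName 'DEVPKEY_Device_Parent' -ErrorAction SilentlyContinue
        $current = $parent.Data
    }
}

# Usage: identifiers of the attached sticks, the USB class GUID, and the path of the first stick
$sticks = @(Get-UsbStorageIdentifiers)
$sticks | Format-List
Get-DeviceSetupClassGuid -ClassName 'USB'
if ($sticks.Count -gt 0) { Get-DeviceAncestry -InstanceId $sticks[0].InstanceId | Format-Table -AutoSize }
```

Sticks whose UniqueSerial column is False should be allow-listed by hardware ID or not at all; an instance-ID entry for them would stop matching as soon as the user moves the stick to another port. The ancestry listing is the quick way to verify the "whole path" requirement: compare each ClassGuid and InstanceId against your Prevent lists before rolling the GPO out.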
If you roll out GPOs for device installation management only after various devices have already been set up on the PCs, you can still disable them later. For this purpose, all settings for preventing device installation also offer the option Also apply to matching devices that are already installed.
As a rule, only standard users should be prevented from adding devices; administrators generally should not. To exempt them from the restrictions, enable Allow administrators to override Device Installation Restriction policies in the same container.
Finally, two settings, Display a custom message when installation is prevented by a policy setting (balloon title) and its (balloon text) counterpart, customize the message users see when installation of a device is blocked.
The new setting for the order of evaluation makes control over device installation much more flexible. It finally allows whitelisting: all removable devices or an entire device class are blocked, while explicitly approved peripherals are permitted.