Whether you operate in a business environment or have a shared home network up and running, it's inevitable that users will plug their devices (USB or otherwise) into your computers and perform tasks with them. For the security and safety of your overall setup, it's important to allow only devices that you trust, so in this tutorial I will show you how to prevent specific devices from running on your PC.
What you're about to read applies to devices of all types, but for the purpose of this article I will be referencing a USB stick, also known as a USB flash drive. The fact is, you never know for sure whether a given device that's inserted into your computer is free of malicious content. All it takes is one nasty virus to infect your entire network, compromising your critical files to the point of losing access to the lot, all because a particular user inserted their infected USB flash drive.
Moreover, anyone can copy your data onto their device and use the information against your wishes. To minimize the risk of loss or exposure of sensitive material, it's crucial to implement a removable media policy, whereby you make a list of devices and block those you don't want accessing your systems.
I will demonstrate how to do this using the good old Group Policy Editor. Do note that the GPE is only available in Windows 10 Pro, Enterprise and Education editions. If you're running any of these, then this tutorial will certainly fulfill your needs. So without further delay, let's get started.
Step One: When you've made a list of the devices that you want to block, head over to Device Manager by opening the Run menu, entering devmgmt.msc and hitting OK.
Step Two: Next, select the device by right-clicking it and choosing Properties. In my case, I will prevent my USB stick from running on my PC.
Step Three: Now click on the Details tab and, via the drop-down menu, select Class GUID. Under Value, copy the GUID and paste it into your favorite text editor. Each device will have its own GUID, thereby separating it from the rest.
Step Four: Time to access the Group Policy Editor. Open the Run menu, enter gpedit.msc and hit OK.
Step Five: The Group Policy Editor will now open, so navigate to the following path.
Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions
Then, in the right pane, double-click Prevent installation of devices using drivers that match these setup classes.
Step Six: To the left of the window, click the Enabled radio button, tick the checkbox as outlined in orange and then click the Show button.
Step Seven: Now, in the Value field, enter the GUID of the device(s) that you copied in Step Three above. When done, hit OK.
Step Eight: To finalize the process, simply click Apply > OK.
Last Step: Plug the device(s) that you've blocked into any USB port, and you'll find that they're not recognized by the operating system and therefore not functional. As you can see in the image below, I've tried accessing my USB stick and an unavailable error message has been returned. Perfect!
Final Thoughts: Given that the GUID is unique to every device, preventing access using this methodology is very effective indeed. As mentioned at the beginning of this article, you never know for sure whether a particular device is free of malicious content, hence I strongly suggest plugging unknown devices into a test computer and grabbing the GUID thereafter.
To reverse the change and have the device functioning as per its original state, refer to Step Six above, click the Enabled radio button and hit OK.
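To confirm what the policy from Steps Five to Eight blocks on a given machine, the following PowerShell audit (an added example, not part of the original tutorial) reads the policy's deny list from the registry and lists every present device whose Class GUID is on it. It assumes the registry location that this Group Policy setting is written to and the built-in Get-PnpDevice cmdlet; the function names are chosen here for illustration.

```powershell
# Added example: audit the "Prevent installation of devices using drivers that
# match these setup classes" policy against the devices currently present.

# Registry location where the Group Policy setting is stored (assumed default).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$listKey   = Join-Path $policyKey 'DenyDeviceClasses'

function Get-DeniedClassGuid {
    # Each GUID entered via the Show button is stored as a numbered string value.
    if (-not (Test-Path $listKey)) { return @() }
    $item = Get-Item -Path $listKey
    $item.GetValueNames() | ForEach-Object {
        $item.GetValue($_).ToString().Trim().ToLowerInvariant()
    }
}

function Get-PolicyFlag([string]$Name) {
    # Returns $true when the named DWORD under the policy key is non-zero.
    $p = Get-ItemProperty -Path $policyKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $false }
    return [bool]($p.$Name)
}

$denied      = @(Get-DeniedClassGuid)
$enabled     = Get-PolicyFlag 'DenyDeviceClasses'
# Set when the checkbox for already-installed devices is ticked in the policy.
$retroactive = Get-PolicyFlag 'DenyDeviceClassesRetroactive'

"Policy enabled: $enabled"
"Applies to already-installed devices: $retroactive"
"Blocked Class GUIDs on the list: $($denied.Count)"

if ($denied.Count -gt 0) {
    # Show every present device whose Class GUID matches a blocked entry, so the
    # full effect of each GUID on this machine is visible before rollout.
    Get-PnpDevice -PresentOnly |
        Where-Object { $_.ClassGuid -and ($denied -contains $_.ClassGuid.ToLowerInvariant()) } |
        Sort-Object Class, FriendlyName |
        Format-Table Class, ClassGuid, FriendlyName, Status -AutoSize
}
```

Run it once after applying the policy and again after reversing it; an empty list with "Policy enabled: False" indicates the restriction is no longer in place.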