Prevent connection of unauthorized USB-devices?

to get this you should have an encryption system in your environment connected across all your system, and it takes long time than what you really think

the easy way to prevent non-allowed USB is to disable the USB port itself from the device manager and you need to input your credentials there as an administrator to enable them again.

there are several vendors providing SW like what you are looking for but as my experience it's very complicated to manage and not friendly use.

Thank you. If I disable the USB-ports in BIOS can I enable connectivity on certain devices? We must be able to connect keyboard, mouse and authorized USB thumb drives.

For the requirements you have disableing the ports is not a solution.

Then you need special software to accomplish this.

Be aware that your users can bring an identical Thumbdrive (same brand, model and make) and this one will work too then. This kind of USB restriction software will usually look at device Vendor and ID and they are the same for the same product.

Ok. Is it possible to physically lock connected USB-devices like keyboard, mouse etc.?
If it is possible to disable the opportunity to save files from external devices and copy files to external devices via OS security that might be a better solution.

Locking ports can be done with this little thingy:

http://www.kensington.com/us/us/4483/k67720us/usb-port-lock-with-square-cable-guard#.VUiV1dS1Gko

Thank you all! I have enabled a GPO on the domain controller that deny access to all removable storage devices for a certain group of users. We will therefore not need any physical USB locks.

Also, to solve the need of using certain USB-devices I will set up a computer outside the domain that can be used with a USB storage device. This way we can control this kind of use when we have the need.

Hm, did you reach your goal? You didn't want to block all usb storage devices and now you do just that.
The GPOs cannot block based on a device ID but only based on a model, so there is no way using GPOs unless all devices that should be allowed are of the same make and model.
Blocking WPD devices (phones) succeeds with that policy? Test that, I am not so sure.

I will soon publish an article and link it here so you can see what is possible with win8.1's task scheduler with a little help of devcon.exe: all you wanted.