Group Policy - Banning most USB sticks

edhasted used Ask the Experts™
We are having problems fine tuning a solution.

Ideally we would like ban all but one make of USB stick on a domain. However if we enter a generic disallow such as "USBSTOR\DiskGen" and then allow the approved device on a specific Hardware ID it doesn't work as the Denies seem to take precedence over the Allows. Any ideas?

We are using SBS 2011 and Server 2012 with all workstations on Windows 7 Pro x64.
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Windows 7 computers can use a Group Policy object setting to deny the installation of  USB drives.
If the driver you need fo the correct USB Drive, disallow further installations.

It provides a detailed method of controlling USB devices. With this method you will can detect the USB ID for the device.

The ID will then be used in the policy to control the USB device.

Either deny the USB device or allow the USB device. (guess stats where you got stuck)
You can create your own USB device matrix of what is allowed and what is denied.

For more information, please refer to the following link:   
For Windows 7 clients, you can also refer to the following policy:
[Computer Configuration\Administrative Templates\System\Removable Storage Access]

just to check your configuration

regards, W


Just what was required - many thanks.
my pleasure!

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial