
I have a web form where I put the serial numbers of all USB flash drives that are permitted in my network. My Ubuntu hosts dynamically consult this list via a script and block or permit the USB flash drives from being mounted. On the Linux platform I used the udev service to trigger this script.

I know that on the Microsoft platform there are policies, and in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\AllowInstanceIDs something like USB\COMPOSITE\7891011121314151617181920 could be typed.

So, consider the steps:

1 - I already have the serial numbers, but in 1234567890 format on a web page;

2 - I know that it is possible to update a list with a command like iwr http://my_form_serial_numbers.html -OutFile C:\Users\%USER%\AppData\Local\serial.txt;

The questions are:

How to allow only the listed serial numbers mentioned above to mount?

How to update the serial list in Active Directory dynamically?

  • Anderson, who is updating the allowable USB device IDs in the Linux solution? The list is not dynamic, is it? Or does it take human interaction to add to it or to remove from it? I assume you are not looking for "dynamic" in this respect, correct? You just want to be able to tell the Windows OS to allow only the USB UUIDs, or whatever you have in your list, to be the ONLY allowable devices to mount and such? If there's a policy, there is a way to script it to add to the applicable registry keys, etc. A GPO could run at startup and you could potentially even trigger on the USB plug-in event too. Ideas.
    Commented Aug 17, 2021 at 2:36
  • This subject is treated in depth in this Microsoft article and especially in the section of Steps for allowing users to install only authorized devices. This is a rather old document, but please check if it still applies to your setup.
    – harrymc
    Commented Aug 17, 2021 at 9:42
  • @VomitIT-ChunkyMessStyle, many questions... so by steps: 1 - Yes, I update the new serial numbers in a web form. It generates a web page and updates a list of serial numbers like: iwr my_form_serial_numbers.html -OutFile C:\Users\%USER%\AppData\Local\serial.txt; 2 - Yes, but sometimes I will insert or delete new memory stick serial numbers in a web form, and the policy list, or whatever, needs to be updated too. 3 - I want to allow ONLY the listed devices to mount.
    Commented Aug 17, 2021 at 11:09
  • @AndersonFidelis Here's a link that gives the correlated registry path for this feature (admx.help/…). Are you able to get this set up on a test machine with 2 USB drives, only allow 1 via the registry settings, and then test to see if this prevents the 1 you did not allow from installing and being mounted? You have to define this one too though: admx.help/…
    Commented Aug 17, 2021 at 12:03
  • @VomitIT-ChunkyMessStyle, I already know this technique, but my list is in 1234567890 format. In this case I need to type USB\COMPOSITE\1234567890, or something like this. I need to consult the list, regardless of whether it is in dynamic or static mode. And it could impact the Linux application, which is already implemented. WHATEVER, I WILL TEST BEFORE CLOSING AN IDEA. PLEASE, STILL HELP ME
    Commented Aug 17, 2021 at 14:49

1 Answer

The simplest solution would be to use the Task Scheduler to schedule a task that will at a determined time (for example on boot or on login) either:

  • Download and execute a .reg file,
  • Download and execute a script containing REG commands.

To allow installation of devices that match any of these device IDs, use the following registry keys:

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions
Value Name: AllowDeviceIDs
Type: REG_DWORD
Value Data: 0 - Disable, 1 - Enable

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\AllowDeviceIDs
Value Name: 1 (ascending series, followed by 2, 3 etc.)
Type: REG_SZ
Value Data: "Hardware ID of the Device"

Note that the AllowDeviceIDs policy is described by Microsoft as:

This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is allowed to install. Use this policy setting only when the "Prevent installation of devices not described by other policy settings" policy setting is enabled.

Other policy settings that prevent device installation take precedence over this one.

If you enable this policy setting, Windows is allowed to install or update any device whose Plug and Play hardware ID or compatible ID appears in the list you create, unless another policy setting specifically prevents that installation (for example, the "Prevent installation of devices that match any of these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, or the "Prevent installation of removable devices" policy setting).

If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.

If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed.
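The following script is an added example, not code from the answer above or from the asker. It carries out the answer's "scheduled task that downloads and applies a script" idea end to end: it fetches the one-serial-per-line list the question describes, rewrites the numbered REG_SZ entries under the allow key, and enables the "Prevent installation of devices not described by other policy settings" policy that the answer says must accompany the allow list. Because a bare serial number only appears in a device's instance ID (the hardware IDs that AllowDeviceIDs matches carry vendor/product, not serial), the example writes the AllowInstanceIDs key that the question itself names, assuming it has the same layout as the AllowDeviceIDs keys shown in the answer. The list URL, the instance-ID prefix (USB\COMPOSITE\ is taken from the question and must be checked against Get-PnpDevice output for the actual sticks), the cache path and the task name are all assumptions.

```powershell
<#
  Sync-UsbAllowList.ps1  (added example; run elevated)
  Converts a plain serial-number list into DeviceInstall restriction policy entries.
  Assumptions (hypothetical, adjust for your environment):
    - $ListUrl serves one serial per line (the "1234567890" format from the question).
    - $IdPrefix is the instance-ID prefix shown in the question; verify the real prefix with
      Get-PnpDevice -PresentOnly | Select-Object FriendlyName, InstanceId
    - Keys under HKLM\...\DeviceInstall\Restrictions are not also managed by a domain GPO,
      otherwise Group Policy refresh will overwrite what this script writes.
#>
[CmdletBinding()]
param(
    [string]$ListUrl  = 'http://my_form_serial_numbers.html',      # placeholder from the question
    [string]$IdPrefix = 'USB\COMPOSITE\',                          # assumption, see header
    [string]$Cache    = (Join-Path $env:ProgramData 'usb-serials.txt')  # readable when run as SYSTEM
)

$Restrictions = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$AllowKey     = Join-Path $Restrictions 'AllowInstanceIDs'

# 1. Download the list (the iwr step from the question) and keep only plausible serials.
Invoke-WebRequest -Uri $ListUrl -OutFile $Cache -UseBasicParsing
$serials = Get-Content -Path $Cache |
    ForEach-Object { $_.Trim() } |
    Where-Object   { $_ -match '^[A-Za-z0-9&_.-]+$' } |   # drop blank lines and odd characters
    Sort-Object -Unique

if (-not $serials) {
    throw "Allow-list from $ListUrl is empty; refusing to replace the existing policy entries."
}

# 2. Create the keys and enable both policies:
#    DenyUnspecified  = "Prevent installation of devices not described by other policy settings"
#    AllowInstanceIDs = "Allow installation of devices that match any of these device instance IDs"
New-Item -Path $AllowKey -Force | Out-Null
Set-ItemProperty -Path $Restrictions -Name 'DenyUnspecified'  -Type DWord -Value 1
Set-ItemProperty -Path $Restrictions -Name 'AllowInstanceIDs' -Type DWord -Value 1

# 3. Rebuild the numbered entries (1, 2, 3, ...) from scratch so serials removed
#    from the web form also disappear from the policy.
(Get-Item -Path $AllowKey).GetValueNames() |
    Where-Object  { $_ -match '^\d+$' } |
    ForEach-Object { Remove-ItemProperty -Path $AllowKey -Name $_ }

$index = 1
foreach ($serial in $serials) {
    Set-ItemProperty -Path $AllowKey -Name "$index" -Type String -Value ($IdPrefix + $serial)
    $index++
}
Write-Output "Wrote $($serials.Count) allowed device instance IDs to $AllowKey"

# To apply this at boot as SYSTEM (the answer's Task Scheduler approach), register it once:
#   $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
#                -Argument '-ExecutionPolicy Bypass -File C:\ProgramData\Sync-UsbAllowList.ps1'
#   $trigger = New-ScheduledTaskTrigger -AtStartup
#   Register-ScheduledTask -TaskName 'Sync-UsbAllowList' -Action $action -Trigger $trigger `
#                -User 'SYSTEM' -RunLevel Highest
```

Two caveats a practitioner should keep in mind. First, these policies act at driver-installation time, not at mount time: a stick whose driver was installed before the policy was applied keeps working (this matches what the asker later reports in the comments), so already-installed instances have to be removed before the allow list takes effect for them. Second, the script replaces the whole numbered list on every run and refuses to run on an empty download, so a transient web-server failure cannot silently turn the allow list into "deny everything".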

  • I tested, and I have some observations: 1 - the memory stick can only be mounted if I had already installed it before applying the policy; 2 - if I restart the machine with the pendrive plugged in, it mounts regardless of the allowed serial numbers.
    Commented Aug 19, 2021 at 18:56
  • You mean that a device that is plugged in before the computer was rebooted is still mounted and usable? If so, is the policy "Prevent installation of devices not described by other policy settings" enabled?
    – harrymc
    Commented Aug 19, 2021 at 20:07
  • It is still not coming in an easy way. I don't know why, but the computer policies don't work well in my Active Directory :(.
    Commented Aug 26, 2021 at 21:00
