We are currently using Symantec Endpoint Protection's Device Control
Policies to block use of unapproved USB devices on our computers. We'll be
switching to a different antivirus program soon, so I need to replace the
device control functionality.
I've begun testing the Device Installation Restrictions group policy
settings, but it's not working quite as well as I'd hoped. The goal is to
block all USB devices except those that are whitelisted by hardware ID or
device setup class. I've enabled the settings for:
- Allow administrators to override Device Installation Restriction
policies
- Allow installation of devices using drivers that match these device
setup classes
- Allow installation of devices that match any of these device IDs
- Prevent installation of devices not described by other policy settings
The two 'allow installation' settings are configured with a list of hardware
IDs and device setup classes which should be allowed.
In testing, I found that the policies are blocking installation of all
devices, including those which I believe should be allowed.
Some devices I expect to be allowed because they should fall under a
whitelisted device setup class. For example, I added device setup
class {745a17a0-74d3-11d0-b6fe-00a0c90f57da} to the allow list, which
should allow all HID devices. But when I plug in a USB keyboard,
installation is blocked. If I allow that specific keyboard's hardware ID,
it will be installed, and then it changes to appear in Device Manager as an
HID device, which is allowed automatically.
If a device is whitelisted by hardware ID, the initial detection of that
device and hardware ID will be allowed, but then another device appears in
device manager with a different hardware ID (obviously the same hardware,
but detected a bit differently) and that device gets blocked. If I add
that new hardware ID to the whitelist, then another new device appears and
is blocked... In some cases I got about 4-5 layers deep before the device
was fully installed and available for use. It doesn't seem like I should
have to individually allow the hardware IDs listed at each subsequent
level of device detection. Still, while that would be a big pain, it is
possible. My bigger concern here is that the later devices detected and
whitelisted were using very generic hardware IDs, and that by whitelisting
those generic IDs I might end up allowing other devices which do not have
the same hardware ID, but do fit the same generic hardware ID.
Is anyone using these Device Installation Restriction policies in their
environment? If so, did you run into these issues? How did you deal with
them?
Thanks,
Steve Whitcher
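The layered detection described in the post (keyboard devnode, then an HID devnode, then a USB devnode, each with its own identifiers) is the PnP device tree. The script below is an added example, not part of the original post and not vendor-supplied tooling; it assumes the PnpDevice module (Windows 8 / Server 2012 and later) and walks from a matching device up through its parents, printing the hardware IDs, compatible IDs and setup class GUID at each level so you can see which allow entries a given device actually needs and how generic the IDs become higher up. `$NameLike` is a hypothetical parameter chosen for this example.

```powershell
# Walk a device's PnP ancestry and print, at each level, the identifiers that
# the Device Installation Restriction policies match against.
# Assumes the PnpDevice module (Windows 8 / Server 2012 and later); run elevated
# on a machine where the device has already been allowed to install once.
param(
    # Hypothetical parameter: substring of the friendly name to look up.
    [string]$NameLike = 'Keyboard'
)

function Get-DevicePropertyData {
    param([string]$InstanceId, [string]$KeyName)
    $p = Get-PnpDeviceProperty -InstanceId $InstanceId -KeyName $KeyName -ErrorAction SilentlyContinue
    if ($p) { return $p.Data } else { return $null }
}

function Show-DeviceChain {
    param([string]$InstanceId)
    $level = 0
    $current = $InstanceId
    while ($current) {
        $dev = Get-PnpDevice -InstanceId $current -ErrorAction SilentlyContinue
        if (-not $dev) { break }
        $pad = '  ' * $level
        $classGuid = Get-DevicePropertyData $current 'DEVPKEY_Device_ClassGuid'
        Write-Output ("{0}[{1}] {2}" -f $pad, $level, $dev.FriendlyName)
        Write-Output ("{0}    Instance : {1}" -f $pad, $current)
        # The setup class GUID is what the 'device setup classes' allow list compares against.
        Write-Output ("{0}    Class    : {1} {2}" -f $pad, $dev.Class, $classGuid)
        # Hardware IDs, most specific first; an allow entry may match any of them.
        foreach ($id in $dev.HardwareID)   { Write-Output ("{0}    HWID     : {1}" -f $pad, $id) }
        # Compatible IDs are the generic fallbacks (class-level IDs) and are what
        # makes a broad allow entry broad.
        foreach ($id in $dev.CompatibleID) { Write-Output ("{0}    CompatID : {1}" -f $pad, $id) }
        # Move one level up the device tree toward the USB root hub.
        $current = Get-DevicePropertyData $current 'DEVPKEY_Device_Parent'
        $level++
    }
}

# Each matching present device gets its own chain, parents included, so the
# output shows every devnode that must be allowed before the device is usable.
Get-PnpDevice -PresentOnly | Where-Object { $_.FriendlyName -like "*$NameLike*" } |
    ForEach-Object { Show-DeviceChain -InstanceId $_.InstanceId; Write-Output '' }
```

Comparing the chain against the allow lists shows which level is failing to match; the class GUID line at each level is the one to check against the device setup class entries, and the CompatID lines show how far a generic allow entry would reach.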