Issue:
How do I configure Device control so that all USB devices are blocked unless they are whitelisted by their Hardware ID or Instance ID?
Resolution:
Create rules for the relevant USB device classes with the access level set to Block, then add a whitelist rule that allows the specific USB devices by their Instance ID.
For a list of USB device classes, see this page:
https://en.wikipedia.org/wiki/USB (scroll down to Device classes)
Once the class is blocked, create another rule that whitelists the specific devices by their Instance ID and Hardware ID.
For Elements Endpoint Protection for Computers and Servers, you can restrict how users access USB devices (for example, web cams and hard disks) and whether removable mass storage devices are allowed to run installers.
To set up Elements Endpoint Protection Device control to disallow all USB mass storage devices:
- Log in to the Elements Security Center portal: https://elements.withsecure.com
- Navigate to the Security configurations > Profiles page
- Select the profile that is in use on the devices
- Go to the Device control settings page
- Turn Device control on.
- Note: When Device control is on, all devices connected to the computer are listed under Connected devices on the Environment > Devices page
- Scroll down to the Device access rules table and, on the USB Mass Storage Devices row, click the Access to device column and set it to Block
- Scroll up to the Device filtering rules table, click Add rule, and enter the Instance ID of the USB storage device you want to allow
- To get the IDs you need, run the following PowerShell command on the computer with the device attached: Get-PnpDevice -Class USB | Select-Object Name, InstanceId, HardwareID
- Click Save profile
If you only want to block write or execute access for USB mass storage devices, turn off one of the following options in the Removable mass storage devices section of the profile settings:
- Allow write access - when this option is off, users cannot copy files to a removable mass storage device; they can only read data from it.
- Allow executables to run - when this option is off, files cannot be executed from removable mass storage devices.
Note: For USB devices, the Device ID can also be viewed in Windows Device Manager:
Device Manager > Disk drives > USB partition
The reason for checking under Disk drives is that a USB device inserted into a PC is not necessarily detected as a single device in Windows, because the drive may contain several partitions. If a flash drive has several partitions, it is detected as a "USB Mass Storage Device" and, in addition, every partition is presented as a separate device under Disk drives. This is reflected in Policy Manager alerts and in Elements Security Events.
For Business Suite Client Security and Server Security:
To block USB mass storage devices:
- Log in to the Policy Manager Console
- Select a host or policy domain from the domain tree
- Go to the Settings tab
- Go to the Windows > Device control settings page
- Enable Device Control by checking the box for Device control enabled
- Scroll down to the Device access rules table
- In the USB Mass Storage Devices row, change the Access level column to be Blocked
To allow a specific USB device:
- Click Add on the right side of the Device access rules table
- Set the rule as Active
- Enter a Display name for the rule
- Enter the Instance ID of the USB device in the Hardware ID column
- To get the IDs you need, run the following PowerShell command on the host with the device attached: Get-PnpDevice -Class USB | Select-Object Name, InstanceId, HardwareID
- Set the Access level for the rule to be Full access
- Distribute the policy (Ctrl+D)
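The ID-gathering step used in both procedures above (the Elements profile and the Business Suite policy) as an added PowerShell example. This is not code from the WithSecure article or from the products; it only wraps the Get-PnpDevice command the article gives. It assumes Windows 8 / Server 2012 or later with the built-in PnpDevice module, and the function name Get-UsbStorageAllowlistCandidates and its -ExportCsv parameter are assumptions. It lists every attached USB mass storage node with the Instance ID and Hardware ID a rule needs, shows the USBSTOR disk(s) behind each node (the Disk drives entries the note above refers to), and flags Instance IDs that Windows generated for devices without a serial number, because such IDs change with the USB port and do not make a reliable per-device allow rule.

```powershell
# Added example, not from the WithSecure article. Collects the IDs a Device control
# allow rule needs for every USB mass storage device that is currently attached.
# Assumes Windows 8 / Server 2012 or later (Get-PnpDevice, Get-PnpDeviceProperty).

function Get-UsbStorageAllowlistCandidates {
    [CmdletBinding()]
    param(
        # Hypothetical parameter: optional CSV path to write the results to.
        [string]$ExportCsv
    )

    # Class USB holds the "USB Mass Storage Device" node whose Instance ID has the form
    # USB\VID_xxxx&PID_xxxx\<serial>. This is the ID the article tells you to enter.
    $massStorage = Get-PnpDevice -Class USB -PresentOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.FriendlyName -like '*Mass Storage*' }

    # Class DiskDrive holds the disk(s) behind that node (USBSTOR\...). Several disks can
    # sit behind one node (card readers, multi-LUN sticks), which is why the article
    # also points at Device Manager > Disk drives. DEVPKEY_Device_Parent links each
    # disk back to its mass storage node.
    $usbDisks = Get-PnpDevice -Class DiskDrive -PresentOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.InstanceId -like 'USBSTOR\*' } |
        ForEach-Object {
            $parent = (Get-PnpDeviceProperty -InstanceId $_.InstanceId `
                -KeyName 'DEVPKEY_Device_Parent' -ErrorAction SilentlyContinue).Data
            [pscustomobject]@{ Disk = $_; Parent = [string]$parent }
        }

    $results = foreach ($dev in $massStorage) {
        $serial = $dev.InstanceId.Split('\')[-1]

        # A serial segment containing '&' was generated by Windows because the device
        # reports no serial number. It then depends on the USB port, so an allow rule
        # built on it stops matching when the stick is moved to another port.
        $portDependent = $serial -match '&'

        # Hardware IDs carry only vendor/product/revision and are shared by every unit
        # of the same model, so a rule on a Hardware ID allows the whole model.
        $hwIds = @($dev.HardwareID) -join ';'

        $disks = $usbDisks |
            Where-Object { $_.Parent -eq $dev.InstanceId } |
            ForEach-Object { $_.Disk.InstanceId }

        [pscustomobject]@{
            Name            = $dev.FriendlyName
            InstanceId      = $dev.InstanceId
            HardwareID      = $hwIds
            SerialSegment   = $serial
            PortDependentId = $portDependent
            DiskInstanceIds = (@($disks) -join ';')
            Status          = $dev.Status
        }
    }

    if ($ExportCsv) {
        $results | Export-Csv -Path $ExportCsv -NoTypeInformation -Encoding UTF8
    }
    $results
}

# Usage: list what is attached now and warn about IDs that will not hold a per-unit rule.
$candidates = Get-UsbStorageAllowlistCandidates
$candidates | Format-Table Name, InstanceId, HardwareID, PortDependentId -AutoSize
$candidates | Where-Object { $_.PortDependentId } | ForEach-Object {
    Write-Warning "$($_.Name): '$($_.InstanceId)' has no device serial; the rule is port-specific."
}
```

Run it on the endpoint with the device plugged in (Get-PnpDevice only sees locally attached devices) and copy the InstanceId value into the Instance ID field (Elements) or the Hardware ID column (Policy Manager) of the allow rule. Prefer the Instance ID over the Hardware ID when the intent is to allow one physical device rather than every device of that model, and treat any row flagged PortDependentId as a device that cannot be reliably whitelisted per unit.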
Devices can also report device IDs to the Policy Manager:
- Log in to the Policy Manager Console
- Select a host or policy domain from the domain tree
- Go to the Settings tab
- Go to the Windows > Device control settings page
- Enable Report installed devices
- Distribute the policy (Ctrl+D)
Now when you select the specific host from the policy domain tree, you can click on the View devices link in the Windows > Device control settings page to view a list of devices.
Article no: 000012859