As you’ve noted, the built-in policy doesn’t offer a direct "allow specific devices" option. You should be able to narrow down the devices that can install while blocking others by combining more granular device installation restrictions in Group Policy, with a focus on mass storage devices specifically.
- Device Installation Restrictions with Exception Rules

  Configure Device Installation Restrictions:
  - Use Computer Configuration -> Administrative Templates -> System -> Device Installation -> Device Installation Restrictions.
  - Enable "Allow installation of devices that match any of these device IDs". You can create a whitelist of device IDs (VID, PID, etc.) for the USB mass storage devices you want to allow. This requires obtaining the specific IDs for the devices you want to allow.
  - You can explicitly block all USB storage devices by enabling the following:
    - Prevent installation of devices not described by other policy settings
    - Disable automatic installation of mass storage devices (through other related settings).

- Use the "Device Setup Classes" for USB Mass Storage

  To block USB mass storage devices while allowing others (like Bluetooth or keyboard/mouse devices), focus on the Device Setup Classes policy.
  - Use Computer Configuration -> Administrative Templates -> System -> Device Installation -> Device Installation Restrictions.
  - Enable "Allow installation of devices using drivers that match these device setup classes". Add USB (or more specifically USB\VID_xxxx&PID_xxxx for the devices you wish to allow) to the allowed device setup class.

  For blocking mass storage devices, you can block the USB mass storage class and create exceptions for specific IDs.

- Block USB Mass Storage Devices
  - Use Computer Configuration -> Administrative Templates -> System -> Removable Storage Access.
  - Enable "All Removable Storage classes: Deny all access" to prevent unauthorized USB mass storage devices from being used on your systems.

- Use USB Device Filtering

  If you are able to identify the devices you want to allow (e.g., by hardware ID, serial number, or manufacturer), you can specify these devices in a Group Policy Preference or Device Installation Policy to allow them while blocking others.

  You can also set up Group Policy Preferences for registry keys to specifically block USB mass storage devices while excluding devices you know and want to allow.
If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.
hth
Marcin
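The procedure in the answer above, as an added example that is not part of the original post or of any Microsoft documentation: an elevated PowerShell script that collects the hardware IDs of the USB mass storage devices plugged in right now, writes them into the allow list of "Allow installation of devices that match any of these device IDs", allows a few device setup classes by GUID so keyboards, mice and the disk/volume children of the permitted drives can still install, and then enables "Prevent installation of devices not described by other policy settings". It assumes the policies write the registry values under HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions (DenyUnspecified, AllowDeviceIDs, AllowDeviceClasses, each a DWORD switch plus a subkey of the same name holding the entries as values "1", "2", ...); the function names Get-UsbStorageHardwareId and Set-AllowListValue are this example's own. The setup class GUIDs are the standard Windows ones for Keyboard, Mouse, HIDClass, DiskDrive and Volume.

```powershell
# Added example (not the original answer's code). Run elevated on Windows 10/11
# with the USB storage devices you want to permit attached. On a domain member a
# GPO with different values overwrites these keys at the next refresh, so use
# this to prototype, then copy the IDs into the Group Policy object.

$Restrictions = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Get-UsbStorageHardwareId {
    # Hardware IDs (USB\VID_xxxx&PID_xxxx...) of attached USB mass storage devices.
    # USBSTOR is the "USB Mass Storage Device" driver service; hubs and host
    # controllers sit in the same USB setup class but use other services.
    Get-PnpDevice -PresentOnly -Class USB |
        Where-Object { $_.Service -eq 'USBSTOR' } |
        ForEach-Object { $_.HardwareID } |
        Where-Object { $_ -like 'USB\VID_*&PID_*' } |
        Sort-Object -Unique
}

function Set-AllowListValue {
    param([string]$Name, [string[]]$Entries)
    # Assumption: the policy keeps a DWORD switch named $Name and a subkey of the
    # same name whose values "1", "2", ... hold one ID or class GUID each.
    # The subkey is recreated so stale entries from an earlier run do not linger.
    $sub = Join-Path $Restrictions $Name
    if (Test-Path $sub) { Remove-Item -Path $sub -Recurse -Force }
    New-Item -Path $sub -Force | Out-Null
    $n = 1
    foreach ($entry in $Entries) {
        New-ItemProperty -Path $sub -Name ([string]$n) -Value $entry -PropertyType String -Force | Out-Null
        $n++
    }
    Set-ItemProperty -Path $Restrictions -Name $Name -Value 1 -Type DWord
}

$ids = @(Get-UsbStorageHardwareId)
if ($ids.Count -eq 0) { throw 'No USB mass storage device is attached; nothing to allow.' }

New-Item -Path $Restrictions -Force | Out-Null

# 1. Allow the specific drives by hardware ID
#    ("Allow installation of devices that match any of these device IDs").
Set-AllowListValue -Name 'AllowDeviceIDs' -Entries $ids

# 2. Allow setup classes that must keep installing once everything else is denied
#    ("Allow installation of devices using drivers that match these device setup classes").
#    DiskDrive and Volume are needed because a permitted USB stick enumerates a
#    disk and a volume as separate child devices; without them the stick installs
#    but never gets a drive letter. Keyboard/Mouse/HIDClass keep input devices working.
$allowedClasses = @(
    '{4d36e96b-e325-11ce-bfc1-08002be10318}',  # Keyboard
    '{4d36e96f-e325-11ce-bfc1-08002be10318}',  # Mouse
    '{745a17a0-74d3-11d0-b6fe-00a0c90f57da}',  # HIDClass
    '{4d36e967-e325-11ce-bfc1-08002be10318}',  # DiskDrive
    '{71a27cdd-812a-11d0-bec7-08002be2092f}'   # Volume
)
Set-AllowListValue -Name 'AllowDeviceClasses' -Entries $allowedClasses

# 3. Deny installation of anything not matched above
#    ("Prevent installation of devices not described by other policy settings").
Set-ItemProperty -Path $Restrictions -Name 'DenyUnspecified' -Value 1 -Type DWord

# Echo the result so it can be compared with the GPO's values later.
'Allowed hardware IDs:'; $ids
Get-ItemProperty -Path $Restrictions | Select-Object DenyUnspecified, AllowDeviceIDs, AllowDeviceClasses
```

Two caveats worth checking before relying on this: the "prevent installation" settings only stop new driver installs, so a USB stick that was already installed on the machine before the policy applied keeps working until its driver is removed or the "All Removable Storage classes: Deny all access" setting from the answer is applied as well; and the allow list matches on hardware ID, so every unit of the same make and model (same VID/PID) is permitted, not one particular stick, which is a property of the policy rather than of this script.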