| 1 | +--- |
| 2 | +# required metadata |
| 3 | + |
| 4 | +title: Restrict USB devices using administrative templates in Microsoft Intune |
| 5 | +description: Use Administrative templates in Microsoft Intune to restrict USB devices, including thumb drives, flash drives, USB cameras, and more. Use other settings to allow specific USB devices on Windows 10/11 devices. |
| 6 | +keywords: |
| 7 | +author: MandiOhlinger |
| 8 | +ms.author: mandia |
| 9 | +manager: dougeby |
| 10 | +ms.date: 03/30/2022 |
| 11 | +ms.topic: how-to |
| 12 | +ms.service: microsoft-intune |
| 13 | +ms.subservice: configuration |
| 14 | +ms.localizationpriority: high |
| 15 | +ms.technology: |
| 16 | + |
| 17 | +# optional metadata |
| 18 | + |
| 19 | +#ROBOTS: |
| 20 | +#audience: |
| 21 | + |
| 22 | +ms.reviewer: mikedano, kufang |
| 23 | +ms.suite: ems |
| 24 | +search.appverid: MET150 |
| 25 | +#ms.tgt_pltfrm: |
| 26 | +ms.custom: intune-azure |
| 27 | +ms.collection: M365-identity-device-management |
| 28 | +--- |
| 29 | + |
| 30 | +# Restrict USB devices and allow specific USB devices using Administrative Templates in Microsoft Intune |
| 31 | + |
| 32 | +Many organizations want to block specific types of USB devices, such as USB flash drives or cameras. You may also want to allow specific USB devices, such as a keyboard or mouse. |
| 33 | + |
| 34 | +You can use Administrative Templates (ADMX) templates to configure these settings in a policy, and then deploy this policy to your Windows devices. For more information on Administrative Templates, and what they are, see [Use Windows 10/11 templates to configure group policy settings in Microsoft Intune](administrative-templates-windows.md). |
| 35 | + |
| 36 | +This article shows you how to create an ADMX policy with USB settings, and use a log file to troubleshoot devices that shouldn't be blocked. |
| 37 | + |
| 38 | +Applies to: |
| 39 | + |
| 40 | +- Windows 11 |
| 41 | +- Windows 10 |
| 42 | + |
| 43 | +## Create the profile |
| 44 | + |
| 45 | +1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). |
| 46 | +2. Select **Devices** > **Configuration profiles** > **Create profile**. |
| 47 | +3. Enter the following properties: |
| 48 | + |
| 49 | + - **Platform**: Select **Windows 10 and later**. |
| 50 | + - **Profile type**: Select **Templates** > **Administrative Templates**. |
| 51 | + |
| 52 | +4. Select **Create**. |
| 53 | +5. In **Basics**, enter the following properties: |
| 54 | + |
| 55 | + - **Name**: Enter a descriptive name for the profile. For example, enter **Restrict USB devices**. |
| 56 | + - **Description**: Enter a description for the profile. This setting is optional, but recommended. |
| 57 | + |
| 58 | +6. Select **Next**. |
| 59 | +7. In **Configuration settings**, configure the following settings: |
| 60 | + |
| 61 | + - **Prevent installation of devices not described by other policy settings**: Select **Enabled** > **OK**: |
| 62 | + |
| 63 | + :::image type="content" source="media/administrative-templates-restrict-usb/prevent-installation-of-devices-not-described-setting.png" alt-text="In Intune and Endpoint Manager, set the Prevent installation of devices not described by other policy settings setting to Enabled."::: |
| 64 | + |
| 65 | + - **Allow installation of devices using drivers that match these device setup classes**: Select **Enabled**. Then, add the [class GUID of the device classes](/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors) you want to allow. |
| 66 | + |
| 67 | + In the following example, the **Keyboard**, **Mouse**, and **Multimedia** classes are allowed: |
| 68 | + |
| 69 | + :::image type="content" source="media/administrative-templates-restrict-usb/allow-installation-of-devices-using-drivers-setting.png" alt-text="In Intune and Endpoint Manager, set the Allow installation of devices using drivers that match these device setup classes setting, and add your class GUIDs."::: |
| 70 | + |
| 71 | + Select **OK**. |
| 72 | + |
| 73 | + - **Allow installation of devices that match any of these Device IDs**: Select **Enabled**. Then, add the device/hardware IDs for devices you want to allow: |
| 74 | + |
| 75 | + :::image type="content" source="media/administrative-templates-restrict-usb/allow-installation-of-devices-that-match-setting.png" alt-text="In Intune and Endpoint Manager, set the Allow installation of devices that match any of these Device IDs setting, and add your hardware IDs."::: |
| 76 | + |
| 77 | + To get the device/hardware ID, you can use Device Manager, find the device, and look at the properties. For the specific steps, see [find the hardware ID on a Windows device](/windows-hardware/drivers/install/hardware-ids). |
| 78 | + |
| 79 | + There's also some helpful device ID information at [Microsoft Defender for Endpoint Device Control Device Installation: Deploying and managing policy via Intune](/microsoft-365/security/defender-endpoint/mde-device-control-device-installation#deploying-and-managing-policy-via-intune). |
| 80 | + |
| 81 | + Select **OK**. |
| 82 | + |
| 83 | +8. Select **Next**. |
| 84 | +9. In **Scope tags** (optional), assign a tag to filter the profile to specific IT groups, such as `US-NC IT Team` or `JohnGlenn_ITDepartment`. For more information about scope tags, see [Use role-based access control (RBAC) and scope tags for distributed IT](../fundamentals/scope-tags.md). |
| 85 | + |
| 86 | + Select **Next**. |
| 87 | + |
| 88 | +10. In **Assignments**, select the device groups that will receive the profile. Select **Next**. |
| 89 | + |
| 90 | +11. In **Review + create**, review your settings. When you select **Create**, your changes are saved and the profile is assigned. |
| 91 | + |
| 92 | +## Verify on Windows devices |
| 93 | + |
| 94 | +After the device configuration profile is deployed to your targeted devices, you can confirm that it works correctly. |
| 95 | + |
| 96 | +If a USB device is blocked from installing, then you see a message similar to the following message: |
| 97 | + |
| 98 | +`The installation of this device is forbidden by system policy. Contact your system administrator.` |
| 99 | + |
| 100 | +In the following example, the iPad is blocked because its device ID isn't in the allowed device ID list: |
| 101 | + |
| 102 | +:::image type="content" source="media/administrative-templates-restrict-usb/device-status.png" alt-text="Device blocked by group policy."::: |
| 103 | + |
| 104 | +## A device is blocked but should be allowed |
| 105 | + |
| 106 | +Some USB devices have multiple GUIDs, and it's common to miss some GUIDs in your policy settings. As a result, a USB device that's allowed in your settings, might be blocked on the device. |
| 107 | + |
| 108 | +In the following example, in the **Allow installation of devices using drivers that match these device setup classes** setting, the Multimedia class GUID is entered, and the camera is blocked: |
| 109 | + |
| 110 | +:::image type="content" source="media/administrative-templates-restrict-usb/camera-blocked.png" alt-text="Windows can't find your camera message on a Windows device."::: |
| 111 | + |
| 112 | +:::image type="content" source="media/administrative-templates-restrict-usb/cam-blocked.png" alt-text="The camera is blocked by group policy message on a Windows device."::: |
| 113 | + |
| 114 | +**Resolution**: |
| 115 | + |
| 116 | +To find the GUID of your device, use the following steps: |
| 117 | + |
| 118 | +1. On the device, open the `%windir%\inf\setupapi.dev.log` file. |
| 119 | +2. In the file: |
| 120 | + |
| 121 | + 1. Search for **Restricted installation of devices not described by policy**. |
| 122 | + 2. In this section, find the `Class GUID of device changed to: {GUID}` text. This `{GUID}` needs added to your policy. |
| 123 | + |
| 124 | + In the following example, you see the `Class GUID of device changed to: {36fc9e60-c465-11cf-8056-444553540000}` text: |
| 125 | + |
| 126 | + ```log |
| 127 | + >>> [Device Install (Hardware initiated) - USB\VID_046D&PID_C534\5&bd89ed7&0&2] |
| 128 | + >>> Section start 2020/01/20 17:26:03.547 |
| 129 | + dvi: {Build Driver List} 17:26:03.597 |
| 130 | + … |
| 131 | + dvi: {Build Driver List - exit(0x00000000)} 17:26:03.645 |
| 132 | + dvi: {DIF_SELECTBESTCOMPATDRV} 17:26:03.647 |
| 133 | + dvi: Default installer: Enter 17:26:03.647 |
| 134 | + dvi: {Select Best Driver} |
| 135 | + dvi: Class GUID of device changed to: {36fc9e60-c465-11cf-8056-444553540000}. |
| 136 | + dvi: Selected Driver: |
| 137 | + dvi: Description - USB Composite Device |
| 138 | + dvi: InfFile - c:\windows\system32\driverstore\filerepository\usb.inf_amd64_9646056539e4be37\usb.inf |
| 139 | + dvi: Section - Composite.Dev |
| 140 | + dvi: {Select Best Driver - exit(0x00000000)} |
| 141 | + dvi: Default installer: Exit |
| 142 | + dvi: {DIF_SELECTBESTCOMPATDRV - exit(0x00000000)} 17:26:03.664 |
| 143 | + dvi: {Core Device Install} 17:26:03.666 |
| 144 | + dvi: {Install Device - USB\VID_046D&PID_C534\5&BD89ED7&0&2} 17:26:03.667 |
| 145 | + dvi: Device Status: 0x01806400, Problem: 0x1 (0xc0000361) |
| 146 | + dvi: Parent device: USB\ROOT_HUB30\4&278ca476&0&0 |
| 147 | + !!! pol: The device is explicitly restricted by the following policy settings: |
| 148 | + !!! pol: [-] Restricted installation of devices not described by policy |
| 149 | + !!! pol: {Device installation policy check [USB\VID_046D&PID_C534\5&BD89ED7&0&2] exit(0xe0000248)} |
| 150 | + !!! dvi: Installation of device is blocked by policy! |
| 151 | + ! dvi: Queueing up error report for device install failure. |
| 152 | + dvi: {Install Device - exit(0xe0000248)} 17:26:03.692 |
| 153 | + dvi: {Core Device Install - exit(0xe0000248)} 17:26:03.694 |
| 154 | + <<< Section end 2020/01/20 17:26:03.697 |
| 155 | + <<< [Exit status: FAILURE(0xe0000248)] |
| 156 | + ``` |
| 157 | +
|
| 158 | +3. In the device configuration profile, go to the **Allow installation of devices using drivers that match these device setup classes** setting, and add the class GUID from the log file. |
| 159 | +4. If the issue continues, repeat these steps to add the other class GUIDs until the device is successfully installed. |
| 160 | +
|
| 161 | + In our example, the following class GUIDs are added to the device profile: |
| 162 | +
|
| 163 | + - USB Bus devices (hubs and host controllers): `{36fc9e60-c465-11cf-8056-444553540000}` |
| 164 | + - Human Interface Devices (HID): `{745a17a0-74d3-11d0-b6fe-00a0c90f57da}` |
| 165 | + - Camera devices: `{ca3e7ab9-b4c3-4ae6-8251-579ef933890f}` |
| 166 | + - Imaging devices: `{6bdd1fc6-810f-11d0-bec7-08002be2092f}` |
| 167 | +
|
| 168 | +## Common class GUIDs to allow USB devices |
| 169 | +
|
| 170 | +- **Keyboard and mouse**: Add the following GUIDs to the device profile: |
| 171 | +
|
| 172 | + - Keyboard: `{4d36e96b-e325-11ce-bfc1-08002be10318}` |
| 173 | + - Mouse: `{4d36e96f-e325-11ce-bfc1-08002be10318}` |
| 174 | +
|
| 175 | +- **Cameras, headphones and microphones**: Add the following GUIDs to the device profile: |
| 176 | +
|
| 177 | + - USB Bus devices (hubs and host controllers): `{36fc9e60-c465-11cf-8056-444553540000}` |
| 178 | + - Human Interface Devices (HID): `{745a17a0-74d3-11d0-b6fe-00a0c90f57da}` |
| 179 | + - Multimedia devices: `{4d36e96c-e325-11ce-bfc1-08002be10318}` |
| 180 | + - Camera devices: `{ca3e7ab9-b4c3-4ae6-8251-579ef933890f}` |
| 181 | + - Imaging devices: `{6bdd1fc6-810f-11d0-bec7-08002be2092f}` |
| 182 | + - System devices: `{4D36E97D-E325-11CE-BFC1-08002BE10318}` |
| 183 | + - Biometric devices: `{53d29ef7-377c-4d14-864b-eb3a85769359}` |
| 184 | + - Generic software devices: `{62f9c741-b25a-46ce-b54c-9bccce08b6f2}` |
| 185 | +
|
| 186 | +- **3.5 mm headphones**: Add the following GUIDs to the device profile: |
| 187 | +
|
| 188 | + - Multimedia devices: `{4d36e96c-e325-11ce-bfc1-08002be10318}` |
| 189 | + - Audio endpoint: `{c166523c-fe0c-4a94-a586-f1a80cfbbf3e}` |
| 190 | +
|
| 191 | +> [!NOTE] |
| 192 | +> The actual GUIDs may be different for your specific devices. |
| 193 | +
|
| 194 | +## Next steps |
| 195 | +
|
| 196 | +[Learn more about ADMX templates in Microsoft Intune](administrative-templates-windows.md) |
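Review bot: Step 7 under "Create the profile" should state that **Prevent installation of devices not described by other policy settings** is not USB-specific: once it is Enabled, any device that does not match one of the allow settings is blocked, so readers should pilot the profile on a small device group before assigning it broadly in step 10. Step 4 of the "Resolution" procedure ("repeat these steps to add the other class GUIDs until the device is successfully installed") would benefit from a sentence noting that each setup class added to **Allow installation of devices using drivers that match these device setup classes** permits every device in that class, not just the one being troubleshot; the "Common class GUIDs" list includes broad classes such as System devices and Generic software devices, so the note at the end should encourage allowing only the classes a device actually needs. Two small fixes: in step 2.2 of "Resolution", "This `{GUID}` needs added to your policy" should read "This `{GUID}` needs to be added to your policy", and the sentence "a USB device that's allowed in your settings, might be blocked on the device" has a stray comma. For consistency, the System devices GUID `{4D36E97D-E325-11CE-BFC1-08002BE10318}` is the only one in the list written in uppercase; the others are lowercase.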