Chapter 15 – Device Control (USB, Bluetooth, Camera & Removable Storage)
Windows Server Group Policy (GPO) Master Handbook
Chapter 15 – Device Control (USB, Bluetooth, Camera & Removable Storage)
Learning Objectives
Learn how to secure endpoint devices using Group Policy by controlling USB storage, Bluetooth, cameras, microphones, personal hotspots, Internet Connection Sharing (ICS), and device installation.
1. Why Device Control Matters
Device control reduces the risk of malware, data theft, unauthorized peripherals, and accidental data leakage. It is commonly required by ISO 27001, PCI DSS, HIPAA, and other security standards.
2. USB Storage Control
GPO Path: Computer Configuration → Administrative Templates → System → Removable Storage Access. Configure policies to deny read, write, or all access to removable storage devices.
3. Allow Keyboard & Mouse but Block USB Drives
Use Device Installation Restrictions together with Removable Storage Access to allow standard HID devices while preventing USB mass storage devices.
4. Device Installation Restrictions
GPO Path: Computer Configuration → Administrative Templates → System → Device Installation → Device Installation Restrictions. Restrict installation by device IDs, device classes, or removable devices.
5. Bluetooth Control
Disable Bluetooth through Group Policy or device installation restrictions where organizational policy requires it.
6. Camera & Microphone
Disable camera and microphone using Administrative Templates and App Privacy policies when devices are not required.
7. Personal Hotspot & Internet Connection Sharing
Disable Internet Connection Sharing (ICS) and prevent users from sharing mobile data connections in managed environments.
8. BitLocker To Go
Require BitLocker encryption for approved removable drives before allowing write access.
9. PowerShell
Get-PnpDevice
Get-Disk
Get-Volume
Get-BitLockerVolume
Disable-PnpDevice (use carefully)
Enable-PnpDevice
10. Troubleshooting
Verify GPO scope, run gpupdate /force, review gpresult /h, check Device Manager, confirm policy precedence, review Event Viewer, and validate hardware IDs.
11. Best Practices
Allow only approved USB devices, use BitLocker To Go, audit device usage, document approved exceptions, and review policies regularly.
12. Enterprise Scenario
A finance department allows only encrypted USB drives, blocks Bluetooth file transfers, disables webcams on shared desktops, and prevents Internet Connection Sharing on company laptops.
13. Interview Questions
How do you block USB storage but allow keyboard and mouse? What is the difference between Device Installation Restrictions and Removable Storage Access? How do you disable personal hotspots using GPO?
14. Practical Lab
Create a Device Control GPO, block USB storage, allow keyboards and mice, disable Bluetooth, force policy update, and verify using Device Manager and gpresult.
Common Device Control Policies
Policy | Recommended | GPO Path |
All Removable Storage Classes | Deny All Access | System > Removable Storage Access |
Removable Disks: Deny Write | Enabled | System > Removable Storage Access |
Device Installation Restrictions | Enabled | System > Device Installation |
Prevent Installation of Removable Devices | Enabled | Device Installation Restrictions |
Disable Bluetooth | As Required | Device Installation / Vendor Policy |
Disable Camera | As Required | Windows Components > Camera |
Disable Microphone | As Required | Windows Components > App Privacy |
Disable Internet Connection Sharing | Enabled | Network > Network Connections |
Microsoft Learn References
Comments
Post a Comment