(imported topic written by SystemAdmin)
Hello,
I want to disable all usb devices and only want to allow kingston usb’s to work. Can any one tell what fixlet will I write for this?
(imported topic written by SystemAdmin)
Hello,
I want to disable all usb devices and only want to allow kingston usb’s to work. Can any one tell what fixlet will I write for this?
(imported comment written by trekuhl91)
I am not sure about the fixlet. what i have used in the past and may be an easier solution may be to use GPO to push a policy allowing only specific hardware IDs of USB devices to be used. assuming you use a windows domain. If you are not, then they could also simply overwrite local GPO with admin rights at any rate, depending on how savvy your users are.
(imported comment written by bxk)
Since the GPO modifies registry keys, it’s pretty easy to write a fixlet to do this and enforce that the settings don’t get change. A GPO would only re-evaluate these keys at it’s reapplication interval and it would require all machines to be in AD.
To make the fixlet, I’d suggest doing the following:
Once we’ve set the local computers restriction and tested them, export the registry keys the mmc actually modifies. Some quick editing showed it to be HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions
Use the TEM Windows registry wizard. Follow the prompts and have it use the .reg file that you saved when exporting the registry keys.
Create relevance that will re-evaluate as true, if any of the keys do not exist or are not set to the correct value
Deploy the action to another test machine and ensure it relevances to false when the keys are applied correctly.
Deploy the action as a policy that reapplies the action when it becomes relevance again.