Wisconsin Endpoint Management User Group

Hi,

   USB blocking policy is working on application base ya on registry base..

In the other word. If we can change in Registry of USBSTOR. USB will be enable or not..

Regard

Sumit

As per my knowledge it is Application based.

Change registry setting will not change USB blocking status,

I have also think the same but at our discuss with one of the technician, he told me that policy/registry will be change till heartbeat time.. He was a little bit confused on that time. So I want to clear..

Regard

Sumit

I apologise for maybe not understanding the question, but here's some things I do for USB;

I use application and device control, DEVICE control, to block all via a device definition:
*USBSTOR\Disk*
And add that under blocked devices.  I then create exceptions if needed, for devices we wish to allow.
Symantec has already defined things like HID - Human Interface Devices, but my definition above is only for STORAGE devices, like "thumbdrives" or USB sticks, or storage in phones, etc. This way no one can plug a USB stick into their computer and copy files to or from it.

You could use registry control in the APPLICATION control part of SEP's Application and Device control for similar, like they did in a rule set for blocking new Browser Helper Objects:
Create a ruleset and add registry access attempts. You can block or allow reads, block or allow writes, and so on. Here is what they used - they blocked writes to this key ->
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\*\*

You can also use SNAC if you are so licensed.........

OR, you can manually, in regedit, or in a GPO, make a key or area read-only. Group Policies are a good way to manage the registry, and you can create custom policies and let your domain manage it for you.
 

I know it's good way to manage the "USB block policy" threw Group Policy but when We are change in the registry setting of USBSTOR. Pendrive will be accessible.

I want to confirm that same problem is in SEPM or not??

If the SEP USB policy is working threw USBSTOR Registry. So any of Engg can access the pen drive there..!!

Well, you can use Group Policy to block USB or to make USB read only.

Make sure you make 

: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies\*

Read only using SEP Application Control.

If you block using application control the only way to allow USB would be to stop smc even domain admins cannot use USB if blocked by SEP.

I am also satisfy with your words but one of the technician told me that application is control by USB Registry..

If we can change the value of USBSTOR. Pendrive access till Next Heartbeat..

So I have raised this form for proper confirmation.

Which registry ?

UsbStor Registry

SEP works on OS Level not on registry level 

If you apply USB block policy via AD GPO then if users change it via registry 

If its done via SEP you cannot change it via Registry

Thanks a lot for the Confirmation..