Forum Discussion
MDE Device Control Prevent installation of removable devices
Hello All,
We had configured a Device Control policy restricting removable device installations under Device Installation Restrictions > Prevent installation of removable devices (Enabled). This blocked new PnP device installations, including USB keyboards and mice.
We have since reverted the setting to Not Configured and removed all assignments. However, one device is still unable to install new USB keyboards/mice. A hunting script check in MDE shows no blocking alerts.
Could someone guide us on how to verify if any residual Device Control settings are still affecting the device? Is there a registry key where we can review and remove this setting locally?
Appreciate your assistance. Thanks.
3 Replies
Hi drivesafely!
The policy might not have been fully reverted.
To check if any residual Device Control settings are still affecting the device, you can try looking in the registry. Check the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor. If the value is set to 0, that would prevent USB devices from being installed. You can change it to 1 to allow installation. Also, make sure there are no other conflicting group policies or local security settings. After that, reboot the device and check again.
Hope it helps!
Hello luchete
Thanks for your response.
Can you please provide the name of which key value should be set to 1 to allow installation at the location "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor" ?
The value of "Start" key is 3, which mean it is allowed.
Thanks again.
Good morning drivesafely!
The key I'm referring to in the registry is the same you provided: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor, should have its Start value set to 3 to allow USB devices to be installed.
As you've mentioned if the Start key is already set to 3, then it is correct for allowing installation.
Since that it is ok, I would suggest verifying if there are any other policies or restrictions applied at the group policy or local security level that might be interfering with USB installations. Sometimes other settings, like "Prevent installation of devices not described by other policy settings," could also have an impact.
In case you don't know the location it would be:
Open the Group Policy Editor (Windows + R, type gpedit.msc,). From there, navigate to Computer Configuration, then Administrative Templates, followed by System, Device Installation, and finally Device Installation Restrictions. Look for the policy called "Prevent installation of devices not described by other policy settings". If it's enabled, change it to Not Configured or Disabled to allow USB devices. Once done, restart your computer or run gpupdate /force in Command Prompt to apply the changes.
Additionally, another thing that comes to my mind is that you can check if any other security software or endpoint protection solution is enforcing restrictions on USB devices.
For that you can look into the settings of any antivirus or endpoint protection software installed on the device. Open the security software’s main interface and look for any device control or USB management settings. These settings often allow or block USB devices based on predefined rules. If there are any restrictions in place, you can disable them or adjust the settings to allow USB devices. If you’re using a centralized endpoint protection solution, you might need to check with your IT team to ensure no policies are blocking USB devices in case you dont have access/permissions to do it.
Let me know how it goes or we can keep finding more ideas to resolve your issue,
Regards,
