The following article will show you how to block all other USB devices except for the drives you whitelist. For reference, a list of Device IDs for Datalocker devices can be found HERE.


In this example we will apply the changes using the Local Group Policy Editor. Please refer to Microsoft or your Windows administrator before deploying these changes network-wide, as an incorrect GPO can have a major impact on your domain.


Open your local Group Policy Editor by running gpedit.msc


The policies that we will be modifying are under COMPUTER CONFIGURATION > ADMINISTRATIVE TEMPLATES > SYSTEM > DEVICE INSTALLATION > DEVICE INSTALLATION RESTRICTIONS



The first Policy that we will enable is "Prevent installation of devices not described by other policy settings"



You will just need to select "Enabled" and then click "OK".


The next policy is "Display a custom message when installation is prevented by a policy setting." This policy is optional but will help recognize when a device is blocked with the group policy.




Select "Enabled" and enter the text that you want displayed when the policy blocks a device.


The final group policy is "Allow installation of devices that match any of these device IDs"


Select "Enabled" and then click "Show..." below.


This is where you will enter the device IDs (hardware IDs) for the devices that you would like to allow. In this example the Sentry 3.0 is whitelisted. You will need all three lines to whitelist the Sentry 3.0. Most devices will need more than one entry for full compatibility. Put all the Device IDs you want to whitelist in this box.


You can use Device Manager to find the Hardware IDs. The top Hardware ID is what is needed. This screenshot shows one of the Hardware IDs for the Sentry 2.0 FIPS.



The best practice for making sure you get all the Hardware IDs is to enable the above group policies on a new computer that has not been connected to the device you want to whitelist. Then go through Device Manager and whitelist everything that gets blocked. This video goes through one such example:



You will need to repeat this process for all your SafeConsole Ready devices as well as ALL other devices you want to allow in your policy.
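The following PowerShell script is an added example, not part of the original article or a Datalocker tool. It automates the Device Manager step above: it lists the hardware IDs of every connected USB device and checks which ones are still missing from the "Allow installation of devices that match any of these device IDs" list. It assumes the Local Group Policy Editor writes these policies to the registry key named in `$PolicyKey`, and should be run from an elevated PowerShell prompt after the three policies have been applied.

```powershell
# Added example (not from the article). Assumes the three Device Installation
# Restrictions policies are stored by gpedit under this registry key.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Get-UsbHardwareIds {
    # One row per connected USB / USBSTOR device with its full hardware ID list.
    # A single drive typically enumerates as several devices, which is why the
    # article says more than one ID line is needed per drive.
    Get-PnpDevice -PresentOnly |
        Where-Object { $_.InstanceId -like 'USB\*' -or $_.InstanceId -like 'USBSTOR\*' } |
        ForEach-Object {
            $ids = (Get-PnpDeviceProperty -InstanceId $_.InstanceId `
                        -KeyName 'DEVPKEY_Device_HardwareIds').Data
            [pscustomobject]@{
                FriendlyName   = $_.FriendlyName
                Class          = $_.Class
                Status         = $_.Status     # 'Error' usually means installation was prevented
                TopHardwareId  = @($ids)[0]    # the "top" ID Device Manager shows
                AllHardwareIds = @($ids)
            }
        }
}

function Get-AllowedDeviceIds {
    # The allow list is stored as REG_SZ values named 1, 2, 3 ... under AllowDeviceIDs.
    $key = Join-Path $PolicyKey 'AllowDeviceIDs'
    if (-not (Test-Path $key)) { return @() }
    (Get-ItemProperty $key).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { $_.Value }
}

# "Prevent installation of devices not described by other policy settings" = DenyUnspecified.
$denyUnspecified = (Get-ItemProperty $PolicyKey -ErrorAction SilentlyContinue).DenyUnspecified
if ($denyUnspecified -ne 1) {
    Write-Warning 'The "Prevent installation of devices not described by other policy settings" policy is not enabled.'
}

$allowed = Get-AllowedDeviceIds
foreach ($dev in Get-UsbHardwareIds) {
    # A device is covered when any of its hardware IDs is in the allow list (-contains is case-insensitive).
    $covered = @($dev.AllHardwareIds | Where-Object { $allowed -contains $_ }).Count -gt 0
    $dev | Add-Member -NotePropertyName Whitelisted -NotePropertyValue $covered -PassThru |
        Select-Object FriendlyName, Class, Status, Whitelisted, TopHardwareId
}
```

Rows showing `Whitelisted = False` are the entries that still need to be added to the "Show..." list for that device to work on a machine where the block policy is enforced.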