Goal
Use the Windows USB Policy to control USB storage access and USB device installation on Windows endpoints. With this policy you can:
Block all removable storage (USB flash drives, external HDD/SSD, SD-card readers, smartphones in Mass Storage mode, etc.).
Allowlist specific USB devices by hardware ID (VID/PID).
Allowlist whole device setup classes (for example, imaging devices / scanners).
Optionally prevent installation of any USB device that is not explicitly allowlisted.
This helps stop data exfiltration, malware sideloading, and unauthorized peripherals while still allowing business‑critical devices such as check scanners, printers, or card readers.
1. Prerequisites
| Requirement | Details |
| --- | --- |
| Supported editions | Windows 10 or later |
| Minimum Windows SKUs | Windows 10 Pro, Enterprise, Education, SE, IoT Enterprise / IoT Enterprise LTSC (10+) |
| Minimum for allowlisting | Some settings additionally require Windows 10 version 1809+ or Windows 11 (see fields below) |
| BYOD limitation | Intended for company‑owned Windows devices |
| Swif Agent | v1.102+ (auto‑updates) |
| Local rights | No end‑user admin rights required; the Swif MDM service enforces policy |
2. Add the Windows USB Policy
Go to Device Management ▸ Policies.
Click Add Policy.
Select Windows USB Policy ▸ Configure.
(Optional) Give the policy a clear Name and Description (for example: “USB – Block All Except Check Scanners”).
Adjust the settings described below.
Click Continue, assign the policy to devices or groups (for example, finance laptops, kiosks, or a specific machine), and Publish.
3. Available settings
3.1 Block the Removable Disk
Field name in API: removableStorageClassesDenyAllAccess2
UI label: Block the Removable Disk
Type: Boolean (True / False)
Minimum Windows:
Windows 10 Pro / Enterprise / Education / SE / IoT Enterprise 10+
What it does
True – Disables Windows’ removable‑storage class driver. Newly attached USB mass‑storage devices are rejected, and existing removable drives are ejected.
False – Allows removable drives as normal.
This targets Windows’ USBSTOR driver and Storage class GUIDs. It does not block:
USB keyboards and mice
Webcams
USB network adapters
Security dongles
USB charging (power only)
Refresh behavior
Policy is refreshed every ~15 minutes or on reboot.
No reboot is required to start blocking removable storage.
If you later unblock removable storage on a device that was actively using a USB drive, a reboot may be required for Windows to fully re‑enable the driver.
3.2 Allowed Device Hardware IDs
Field name: allowedDeviceIDs
UI label: Allowed Device Hardware IDs
Type: List of strings
Value format: USB\VID_xxxx&PID_yyyy (for example: USB\VID_04E6&PID_5116)
Minimum Windows:
Windows 10 version 1809+
Windows 10 Enterprise / Education
Windows 10 IoT Enterprise / IoT Enterprise LTSC
What it does
A list of Plug and Play hardware IDs for devices that Windows is allowed to install. Use this to allowlist specific USB peripherals while keeping other devices blocked.
Typical use cases:
Allow a Chase bank check scanner on a teller’s PC while blocking other USB storage.
Allow a specific USB smart‑card reader for authentication.
Allow a particular USB printer on a kiosk or front‑desk machine.
If combined with blocking/removal or installation‑prevention rules, Windows will:
Permit devices whose hardware ID matches one of the entries.
Apply the broader block to everything else (depending on other settings).
How to find a device’s hardware ID
On a Windows device where the peripheral is allowed to install:
Open Device Manager.
Find the device (for example, under Imaging devices, Universal Serial Bus controllers, or the relevant category).
Right‑click the device ▸ Properties.
Go to the Details tab.
From the Property dropdown, select Hardware Ids.
Copy one of the full values (for example, USB\VID_04E6&PID_5116&REV_0200).
In Swif, paste only the portion up to the VID and PID, e.g. USB\VID_04E6&PID_5116
Add this string to the Allowed Device Hardware IDs list in the policy.
3.3 Allowed Device Setup Classes
Field name: allowedDeviceSetupClasses
UI label: Allowed Device Setup Classes
Type: List of strings
Value format: Device setup class GUIDs surrounded by curly braces.
Example:
{6bdd1fc6-810f-11d0-bec7-08002be2092f} – Imaging devices
Minimum Windows:
Windows 10 version 1809+
Windows 10 Enterprise / Education
Windows 10 IoT Enterprise / IoT Enterprise LTSC
What it does
A list of device setup class GUIDs that Windows is allowed to install. Use this to allowlist entire categories of devices, such as:
All imaging devices (scanners, some cameras).
All printers of a particular class.
This is useful when:
You want to allow a broad set of business devices (for example, all scanners used in your branches).
You don’t want to maintain a long allowlist of individual hardware IDs.
How to find a device’s setup class GUID
On a Windows device, open Device Manager.
Right‑click the device ▸ Properties.
Go to the Details tab.
From Property, select Class GUID.
Copy the GUID, for example: {6bdd1fc6-810f-11d0-bec7-08002be2092f}
Add this GUID as an entry in Allowed Device Setup Classes.
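The Device Manager steps in 3.2 and 3.3 can also be scripted. The PowerShell below is an added example, not part of the Swif product or of this article's original steps. It uses the built-in Get-PnpDevice cmdlet to list the USB devices currently attached, trims each hardware ID down to the USB\VID_xxxx&PID_yyyy form that Allowed Device Hardware IDs expects, and reports the class GUID (braces included) for Allowed Device Setup Classes. The function name and the '*scan*' filter are illustrative.

```powershell
# Added example (not Swif's code): list attached USB devices with the values
# the Windows USB Policy fields expect. Uses the PnpDevice module that ships
# with Windows 10 and later. Run on a machine where the peripheral has been
# allowed to install, so Windows has already enumerated it.

function Get-UsbAllowlistCandidates {
    [CmdletBinding()]
    param(
        # Optional wildcard filter on the friendly name (constructed example: '*scan*').
        [string]$NameFilter = '*'
    )

    # Only devices currently present whose instance path is under the USB enumerator.
    Get-PnpDevice -PresentOnly |
        Where-Object { $_.InstanceId -like 'USB\*' -and $_.FriendlyName -like $NameFilter } |
        ForEach-Object {
            # HardwareID is an array; the most specific entry usually ends in &REV_xxxx.
            # The policy wants only the VID/PID portion, so keep just that prefix.
            $vidPid = $_.HardwareID |
                ForEach-Object {
                    if ($_ -match '^(USB\\VID_[0-9A-F]{4}&PID_[0-9A-F]{4})') { $Matches[1] }
                } |
                Select-Object -First 1

            [PSCustomObject]@{
                FriendlyName    = $_.FriendlyName
                Class           = $_.Class
                # Value for "Allowed Device Setup Classes", as Windows reports it (with braces).
                ClassGuid       = $_.ClassGuid
                # Value for "Allowed Device Hardware IDs"; $null for root hubs and
                # other devices that carry no VID/PID.
                AllowedDeviceID = $vidPid
                InstanceId      = $_.InstanceId
            }
        }
}

# Usage: every attached USB device, then only devices whose name contains "scan".
Get-UsbAllowlistCandidates | Format-Table -AutoSize
Get-UsbAllowlistCandidates -NameFilter '*scan*' | Format-List
```

Copy the AllowedDeviceID value into Allowed Device Hardware IDs, or the ClassGuid value into Allowed Device Setup Classes, exactly as printed. Devices that Windows has not yet been able to install (for example, because a block is already in force) will not appear, which is why the article recommends collecting the IDs on a machine where the peripheral is allowed.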
3.4 Prevent Installation of Non‑Allowlisted Devices
Field name: preventInstallationOfNonDescribedDevices
UI label: Prevent Installation of Non‑Allowlisted Devices
Type: Boolean (True / False)
Default: false
Minimum Windows:
Windows 10 version 1809+
Windows 10 Enterprise / Education
Windows 10 IoT Enterprise / IoT Enterprise LTSC
What it does
When set to True, Windows blocks installation of any device that is not explicitly described by an allow rule (for example, by hardware ID or setup class).
Use together with Allowed Device Hardware IDs and/or Allowed Device Setup Classes.
Creates an allowlist‑only environment for USB device installation.
Typical use cases:
A tightly controlled workstation (for example, a bank teller station) where only a check scanner and a PIN pad should work.
Shared kiosks where any new USB device should be denied unless pre‑approved.
If this is True and you have not defined any allow rules, most new USB devices will be prevented from installing.
3.5 Enable Installation Policy Layering
Field name: enableInstallationPolicyLayering
UI label: Enable Installation Policy Layering
Type: Boolean (True / False)
Default: false
Minimum Windows:
Windows 10 version 1809 with KB5005102+
Windows 10 version 2004+
Windows 11 21H2+
What it does
Enables a layered evaluation order for allow and prevent device‑installation policies.
More specific matches override broader ones.
Evaluation order (from most specific to least):
Device instance ID
Device hardware ID
Device setup class
In practice this means:
A specific device (by hardware ID) can be allowed even if the overall class of devices is blocked.
This is recommended when you use allowlisting to make exceptions to a broad block.
Example scenario:
You set preventInstallationOfNonDescribedDevices = true (block everything not described).
You add several allowedDeviceIDs (specific check scanners).
You set Enable Installation Policy Layering = true so those precise device rules take precedence over the general block.
4. Example configurations
4.1 Simple “No USB Storage” policy
Goal: Block all removable storage (USB flash drives, external HDD/SSD, etc.) on finance laptops, but still allow keyboards, mice, webcams, and charging.
Recommended settings:
Block the Removable Disk = True
Allowed Device Hardware IDs = (leave empty)
Allowed Device Setup Classes = (leave empty)
Prevent Installation of Non‑Allowlisted Devices = False
Enable Installation Policy Layering = False
Assign this policy to a “Finance – No USB” device group.
4.2 Allow a single authorized check scanner on one machine
Goal: For device PF61CWL5, block all removable storage but allow a specific Chase check scanner used at the branch.
Steps:
On PF61CWL5 (or a test machine), plug in the scanner and allow it to install.
In Device Manager, find the scanner, then copy its Hardware Id (e.g. USB\VID_04E6&PID_5116).
In Swif, create or edit a Windows USB Policy with:
Block the Removable Disk = True
Allowed Device Hardware IDs = ["USB\VID_04E6&PID_5116"]
Prevent Installation of Non‑Allowlisted Devices = True (optional, for stricter control)
Enable Installation Policy Layering = True (recommended when using allowlists)
Assign this policy only to:
Device group that contains PF61CWL5, or
Directly to the PF61CWL5 endpoint.
Expected behavior:
The bank check scanner installs and works as normal.
USB flash drives and other unapproved USB devices remain blocked.
4.3 Allow an entire class (e.g., all imaging devices)
Goal: Let all imaging devices (scanners, certain cameras) work, while blocking USB storage.
Settings:
Block the Removable Disk = True
Allowed Device Setup Classes = ["{6bdd1fc6-810f-11d0-bec7-08002be2092f}"] (Imaging devices class GUID)
Prevent Installation of Non‑Allowlisted Devices = True (to block everything else)
Enable Installation Policy Layering = True
Expected behavior:
Any device in the Imaging Devices class is allowed.
USB flash drives and other devices outside those allowlists are blocked.
5. What the user sees
When the policy blocks USB storage:
Inserting a blocked USB drive will show an “Access denied” style error, and the drive letter will not mount.
Swif Desktop may show a toast notification such as:
“USB removable storage is blocked by your organisation.”
Allowlisted devices (hardware IDs or setup classes you’ve added) will install and function normally.
6. Verifying enforcement
6.1 In Swif
Go to Inventory ▸ Devices.
Open the specific device.
Check the Policies tab:
The Windows USB Policy should show Applied (and Compliant if checks pass).
6.2 On the endpoint (for removable‑storage block)
For the removable‑storage block, you can confirm the Windows driver state:
Open PowerShell as Administrator.
Run:
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR"
Check the value of Start:
4 indicates the USBSTOR driver is disabled (removable storage blocked).
Other values indicate the driver is enabled.
You can also plug in:
A USB flash drive (expected behavior: blocked).
An allowlisted device (expected behavior: installs and works).
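To confirm more than the USBSTOR driver state, the following PowerShell (an added example, not Swif's code) reads back all of the policy's settings from the endpoint in one pass. The USBSTOR Start check is the one described above. The DeviceInstall\Restrictions paths are the standard Group Policy registry locations for Windows device-installation restrictions (allowed IDs, allowed classes, deny-unspecified and layering); it is an assumption here that the Swif agent populates those same locations, so treat an empty result there as "check the agent", not as proof the policy is off. The expected hardware ID is the constructed value from section 4.2.

```powershell
# Added example (not Swif's code): read back the Windows settings that the
# Windows USB Policy drives. Run in an elevated PowerShell session.
# Assumption: the Swif agent writes the device-installation restrictions to the
# standard Group Policy registry location used by Windows for these settings.

function Get-UsbPolicyState {
    $usbstor  = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    $restrict = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

    # Start = 4 means the USBSTOR service is disabled, i.e. removable storage is blocked.
    $start = (Get-ItemProperty -Path $usbstor -ErrorAction SilentlyContinue).Start

    # Helper: Windows stores allowlist entries as string values named 1, 2, 3 ...
    # under the AllowDeviceIDs / AllowDeviceClasses subkeys.
    function Read-ListValues([string]$Path) {
        if (-not (Test-Path $Path)) { return @() }
        $item = Get-Item -Path $Path
        $item.GetValueNames() |
            Where-Object { $_ -match '^\d+$' } |
            Sort-Object { [int]$_ } |
            ForEach-Object { $item.GetValue($_) }
    }

    $r = Get-ItemProperty -Path $restrict -ErrorAction SilentlyContinue

    [PSCustomObject]@{
        UsbstorStart                 = $start
        RemovableStorageBlocked      = ($start -eq 4)
        # DenyUnspecified = 1 corresponds to "Prevent Installation of Non-Allowlisted Devices".
        PreventNonAllowlistedDevices = ([int]$r.DenyUnspecified -eq 1)
        # Assumed value name for "Enable Installation Policy Layering".
        InstallationPolicyLayering   = ([int]$r.EnableInstallationPolicyLayering -eq 1)
        AllowedDeviceIDs             = @(Read-ListValues "$restrict\AllowDeviceIDs")
        AllowedDeviceSetupClasses    = @(Read-ListValues "$restrict\AllowDeviceClasses")
    }
}

$state = Get-UsbPolicyState
$state | Format-List

# Spot-check against the intended configuration. The hardware ID is the constructed
# example from section 4.2; replace it with the entry from your own policy.
$expectedId = 'USB\VID_04E6&PID_5116'
if ($state.RemovableStorageBlocked -and ($state.AllowedDeviceIDs -contains $expectedId)) {
    Write-Host "Policy looks applied: removable storage blocked and $expectedId allowlisted."
} else {
    Write-Warning "Policy not applied as intended yet; check the device's last check-in time in Swif."
}
```

Run it before and after the ~15 minute refresh window to see the change land; if RemovableStorageBlocked flips to True but the allowlist fields stay empty, the removable-storage block is working and the allowlist settings need a closer look (minimum Windows version, layering enabled, exact VID/PID string).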
7. Best‑practice scenarios
| Scenario | Recommendation |
| --- | --- |
| Sensitive laptops (finance, HR, execs) | Create a “No‑USB” policy with Block = True, assign to a dedicated group. |
| Branch device with a single approved scanner | Use Allowed Device Hardware IDs + Prevent Non‑Allowlisted + Layering. |
| Kiosks / shared terminals | Combine removable‑storage blocking with strict allowlists. |
| Mixed OS environment | Combine with Swif’s macOS and Linux USB policies for uniform posture. |
| Audit / logging needs | Pair with Windows Tracking Policy to log plug/unplug events. |
| Temporary exception for a single user | Temporarily flip Block = False for that device, ask the user to reboot, then revert. |
8. Troubleshooting
| Symptom | Possible cause / fix |
| --- | --- |
| USB storage still mounts after ~30 minutes | Device may be offline. Check last check‑in time; ask the user to connect to VPN/Internet and wait for sync. |
| User sees BitLocker recovery prompt on a drive | Expected if the drive was BitLocker‑encrypted before the block. Instruct the user to cancel if the drive is not needed. |
| Business‑critical device is being blocked | Confirm its Hardware Id or Class GUID is listed in your allowlist entries and that layering is enabled. |
| Allowlisted device does not override a general block | Ensure Enable Installation Policy Layering = True and Windows meets the minimum version requirements. |
| Need granular per‑drive serial allowlist | Current policy controls are by VID/PID or class, not per individual serial. Consider AppLocker/DLP tools if needed. |
If you need additional help, chat with us in‑product or email support@swif.ai.
