Safelisting Defender Drives through Group Policies

You can configure the Group Policy settings on your domain to allow only Kanguru Defender drives to work on that computer while preventing other USB drives from working.

In order to restrict device access to Kanguru Defender drives, you must Enable three Group Policy settings as described below as well as know the Vendor ID (VID) Product ID (PID), and Serial Number of all devices.

The three policies that will need to be enabled are:

• Allow installation of devices that match any of these device IDs
• Allow installation of devices that match any of these device instance IDs
• Prevent installation of devices not described by other policy settings

Please Note: By performing the steps in this article you will be removing the ability to prevent the installation of new devices on your domain.  Existing devices may not be impacted by this.  Additionally, there is a chance that other new USB based devices such as Mice and Keyboards will not work until their VID, PID, and Serial Number are added to the policy in Step 7 and Step 8.

1. Open Device Manager and locate Kanguru Defender USB Device under DVD/CD-ROM drives.
2. Right click on Kanguru Defender USB Device and select Properties.
3. The Kanguru Defender USB Device Properties window opens. Click on the Details tab and then select Hardware IDs from the Property pull down menu. A list of hardware IDs for the Defender drive appears (see screen shot below). The top Hardware IDs will be needed for the policy Allow installation of devices that match any of these device IDs.
4. Change the option Hardware IDs to Last Known Parent from the Property pull down menu. Copy the value displayed as that will be needed for the policy Allow installation of devices that match any of these device instance IDs.
5. Open the Group Policy Manager and create a new Group Policy.
6. Once in Group Policy Manager Editor, in the left pane of the Group Policy Editor window, navigate to Computer Configuration > Policies > Administrative Templates: Policy definition (ADMX files) retrieved from the local computer > System > Device Installation > Device Installation Restrictions
7. Locate Allow installation of devices that match any of these device IDs and configure this as Enabled. After selecting Enabled, select Show and in the field provided, enter the information gathered in Step 3 then select OK. The pop-up will go away and you will then need to select Apply and OK to complete the configuration.  Note: If you have more items to add to this list you can add at any point.
8. Locate Allow installation of devices that match any of these device instance IDs and configure this as Enabled. After selecting Enabled, select Show and in the field provided, enter the information gathered in Step 4 then select OK. The pop-up will go away and you will then need to select Apply and OK to complete the configuration.  Note: If you have more items to add to this list you can add at any point.
9. Lastly, locate Prevent installation of devices not described by other policy settings and configure this as Enabled. After you will then need to select Apply and OK to complete the configuration.

 Note: The configuration may change depending on the OS and other policies in effect on the system.