In this article, you will learn everything about the USB Management feature found in the Client Management section of the Heimdal Dashboard.
1. USB Management view
2. USB Management settings
USB Management allows you to control how the USB ports work inside your company. They can be restricted or allowed, depending on your preferences.
USB MANAGEMENT view
The USB Management page displays all the information related to the USB devices that are plugged in after enabling the USB Management service. At the top, you see a statistic regarding the number of USB Detections.
The collected information is presented in two views:
- Standard: This view displays a table with the following details: Hostname, Username, Device name (Friendly name), Device ID (Device instance path), Hardware ID, Class ID (Class Guid), Action, and Timestamp. Selecting an entry allows you to add the detected USB device to the Allowlist or to hide it from this view (by taking the Suppress action), which moves it to the Show suppressed devices view. A device can be added to the Allowlist based on one of the following criteria: Hardware ID, Class ID (Class Guid), or Device instance path.
- Show suppressed devices: This view displays a table of the hidden USB devices with the same details: Hostname, Username, Device name (Friendly name), Device ID (Device instance path), Hardware ID, Class ID (Class Guid), Action, and Timestamp. A suppressed device that is disconnected and plugged in again switches back to the Standard view.
The Download CSV functionality generates and downloads a CSV report containing all the information shown in the currently selected view (Standard or Show suppressed devices). The Filters functionality allows you to filter entries by Resolution.
USB MANAGEMENT settings
Enabling USB Management turns the feature on for all endpoints to which the Group Policy applies.
USB Management - turn ON/OFF the USB Management functionality;
Disable USB Ports - allows you to disable Removable Media Devices from being connected to a computer. A computer reboot is required to activate/deactivate this function.
USB restrictive mode - this functionality will disable ALL USB devices found on the computer, except those on the allowed list. A computer reboot is required to activate/deactivate this function. USB restrictive mode will allow you to add a device to an allowlist (based on either Class or Hardware ID), thus allowing it to run.
USB Reporting mode - this functionality will monitor all the plugged-in USB devices without taking any action. All detected USB devices will be listed on the USB Management page.
USB Allowlist
USB Allowlist - allows you to allowlist a USB device based on Hardware ID, Class ID (Class Guid), or Device instance path. You can give a Friendly name to each entry, and you can also import an Allowlist from a CSV file. The Friendly Name field lets administrators assign a custom, descriptive label to each USB device, which improves identification in environments with many similar entries and makes both visible and suppressed USB devices easier to manage. This simplifies USB tracking and reduces confusion when multiple devices share similar identifiers.
Predefined Class GUID provides a curated list of commonly used USB device classes, each displayed with the USB class name and a short descriptive label. When selecting a predefined class:
The Friendly Name field is automatically populated with the selected USB class name.
The Value field is automatically populated with the corresponding Class GUID.
After selecting, both fields remain fully editable, allowing administrators to customize entries as needed.
Any allowlisted USB entry can be removed at any time by deselecting it or by using the Remove option from the USB Allowlist grid.
IMPORTANT
1. The Hardware ID differs by brand/model of the USB device. A device usually reports several Hardware IDs; the top one in the list (Device Manager -> Properties -> Details -> Hardware Ids) is the most specific and is the one to prefer when allowlisting a single device.
2. The Class ID (Class Guid in Windows) is shared by all USB devices of the same type and can be found under Device Manager -> Properties -> Details -> Class Guid. Allowlisting a Class GUID therefore allows every device of that class, not just one.
3. It's not enough to allow a single Hardware ID to enable a single USB thumb drive. The IT admin also has to ensure that all the USB devices that precede the target one in the device tree are allowed (all enumerations). Example 1: the following entries have to be allowed so that the plugged-in USB thumb drive works (to see this view in Device Manager, access View -> Devices by connection):
- Intel(R) USB 3.0 eXtensible Host Controller - 1.0 (Microsoft) -> PCI\CC_0C03
- USB Root Hub (USB 3.0) -> USB\ROOT_HUB30
- Generic USB Hub -> USB\USB20_HUB
- USB Mass Storage Device
- Generic Flash Disk USB Device
Example 2: USB devices are nested under each other in the PnP tree. The enumeration of a USB drive shown in Device Manager (View -> Devices by connection) corresponds to the entries listed for that drive in the HEIMDAL Dashboard.
4. In some cases, a USB device may appear connected and accessible even if the partition entry shown in Device Manager isn't explicitly allowlisted. This is because the partition is registered under a different parent node in the device tree, so initial USB recognition succeeds without full allowlisting. It is nevertheless strongly recommended to allowlist the partition entry as well (meaning all the enumerations): certain Group Policy settings can block access to volumes that aren't explicitly allowed, which may cause file access to fail silently even though the device seems properly connected.
The host controller and hub entries listed in Example 1 are internal devices on the machine that define the USB port connection to the outside world. Allowing them shouldn't prevent any external/peripheral device from being installed on the machine.
Specifically for desktop machines, it's very important to allowlist all the USB devices that your keyboards and mice are connected to (host controllers and hubs). Failing to do so could lock a user out of his/her machine, because HID devices would be blocked.
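The following PowerShell script is an added example, not Heimdal's code, that does on the endpoint what points 1 to 4 describe by hand: starting from one Device instance path, it walks the PnP tree upward to the host controller (every node that must be allowed) and downward to the disk, partition and volume nodes, and for each node reports the Friendly name, Device instance path, Class GUID and Hardware IDs (most specific first). It assumes Windows 10/Server 2016 or later (the PnpDevice module) and an elevated prompt; the instance path in the usage comment is a constructed placeholder to be replaced with the Device ID shown in the dashboard.

```powershell
# Added example (not part of the Heimdal product). Assumes the PnpDevice module
# (Windows 10 / Server 2016 and later) and an elevated PowerShell session.

function Get-UsbEnumerationChain {
    [CmdletBinding()]
    param(
        # Device instance path, e.g. the "Device ID" column in the Heimdal dashboard
        # or Device Manager -> Properties -> Details -> Device instance path.
        [Parameter(Mandatory)]
        [string]$InstanceId
    )

    # Read one DEVPKEY property of a PnP node; returns $null if the key is absent.
    function Get-Prop([string]$Id, [string]$Key) {
        (Get-PnpDeviceProperty -InstanceId $Id -KeyName $Key -ErrorAction SilentlyContinue).Data
    }

    # Build the record an admin needs for one allowlist decision.
    function Describe([string]$Id, [string]$Relation) {
        $dev   = Get-PnpDevice -InstanceId $Id -ErrorAction Stop
        $hwids = @(Get-Prop $Id 'DEVPKEY_Device_HardwareIds')
        [pscustomobject]@{
            Relation           = $Relation                      # Parent / Target / Child
            FriendlyName       = $dev.FriendlyName
            DeviceInstancePath = $dev.InstanceId
            ClassGuid          = $dev.ClassGuid
            # Windows lists Hardware IDs from most to least specific (point 1 above).
            MostSpecificHwId   = ($hwids | Select-Object -First 1)
            AllHardwareIds     = ($hwids -join ';')
        }
    }

    $chain = New-Object 'System.Collections.Generic.List[object]'

    # Walk up: device -> generic hub -> root hub -> host controller.
    # Prepend each node so the host controller ends up first, matching
    # Device Manager's "Devices by connection" order.
    $id = $InstanceId
    $relation = 'Target'
    while ($id) {
        $chain.Insert(0, (Describe $id $relation))
        $id = Get-Prop $id 'DEVPKEY_Device_Parent'
        $relation = 'Parent'
    }

    # Walk down recursively: mass-storage device -> disk -> partition/volume.
    # These are the nodes point 4 says must also be allowlisted.
    function Add-Descendants([string]$Id) {
        foreach ($child in @(Get-Prop $Id 'DEVPKEY_Device_Children')) {
            if ($child) {
                $chain.Add((Describe $child 'Child'))
                Add-Descendants $child
            }
        }
    }
    Add-Descendants $InstanceId

    $chain
}

# Usage (the instance path is a constructed placeholder; take the real one from
# the dashboard's Device ID column or from Device Manager):
#   Get-UsbEnumerationChain -InstanceId 'USB\VID_0000&PID_0000\0123456789' |
#       Format-Table Relation, FriendlyName, ClassGuid, MostSpecificHwId -AutoSize
#
# To locate the instance path of a currently plugged-in drive instead:
#   Get-PnpDevice -PresentOnly -Class USB | Where-Object FriendlyName -like '*Mass Storage*'
```

Every row tagged Parent is one of the "preceding" enumerations from Example 1 and must not be blocked; the Target row gives the Hardware ID to allowlist for the stick itself; the Child rows are the disk and partition nodes to add so that file access does not fail under a volume-restricting Group Policy. On a desktop, run the same function against the keyboard's and mouse's instance paths before enabling USB restrictive mode, so their host controllers and hubs are in the allowlist too.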
The behavior of USB devices can vary depending on the USB vendor, firmware, and controller design, so identical behavior across all devices can't always be guaranteed. Some sticks enumerate differently or present partitions in ways that require the partition entry to be allowlisted for full functionality.