Blocking all USB devices is easy. The hard part is blocking everything except the devices your team actually needs. That's USB device whitelisting — the practice of maintaining an explicit list of approved USB devices and denying all others by default. It's the approach that lets your accounting team use their encrypted backup drives while still preventing a visitor's unknown flash drive from touching any machine on your network.
This guide covers how USB device whitelisting works at a technical level, the three identifiers you can filter on, the methods available for implementation, and the operational reality of maintaining a whitelist across a fleet of hundreds or thousands of endpoints.
Why Whitelisting Beats Blacklisting for USB Security
Most IT teams start with a blacklist mentality: block the known-bad devices and allow everything else. This approach has a fatal flaw — you can't blacklist devices that don't exist yet. A new USB attack tool, a novel hardware implant, or an unfamiliar device class will sail through a blacklist because it doesn't match any rule.
USB device whitelisting inverts the model. Nothing is allowed unless explicitly approved. This means:
- Unknown devices are blocked by default. A device that's never been seen before — whether it's a forgotten personal drive or a malicious implant — gets denied immediately.
- Your attack surface is defined, not assumed. You know exactly which devices can connect to your endpoints because you approved each one individually.
- Compliance audits become straightforward. When an auditor asks "which USB devices can connect to machines in your environment?" you hand them the whitelist. There's no ambiguity.
A blacklist says "we thought of these threats." A whitelist says "we approved these devices and nothing else." Auditors — and attackers — notice the difference.
The Three Identifiers: VID, PID, and Serial Number
Every USB device reports a vendor ID and a product ID to the host operating system during enumeration, and most also report a serial number string. These three identifiers are what a whitelist can filter on, so understanding them is essential for building an effective one.
Vendor ID (VID)
A 16-bit identifier assigned by the USB Implementers Forum (USB-IF) to the device manufacturer. For example, Kingston Technology is 0951, SanDisk is 0781, and Logitech is 046D. Filtering by VID lets you allow all devices from a trusted manufacturer.
Product ID (PID)
A 16-bit identifier assigned by the manufacturer to a specific product model. Combined with the VID, this uniquely identifies a product line. For example, VID 0951 + PID 1666 identifies the Kingston DataTraveler 100 G3. Filtering by VID+PID lets you allow a specific product model without approving every device that manufacturer makes.
Serial Number
A string assigned by the manufacturer to an individual device unit (the optional iSerialNumber string descriptor). Not all USB devices have serial numbers: cheaper devices often share the same serial across a whole batch or report none at all. Enterprise-grade encrypted drives such as IronKey, Apricorn Aegis and Kingston Vault Privacy report unique serial numbers. Filtering by serial number is the most granular level of whitelisting: you approve a specific physical device, not a product line.
| Filter Level | Granularity | Use Case | Risk |
|---|---|---|---|
| VID only | All devices from one manufacturer | Allow all Logitech peripherals | Any device from that vendor passes |
| VID + PID | All units of one product model | Allow Kingston DataTraveler 100 G3 drives | Any unit of that model passes |
| VID + PID + Serial | One specific physical device | Allow Jane's IronKey drive #A1B2C3 | Minimal — only that exact device |
For USB storage devices, always whitelist by serial number when possible. VID+PID whitelisting for storage is acceptable only for standardized, company-purchased drives where you control the supply chain. For peripherals (keyboards, mice, webcams), VID+PID is usually sufficient since the data exfiltration risk is lower.
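To make the three filter levels concrete, here is an added worked example (not code from the original page, and not PortGuard's or any other vendor's product logic) of a deny-by-default allow-list evaluator in PowerShell. The Kingston (0951) and Logitech (046D) vendor IDs and the 1666 product ID are the ones quoted above; every other PID, serial number, rule name and date below is a constructed placeholder. The evaluator also skips expired approvals, which is the cheapest defence against stale whitelist entries, and warns when a storage device is allowed by model only rather than pinned to a serial.

```powershell
# Added example, not part of the original page or any vendor product: a
# deny-by-default allow-list evaluator for the three filter levels in the table.
# VIDs 0951 and 046D and PID 1666 come from the text; every other PID, serial,
# rule name and date below is a constructed placeholder.

$AllowRules = @(
    [pscustomobject]@{ Name = 'All Logitech peripherals';     Vid = '046D'; Pid = $null;  Serial = $null;     Expires = $null }
    [pscustomobject]@{ Name = 'Kingston DataTraveler 100 G3'; Vid = '0951'; Pid = '1666'; Serial = $null;     Expires = $null }
    [pscustomobject]@{ Name = "Jane's encrypted drive";       Vid = '0951'; Pid = '1A2B'; Serial = 'A1B2C3';  Expires = $null }
    [pscustomobject]@{ Name = 'Contractor drive (temporary)'; Vid = '0781'; Pid = '5E5E'; Serial = 'TMP0042'; Expires = [datetime]'2024-01-31' }
)

function Test-UsbAllowed {
    param(
        [Parameter(Mandatory)][string]$VendorId,
        [Parameter(Mandatory)][string]$ProductId,
        [string]$Serial,                 # empty when the device reports no serial
        [switch]$IsStorage,              # storage should be pinned to a serial (see text)
        [object[]]$Rules = $AllowRules,
        [datetime]$Now = (Get-Date)
    )
    # Most specific rules first, so the report names the tightest rule that matched.
    $ordered = $Rules | Sort-Object { [int][bool]$_.Serial + [int][bool]$_.Pid } -Descending
    foreach ($rule in $ordered) {
        if ($rule.Expires -and $rule.Expires -lt $Now) { continue }   # stale approval, ignore
        if ($rule.Vid -ne $VendorId) { continue }                      # string -ne is case-insensitive
        if ($rule.Pid -and $rule.Pid -ne $ProductId) { continue }
        if ($rule.Serial) {
            # A serial-pinned rule can only match a device that actually reports one.
            if (-not $Serial -or $rule.Serial -ne $Serial) { continue }
            $level = 'VID+PID+Serial'
        } elseif ($rule.Pid) { $level = 'VID+PID' } else { $level = 'VID' }

        $warning = $null
        if ($IsStorage -and $level -ne 'VID+PID+Serial') {
            $warning = 'storage allowed without a serial pin: any unit of this model passes'
        }
        return [pscustomobject]@{ Allowed = $true; Level = $level; Rule = $rule.Name; Warning = $warning }
    }
    # Nothing matched: deny by default, and say why so the blocked-device log is actionable.
    $why = if (-not $Serial) { 'unknown device, no serial reported' } else { 'not on allow-list' }
    [pscustomobject]@{ Allowed = $false; Level = $null; Rule = $null; Warning = $why }
}

# Constructed devices that exercise each path through the evaluator.
$devices = @(
    @{ VendorId = '046D'; ProductId = 'C0DE'; Serial = $null }                                          # any Logitech: VID rule
    @{ VendorId = '0951'; ProductId = '1666'; Serial = 'E0D55EA573DCF450B6870E11'; IsStorage = $true } # model rule, with warning
    @{ VendorId = '0951'; ProductId = '1A2B'; Serial = 'A1B2C3'; IsStorage = $true }                   # Jane's exact drive
    @{ VendorId = '0951'; ProductId = '1A2B'; Serial = 'FFFFFF'; IsStorage = $true }                   # same model, other unit: denied
    @{ VendorId = '0781'; ProductId = '5E5E'; Serial = 'TMP0042'; IsStorage = $true }                  # approval expired: denied
    @{ VendorId = '1234'; ProductId = '5678'; Serial = $null }                                          # never seen: denied
)
foreach ($d in $devices) {
    $r      = Test-UsbAllowed @d -Now ([datetime]'2024-03-01')
    $serial = if ($d.Serial) { $d.Serial } else { '(no serial)' }
    $note   = if ($r.Allowed) { $r.Rule + $(if ($r.Warning) { ' ! ' + $r.Warning }) } else { $r.Warning }
    '{0}:{1} {2,-26} allowed={3,-5} level={4,-14} {5}' -f $d.VendorId, $d.ProductId, $serial, $r.Allowed, $r.Level, $note
}
```

The ordering step matters more than it looks: if a broad VID rule and a serial-pinned rule both cover a device, you want the log to say which one actually justified the allow, otherwise an audit cannot tell approved-by-owner from approved-by-vendor.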
How to Find USB Device Identifiers on Windows
Before you can build a whitelist, you need to know the VID, PID, and serial number of each device you want to approve. On Windows, there are several ways to get this information.
Device Manager
Plug in the device, open Device Manager, find the device under the appropriate category, right-click and select Properties, then go to the Details tab. "Hardware Ids" shows the VID and PID (with the firmware revision); "Device instance path" shows all three identifiers in one string:
USB\VID_0951&PID_1666\E0D55EA573DCF450B6870E11
The string after the second backslash is the serial number. If the device reports no serial, Windows generates an instance ID for that port instead, recognisable by an ampersand in its second character (for example 6&2A3B4C5D&0&3). A generated ID changes when the device is moved to another port or machine, so it cannot be used as a whitelist serial.
PowerShell
For scripting across multiple machines, PowerShell gives you structured data:
# Every connected, working device on the USB bus with its instance path (VID, PID and serial)
Get-PnpDevice -PresentOnly -Status OK |
    Where-Object InstanceId -like 'USB\VID_*' |
    Select-Object Class, FriendlyName, InstanceId
Or, for connected USB storage devices only, the disk-level view (Get-CimInstance replaces the deprecated Get-WmiObject):
# USB disks as the storage stack sees them
Get-CimInstance Win32_DiskDrive | Where-Object InterfaceType -eq 'USB' |
    Select-Object Model, SerialNumber, PNPDeviceID
Note that PNPDeviceID here is the USBSTOR path (vendor and product strings, with the serial suffixed by &0), not the VID/PID path; the VID and PID you whitelist on come from the parent USB device in the first command, and SerialNumber may be blank for drives that report none.
Audit Mode Discovery
The most practical approach for building an initial whitelist at scale is to deploy your USB control agent in audit (monitor-only) mode for one to two weeks. The agent logs every USB device that connects across your entire fleet, capturing VID, PID, serial number, device class, the machine it connected to, and the user who was logged in. You then review the collected inventory and approve the legitimate devices in bulk. This is far more reliable than manually inventorying devices machine by machine.
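As an added example (not from the original page, and not any agent's code), the PowerShell below builds the same kind of inventory on a single machine without an agent. Windows keeps a registry key for every USB device it has ever enumerated under HKLM\SYSTEM\CurrentControlSet\Enum\USB, so the script recovers historical devices as well as the connected ones, marks which are present right now, and uses the instance-ID rule from the Device Manager section to tell real serial numbers from Windows-generated IDs. The function names and the CSV file name are this example's own.

```powershell
# Added example, not the page's or any vendor's code: per-machine USB inventory
# from the registry (every device ever enumerated) plus current presence.
# Run elevated for complete results.

function ConvertFrom-UsbInstanceId {
    param([Parameter(Mandatory)][string]$InstanceId)
    # USB\VID_0951&PID_1666\E0D55EA573DCF450B6870E11   serial reported by the device
    # USB\VID_046D&PID_C0DE\6&2A3B4C5D&0&3             no serial: Windows-generated ID
    # USB\VID_046D&PID_C0DE&MI_01\7&1A2B3C4D&0&0001    one interface of a composite device
    $m = [regex]::Match($InstanceId,
        '^USB\\VID_(?<vid>[0-9A-F]{4})&PID_(?<pid>[0-9A-F]{4})(?:&MI_(?<mi>[0-9A-F]{2}))?\\(?<tail>.+)$',
        'IgnoreCase')
    if (-not $m.Success) { return $null }
    $tail = $m.Groups['tail'].Value
    # An ampersand in the second character marks an ID Windows generated for this
    # port; it is not a serial and changes when the device moves to another port.
    $hasSerial = -not ($tail.Length -gt 1 -and $tail[1] -eq '&')
    [pscustomobject]@{
        Vid       = $m.Groups['vid'].Value.ToUpper()
        Pid       = $m.Groups['pid'].Value.ToUpper()
        Interface = if ($m.Groups['mi'].Success) { $m.Groups['mi'].Value } else { $null }
        Serial    = if ($hasSerial) { $tail } else { $null }
        HasSerial = $hasSerial
    }
}

function Get-UsbDeviceInventory {
    # Index the devices connected right now so historical entries can be marked.
    $present = @{}
    Get-PnpDevice -PresentOnly -ErrorAction SilentlyContinue |
        ForEach-Object { if ($_.InstanceId) { $present[$_.InstanceId] = $true } }

    # Enum\USB holds the bus-level node with VID/PID and serial. Mass storage
    # also appears under Enum\USBSTOR at disk level, but that is the same drive.
    $enum = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USB'
    foreach ($devKey in Get-ChildItem $enum -ErrorAction SilentlyContinue) {
        if ($devKey.PSChildName -notlike 'VID_*') { continue }       # skip ROOT_HUB entries
        foreach ($instKey in Get-ChildItem $devKey.PSPath -ErrorAction SilentlyContinue) {
            $instanceId = 'USB\{0}\{1}' -f $devKey.PSChildName, $instKey.PSChildName
            $parsed = ConvertFrom-UsbInstanceId $instanceId
            if (-not $parsed) { continue }
            $props = Get-ItemProperty -Path $instKey.PSPath -ErrorAction SilentlyContinue
            # DeviceDesc is often '@usbstor.inf,%desc%;USB Mass Storage Device'; keep the readable part.
            $desc = if ($props.DeviceDesc) { ($props.DeviceDesc -split ';')[-1] } else { $null }
            [pscustomobject]@{
                ComputerName = $env:COMPUTERNAME
                Vid          = $parsed.Vid
                Pid          = $parsed.Pid
                Serial       = $parsed.Serial
                HasSerial    = $parsed.HasSerial
                Interface    = $parsed.Interface
                Class        = $props.Class
                Description  = $desc
                Present      = $present.ContainsKey($instanceId)
                InstanceId   = $instanceId
            }
        }
    }
}

$inventory = Get-UsbDeviceInventory
$inventory | Sort-Object Present, Class -Descending |
    Format-Table Present, Class, Vid, Pid, Serial, HasSerial, Description -AutoSize
# One CSV per machine for the central review; the file name is this example's choice.
$inventory | Export-Csv -Path "usb-inventory-$env:COMPUTERNAME.csv" -NoTypeInformation
```

Run it on each endpoint (for example with Invoke-Command -FilePath against a list of hosts) and merge the CSVs, and you have the VID, PID and serial of everything that has ever been plugged in, with the HasSerial column telling you up front which devices can only ever be whitelisted by model.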
Implementation Methods: From GPO to Agent-Based Control
Method 1: Group Policy (Limited Whitelisting)
Windows Group Policy can restrict USB device installation by device setup class or device ID. The relevant settings are under Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions.
You can use "Allow installation of devices that match any of these device IDs" for the approved list, but a whitelist only exists once you also enable "Prevent installation of devices not described by other policy settings"; without that second setting, nothing is denied. Even then, GPO-based whitelisting has significant limitations:
- Clumsy serial number filtering. The device ID settings match hardware IDs (VID+PID). Pinning a specific unit requires the separate "Allow installation of devices that match any of these device instance IDs" setting and hand-maintained full instance paths (USB\VID_0951&PID_1666\<serial>) in the policy.
- Policy refresh delays. Changes propagate on the GPO refresh cycle (90 minutes plus a random offset of up to 30 minutes) unless you force a gpupdate, not in real time.
- No centralized device inventory. You need to manually determine the hardware IDs of each device you want to whitelist.
- Applies at installation, not connection. A device whose driver is already installed keeps working after you tighten the policy unless the prevent settings are configured with "Also apply to matching devices that are already installed", or you uninstall the existing device from Device Manager.
GPO whitelisting is workable for small environments with simple requirements, but it breaks down quickly as your fleet and device inventory grow.
Method 2: Microsoft Defender for Endpoint (Enterprise)
If you're already running Defender for Endpoint (Plan 2), the device control feature supports USB device whitelisting with VID, PID and serial number filtering. Policies are managed through Intune or the Defender portal. The main drawback is cost: Defender for Endpoint Plan 2 starts around $5.20/user/month and is either bundled with Microsoft 365 E5 or licensed standalone. That's a steep price if USB device control is your primary need.
Method 3: Dedicated USB Device Control Agent
Purpose-built solutions like PortGuard focus specifically on USB device whitelisting and port control. The advantages over general-purpose endpoint security platforms:
- Granular whitelisting: Filter by VID, PID, serial number, device class, or any combination. Whitelist a specific device for a specific user on a specific machine, or broadly allow a product line across the fleet.
- Real-time policy updates: Add a device to the whitelist in the console and the policy takes effect on all endpoints within seconds — not on the next GPO refresh.
- Built-in audit mode: Deploy in monitor-only mode to discover every USB device across your fleet before you start enforcing policies.
- Driver-level enforcement: Devices are blocked before the OS mounts them, closing the timing window that GPO leaves open.
- Centralized device inventory: Every device that has ever connected to any endpoint is cataloged with full identifiers, making whitelist management a matter of clicking "approve" rather than manually entering hardware IDs.
Building Your Whitelist: A Practical Workflow
Step 1: Categorize by Device Class
Start with broad device-class rules before getting into per-device whitelisting. Most organizations use a structure like this:
- Always allowed: HID devices (keyboards, mice), audio devices, video devices (webcams). They cannot carry files off the machine, and blocking them creates unnecessary friction. Note that HID is also the class a keystroke-injection device presents as, so "always allowed" still means logged, and a new HID appearing on a server or kiosk deserves a look.
- Whitelist required: Mass storage, portable devices (MTP/PTP), network adapters. These can move data or change network topology, so they require explicit approval.
- Always blocked: Wireless adapters (rogue WiFi/Bluetooth), unknown device classes, and composite devices whose interface combination makes no sense for what they claim to be (a "keyboard" that also exposes storage or a network adapter). Legitimate composites such as docking stations belong in the whitelist-required tier.
Step 2: Run Audit Mode
Deploy your USB control solution in monitor-only mode across all endpoints. Run it for at least one full business cycle — two weeks is ideal. This captures:
- Every USB storage device employees are currently using
- Peripherals that connect via USB but aren't obvious (docking stations, specialty scanners, signature pads)
- Devices that connect intermittently (monthly backup drives, conference room presentation clickers)
Step 3: Review and Approve
Go through the discovered devices and make approve/deny decisions. Group common devices: if your company issues Kingston DataTraveler drives, you can whitelist by VID+PID to cover all units. For individual employee devices, whitelist by serial number. Flag any devices that shouldn't be there — personal drives, unauthorized wireless adapters, unknown devices with no serial number.
Step 4: Define the Exception Process
Before switching to enforcement mode, document how employees request USB device access. A solid exception process includes:
- Employee submits a request with the business justification and the device they need to use
- IT or security reviews the request (is the device type appropriate? is there an approved alternative?)
- If approved, the device's serial number is added to the whitelist for that user's machine(s)
- Approval is logged with who approved it, when, and why — this is the audit trail compliance requires
Step 5: Enforce and Monitor
Switch from audit mode to enforcement. Monitor blocked-device logs closely for the first week to catch legitimate devices that were missed during the audit phase. After the first week, establish a regular review cadence — weekly for the first month, then monthly.
USB Device Whitelisting in 10 Minutes
PortGuard makes USB device whitelisting simple: deploy the lightweight Windows agent, run audit mode to discover your device inventory, then approve devices with a click. Serial number filtering, real-time policy updates, and a complete audit trail — all from a single console. Free for up to 5 devices, with plans starting at $2/device/month.
Start your free trial at portguard.tech
Common Whitelisting Pitfalls (And How to Avoid Them)
Devices Without Serial Numbers
Cheap USB drives and some older peripherals don't report unique serial numbers. You can't whitelist by serial number if there's no serial number to whitelist. Options: require employees to use company-issued devices that have serial numbers, or whitelist by VID+PID with the understanding that any unit of that product model will be allowed. For high-security environments, mandate encrypted drives from manufacturers that guarantee unique serial numbers.
USB Hubs and Docking Stations
Docking stations and USB hubs enumerate as their own device, and the devices plugged into them enumerate separately. Your whitelist needs to account for both — allow the dock itself (VID+PID) and separately whitelist the devices connected through it. Some agents handle this transparently; others require you to whitelist the hub and its downstream devices independently.
Whitelist Sprawl
Over time, whitelists grow as employees request exceptions. Old approvals for employees who left the company, devices that were lost or retired, and temporary approvals that were never revoked accumulate into a whitelist full of stale entries. Schedule quarterly whitelist reviews. Match active approvals against current employee and device inventories. Remove entries for departed employees immediately during offboarding.
VID/PID Spoofing
It's technically possible for an attacker to program a malicious USB device to report the same VID, PID and even serial number as a whitelisted device, so a whitelist proves only that a device claims an approved identity, not that it is the approved hardware. This is why whitelisting alone isn't sufficient for high-security environments: pair it with USB activity monitoring that flags unusual behaviour even from whitelisted devices, such as rapid bulk file transfers, access to sensitive directories, or the same serial number connecting to two machines at about the same time (a physical device can only be in one place).
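The two monitoring checks just described, as an added example (not the page's own code and not any product's rules engine) run over a constructed log export. The CSV columns are assumed for this example and a real agent's export would be mapped onto them; the PID 1A2B, serial A1B2C3, host names and user names are constructed placeholders.

```powershell
# Added example: behavioural checks that catch what an allow-list cannot,
# run over a constructed USB event log (columns are assumed for this example).
$UsbLog = @'
Time,Machine,User,Vid,Pid,Serial,Event,Bytes
2024-03-04T08:01:10,WS-ACCT-07,jane,0951,1A2B,A1B2C3,connect,0
2024-03-04T08:05:00,WS-ACCT-07,jane,0951,1A2B,A1B2C3,write,52428800
2024-03-04T08:09:30,WS-ENG-22,contractor3,0951,1A2B,A1B2C3,connect,0
2024-03-04T08:10:15,WS-ENG-22,contractor3,0951,1A2B,A1B2C3,write,3221225472
2024-03-04T09:15:00,WS-ACCT-03,bob,0951,1666,E0D55EA573DCF450B6870E11,connect,0
2024-03-04T09:16:00,WS-ACCT-03,bob,0951,1666,E0D55EA573DCF450B6870E11,write,10485760
2024-03-05T08:02:00,WS-ACCT-07,jane,0951,1A2B,A1B2C3,connect,0
'@ | ConvertFrom-Csv

function Find-ClonedSerials {
    param([Parameter(Mandatory)][object[]]$Events, [int]$WindowMinutes = 30)
    # The same VID+PID+serial connecting to two different machines within the
    # window means at least one of them is not the approved physical device.
    $Events | Where-Object Event -eq 'connect' |
        Group-Object Vid, Pid, Serial | ForEach-Object {
            $sorted = @($_.Group | Sort-Object { [datetime]$_.Time })
            for ($i = 1; $i -lt $sorted.Count; $i++) {
                $prev = $sorted[$i - 1]; $cur = $sorted[$i]
                $gap = ([datetime]$cur.Time - [datetime]$prev.Time).TotalMinutes
                if ($prev.Machine -ne $cur.Machine -and $gap -le $WindowMinutes) {
                    [pscustomobject]@{
                        Check      = 'cloned-serial'
                        Serial     = $cur.Serial
                        Machines   = '{0} -> {1}' -f $prev.Machine, $cur.Machine
                        GapMinutes = [math]::Round($gap, 1)
                        User       = $cur.User
                        Time       = $cur.Time
                    }
                }
            }
        }
}

function Find-BulkWrites {
    param([Parameter(Mandatory)][object[]]$Events, [long]$ThresholdBytes = 1GB)
    # A large write from an allowed device is still an exfiltration candidate.
    $Events | Where-Object { $_.Event -eq 'write' -and [long]$_.Bytes -ge $ThresholdBytes } |
        ForEach-Object {
            [pscustomobject]@{
                Check     = 'bulk-write'
                Serial    = $_.Serial
                Machines  = $_.Machine
                GigaBytes = [math]::Round([long]$_.Bytes / 1GB, 2)
                User      = $_.User
                Time      = $_.Time
            }
        }
}

$alerts = @(Find-ClonedSerials -Events $UsbLog) + @(Find-BulkWrites -Events $UsbLog)
$alerts | Format-Table Check, Serial, Machines, GapMinutes, GigaBytes, User, Time -AutoSize
```

On the constructed log this raises two alerts: the serial A1B2C3 appearing on WS-ENG-22 about eight minutes after it was seen on WS-ACCT-07, and the 3 GB write that followed on WS-ENG-22. Jane's reconnect the next morning is on a different machine from the previous connect but falls outside the window, so it is not flagged; tune the window to how fast a drive can physically travel between your sites.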
Whitelisting and Compliance
USB device whitelisting directly addresses requirements in most major compliance frameworks:
- HIPAA (164.312(c)(1)): Integrity controls — implement mechanisms to prevent unauthorized alteration or destruction of ePHI. A USB whitelist prevents unauthorized devices from accessing endpoints that process health data.
- PCI DSS (Requirement 9.9 in v3.2.1, renumbered 9.5 in v4.0): Protect devices that capture payment card data from tampering and substitution. Whitelisting ensures only approved devices can connect to POS and payment processing endpoints.
- CMMC Level 2 (AC.L2-3.1.21, together with MP.L2-3.8.7 and MP.L2-3.8.8): Limit use of portable storage devices on external systems, control the use of removable media on system components, and prohibit portable storage devices that have no identifiable owner. USB whitelisting is the technical enforcement mechanism for these controls, and a serial-pinned whitelist with a named owner per entry is exactly the evidence 3.8.8 asks for.
- SOC 2 (CC6.1): Logical and physical access controls. USB device whitelisting provides both — logical control over which devices can connect and a physical audit trail of every connection attempt.
In each case, the whitelist itself plus the logs of allowed and blocked connections form the evidence package that auditors need. Having a documented exception process with approvals and business justifications closes the loop.
The Bottom Line
USB device whitelisting is the only USB security approach that gives you both protection and flexibility. Blocking all USB ports is safe but operationally hostile. Allowing all USB devices is convenient but indefensible. Whitelisting — allowing only explicitly approved devices while denying everything else — is the middle ground that security teams, compliance auditors, and end users can all live with.
The implementation effort is front-loaded: build the initial whitelist, define the exception process, and communicate the change. After that, ongoing maintenance is incremental — approving new devices and pruning old ones. If you start with an audit phase, you'll catch 90% of legitimate devices before enforcement begins, and the remaining 10% will surface in the first week of blocked-device logs.
The tools have caught up with the requirement. You no longer need to choose between "GPO that can't whitelist by serial number" and "enterprise DLP suite that costs $50/user/month." Dedicated USB device control gives you granular whitelisting, real-time enforcement, and centralized management at a price point that works for teams of any size.