Getting Started with PortGuard

Go from zero to enforced USB policies in under 10 minutes. Follow these six steps to secure your endpoints.

Windows 10/11 | Server 2016+ | Under 4 MB | No reboot required

Setup Steps

1. Create Your Account

Sign up for a free 7-day trial at app.portguard.tech/register. No credit card required to start.

  • Enter your work email address and choose a password.
  • Check your inbox for a verification email and click the confirmation link.
  • Log in at app.portguard.tech/login to access the console.

Note: Use your work email domain — PortGuard groups licenses by organization domain automatically.

2. Download the Agent

The PortGuard Agent is a lightweight Windows service that monitors USB activity and enforces your policies in real time.

  • Under 4 MB — no heavy runtime dependencies.
  • Digitally signed executable.
  • Communicates outbound only over MQTT (port 8883).

3. Install the Agent

Run the downloaded installer on each endpoint you want to protect. Administrator privileges are required.

  • Double-click portguard-agent.exe and follow the prompts.
  • The installer registers the agent as a Windows service (PortGuardAgent) that starts automatically on boot.
  • On first run, the agent registers itself with PortGuard via AWS IoT Core — no manual configuration needed.
  • The machine will appear in your web console within 30 seconds.

Tip: For mass deployment, run the installer silently with portguard-agent.exe /S. GPO and SCCM deployment guides are available on request.
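
A pre-flight and post-install check for the silent deployment described above, as an added PowerShell example that is not part of PortGuard's documentation. The staging path, the signer thumbprint placeholder (replace it with the value you obtain from the vendor, otherwise the script stops), the optional MQTT host name, and the assumption that the installer exits with code 0 on success are all assumptions made here.

```powershell
#Requires -RunAsAdministrator
# Added example, not PortGuard's own script: verify the installer, install silently, confirm the service.
param(
    [string]$Installer          = 'C:\Deploy\portguard-agent.exe',  # assumed staging path
    [string]$ExpectedThumbprint = '<PUBLISHER-CERT-THUMBPRINT>',    # placeholder, obtain from the vendor
    [string]$MqttHost           = ''                                # optional: your AWS IoT endpoint host
)
$ErrorActionPreference = 'Stop'

# 1. Refuse to run an installer whose Authenticode signature is missing, broken or from another signer.
$sig = Get-AuthenticodeSignature -FilePath $Installer
if ($sig.Status -ne 'Valid') { throw "Signature status '$($sig.Status)' on $Installer" }
if ($sig.SignerCertificate.Thumbprint -ne $ExpectedThumbprint) {
    throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
}

# 2. Check the outbound paths the agent needs (443 to the API, 8883 to MQTT when a host is given).
$targets = @(@{ Name = 'api.portguard.tech'; Port = 443 })
if ($MqttHost) { $targets += @{ Name = $MqttHost; Port = 8883 } }
foreach ($t in $targets) {
    $r = Test-NetConnection -ComputerName $t.Name -Port $t.Port -WarningAction SilentlyContinue
    if (-not $r.TcpTestSucceeded) { throw "No outbound TCP to $($t.Name):$($t.Port)" }
}

# 3. Silent install with the documented /S switch; exit code 0 meaning success is an assumption.
$proc = Start-Process -FilePath $Installer -ArgumentList '/S' -Wait -PassThru
if ($proc.ExitCode -ne 0) { throw "Installer exited with code $($proc.ExitCode)" }

# 4. Wait up to 30 seconds for the PortGuardAgent service, then confirm it starts on boot.
$svc = $null
foreach ($i in 1..10) {
    $svc = Get-Service -Name 'PortGuardAgent' -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -eq 'Running') { break }
    Start-Sleep -Seconds 3
}
if (-not $svc -or $svc.Status -ne 'Running') { throw 'PortGuardAgent service is not running' }

$startMode = (Get-CimInstance -ClassName Win32_Service -Filter "Name='PortGuardAgent'").StartMode
if ($startMode -ne 'Auto') { Write-Warning "PortGuardAgent start mode is '$startMode', expected 'Auto'" }

Write-Output "PortGuardAgent installed and running on $env:COMPUTERNAME"
```

A non-zero exit or thrown error from this script gives GPO, SCCM or Intune a clear failure signal for endpoints where the agent did not come up.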

4. Configure Policies

Use the web console to define which USB storage devices are allowed or blocked on each machine.

  • Navigate to Machines in the console and click a machine name.
  • Click Devices to see all USB devices that have connected.
  • Set each device to Allow or Block using the toggle.
  • Policies are pushed to the agent instantly over MQTT — no polling, no delay.

You can also set a default stance per machine: allow-by-default (permissive) or block-by-default (strict). Block-by-default is recommended for high-security environments.

5. Run Your First Scan

Once installed, the agent immediately discovers all USB storage devices currently connected to the endpoint.

  • Connect a USB drive to the endpoint.
  • Within seconds it appears in the console under Devices with vendor name, product ID, and serial number.
  • Review the device list and set policies before enabling enforcement.

Recommended: Run in monitor-only mode for 24–48 hours first to identify all devices in use before enforcing blocks.

6. Enable Enforcement

When you are satisfied with your policy configuration, enable enforcement to activate real-time blocking.

  • In the console, go to Machines and select a machine.
  • Toggle Enforcement to On.
  • From this point, any USB storage device not explicitly allowed will be blocked immediately on insertion.
  • Blocked attempts are logged in the Events tab with timestamp, device info, and username.

You're protected. Repeat steps 4–6 for each machine, or use the API to automate policy deployment at scale.

System Requirements

The PortGuard Agent supports the following operating systems and network environments.

Requirement           Details
Operating System      Windows 10 (64-bit), Windows 11, Windows Server 2016, 2019, 2022
Architecture          x86-64 (AMD64)
Disk Space            Under 4 MB for agent binary
Memory                < 30 MB RAM at idle
Network — Outbound    MQTT over TLS, port 8883 to *.iot.us-east-1.amazonaws.com
Network — HTTPS       Port 443 outbound to api.portguard.tech
Privileges            Local Administrator required for installation only
Firewall              No inbound ports required — outbound only

Frequently Asked Questions

Does the agent require a reboot after installation?

No. The agent starts as a Windows service immediately after installation. No reboot is required on any supported OS version.

What happens if the agent loses internet connectivity?

Policies are cached locally on each endpoint. The agent continues to enforce the last-known policy while offline. Events are queued and synced when connectivity is restored.

Can I deploy to hundreds of machines at once?

Yes. The installer supports silent mode (/S flag) and is compatible with GPO software deployment, SCCM, Intune, and other MDM tools. Use the REST API to manage policies programmatically.

Does PortGuard block non-storage USB devices?

No. PortGuard targets USB mass storage devices (drives, flash cards, external HDDs). Keyboards, mice, webcams, and other device classes are unaffected.

How do I get support?

Email support@portguard.tech. We typically respond within one business day. Enterprise plans include priority support with a 4-hour SLA.