Script to Uninstall Nonpresent USB devices from device manager

Maswasnos

Junior Member
May 13, 2015
4
0
66
Hey guys,

I'm trying to implement a GPO that will prevent all USB Mass Storage devices from being used on domain systems, except for ones that are specifically allowed.

The specific GPOs are "Allow installation of devices that match any of these device IDs" and "prevent installation of devices not described by other policies" under
computer config>admin templates>system>device installation>restrictions


The problem is that if a device was installed prior to the implementation of the GPO, the GPO won't block it and the user can still use it.


To solve this, I need to uninstall both present and non-present USB Mass Storage Devices from the system. I found that going through device manager manually will work (with a little manipulation to get nonpresent devices to show up), but it isn't practical for large scale deployment.



Is there a way to create a script using powershell or regular CMD commands that will uninstall these devices in the same manner that device manager does (on Windows 7 systems)?


I've tried devcon.exe, but it doesn't remove nonpresent devices. I've also tried pnputil.exe, but that doesn't work in the way I want either.


Any help would be appreciated, and I can provide more info if necessary.


Thanks
 

Elixer

Lifer
May 7, 2002
10,371
762
126
Looking at this, http://blogs.technet.com/b/wincat/a...owershell-cmdlets-sample-an-introduction.aspx it seems it can be done.
*edit.. whoops.. you already tried Devcon.
You can also use Devcon, https://support.microsoft.com/en-us/kb/311272 (which might be a bit easier)
*edit 2, seems that findall is what you want to use, since that can find devices including those that are not present.
*edit 3, http://www.robvanderwoude.com/devcon.php has example scripts as well... Like the RenewUSB.bat one.
 

Maswasnos

> Looking at this, http://blogs.technet.com/b/wincat/ar...roduction.aspx it seems it can be done. *edit.. whoops.. you already tried Devcon. You can also use Devcon, https://support.microsoft.com/en-us/kb/311272 (which might be a bit easier) *edit 2, seems that findall is what you want to use, since that can find devices including those that are not present. *edit 3, http://www.robvanderwoude.com/devcon.php has example scripts as well... Like the RenewUSB.bat one.
Thanks for the reply! The main problem I found with Devcon was that, while the findall command would show nonpresent devices, the remove command wouldn't be able to remove them.
> Check out usbdeview http://nirsoft.net/utils/usb_devices_view.html There is a command /remove_all_disconnected There is also /remove_by_class
Thanks to you as well, and I'll look into this program either tonight or tomorrow. It looks promising!
 

Maswasnos

> Check out usbdeview http://nirsoft.net/utils/usb_devices_view.html There is a command /remove_all_disconnected There is also /remove_by_class
Thanks sm625, USBDeview seems to work quite well. The /remove_by_class command was perfect for what I wanted to do. I can even remove devices remotely from a central management console, and the GUI is nice to have also. This was so much more helpful than the Microsoft technet forums!
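
Added example, not part of the thread and not any poster's code: a PowerShell 2.0-compatible audit (so it runs on Windows 7) that lists every USB mass-storage device the system has ever installed, present or not, and flags those whose IDs are not on an allowlist. It only reads the registry and removes nothing; the `$AllowedIds` entry is a constructed placeholder, and the script assumes the allowlist holds USBSTOR-level hardware or compatible IDs.

```powershell
# Constructed placeholder allowlist: replace with the IDs configured in
# "Allow installation of devices that match any of these device IDs".
$AllowedIds = @(
    'USBSTOR\DiskVendorA_ProductA________1.00'   # constructed sample value
)

# Every USB mass-storage device that was ever installed keeps an entry here,
# whether or not it is currently plugged in.
$EnumRoot = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'

function Get-InstalledUsbStorage {
    param([string]$Root = $EnumRoot)
    if (-not (Test-Path $Root)) { return }   # no USB storage ever installed
    foreach ($device in Get-ChildItem -Path $Root) {
        foreach ($instance in Get-ChildItem -Path $device.PSPath) {
            $p = Get-ItemProperty -Path $instance.PSPath
            # Drop empty entries so a missing value never counts as a match
            $ids = @($p.HardwareID) + @($p.CompatibleIDs) | Where-Object { $_ }
            New-Object PSObject -Property @{
                Device       = $device.PSChildName
                Instance     = $instance.PSChildName
                FriendlyName = $p.FriendlyName
                Ids          = @($ids)
            }
        }
    }
}

function Test-AllowedDevice {
    param($Entry, [string[]]$Allowed)
    foreach ($id in $Entry.Ids) {
        if ($Allowed -contains $id) { return $true }   # case-insensitive match
    }
    return $false
}

# Report: entries with Allowed = False predate the policy or fall outside
# the allowlist and are the candidates for removal.
Get-InstalledUsbStorage | ForEach-Object {
    $allowed = Test-AllowedDevice -Entry $_ -Allowed $AllowedIds
    $_ | Add-Member -MemberType NoteProperty -Name Allowed -Value $allowed -PassThru
} | Sort-Object Allowed |
    Format-Table Allowed, FriendlyName, Device, Instance -AutoSize
```

Running it again after the cleanup confirms that no non-allowlisted entries remain on the machine.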