KB2203171 - USBSecure Best Practice procedures

March-17-2022

This article explains some "Best Practice" procedures about USBSecure 5.

Refers to: USBSecure Enterprise 5, USBSecure OT 5
 

Determine deactivated devices

There are numerous ways to discover devices that have been disabled by USBSecure and then unlock them. The safest method is to look in Windows Device Manager (devmgmt.msc) to see which device is disabled (black arrow pointing down). Copy the vid/pid identifier to the clipboard (device instance path) and paste it in the USBSecure admin. Further possibilities are: look in DeviceTool, look in logfile USBSecure.log, look in logfile DeactivetedUsbDevices.log.

Always allow "harmless devices" in AllUsers

Harmless devices such as keyboards, mice, printers, scanners, etc. should - if possible - always be shared in the AllUsers section. This reduces the administrative effort and ensures that the devices are already available at the Windows logon. Keep in mind that a wireless keyboard that you allow only for a specific user is not yet available before logging in. If, for operational reasons, you do not want to allow the keyboard for all users but only for individuals, it should definitely be allowed for the computer and not for the user (entry [host:PC1234]).

Find out if USBSecure is responsible

There are always situations when a USB device does not work. Then the question arises whether it has something to do with USBSecure. The safest way to find out is to temporarily disable the USBSecure service on the local computer (services.msc). With the USBSecure service disabled, you can then turn devices on and off in Device Manager to see if they work. Basically, if there are no disabled devices in Device Manager (small down arrow), it has nothing to do with USBSecure.

Location of USBSecure-Admin.exe

The admin GUI USBSecure-Admin.exe can be located locally on the admin machines or centrally in the devices$ folder in a larger, centrally managed USBSecure environment. It has proven useful to place the USBSecure-Admin.exe centrally in the devices$ folder. In the event of an upgrade, only this one file then needs to be replaced.

Access permissions for USBSecure administrators

It is important that standard users have read-only rights to files in the central \\MyServer\devices$ folder (more precisely, the Everyone group needs read-only rights). USBSecure administrators, on the other hand, should be able to edit the usb.cfg, bluetooth.cfg, etc. configuration files. So, with NTFS permissions, make sure that only USBSecure administrators have the right to modify the configuration files.

 

KnowledgeBase Home  |  What's new?