How to configure Media management settings for Windows devices?

Configuring media management settings for managed devices is crucial to ensure controlled access to external media and storage devices. This can help prevent unauthorized data transfer and protect sensitive information. IT administrators can enable or disable a device’s permissions to execute, read, and write data from/to various external media, such as removable disks, optical disks, floppy disks, and tape drives. This doc helps you configure different settings for Windows media management.

Notes:

  • This feature is available only on Hexnode UEM’s Ultimate and Ultra subscription plans.
  • Windows media management policy is supported only on:
    • Windows 10 (Pro, Enterprise, Education)
    • Windows 11 (Pro, Enterprise, Education)

Configure Windows media management settings

To configure media management settings using Hexnode UEM, follow these steps:

  1. Log in to your Hexnode UEM portal.
  2. Navigate to Policies > New Policy. Assign a suitable name and description (optional) for the policy. You can also choose to continue with an existing policy.
  3. Go to Windows > Security > Media Management. Click Configure.

    Configure external media access settings

    • Allow use of all external media: Enable this option to permit the use of all external media devices.

    • Allow use of specific external media: Enable this option to restrict usage to specific external media devices. This option will only be visible if “Allow use of all external media” is disabled.

    • Specify device ID: Enter the hardware ID of the external media devices you want to permit. This option will only be visible if “Allow use of specific external media” is enabled.

      Notes:

      • You must enable either “Allow use of all external media” or “Allow use of specific external media” in order to configure other media management settings.
      • You can find the hardware ID of an external media device through the Device Manager in Windows.
        • Open Device Manager by pressing Win + X and selecting Device Manager from the menu.
        • In Device Manager, expand the Disk drives section. For Windows Portable Devices, expand the Portable Devices section instead.
        • Right-click the external media you want to get the hardware ID for and select Properties.
        • In the Properties window, go to the Details tab.
        • From the Property dropdown, select Hardware Ids.

        You will see a list of hardware IDs for the selected external media.

      Removable Disks

      You can manage settings to control access to removable storage devices, such as USB drives.

      | Settings | Description |
      |---|---|
      | Allow execute access | Enable this option to allow devices to run executable files (e.g., .exe, .bat, .com) from removable media. |
      | Allow read access | Enable this option to allow devices to read data from removable disks. When disabled, access to open removable disks will be prohibited. |
      | Allow write access | Enable this option to allow devices to write data to removable disks. This includes creating, modifying, and deleting files. |

      Optical Disks

      You can manage settings to control access to optical storage devices such as CDs, DVDs, and Blu-ray disks.

      | Settings | Description |
      |---|---|
      | Allow execute access | Enable this option to allow devices to run executable files from optical disks. |
      | Allow read access | Enable this option to allow devices to read data from optical disks. When disabled, access to open optical disks will be prohibited. |
      | Allow write access | Enable this option to allow devices to write data to optical disks. This includes creating, modifying, and deleting files. |

      Windows Portable Devices (WPD)

      You can manage settings to control access to Windows Portable Devices such as digital cameras, smartphones, and portable media players.

      | Settings | Description |
      |---|---|
      | Allow read access | Enable this option to allow devices to read data from Windows Portable Devices. When disabled, access to open Windows Portable Devices will be prohibited. |
      | Allow write access | Enable this option to allow devices to write data to Windows Portable Devices. This includes creating, modifying, and deleting files. |

      Floppy Drives

      You can manage settings to control access to floppy disk drives.

      | Settings | Description |
      |---|---|
      | Allow execute access | Enable this option to allow devices to run executable files from floppy disks. |
      | Allow read access | Enable this option to allow devices to read data from floppy disks. When disabled, access to open floppy disks will be prohibited. |
      | Allow write access | Enable this option to allow devices to write data to floppy disks. This includes creating, modifying, and deleting files. |

      Tape Drives

      You can manage settings to control access to tape backup drives.

      | Settings | Description |
      |---|---|
      | Allow execute access | Enable this option to allow devices to run executable files from tape drives. |
      | Allow read access | Enable this option to allow devices to read data from tape drives. When disabled, access to open tape drives will be prohibited. |
      | Allow write access | Enable this option to allow devices to write data to tape drives. This includes creating, modifying, and deleting files. |

  4. Click Save.
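
The hardware IDs that step 3 reads from Device Manager can also be collected from PowerShell on the device while the external media is attached. The script below is an added example, not part of Hexnode's documentation or tooling; the output file name is an assumption, and it flags USB mass-storage entries because the Disk drives class also contains the internal disks.

```powershell
# Added example: list hardware IDs for attached disk drives and portable devices.
# Run on the Windows device with the external media plugged in.

# PnP setup classes behind the Device Manager sections named in step 3:
#   DiskDrive -> "Disk drives", WPD -> "Portable Devices"
$classes = 'DiskDrive', 'WPD'

$report = foreach ($class in $classes) {
    # -PresentOnly skips devices that were seen earlier but are not attached now.
    $devices = Get-PnpDevice -Class $class -PresentOnly -ErrorAction SilentlyContinue
    foreach ($dev in $devices) {
        # Same value as Properties > Details > "Hardware Ids" in Device Manager.
        $prop = Get-PnpDeviceProperty -InstanceId $dev.InstanceId `
                    -KeyName 'DEVPKEY_Device_HardwareIds' -ErrorAction SilentlyContinue
        foreach ($id in @($prop.Data)) {
            if ($id) {
                [pscustomobject]@{
                    Class        = $class
                    FriendlyName = $dev.FriendlyName
                    # Internal disks are in DiskDrive too; USB mass storage
                    # enumerates under USBSTOR\, so flag those rows.
                    IsUsbStorage = $dev.InstanceId -like 'USBSTOR\*'
                    InstanceId   = $dev.InstanceId
                    HardwareId   = $id
                }
            }
        }
    }
}

# Windows lists each device's hardware IDs from most to least specific.
# Review the rows before entering any value under "Specify device ID".
$report | Sort-Object Class, FriendlyName | Format-Table -AutoSize -Wrap

# Optional record of what was reviewed (file name is an example).
$report | Export-Csv -Path .\external-media-hardware-ids.csv -NoTypeInformation
```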

Associating the policy with devices

If the policy has not yet been saved:

  1. Navigate to Policy Targets.
  2. Select the target of the policy (Devices, Device Groups, Users, User Groups, Domain).
  3. Click on +Add Devices.
  4. Select the devices you want to apply the policy to and click OK.
  5. Click Save to apply the policies to the selected devices.

If the policy has already been saved:

  1. Go to the Policies tab.
  2. Select the policy you want to associate with devices.
  3. Click on Manage > Associate Targets.
  4. Select the devices or device groups to which you want to apply the policy.
  5. Click Associate to apply the policy to the selected devices.

What happens at the device end?

Once the policy is deployed, Windows devices will only be able to access external drives based on the permissions set in the policy—whether for reading, writing, or executing. If a device doesn’t have the necessary permissions, an error will be displayed accordingly.

For example, if read access to removable disks is disabled, attempting to open the disk will result in the following error message:

Using Hexnode UEM’s Windows media management, read access to removable disks is denied.

Notes:

  • A device restart is recommended for the feature to take effect.
