These types of USB devices are hard to source and, depending on your device requirements, might be impossible to find. If possible, restrict the devices in your environment to those that accept only signed firmware updates, are FIPS 140-2 Level 3-certified, and do not support any kind of field-updatable firmware. In addition, educate your employees to ensure that they do not connect devices from unknown sources. If possible, keep track of a chain of custody for the USB devices. Be sure that you can trust your supply chain. You can use group policy settings to activate or deactivate USB redirection for specific devices.īefore you activate USB redirection for specific devices, make sure that you trust the physical devices that are connected to client machines in your enterprise. In these cases, you cannot deactivate access to all USB devices. For example, a doctor might have to use a Dictaphone USB device to record patients' medical information. Some users might have to redirect specific locally-connected USB devices so that they can perform tasks on their remote desktops or applications.