Hi
I've been tasked to configure a peripheral control policy to stop people plugging in their own USB memory sticks, unless it's one provided by the IT department. Checking the exemptions list, it only allows me to enforce by 'Model ID' and 'Instance ID'. I know I can't use Model ID as people can easily buy the same type of memory stick we provide, but is Instance ID the same as the unique device ID?
Regards
Darren
In Central, the following are shown for a device:
For example, in Central:
At the endpoint, in Device Manager the properties of a device are:
Note: I'm not sure if the "Central" model is the Device Manager "Display name" or "Friendly name". I don't think that matters too much here.
When you make an exception for a device in Central you can see the resultant policy file at the endpoint here:
%ProgramData%\Sophos\Remote Management System\3\Agent\AdapterStorage\SAV\DEVCAdapterConfig
For example, allowing the above device by Model ID, will send down the "Hardware ID":
<devices>
  <type value="opticalDrive" access="allowed" category="storage"/>
  <type value="floppyDrive" access="allowed" category="storage"/>
  <type value="modem" access="allowed" category="network"/>
  <type value="encryptedStorage" access="allowed" category="storage">
    <exemption deviceId="USBSTOR\DiskKingstonDTLocker+G3_____PMAP" instanceId="" access="allowed"/>
  </type>
  <type value="infrared" access="allowed" category="network"/>
  <type value="wireless" access="allowed" category="network"/>
  <type value="removableStorage" access="blocked" category="storage"/>
  <type value="bluetooth" access="blocked" category="network"/>
  <type value="mtp" access="allowed" category="media"/>
</devices>
Allowing by Instance ID will send the "Device instance path":
<devices>
  <type value="opticalDrive" access="allowed" category="storage"/>
  <type value="floppyDrive" access="allowed" category="storage"/>
  <type value="modem" access="allowed" category="network"/>
  <type value="encryptedStorage" access="allowed" category="storage">
    <!-- the '&' characters of the Device instance path are written as &amp; so the XML stays well-formed -->
    <exemption deviceId="USBSTOR\DiskKingstonDTLocker+G3_____PMAP" instanceId="USBSTOR\DISK&amp;VEN_KINGSTON&amp;PROD_DTLOCKER+G3&amp;REV_PMAP\0018F30C9F50BE7171711871&amp;0" access="allowed"/>
  </type>
  <type value="infrared" access="allowed" category="network"/>
  <type value="wireless" access="allowed" category="network"/>
  <type value="removableStorage" access="blocked" category="storage"/>
  <type value="bluetooth" access="blocked" category="network"/>
  <type value="mtp" access="allowed" category="media"/>
</devices>
So in this case it expects to match on the full "Device instance path".
%ProgramData%\Sophos\Sophos Device Control\logs\DeviceControl.txt also logs these.
Does that help?
Regards,
Jak
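The two policy files above differ only in whether the exemption carries an instanceId. The following PowerShell is an added example, not Sophos code: it reads a policy in the DEVCAdapterConfig shape and reports how a given stick would be treated. The matching rule it implements is an assumption drawn from the two files (an exemption with an empty instanceId matches on the Hardware ID, i.e. Central's Model ID; a non-empty instanceId must equal the full Device instance path), and the category a stick falls under (removableStorage here) is assumed, since the product decides that. The sample policy is constructed from the values in this thread, not taken from a real endpoint.

```powershell
# Added example (not Sophos code). Evaluates a USB disk against the exemptions in a
# DEVCAdapterConfig-style policy. Matching rule is an assumption drawn from the two
# policy files in the post: empty instanceId -> match on Hardware ID (Model ID);
# non-empty instanceId -> must equal the full Device instance path.
function Get-DeviceControlVerdict {
    param(
        [Parameter(Mandatory)][xml]$Policy,
        [Parameter(Mandatory)][string]$HardwareId,     # e.g. USBSTOR\DiskSanDisk_Cruzer_Blade____1.00
        [Parameter(Mandatory)][string]$InstancePath,   # e.g. USBSTOR\DISK&VEN_SANDISK&...\4C53...&0
        [string]$DeviceType = 'removableStorage'       # assumed category for an ordinary memory stick
    )

    foreach ($type in $Policy.SelectNodes('/devices/type')) {
        foreach ($ex in $type.SelectNodes('exemption')) {
            # GetAttribute returns '' for an empty or absent attribute; -eq is case-insensitive
            $hwMatch    = $ex.GetAttribute('deviceId') -eq $HardwareId
            $exInstance = $ex.GetAttribute('instanceId')

            if ($exInstance -eq '') {
                if ($hwMatch) {
                    return [pscustomobject]@{ Access = $ex.GetAttribute('access'); Mode = 'ModelID'
                                              Type = $type.GetAttribute('value') }
                }
            } elseif ($exInstance -eq $InstancePath) {
                return [pscustomobject]@{ Access = $ex.GetAttribute('access'); Mode = 'InstanceID'
                                          Type = $type.GetAttribute('value') }
            }
        }
    }

    # No exemption matched: fall back to the default access of the device's category.
    $default = $Policy.SelectSingleNode("/devices/type[@value='$DeviceType']")
    $access  = if ($default) { $default.GetAttribute('access') } else { 'unknown' }
    [pscustomobject]@{ Access = $access; Mode = 'CategoryDefault'; Type = $DeviceType }
}

# Constructed sample policy in the shape of the files above (not a real endpoint's file).
# '&' inside the instance path must be escaped as '&amp;' for the XML to parse.
[xml]$samplePolicy = @'
<devices>
  <type value="encryptedStorage" access="allowed" category="storage">
    <exemption deviceId="USBSTOR\DiskKingstonDTLocker+G3_____PMAP" instanceId="" access="allowed"/>
  </type>
  <type value="removableStorage" access="blocked" category="storage">
    <exemption deviceId="USBSTOR\DiskSanDisk_Cruzer_Blade____1.00"
               instanceId="USBSTOR\DISK&amp;VEN_SANDISK&amp;PROD_CRUZER_BLADE&amp;REV_1.00\4C530000300117218560&amp;0"
               access="allowed"/>
  </type>
</devices>
'@

# A stick whose full Device instance path is listed: matched by Instance ID.
Get-DeviceControlVerdict -Policy $samplePolicy `
    -HardwareId   'USBSTOR\DiskSanDisk_Cruzer_Blade____1.00' `
    -InstancePath 'USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER_BLADE&REV_1.00\4C530000300117218560&0'

# Same model, different serial: no exemption fits, so the removableStorage default applies.
Get-DeviceControlVerdict -Policy $samplePolicy `
    -HardwareId   'USBSTOR\DiskSanDisk_Cruzer_Blade____1.00' `
    -InstancePath 'USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER_BLADE&REV_1.00\4C530000230117214294&0'
```

Attributes are read with GetAttribute rather than PowerShell's adapted properties so that the `value` attribute is not confused with the XmlNode .NET property of the same name. Pointing `-Policy` at the real file (`[xml](Get-Content -Raw "$env:ProgramData\Sophos\Remote Management System\3\Agent\AdapterStorage\SAV\DEVCAdapterConfig")`) lets you check a stick's IDs against the policy actually delivered to the endpoint before relying on DeviceControl.txt.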
Thanks Jak, I understand a bit more about the policy now, but will 2 different memory sticks have the same Instance ID, or is the ID unique to that device? We only want to allow particular memory sticks access.
Regards
Darren
In theory, yes, the Instance ID is specific to a device. Two memory sticks of the same model should have the same Model IDs but different Instance IDs. Just keep in mind that these IDs are provided to Device Manager by the device, so if anyone is using a cheap unbranded USB stick, it is possible that it presents a different ID every time it is plugged in.
Well, if for example you bought a pack of 3 USB sticks, e.g.
Then on 2 different PCs (Windows 10 at least) you should still have the following three values:
Pink
Device Instance Path: USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER_BLADE&REV_1.00\4C530000300117218560&0
Hardware ID: USBSTOR\DiskSanDisk_Cruzer_Blade____1.00
Friendly name: Disk Cruzer Blade USB Device
Purple
Device Instance Path: USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER_BLADE&REV_1.00\4C530000230117214294&0
Hardware ID: USBSTOR\DiskSanDisk_Cruzer_Blade____1.00
Friendly name: SanDisk Cruzer Blade USB Device
Green
Device Instance Path: USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER_BLADE&REV_1.00\4C530000280118218365&0
Hardware ID: USBSTOR\DiskSanDisk_Cruzer_Blade____1.00
Friendly name: SanDisk Cruzer Blade USB Device
So the Hardware ID would be the same for all 3 devices, i.e. USBSTOR\DiskSanDisk_Cruzer_Blade____1.00
The Device Instance Path would be different for each device but the same across the 2 computers it was plugged into.
So for tracking a specific device across multiple computers use the Device Instance Path. For the same model, the Hardware ID should be OK.
In the registry you would see the layout:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530000230117214294&0]
"FriendlyName"="SanDisk Cruzer Blade USB Device"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530000280118218365&0]
"FriendlyName"="SanDisk Cruzer Blade USB Device"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530000300117218560&0]
"FriendlyName"="SanDisk Cruzer Blade USB Device"
If you run the PowerShell command:
Get-PnpDevice | where name -Match 'Sandisk' | select Present,DeviceID,InstanceID | Out-GridView
...the DeviceID and InstanceID values would be the same as above.
Regards,
Jak
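To collect the Device Instance Path and Hardware ID of the IT-issued sticks in one go (rather than reading them off Device Manager or the registry one by one), the following PowerShell is an added example, not Sophos code or part of the post. It uses the PnpDevice module (Windows 8 / Server 2012 and later) and assumes the first entry of DEVPKEY_Device_HardwareIds is the most specific Hardware ID, which is the form shown in the policy file and the registry above.

```powershell
# Added example (not Sophos code): list the USBSTOR disks currently present with the
# two values Central's exemptions are built from. Assumes the PnpDevice module is
# available and that the first Hardware ID is the most specific one.
function Get-UsbStorIds {
    Get-PnpDevice -Class DiskDrive -PresentOnly |
        Where-Object { $_.InstanceId -like 'USBSTOR\*' } |
        ForEach-Object {
            # DEVPKEY_Device_HardwareIds returns the same list Device Manager shows under "Hardware Ids"
            $hwIds = (Get-PnpDeviceProperty -InstanceId $_.InstanceId `
                                            -KeyName 'DEVPKEY_Device_HardwareIds').Data
            [pscustomobject]@{
                FriendlyName       = $_.FriendlyName
                HardwareId         = $hwIds | Select-Object -First 1   # Central "Model ID"
                DeviceInstancePath = $_.InstanceId                     # Central "Instance ID"
            }
        }
}

# Show the values, and save them so the Instance IDs can be pasted into exemptions.
Get-UsbStorIds | Format-Table -AutoSize
Get-UsbStorIds | Export-Csv -Path "$env:TEMP\usbstor-ids.csv" -NoTypeInformation
```

Plug each company stick into one machine, run this, and keep the DeviceInstancePath column as the allow list; the HardwareId column will repeat for every stick of the same model, which is exactly why Model ID alone cannot distinguish an IT-issued stick from a shop-bought one.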