• ×
    Information
    Need Windows 11 help?
    Check documents on compatibility, FAQs, upgrade information and available fixes.
    Windows 11 Support Center.
  • post a message
  • ×
    Information
    Need Windows 11 help?
    Check documents on compatibility, FAQs, upgrade information and available fixes.
    Windows 11 Support Center.
  • post a message
Guidelines
Join the HP Community Solve‑a‑thon | Help Others & Share Your Solutions | Live on Zoom | 2:30 PM to 2:30 AM IST | Every Wednesday Click here to know more
Locked

‎08-17-2025 12:16 PM

HP Recommended
Operating System: Microsoft Windows 11

Hi,

 

to block the use of USB drives on our company desktops I just enabled "Only allow keyboard and mouse" option in BIOS. When I start Windows 11 and test front USB ports with an USB drive, there is no access, as expected. On rear USB ports it's the same - with one exception: When I pull out the HP keyboard from it's rear USB port and plug in my USB test drive to this port, I have access to it.

 

Computer is an HP Pro SFF 400 G9, latest BIOS.

 

This seems like an easy way to cheat, right? Any idea?

 

Thanks

Stefano

1 ACCEPTED SOLUTION

Accepted Solutions

‎08-18-2025 08:09 PM - edited ‎08-18-2025 10:15 PM

HP Recommended

Greetings @StefanoFereri 

 

Welcome to the HP Forum. Sawadee Krap 🙏 (Hello)!

 

I've been out of the IT security game since 2007.

 

I'm intrigued by your sleuthing. Very interesting findings.

 

Do you see any additional BIOS options available to enhance USB access restrictions?

 

Windows may be mapping unrestricted access to a USB port having an active: keyboard or mouse connection. The OS can't differentiate dissimilar USB devices connected to an "open" USB port within an active Windows session.

 

I would think Microsoft might have thought this through. There should be a Windows OS solution. Or you have discovered a Windows USB access  security flaw.

 

I don't know. Maybe you need to look at Windows Group Policy Settings to further harden USB access.

 

There should be a Windows way to lock down all USB ports to specific USB devices.

 

Regards 

View solution in original post

1 person found this reply helpful
Was this reply helpful? Yes No
3 REPLIES 3

‎08-18-2025 08:09 PM - edited ‎08-18-2025 10:15 PM

HP Recommended

Greetings @StefanoFereri 

 

Welcome to the HP Forum. Sawadee Krap 🙏 (Hello)!

 

I've been out of the IT security game since 2007.

 

I'm intrigued by your sleuthing. Very interesting findings.

 

Do you see any additional BIOS options available to enhance USB access restrictions?

 

Windows may be mapping unrestricted access to a USB port having an active: keyboard or mouse connection. The OS can't differentiate dissimilar USB devices connected to an "open" USB port within an active Windows session.

 

I would think Microsoft might have thought this through. There should be a Windows OS solution. Or you have discovered a Windows USB access  security flaw.

 

I don't know. Maybe you need to look at Windows Group Policy Settings to further harden USB access.

 

There should be a Windows way to lock down all USB ports to specific USB devices.

 

Regards 

1 person found this reply helpful
Was this reply helpful? Yes No

‎08-19-2025 09:06 AM

HP Recommended

Hi,

 

thanks for input! I wasn't aware that such settings were possible (and much more granular) in Windows using GPOs. So I created a corresponding GPO.


The settings at the BIOS level are obviously very vague and allow a port if it has been recognized as HID, leaving it open for everything. This should be preventable with the Windows GPO settings (testing still pending).


Best regards,

Stefano

1 person found this reply helpful
Was this reply helpful? Yes No

‎08-19-2025 09:56 AM

HP Recommended

Greetings @StefanoFereri 

 

My pleasure.

 

Let the Forum know how USB security testing goes.

 

Regards

Was this reply helpful? Yes No
Warning
Be alert for scammers posting fake support phone numbers and/or email addresses on the community.
If you think you have received a fake HP Support message, please report it to us by clicking on "Flag Post".
† The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.
Didn't find what you were looking for? Ask the community
† The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the <a href="https://www8.hp.com/us/en/terms-of-use.html" class="udrlinesmall">Terms of Use</a> and <a href="/t5/custom/page/page-id/hp.rulespage" class="udrlinesmall"> Rules of Participation</a>.