
Using DeviceLock to control USB devices mapped to VMware Workstation Virtual Machines

DESCRIPTION

When VMware Workstation runs on a host controlled by DeviceLock, and DeviceLock is configured with the recommended "least-privilege" approach (the USB Port locked down, with access granted only to exception groups and to whitelisted device models or individual device IDs), users may find that USB devices permitted by the USB Devices White List work on the physical host but do not work inside the virtual machines running on that host.

COMMENTS

This happens because, when a USB device is connected to a virtual machine, VMware Workstation substitutes its own vendor and product identifiers for the device's real VID&PID (USB\Vid_0E0F&Pid_0001) and appends the device's original unique Serial Number (SN) to that identification string. The device ID that DeviceLock evaluates on the host is therefore no longer the one that was whitelisted, so the manufacturer's whitelist entry does not match and the device is blocked.

RECOMMENDATIONS

Devices that need to work on the physical host AND in virtual machines created inside VMware Workstation must be added to the USB Devices White List policy in both formats:
1) the manufacturer's VID&PID followed by the device's serial number (USB\Vid_xxxx&Pid_xxxx\SN), which covers use on the physical host;
2) the VMware substitute VID&PID followed by the same original manufacturer's serial number (USB\Vid_0E0F&Pid_0001\SN), which covers use inside a virtual machine.

Note: The serial number is what keeps the second entry specific to one device. If the VMware substitute VID&PID is whitelisted on its own (make/model only, with no SN), ALL USB devices will be allowed to mount into the virtual machines, because VMware applies that same generic VID&PID to EVERY device it maps from the host.
If USB devices must be prevented from being mapped from the host to VMs, block access at the USB Port and whitelist only by the manufacturer's VID&PID (never by the VMware substitute), so that whitelisted devices work on the host but no longer match once mapped into a VM.
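The two whitelist formats in the recommendation, and the failure mode described in the note, can be worked through in code. The following Python script is an added example, not DeviceLock's or VMware's own code: it parses device IDs in the USB\Vid_xxxx&Pid_xxxx\SN notation used on this page, derives the VMware substitute entry for each manufacturer entry, and simulates whitelist matching under an assumed rule (an entry without a serial number matches by VID&PID alone; an entry with a serial number must match all three). That matching rule and the sample device IDs (Vid_1234&Pid_5678, Vid_ABCD&Pid_0002, their serial numbers) are constructed for illustration and are not real products or DeviceLock's internal logic; only the VMware substitute 0E0F&0001 comes from the article.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# VMware's substitute vendor/product ID for USB devices mapped into a VM,
# as stated in the article above.
VMWARE_VID, VMWARE_PID = "0E0F", "0001"

# Device ID notation used on this page: USB\Vid_xxxx&Pid_xxxx[\SerialNumber]
_ID_RE = re.compile(
    r"^USB\\Vid_([0-9A-Fa-f]{4})&Pid_([0-9A-Fa-f]{4})(?:\\([^\\]+))?$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class UsbId:
    """A USB device ID, optionally bound to a serial number."""
    vid: str
    pid: str
    serial: Optional[str] = None

    @classmethod
    def parse(cls, text: str) -> "UsbId":
        m = _ID_RE.match(text.strip())
        if not m:
            raise ValueError(f"not a USB\\Vid_xxxx&Pid_xxxx[\\SN] string: {text!r}")
        vid, pid, serial = m.groups()
        return cls(vid.upper(), pid.upper(), serial)

    def as_mapped_to_vm(self) -> "UsbId":
        """The ID the host sees once VMware maps this device into a VM:
        VMware's VID&PID with the device's own serial number appended."""
        return UsbId(VMWARE_VID, VMWARE_PID, self.serial)

    def __str__(self) -> str:
        s = f"USB\\Vid_{self.vid}&Pid_{self.pid}"
        return f"{s}\\{self.serial}" if self.serial else s


def whitelist_entries(host_devices: Iterable[UsbId]) -> List[UsbId]:
    """Both whitelist entries the article recommends for each device:
    manufacturer VID&PID\\SN (host use) and VMware VID&PID\\SN (VM use).
    A device without a serial number gets no VM entry, because a VMware
    VID&PID entry with no SN would admit every mapped device."""
    entries: List[UsbId] = []
    for dev in host_devices:
        entries.append(dev)
        if dev.serial:
            entries.append(dev.as_mapped_to_vm())
    return entries


def entry_matches(entry: UsbId, device: UsbId) -> bool:
    """Assumed matching rule (illustrative, not DeviceLock's internals):
    VID&PID must match; a serial number on the whitelist entry must match
    too, while an entry without one matches every device of that make/model."""
    if (entry.vid, entry.pid) != (device.vid, device.pid):
        return False
    return entry.serial is None or entry.serial == device.serial


def is_allowed(whitelist: Iterable[UsbId], device: UsbId) -> bool:
    return any(entry_matches(e, device) for e in whitelist)


def demo() -> dict:
    # Constructed sample devices (hypothetical IDs, not real products).
    approved = UsbId.parse(r"USB\Vid_1234&Pid_5678\SN0001")
    stranger = UsbId.parse(r"USB\Vid_ABCD&Pid_0002\SN9999")

    # Recommended: both forms, each bound to the serial number.
    strict = whitelist_entries([approved])
    # The mistake from the note: VMware's VID&PID with no serial number.
    generic = [UsbId.parse(r"USB\Vid_0E0F&Pid_0001")]

    return {
        "strict_entries": [str(e) for e in strict],
        "approved_on_host": is_allowed(strict, approved),
        "approved_in_vm": is_allowed(strict, approved.as_mapped_to_vm()),
        "stranger_in_vm_strict": is_allowed(strict, stranger.as_mapped_to_vm()),
        "stranger_in_vm_generic": is_allowed(generic, stranger.as_mapped_to_vm()),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script prints five results. The first three show the recommended pair of serial-bound entries letting the approved device work both on the host and once mapped into a VM; the last two show the note's point: the same unrelated device is rejected by the serial-bound entries but accepted by a bare VMware VID&PID entry, since every mapped device carries that generic ID.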