If I buy a new USB key or a USB plug-and-play device, Windows automatically begins to install whatever program or drivers are necessary to recognize the device. I never get any warning to approve that a device is trying to install or make system changes. What’s worse is that even if I lock the computer and put in a brand new USB key, Windows still will install that device in the background. If someone were able to get access to the machine while I’m at work and plug in a USB key programmed to compromise my system, I really can’t see a way to stop it.
I have augmented the Windows System Applications predefined policy and the services.exe policy to ASK for Device Driver Installations. I suppose one could force Windows Systems Apps and services.exe to ask for approval to run any executable, but this could wreak havoc. How can I disable USB auto-installations (I’m not talking about auto-start, I mean the auto-install plug and play) without me being there to monitor and approve? I’ve heard disabling the plug-and-play services would work, but it is not a good idea.
I run Defense+ in Paranoid Mode, not trusting digitally signed vendors, and monitor all settings checked.