Administrating Device Policies Using Command Line Interface

Use usbsrvcmd.exe console program to configure device policies via command line interface.

Command line usbsrvcmd.exe file is created during the program installation. You can find it in USB for Remote Desktop program folder.

Command-line syntax cheat sheet

Notation	Example	Description
Text without brackets	command	Items which must be typed as shown.
Text in square brackets	[optional]	Optional parameter.
Text in angle brackets	<value>	Placeholder for user-provided values.
Text in curly braces	{ required_value =0\|=1 }	Group of required choices. At least one option must be included.
Pipe	option_1\|option_2	Divider between alternative options. Only one option can be selected.

Command Line Keys

policy use_only_local_storage [1 | 0]

Sets/displays value of "Use only local storage" setting.

Parameters:

[1] - "Use only local storage" setting.
If no parameter specified, the current value is displayed.

policy storage_update_timeout [n]

Sets/displays value of "Storage autoupdate timeout" setting.

Parameters:

[n] - Specifies auto-update interval value in minutes. By default it's 90 min. Max value is 64800 (45 days).
If no parameter specified, the current value is displayed.

policy [-y] [-d "domain.com"] [-u "domain2.com\user" [-p "pass"]] [-dc "dc.domain.com"] [-f "cmd file path"] [-delstor]

Starts policy configuration mode.

Parameters:

[-d "domain.com"] - Specifies storage in "domain.com" domain, otherwise local storage is used.
[-u "domain2.com\user" [-p "pass"]] - Specified authorization parameters (username and password), otherwise the current user account is used.
[-dc "dc.domain.com"] - Specifies domain controller, otherwise default domain controller is used.
[-f "cmd file path"] - Executes commands from file.
If not specified, console mode is enabled. In order to apply changes, the final "end" command should be called.
If cmd file is specified, the program executes commands from the file specified. The final "end" command should be called.
If any error occurred, no changes will be applied.
It's allowed to use '#' or 'rem' as comments.
[-delstor] - Removes storage and object structure.
[-y] - Use "yes" answer by default in every yes/no request.

Policy configuration commands

set dev [-y] {"dev name" | <id>} [-vid [0xFFFF]] [-pid [0xFFFF]] [-ser ["123abc"]] [-cls [0xFF]] [-scls [0xFF]] [-prot [0xFF]]

Configures device groups.

Parameters:

[-y] - Use "yes" answer by default in every yes/no request.
{"dev name" | <id>} - Device group identifier (name or numeric id)
[-vid [0xFFFF]]
[-pid [0xFFFF]]
[-ser ["123abc"]]
[-cls [0xFF]]
[-scls [0xFF]]
[-prot [0xFF]]

If device group not exists and some parameter is not specified, "any" value will be used.
If device group exists and some parameter is not specified, the value will not be changed.
If device group exists and some parameter is specified with empty value (e.g. "-vid []"), the value will be changed to "any".

del dev [-y] {"dev name" | <id>}

Deletes device groups.

Parameters:

[-y] - Use "yes" answer by default in every yes/no request.
{"dev name" | <id>} - Device group identifier (name or numeric id).

set pol [-y] {"dev name" | <id>} {"domain\account" | "sid" | <id>} {disable | allow | auto | force | deny}

Configures policies.

Parameters:

[-y] - Use "yes" answer by default in every yes/no request.
{"dev name" | <id>} - Device group identifier (name or numeric id).
{"domain\account" | "sid" | <id>} - Account or policy identifier.
{disable | allow | auto | force | deny} - The policy value.

del pol [-y] {"dev name" | <id>} ["domain\account" | "sid" | <id>]

Removes policies.

Parameters:

[-y] - Use "yes" answer by default in every yes/no request.
{"dev name" | <id>} - Device group identifier (name or numeric id).
{"domain\account" | "sid" | <id>} - Account or policy identifier. If not specified, all policies will be removed for the device group.

del all [-y]

Removes all device groups and policies from the storage..

Parameters:

[-y] - Use "yes" answer by default in every yes/no request.

list ["dev name" | <id>]

Displays the current policy configuration.

Parameters:

{"dev name" | <id>} - Device group identifier (name or numeric id).

end

Commits changes. In order to apply changes, it's needed to use this command at the end.

Usage Examples:

Example 1. Create device group named "My_Flash_Drive" for USB flash stick wich have the next parameters: VID:0x0951 PID:0x1667 serial:00190F0C02B2BF316965743B. Then create policy for this device group:
user1 - forbidden
user2 - autoconnect

usbsrvcmd.exe policy 

policy>set dev -y "My_Flash_Drive" -vid 0x0951 -pid 0x1667 -ser "00190F0C02B2BF316965743B"

policy>set pol -y "My_Flash_Drive" user1 deny
policy>set pol -y "My_Flash_Drive" user2 auto
policy>end

Example 2. Delete policy for user2 in the device group "My_Flash_Drive".

usbsrvcmd.exe policy

policy>del pol -y "My_Flash_Drive" user2
policy>end

Example 3. Delete the device group "My_Flash_Drive".

usbsrvcmd.exe policy

policy>del dev -y "My_Flash_Drive"
policy>end