M1034: Limit Hardware Installation
Prevent unauthorized users or groups from installing or using hardware, such as external drives, peripheral devices, or unapproved internal hardware components, by enforcing hardware usage policies and technical controls. This includes disabling USB ports, restricting driver installation, and implementing endpoint security tools to monitor and block unapproved devices. This mitigation can be implemented through the following measures:
Disable USB Ports and Hardware Installation Policies:
- Use Group Policy Objects (GPO) to disable USB mass storage devices:
  - Navigate to Computer Configuration > Administrative Templates > System > Removable Storage Access.
  - Deny write and read access to USB devices.
- Whitelist approved devices using unique serial numbers via Windows Device Installation Policies.
Deploy Endpoint Protection and Device Control Solutions:
- Use tools like Microsoft Defender for Endpoint, Symantec Endpoint Protection, or Tanium to monitor and block unauthorized hardware.
- Implement device control policies to allow specific hardware types (e.g., keyboards, mice) and block others.
Harden BIOS/UEFI and System Firmware:
- Set strong passwords for BIOS/UEFI access.
- Enable Secure Boot to prevent rogue hardware components from loading unauthorized firmware.
Restrict Peripheral Devices and Drivers:
- Use Windows Device Manager Policies to block installation of unapproved drivers.
- Monitor hardware installation attempts through endpoint monitoring tools.
Disable Bluetooth and Wireless Hardware:
- Use GPO or MDM tools to disable Bluetooth and Wi-Fi interfaces across systems.
- Restrict hardware pairing to approved devices only.
Logging and Monitoring:
- Enable logging for hardware installation events in Windows Event Logs (Event ID 20001 for Device Setup Manager).
- Use SIEM solutions (e.g., Splunk, Elastic Stack) to detect unauthorized hardware installation activities.
*Tools for Implementation*
USB and Device Control:
- Microsoft Group Policy Objects (GPO)
- Microsoft Defender for Endpoint
- Symantec Endpoint Protection
- McAfee Device Control
Endpoint Monitoring:
- EDRs
- OSSEC (open-source host-based IDS)
Hardware Whitelisting:
- BitLocker for external drives (Windows)
- Windows Device Installation Policies
- Device Control
BIOS/UEFI Security:
- Secure Boot (Windows/Linux)
- Firmware management tools like Dell Command Update or HP Sure Start
Analyst context for executives and security teams
Limiting hardware installation is a practical control against data loss and physical access paths: removable drives, unauthorized peripherals, rogue internal components, Bluetooth/Wi‑Fi devices, and remote access hardware can bypass network-centric defenses. For leaders, this matters most where sensitive data, disconnected or air-gapped systems, shared workstations, or operational environments depend on tight control of what can be plugged in or installed.
Executive priority
Prioritize this mitigation where removable media or physical peripherals could affect business continuity, regulated data protection, or incident containment. It directly supports defenses against ATT&CK techniques for exfiltration over physical media/USB, removable-media replication, hardware additions, remote access hardware, and input injection. Executives should ask whether device-control policy is actually enforced, whether exceptions are approved and auditable, and whether SOC/IR teams can prove when unauthorized hardware was connected or blocked.
Technical view
ATT&CK provides this as a mitigation, not a detection, so validation should focus on policy enforcement and evidence. Confirm endpoint/device-control policies restrict USB mass storage, unapproved drivers, unauthorized peripherals, Bluetooth/Wi‑Fi pairing, and hardware installation. Where Windows controls are used, validate GPO removable storage restrictions, Windows Device Installation Policies, Device Manager policy behavior, BIOS/UEFI passwording, Secure Boot, and logging such as Windows Device Setup Manager Event ID 20001. Tie testing to the related techniques: T1052/T1052.001 data exfiltration via physical media or USB, T1091 removable-media replication, T1200 hardware additions, T1219/T1219.003 remote access tools or hardware, and T1674 input injection via HID-like devices.
Likely telemetry
- Endpoint device-control allow/block events
- Operating system hardware installation logs, including Windows Device Setup Manager events where applicable
- Driver installation and device installation policy events
- USB/removable storage connection and read/write access logs
- Bluetooth and Wi‑Fi interface or pairing events where these controls are managed
Detection direction
- Because official ATT&CK detection text is not provided, treat this as control validation rather than a guaranteed analytic.
- Baseline approved hardware types, serial-number allowlists, and business exceptions; alert on deviations and repeated blocked attempts.
- Tune carefully for legitimate keyboards, mice, support devices, approved external drives, and authorized remote access hardware to avoid excessive false positives.
- Validate that logs from endpoints and device-control tools reach the SIEM and retain enough detail to identify user, host, device type, serial number where available, and action taken.
- Pay special attention to blind spots on systems outside central management, air-gapped or disconnected systems, unmanaged Linux/macOS endpoints, and environments where physical access is loosely controlled.
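As an added example (not part of the mirrored ATT&CK text or Glexia's analysis), the following Python sketches the allowlist-deviation and repeated-block logic described above: it parses Windows Device Instance IDs from constructed device-control events, checks removable-storage serials against an allowlist, skips HID-class keyboards and mice, and alerts both on a non-approved device that was allowed and on the same device being blocked repeatedly on one host. The event shape, host names, serials and threshold are constructed assumptions.

```python
from collections import Counter
# Constructed sample records (user, host, device-control action, Device Instance ID),
# shaped like Windows PnP/device-control events. Not real telemetry.
SAMPLE_EVENTS = [
    ("CORP\\alice", "WS-0142", "allowed", "USBSTOR\\DISK&VEN_KINGSTON&PROD_DATATRAVELER_3.0&REV_PMAP\\0019E06B0C1D&0"),
    ("CORP\\bob", "WS-0177", "blocked", "USBSTOR\\DISK&VEN_SANDISK&PROD_CRUZER_BLADE&REV_1.00\\4C530001230&0"),
    ("CORP\\bob", "WS-0177", "blocked", "USBSTOR\\DISK&VEN_SANDISK&PROD_CRUZER_BLADE&REV_1.00\\4C530001230&0"),
    ("CORP\\bob", "WS-0177", "blocked", "USBSTOR\\DISK&VEN_SANDISK&PROD_CRUZER_BLADE&REV_1.00\\4C530001230&0"),
    ("CORP\\carol", "WS-0203", "allowed", "USBSTOR\\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\\7&2A3B4C5D&0&0"),
    ("CORP\\dave", "WS-0310", "allowed", "HID\\VID_046D&PID_C52B&MI_00\\7&1F2E3D4C&0&0000"),
]
APPROVED_SERIALS = {"0019E06B0C1D"}  # constructed allowlist of removable-storage serials
BENIGN_ENUMERATORS = {"HID"}         # keyboards and mice are never flagged (false-positive control)
REPEAT_THRESHOLD = 3                 # blocked attempts per (host, device) before alerting

def parse_instance_id(instance_id):
    """Split 'ENUM\\HWFIELDS\\INSTANCE' into enumerator, VEN_/PROD_ fields and serial.
    If the instance part has '&' as its second character, Windows generated it because the
    device reported no serial; serial is then None and the device cannot be allowlisted by serial."""
    parts = instance_id.split("\\")
    if len(parts) != 3:
        return None
    enumerator, hw, inst = parts
    fields = dict(f.split("_", 1) for f in hw.split("&") if "_" in f)
    serial = None if len(inst) > 1 and inst[1] == "&" else inst.split("&")[0]
    return {"enumerator": enumerator.upper(), "vendor": fields.get("VEN"),
            "product": fields.get("PROD"), "serial": serial}

def detect(events, approved=APPROVED_SERIALS, threshold=REPEAT_THRESHOLD):
    """Alert on (a) a non-benign device allowed without an approved serial (a policy gap)
    and (b) the same device blocked `threshold` times on one host (a persistent attempt)."""
    alerts, blocked = [], Counter()
    for user, host, action, instance_id in events:
        dev = parse_instance_id(instance_id)
        if dev is None or dev["enumerator"] in BENIGN_ENUMERATORS:
            continue
        key = (host, dev["serial"] or instance_id)
        if action == "blocked":
            blocked[key] += 1
            if blocked[key] == threshold:
                alerts.append({"rule": "repeated_blocked", "user": user, "host": host, "vendor": dev["vendor"],
                               "product": dev["product"], "serial": dev["serial"], "count": threshold})
        elif dev["serial"] not in approved:
            alerts.append({"rule": "unapproved_allowed", "user": user, "host": host, "vendor": dev["vendor"],
                           "product": dev["product"], "serial": dev["serial"]})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

In a real deployment the event tuples would be fed from the SIEM, and the unserialized-device case is worth its own review queue because a serial allowlist cannot cover it.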
Mitigation priorities
- Start with policy: define which device classes are allowed, who can approve exceptions, and how exceptions expire or are reviewed.
- Enforce technical controls for removable storage and hardware installation, including USB restrictions, approved-device allowlists, and driver installation limits.
- Harden firmware-level access using BIOS/UEFI passwords and Secure Boot where applicable.
- Disable or restrict Bluetooth, Wi‑Fi, and peripheral pairing where not required for business use.
- Deploy endpoint protection, EDR, host-based monitoring, or device-control tooling to monitor and block unapproved hardware.
Analyst notes and limits
The relationship context makes this mitigation relevant across exfiltration, initial access, lateral movement, command-and-control, and execution scenarios, especially where physical media or peripherals are plausible. The strongest business value is not just blocking USB drives; it is creating auditable control over physical device trust and reducing paths that bypass network monitoring.
The ATT&CK object lists no platforms or tactics for the mitigation itself and provides no official detection guidance. Platform references come from related techniques and implementation examples in the supplied description. Local architecture, endpoint management coverage, physical access controls, and exception processes determine actual effectiveness.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1219.003 | Remote Access Hardware Sub-technique | Block the use of IP-based KVM devices within the network if they are not required. |
| Enterprise | T1674 | Input Injection | Limit the use of USB devices and removable media within a network. |
| Enterprise | T1091 | Replication Through Removable Media | Limit the use of USB devices and removable media within a network. |
| Enterprise | T1219 | Remote Access Tools | Block the use of IP-based KVM devices within the network if they are not required. |
| Enterprise | T1200 | Hardware Additions | Block unknown devices and accessories by endpoint security configuration and monitoring agent. |
| Enterprise | T1052.001 | Exfiltration over USB Sub-technique | Limit the use of USB devices and removable media within a network. |
| Enterprise | T1052 | Exfiltration Over Physical Medium | Limit the use of USB devices and removable media within a network. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 66919cafce04… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack M1034
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.