When connecting a new USB device to the computer, Windows automatically detects the device and installs an appropriate driver, which means that the user can almost immediately use a connected USB drive or device. In some organizations, the use of USB-devices (flash drives, USB HDDs, SD cards and so on) is blocked for security reasons to prevent security leakage of confidential data and the penetration of viruses into the internal corporate network. This article describes how to use the Group Policy (GPO) to disable external removable USB-drives, them from data writing or running executable files.
In Windows, starting from Windows 7 / Vista, you can flexibly manage access to external drives (USB, CD / DVD, floppy, tape etc.) using Group Policies. You can programmatically block the use of USB drives, without affecting such USB devices as a mouse, keyboard, printer, etc.
The USB device blocking policy will work if the infrastructure of your AD domain meets the following requirements:
- Active Directory schema version — Windows Server 2008 or higher. Note. The set of policies allows to control the installation and use of removable media on Windows appeared only in this AD version (version 44).
- Desktop OSs – Windows Vista, Windows 7 or higher.
Configuring GPO to Block USB drives and other External Storage Devices
We are going to restrict the use of USB-drives for all computers in a certain AD container (OU). You can apply the USB block policy to the entire domain, but this will affect the servers and other technological devices. Let’s assume that we want to apply the policy to OU named Workstations. To do it, open the GPO management console (gpmc.msc), right-click on OU Workstations and create a new policy (Create a GPO in this domain and Link it here.)
Name the policy “Disable USB Access”.
After that, edit its settings (Edit).
External storage devices blocking settings are located in the user and computer sections of the GPO:
- User Configuration -> Policies -> Administrative Templates -> System -> Removable Storage Access.
- Computer Configuration -> Policies -> Administrative Templates -> System -> Removable Storage Access.
In the Removable Storage Access section, there are several policies allowing you to disable the use of different types of storage classes — CD/DVDs, FDD, USB-devices, tapes, etc.
- CD and DVD: Deny execute access.
- CD and DVD: Deny read access.
- CD and DVD: Deny write access.
- Custom Classes: Deny read access.
- Custom Classes: Deny write access.
- Floppy Drives: Deny execute access.
- Floppy Drives: Deny read access.
- Floppy Drives: Deny write access.
- Removable Disks: Deny execute access.
- Removable Disks: Deny read access.
- Removable Disks: Deny write access.
- All Removable Storage classes: Deny all access.
- All Removable Storage: Allow direct access in remote sessions.
- Tape Drives: Deny execute access.
- Tape Drives: Deny read access.
- Tape Drives: Deny write access.
- Windows Portable Device – this class includes smartphones, tablets, players, etc.
- WPD Devices: Deny write access.
As you can see, you can deny the launch of executable files for each device class (protect computers against viruses), prohibit reading data and writing / editing files on external media.
The “strongest” restrict policy — All Removable Storage Classes: Deny All Access – allows to deny the access to all types of external storage devices. To turn on the policy, open it and check Enable.
After enabling and updating the policy on client computers (gpupdate /force), the system detects the connected external devices (not only USB devices, but also any external drives) being connected and returns the following error message when user tries to open them:
Drive is not accessible. Access is denied
In this policy section, more flexible restriction to use external USB-drives can be configured.
For example, to prevent writing data to USB flash drives and other types of USB drives, you should enable the policy Removable Disk: Deny write access.
In this case, users will be able to read the data stored on a USB flash drive, but when they attempt to write information to it, they will receive an access error:
You need permission to perform this action
You can deny to run executable and script files stored on USB-drives using Removable Disks: Deny execute access policy.
GPO to Disable USB Drives for Certain Users
Quite often it is necessary to block USB drives for all users in the domain (except administrators).
The easiest way to do this is through the use of Security Filtering in the GPO. For example, to prevent the USB block policy from being applied to the Domain Admins group:
- In the Group Policy Management console, select your Disable USB Access policy.
- In the Security Filtering section, add the Domain Admins group.
- Go to the Delegation tab and click the Advanced in the security settings editor, specify that the Domain Admins group is not allowed to apply this GPO (Apply group policy – Deny).
If the task is different: you need to allow USB drives to be used by all but a certain group of users, you need to add your user group in the security settings of the policy with read and apply GPO permissions, and leave only the read permissions for the Authenticated Users or Domain Computers groups (uncheck the Apply group policy option).
Blocking USB and Removable Devices via Registry and Group Policy Preferences
You can more flexibly control access to external devices by configuring the registry settings that are set by the policies discussed above through the Group Policy Preferences (GPP). All the above policies correspond to certain registry keys in the HKLM (or HKCU) \SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices (by default this registry key is missing).
To enable one of these policies, you must create a new subkey in the specified key with the name of the device class you want to block access to (column 2) and REG_DWORD parameter with constraint type (Deny_Read or Deny_Write). If the value of this parameter is equal to 1, the restriction is active, if 0 – the prohibition of using this class of devices doesn’t work.
| Policy name | Device Class GUID | Registry parameter name |
| Floppy Drives: Deny read access |
{53f56311-b6bf-11d0-94f2-00a0c91efb8b} | Deny_Read |
| Floppy Drives: Deny write access |
{53f56311-b6bf-11d0-94f2-00a0c91efb8b} | Deny_Write |
| CD and DVD: Deny read access |
{53f56308-b6bf-11d0-94f2-00a0c91efb8b} | Deny_Read |
| CD and DVD: Deny write access |
{53f56308-b6bf-11d0-94f2-00a0c91efb8b} | Deny_Write |
| Removable Disks: Deny read access |
{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} | Deny_Read |
| Removable Disks: Deny write access |
{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} | Deny_Write |
| Tape Drives: Deny read access |
{53f5630b-b6bf-11d0-94f2-00a0c91efb8b} | Deny_Read |
| Tape Drives: Deny write access |
{53f5630b-b6bf-11d0-94f2-00a0c91efb8b} | Deny_Write |
| WPD Devices: Deny read access |
{6AC27878-A6FA-4155-BA85-F98F491D4F33} {F33FDC04-D1AC-4E8E-9A30-19BBD4B108AE} |
Deny_Read |
| WPD Devices: Deny write access |
{6AC27878-A6FA-4155-BA85-F98F491D4F33} {F33FDC04-D1AC-4E8E-9A30-19BBD4B108AE} |
Deny_Write |
Thus, with the help of these registry keys and the ability to target GPP policies with Item-level targeting, you can flexibly apply policies that restrict the use of external storage devices to certain AD security groups, sites, OS versions, OUs and other computer characteristics (you can use even WMI queries). In this way, you can make sure that USB block policies are applied only to computers (users) that are included (or not included) to a certain AD group.
14 comments
Have you test it on Windows 10?
I have tested it on Windows 10 Pro, but it is not work. The policy is applied but the USB is not denied.
AD is Windows Server 2008 r2 and Windows 10 admx is installed.
I have not tested this policy on clients Windovs 10.
Can you check that the policy is working correctly on older clients (Win 7, 8.1)?
I configured the GPO but it is not working on Win7. DC is 2008 R2.
The policy is applied but the USB is not denied.
Avez-vous pensé à désinstaller le périphérique USB au préalable ?
Can you teach how to limit to which user log-in to disable USB mass storage drive?
You can use GPO Security Filtering or GPO Delegation to allow/deny some users or group to apply this policy
A domain administrator disable usb access in GPO. How can i Enable in a local computer
Do you have local admin permissions on your workstation?
Hi, I applied this policy to the entire domain and added the administrators group as a deny as instructed above. When I go to test the usb as an administrator I can not access the usb.
What am I doing wrong?
Do you linked the “Disable USB Access” policy to an OU with computers or users? Which GPP section is configured?
We’re using ThreatLocker in our company. It’s easy to manage and allows creating organization, groups and computer policies for blocking USB devices, DVD/BD, etc. It also helps with permitting or denying path access to our fileservers and application whitelisting.
how to configure deny virtua usb
Hello
i followed your steps above and it worked perfectly
however, lets say i have a user named John Smith and want to grant access only to John smith and all other are blocked
how do i proceed??
Hi!…
.
Does “Network Discovery”… whether On or Off!… apply to Folders and/ or Files within one’s USB/ Flash Drive, or just Folders and/ or Files within one’s Hard Drive? And if the answer be the latter, then how can Folders and/ or Files within one’s USB/ Flash Drive be shielded from EXTERNAL NETWORK DISCOVERY (i.e., EXTERNAL to one’s LOCALLY NETWORKED computer/ computers) when one is interprocessing data between one’s USB/ Flash Drive and one’s Hard Drive, or between another LOCALLY CONNECTED USB/ Flash Drive, or other USBs/ Flash Drives connected to one’s LOCALLY NETWORKED computer/ computers?… and, whether– and for example– adding or removing Folders and/ or Files, or copying and/ or pasting Folders and/ or Files to and/ or from one’s Hard Drive(s), or to and/ or from another LOCALLY CONNECTED USB/ Flash Drive or other USBs/ Flash Drives.
.
Further, unless one has downloaded material from a “Web source” to one’s USB… the which, may result in one receiving a “hidden algorithm (e.g., a cookie)” that will “Discover” other personal content on one’s USB/ Flash Drive (like a “trojan algorithm” that/ which can “open one’s USB door” afterupon its entry into one’s system)… I can see no way that a web source should be able to “Discover” other content within one’s USB(s)/ Flash Drive(s) when one is “PASSIVELY USING” one’s USB/ Flash Drive in association with one’s Hard Drive (i.e., adding or removing NEUTRAL Folders and/ or Files, or copying and/ or pasting NEUTRAL Folders and/ or Files!… i.e., those “NONPROPRIETARILY TAGGED”, from PROPRIETARY DOWNLOADS). Nevertheless, if “Network Discovery” does not generally apply to USBs/ Flash Drives, then even PASSIVE FOLDERS AND FILES within one’s USB(s)/ Flash Drive(s) may be routinely Discovered hundreds, or even thousands of miles away (and within seconds) by any number of Web sources. And, unbeknown to hapless netizens.
.
In my case, I want to deny EXTERNAL NETWORK DISCOVERY by way of an EXTERNAL WEB SOURCE’s USB(s)/ Flash Drive(s), of any data/ content within my USB(s)/ Flash Drive(s) LOCALLY CONNECTED to my locally networked computer/ computers, and any data/ content within another LOCALLY CONNECTED USB/ Flash Drive, or other USBs/ Flash Drives… in contrast to denying a permitted LOCALLY CONNECTED USB/ Flash Drive or other USBs/ Flash Drives locally networked to my computer/ computers, set up to accesss data/ content within my locally networked computer’s/ computers’ Hard Drive(s), or within a locally networked USB/ Flash Drive or USBs/ Flash Drives. In other words, I want an allowed LOCALLY CONNECTED USB/ Flash Drive that/ which is connected to my locally networked computer/ computers to locally process data/ content (whether on a HDD/ HDDs, or on another LOCALLY CONNECTED USB/ Flash Drive or other USBs/ Flash Drives), but not an EXTERNAL WEB SOURCE’s USBs/ Flash Drives that/ which are not a part of my LOCALLY NETWORKED computer/ computers!
.
No emails please!