September 3, 2020 | Group Policies, Windows 10, Windows Server 2016

How to Block USB Drives in Windows using Group Policy?

When a new USB device is connected to a computer, Windows automatically detects it and installs an appropriate driver, so the user can use a connected USB drive or device almost immediately. In some organizations, the use of USB storage devices (flash drives, USB HDDs, SD cards and so on) is blocked for security reasons, to prevent leakage of sensitive data and infection of computers. This article describes how to use Group Policy (GPO) to disable external removable USB drives.

Contents:
  • Configuring GPO to Disable USB Storage Devices on Domain Computers
  • Disabling USB Drives via GPO for Specific Users
  • Blocking USB and Removable Devices via Registry and Group Policy Preferences
  • Disable the USB Storage Driver via Registry
  • Allow Only a Specific USB Storage Device to be Connected

Configuring GPO to Disable USB Storage Devices on Domain Computers

In all versions of Windows starting from Windows 7, you can flexibly manage access to external drives (USB, CD/DVD, floppy, tape, etc.) using Group Policies (we are not considering the radical way of disabling the USB ports in the BIOS settings). It is possible to block only USB storage devices, without affecting USB devices such as a mouse, keyboard or printer (which are not recognized as removable disks).

The USB device blocking policy will work if the infrastructure of your AD domain meets the following requirements:

  • Active Directory schema version — Windows Server 2008 or newer;
    Note. The set of Group Policies that control the installation and use of removable media on Windows appeared only in AD schema version 44.
  • Desktop OS — Windows 7 or newer.

We are going to restrict the use of USB-drives for all computers in a certain AD container (OU). You can apply the USB block policy to the entire domain, but this will affect the servers and other technological devices. Let’s assume that we want to apply the policy to OU named Workstations. To do it, open the GPO management console (gpmc.msc), right-click on OU Workstations and create a new policy (Create a GPO in this domain and Link it here.)

Tip. On a stand-alone computer, the USB device restriction policy can be edited using the Local Group Policy Editor – gpedit.msc. The Local Group Policy Editor is not available in the Windows Home editions, but you can install it like this: How to enable gpedit.msc on Windows 10 Home.

gpmc - Create a GPO in this domain and Link it

Set the GPO name “Disable USB Access”.

Policy Name: Disable USB Access

Modify the GPO settings (Edit).

Edit GPO

The settings for blocking external storage devices are available in both the User and Computer sections of the GPO:

  • User Configuration -> Policies -> Administrative Templates -> System -> Removable Storage Access.
  • Computer Configuration -> Policies -> Administrative Templates -> System -> Removable Storage Access.

If you want to block USB storage devices for all users of a computer, configure the settings in the “Computer Configuration” section.

In the Removable Storage Access section, there are several policies allowing you to disable the use of different types of storage classes — CD/DVDs, FDD, USB-devices, tapes, etc.

  • CD and DVD: Deny execute access.
  • CD and DVD: Deny read access.
  • CD and DVD: Deny write access.
  • Custom Classes: Deny read access.
  • Custom Classes: Deny write access.
  • Floppy Drives: Deny execute access.
  • Floppy Drives: Deny read access.
  • Floppy Drives: Deny write access.
  • Removable Disks: Deny execute access.
  • Removable Disks: Deny read access.
  • Removable Disks: Deny write access.
  • All Removable Storage classes: Deny all access.
  • All Removable Storage: Allow direct access in remote sessions.
  • Tape Drives: Deny execute access.
  • Tape Drives: Deny read access.
  • Tape Drives: Deny write access.
  • WPD Devices: Deny write access (Windows Portable Device – this class includes smartphones, tablets, players, etc.).

As you can see, for each device class you can deny the launch of executable files (to protect computers against viruses), prohibit reading data, and prohibit writing/editing files on external media.

Removable Storage Access settings in GPO

The most restrictive policy — All Removable Storage Classes: Deny All Access – completely disables access to all types of external storage devices. To turn on the policy, open it and select Enabled.

All Removable Storage Classes: Deny All Access

After enabling and updating the policy on client computers (gpupdate /force), the OS still detects connected external devices (not only USB devices, but any external drives), but when trying to open them, an error appears:

Location is not available
Drive is not accessible. Access is denied.

Drive is not accessible. Access is denied

Tip. The same restriction can be set through the registry by creating a DWORD parameter Deny_All with the value 00000001 in the registry key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\RemovableStorageDevices.

In the same policy section, you can configure more flexible restrictions on the use of external USB drives.

For example, to prevent writing data to USB flash drives and other types of USB drives, enable the policy Removable Disks: Deny write access.

USB Removable Disk: Deny write access

In this case, users will be able to read the data from the USB flash drive, but when they attempt to write information to it, they will receive an access denied error:

Destination Folder Access Denied
You need permission to perform this action

USB media- write Access Denied

You can prevent executable and script files from running from USB-drives using the Removable Disks: Deny execute access policy.

Removable Disks: Deny execute access

Disabling USB Drives via GPO for Specific Users

Quite often it is necessary to block USB drives for all users in the domain except administrators.

The easiest way to do this is to use the Security Filtering in the GPO. For example, to prevent the USB block policy from being applied to the Domain Admins group:

  1. Select your Disable USB Access policy in the Group Policy Management console;
  2. In the Security Filtering section, add the Domain Admins group;

block usb policy - security filtering

  3. Go to the Delegation tab and click Advanced. In the security settings editor, specify that the Domain Admins group is not allowed to apply this GPO (Apply group policy – Deny).

There may be the opposite task – you need to allow the use of external USB drives for everyone except a certain group of users. Create a security group “Deny USB” and add it to the security settings of the GPO. Give this group permission to read and apply the GPO, and leave only the read permission for the Authenticated Users (or Domain Computers) group by unchecking the Apply group policy checkbox.

deny gpo applying to authenticated users
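
The two sections above are performed in the gpmc.msc GUI; the same GPO can be built from the GroupPolicy module (RSAT). This is an added example, not code from the article: it creates the "Disable USB Access" GPO, links it to an OU, writes the Deny_All value into Computer Configuration, and sets the "Deny USB" security filtering described just above. The OU distinguished name and group name are placeholders you must replace.

```powershell
# Added example (not from the original article): build the "Disable USB Access" GPO
# with the GroupPolicy module instead of clicking through gpmc.msc.
# Assumptions: RSAT GroupPolicy module is installed, the session runs as a domain admin,
# and the OU DN / group name below are placeholders for your own environment.
Import-Module GroupPolicy

$GpoName   = 'Disable USB Access'
$TargetOU  = 'OU=Workstations,DC=example,DC=com'   # placeholder OU DN
$DenyGroup = 'Deny USB'                             # placeholder: group that gets the restriction
$PolicyKey = 'HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices'

# 1. Create the GPO (or reuse an existing one) and link it to the OU if not linked yet.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Blocks removable storage (Computer Configuration)'
}
$links = (Get-GPInheritance -Target $TargetOU).GpoLinks | Where-Object DisplayName -eq $GpoName
if (-not $links) {
    New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null
}

# 2. "All Removable Storage classes: Deny all access" is the Deny_All DWORD = 1 under the
#    policy key. An HKLM key lands in Computer Configuration, so it applies to every user of the PC.
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName 'Deny_All' -Type DWord -Value 1 | Out-Null

# 3. Security filtering: only members of "Deny USB" apply the policy. Authenticated Users keeps
#    Read (clients must still be able to read the GPO) but loses "Apply group policy".
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $DenyGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 4. Verify what was written: the registry policy value and the resulting permissions.
Get-GPRegistryValue -Name $GpoName -Key $PolicyKey
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

Because Authenticated Users keeps Read, domain computers can still retrieve the GPO (required since MS16-072), while only "Deny USB" members actually apply it.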

Blocking USB and Removable Devices via Registry and Group Policy Preferences

You can control access to external devices more flexibly by configuring, via Group Policy Preferences (GPP), the registry settings that the policies discussed above set. All of the above policies correspond to registry values under the HKLM (or HKCU)\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices key (by default this registry key does not exist).

To enable one of these policies, create a new subkey under the specified key named after the GUID of the device class you want to restrict (column 2 of the table below), and in it a REG_DWORD parameter with the restriction type (Deny_Read, Deny_Write or Deny_Execute). If the value of this parameter is 1, the restriction is active; if 0, there is no restriction for this device class.

Policy name                         Device Class GUID                         Registry parameter name
Floppy Drives: Deny read access     {53f56311-b6bf-11d0-94f2-00a0c91efb8b}    Deny_Read
Floppy Drives: Deny write access    {53f56311-b6bf-11d0-94f2-00a0c91efb8b}    Deny_Write
CD and DVD: Deny read access        {53f56308-b6bf-11d0-94f2-00a0c91efb8b}    Deny_Read
CD and DVD: Deny write access       {53f56308-b6bf-11d0-94f2-00a0c91efb8b}    Deny_Write
Removable Disks: Deny read access   {53f5630d-b6bf-11d0-94f2-00a0c91efb8b}    Deny_Read
Removable Disks: Deny write access  {53f5630d-b6bf-11d0-94f2-00a0c91efb8b}    Deny_Write
Tape Drives: Deny read access       {53f5630b-b6bf-11d0-94f2-00a0c91efb8b}    Deny_Read
Tape Drives: Deny write access      {53f5630b-b6bf-11d0-94f2-00a0c91efb8b}    Deny_Write
WPD Devices: Deny read access       {6AC27878-A6FA-4155-BA85-F98F491D4F33}    Deny_Read
                                    {F33FDC04-D1AC-4E8E-9A30-19BBD4B108AE}
WPD Devices: Deny write access      {6AC27878-A6FA-4155-BA85-F98F491D4F33}    Deny_Write
                                    {F33FDC04-D1AC-4E8E-9A30-19BBD4B108AE}

You can create the specified registry keys and parameters manually. In the screenshot below, I’ve created a RemovableStorageDevices key and a subkey named {53f5630d-b6bf-11d0-94f2-00a0c91efb8b}. With REG_DWORD parameters, I prohibited writing to and running executables from USB drives.

RemovableStorageDevices set USB write and execute restrictions via registry

Disabling USB storage will take effect immediately after the policy is applied (no need to restart your computer). If a USB flash drive is connected to the computer, it will be available until it is reconnected.

You can use these registry keys together with GPP Item-level targeting to apply policies restricting the use of external USB storage devices flexibly: to specific AD security groups, sites, OS versions, OUs (and even with WMI filters). For example, create the Storage-Devices-Restrict domain group and add the computer accounts for which you want to restrict the use of USB drives. Specify this group in your GPP item under Item Level Targeting -> Security Group with the Computer in Group option. The USB blocking policy will then apply only to computers that are members of this AD group.

gpp targeting to security group

Note. Similarly, you can create your own policies for device classes that are not listed in this list. You can find out the device class ID in the driver properties in the value of the Device Class GUID attribute.
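
The following is an added example (not the article's own code) that sets and audits the same per-class Deny_Read/Deny_Write/Deny_Execute values in the local registry that the table and the GPP item above describe. The function names are my own; it assumes an elevated PowerShell session on the target computer.

```powershell
# Added example (not from the article): write and read the per-class restrictions under
# HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices directly.
# Assumes an elevated session. Function names are hypothetical (my own).
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

# Device class GUIDs from the table above. WPD has two GUIDs; both must be set.
$DeviceClasses = @{
    FloppyDrives   = @('{53f56311-b6bf-11d0-94f2-00a0c91efb8b}')
    CdAndDvd       = @('{53f56308-b6bf-11d0-94f2-00a0c91efb8b}')
    RemovableDisks = @('{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}')
    TapeDrives     = @('{53f5630b-b6bf-11d0-94f2-00a0c91efb8b}')
    WpdDevices     = @('{6AC27878-A6FA-4155-BA85-F98F491D4F33}',
                       '{F33FDC04-D1AC-4E8E-9A30-19BBD4B108AE}')
}

function Set-RemovableStorageRestriction {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('FloppyDrives', 'CdAndDvd', 'RemovableDisks', 'TapeDrives', 'WpdDevices')]
        [string]$DeviceClass,
        [ValidateSet('Read', 'Write', 'Execute')][string[]]$Deny  = @(),   # set Deny_<x> = 1
        [ValidateSet('Read', 'Write', 'Execute')][string[]]$Allow = @()    # set Deny_<x> = 0
    )
    foreach ($guid in $DeviceClasses[$DeviceClass]) {
        $key = Join-Path $PolicyRoot $guid
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($t in $Deny)  { Set-ItemProperty -Path $key -Name "Deny_$t" -Value 1 -Type DWord }
        foreach ($t in $Allow) { Set-ItemProperty -Path $key -Name "Deny_$t" -Value 0 -Type DWord }
    }
}

function Get-RemovableStorageRestriction {
    # One object per configured class GUID, plus the global Deny_All state.
    if (-not (Test-Path $PolicyRoot)) { return }   # key absent = no restrictions at all
    $denyAll = (Get-ItemProperty -Path $PolicyRoot -ErrorAction SilentlyContinue).Deny_All
    foreach ($class in $DeviceClasses.Keys) {
        foreach ($guid in $DeviceClasses[$class]) {
            $key = Join-Path $PolicyRoot $guid
            if (-not (Test-Path $key)) { continue }
            $p = Get-ItemProperty -Path $key
            [pscustomobject]@{
                DeviceClass = $class
                Guid        = $guid
                DenyRead    = [bool]$p.Deny_Read      # missing value -> $false
                DenyWrite   = [bool]$p.Deny_Write
                DenyExecute = [bool]$p.Deny_Execute
                DenyAll     = [bool]$denyAll
            }
        }
    }
}

# Reproduce the screenshot above: block writing and executing from USB drives, keep read.
Set-RemovableStorageRestriction -DeviceClass RemovableDisks -Deny Write, Execute -Allow Read
Get-RemovableStorageRestriction | Format-Table -AutoSize
```

Values written here by hand live under the Policies hive, so a linked GPO or GPP item that manages the same key will overwrite them at the next policy refresh; use Get-RemovableStorageRestriction after gpupdate to see the effective state.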

Disable the USB Storage Driver via Registry

You can completely disable the USBSTOR driver (USB Mass Storage Driver), which is required to correctly detect and mount USB storage devices.

On a stand-alone computer, you can disable this driver by changing the value of the Start registry parameter from 3 to 4. You can do this through PowerShell:

Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\services\USBSTOR" -name Start -Value 4

disable usbstor service in registry

Restart your computer and try to connect your USB storage device. Now it shouldn’t appear in File Explorer or Disk Management console, and in Device Manager you will see a device driver installation error.

Note. This is the only way to disable USB drives in outdated Windows XP/Windows Server 2003, since in these versions there are no separate Group Policy settings to restrict access to external USB devices.

You can disable the USBSTOR driver from running on domain computers using Group Policy Preferences. To do this, you need to make changes to the registry through the GPO.

These settings can be deployed to all domain computers. Create a new Group Policy, link it to the OU with computers and in the Computer Configuration -> Preferences -> Windows Settings -> Registry section, create a new parameter with the values:

  • Action: Update
  • Hive: HKEY_LOCAL_MACHINE
  • Key path: SYSTEM\CurrentControlSet\Services\USBSTOR
  • Value name: Start
  • Value type: REG_DWORD
  • Value data: 00000004

gpo to disable usbstor driver on domain computers

Allow Only a Specific USB Storage Device to be Connected

You can use a certain registry setting to allow a specific (approved) USB storage drive to connect to your computer. Let’s take a quick look at how this can be configured.

When you connect any USB storage device to the computer, the USBSTOR driver installs the device and creates a separate registry key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR. This registry key contains information about the USB drive (for example, Disk&Ven_Kingston&Prod_DT_1010_G2&Rev_12.00).

usbstor registry key

You can list the USB drives that have ever been connected to your computer with the following PowerShell command:

Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR\*\* | Select-Object FriendlyName

usbstor - usb devices connection history in registry

You can delete all registry keys for previously connected USB flash drives, except for those you need.

Then you need to change the permissions on the USBSTOR registry key so that everyone (including SYSTEM and administrators) has only read permissions. As a result, when you connect any USB drive, except the allowed one, Windows won’t be able to install the device.
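
The allow-list procedure above, as an added example that is not part of the article: it lists the USBSTOR history with the approval status of each instance, removes the instances that are not on the allow list (dry-run by default), and replaces the ACL of the USBSTOR key with read-only entries for SYSTEM, Administrators and Everyone. The approved FriendlyName and the function names are placeholders of mine; the note that Enum keys usually have to be modified as SYSTEM is my own caveat.

```powershell
# Added example (not from the article): approve specific USB drives via the USBSTOR key.
# Assumes an elevated session. $ApprovedFriendlyNames is a placeholder allow list.
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
$ApprovedFriendlyNames = @('Kingston DT 101 G2 USB Device')   # placeholder value

function Get-UsbStorHistory {
    # One object per device instance: <device-id>\<instance-id> plus FriendlyName.
    Get-ChildItem -Path $UsbStorKey -ErrorAction SilentlyContinue | ForEach-Object {
        $deviceKey = $_
        Get-ChildItem -Path $deviceKey.PSPath | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                DeviceId     = $deviceKey.PSChildName   # e.g. Disk&Ven_...&Prod_...&Rev_...
                InstanceId   = $_.PSChildName           # drive serial / instance id
                FriendlyName = $props.FriendlyName
                Approved     = $ApprovedFriendlyNames -contains $props.FriendlyName
                Path         = $_.PSPath
            }
        }
    }
}

function Remove-UnapprovedUsbStorInstances {
    param([switch]$WhatIf)
    # Caveat (my note): Enum keys are owned by SYSTEM and Administrators often only have
    # read access, so deleting them may require running the script as SYSTEM.
    Get-UsbStorHistory | Where-Object { -not $_.Approved } | ForEach-Object {
        Remove-Item -Path $_.Path -Recurse -Force -WhatIf:$WhatIf
    }
}

function Set-UsbStorKeyReadOnly {
    # Replace the ACL so SYSTEM, Administrators and Everyone can only read the key.
    # Without CreateSubKey rights, PnP cannot register a new (unapproved) USB drive.
    $acl = Get-Acl -Path $UsbStorKey
    $acl.SetAccessRuleProtection($true, $false)      # stop inheriting, drop inherited ACEs
    $acl.Access | ForEach-Object { $acl.RemoveAccessRule($_) | Out-Null }
    foreach ($who in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'Everyone') {
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $who, 'ReadKey', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $UsbStorKey -AclObject $acl        # may need ownership of the key first
}

Get-UsbStorHistory | Format-Table DeviceId, FriendlyName, Approved -AutoSize
Remove-UnapprovedUsbStorInstances -WhatIf           # drop -WhatIf once the report looks right
```

Run Set-UsbStorKeyReadOnly only after the report shows nothing but approved instances; reverting is a matter of restoring the original ACL (export it with Get-Acl beforehand).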

 

15 comments

jack September 12, 2016 - 7:18 pm

Have you tested it on Windows 10?
I have tested it on Windows 10 Pro, but it does not work. The policy is applied but the USB is not denied.
AD is Windows Server 2008 R2 and the Windows 10 ADMX is installed.
admin September 20, 2016 - 5:11 am

I have not tested this policy on Windows 10 clients.
Can you check that the policy is working correctly on older clients (Win 7, 8.1)?
Ravinder Jaiswal October 10, 2016 - 10:47 am

I configured the GPO, but it is not working on Win7. The DC is 2008 R2.
The policy is applied, but the USB is not denied.
Olrudy November 20, 2018 - 2:38 pm

Did you think of uninstalling the USB device beforehand?
Mohammed Alshambaty September 21, 2020 - 7:03 am

By mistake I did the same, but I revoked the policy and the USB is still blocked. I'm also using Win Server 2008 R2.
Gary February 2, 2017 - 5:22 am

Can you teach me how to limit for which user log-ins the USB mass storage drive is disabled?
admin February 22, 2017 - 7:01 am

You can use GPO Security Filtering or GPO Delegation to allow/deny some users or groups to apply this policy.
amir August 23, 2017 - 5:00 am

A domain administrator disabled USB access in a GPO. How can I enable it on a local computer?
admin August 30, 2017 - 4:40 am

Do you have local admin permissions on your workstation?

Jennifer November 27, 2018 - 2:42 pm

Hi, I applied this policy to the entire domain and added the administrators group as a deny as instructed above. When I go to test the USB as an administrator, I cannot access the USB.
What am I doing wrong?
admin December 4, 2018 - 12:50 pm

Did you link the “Disable USB Access” policy to an OU with computers or users? Which GPP section is configured?
John Ree February 8, 2019 - 12:55 am

We’re using ThreatLocker in our company. It’s easy to manage and allows creating organization, groups and computer policies for blocking USB devices, DVD/BD, etc. It also helps with permitting or denying path access to our fileservers and application whitelisting.

phan anh July 23, 2019 - 1:09 pm

How to configure deny for virtual USB?
Roobeen Chummun July 25, 2019 - 6:17 am

Hello

I followed your steps above and it worked perfectly.

However, let's say I have a user named John Smith and want to grant access only to John Smith, and all others are blocked.

How do I proceed??
MR MUSTASHE September 11, 2019 - 2:54 am

Hi!…    
.
Does “Network Discovery”… whether On or Off!… apply to Folders and/ or Files within one’s USB/ Flash Drive, or just Folders and/ or Files within one’s Hard Drive? And if the answer be the latter, then how can Folders and/ or Files within one’s USB/ Flash Drive be shielded from EXTERNAL NETWORK DISCOVERY (i.e., EXTERNAL to one’s LOCALLY NETWORKED computer/ computers) when one is interprocessing data between one’s USB/ Flash Drive and one’s Hard Drive, or between another LOCALLY CONNECTED USB/ Flash Drive, or other USBs/ Flash Drives connected to one’s LOCALLY NETWORKED computer/ computers?… and, whether– and for example– adding or removing Folders and/ or Files, or copying and/ or pasting Folders and/ or Files to and/ or from one’s Hard Drive(s), or to and/ or from another LOCALLY CONNECTED USB/ Flash Drive or other USBs/ Flash Drives.
.
Further, unless one has downloaded material from a “Web source” to one’s USB… the which, may result in one receiving a “hidden algorithm (e.g., a cookie)” that will “Discover” other personal content on one’s USB/ Flash Drive (like a “trojan algorithm” that/ which can “open one’s USB door” afterupon its entry into one’s system)… I can see no way that a web source should be able to “Discover” other content within one’s USB(s)/ Flash Drive(s) when one is “PASSIVELY USING” one’s USB/ Flash Drive in association with one’s Hard Drive (i.e., adding or removing NEUTRAL Folders and/ or Files, or copying and/ or pasting NEUTRAL Folders and/ or Files!… i.e., those “NONPROPRIETARILY TAGGED”, from PROPRIETARY DOWNLOADS). Nevertheless, if “Network Discovery” does not generally apply to USBs/ Flash Drives, then even PASSIVE FOLDERS AND FILES within one’s USB(s)/ Flash Drive(s) may be routinely Discovered hundreds, or even thousands of miles away (and within seconds) by any number of Web sources. And, unbeknown to hapless netizens.
.
In my case, I want to deny EXTERNAL NETWORK DISCOVERY by way of an EXTERNAL WEB SOURCE’s USB(s)/ Flash Drive(s), of any data/ content within my USB(s)/ Flash Drive(s) LOCALLY CONNECTED to my locally networked computer/ computers, and any data/ content within another LOCALLY CONNECTED USB/ Flash Drive, or other USBs/ Flash Drives… in contrast to denying a permitted LOCALLY CONNECTED USB/ Flash Drive or other USBs/ Flash Drives locally networked to my computer/ computers, set up to access data/ content within my locally networked computer’s/ computers’ Hard Drive(s), or within a locally networked USB/ Flash Drive or USBs/ Flash Drives. In other words, I want an allowed LOCALLY CONNECTED USB/ Flash Drive that/ which is connected to my locally networked computer/ computers to locally process data/ content (whether on a HDD/ HDDs, or on another LOCALLY CONNECTED USB/ Flash Drive or other USBs/ Flash Drives), but not an EXTERNAL WEB SOURCE’s USBs/ Flash Drives that/ which are not a part of my LOCALLY NETWORKED computer/ computers!
.
No emails please!

