Posted on December 17, 2015 · Posted in Group Policies

How to Disable USB Drives using Group Policy

When a new USB device is connected to a computer, Windows detects it and installs a suitable driver automatically, so the USB device or drive is usable almost immediately. Some organizations disable USB devices (flash drives, USB HDDs, SD cards and so on) for security reasons, to prevent data leakage and malware infection. This article explains how to use Group Policy (GPO) to block external USB drives entirely, to prevent writing to them, or to prevent running executable files from them.

The USB device policy works only if the infrastructure meets these requirements:

  1. Active Directory schema version — Windows Server 2008 or higher

    Note. The set of policies that control the installation and use of removable drives first appeared in this AD schema version.

  2. Client OSs – Windows Vista, Windows 7 or higher

We are going to restrict the use of USB drives for all computers in a certain organizational unit (OU). Let’s assume that we want to apply the policy to an OU named Workstations. To do it, open the Group Policy Management console (gpmc.msc), right-click the Workstations OU and create a new policy (Create a GPO in this domain, and Link it here).

Tip. On a stand-alone computer, the USB restriction policy can be edited with the Local Group Policy Editor (gpedit.msc).

gpmc - Create a GPO in this domain and Link it

Name the policy “Disable USB Access”.

Policy Name: Disable USB Access

After that, edit its parameters (Edit).

Edit GPO

The settings that restrict external devices are located in both the User and Computer sections of the GPO:

  1. User Configuration-> Policies-> Administrative Templates-> System->Removable Storage Access
  2. Computer Configuration-> Policies-> Administrative Templates-> System-> Removable Storage Access

In our case, we want to disable USB drives at the computer level, so we need the second section. Expand it.

The Removable Storage Access section contains policies that turn off the use of different types of storage devices: CD/DVDs, floppy disks (FDD), USB devices, tapes and so on.

The “strongest” lockout policy, All Removable Storage Classes: Deny All Access, denies access to all types of external storage devices. To turn on the policy, open it and set it to Enabled.

All Removable Storage Classes: Deny All Access

After the policy is enabled and refreshed on client computers (gpupdate /force), the system still detects connected external devices but returns the following error message when a user tries to open them:

Location is not available

Drive is not accessible. Access is denied

Tip. The same restriction can be set directly in the registry by creating a DWORD value named Deny_All with the data 00000001 under the HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\RemovableStorageDevices key.
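The steps above (create the GPO, link it to the Workstations OU, enable All Removable Storage Classes: Deny All Access) can also be scripted. The following is an added PowerShell example, not part of the original article, using the GroupPolicy module that ships with RSAT; the OU distinguished name and domain are placeholders. It writes the Deny_All value under HKLM, which is where the Computer Configuration version of the policy is stored (the HKCU path in the tip is the User Configuration counterpart), and reads the GPO back so the setting can be checked before clients refresh.

```powershell
# Added example (not from the article): create and link the "Disable USB Access"
# GPO with the GroupPolicy module, then set the registry-backed policy value that
# "All Removable Storage Classes: Deny All Access" writes.
# Assumptions: placeholder OU DN and domain; run from a domain-joined admin
# workstation with RSAT (GroupPolicy module) installed.
Import-Module GroupPolicy

$GpoName  = 'Disable USB Access'
$TargetOu = 'OU=Workstations,DC=example,DC=local'   # placeholder OU distinguished name

# Create the GPO only if it does not exist yet.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Blocks removable storage on workstations'
}

# Link it to the OU unless a link with that name is already present.
$existingLink = (Get-GPInheritance -Target $TargetOu).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $existingLink) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# Computer Configuration form of the policy: DWORD Deny_All = 1 under the
# Policies hive (the article's tip quotes the HKCU path, which is the
# User Configuration form of the same setting).
$PolicyKey = 'HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices'
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName 'Deny_All' `
    -Type DWord -Value 1 | Out-Null

# Read back what the GPO now carries so the change can be verified before
# clients run gpupdate /force.
Get-GPRegistryValue -Name $GpoName -Key $PolicyKey |
    Select-Object KeyPath, ValueName, Type, Value
```

The read-back at the end is the part worth keeping in any change script: it shows the exact key, value name and type the GPO will deliver, which is what you compare against the client registry when a restriction does not seem to take effect.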

This policy section also allows more granular restrictions on external USB drives.

For example, to prevent writing to USB flash drives and disks, enable only the policy Removable Disks: Deny write access.

USB Removable Disk: Deny write access

In this case, users will be able to read the data stored on a USB flash drive, but if they try to write anything to it, the following error message will appear:

Destination Folder Access Denied

You need permission to perform this action

USB media- write Access Denied

You can prevent executable and script files stored on USB drives from running by using the Removable Disks: Deny execute access policy.

Removable Disks: Deny execute access
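To confirm on a workstation which of the restrictions described in this article are in effect after gpupdate, here is an added PowerShell audit script (not from the article) that reads the registry values the Removable Storage Access policies write. The class GUIDs for Removable Disks and CD/DVD are the ones used by the policy's ADMX definitions; the script reports Deny_All as well as the per-class Deny_Read, Deny_Write and Deny_Execute values from both the computer (HKLM) and user (HKCU) policy hives.

```powershell
# Added example (not from the article): audit a client for Removable Storage
# Access restrictions by reading the policy registry values directly.
# Deny_All lives at the root of the RemovableStorageDevices key; per-class
# restrictions live in a subkey named after the storage class GUID.
$Hives = @(
    'HKLM:\Software\Policies\Microsoft\Windows\RemovableStorageDevices',  # Computer Configuration
    'HKCU:\Software\Policies\Microsoft\Windows\RemovableStorageDevices'   # User Configuration
)
$Classes = @{
    '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}' = 'Removable Disks'   # class GUID used by the Removable Disks policies
    '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}' = 'CD and DVD'        # class GUID used by the CD and DVD policies
}

function Get-RemovableStorageRestriction {
    foreach ($hive in $Hives) {
        if (-not (Test-Path $hive)) { continue }
        $hiveName = $hive.Split(':')[0]

        # Global lockout: "All Removable Storage Classes: Deny All Access"
        $all = Get-ItemProperty -Path $hive -Name 'Deny_All' -ErrorAction SilentlyContinue
        if ($all -and $all.Deny_All -eq 1) {
            [pscustomobject]@{ Hive = $hiveName; Class = 'All classes'; Restriction = 'Deny_All' }
        }

        # Per-class restrictions: Deny read / Deny write / Deny execute access
        foreach ($guid in $Classes.Keys) {
            $classKey = Join-Path $hive $guid
            if (-not (Test-Path $classKey)) { continue }
            $props = Get-ItemProperty -Path $classKey
            foreach ($name in 'Deny_Read', 'Deny_Write', 'Deny_Execute') {
                if ($props.$name -eq 1) {
                    [pscustomobject]@{ Hive = $hiveName; Class = $Classes[$guid]; Restriction = $name }
                }
            }
        }
    }
}

$result = Get-RemovableStorageRestriction
if ($result) { $result | Format-Table -AutoSize }
else { 'No Removable Storage Access restrictions are applied on this computer.' }
```

Run it on the client after the policy refresh; an empty result means no restriction has reached the machine, while a Deny_All row explains the "Access is denied" message from the earlier screenshot and a Deny_Write row explains the "You need permission to perform this action" one. Because it reads the same values the GPO writes, it is also a quick way to tell a policy that never applied (key absent) from one that applied with the wrong scope (value present under HKCU instead of HKLM, or the reverse).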
