After connecting a new USB device to a computer, the system automatically detects the device and installs an appropriate driver allowing a user to use a USB-device or a drive connected practically at once. In some organizations, the use of USB-devices (flash drives, USB HDD, SD cards and so on) is disabled for safety reasons to prevent security leakage and virus infection. This article will tell how to disable the use of external USB-drives, prevent writing to them or run executable files using group policies (GPO).
USB device policy will work if an infrastructure complies with these requirements:
- Active Directory schema version — Windows Server 2008 or higherNote. The set of policies allowing to control the installation and use of removable drives has been only appeared in this AD version.
- Client OSs – Windows Vista, Windows 7 or higher
We are going to restrict the use of USB-drives for all computers in a certain container (OU). Let’s assume that we want to apply the policy to OU named Workstations. To do it, open the GPO management console (gpmc.msc), right-click on OU Workstations and create a new policy (Create a GPO in this domain and Link it here.)
Name the policy “Disable USB Access”.
After that, edit its parameters (Edit).
The settings of external devices restrictions located in the user and computer sections of the GPO:
- User Configuration-> Policies-> Administrative Templates-> System->Removable Storage Access
- Computer Configuration-> Policies-> Administrative Templates-> System-> Removable Storage Access
In our case, we want to disable USB-drives on the computer level so we need the second section. Expand it.
In Removable Storage Access section, there are some policies allowing to turn off the use of different types of storage devices — CD/DVDs, FDD, USB-devices, tapes and so on.
The “strongest” lockout policy — All Removable Storage Classes: Deny All Access – allows to deny the access to all types of external storage devices. To turn on the policy, open it and check Enable.
After enabling and updating the policy on customer computers (gpupdate /force), the system detects the external devices being connected and returns the following error message when trying to open them:
Drive is not accessible. Access is denied
In this policy section, more flexible restriction to use external USB-drives can be configured.
For example, to prevent writing to USB flash drives and disks, you should only enable the policy Removable Disk: Deny write access.
In this case, users will be able to read the data stored on a USB flash drive but if they try to write some information to it the following error message will appear:
You need permission to perform this action
You can deny to run executable and script files stored on USB-drives using Removable Disks: Deny execute access policy.
7 comments
Have you test it on Windows 10?
I have tested it on Windows 10 Pro, but it is not work. The policy is applied but the USB is not denied.
AD is Windows Server 2008 r2 and Windows 10 admx is installed.
I have not tested this policy on clients Windovs 10.
Can you check that the policy is working correctly on older clients (Win 7, 8.1)?
I configured the GPO but it is not working on Win7. DC is 2008 R2.
The policy is applied but the USB is not denied.
Can you teach how to limit to which user log-in to disable USB mass storage drive?
You can use GPO Security Filtering or GPO Delegation to allow/deny some users or group to apply this policy
A domain administrator disable usb access in GPO. How can i Enable in a local computer
Do you have local admin permissions on your workstation?