How to Block USB Drives in Windows using Group Policy?

When a new USB device is connected to a computer, Windows automatically detects it and installs a suitable driver. As a result, the user can use the connected USB drive or device almost immediately. In some organizations, the use of USB storage devices (flash drives, USB HDDs, SD cards, etc.) is blocked for security reasons, to prevent leakage of sensitive data and infection of computers. This article describes how to use Group Policy (GPO) to disable external removable USB drives.

Configuring a GPO to Disable USB Storage Devices on Domain Computers

In all versions of Windows starting from Windows 7, you can flexibly manage access to external drives (USB, CD/DVD, floppy, tape, etc.) using Group Policy (we are not considering the radical approach of disabling the USB ports by ). It is possible to block the use of USB drives only, without affecting USB devices such as a mouse, keyboard, printer, etc. (which are not recognized as a ).

The USB device blocking policy will work if your AD domain infrastructure meets the following requirements:

We will restrict the use of USB drives for all computers in a certain AD container (OU). You can apply the USB block policy to the entire domain, but this will also affect servers and other technological devices. Let's assume that we want to apply the policy to the OU named Workstations. To do this, open the Group Policy Management console (gpmc.msc), right-click the Workstations OU and create a new policy (Create a GPO in this domain, and Link it here).

Tip. On a stand-alone computer, the USB device restriction policy can be edited using the Local Group Policy Editor (gpedit.msc). The Local Group Policy Editor is not available in the Windows Home editions, but you can install it like this: .

Set the GPO name to “Disable USB Access”.

Edit the GPO settings (Edit).

The settings for blocking external storage devices are available in both the User and Computer sections of the GPO:

  • User Configuration -> Policies -> Administrative Templates -> System -> Removable Storage Access.
  • Computer Configuration -> Policies -> Administrative Templates -> System -> Removable Storage Access.

If you want to block USB storage devices for all users of a computer, configure the settings in the Computer Configuration section.

In the Removable Storage Access section, there are several policies that allow you to disable the use of different storage classes: CD/DVDs, FDD, USB devices, tapes, etc.

  • CD and DVD: Deny execute access.
  • CD and DVD: Deny read access.
  • CD and DVD: Deny write access.
  • Custom Classes: Deny read access.
  • Custom Classes: Deny write access.
  • Floppy Drives: Deny execute access.
  • Floppy Drives: Deny read access.
  • Floppy Drives: Deny write access.
  • Removable Disks: Deny execute access.
  • Removable Disks: Deny read access.
  • Removable Disks: Deny write access.
  • All Removable Storage classes: Deny all access.
  • All Removable Storage: Allow direct access in remote sessions.
  • Tape Drives: Deny execute access.
  • Tape Drives: Deny read access.
  • Tape Drives: Deny write access.
  • Windows Portable Device – this class includes smartphones, tablets, players, etc.
  • WPD Devices: Deny write access.

As you can see, you can deny the launch of executable files for each device class (protecting computers against viruses), and prohibit reading data from, and writing or modifying data on, external media.

The “strongest” restriction policy, All Removable Storage Classes: Deny All Access, allows you to completely disable access to all types of external storage devices. To activate the policy, open it and select Enabled.

After enabling the policy and updating it on client computers (gpupdate /force), the OS still detects connected external devices (not only USB devices, but any external drives), but when you try to open them, an error appears:

Location is not available
Drive is not accessible. Access is denied.

Tip. The same restriction can be set via the registry by creating a DWORD parameter Deny_All with the value 00000001 in the registry key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\RemovableStorageDevices.
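The same steps (create the GPO, link it to the Workstations OU, enable the "Deny all access" restriction) can be scripted with the GroupPolicy RSAT module. The script below is an added example and not code from the article; it assumes the GroupPolicy module is installed, that you have rights to create and link GPOs, and it uses a placeholder OU distinguished name that you must replace with your own. The Deny_All registry value it writes into the GPO is the one this policy sets on clients.

```powershell
# Added example (not from the original article): create the "Disable USB Access" GPO,
# link it to the Workstations OU and set "All Removable Storage classes: Deny all access"
# by writing the registry value the policy corresponds to.
# Assumptions: GroupPolicy RSAT module present; $TargetOu is a placeholder DN.
Import-Module GroupPolicy

$GpoName   = 'Disable USB Access'
$TargetOu  = 'OU=Workstations,DC=example,DC=com'   # placeholder: replace with your OU DN
$PolicyKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

# Create the GPO only if it does not exist yet.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Blocks removable storage on workstations'
}

# Link it to the OU only if no link with that name is already present.
$linked = (Get-GPInheritance -Target $TargetOu).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# Deny_All = 1 under the policy key is what "All Removable Storage classes:
# Deny all access" writes on the client. Setting it through the GPO's Computer
# Configuration makes the restriction apply to every user of the computer.
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName 'Deny_All' `
    -Type DWord -Value 1 | Out-Null

# Read the setting back from the GPO to confirm what clients will receive.
Get-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName 'Deny_All' |
    Select-Object FullKeyPath, ValueName, Value
```

After the next policy refresh (gpupdate /force) on a client, the same key and value appear under HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices, which is a convenient place to verify that the policy actually reached the computer.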

In the same policy section, you can configure more flexible restrictions on the use of external USB drives.

For example, to prevent writing data to USB flash drives and other types of USB drives, enable the policy Removable Disks: Deny write access.

In this case, users will be able to read data from the USB flash drive, but when they try to write to it, they will receive an access denied error:

Destination Folder Access Denied
You need permission to perform this action

You can prevent executable and script files from running from USB drives using the Removable Disks: Deny execute access policy.

Disabling USB Drives via GPO for Specific Users

Quite often it is necessary to block USB drives for all users in the domain except administrators.

The easiest way to do this is to use Security Filtering in the GPO. For example, to prevent the USB block policy from being applied to the Domain Admins group:

  1. Select your Disable USB Access policy in the Group Policy Management console;
  2. In the Security Filtering section, add the Domain Admins group;
  3. Go to the Delegation tab and click Advanced. In the security settings editor, specify that the Domain Admins group is not allowed to apply this GPO (Apply group policy – Deny).

There may be another task: you need to allow the use of external USB drives for everyone except a certain group of users. Create a security group “Deny USB” and add it in the security settings of the GPO. For this group, set permissions to read and apply the GPO, and leave only the read permission for the Authenticated Users or Domain Computers group (by unchecking the Apply group policy checkbox).
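The second scenario (everyone keeps USB access except members of a "Deny USB" group) maps directly onto the permission levels exposed by the GroupPolicy module. The script below is an added example, not code from the article; it assumes the GroupPolicy RSAT module is installed and that the GPO and the "Deny USB" security group already exist. The first scenario (an explicit Apply group policy – Deny entry for Domain Admins) has no equivalent permission level in this module and is still configured through the Delegation tab as described above.

```powershell
# Added example (not from the original article): security filtering so that the
# USB block applies only to members of the "Deny USB" group.
# Assumptions: GroupPolicy RSAT module present; GPO and group already exist.
Import-Module GroupPolicy

$GpoName   = 'Disable USB Access'
$DenyGroup = 'Deny USB'

# Authenticated Users keeps Read only. This is the same change as unchecking
# "Apply group policy" in the Delegation tab, so the GPO no longer applies to everyone.
# (Read must stay: clients need to read the GPO to evaluate it.)
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# The restricted group gets Read + Apply, so only its members receive the USB block.
Set-GPPermission -Name $GpoName -TargetName $DenyGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Review the resulting delegation: every trustee shown with GpoApply will get the policy.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission |
    Sort-Object Trustee
```

Because the change is made in the GPO's ACL, it takes effect at the next policy refresh; running gpresult /r on a test computer logged on as a member of "Deny USB" (and as a non-member) is the quickest way to confirm which users actually receive the GPO.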

Blocking USB and Removable Devices via the Registry and Group Policy Preferences

You can control access to external devices more flexibly by configuring, via Group Policy Preferences (GPP), the registry settings that the policies discussed above set. All of the above policies correspond to certain registry keys under HKLM (or HKCU)\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices (by default, this registry key is missing).

To enable one of these policies, you must create a new subkey under the specified key with the name of the device class you want to block access to (column 2), and a REG_DWORD parameter with the restriction type (Deny_Read, Deny_Write or Deny_Execute). If the value of this parameter is 1, the USB restriction is active; if 0, there are no restrictions on this device class.

Policy name | Device Class GUID | Registry parameter name
Floppy Drives: Deny read access | | Deny_Read
Floppy Drives: Deny write access | | Deny_Write
CD and DVD: Deny read access | | Deny_Read
CD and DVD: Deny write access | | Deny_Write
Removable Disks: Deny read access | | Deny_Read
Removable Disks: Deny write access | | Deny_Write
Tape Drives: Deny read access | | Deny_Read
Tape Drives: Deny write access | | Deny_Write
WPD Devices: Deny read access | | Deny_Read
WPD Devices: Deny write access | | Deny_Write

You can create the required registry keys and parameters manually. In the screenshot below, I have created a RemovableStorageDevices key and a subkey named . Using REG_DWORD parameters, I prohibited writing to, and running executables from, USB drives.

Disabling USB storage takes effect immediately after the policy is applied (no need to restart the computer). If a USB flash drive is already connected to the computer, it remains available until it is reconnected.

You can use these registry keys together with GPP Item-level targeting to flexibly apply policies that restrict the use of external USB storage devices. You can apply policies to specific AD security groups, sites, OS versions, OUs (you can even use ). For example, you can create the Storage-Devices-Restrict domain group and add the computer accounts for which you want to restrict the use of USB drives. Specify this group in your GPP policy in the Item Level Targeting -> Security Group section with the Computer in Group option. The USB blocking policy is then applied to the computers that are added to this AD group.

Note. Similarly, you can create your own policies for device classes that are not listed here. You can find the device class ID in the driver properties, in the value of the Device Class GUID attribute.
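The registry layout described in this section (a subkey per device class GUID under RemovableStorageDevices, holding Deny_Read, Deny_Write and Deny_Execute DWORDs) is easy to script and to audit. The code below is an added example, not from the article or the screenshot; it assumes an elevated PowerShell session on the local machine, and it uses the Removable Disks device class GUID {53f5630d-b6bf-11d0-94f2-00a0c91efb8b}, which you should verify against the Device Class GUID attribute in the driver properties on your own system as the note above describes. The functions work for any class GUID, so the same code covers the other rows of the table.

```powershell
# Added example (not from the original article): write and read back the per-class
# restriction values under the RemovableStorageDevices policy key on the local machine.
# Assumptions: elevated session; $RemovableDisksGuid is the Removable Disks class GUID,
# to be verified in the driver's Device Class GUID attribute on your system.
$PolicyRoot         = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$RemovableDisksGuid = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

function Set-RemovableStorageRestriction {
    param(
        [Parameter(Mandatory)][string]$ClassGuid,
        [ValidateSet('Deny_Read', 'Deny_Write', 'Deny_Execute')][string[]]$Deny,
        [switch]$Clear   # write 0 (no restriction) instead of 1 (restriction active)
    )
    $key = Join-Path $PolicyRoot $ClassGuid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($name in $Deny) {
        $value = if ($Clear) { 0 } else { 1 }
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $value -Force | Out-Null
    }
}

function Get-RemovableStorageRestriction {
    # Reports each class subkey and which Deny_* values are currently set to 1.
    # A missing value and a value of 0 both mean "no restriction".
    if (-not (Test-Path $PolicyRoot)) { return @() }
    Get-ChildItem $PolicyRoot | ForEach-Object {
        $props = Get-ItemProperty $_.PSPath
        [pscustomobject]@{
            ClassGuid    = $_.PSChildName
            Deny_Read    = [int]($props.Deny_Read    -eq 1)
            Deny_Write   = [int]($props.Deny_Write   -eq 1)
            Deny_Execute = [int]($props.Deny_Execute -eq 1)
        }
    }
}

# Block writing to, and running executables from, removable disks; reading stays allowed.
Set-RemovableStorageRestriction -ClassGuid $RemovableDisksGuid -Deny Deny_Write, Deny_Execute
Get-RemovableStorageRestriction | Format-Table -AutoSize
```

Get-RemovableStorageRestriction is also a handy compliance check on a domain computer: if a GPP item with Item-level targeting is supposed to reach a machine, the expected class subkey and values should show up here after gpupdate; if they do not, the targeting (for example group membership of the computer account) is the first thing to inspect.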

Disable the USB Storage Driver via the Registry

You can completely disable the USBSTOR (USB Mass Storage) driver, which is required to correctly detect and mount USB storage devices.

On a stand-alone computer, you can disable this driver by changing the value of the Start registry parameter from 3 to 4. You can do this with PowerShell:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR" -Name Start -Value 4

Restart the computer and try to connect your USB storage device. Now it should not appear in File Explorer or the Disk Management console, and in Device Manager you will see a device driver installation error.

Note. This is the only way to disable USB drives in Windows XP/Windows Server 2003, since these versions have no separate Group Policy settings to restrict access to external USB devices.

You can prevent the USBSTOR driver from running on domain computers using Group Policy Preferences. To do this, you need to make .

These settings can be deployed to all domain computers. Create a new Group Policy, link it to the OU with the computers and, in the Computer Configuration -> Preferences -> Windows Settings -> Registry section, create a new parameter with the values:

  • Action: Update
  • Hive: HKEY_LOCAL_MACHINE
  • Key path: SYSTEM\CurrentControlSet\Services\USBSTOR
  • Value name: Start
  • Value type: REG_DWORD
  • Value data: 00000004
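Whether the Start value was set by hand or delivered by the GPP registry item above, the resulting state is the same and can be checked the same way. The script below is an added example, not code from the article; it assumes an elevated session on the computer being checked and that Start = 3 is the driver's default (start on demand) and Start = 4 means disabled, which is what the procedure above relies on.

```powershell
# Added example (not from the original article): report whether the USBSTOR driver is
# disabled on this computer, and switch it the same way the GPP Registry item does.
# Assumptions: elevated session; Start 3 = on demand (default), Start 4 = disabled.
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-UsbStorState {
    $start = (Get-ItemProperty -Path $UsbStorKey -Name Start).Start
    $meaning = switch ($start) {
        3       { 'On demand (default): USB storage devices are installed' }
        4       { 'Disabled: USB storage devices fail driver installation' }
        default { "Unexpected Start value $start" }
    }
    [pscustomobject]@{
        Start    = $start
        Meaning  = $meaning
        Disabled = ($start -eq 4)
    }
}

function Set-UsbStorDisabled {
    param([bool]$Disabled = $true)
    # Same change the GPP item makes: Start = 4 blocks the driver, Start = 3 restores it.
    # As described above, the change is honoured for newly arriving devices after a reboot.
    $value = if ($Disabled) { 4 } else { 3 }
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value $value -Type DWord
    Get-UsbStorState
}

# Audit only; uncomment the second line to apply the restriction, then reboot.
Get-UsbStorState
# Set-UsbStorDisabled -Disabled $true
```

Get-UsbStorState is the part worth running at scale (for example through Invoke-Command against the OU's computers): a machine that still reports Start = 3 after the GPP policy should have applied is either not linked to the policy or has not refreshed it yet.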

Allow Only a Specific USB Storage Device to Be Connected

You can use a certain registry setting to allow only a specific (approved) USB storage drive to connect to your computer. Let's take a quick look at how this can be configured.

When you connect any USB storage device to the computer, the USBSTOR driver installs the device and creates a separate registry key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR. This registry key contains information about the USB drive (for example, Disk&Ven_Kingstom&Prod_DT_1010_G2&Rev_12.00).

You can list the USB drives that have ever been connected to your computer with the following PowerShell command:

Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR\*\* | select FriendlyName

You can delete all registry keys for previously connected USB flash drives, except for those you need.

Then you need to change the permissions on the USBSTOR registry key so that everyone (including SYSTEM and administrators) has only read permissions. As a result, when you connect any USB drive other than the allowed one, Windows will not be able to install the device.
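Before deleting anything under Enum\USBSTOR it helps to see the full history (model key and instance subkey, not just the FriendlyName) and to compare it with an explicit allow list. The script below is an added example, not code from the article; it assumes an elevated session, uses a placeholder allow-list entry that you replace with the exact key names of your approved drive(s), and runs Remove-Item with -WhatIf so it only reports what would be deleted until you drop that switch. Enum keys are protected by the system's ACLs, so deleting them may additionally require taking ownership of the keys.

```powershell
# Added example (not from the original article): enumerate every USB storage device the
# USBSTOR driver has ever installed here and show which keys are not on the allow list.
# Assumptions: elevated session; $Approved holds placeholder names to be replaced with
# the model key names of your approved drives; deletion is simulated with -WhatIf.
$UsbStorEnum = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'

function Get-UsbStorHistory {
    # Each device model is a key such as Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>,
    # with one subkey per device instance (serial number) beneath it.
    Get-ChildItem $UsbStorEnum -ErrorAction SilentlyContinue | ForEach-Object {
        $model = $_
        Get-ChildItem $model.PSPath | ForEach-Object {
            $inst = Get-ItemProperty $_.PSPath
            [pscustomobject]@{
                Model        = $model.PSChildName
                InstanceId   = $_.PSChildName
                FriendlyName = $inst.FriendlyName
                KeyPath      = $_.PSPath
            }
        }
    }
}

function Get-UnapprovedUsbStorKeys {
    param([string[]]$ApprovedModels)
    # Devices whose model key is not on the allow list. Removing these keys and then
    # making the USBSTOR key read-only (as described above) leaves only approved drives.
    Get-UsbStorHistory | Where-Object { $ApprovedModels -notcontains $_.Model }
}

# Placeholder allow list: copy the exact Model values from Get-UsbStorHistory output.
$Approved = @('Disk&Ven_EXAMPLE&Prod_APPROVED_DRIVE&Rev_1.00')

Get-UsbStorHistory | Format-Table Model, InstanceId, FriendlyName -AutoSize

# Dry run: shows each unapproved model key that would be removed. Remove -WhatIf to apply.
Get-UnapprovedUsbStorKeys -ApprovedModels $Approved |
    Select-Object -ExpandProperty Model -Unique |
    ForEach-Object { Remove-Item -Path (Join-Path $UsbStorEnum $_) -Recurse -WhatIf }
```

Keep the Get-UsbStorHistory output from before the cleanup: it is the same device history that an investigator reads from Enum\USBSTOR, so exporting it once before you delete keys preserves that record for later review.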

 
