How to Disable or Enable USB Drives in Windows using Group Policy

When you connect a new USB device to your computer, Windows automatically detects the device and installs the appropriate driver. As a result, the user can use the connected USB drive or device almost immediately. If your organization’s security policy prohibits the use of portable USB storage devices (flash drives, USB hard drives, SD cards, etc.), you can block this behavior. In this article, we will show you how to block the use of external USB drives in Windows, prevent writing data to removable flash drives, or prevent executable files from running using Group Policy (GPO).

Disabling USB Removable Drives in Windows with Group Policy

In Windows, you can flexibly manage access to external drives (USB, CD / DVD, etc.) using Active Directory Group Policies (we do not consider a radical way to disable USB ports through BIOS settings). You can block only USB drives, while other types of USB devices (mouse, keyboard, printer, USB to COM port adapters) that are not recognized as a removable disk will be available to the user.

We are going to block USB drives on all computers in a domain OU named Workstations. You can apply the USB restriction policy to the entire domain, but this will affect the servers and other technological devices.

1. Open the GPO management console (gpmc.msc), find the Workstations container in the Organizational Unit structure, right-click on it, and create a new policy (Create a GPO in this domain and Link it here);
   Tip. You can configure a policy to restrict the use of USB ports on a standalone computer (home computer or workgroup computer) using the Local Group Policy Editor (gpedit.msc).
2. Set the GPO name “Disable USB Access”;
3. Switch to GPO edit mode (Edit).

There are settings for blocking external storage devices in both the User and Computer Configuration sections of the GPO editor:

• User Configuration -> Policies -> Administrative Templates -> System -> Removable Storage Access.
• Computer Configuration -> Policies -> Administrative Templates -> System -> Removable Storage Access.

In the Removable Storage Access section, there are several policies allowing you to disable the use of different types of storage classes: CD/DVDs, FDD, USB devices, tapes, etc.

• CD and DVD: Deny execute access.
• CD and DVD: Deny read access.
• CD and DVD: Deny write access.
• Custom Classes: Deny read access.
• Custom Classes: Deny write access.
• Floppy Drives: Deny execute access.
• Floppy Drives: Deny read access.
• Floppy Drives: Deny write access.
• Removable Disks: Deny execute access.
• Removable Disks: Deny read access.
• Removable Disks: Deny write access.
• All Removable Storage classes: Deny all access.
• All Removable Storage: Allow direct access in remote sessions.
• Tape Drives: Deny execute access.
• Tape Drives: Deny read access.
• Tape Drives: Deny write access.
• Windows Portable Device – this class includes smartphones, tablets, players, etc.
• WPD Devices: Deny write access.

As you can see, for each device class you can deny the launch of executable files (protect computers against viruses), prohibit reading data, and writing/editing files on external storage.

You can implement the “strongest” restrict policy All Removable Storage Classes: Deny All Access to completely disable the access to all types of external storage devices. To enable this policy, open its properties and change from Not Configured to Enabled.

After enabling and updating the GPO settings on client computers (gpupdate /force), the Windows will detect the connected external devices (not only USB devices, but also any external drives), but when trying to open them, an error will appear:

Location is not available
Drive is not accessible. Access is denied.

In the same policy section, you can configure more flexible restrictions on the use of external USB drives.

For example, to prevent writing data to USB flash drives and other types of USB removable storage, you should enable the policy Removable Disk: Deny write access.

In this case, users will be able to read the data from the USB flash drive, but when they attempt to write information to it, they will receive an access denied error:

Destination Folder Access Denied
You need permission to perform this action

You can prevent executable and script files from running from USB drives using the Removable Disks: Deny execute access policy.

Block USB Drives for Certain Users via GPO

Quite often it is necessary to block USB drives for all users in the domain except for administrators.

You can use the GPO Security Filtering to make an exception in a policy. For example, you want to prevent the USB blocking policy from being applied to the Domain Admins group

1. Select your Disable USB Access policy in the Group Policy Management console;
2. Add the Domain Admins group in the Security Filtering section;
3. Go to the Delegation tab and click the Advanced. In the security settings editor, specify that the Domain Admins group is not allowed to apply this GPO (Apply group policy – Deny).

There may be another task – you need to allow the use of external USB drives to everyone, except for a certain group of users. Create a security group “Deny USB” and add this group to the security settings of the GPO. For this group, set permissions to read and apply the GPO, and leave only read permission for the Authenticated Users or Domain Computers group (by unchecking the Apply group policy checkbox).

Add users to this AD group who need to block access to flash drives and removable USB disks.

Disable Access to USB Drives via Registry and Group Policy Preferences

You can more flexibly control access to external devices by configuring the registry settings that are set by the policies discussed above via the Group Policy Preferences (GPP). All the above policies correspond to certain registry keys in the HKLM (or HKCU) \SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices key (by default this registry key is missing).

1. To enable one of these policies, you must create a new subkey in the specified key with the GUID of the device class you want to block access to (column 2);
2. In the new registry key, you need to create a REG_DWORD parameter with the name of the restriction that you want to implement:
   Deny_Read — disable reading data from the media class;
   Deny_Write – disable data writing;
   Deny_Execute — denies running executable files from an external media class.
3. Set the parameter value:
   1 — block the specified type of access to devices of this class;
   0 – allow to use this class of devices.

You can create the specified registry keys and parameters manually. In the screenshot below, I’ve created a RemovableStorageDevices key, and a subkey named {53f5630d-b6bf-11d0-94f2-00a0c91efb8b}. Using the REG_DWORD parameters, I prevented writing and running executable files from USB drives.

To quickly block reading and writing data to USB drives in Windows, you can run the following PowerShell script:

$regkey='HKLM:\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
$exists = Test-Path $regkey
if (!$exists) {
New-Item -Path 'HKLM:\Software\Policies\Microsoft\Windows\RemovableStorageDevices' -Name '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}' -Force | Out-Null
}
New-ItemProperty -Path $regkey -Name 'Deny_Read -Value 1 -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path $regkey -Name 'Deny_Write' -Value 1 -PropertyType 'DWord' -Force | Out-Null

In a domain environment, you can deploy these registry parameters to user computers using Group Policy Preferences.

You can use these registry keys and GPP’s Item-level targeting to flexibly apply settings that restrict the use of external USB storage devices. You can apply policies to specific AD security groups, sites, OS versions, OUs (you can use even WMI filters).

For example, you can create the Storage-Devices-Restrict domain group and add the computer accounts for which you want to restrict the use of USB drives. This group must be specified in your GPP policy in the Item Level Targeting -> Security Group section with the Computer in Group option. This will apply the USB blocking policy to computers that are added to this AD group.

How to Completely Disable USB Storage Devices in Windows?

You can completely disable the USBSTOR (USB Mass Storage) driver, which is required to properly detect and mount USB storage devices.

On a standalone computer, you can disable this driver by changing the value of the Start registry parameter from 3 to 4. You can do this through PowerShell:

Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\services\USBSTOR" -name Start -Value 4

Restart your computer and try to connect your USB storage device. Now it shouldn’t appear in File Explorer or Disk Management console, and you will see a device driver installation error in Device Manager.

You can disable the USBSTOR driver from running on domain computers using Group Policy Preferences. To do this, you need to make changes to the registry through the GPO.

These settings can be deployed to all domain computers. Create a new Group Policy, link it to the OU with computers and in the Computer Configuration -> Preferences -> Windows Settings -> Registry section, create a new parameter with the values:

• Action: Update
• Hive: HKEY_LOCAK_MACHINE
• Key path: SYSTEM\CurrentControlSet\Services\USBSTOR
• Value name: Start
• Value type: REG_DWORD
• Value data: 00000004

History of Connected USB Drives in Windows

When troubleshooting USB media blocking policies, you need to get the information about the history of connecting USB drives to a computer.

To list the USB drives currently connected to the computer, use the following PowerShell command:

Get-PnpDevice -PresentOnly | Where-Object { $_.deviceId -match '^USBSTOR' }

Status OK indicates that this USB drive is connected and working properly.

The Windows event log allows you to track events of connecting/ejecting USB drives.

1. You can find these events in Event Viewer -> Application and Services Logs -> Windows -> Microsoft-Windows-DriverFrameworks-UserMode -> Operational;
2. By default, Windows doesn’t save a history of USB storage connections. So you will have to enable it manually (Enable Log) or via GPO;
3. Now you can use the EventID 2003 (Pnp or Power Management operation to a particular device) to get information about when the USB drive was connected and Event ID 2102 (Pnp or Power Management operation to a particular device) about the ejection of the flash drive:

   Forwarded a finished Pnp or Power operation (27, 2) to the lower driver for device SWD\WPDBUSENUM\_??_USBSTOR#DISK&VEN_UFD_2.0&PROD_SILICON-POWER16G&REV_PMAP#89283229E6C10D23CE7200A2&2#{12234567-B6BF-11D0-2233-00A0AFBB3321F} with status 0x0.

You can also use the free USBDriveLog tool from Nirsoft, which allows you to display the entire history of connecting USB drives to the user’s computer (displays information about the device, serial number, manufacturer, connection/disconnection time, and device id).

Allow Only Specific USB Storage Devices in Windows

On Windows, you can only allow certain (approved) USB drives to connect to your computer.

When you connect any USB storage device to the computer, the USBSTOR driver installs the device and creates a separate registry key under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR. This registry key contains information about the USB drive (for example, Disk & Ven_Kingstom & Prod_DT_1010_G2 & Rev_12.00).

Delete all entries for previously connected USB flash drives, except for the ones you need. Then you need to change the permissions on the USBSTOR registry key so that all users, including SYSTEM and administrators, have only read permissions. As a result, if you connect any USB drive other than the allowed one, Windows won’t be able to install the device.

You can also run a specific command/script when a USB connecting EventID appears in the Event Viewer (here is a detailed example of how to run a process when a specific event occurs). For example, you can make a simple PowerShell script that automatically ejects any USB drives if the serial number doesn’t match the one given in the script:

$usbdev = get-wmiobject win32_volume | where{$_.DriveType -eq '2'}
If ($usbdev.SerialNumber –notlike “31DF1233BKAD”)
{
$usbdev.DriveLetter = $null
$usbdev.Put()
$usbdev.Dismount($false,$false) | Out-Null

Thus, you can perform the simplest check of USB flash drives connected to the computer.