In this post, you’ll learn how to disable USB devices using group policy. You can block USB devices on Windows computers using Group Policy.
In today’s modern workplace, every member of staff owns and uses at least one USB storage device. The USB stands for universal serial bus. USB’s are typically used to plug devices such as mice, keyboards, printers, and external hard disks into your computer.
One of the reason for popularity of the USB devices is they are the easy to connect to your computer. You can plug in any USB storage device and Windows has the capability to detect this device and make if functional for usage.
Risks Associated with Allowing USB Drives
One of the most common ways to prevent data theft is to disable USB storage devices. Since USB devices are portable and can be connected easily to the computers these devices pose very real security threats. Wrong usage of USB storage devices pose a significant security threat to an Organization.
USB devices are often used to transfer data from one device to another. However, this may lead to security risks. One way of preventing the risk is by blocking USB devices through Group Policy Objects.
An employee could plug in a USB drive to his laptop and may exfiltrate sensitive information or install unauthorized applications, which could lead to further security concerns.
Furthermore, the employee’s USB device could contain a malware or malicious code which may result in malware spreading to the company’s network.
Hence, many organizations do not allow USB devices to be connected to the computers, they disable the USB devices using group policy or block it using group policy.
Thankfully, Microsoft has made it relatively simple to block USB and the use of unauthorized USB storage devices. In this article, we’ll show how to use a Group Policy Object to block access to USB storage devices.
How to Disable USB devices using Group Policy
Group Policy Objects (GPOs) are a way to centrally manage settings across a Windows domain. GPO’s can be used to disable USB devices on the computer.
To block USB devices, you need to create a Group Policy Object and configure it with the desired settings. You can then link the Group Policy Object to an Active Directory container or site, or apply it to individual systems.
For example, you can create an OU in Active Directory and add few test computers in that OU. The Group Policy that we create to block USB devices will be linked to this OU.
Let’s see how to disable USB device using Group Policy. To create a group policy object, you can either log in to a domain controller or a Windows Server installed with Group Policy Management tools.
Launch the Group Policy Management tool on the domain controller, right click Group Policy Objects, click New. Provide a name to the GPO such as Block USB Devices and click OK.
Right-click the GPO and click Edit. This will launch Group Policy Management Editor where you can define the settings to block USB devices for Windows computers.
In the Group Policy Management Editor, navigate to Computer Configuration\Policies\Administrative Templates\System\Removable Storage Access.
Removable Storage Access GPO Options
The Removable Storage Access contains the policies for a variety of storage devices and the policies include:
- Set time (in seconds) to force reboot
- CD and DVD: Deny execute access
- CD and DVD: Deny read access
- CD and DVD: Deny write access
- Custom Classes: Deny read access
- Custom Classes: Deny write access
- Floppy Drives: Deny execute access
- Floppy Drives: Deny read access
- Floppy Drives: Deny write access
- Removable Disks: Deny execute access
- Removable Disks: Deny read access
- Removable Disks: Deny write access
- All Removable Storage classes: Deny all access
- All Removable Storage: Allow direct access in remote sessions
- Tape Drives: Deny execute access
- Tape Drives: Deny read access
- Tape Drives: Deny write access
- WPD Devices: Deny read access
- WPD Devices: Deny write access
Out of all the Removable Storage Access policies, we will configure a setting “All Removable Storage classes: Deny all access“.
All Removable Storage classes: Deny all access: This policy setting allows you to configure access to all removable storage classes. This policy setting takes precedence over any individual removable storage policy settings. If you enable this policy setting, no access is allowed to any removable storage class. If you disable or do not configure this policy setting, write and read accesses are allowed to all removable storage classes.
Right-click on the policy setting All Removable Storage classes: Deny all access and click Edit. If you enable this policy, then it will block access to any removable storage class that you connect to the computer. Click Enabled and click Apply and then OK.
The GPO to block USB devices is ready. We will apply this GPO to an OU that we created in the initial step. Right-click on the OU and click Link an Existing GPO.
From the list of GPO’s select the policy Block USB Devices and click OK.
Block USB Devices using Group Policy
In this section, we will test the GPO that blocks the USB drives on Windows devices. On the client computer, perform a group policy update using the command gpupdate /force.
Connect any USB device to the computer, and you should see the message as “Access is denied“. The error Drive not accessible, Access is denied indicates that a group policy has blocked the USB device successfully. The policy that we applied will prevent users from mounting any class of removable media.
For Windows based PCs connected with Windows AD with Group policy, we want to block USB phone tethering options. And we have tried following things which seems to be working for some people but not us.
We have applied computer policy to block device installation
System/Device Installation/Device Installation Restrictions > Prevent installation of devices that match any of these device IDs
Device ID “USB\class_e0”
I am just not sure whether device ID “USB\class_e0” is the correct one or not?
Also, I check hardware IDs of few phones and all of them have distinct IDs like
device 1 USB\VID_22D9&PID_276A&REV_0404&MI_00 USB\VID_22D9&PID_276A&MI_00
device 2 USB\VID_2717&PID_FF80&REV_0404&MI_00 USB\VID_2717&PID_FF80&MI_00
device 3 USB\VID_04E8&PID_6863&REV_0400&MI_00 USB\VID_04E8&PID_6863&MI_00
Can I do block all devices together using something like “USB\VID”?
Can we block selective USB devices and allow specific one?
in client side usb drive working
I do all step but client also use pen drive
Can u help
gpupdate /force
use that command
how to enable removable storages acess to particular user who are in domain???
if i want to enable it for a user or 2 what should i do
hi every body. i have 175 client but they arent in a domain . how disable all client usb exept mouse and keyboard by policy from active directory dhcp?
After applying this method, will power charging devices over USB still be permitted?
Thanks
Yes
I would like to disable all removable media access, but this is not practical for business. Is there a way to disable all access, but allow the administrators to override so that someone can use a USB stick and had the admin allow it with their credentials?
Hi PRAJWAL, I cannot find such template in the standard administrative templates how to get it
quick question bro if we do gpupdate on each and every client machine it will take time. how can we perform gpupdate without client
Great Sharing Prajwal.. Is there any way to allow the USB Storage access only for Administrators in Windows 10 Work Group devices!
does his only apply to storage devices? are keyboards disabled?
only removable storage devices
Well but how can block Apple iphone which used iTunes to get access , this policy doesn’t work for iPhone;)
any way to do it per user
Though disabling USB devices by using group policies if effective, it is not the most user-friendly or easy way to go about it. Nor is it the most secure and effective method. CurrentWare AccessPatrol is an endpoint security software that allows administrators to set endpoint device policies on their network. This software applies to more than just USB devices, as it can be used to block or allow smart phones, sound cards, adapters, bluetooth devices and much more. From one central console, administrators can apply endpoint security policies and they can even run reports to see endpoint activity in their network. One of the most popular endpoint reports is the File Operations History report that shows all of the endpoint devices that were connected on the network and the files/programs that were copied, deleted, or moved from each specific device.
I’ve been using AccessPatrol to protect the network in my medical clinic to prevent data breaches since the medical data of my patients is critical to my business and it can not be exploited.
is there a way for the admin to use the usb port without disabling the policies
We’re using ThreatLocker in our company. It’s easy to manage and allows blocking USB devices, DVD/BD, etc. It also helps with permitting or denying path access to our fileservers and application whitelisting.
right clicking on the group policy objects and clicking new will not create the thing you’ve made a screenshot of … next time before you jump over a few steps, please decide if you make a step by step tutorial for the average user or for yourself. (the latter doesn’t need a tutorial)
Thanks for the article. Do you know if there is a way to allow only a group of USB sticks (based maybe on hardware ID) on user’s computers and block all other USB drives? Maybe a company can buy a number of USB corporate sticks which can be allowed to work on user’s computers but all other USB sticks should be denied.
Thanks
i done try this, but still enable usb access, you know why?
hi I applied the policy and it was applied I could see that using gpresult /r but when I insert usb I am able to copy to and from usb. in this case I was loged on server 2012r2 as regular user I see all other policy are applied and working but usb deny is not working eventhough it is applied
Thank you Sir. I am very new to Server environment. I am thankful to you for valuable posts.
any one explain me how to re enable of USB storage foe specific users.
dear sir,
We having win2008r2 server now we are planning to implement sccm . how we can configure sccm suggest the license details also
thankyou
To know more about SCCM licensing go through this link – https://www.microsoft.com/en-in/cloud-platform/system-center-configuration-manager-licensing
I need help for disable Bluetooth via GPO
Please suggest
How to disable Bluetooth via gpo
Hi Prajwal, I am a junior network administrator, my boss wants keyboard port delete in disabled, can mr help me?
It was blocking remaining drives too (D: ,E:) when apply the above policy. HELP me pls
It was blocking remaining drives too (D: ,E:) when apply the above policy. HELP me pls
So far we have created a group policy object, the next step is to link the GPO to the OU containing the computer accounts for which the USB devices are to be blocked. Right click on the OU and click Link an Existing GPO.
I am at this stage but all i see is my “Block USB” object is in “Group Policy Object” Thus, i cant right click and Link an Existing GPO.
Did this and it blocked access to the CD and DVD drive too.
Good instructions thanks Prajwal. I have implemented this successfully but was wondering how to enable USB storage for a group of users on the USB disabled PCs. I thought I could simply copy this GPO but select disabled instead of enabled and then move it up the list when linking the GPO so it takes precedence. So far not working. Any ideas? Thanks, Lon
Hi Prajwal, excellent article. Well I am new to Group Policies. My question is that configuring this policy will also disable the usb mouse and keyboard ?
It won’t because the GPO only affects removable storage, not the USB ports themselves.
Sorry disable administrator or disable all users, because when i do this it disable only admin not user
Hi Rath, could you post the question here – https://www.prajwaldesai.com/community/
apply this policy to the selective users group and not link to the existing groups… Apply individually to all groups
Hi thanx for the wonderful information , i am new to system admin so i am working for a organisation where we have 100 computers connected to a network with windows server 2012 i don’t have any security for network so want to know for antivirus which is best for a network i heard we get antivirus server what is that and how do i access users remotely which software usually companies uses to access systems remotely for issues.
Hi Zaid, could you be a part of the forums – https://www.prajwaldesai.com/community/
you can use it VNC
From the link for how to block USB access using GPO. If in an organization we are applying this policy to all the users(including BYOD users) and If the BYOD users use their systems outside the network, will it be possible to use USB even logging with domain account.
Please confirm if any alternate way is available.
Hi Kichu, could you be a part of the forums – https://www.prajwaldesai.com/community/
@Kurt – You mean you want to create a policy where users are allowed to set simple passwords for their accounts ?
yes ..
How to create simple passwords for users using group policy