How to disable USB devices using Group Policy In this post we will see the steps on how to disable USB devices using group policy. In today’s world almost everyone owns one or more USB devices, USB (universal serial bus) connections are typically used to plug devices such as mice, keyboards, scanners, printers, webcams, digital cameras, mobile phones, and external hard disks into your computer. One of the reason for popularity of the USB devices is they are easiest devices that can be connected to your computer. The first time you connect a device that plugs into a USB port, Windows automatically identifies the device and installs a driver for that device. Since USB devices are portable and can be connected easily to the computers these devices pose very real security threats. Some organizations do not allow USB devices to be connected to the computers, they disable the USB devices using group policy or block it using group policy. We will now look at the steps on how to disable USB devices using group policy.
How to disable USB devices using Group Policy
In this post we have a domain controller running on Windows Server 2012 R2 Datacenter edition and a client that is a part of domain running Windows 7 Professional SP1 edition. The group policy to disable USB devices will be created on domain controller and we will be applying it on a OU containing the computer account WIN7.
Launch the Group Policy Management tool on the domain controller, right click Group Policy Objects, click New. Provide a name to the GPO and click OK. In this example I have named the group policy as Block USB Devices.
Right click the policy and click Edit. This will open Group Policy Management Editor. Navigate to Computer ConfigurationPoliciesAdministrative TemplatesSystemRemovable Storage Access. This is the place where you find settings for Removable Storage Access devices. There are lot of USB settings for multiple devices, however we will configure a setting All Removable Storage classes: Deny all access.
Right click on the setting All Removable Storage classes: Deny all access and click Edit. If you enable this policy then it will block access to any removable storage class that you connect to the computer. Click Enabled and click Apply and then OK.
So far we have created a group policy object, the next step is to link the GPO to the OU containing the computer accounts for which the USB devices are to be blocked. Right click on the OU and click Link an Existing GPO.
From the list of GPO’s select the policy Block USB Devices and click OK.
Perform a group policy update on the client using the command gpupdate /force. Connect any USB device to the computer and you should see the message as Access is denied. The policy that we applied will prevent users from mounting any class of removable media.
