How to disable USB devices using Group Policy

How to disable USB devices using Group Policy In this post we will see the steps on how to disable USB devices using group policy. In today’s world almost everyone owns one or more USB devices, USB (universal serial bus) connections are typically used to plug devices such as mice, keyboards, scanners, printers, webcams, digital cameras, mobile phones, and external hard disks into your computer. One of the reason for popularity of the USB devices is they are easiest devices that can be connected to your computer. The first time you connect a device that plugs into a USB port, Windows automatically identifies the device and installs a driver for that device. Since USB devices are portable and can be connected easily to the computers these devices pose very real security threats. Some organizations do not allow USB devices to be connected to the computers, they disable the USB devices using group policy or block it using group policy. We will now look at the steps on how to disable USB devices using group policy.

How to disable USB devices using Group Policy

In this post we have a domain controller running on Windows Server 2012 R2 Datacenter edition and a client that is a part of domain running Windows 7 Professional SP1 edition. The group policy to disable USB devices will be created on domain controller and we will be applying it on a OU containing the computer account WIN7.

How to disable USB devices using Group Policy

Launch the Group Policy Management tool on the domain controller, right click Group Policy Objects, click New. Provide a name to the GPO and click OK. In this example I have named the group policy as Block USB Devices.

How to disable USB devices using Group Policy

Right click the policy and click Edit.  This will open Group Policy Management Editor. Navigate to Computer ConfigurationPoliciesAdministrative TemplatesSystemRemovable Storage Access. This is the place where you find settings for Removable Storage Access devices. There are lot of USB settings for multiple devices, however we will configure a setting All Removable Storage classes: Deny all access.

How to disable USB drives using Group Policy

Right click on the setting All Removable Storage classes: Deny all access and click Edit. If you enable this policy then it will block access to any removable storage class that you connect to the computer. Click Enabled and click Apply and then OK.

How to disable USB drives using Group Policy

So far we have created a group policy object, the next step is to link the GPO to the OU containing the computer accounts for which the USB devices are to be blocked. Right click on the OU and click Link an Existing GPO.

How to disable USB drives using Group Policy

From the list of GPO’s select the policy Block USB Devices and click OK.

How to disable USB drives using Group Policy

Perform a group policy update on the client using the command gpupdate /force. Connect any USB device to the computer and you should see the message as Access is denied. The policy that we applied will prevent users from mounting any class of removable media.

How to disable USB drives using Group Policy

You might also like

32
Leave a Reply

avatar
25 Comment threads
7 Thread replies
0 Followers
 
Most reacted comment
Hottest comment thread
newest oldest most voted
Ayman Nady
Guest
Ayman Nady

any way to do it per user

Greg M
Guest
Greg M

Though disabling USB devices by using group policies if effective, it is not the most user-friendly or easy way to go about it. Nor is it the most secure and effective method. CurrentWare AccessPatrol is an endpoint security software that allows administrators to set endpoint device policies on their network. This software applies to more than just USB devices, as it can be used to block or allow smart phones, sound cards, adapters, bluetooth devices and much more. From one central console, administrators can apply endpoint security policies and they can even run reports to see endpoint activity in their… Read more »

Jason Martis
Guest
Jason Martis

is there a way for the admin to use the usb port without disabling the policies

Catalin
Guest
Catalin

We’re using ThreatLocker in our company. It’s easy to manage and allows blocking USB devices, DVD/BD, etc. It also helps with permitting or denying path access to our fileservers and application whitelisting.

bro
Guest
bro

right clicking on the group policy objects and clicking new will not create the thing you’ve made a screenshot of … next time before you jump over a few steps, please decide if you make a step by step tutorial for the average user or for yourself. (the latter doesn’t need a tutorial)

Nick
Guest
Nick

Thanks for the article. Do you know if there is a way to allow only a group of USB sticks (based maybe on hardware ID) on user’s computers and block all other USB drives? Maybe a company can buy a number of USB corporate sticks which can be allowed to work on user’s computers but all other USB sticks should be denied.

Thanks

Tiara
Guest
Tiara

i done try this, but still enable usb access, you know why?

Imran
Guest
Imran

hi I applied the policy and it was applied I could see that using gpresult /r but when I insert usb I am able to copy to and from usb. in this case I was loged on server 2012r2 as regular user I see all other policy are applied and working but usb deny is not working eventhough it is applied

Bibek Goswami
Guest
Bibek Goswami

Thank you Sir. I am very new to Server environment. I am thankful to you for valuable posts.

Mohamed
Guest
Mohamed

any one explain me how to re enable of USB storage foe specific users.

Imran
Guest
sivasubramaniyan k
Guest
sivasubramaniyan k

dear sir,
We having win2008r2 server now we are planning to implement sccm . how we can configure sccm suggest the license details also
thankyou

Umesh
Guest
Umesh

I need help for disable Bluetooth via GPO
Please suggest

Umesh
Guest
Umesh

How to disable Bluetooth via gpo

Iqbal Nuralih
Guest
Iqbal Nuralih

Hi Prajwal, I am a junior network administrator, my boss wants keyboard port delete in disabled, can mr help me?

pru
Guest
pru

It was blocking remaining drives too (D: ,E:) when apply the above policy. HELP me pls

pru
Guest
pru

It was blocking remaining drives too (D: ,E:) when apply the above policy. HELP me pls

Gary Tan
Guest
Gary Tan

So far we have created a group policy object, the next step is to link the GPO to the OU containing the computer accounts for which the USB devices are to be blocked. Right click on the OU and click Link an Existing GPO.

I am at this stage but all i see is my “Block USB” object is in “Group Policy Object” Thus, i cant right click and Link an Existing GPO.

Bob
Guest
Bob

Did this and it blocked access to the CD and DVD drive too.

Lon
Guest
Lon

Good instructions thanks Prajwal. I have implemented this successfully but was wondering how to enable USB storage for a group of users on the USB disabled PCs. I thought I could simply copy this GPO but select disabled instead of enabled and then move it up the list when linking the GPO so it takes precedence. So far not working. Any ideas? Thanks, Lon

Abhijeet Dalal
Guest
Abhijeet Dalal

Hi Prajwal, excellent article. Well I am new to Group Policies. My question is that configuring this policy will also disable the usb mouse and keyboard ?

ワージントンクリス
Guest
ワージントンクリス

It won’t because the GPO only affects removable storage, not the USB ports themselves.

rath
Guest
rath

Sorry disable administrator or disable all users, because when i do this it disable only admin not user

James Vincent
Member
James Vincent

Hi Rath, could you post the question here – http://prajwaldesai.com/community/

Zaid khan
Guest
Zaid khan

Hi thanx for the wonderful information , i am new to system admin so i am working for a organisation where we have 100 computers connected to a network with windows server 2012 i don’t have any security for network so want to know for antivirus which is best for a network i heard we get antivirus server what is that and how do i access users remotely which software usually companies uses to access systems remotely for issues.

James Vincent
Member
James Vincent

Hi Zaid, could you be a part of the forums – http://prajwaldesai.com/community/

Kichu
Guest
Kichu

From the link for how to block USB access using GPO. If in an organization we are applying this policy to all the users(including BYOD users) and If the BYOD users use their systems outside the network, will it be possible to use USB even logging with domain account.

Please confirm if any alternate way is available.

James Vincent
Member
James Vincent

Hi Kichu, could you be a part of the forums – http://prajwaldesai.com/community/

James Vincent
Member
James Vincent

@Kurt – You mean you want to create a policy where users are allowed to set simple passwords for their accounts ?

kurt
Guest
kurt

yes ..

kurt
Guest
kurt

How to create simple passwords for users using group policy

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. AcceptRead More