How to Block or Disable USB Devices Using Group Policy

Posted by Prajwal Desai
In this post, you’ll learn how to block USB devices on Windows computers using Group Policy.

In today’s modern workplace, every member of staff owns and uses at least one USB storage device. USB stands for universal serial bus. USB is typically used to plug devices such as mice, keyboards, printers, and external hard disks into your computer.

One reason for the popularity of USB devices is that they are easy to connect to your computer. You can plug in any USB storage device, and Windows will detect it and make it ready for use.

Risks Associated with Allowing USB Drives

One of the most common ways to prevent data theft is to disable USB storage devices. Because USB devices are portable and easy to connect to computers, they pose very real security threats. Misuse of USB storage devices poses a significant security threat to an organization.

USB devices are often used to transfer data from one device to another. However, this may lead to security risks. One way of preventing the risk is by blocking USB devices through Group Policy Objects.

An employee could plug a USB drive into their laptop and exfiltrate sensitive information or install unauthorized applications, which could lead to further security concerns.

Furthermore, the employee’s USB device could contain malware or malicious code, which may result in malware spreading to the company’s network.

Hence, many organizations do not allow USB devices to be connected to their computers; they disable or block USB devices using Group Policy.

Thankfully, Microsoft has made it relatively simple to block USB and the use of unauthorized USB storage devices. In this article, we’ll show how to use a Group Policy Object to block access to USB storage devices.

How to Disable USB devices using Group Policy

Group Policy Objects (GPOs) are a way to centrally manage settings across a Windows domain. GPOs can be used to disable USB devices on the computer.

To block USB devices, you need to create a Group Policy Object and configure it with the desired settings. You can then link the Group Policy Object to an Active Directory container or site, or apply it to individual systems.

For example, you can create an OU in Active Directory and add a few test computers to that OU. The Group Policy that we create to block USB devices will be linked to this OU.

Let’s see how to disable USB devices using Group Policy. To create a Group Policy Object, you can log in either to a domain controller or to a Windows Server with the Group Policy Management tools installed.

Launch the Group Policy Management tool on the domain controller, right-click Group Policy Objects, and click New. Provide a name for the GPO, such as Block USB Devices, and click OK.

Right-click the GPO and click Edit. This will launch Group Policy Management Editor where you can define the settings to block USB devices for Windows computers.

In the Group Policy Management Editor, navigate to Computer Configuration\Policies\Administrative Templates\System\Removable Storage Access.

Removable Storage Access GPO Options

The Removable Storage Access node contains policies for a variety of storage devices. The policies include:

  • Set time (in seconds) to force reboot
  • CD and DVD: Deny execute access
  • CD and DVD: Deny read access
  • CD and DVD: Deny write access
  • Custom Classes: Deny read access
  • Custom Classes: Deny write access
  • Floppy Drives: Deny execute access
  • Floppy Drives: Deny read access
  • Floppy Drives: Deny write access
  • Removable Disks: Deny execute access
  • Removable Disks: Deny read access
  • Removable Disks: Deny write access
  • All Removable Storage classes: Deny all access
  • All Removable Storage: Allow direct access in remote sessions
  • Tape Drives: Deny execute access
  • Tape Drives: Deny read access
  • Tape Drives: Deny write access
  • WPD Devices: Deny read access
  • WPD Devices: Deny write access

Of all the Removable Storage Access policies, we will configure the setting “All Removable Storage classes: Deny all access”.

All Removable Storage classes: Deny all access: This policy setting allows you to configure access to all removable storage classes. This policy setting takes precedence over any individual removable storage policy settings. If you enable this policy setting, no access is allowed to any removable storage class. If you disable or do not configure this policy setting, write and read accesses are allowed to all removable storage classes.

Right-click on the policy setting All Removable Storage classes: Deny all access and click Edit. If you enable this policy, then it will block access to any removable storage class that you connect to the computer. Click Enabled and click Apply and then OK.

The GPO to block USB devices is ready. We will apply this GPO to an OU that we created in the initial step. Right-click on the OU and click Link an Existing GPO.

From the list of GPOs, select the policy Block USB Devices and click OK.

Block USB Devices using Group Policy

In this section, we will test the GPO that blocks the USB drives on Windows devices. On the client computer, perform a group policy update using the command gpupdate /force.

Connect any USB device to the computer, and you should see the message “Access is denied”. The error “Drive not accessible, Access is denied” indicates that a group policy has blocked the USB device successfully. The policy that we applied will prevent users from mounting any class of removable media.
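Besides plugging in a drive, the result can be checked on the client from PowerShell. This is an added example, not part of the original article; the function name Get-RemovableStoragePolicy is hypothetical, and the script reads the policy registry key that the Removable Storage Access settings write to.

```powershell
# Added example. Run in an elevated PowerShell session on the client
# after gpupdate /force.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

function Get-RemovableStoragePolicy {
    param([string]$Path = $PolicyKey)

    if (-not (Test-Path -Path $Path)) {
        # No policy key: the settings are "Not configured" on this computer.
        return [pscustomobject]@{ DenyAll = $false; PerClass = @() }
    }

    $root = Get-ItemProperty -Path $Path

    # Individual settings (Removable Disks, CD and DVD, ...) are stored in subkeys.
    $perClass = @(Get-ChildItem -Path $Path | ForEach-Object {
        $v = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            SubKey      = $_.PSChildName
            DenyRead    = [bool]$v.Deny_Read
            DenyWrite   = [bool]$v.Deny_Write
            DenyExecute = [bool]$v.Deny_Execute
        }
    })

    [pscustomobject]@{ DenyAll = ($root.Deny_All -eq 1); PerClass = $perClass }
}

$state = Get-RemovableStoragePolicy
if ($state.DenyAll) {
    'Deny all access is enforced; it takes precedence over the individual settings below.'
} else {
    'Deny all access is NOT enforced on this computer.'
}
$state.PerClass | Format-Table -AutoSize

# Confirm that the GPO from the article was applied to the computer.
gpresult /r /scope computer | Select-String -Pattern 'Block USB Devices'
```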

Prajwal Desai is a Microsoft MVP in Intune and SCCM. He writes articles on SCCM, Intune, Windows 365, Windows Server, Windows 11, WordPress and other topics, with the goal of providing people with useful information.