Block USB Drives Using Group Policy

You can block access to removable drives, including USB drives, that users connect to Windows 10 and Windows 11 devices. Blocking USB storage is a common data-protection control: it removes an easy, offline channel for copying files out of the organization.

If a user can open confidential information on a device, save it, and copy it to external storage, that is a data breach waiting to happen. To prevent it, block the use of removable storage on corporate domain-joined devices (or, where users genuinely need to read from USB drives, deny only write access).

Reasons to Restrict USB Drive Access

If USB drive access is enabled, a user can copy organization data onto the drive and move it to another computer, which may be the user's personal machine. This is a data exfiltration event.

One way to prevent it is to block access completely, which denies all access, including read access, to the USB drive. Alternatively, you can deny only write access with the “Removable Disks: Deny write access” policy setting, which lets users read from a drive but not copy data onto it.

External USB drives are also a malware vector: a drive may carry malware that compromises the device it is plugged into, leads to theft of confidential information, and spreads to other devices on the network. That is a second reason to disable USB drive access on domain-joined devices. Keep in mind that the Removable Storage Access policies cover storage device classes only; a malicious USB device that presents itself as a keyboard or network adapter is not affected by them.

Ways to Block USB Drives on Corporate Devices

There are multiple methods to block USB drives on corporate devices. Corporate devices, which are company-owned, may be either domain-joined or Entra hybrid-joined.

I have provided a list of all the methods below. However, the focus of this blog post will be to demonstrate blocking USB drives using Active Directory Group Policy. Let’s check the different methods below:

  1. Block USB Drives using a Group Policy Object – By creating a Group Policy Object for Active Directory domain-joined computers, you can block USB drive access.
  2. Block USB Drives using Group Policy Preferences (GPP) – You can use GPP to create the registry entries that block USB drive access. For details about which registry entries to create, refer to the post: Registry Key Information.
  3. Block USB Drives using Intune – If your Windows 10 or Windows 11 devices are Entra hybrid joined or Entra joined, you can use Intune policies to block USB drives. Refer to the post: 3 Ways to Block USB Drives Using Intune.
  4. Block USB Drives using Intune Remediations – This method also uses Intune, but with PowerShell scripts that create the necessary registry keys and entries. For more details, refer to the step-by-step guide: Block USB Drives access on Windows using Intune remediations.
  5. Block USB Drives using a PowerShell script – You can create a PowerShell script and deploy it with Group Policy or Intune to block USB drives. I have already created PowerShell scripts that generate the registry entries for blocking USB access. For more details, refer to the post: PowerShell scripts.
  6. Block USB Drives using the Registry – You can use the Windows Registry Editor to create the registry entries that block USB drive access. Refer to the link: Registry Key Information.
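Methods 2, 5 and 6 all come down to writing the same registry-based policy values that the Removable Storage Access administrative template writes. The following script is an added example, not one of the scripts linked from this post: it sets those values locally with PowerShell so you can see what the GPO does under the hood. The key path and the Deny_All/Deny_Read/Deny_Write/Deny_Execute value names are the ones defined by RemovableStorage.admx; the class GUIDs are the device-interface class GUIDs that template uses for each storage class. The function name is my own.

```powershell
# Added example (not the post's own script). Sets the registry-based policy
# values behind the "Removable Storage Access" administrative template.
# Run in an elevated PowerShell session. On a domain-joined machine a GPO that
# configures the same settings overwrites these values at the next policy refresh.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

# Device-interface class GUIDs used by RemovableStorage.admx for each class.
$StorageClasses = @{
    'CD and DVD'      = @('{53f56308-b6bf-11d0-94f2-00a0c91efb8b}')
    'Floppy Drives'   = @('{53f56311-b6bf-11d0-94f2-00a0c91efb8b}')
    'Removable Disks' = @('{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}')
    'Tape Drives'     = @('{53f5630b-b6bf-11d0-94f2-00a0c91efb8b}')
    'WPD Devices'     = @('{6AC27878-A6FA-4155-BA85-F98F491D4F33}',
                          '{F33FDC04-D1AC-4E8E-9A30-19BBD4B108AE}')
}

function Set-RemovableStorageDeny {
    # Deny Read/Write/Execute for one storage class, or everything with -All.
    # -Read/-Write/-Execute map to Deny_Read/Deny_Write/Deny_Execute (DWORD 1)
    # under the class GUID subkey; -All maps to Deny_All under the root key.
    [CmdletBinding()]
    param(
        [string]$Class,
        [switch]$Read,
        [switch]$Write,
        [switch]$Execute,
        [switch]$All
    )

    if ($All) {
        New-Item -Path $PolicyRoot -Force | Out-Null
        Set-ItemProperty -Path $PolicyRoot -Name 'Deny_All' -Type DWord -Value 1
        return
    }
    if (-not $StorageClasses.ContainsKey($Class)) {
        throw "Unknown storage class '$Class'. Known: $($StorageClasses.Keys -join ', ')"
    }
    foreach ($guid in $StorageClasses[$Class]) {
        $key = Join-Path $PolicyRoot $guid
        New-Item -Path $key -Force | Out-Null
        if ($Read)    { Set-ItemProperty -Path $key -Name 'Deny_Read'    -Type DWord -Value 1 }
        if ($Write)   { Set-ItemProperty -Path $key -Name 'Deny_Write'   -Type DWord -Value 1 }
        if ($Execute) { Set-ItemProperty -Path $key -Name 'Deny_Execute' -Type DWord -Value 1 }
    }
}

# Equivalent of "Removable Disks: Deny write access" (reading still allowed):
Set-RemovableStorageDeny -Class 'Removable Disks' -Write

# Equivalent of "All Removable Storage classes: Deny all access":
# Set-RemovableStorageDeny -All

# Show what is now configured.
Get-ChildItem -Path $PolicyRoot -Recurse | Get-ItemProperty
```

Because these values live under HKLM\SOFTWARE\Policies, they behave exactly like a GPO setting: the same note from the template applies, and a changed access right may not take effect for an already-connected drive until the machine restarts.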

Disable/Block USB Drive Access using Group Policy

To disable or block USB drive access, we will log in to a domain controller and create a Group Policy Object (GPO) in Active Directory. Let’s check the steps:

Step 1 – Create an Organizational Unit (OU)

  • Log in to the Domain Controller with domain administrator rights.
  • Press Windows + R to open the Run dialog box.
  • Type dsa.msc and press Enter to open Active Directory Users and Computers.
  • Create a new Organizational Unit (OU) and move your Windows 10/11 test devices into it.

Please note that you can also use an existing Organizational Unit (OU) that contains the devices on which you want to apply this policy to block USB drives. The creation of a new OU is not mandatory.

We are creating a new OU and moving test computers into this OU to ensure that this policy gets applied only to our test devices first before we link the GPO to an OU which contains Production devices.


Step 2 – Create a Group Policy Object

The next step is to create a Group Policy Object in Active Directory using the Group Policy Management Console. Let’s check the steps:

  • Log in to the Domain Controller with domain administrator rights.
  • Press Windows + R to open the Run dialog box.
  • Type gpmc.msc and press Enter to open the Group Policy Management Console.
  • Right-click on the Group Policy Objects folder and select New.
  • Provide a name for the Group Policy Object; for example, “Block USB Drives“, and press OK.
  • Right-click on the GPO and select Edit.
  • Navigate to Computer Configuration\Policies\Administrative Templates\System\Removable Storage Access. You will find the following Policies on the right-hand side:
    • Set time (in seconds) to force reboot
    • CD and DVD: Deny execute access
    • CD and DVD: Deny read access
    • CD and DVD: Deny write access
    • Custom Classes: Deny read access
    • Custom Classes: Deny write access
    • Floppy Drives: Deny execute access
    • Floppy Drives: Deny read access
    • Floppy Drives: Deny write access
    • Removable Disks: Deny execute access
    • Removable Disks: Deny read access
    • Removable Disks: Deny write access
    • All Removable Storage classes: Deny all access
    • All Removable Storage: Allow direct access in remote sessions
    • Tape Drives: Deny execute access
    • Tape Drives: Deny read access
    • Tape Drives: Deny write access
    • WPD Devices: Deny read access
    • WPD Devices: Deny write access
  • We are going to choose “All Removable Storage classes: Deny all access” to deny read and write access to all removable storage classes, which includes the USB storage class (Removable Disks) as well.
  • If you want to allow read access to USB drives, block only write access instead by enabling the policy setting “Removable Disks: Deny write access”.

About “All Removable Storage classes: Deny all access” GPO setting

The policy setting's own description reads:

This policy setting takes precedence over any individual removable storage policy settings. To manage individual classes, use the policy settings available for each class.

If you enable this policy setting, no access is allowed to any removable storage class.

If you disable or do not configure this policy setting, write and read accesses are allowed to all removable storage classes.

  • Right-click on the All Removable Storage classes: Deny all access policy setting and select Edit.
  • Select Enabled to block all removable storage classes, including USB drives. Click OK to save the change, then close the Group Policy Management Editor.

The Group Policy Object now exists, but it does not apply to anything until it is linked to an Organizational Unit (OU) that contains Windows devices. We previously created an OU called “Block USB Drives” which contains the “Cloudinfra-Win11” computer. Let’s link the “Block USB Drives” GPO to this OU.

  • Log in to the Domain Controller with domain administrator rights.
  • Press Windows + R to open the Run dialog box.
  • Type gpmc.msc and press Enter to open the Group Policy Management Console.
  • Right-click on the Block USB Drives OU (not the GPO) and select “Link an Existing GPO…”.
  • Select “Block USB Drives” GPO and press OK to link this GPO with “Block USB Drives” OU.
  • Now that the Group Policy Object (GPO) has been linked successfully with an Organizational Unit (OU) that contains Windows devices, let’s test this policy and confirm if it has been applied successfully.
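Steps 1 to 3 above can also be scripted from the domain controller with the ActiveDirectory and GroupPolicy modules that ship with RSAT, which is handy for repeatable lab builds and for keeping the pilot scoping explicit. The script below is an added example, not part of the original post or its linked scripts. It assumes the OU and GPO are both called “Block USB Drives” and the pilot computer is “Cloudinfra-Win11”, as in the walkthrough; adjust those values for your environment. Set-GPRegistryValue writes the registry-based policy value that the administrative template maps to, so the Group Policy Management Editor shows the setting as Enabled afterwards.

```powershell
# Added example (not from the post): Steps 1-3 of the walkthrough from PowerShell,
# run on a domain controller (or a machine with RSAT) as a domain administrator.
# OU name, GPO name and the pilot computer name are assumptions; change them as needed.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDN = (Get-ADDomain).DistinguishedName    # e.g. DC=contoso,DC=local
$OuName   = 'Block USB Drives'
$GpoName  = 'Block USB Drives'
$TestPc   = 'Cloudinfra-Win11'                   # pilot device from the walkthrough
$OuDN     = "OU=$OuName,$DomainDN"

# Step 1: create the pilot OU (if missing) and move the test computer into it.
$existingOu = Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" -SearchBase $DomainDN -SearchScope OneLevel
if (-not $existingOu) {
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDN
}
$computer = Get-ADComputer -Identity $TestPc
if ($computer.DistinguishedName -notlike "*,$OuDN") {
    Move-ADObject -Identity $computer.DistinguishedName -TargetPath $OuDN
}

# Step 2: create the GPO and enable "All Removable Storage classes: Deny all access".
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Deny all access to removable storage classes'
}
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' `
    -ValueName 'Deny_All' -Type DWord -Value 1 | Out-Null

# Alternative for read-allowed / write-denied ("Removable Disks: Deny write access"):
# Set-GPRegistryValue -Name $GpoName `
#     -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}' `
#     -ValueName 'Deny_Write' -Type DWord -Value 1 | Out-Null

# Step 3: link the GPO to the pilot OU only (never the domain root during a pilot).
$linked = (Get-GPInheritance -Target $OuDN).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $OuDN -LinkEnabled Yes | Out-Null
}

# Review what was produced: the link list for the OU and an HTML report of the GPO.
(Get-GPInheritance -Target $OuDN).GpoLinks | Format-Table DisplayName, Enabled, Enforced, Order -AutoSize
Get-GPOReport -Name $GpoName -ReportType Html -Path (Join-Path $env:TEMP "$GpoName.html")
```

The idempotency checks (OU exists, computer already in place, GPO exists, link exists) are what make this safe to re-run; without them a second run would fail on New-ADOrganizationalUnit and New-GPO and could create a duplicate link.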

End-User Experience

Group Policy refreshes on client devices on a schedule. To apply this GPO sooner while testing, open an elevated command prompt on the client and run gpupdate /force, then confirm with gpresult /r (or rsop.msc) that the “Block USB Drives” GPO is listed under Applied Group Policy Objects for the computer. One caveat from the template itself: the help text for “Set time (in seconds) to force reboot” notes that, unless a reboot is forced, a changed removable storage access right does not take effect until the operating system restarts. If a drive that was already connected remains accessible after gpupdate, reboot the test device before concluding that the policy failed.

After that, plug a USB drive into one of the devices to which the GPO applies and try to open it. You will see the message “<Drive:> is not accessible. Access is denied”. That confirms the GPO has been applied to the Windows device and USB drive access is blocked. Bear in mind the scope of the setting: it denies access to the removable storage classes listed earlier, so USB devices that are not storage (a keyboard, a network adapter) continue to work. This concludes our blog post.
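To make the end-user test repeatable on a pilot machine, the following added example (not from the post) does two things from a standard user session: it reads back which Removable Storage Access values actually reached the client's policy registry, and it tries to create and delete a probe file on every mounted removable volume, reporting whether the write was allowed or denied. The function names and the probe file name are my own; the registry path and value names are the ones the administrative template uses.

```powershell
# Added example (not from the post): run on a pilot client after gpupdate /force.
# Reading the policy key needs no elevation; run the write probe as the normal
# user whose experience you want to confirm.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

function Get-RemovableStoragePolicy {
    # Reports Deny_All at the root and Deny_Read/Deny_Write/Deny_Execute under
    # every class GUID subkey that the applied policy created.
    if (-not (Test-Path $PolicyRoot)) {
        return [pscustomobject]@{ Scope = 'root'; Setting = '(none)'; Value = 'policy key absent - GPO not applied yet?' }
    }
    $root = Get-ItemProperty -Path $PolicyRoot
    if ($null -ne $root.Deny_All) {
        [pscustomobject]@{ Scope = 'All classes'; Setting = 'Deny_All'; Value = $root.Deny_All }
    }
    foreach ($sub in Get-ChildItem -Path $PolicyRoot) {
        $props = Get-ItemProperty -Path $sub.PSPath
        foreach ($name in 'Deny_Read', 'Deny_Write', 'Deny_Execute') {
            if ($null -ne $props.$name) {
                [pscustomobject]@{ Scope = $sub.PSChildName; Setting = $name; Value = $props.$name }
            }
        }
    }
}

function Test-RemovableDriveWrite {
    # DriveType 2 in Win32_LogicalDisk is "Removable Disk". For each mounted
    # removable volume, try to write and remove a probe file and classify the result.
    $removable = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2'
    if (-not $removable) {
        return [pscustomobject]@{ Drive = '(none)'; Write = 'no removable volume mounted - plug in a test drive' }
    }
    foreach ($disk in $removable) {
        $probe = Join-Path "$($disk.DeviceID)\" ("usb-policy-probe-{0}.txt" -f [guid]::NewGuid())
        try {
            Set-Content -Path $probe -Value 'probe' -ErrorAction Stop
            Remove-Item -Path $probe -ErrorAction Stop
            [pscustomobject]@{ Drive = $disk.DeviceID; Write = 'allowed' }
        } catch {
            $denied = ($_.CategoryInfo.Category -eq 'PermissionDenied') -or
                      ($_.Exception -is [System.UnauthorizedAccessException])
            $outcome = if ($denied) { 'denied (policy in effect)' } else { "error: $($_.Exception.Message)" }
            [pscustomobject]@{ Drive = $disk.DeviceID; Write = $outcome }
        }
    }
}

Get-RemovableStoragePolicy | Format-Table -AutoSize
Test-RemovableDriveWrite   | Format-Table -AutoSize
```

With “All Removable Storage classes: Deny all access” in effect you should see Deny_All = 1 and every removable drive reported as denied; with only “Removable Disks: Deny write access” you should see Deny_Write = 1 under the Removable Disks GUID subkey, the write probe denied, and reading from the drive still possible.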
