Block USB Drives Using Group Policy

You can easily block access to any Removable Drive, including USB drives, that users may connect to Windows 10/11 devices. Blocking USB drive access is a must for every organization, as it can prevent data theft.

If users access confidential information from the device that can be saved and then copied to external storage, it could be a security breach. To prevent this security breach, the use of removable storage must be blocked on all corporate domain-joined devices.

Reasons to Restrict USB Drive Access

If USB Drive Access is enabled, users can copy the organization data onto the drive and move it to another computer, which could be the user’s personal computer.

One way to prevent it is by blocking access to it completely, which will block all access, including read access, on the USB drive. Alternatively, you could deny write access on the USB drives using the Removable Disks: Deny write access policy setting.

External USB drives are not considered secure, as they may contain malware or viruses that could compromise your device and lead to the theft of confidential information. Such malware can also spread across your network of devices. Another reason for disabling USB drive access on domain-joined devices.

Ways to Block USB Drives on Corporate Devices

There are multiple methods to block USB drives on corporate devices. Corporate devices, which are company-owned, may be either domain-joined or Entra hybrid-joined.

I have provided a list of all the methods below. However, this blog post will focus on demonstrating how to block USB drives using the Active Directory Group Policy. Let’s check the different methods below:

1. Block USB Drives using a Group Policy Object – You can easily block USB drive access by creating a Group Policy Object for Active Directory Domain-joined computers.

2. Block USB Drives using Group Policy Preferences (GPP) – You can use GPP to create necessary Registry Entries that block USB drive access. For details about which registry entries to create, refer to the post: Registry Key Information.

3. Block USB Drives using Intune – If your Windows 10 or Windows 11 devices are Entra hybrid joined or Entra Joined, you can use Intune Policies to block USB drives. Here are three ways to do so.

4. Block USB Drives using Intune Remediations – This method also utilizes Intune but involves using PowerShell scripts to create the necessary registry keys and entries, effectively blocking USB drives. For more details, refer to the step-by-step guide: Block USB Drives access on Windows using Intune remediations.

5. Block USB Drives using Powershell script – You can create and deploy a PowerShell script using Group Policy or Intune to block USB drives. I have created PowerShell scripts that generate registry entries to block USB access. For more details, refer to the post: Powershell scripts.

6. Block USB Drives using Registry – The Windows registry editor can create necessary registry entries to block USB Drive access. Refer to the link: Registry Key Information.

Disable/Block USB Drive Access using Group Policy

We will log in to a domain controller and create a Group Policy Object (GPO) in Active Directory to disable or block USB drive access. Let’s check the steps:

Step 1 – Create an Organizational Unit (OU)

• Login to the domain controller using domain administrator rights.
• Press Windows + R to open the Run dialog box.
• Type dsa.msc Press Enter to open Active Directory Users and computers.
• Create a new Organizational Unit (OU) and move your Windows 10/11 devices into It.

Please note that you can also use an existing Organizational Unit (OU) that contains the devices on which you want to apply this policy to block USB drives. The creation of a new OU is not mandatory.

We are creating a new OU and moving test computers into this OU to ensure that this policy gets applied only to our test devices first before we link the GPO to an OU which contains Production devices.

Note

Step 2 – Create a Group Policy Object

The next step is to create a Group Policy Object in Active Directory using the Group Policy Management Console. Let’s check the steps:

• Login to the domain controller using domain administrator rights.
• Press Windows + R to open the Run dialog box.
• Type gpmc.msc Press Enter to open the Group Policy Management Console.
• Right-click on the Group Policy Objects folder and select New.

• Provide a name for the Group Policy Object; for example, Block USB Drives, and press OK.
• Right-click on the GPO and select Edit.

• Navigate to Computer Configuration\Policies\Administrative Templates\System\Removable Storage Access. You will find the following Policies on the right-hand side:
  • Set time (in seconds) to force reboot
  • CD and DVD: Deny execute access
  • CD and DVD: Deny read access
  • CD and DVD: Deny write access
  • Custom Classes: Deny read access
  • Custom Classes: Deny write access
  • Floppy Drives: Deny execute access
  • Floppy Drives: Deny read access
  • Floppy Drives: Deny write access
  • Removable Disks: Deny execute access
  • Removable Disks: Deny read access
  • Removable Disks: Deny write access
  • All Removable Storage classes: Deny all access
  • All Removable Storage: Allow direct access in remote sessions
  • Tape Drives: Deny execute access
  • Tape Drives: Deny read access
  • Tape Drives: Deny write access
  • WPD Devices: Deny read access
  • WPD Devices: Deny write access

• We will choose All Removable Storage classes: Deny all access to deny Read and Write access to all removable storage classes, including the USB storage class.

• However, if you want to allow Read access to the USB drive, you can only block write access by enabling the policy setting: Removable Disks: Deny write access.

This policy setting takes precedence over any individual removable storage policy settings. To manage individual classes, use the policy settings available for each class.

If you enable this policy setting, no access is allowed to any removable storage class.

If you disable or do not configure this policy setting, write and read accesses are allowed to all removable storage classes.

About All Removable Storage classes: Deny all access GPO setting

• Right-click on All Removable Storage classes: Deny all access policy and select Edit.

• Select Enable to block any removable Storage classes, including USB drives. Click on the OK button to save the changes. Close the Group Policy Management Editor.

Step 3 – Link Block USB Drives GPO with Block USB Drives OU

Now that our Group Policy Object has been created successfully, it will not apply until it’s linked to an Organizational Unit (OU) that contains Windows devices. We had previously created an OU called Block USB Drives, including the Cloudinfra-Win11 computer. Let’s link the Block USB Drives GPO with this OU.

• Login to the domain controller using domain administrator rights.
• Press Windows + R to open the Run dialog box.
• Type gpmc.msc Press Enter to open the Group Policy Management Console.
• Right-click on the Block USB Drives GPO and select “Link an Existing GPO…“

• Select Block USB Drives GPO and press OK to link this GPO with Block USB Drives OU.

• Now that the Group Policy Object (GPO) has been linked successfully with an Organizational Unit (OU) that contains Windows devices let’s test this policy and confirm if it has been applied successfully.

End-User Experience

Group Policy updates happen regularly on client devices. However, if you want to speed up the testing and apply this Group Policy more quickly, you can open a command prompt as an administrator and run the command gpupdate /force.

After that, you can try to plug any USB drive into one of the devices on which you have applied this GPO. Try to access this USB drive, and you will see a pop-up message <Drive:> is not accessible. Access is denied. This concludes our blog post and confirms the successful application of the GPO on Windows devices to block USB drive access.