In this article, we will learn how to block USB devices using group policy. Group Policy (GPO) explains how to disable the use of external USB drives in Windows, the writing of data to removable flash drives, and the execution of executable files. Every employee in the modern workplace possesses and uses at least one USB storage device. USB is the code name for the universal serial interface. Typically, USBs are used to connect equipment such as controllers, keyboards, printers, and external hard drives to a computer.
One of the reasons why USB devices are so popular is that they are simple to connect to a computer. Windows is capable of detecting and enabling any USB storage device that is plugged in.
Table of Contents
Risks Involved in Allowing USB Drives
Disabling USB storage devices is a common method for avoiding data hijacking. Because USB devices are portable and can be easily connected to computers, they pose serious security risks. Bad use of USB storage devices poses a serious security risk to an organization.
USB devices are frequently used to transfer data between devices. This may, however, pose security risks. Blocking USB devices through Group Policy Objects is one method for avoiding the risk.
Microsoft has made it easy to block USB and stop people from using unauthorized USB storage devices. In this article, we’ll show you how to block access to USB storage devices via a Group Policy Object.
Block USB Devices using Group Policy
Group Policy Objects, or GPOs, are a way to manage settings for all computers in a Windows domain from one place. With GPOs, USB devices on the computer can be turned off.
To disable USB devices from working, you have to create a Group Policy Object and set it up with the settings you want. The Group Policy Object can then be linked to an Active Directory container or site, or it can be applied to a single machine.
Open server manager, select the tools tab, and click on Active Directory users and computers.
For example, in Active Directory, you need to Create an OU and add a few systems for testing to it. This OU will be linked to the Group Policy that we will make to block USB devices.
Create a Group Policy to Disable USB Device
Let’s look at how to apply Group Policy to turn off a USB device. You can log in to a domain controller or a Windows Server with Group Policy Management tools installed and create a group policy object.
Open Group Policy Management on your domain controller, right click on Group Policy Objects, and click New.
Enter a name for the GPO, such as Block USB Port, and click OK.
Right-click on the newly created GPO and click Edit. This will open the Group Policy Management Editor, where you can configure settings to block USB devices on Windows-based machines.
In the Group Policy Management Editor, go to.
Computer Configuration\Policies\Administrative Templates\System\Removable Storage Access
Removable Storage Access GPO Options
The Removable Storage Access Policy includes policies for a variety of storage devices, such as:
Set time (in seconds) to force reboot
CD and DVD: Deny execution access
CD and DVD: Deny read access
CD and DVD: Deny write access
Custom Classes: Deny read access
Custom Classes: Deny write access
Floppy Drives: Deny execute access
Floppy Drives: Deny read access
Floppy Drives: Deny write access
Removable Disks: Deny execute access
Removable Disks: Deny read access
Removable Disks: Deny write access
All Removable Storage Classes: Deny all access
All Removable Storage: Allow direct access in remote sessions
Tape Drives: Deny execute access
Tape Drives: Deny read access
Tape Drives: Deny write access
WPD Devices: Deny read access
WPD Devices: Deny write access
We will configure “All Removable Storage Classes: Deny all access” as one of the Removable Storage Access policies.
All Removable Storage Classes: Deny all access: This policy setting lets you configure access to all classes of removable storage. This policy setting has precedence over any individual policy settings for removable storage. If you enable this policy setting, no removable storage class is accessible. If you disable or do not configure this policy setting, all removable storage classes will allow read and write access.
Open the setting “All Removable Storage Classes: Deny all access.
If you enable this policy, it will disable access to any removable storage class that you connect to the system. Click Enabled, then Apply and OK.
Link an Existing GPO
The group policy to block USB ports is ready. This GPO will be applied to an OU that was created in the first stage. Right-click on this OU and choose Link an Existing GPO.
From the list of GPOs, choose the policy Block USB Devices and click ok.
Update Group Policy
In this part, we’ll try the GPO that stops Windows devices from using USB drives. Use the command gpupdate /force to update the group policy on the client computer.
Connect any USB device to the PC and try to open a removable disk.
You will get this error message: “Access is denied.” The error “Drive not accessible, Access is denied” means that the USB device has been blocked by a group policy. Because of the strategy we put in place, users won’t be able to mount any kind of removable media.
How to Disable USB Storage Devices Completely in Windows?
You can completely block the “USBSTOR (USB Mass Storage)” driver, which is needed to detect and mount USB storage devices correctly.
You can disable this driver on a standalone computer by modifying the value of the Start registry parameter from 3 to 4. Go to
HKLM\SYSTEM\CurrentControlSet\services\USBSTOR
Open start
Type 4 under Value Data and click OK.
Try to connect your USB storage device after you restart your computer. Now, it shouldn’t show in either File Explorer or the Disk Management panel, and Device Manager will tell you that there was a problem installing the driver.
Disable USBSTOR Driver to Block USB Port
Applying Group Policy Preferences, you can disable the USBSTOR driver on domain computers. To accomplish this, you must modify the registry via the GPO.
These configurations can be deployed to all computers in the domain. Create a new GPO, link it to the organization unit with computers.
Computer Configuration/Preferences/Windows Settings/Registry
Right-click on Registry, click New, and select a registry item.
Create a parameter with the following values.
Action: Update
Hive: HKEY_LOCAK_MACHINE
Key path: SYSTEM\CurrentControlSet\Services\USBSTOR
Value name: Start
Value type: REG_DWORD
Value data: 00000004
Refer to this article for more information on how to disable USB devices.
