Disable Usb Drives Windows 10

How to Disable the Use of USB Storage Devices in Windows 10. If you want to prevent others from copying important materials/files from your computer through USB storage devices, it’s a good idea to disable the use of USB storage devices on your computer. To do this, you can simply restrict access to removable storage disks, or completely prevent removable storage devices from connecting to.

When connecting a new USB device to the computer, Windows automatically detects the device and installs an appropriate driver, which means that the user can almost immediately use a connected USB drive or device. In some organizations, the use of USB-devices (flash drives, USB HDDs, SD cards and so on) is blocked for security reasons to prevent security leakage of confidential data and the penetration of viruses into the internal corporate network. This article describes how to use the Group Policy (GPO) to disable external removable USB-drives, them from data writing or running executable files.

  1. Jun 10, 2019  I have two DVD-RW/CDR drives that will no longer recognize valid discs since the latest Windows 10 update. I upgraded from Win 7 just over a month ago, and they seemed to work fine. The system information shows that they are good drives, but they.
  2. Jan 15, 2016  Windows 10 GPO to disable access to all external disk drives and SD cards? This applies to USB thumb drives and is a partial solution. What about when someone plugs in a large USB hard disk that Windows sees as a fixed drive instead of a removable drive?
  3. Jun 27, 2018  In Windows, starting from Windows 7 / Vista, you can flexibly manage access to external drives (USB, CD / DVD, floppy, tape etc.) using Group Policies. You can programmatically block the use of USB drives, without affecting such USB devices as a mouse, keyboard, printer, etc.
  4. Restrict access to USB drives. Learn how to disable, enable USB Ports, USB mass storage in Windows 10/8/7 using Registry, Device Manager, Control Panel, Free Tools.
  5. Apr 17, 2018  Assume that you want to prevent users from connecting to a USB storage device that is connected to a computer that is running Windows XP, Windows Server 2003, or Windows 2000. This article discusses two methods that you can use to do this.

In Windows, starting from Windows 7 / Vista, you can flexibly manage access to external drives (USB, CD / DVD, floppy, tape etc.) using Group Policies. You can programmatically block the use of USB drives, without affecting such USB devices as a mouse, keyboard, printer, etc.

Download free full version games, over 1000+ free PC games to download. New PC game added every 60 Hours. Trusted and Safe downloads. Free graphics downloads for games. High graphic games free download for pc-hd games. High graphic games free download for pc-hd games!Our free High graphic pc games are downloadable for windows 7/8/10/xp/vista.If you fight with a bunch of enemies with fire – then you are in a shooting game. Graphics for games free download - CorelDraw Graphics Suite, CorelDRAW Graphics Suite, Intel Graphics Media Accelerator Driver, and many more programs. Download Free Games has been a trusted place to download games since 2002. Our goal is to have one of the most unique selections of quality and fun free game downloads on the Internet. Every Game is Free to Try or Totally Free. Games graphics free download - CorelDraw Graphics Suite, CorelDRAW Graphics Suite, Intel Graphics Media Accelerator Driver, and many more programs.

The USB device blocking policy will work if the infrastructure of your AD domain meets the following requirements:

  1. Active Directory schema version — Windows Server 2008 or higher.
    Note. The set of policies allows to control the installation and use of removable media on Windows appeared only in this AD version (version 44).
  2. Desktop OSs – Windows Vista, Windows 7 or higher.
Tip. In Windows XP Group Policies you can’t restrict access to external USB devices: to block access to external media, administrators had to use third-party tools, or to prevent certain device drivers (UsbStor, Cdrom, Flpydisk, Sfloppy) from running (using the value 0 of the parameter Start in the registry key HKLMSYSTEMCurrentControlSetServices). However, since 2014, Windows XP support has ended, and today it is quite rare in corporate networks.

Configuring GPO to Block USB drives and other External Storage Devices

We are going to restrict the use of USB-drives for all computers in a certain AD container (OU). You can apply the USB block policy to the entire domain, but this will affect the servers and other technological devices. Let’s assume that we want to apply the policy to OU named Workstations. To do it, open the GPO management console (gpmc.msc), right-click on OU Workstations and create a new policy (Create a GPO in this domain and Link it here.)

Tip. In case of stand-alone computer, the USB-device restriction policy can be edited using a Local Group Policy Editor – gpedit.msc. In the Windows Home editions local group editor is missing, but you can install it like this: How to enable gpedit.msc on Windows 10 Home

Name the policy “Disable USB Access”.

After that, edit its settings (Edit).

External storage devices blocking settings are located in the user and computer sections of the GPO:

  1. User Configuration -> Policies -> Administrative Templates -> System -> Removable Storage Access.
  2. Computer Configuration -> Policies -> Administrative Templates -> System -> Removable Storage Access.

In the Removable Storage Access section, there are several policies allowing you to disable the use of different types of storage classes — CD/DVDs, FDD, USB-devices, tapes, etc.

  • CD and DVD: Deny execute access.
  • CD and DVD: Deny read access.
  • CD and DVD: Deny write access.
  • Custom Classes: Deny read access.
  • Custom Classes: Deny write access.
  • Floppy Drives: Deny execute access.
  • Floppy Drives: Deny read access.
  • Floppy Drives: Deny write access.
  • Removable Disks: Deny execute access.
  • Removable Disks: Deny read access.
  • Removable Disks: Deny write access.
  • All Removable Storage classes: Deny all access.
  • All Removable Storage: Allow direct access in remote sessions.
  • Tape Drives: Deny execute access.
  • Tape Drives: Deny read access.
  • Tape Drives: Deny write access.
  • Windows Portable Device – this class includes smartphones, tablets, players, etc.
  • WPD Devices: Deny write access.

As you can see, you can deny the launch of executable files for each device class (protect computers against viruses), prohibit reading data and writing / editing files on external media.

The “strongest” restrict policy — All Removable Storage Classes: Deny All Access – allows to deny the access to all types of external storage devices. To turn on the policy, open it and check Enable.

After enabling and updating the policy on client computers (gpupdate /force), the system detects the connected external devices (not only USB devices, but also any external drives) being connected and returns the following error message when user tries to open them:

Location is not available

Drive is not accessible. Access is denied

Tip. The same restriction can be set using the registry by creating DWORD parameter Deny_All with the value 00000001 in the registry key HKEY_CURRENT_USERSoftwarePoliciesMicrosoftWindowsRemovableStorageDevices.

In this policy section, more flexible restriction to use external USB-drives can be configured.

For example, to prevent writing data to USB flash drives and other types of USB drives, you should enable the policy Removable Disk: Deny write access.

In this case, users will be able to read the data stored on a USB flash drive, but when they attempt to write information to it, they will receive an access error:

Destination Folder Access Denied

You need permission to perform this action

You can deny to run executable and script files stored on USB-drives using Removable Disks: Deny execute access policy.

Note. In some cases, after updating policies on the client with the gpupdate /force command, access to removable USB devices is not immediately blocked. To apply USB blocking policies, you must restart the computer, enable the policy “Set time (in seconds) to force reboot” in the same GPO section. The computer will then force reboot.

GPO to Disable USB Drives for Certain Users

Quite often it is necessary to block USB drives for all users in the domain (except administrators).

The easiest way to do this is through the use of Security Filtering in the GPO. For example, to prevent the USB block policy from being applied to the Domain Admins group:

  1. In the Group Policy Management console, select your Disable USB Access policy.
  2. In the Security Filtering section, add the Domain Admins group.
  3. Go to the Delegation tab and click the Advanced in the security settings editor, specify that the Domain Admins group is not allowed to apply this GPO (Apply group policy – Deny).

Bitdefender for windows server. If the task is different: you need to allow USB drives to be used by all but a certain group of users, you need to add your user group in the security settings of the policy with read and apply GPO permissions, and leave only the read permissions for the Authenticated Users or Domain Computers groups (uncheck the Apply group policy option).

Blocking USB and Removable Devices via Registry and Group Policy Preferences

You can more flexibly control access to external devices by configuring the registry settings that are set by the policies discussed above through the Group Policy Preferences (GPP). All the above policies correspond to certain registry keys in the HKLM (or HKCU) SOFTWAREPoliciesMicrosoftWindowsRemovableStorageDevices (by default this registry key is missing).

To enable one of these policies, you must create a new subkey in the specified key with the name of the device class you want to block access to (column 2) and REG_DWORD parameter with constraint type (Deny_Read or Deny_Write). If the value of this parameter is equal to 1, the restriction is active, if 0 – the prohibition of using this class of devices doesn’t work.

Policy nameDevice Class GUIDRegistry parameter name
Floppy Drives:
Deny read access		{53f56311-b6bf-11d0-94f2-00a0c91efb8b}Deny_Read
Floppy Drives:
Deny write access		{53f56311-b6bf-11d0-94f2-00a0c91efb8b}Deny_Write
CD and DVD:
Deny read access		{53f56308-b6bf-11d0-94f2-00a0c91efb8b}Deny_Read
CD and DVD:
Deny write access		{53f56308-b6bf-11d0-94f2-00a0c91efb8b}Deny_Write
Removable Disks:
Deny read access		{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Deny_Read
Removable Disks:
Deny write access		{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Deny_Write
Tape Drives:
Deny read access		{53f5630b-b6bf-11d0-94f2-00a0c91efb8b}Deny_Read
Tape Drives:
Deny write access		{53f5630b-b6bf-11d0-94f2-00a0c91efb8b}Deny_Write
WPD Devices:
Deny read access		{6AC27878-A6FA-4155-BA85-F98F491D4F33}
{F33FDC04-D1AC-4E8E-9A30-19BBD4B108AE}		Deny_Read
WPD Devices:
Deny write access		{6AC27878-A6FA-4155-BA85-F98F491D4F33}
{F33FDC04-D1AC-4E8E-9A30-19BBD4B108AE}		Deny_Write

Thus, with the help of these registry keys and the ability to target GPP policies with Item-level targeting, you can flexibly apply policies that restrict the use of external storage devices to certain AD security groups, sites, OS versions, OUs and other computer characteristics (you can use even WMI queries). In this way, you can make sure that USB block policies are applied only to computers (users) that are included (or not included) to a certain AD group.

Note. Similarly, you can create your own policies for device classes that are not listed in this list. You can find the device class ID in the driver properties in the value of the Device Class GUID attribute.

How to Disable NTLM Authentication in Windows Domain?

September 24, 2019

Managing Microsoft Office Settings with GPO Administrative Templates

September 11, 2019

How to Show/Hide All User Accounts from Login..

August 30, 2019

Changing Desktop Background Wallpaper in Windows through GPO

August 21, 2019

Configuring Windows Firewall Settings and Rules with Group..

August 16, 2019

How often have you witnessed blocked Pen drive or USB drive access in your workplace or college or school? I believe many times; in fact, every time you try to use the USB drive, you are not allowed, simply because the administrator has disabled USB drive detection on your Windows 10/8/7 system. Again, how often has your data been stolen because someone connected an unauthorized USB to your computer and copied your files? Well, you don’t need to worry because the solution to disable or enable USB Ports is pretty simple.

Restrict access to USB drives

There are five ways an administrator can prevent using of USB Drives

They are:

  1. Altering registry values for USB Mass Storage Devices.
  2. Disabling USB Ports from Device Manager.
  3. By Uninstalling the USB Mass Storage Drivers
  4. Using third-party freeware
  5. Using Microsoft Fix It.

Lets us look at how we can fix these problems and enable USB on a Windows PC.

Disable Usb Drives Windows 10 Drivers

1] Enable, Disable USB Drives & Mass Storage Devices using Registry

If the administrator is smart, then he would definitely do this to ensure a tight blockade. He would alter the settings through regedit command on Run console. Now how do you unlock it? You have to go right into where the administrator has been. Here is how.

Block Usb Flash Drive Windows 10

Remove usb drive windows 10
  1. Go to Start > Run, type “regedit” and press enter to open the registry editor
  2. Navigate to the following key

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesUSBSTOR

In the right pane, select Start and change the value to 3. (The value 4 will disable USB Storage). Click OK. This will re-enable USB Ports and allow you to use USB or Pen drives.

2] Disable USB Ports from Device Manager

If you still don’t find your USB drive working, you may have to look into the Device Manager. The Administrator could have possibly disabled the USB port here. Check out for any possibility in the Device Manager and enable the disabled port by right-clicking on selected one and click Enable.

3] Uninstall USB Mass Storage Drivers

If the authorities are really worried about security in the school, they will take the extreme step of uninstalling the USB Mass Storage Drivers. To make things work, just install the device drivers. Here is how you do it.

As when you plug-in your USB drive, Windows will check for drivers, if not found Windows will prompt you to install the driver. This would definitely unlock the Pen drive at your School or office.

4] Use USB Drive Disabler/Enabler

You can download and use a free tool USB Drive Disabler/Enabler which will allow you to easily enable or disable USB drives on your Windows computer. www.intelliadmin.com to download it.

5] Prevent users from connecting USB

If a USB storage device is already installed on your Windows computer, you can edit the Windows Registry to ensure sure that the USB does not work when anyone connects it to the PC, using this Microsoft Fix it 50061 [This has been taken down by Microsoft now]. Check first if it applies to your version of the Windows operating system.

Please let us know if you have any questions or observations.

Disable Usb Drives Windows 10 Download

TIP: Download this tool to quickly find & fix Windows errors automatically

Group Policy Disable Usb Drives Windows 10

Related Posts: