GPO – Disable USB via Group Policy

How to block existing USB Storage Devices

To implement this, edit a Group Policy Object that is applied to all the workstations in your organisation and navigate to Computer Configuration > Preferences > Windows Settings > Registry. Then click Action > New > Registry Item, type SYSTEM\CurrentControlSet\Services\UsbStor into the Key Path field, type Start into the Value Name field and 4 into the Value Data field, and click OK.

If you want to prevent the installation of USB storage devices, use Group Policy to set the security on the driver files to prevent them from installing.

Key: HKLM\SYSTEM\CurrentControlSet\Services\UsbStor
Value: Start
Data: 4 (hex) = Disabled
Data: 3 (hex) = Enabled

 

How to block new USB Storage Devices

This time, edit a Group Policy Object that is applied to all the workstations in your organisation and navigate to Computer Configuration > Policies > Windows Settings > Security Settings > File System. Click the “Action” menu and then “Add File”. Navigate to C:\Windows\Inf, select “Usbstor.inf” and press “OK”. Now click “Users” in the security tab, tick the “Deny” box for “Full Control”, then click OK.

Note: Alternatively you could just add the name of the user or group you want to prevent from using USB storage devices.

Click “Yes” to the security warning.

Then click OK.

Note: Remember that deny permissions take precedence, so inherited permissions will not have any effect, and that we are applying the permission directly to a file, so we don’t need to worry about inheritance from this object.

Now repeat the steps above, this time selecting “C:\Windows\Inf\Usbstor.pnf”.

You should see something like the images below in your group policy.

Now, either way, when users plug a USB storage device into a computer, the OS is prevented from seeing the device, which stops users from reading from and writing to removable media.
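To confirm on a workstation that both settings above actually applied, the following check can be run from an elevated PowerShell session. It is an added example, not part of the original post; the variable names and result layout are its own, and it only reads the registry value and the two file ACLs described above.

```powershell
# Added example: local audit of the two settings described on this page.
# Run elevated on a workstation after the GPO has applied.
$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
$results = @()

# Existing devices: the UsbStor service Start value should be 4 (disabled).
$key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor'
$start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
$results += [pscustomobject]@{
    Check  = 'UsbStor Start'
    Actual = if ($null -eq $start) { 'value not found' } else { $start }
    Pass   = ($start -eq 4)
}

# New devices: Usbstor.inf and Usbstor.pnf should each carry an explicit
# (non-inherited) Deny entry covering Full Control.
foreach ($name in 'Usbstor.inf', 'Usbstor.pnf') {
    $path = Join-Path $env:windir "Inf\$name"
    $row  = [pscustomobject]@{ Check = "Deny ACE on $name"; Actual = ''; Pass = $false }
    if (-not (Test-Path -LiteralPath $path)) {
        $row.Actual = 'file not found'
    } else {
        try {
            $acl  = Get-Acl -LiteralPath $path -ErrorAction Stop
            $deny = @($acl.Access | Where-Object {
                $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited -and
                ($_.FileSystemRights -band $fullControl) -eq $fullControl
            })
            $row.Pass   = ($deny.Count -gt 0)
            $row.Actual = if ($deny) { $deny.IdentityReference -join ', ' }
                          else { 'no explicit Deny Full Control entry' }
        } catch {
            # A Deny entry that covers the account running this script can also
            # block reading the ACL; report it for manual review, not as a pass.
            $row.Actual = "could not read ACL: $($_.Exception.Message)"
        }
    }
    $results += $row
}

$results | Format-Table -AutoSize
```

A row with Pass = False and a "could not read ACL" message needs a manual look at the file's Security tab rather than being treated as a missing policy.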