When a new USB device is connected to a computer, Windows automatically detects it and installs the appropriate driver, allowing immediate use of the storage device. However, if your organization’s security policy requires prohibiting the use of portable USB storage devices (flash drives, USB HDDs, SD cards, etc.), you can block this behavior. This article explains how to block external USB storage devices in Windows, prevent data writing to connected flash drives, and restrict the execution of executable files using Group Policy Objects (GPO).
Configuring Group Policy to Block USB Storage Devices in Windows
Windows allows flexible management of access to external storage devices (USB, CD/DVD, etc.) using Active Directory Group Policies. This approach does not require disabling USB ports via BIOS. Policies can block only USB storage devices while allowing other devices like mice, keyboards, printers, and USB adapters to remain functional.
In this example, we will demonstrate how to block USB storage devices on all computers in a domain Organizational Unit (OU) named Workstations. You can also apply the policy to the entire domain, but this will affect servers and other devices.
1. Open the Group Policy Management Console (gpedit.msc).
2. Locate the Workstations OU in the structure, right-click, and create a new policy (Create a GPO in this domain and Link it here).
3. Name the policy Disable USB Access.
4. Enter the GPO editing mode (Edit).
Settings for Blocking External Storage Devices in GPO
Settings for blocking external storage devices are available in both user and computer configuration sections:
– User Configuration > Policies > Administrative Templates > System > Removable Storage Access
– Computer Configuration > Policies > Administrative Templates > System > Removable Storage Access
To block USB storage devices for all users on a computer, configure settings in the Computer Configuration section.
Policies for Blocking Device Classes
In the Removable Storage Access section, you will find several policies to disable access to different device classes:
– CD and DVD: Deny execute access – Prohibit execution
– CD and DVD: Deny read access – Prohibit reading
– CD and DVD: Deny write access – Prohibit writing
– Removable Disks: Deny execute access – Prohibit execution
– Removable Disks: Deny read access – Prohibit reading
– Removable Disks: Deny write access – Prohibit writing
– All Removable Storage Classes: Deny All Access – Completely block access to all external storage devices.
To fully block access to all external storage devices, set the All Removable Storage Classes: Deny All Access policy to Enabled.
These policies allow you to prohibit the execution of executable files (for virus protection), prevent data reading, and block writing/editing on external media.
The most restrictive policy, All Removable Storage Classes: Deny All Access, completely blocks access to all types of external storage devices. To enable it, open the policy and set it to Enabled.
After configuring the policy and updating GPO settings on clients (gpupdate /force), external storage devices (not only USB but any external storage) will be detected by the OS, but attempting to access them will result in an access error:
Location is not available
Drive is not accessible. Access is denied
Tip: You can apply the same restriction via the registry by creating a DWORD value named Deny_All with data 1 (00000001) under HKEY_CURRENT_USER (or HKEY_LOCAL_MACHINE)\Software\Policies\Microsoft\Windows\RemovableStorageDevices.
In the same policy section, you can configure more flexible restrictions for USB storage devices. For example, to prohibit writing data to USB flash drives and other USB storage types, enable the Removable Disk: Deny write access policy.
After this, users can read data from USB flash drives but will receive an access error when attempting to write data:
Destination Folder Access Denied
You need permission to perform this action
Using the Removable Disks: Deny execute access policy, you can prohibit running executable files and scripts from USB drives.
Blocking USB Storage Devices for Specific Users
Often, you may need to block USB storage devices for all users except administrators. This can be achieved using GPO Security Filtering.
1. Locate the Disable USB Access policy in the Group Policy Management Console.
2. In the Security Filtering section, add the Domain Admins group.
3. Go to the Delegation tab, click Advanced, and specify that the Domain Admins group is denied the application of this GPO (Apply group policy – Deny).
Alternatively, if you need to allow USB storage devices for all users except a specific group, create a security group named “Deny USB” and add it to the policy’s security settings. Grant this group permissions to read and apply the GPO, while leaving only read permissions for the Authenticated Users or Domain Computers groups (uncheck Apply group policy).
Add users who need USB access blocked to the “Deny USB” AD group.
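As an added example (not part of the original article), the following PowerShell performs the same steps with the GroupPolicy module: it creates and links the Disable USB Access GPO, sets the Deny_All policy value, and applies the “Deny USB” security-filtering variant. The OU distinguished name and domain are assumptions; adjust them to your environment.

```powershell
# Added example (not from the original article). Requires the GroupPolicy module (RSAT / GPMC)
# and an account allowed to create and link GPOs.
Import-Module GroupPolicy

$gpoName   = 'Disable USB Access'
$ouDn      = 'OU=Workstations,DC=example,DC=com'   # assumption: DN of your Workstations OU
$denyGroup = 'Deny USB'                            # AD group whose members lose USB storage access

# 1. Create the GPO if it does not exist yet and link it to the Workstations OU.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Blocks all removable storage classes'
    New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes | Out-Null
}

# 2. "All Removable Storage classes: Deny all access" is Deny_All = 1 under the
#    RemovableStorageDevices policy key. HKCU puts it in User Configuration, which is what a
#    user-group filter needs; for the computer-wide version use HKLM and keep Apply for the
#    computer accounts (Domain Computers / Authenticated Users) instead of a user group.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices' `
    -ValueName 'Deny_All' -Type DWord -Value 1 | Out-Null

# 3. Security filtering: only "Deny USB" members apply the GPO; Authenticated Users keep
#    read-only access so the policy is still readable but not applied to them.
Set-GPPermission -Name $gpoName -TargetName $denyGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# 4. Verify the resulting permissions and the configured policy value.
Get-GPPermission -Name $gpoName -All | Format-Table Trustee, Permission -AutoSize
Get-GPRegistryValue -Name $gpoName `
    -Key 'HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices' -ValueName 'Deny_All'
```

Members of “Deny USB” pick up the restriction at their next policy refresh (gpupdate /force or logon).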
Blocking USB Storage Devices via Registry and GPO
You can manage USB device access through the registry. In the branch HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices, create a subkey with the device class name you want to restrict and add the following parameters:
– Deny_Read – Prohibit reading
– Deny_Write – Prohibit writing
– Deny_Execute – Prohibit execution
Set the value to 1 to block or 0 to allow access.
GPO parameter name | Device class GUID | Registry parameter name
---|---|---
Floppy Drives: Deny read access | {53f56311-b6bf-11d0-94f2-00a0c91efb8b} | Deny_Read
Floppy Drives: Deny write access | {53f56311-b6bf-11d0-94f2-00a0c91efb8b} | Deny_Write
CD and DVD: Deny read access | {53f56308-b6bf-11d0-94f2-00a0c91efb8b} | Deny_Read
CD and DVD: Deny write access | {53f56308-b6bf-11d0-94f2-00a0c91efb8b} | Deny_Write
Removable Disks: Deny read access | {53f5630d-b6bf-11d0-94f2-00a0c91efb8b} | Deny_Read
Removable Disks: Deny write access | {53f5630d-b6bf-11d0-94f2-00a0c91efb8b} | Deny_Write
Tape Drives: Deny read access | {53f5630b-b6bf-11d0-94f2-00a0c91efb8b} | Deny_Read
Tape Drives: Deny write access | {53f5630b-b6bf-11d0-94f2-00a0c91efb8b} | Deny_Write
WPD Devices: Deny read access | {6AC27878-A6FA-4155-BA85-F98F491D4F33}, {F33FDC04-D1AC-4E8E-9A30-19BBD4B108AE} | Deny_Read
WPD Devices: Deny write access | {6AC27878-A6FA-4155-BA85-F98F491D4F33}, {F33FDC04-D1AC-4E8E-9A30-19BBD4B108AE} | Deny_Write
In this example, we created the RemovableStorageDevices key with a subkey named {53f5630d-b6bf-11d0-94f2-00a0c91efb8b} (the Removable Disks class) and used the REG_DWORD parameters Deny_Write and Deny_Execute to block writing and the execution of executable files from USB storage devices.
Blocking USB storage devices takes effect immediately after the change (no reboot required). A USB flash drive that is already connected, however, remains accessible until it is unplugged and reconnected.
To quickly block reading and writing to USB storage devices in Windows, use this PowerShell script:
# Policy key for the Removable Disks device class (see the GUID table above)
$regkey='HKLM:\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
$exists = Test-Path $regkey
if (!$exists) {
# Create the class subkey (and the parent RemovableStorageDevices key) if it does not exist yet
New-Item -Path 'HKLM:\Software\Policies\Microsoft\Windows\RemovableStorageDevices' -Name '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}' -Force | Out-Null
}
# 1 = deny, 0 = allow; deny both reading and writing for removable disks
New-ItemProperty -Path $regkey -Name 'Deny_Read' -Value 1 -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path $regkey -Name 'Deny_Write' -Value 1 -PropertyType 'DWord' -Force | Out-Null
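The script above handles one class and two values. As an added example (not from the original article), the following generalizes it to every device class in the table, lets you set or clear Deny_Read, Deny_Write and Deny_Execute, and adds an audit function that reports what is currently configured, which is useful when checking a machine after the policy was pushed. The function names are our own.

```powershell
# Added example (not from the original article): set or clear Deny_Read/Deny_Write/Deny_Execute
# for any device class in the table, then audit the local policy values. Run as Administrator.
$policyRoot = 'HKLM:\Software\Policies\Microsoft\Windows\RemovableStorageDevices'
$classGuid = @{
    'Floppy Drives'   = @('{53f56311-b6bf-11d0-94f2-00a0c91efb8b}')
    'CD and DVD'      = @('{53f56308-b6bf-11d0-94f2-00a0c91efb8b}')
    'Removable Disks' = @('{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}')
    'Tape Drives'     = @('{53f5630b-b6bf-11d0-94f2-00a0c91efb8b}')
    'WPD Devices'     = @('{6AC27878-A6FA-4155-BA85-F98F491D4F33}',
                          '{F33FDC04-D1AC-4E8E-9A30-19BBD4B108AE}')
}

function Set-RemovableStorageDeny {
    param(
        [Parameter(Mandatory)][string]$DeviceClass,            # a key of $classGuid
        [ValidateSet('Deny_Read','Deny_Write','Deny_Execute')]
        [string[]]$Deny = @('Deny_Write','Deny_Execute'),
        [switch]$Allow                                          # write 0 (allow) instead of 1 (deny)
    )
    foreach ($guid in $classGuid[$DeviceClass]) {
        $key = Join-Path $policyRoot $guid
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $Deny) {
            New-ItemProperty -Path $key -Name $name -Value ([int](-not $Allow)) -PropertyType DWord -Force | Out-Null
        }
    }
}

function Get-RemovableStorageDeny {
    # Lists every Deny_* value currently set per class, plus the global Deny_All if present.
    foreach ($class in $classGuid.Keys) {
        foreach ($guid in $classGuid[$class]) {
            $key = Join-Path $policyRoot $guid
            if (-not (Test-Path $key)) { continue }
            $props = Get-ItemProperty -Path $key
            foreach ($name in 'Deny_Read','Deny_Write','Deny_Execute') {
                if ($null -ne $props.$name) {
                    [pscustomobject]@{ Class = $class; Setting = $name; Value = $props.$name }
                }
            }
        }
    }
    $all = (Get-ItemProperty -Path $policyRoot -ErrorAction SilentlyContinue).Deny_All
    if ($null -ne $all) { [pscustomobject]@{ Class = 'All classes'; Setting = 'Deny_All'; Value = $all } }
}

# Usage: deny write and execute for USB disks (the same class as the script above), then audit.
Set-RemovableStorageDeny -DeviceClass 'Removable Disks' -Deny Deny_Write, Deny_Execute
Get-RemovableStorageDeny | Format-Table -AutoSize
```

On a domain-joined machine the values under this key are overwritten at the next policy refresh, so the audit output shows what GPO actually delivered.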
Completely Disabling the USB Storage Driver in Windows
To completely disable the USBSTOR driver, modify the Start parameter in the registry branch:
HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR
Set the value to 4 to disable the driver:
Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR" -name Start -Value 4
Reboot the computer. Connected USB devices will no longer appear in File Explorer or Disk Management.
Using Group Policy Preferences, you can disable the USBSTOR driver on domain computers. Create a new Group Policy, assign it to the OU with computers, and in the section Computer Configuration > Preferences > Windows Settings > Registry, create a new parameter with the following values:
Action: Update
Hive: HKEY_LOCAL_MACHINE
Key path: SYSTEM\CurrentControlSet\Services\USBSTOR
Value name: Start
Value type: REG_DWORD
Value data: 00000004
Tracking USB Storage Device Connection History in Windows
When checking how the blocking policies behave, you may need information about the USB storage devices that have been connected to the computer.
1. To list currently connected USB storage devices, run the PowerShell command:
Get-PnpDevice -PresentOnly | Where-Object { $_.deviceId -match '^USBSTOR' }
2. To enable logging of USB device connection/disconnection events, navigate to Event Viewer > Application and Services Logs > Windows > Microsoft-Windows-DriverFrameworks-UserMode > Operational. Enable the log manually (Enable Log) or via GPO.
Events with EventID 2003 indicate connection times, and EventID 2102 indicate disconnection times of USB storage devices.
You can also use the free USBDriveLog utility from Nirsoft, which provides a convenient view of the USB flash drive and disk connection history, including device information, serial number, manufacturer, connection/disconnection times, and device ID.
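As an added example (not from the original article), the following PowerShell enables the Operational log described above and reports the connect (EventID 2003) and disconnect (EventID 2102) events for USB storage devices. The regex used to pull the device instance path out of the event message is an assumption about the message format; the function name is our own.

```powershell
# Added example (not from the original article): enable the DriverFrameworks-UserMode Operational
# log and list USB storage connect (2003) / disconnect (2102) events from the last N days.
$logName = 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'

# Same as "Enable Log" in Event Viewer; needs an elevated shell. Harmless if already enabled.
wevtutil sl $logName /e:true

function Get-UsbStorageHistory {
    param([int]$Days = 7)
    $filter = @{ LogName = $logName; Id = 2003, 2102; StartTime = (Get-Date).AddDays(-$Days) }
    # -ErrorAction SilentlyContinue: Get-WinEvent throws when no events match
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Assumption: the message text contains the device instance path, e.g.
            # USBSTOR\DISK&VEN_...&PROD_...\<serial>. Other UMDF devices are skipped below.
            $device = if ($_.Message -match '(?i)(USBSTOR\\[^\s]+|SWD\\WPDBUSENUM\\[^\s]+)') { $Matches[1] } else { '' }
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Action = if ($_.Id -eq 2003) { 'Connected' } else { 'Disconnected' }
                Device = $device
            }
        } | Where-Object { $_.Device -ne '' } | Sort-Object Time
}

# Usage: show the last week of USB storage activity, oldest first.
Get-UsbStorageHistory -Days 7 | Format-Table -AutoSize
```

If the table comes back empty on a machine that did see USB activity, inspect a raw 2003 event's Message and adjust the regex to the path format you observe.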
Allowing Only Specific USB Flash Drives
You can allow only specific (approved) USB flash drives to connect. When a USB device is connected, the USBSTOR driver creates an entry in the registry at:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR
This contains information about the storage device (e.g., Disk&Ven_Kingstom&Prod_DT_1010_G2&Rev_1.00).
To allow specific USB storage devices:
1. List previously connected USB devices with:
Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR\*\* | select FriendlyName
2. Keep the entry for the desired device, delete the others, and modify write permissions in the registry branch to prevent other devices from being installed.
You can also use a PowerShell script to disable USB storage devices if their serial number does not match the approved one:
# Removable volumes (DriveType 2); every volume whose serial does not match the approved one is dismounted
$approvedSerial = "32SM32846AD"
$usbdevs = Get-WmiObject Win32_Volume | Where-Object { $_.DriveType -eq 2 }
foreach ($usbdev in $usbdevs) {
If ($usbdev.SerialNumber -notlike $approvedSerial) {
# Remove the drive letter so the volume disappears from File Explorer, then dismount it
$usbdev.DriveLetter = $null
$usbdev.Put() | Out-Null
$usbdev.Dismount($false, $false) | Out-Null
}
}
This provides a simple way to verify USB flash drives connected to the computer.