USB Blocking Mass Storage Devices using GPO


  • I am attempting to use GPO in order to block USB mass storage devices for certain OUs inside a domain. I currently have this configured on a hybrid testbed system (VM & physical). I currently have 2 GPOs configured, for allow and deny. In each, I have the USBstor Start Reg Key set to 3 and 4. I also have lines in there to configure the USBstor inf and pnf files, explicitly allowing and denying OUs (note that these have the same permissions for each GPO). I then have these GPOs linked to the various OUs on my domain to allow or deny access to GPO. In my testbed (Server 2008R2, Server 2012, and Win 7) this seems to function correctly. However, when I implement these GPOs on my running domain, this is not the case. I am able to block USB that has previously been installed. However, I cannot stop the running of newly installed USB devices. uPNP seems to overwrite my GPO and force install. On my testbed, if I try to install a new USB device, I will install the driver, but will also force the USB to remain inactive. When navigating to Device Manager, I can see the USB mass device with a yellow notice symbol on it (as it should be). Any idea what could be configured differently on my running domain that is allowing the uPNP feature to run new USB drives? In the end, I would just like some OUs to have full USB access, while other OUs are fully restricted from using any form of USB mass storage. Note: I have gone through all measures to disable the uPNP services both locally and in reg.
    Monday, August 24, 2015 6:23 PM
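One way to compare a testbed machine with a machine on the running domain is to dump the settings the post describes on each and diff the output. This is an added example, not part of the original post; it assumes the standard `HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR` key and `%SystemRoot%\inf` location, and the function names are hypothetical.

```powershell
# Added example (not from the original post). Run elevated on each machine.
# Written to work on PowerShell 2.0 (Windows 7 / Server 2008 R2).
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-UsbStorStart {
    # Returns the Start DWORD, or $null if the service key or value is absent
    # (the key may not exist until a mass storage device has been installed).
    if (-not (Test-Path $svcKey)) { return $null }
    (Get-ItemProperty -Path $svcKey -Name Start -ErrorAction SilentlyContinue).Start
}

function Get-UsbStorFileAcl {
    # Lists every ACE on the two driver files the GPOs set permissions on.
    foreach ($name in 'usbstor.inf', 'usbstor.pnf') {
        $path = Join-Path $env:SystemRoot "inf\$name"
        if (-not (Test-Path $path)) {
            New-Object PSObject -Property @{ File = $name; Identity = '(file missing)'; Type = ''; Rights = '' }
            continue
        }
        foreach ($ace in (Get-Acl -Path $path).Access) {
            New-Object PSObject -Property @{
                File     = $name
                Identity = $ace.IdentityReference.Value
                Type     = $ace.AccessControlType    # Allow or Deny
                Rights   = $ace.FileSystemRights
            }
        }
    }
}

$start = Get-UsbStorStart
if ($start -eq $null) {
    Write-Output 'USBSTOR Start: key or value not present'
} else {
    Write-Output ("USBSTOR Start: {0} ({1})" -f $start, $startNames[[int]$start])
}

Get-UsbStorFileAcl | Sort-Object File, Type, Identity |
    Format-Table File, Type, Identity, Rights -AutoSize

# Which GPOs were actually applied to this computer, and which were filtered out.
gpresult /scope computer /r
```

Run it once before and once after plugging in a device that has never been installed on that machine; a Start value or ACL that differs between the two runs shows which setting did not hold.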


All replies