Windows 10 GPO to disable access to all external disk drives and SD cards?

    Question

  • I have already seen the policy to disable access to "removable" devices.  This applies to USB thumb drives and is a partial solution.

    What about when someone plugs in a large USB hard disk that Windows sees as a fixed drive instead of a removable drive?

    What about tablets and laptops that have built-in SD card slots?

    Can access to these other types of external media be disabled via Group Policy?

    We can disable the ports completely, but we still need users to be able to use the USB ports for other things such as mouse and keyboard.

    • Edited by MyGposts Saturday, January 16, 2016 5:53 PM
    Saturday, January 16, 2016 5:49 PM

All replies

  • Hi,
     
    On 16.01.2016 at 18:49 MyGposts wrote:
    > What about when someone plugs in a large USB hard disk that Windows sees
    > as a fixed drive instead of a removable drive?
     
    It will work, that's it. End of story. GPOs cannot handle this.
     
    Try hot glue, polyurethane foam, duct tape or 3rd party software.
     
    Even 3rd party software cannot disable all.
    - External SATA? There is no possibility to recognize the difference to
    an internal device, because there is only SATA.
    - Disable USB at all? What about keyboard and mouse? What about USB
    sticks that are recognized as "keyboard" (possible USB port hack)?
    - What about OneDrive, Dropbox, 1000 different free filehosters?
     
    The answer is: GPO can do some simple things, but you need 3rd party to
    cover most scenarios and even then, you will not reach 100%,
    probably 95%.
     
    95% to 99% is probable if you run an exact whitelist of allowed devices
    identified by firmware/serial numbers etc. and a connection to a database to
    centralize them. Getting a few percent, paid with a huge
    administrative overhead.
     
    Mark
    --
    Mark Heitbrink - MVP Windows Server - Group Policy
     
    GPO Tool: http://www.reg2xml.com - Registry Export File Converter
     
    Saturday, January 16, 2016 6:25 PM
  • OneDrive, Drop Box etc.. are non issues since the PCs will not have browsers enabled.

    They will be Windows 10 systems configured with most settings disabled so they end up working similarly to a thin client.  The users will only have Remote Desktop and VPN and will not be able to save data locally and will not have administrator access.

    They need to be able to use a USB mouse and keyboard, but not read or write to any external media.

    So, can we create a GPO to whitelist any standard USB keyboard and mouse?

    Saturday, January 16, 2016 9:15 PM
  • Hi
     
    On 16.01.2016 at 22:15 MyGposts wrote:
    > So, can we create a GPO to whitelist any standard USB keyboard and mouse?
     
    As said before: No, GPO cannot handle this.
    Policy can only "deny" specific devices, but the problem with the
    blacklist is, you do not know possible devices.
     
    It's like deny sol.exe, but what about the billion other games?
     
    Mark
    --
    Mark Heitbrink - MVP Windows Server - Group Policy
     
    GPO Tool: http://www.reg2xml.com - Registry Export File Converter
     
    Sunday, January 17, 2016 9:48 AM
    On 17.01.2016 at 10:48 Mark Heitbrink [MVP] wrote:
    > It's like deny sol.exe, but what about the billion other games?
     
    Give it a try, how much you can cover by using user-defined classes,
    removable and WPD.
     
    Mark
     
    --
    Mark Heitbrink - MVP Windows Server - Group Policy
     
    GPO Tool: http://www.reg2xml.com - Registry Export File Converter
     
    Sunday, January 17, 2016 10:08 AM
  • I found this old article about blocking USB storage (not just removable media) on XP.

    https://support.microsoft.com/en-us/kb/823732

    Should the same thing work with Windows 10?  If so, we could use GPP or maybe our A/V to block access to those files required to load USB storage while still allowing USB mice and keyboards to work.

    Sunday, January 17, 2016 4:11 PM
    On 17.01.2016 at 17:11 MyGposts wrote:
     
    You can handle file permissions with GP Security Settings\Files.
    Should work on Windows 10 as well.
     
    But look at your own question: What about SD cards?
     
    Mark
    --
    Mark Heitbrink - MVP Windows Server - Group Policy
     
    GPO Tool: http://www.reg2xml.com - Registry Export File Converter
     
    Monday, January 18, 2016 11:34 AM
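    The approach discussed in the two posts above (the XP-era KB823732 method carried over to Windows 10: disable the USBSTOR driver and deny access to its inf/pnf files, which is the same deny ACE a Security Settings file-permission policy would push) can be scripted and, more importantly, verified. The following is an added PowerShell example written for this thread, not code from any of the posters or from Microsoft; it assumes the restricted group is `BUILTIN\Users` and the file locations `%SystemRoot%\Inf\usbstor.inf` and `usbstor.pnf`, and it must be run elevated on a test machine first.

```powershell
# Added example: apply and verify the USBSTOR block discussed in the thread.
# Assumptions: the group to restrict is BUILTIN\Users; the driver inf/pnf
# files live under %SystemRoot%\Inf. Run in an elevated PowerShell session.

$DenyPrincipal = 'BUILTIN\Users'
$UsbstorKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$InfFiles      = @("$env:SystemRoot\Inf\usbstor.inf",
                   "$env:SystemRoot\Inf\usbstor.pnf")

function Disable-UsbStorage {
    # Start = 4 (disabled) stops already-installed USB mass-storage devices
    # from mounting; Start = 3 (demand start) is the default to restore.
    Set-ItemProperty -Path $UsbstorKey -Name Start -Value 4 -Type DWord

    # Deny read on the inf/pnf files so Plug and Play cannot install the
    # driver for a newly attached USB storage device.
    foreach ($file in $InfFiles) {
        if (-not (Test-Path $file)) { continue }
        $acl  = Get-Acl -Path $file
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                    $DenyPrincipal, 'Read', 'Deny')
        $acl.AddAccessRule($rule)
        Set-Acl -Path $file -AclObject $acl
    }
}

function Test-UsbStorageDisabled {
    # $true only if the driver is disabled AND every present inf/pnf file
    # carries the deny-read ACE for the restricted principal.
    $start = (Get-ItemProperty -Path $UsbstorKey -Name Start).Start
    if ($start -ne 4) { return $false }

    $readMask = [System.Security.AccessControl.FileSystemRights]::Read
    foreach ($file in $InfFiles) {
        if (-not (Test-Path $file)) { continue }
        $denied = (Get-Acl -Path $file).Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.IdentityReference.Value -eq $DenyPrincipal -and
            (($_.FileSystemRights -band $readMask) -ne 0)
        }
        if (-not $denied) { return $false }
    }
    return $true
}

Disable-UsbStorage
Test-UsbStorageDisabled   # expected: True after a successful run
```

    The verification function is the part worth keeping in a scheduled check, because a driver update or a re-imaged machine can silently restore the default Start value. As Mark points out, this covers only devices that load through usbstor: an SD card reader uses its own bus driver and an eSATA disk is indistinguishable from an internal one, so neither is affected by this block.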
  • Shouldn't SD cards fall under a policy to block access to removable media?  Can't we block both removable media and also block access to loading drivers for USB storage?

    Monday, January 18, 2016 3:28 PM
  • Hi MyGposts,

    try this one


    Justin

    Monday, January 18, 2016 4:38 PM
    On 18.01.2016 at 16:28 MyGposts wrote:
    > [...] Can't we block both removable media and also block access to
    > loading drivers for USB storage?
     
    You will always find excludes, that are not covered.
     
    Mark
    --
    Mark Heitbrink - MVP Windows Server - Group Policy
     
    GPO Tool: http://www.reg2xml.com - Registry Export File Converter
     
    Monday, January 18, 2016 5:35 PM
  • Some systems have a setting in the BIOS to completely disable the SD card slot, but for the ones that don't, would we be able to just block the SD card slot driver from loading in Windows?
    Monday, January 18, 2016 5:41 PM
    On 18.01.2016 at 18:41 MyGposts wrote:
    > [...] but for the ones that don't, would we be able to just block
    > the SD card slot driver from loading in Windows?
     
    I do not know whether loading SD drivers is handled the same way or with the
    same files as usbstor.
     
    Mark
     
    --
    Mark Heitbrink - MVP Windows Server - Group Policy
     
    GPO Tool: http://www.reg2xml.com - Registry Export File Converter
     
    Tuesday, January 19, 2016 8:11 AM
  • I've been trying to do something similar: create a locked-down laptop with no write access to externals and no network connections. Here are the steps I'm taking now; I think a lot of what you want can be done in the BIOS.

    Add “NoCDBurning” to registry

    Deny removable disks write access in Local Group Policy editor

    BIOS (already password protected) -> unlock with password

    System Configuration -> Drives -> uncheck all drives but SATA-1 or M.2 PCIe SSD-0 (this locks out writing to SATA drives)

    System Configuration -> Integrated NIC -> disable

    System Configuration -> Miscellaneous Devices -> uncheck Camera, uncheck Enable SD card

    Wireless -> uncheck all boxes under Wireless

    Add “NoCDBurning” to registry and Deny removable disks write access in Local Group Policy editor

    1. Hold the Windows key, then press "R" to bring up the Run dialog box.
    2. Type "regedit", then press "Enter". This will open the Registry Editor.
    3. Navigate to the following registry key:
      • HKEY_LOCAL_MACHINE for all users, or HKEY_CURRENT_USER for the currently logged-in user.
      • Software
      • Microsoft
      • Windows
      • CurrentVersion
      • Policies
      • Explorer
    4. Look for a value called "NoCDBurning". If it does not exist, you can create a new DWORD value under the Explorer key by performing the following steps:
      • Click "Edit" > "New" > "DWORD Value".
      • Name it "NoCDBurning" without quotes. Press "Enter" to save.
    5. Double-click on "NoCDBurning" and set the value to "1" to disable CD burning or to "0" to enable it.

    Log off the current user, then log back in. The ability to drag and drop files to the CD or DVD drive will be disabled.

    1. Open Local Group Policy Editor

    2. In the left pane, click on User Configuration, Administrative Templates, System, and Removable Storage Access.

    3. In the right pane, right click on Removable Disks: Deny write access and click on Properties

    4. Select (dot) Enabled and click on OK.

    Wednesday, March 28, 2018 1:35 PM
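    The two Windows-side steps in the post above (the NoCDBurning value and the "Removable Disks: Deny write access" policy) both come down to registry values under the Policies keys, so they can be applied and audited from one script instead of clicked through per machine. The following is an added PowerShell example for this thread, not the poster's own procedure or Microsoft code. It assumes that the Local Group Policy setting under User Configuration writes `Deny_Write` beneath the Removable Disks device class GUID `{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}` in `HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices`, with the machine-wide equivalent under HKLM.

```powershell
# Added example: apply and audit the NoCDBurning and "Removable Disks: Deny
# write access" settings from the post via their registry values.
# Assumption: the policy key layout named in the lead-in; HKLM writes need an
# elevated session, HKCU writes affect only the current user.

$RemovableDisksClass = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

function Get-LockdownKeys {
    param([ValidateSet('User','Machine')][string]$Scope = 'User')
    $root = if ($Scope -eq 'Machine') { 'HKLM:' } else { 'HKCU:' }
    @{
        Explorer  = "$root\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        Removable = "$root\Software\Policies\Microsoft\Windows\RemovableStorageDevices\$RemovableDisksClass"
    }
}

function Set-RemovableMediaLockdown {
    param([ValidateSet('User','Machine')][string]$Scope = 'User')
    $keys = Get-LockdownKeys -Scope $Scope
    foreach ($key in $keys.Values) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    # NoCDBurning = 1 removes Explorer's drag-and-drop burning (step 5 above).
    Set-ItemProperty -Path $keys.Explorer -Name NoCDBurning -Value 1 -Type DWord
    # Deny_Write = 1 is what "Removable Disks: Deny write access" = Enabled sets.
    Set-ItemProperty -Path $keys.Removable -Name Deny_Write -Value 1 -Type DWord
}

function Test-RemovableMediaLockdown {
    # Returns an object with one boolean per control so a compliance check can
    # report which of the two has drifted rather than a single pass/fail.
    param([ValidateSet('User','Machine')][string]$Scope = 'User')
    $keys = Get-LockdownKeys -Scope $Scope
    $cd  = Get-ItemProperty -Path $keys.Explorer  -Name NoCDBurning -ErrorAction SilentlyContinue
    $rsd = Get-ItemProperty -Path $keys.Removable -Name Deny_Write  -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Scope                = $Scope
        CdBurningBlocked     = ($null -ne $cd  -and $cd.NoCDBurning -eq 1)
        RemovableWriteDenied = ($null -ne $rsd -and $rsd.Deny_Write -eq 1)
    }
}

Set-RemovableMediaLockdown -Scope User
Test-RemovableMediaLockdown -Scope User
```

    Explorer reads NoCDBurning at logon, so the sign-out the post mentions still applies; the Deny_Write value takes effect on the next device mount. Note that a write-only deny leaves read access in place, and, as the earlier replies in this thread stress, a USB disk that Windows classifies as fixed rather than removable is not under the Removable Disks class at all, so this setting does not touch it.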