GPO to block writing to USB not fully effective

    Question

  • We have a GPO to block writing to USB media and it appears to work when using Windows Explorer.  There is an error when trying to copy files to USB through the GUI.

    However, I noticed that it seems to be ignored by command line.

    What can be done to enforce this more effectively?

    Thursday, February 12, 2015 4:49 PM

All replies

  • I am not familiar with anyone managing to restrict access to USB drives without using 3rd party software. If you are using Symantec Endpoint Protection, that can be configured to block access to USB drives.
    Thursday, February 12, 2015 4:56 PM
  • There is a standard GPO for blocking writing to external media that we are using.  No third party software is required for this, but it seems to miss writing using command line.

    Computer Configuration > Administrative Templates > System > Removable Storage Access > Removable Disks: Deny write access.


    • Edited by MyGposts Thursday, February 12, 2015 6:11 PM
    Thursday, February 12, 2015 6:10 PM
  • Hi MyGposts,

    Please check if the value of USBSTOR was set to 4 (=disabled) in the following registry path.

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR

    Please also refer to the following article and restrict access to USBSTOR.INF and USBSTOR.PNF via group policy, then check if this issue still exists.

    How to disable USB sticks and limit access to USB storage devices on Windows systems

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    If there is any update, please feel free to let us know.

    Best regards,

    Justin Gu



    Sunday, February 15, 2015 2:15 AM
    Moderator
  • The policy is applied and in effect because it blocks writing via Windows Explorer.  

    However, there may be a hole in the policy, because it allowed access to write via command line.

    Monday, February 23, 2015 3:59 PM
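
Added example, not part of any reply in this thread: a PowerShell audit for the affected client that reads the two settings discussed above and then attempts a write that does not go through Windows Explorer on each mounted removable volume. Assumptions not stated in the thread: the computer-side "Removable Disks: Deny write access" policy is stored as `Deny_Write` under the `RemovableStorageDevices` policy key shown, and the USBSTOR setting referred to as 4 (=disabled) is the service's `Start` value.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session.
$ErrorActionPreference = 'Stop'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value does not exist.
    try { (Get-ItemProperty -Path $Path -Name $Name).$Name } catch { $null }
}

# Assumed storage location of "Removable Disks: Deny write access" (Computer Configuration).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
$denyWrite = Get-RegValue -Path $policyKey -Name 'Deny_Write'

# Start type of the USB mass-storage driver: 3 = load on demand, 4 = disabled.
$usbstorStart = Get-RegValue -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name 'Start'

[pscustomobject]@{
    PolicyDenyWrite = $denyWrite      # 1 means the policy value is present and enabled
    UsbstorStart    = $usbstorStart
} | Format-List

# Probe every removable volume that has media mounted with a direct file API write.
$results = foreach ($disk in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2' | Where-Object Size) {
    $probe   = Join-Path ($disk.DeviceID + '\') ('gpo-write-probe-{0}.tmp' -f [guid]::NewGuid())
    $blocked = $true
    $detail  = ''
    try {
        [System.IO.File]::WriteAllText($probe, 'probe')
        $blocked = $false                      # the write succeeded outside Explorer
        Remove-Item -LiteralPath $probe -Force # clean up the probe file
    } catch {
        $detail = $_.Exception.Message         # e.g. access denied when the policy is enforced
    }
    [pscustomobject]@{ Drive = $disk.DeviceID; WriteBlocked = $blocked; Error = $detail }
}

if ($results) { $results | Format-Table -AutoSize -Wrap }
else          { 'No removable volume with media is mounted.' }
```

A row with `WriteBlocked = False` while `PolicyDenyWrite` is 1 reproduces the behaviour reported in the question and is worth attaching, together with `gpresult /h` output, when escalating.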