Disable Removable Storage classes doesn't work via GPO on Windows 7

Question

  • Hello everybody, 

    Could you please help me with a very strange situation:

    Test environment: DC - Windows Server 2012R2, Workstation - Windows 7 Professional N SP1

    Case: disable USB via Group Policy. 

    Normally, I go to Computer or User Configuration -> Administrative Templates -> System -> Removable Storage Access and set the All Removable Storage classes option to Enabled. 

    After gpupdate and rebooting the Windows 7 client nothing happens; the USB drive is still available for use. There are no errors or warnings in Event Viewer; there are records saying that Group Policy was successfully applied. 

    Then I tried to edit the Default Domain Controllers Policy for the DC and it worked! I was frustrated by that. After deep research I found the registry key that is responsible for this policy: 

    HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices 

    and the Deny_All key. On both Windows Server 2012R2 and Windows 7 it is set to 1. But it works on 2012 and doesn't work on Windows 7. 

    Could you please give me a hint why this is happening? Thank you in advance.

    Thursday, December 10, 2015 12:45 PM

Answers

  • Problem resolved. The issue was that the Portable Device Enumerator service was set to start up as Manual on the target computer but needs to be set to Automatic, according to this KB article: https://support.microsoft.com/en-us/kb/947294 
    Friday, December 11, 2015 6:07 PM
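    As an added example (not part of this thread), a PowerShell audit you can run on the client to confirm the two facts the thread turns on: whether the Removable Storage policy values are actually present in the registry, and whether the Portable Device Enumerator service is set to Automatic as the accepted answer requires. The service short name WPDBusEnum and the remediation lines at the end are assumptions, not taken from the thread.

```powershell
# Added example: audit the Removable Storage Access policy state on a client.
# Policy key and value names come from the thread; the service short name
# WPDBusEnum (display name "Portable Device Enumerator Service") is assumed.
$PolicyKey = 'HKLM:\Software\Policies\Microsoft\Windows\RemovableStorageDevices'
# Removable-disk class GUID quoted in the thread; Deny_Read/Deny_Write live under it.
$RemovableDiskClass = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

function Get-RemovableStoragePolicyState {
    # Returns the Deny_* values the thread mentions, or $null where unset.
    $state = @{ Deny_All = $null; Deny_Read = $null; Deny_Write = $null }
    if (Test-Path $PolicyKey) {
        $state.Deny_All = (Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue).Deny_All
    }
    $classKey = Join-Path $PolicyKey $RemovableDiskClass
    if (Test-Path $classKey) {
        $props = Get-ItemProperty -Path $classKey -ErrorAction SilentlyContinue
        $state.Deny_Read  = $props.Deny_Read
        $state.Deny_Write = $props.Deny_Write
    }
    return $state
}

function Get-PortableDeviceEnumeratorState {
    # Win32_Service exposes StartMode as Auto / Manual / Disabled and works on
    # the PowerShell 2.0 that ships with Windows 7.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='WPDBusEnum'"
    if (-not $svc) { return $null }
    return $svc | Select-Object Name, StartMode, State
}

$policy  = Get-RemovableStoragePolicyState
$service = Get-PortableDeviceEnumeratorState

"Policy values under $PolicyKey (1 = deny):"
$policy.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize
"Portable Device Enumerator service:"
$service | Format-Table -AutoSize

# The symptom from the thread: policy says deny, yet the drive still mounts.
if ($policy.Deny_All -eq 1 -and $service -and $service.StartMode -ne 'Auto') {
    Write-Warning "Deny_All is set but $($service.Name) starts '$($service.StartMode)'; per KB 947294 it must be Automatic."
    # Remediation (assumed commands; requires an elevated prompt), then refresh policy.
    Set-Service -Name WPDBusEnum -StartupType Automatic
    Start-Service -Name WPDBusEnum
    gpupdate /target:computer /force
}
```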

All replies

  •  On both Windows Server 2012R2 and Windows 7 it set to 1. But it works on 2012 and doesn't work on Windows 7. 

    Hi,

    For better troubleshooting, could you run gpresult.exe and post the result to us?



    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, December 11, 2015 8:09 AM
    Moderator
  • Hello, 

    thank you for your reply. For sure I can. Here it is.

    DC:

    PS C:\Users\Administrator> gpresult /r
    
    Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
    © 2013 Microsoft Corporation. All rights reserved.
    
    Created on 12/11/2015 at 3:23:39 PM
    
    
    RSOP data for SENATOR\Administrator on DC01 : Logging Mode
    -----------------------------------------------------------
    
    OS Configuration:            Primary Domain Controller
    OS Version:                  6.3.9600
    Site Name:                   Default-First-Site-Name
    Roaming Profile:             N/A
    Local Profile:               C:\Users\Administrator
    Connected over a slow link?: No
    
    
    COMPUTER SETTINGS
    ------------------
        CN=DC01,OU=Domain Controllers,DC=senator,DC=local
        Last time Group Policy was applied: 12/11/2015 at 3:23:02 PM
        Group Policy was applied from:      DC01.senator.local
        Group Policy slow link threshold:   500 kbps
        Domain Name:                        SENATOR
        Domain Type:                        Windows 2008 or later
    
        Applied Group Policy Objects
        -----------------------------
            Default Domain Controllers Policy
            Default Domain Policy
    
        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            Local Group Policy
                Filtering:  Not Applied (Empty)
    
        The computer is a part of the following security groups
        -------------------------------------------------------
            BUILTIN\Administrators
            Everyone
            BUILTIN\Users
            BUILTIN\Pre-Windows 2000 Compatible Access
            Windows Authorization Access Group
            NT AUTHORITY\NETWORK
            NT AUTHORITY\Authenticated Users
            This Organization
            DC01$
            Domain Controllers
            NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
            Authentication authority asserted identity
            Denied RODC Password Replication Group
            System Mandatory Level
    
    
    USER SETTINGS
    --------------
        CN=Administrator,CN=Users,DC=senator,DC=local
        Last time Group Policy was applied: 12/11/2015 at 3:23:20 PM
        Group Policy was applied from:      DC01.senator.local
        Group Policy slow link threshold:   500 kbps
        Domain Name:                        SENATOR
        Domain Type:                        Windows 2008 or later
    
        Applied Group Policy Objects
        -----------------------------
            N/A
    
        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            Local Group Policy
                Filtering:  Not Applied (Empty)
    
        The user is a part of the following security groups
        ---------------------------------------------------
            Domain Users
            Everyone
            BUILTIN\Administrators
            BUILTIN\Users
            BUILTIN\Pre-Windows 2000 Compatible Access
            NT AUTHORITY\INTERACTIVE
            CONSOLE LOGON
            NT AUTHORITY\Authenticated Users
            This Organization
            LOCAL
            Domain Admins
            Group Policy Creator Owners
            Enterprise Admins
            Schema Admins
            Authentication authority asserted identity
            Denied RODC Password Replication Group
            High Mandatory Level
    PS C:\Users\Administrator>
    

    Windows 7 Workstation:

    C:\Users\administrator>gpresult /r
    
    Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
    Copyright (C) Microsoft Corp. 1981-2001
    
    Created On 12/11/2015 at 3:26:24 PM
    
    
    RSOP data for SENATOR\Administrator on CLIENT01 : Logging Mode
    ---------------------------------------------------------------
    
    OS Configuration:            Member Workstation
    OS Version:                  6.1.7601
    Site Name:                   Default-First-Site-Name
    Roaming Profile:             N/A
    Local Profile:               C:\Users\administrator
    Connected over a slow link?: No
    
    
    COMPUTER SETTINGS
    ------------------
        CN=CLIENT01,OU=Computers,OU=Senator,DC=senator,DC=local
        Last time Group Policy was applied: 12/11/2015 at 3:23:40 PM
        Group Policy was applied from:      DC01.senator.local
        Group Policy slow link threshold:   500 kbps
        Domain Name:                        SENATOR
        Domain Type:                        Windows 2000
    
        Applied Group Policy Objects
        -----------------------------
            Block USB [COMPUTER]
            Default Domain Policy
    
        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            Local Group Policy
                Filtering:  Not Applied (Empty)
    
        The computer is a part of the following security groups
        -------------------------------------------------------
            BUILTIN\Administrators
            Everyone
            BUILTIN\Users
            NT AUTHORITY\NETWORK
            NT AUTHORITY\Authenticated Users
            This Organization
            CLIENT01$
            Domain Computers
            System Mandatory Level
    
    
    USER SETTINGS
    --------------
        CN=Administrator,CN=Users,DC=senator,DC=local
        Last time Group Policy was applied: 12/11/2015 at 3:23:40 PM
        Group Policy was applied from:      DC01.senator.local
        Group Policy slow link threshold:   500 kbps
        Domain Name:                        SENATOR
        Domain Type:                        Windows 2000
    
        Applied Group Policy Objects
        -----------------------------
            N/A
    
        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            Local Group Policy
                Filtering:  Not Applied (Empty)
    
            Default Domain Policy
                Filtering:  Not Applied (Empty)
    
        The user is a part of the following security groups
        ---------------------------------------------------
            Domain Users
            Everyone
            BUILTIN\Users
            BUILTIN\Administrators
            NT AUTHORITY\INTERACTIVE
            CONSOLE LOGON
            NT AUTHORITY\Authenticated Users
            This Organization
            LOCAL
            Domain Admins
            Group Policy Creator Owners
            Enterprise Admins
            Schema Admins
            Denied RODC Password Replication Group
            High Mandatory Level
    
    C:\Users\administrator>

    Friday, December 11, 2015 9:27 AM
  • You don't use the right key, for USB Removable Storage it is:

    "HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"

    Deny_All is also not a policy setting, you need to use Deny_Read, Deny_Write or Deny_Execute as DWORD.

    For finding the right keys and policies, you can make use of this website.


    | Branko Vucinec | MCSE, MCSA, MCPS
    Blog: blog.brankovucinec.com

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.


    • Edited by Branko Vučinec Friday, December 11, 2015 1:27 PM wrong copy pasta
    Friday, December 11, 2015 1:26 PM
  • Hi Branko, 

    thanks for your reply. I don't use registry settings in the policy, I use the removable storage policy from the admin templates. And there I use Deny All removable devices, which works fine on Server 2012R2. 

    Also, if I set my key to 0 on the Server, USB devices are allowed again. So the only question is why this setting doesn't work on Windows 7.

    Friday, December 11, 2015 3:05 PM