GPO settings to allow encrypted USB Storage devices only. Non encrypted Storage devices should be Blocked.

  • Question

  •   Hi All,

    We have a requirement from a customer to block USB storage devices so that only encrypted USB storage devices can be accessed by users.

    Do we have a solution for this using GPO or anything else?

    Ravindra Bhosale.

    Thursday, March 10, 2016 2:03 PM


  • Hi Ravindra,

    GPO would work for your scenario if you have a “whitelist” that lists the IDs of the encrypted USB storage devices. Each USB device has a unique ID which the OS uses to determine which type of device it is. After obtaining the USB devices’ ID list, you could set policies in Windows to restrict which device IDs are allowed to connect.

    The following article describes the detailed steps for getting the USB devices’ IDs and which group policy to configure for different requirements. Please take a look:

    Step-By-Step Guide to Controlling Device Installation Using Group Policy


    If you do not have the whitelist, I would suggest you turn on BitLocker for users. You will then find the related group policy settings, which enable you to deny write access to drives not encrypted with BitLocker and to deny write access to encrypted drives that don't belong to your organization. Please see the detailed group policy settings at: https://technet.microsoft.com/en-us/library/jj679890.aspx




    • Proposed as answer by Wendy Jiang Thursday, March 24, 2016 2:38 AM
    • Marked as answer by Yan Li_ Friday, March 25, 2016 7:07 AM
    Friday, March 11, 2016 5:11 AM
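
A read-only check of both approaches from the answer above, run on a client after the GPO has applied. This is an added example, not part of the original thread. The registry locations are the ones these policies are commonly documented to write to; confirm them against the ADMX templates in your environment before relying on the result.

```powershell
# Added example: audits the device-installation whitelist and the BitLocker
# removable-drive write restrictions. Changes nothing. Run elevated.

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

# Assumed registry locations backing the policies (verify in your ADMX set).
$restrict = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$fveWrite = 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE'
$fveOrg   = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Approach 1: collect the allowed hardware IDs, if a whitelist is configured.
$allowed = @()
$listKey = Join-Path $restrict 'AllowDeviceIDs'
if (Test-Path $listKey) {
    $key = Get-Item $listKey
    $allowed = @($key.GetValueNames() | ForEach-Object { $key.GetValue($_) })
}

# The whitelist only blocks other devices when "prevent installation of
# devices not described by other policy settings" is enabled as well.
[pscustomobject]@{
    WhitelistEnabled     = ((Get-PolicyValue $restrict 'AllowDeviceIDs') -eq 1)
    OtherDevicesBlocked  = ((Get-PolicyValue $restrict 'DenyUnspecified') -eq 1)
    AllowedHardwareIds   = ($allowed -join '; ')
    DenyWriteUnencrypted = ((Get-PolicyValue $fveWrite 'RDVDenyWriteAccess') -eq 1)
    DenyWriteOtherOrg    = ((Get-PolicyValue $fveOrg 'RDVDenyCrossOrg') -eq 1)
} | Format-List

# Approach 2 in practice: BitLocker state of each attached removable volume.
Get-Volume |
    Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } |
    ForEach-Object {
        $mount = "$($_.DriveLetter):"
        $blv = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Drive        = $mount
            Label        = $_.FileSystemLabel
            VolumeStatus = $blv.VolumeStatus       # e.g. FullyEncrypted
            Protection   = $blv.ProtectionStatus   # On / Off
        }
    } | Format-Table -AutoSize
```

A `WhitelistEnabled` of True with `OtherDevicesBlocked` False means the allow list is present but devices not on it can still be installed.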