Block USB drive via Group Policy but keyboard, mouse, printers and USB Datacard work

  • Question

  • Hi

    We are using Windows Server 2008 R2 Std Edition, and on the clients XP, Win07 & Win Vista.

    We want to block USB storage via Group Policy while still allowing keyboards, mice, printers and USB data cards to work. Please suggest any freeware software or Group Policy settings that I can manage centrally.

    Any suggestion will be appreciated.

    regards

    Mayur Gandhi

    August 15, 2012 14:59

Answers

  • Hi,

    You need to modify the Start value in the following registry key to 4 (original is 3):
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor
    This will block the USB storage devices, but the USB mouse, keyboard etc. will remain enabled. Please refer to this KB:
    How can I prevent users from connecting to a USB storage device?
    http://support.microsoft.com/kb/823732

    You can use GPP or some logon script to update the registry value centrally.
    Configure a Registry Item
    http://technet.microsoft.com/en-us/library/cc753092.aspx

    Regards,
    Cicely

    • Proposed as answer by VenkatSP, August 16, 2012 15:07
    • Marked as answer by Cicely Feng, August 20, 2012 4:53
    August 16, 2012 4:14
  • Hi, by using a Group Policy you can modify the UsbStor key. If you need simple instructions to create and deploy an ADM file through GPO, please follow the article below. You can also download the ADM file from the link below.

    http://www.petri.co.il/disable_usb_disks_with_gpo.htm


    Regards,
    Rahul A
    MCITP: MS SQL 2008 Development, MCITP: Enterprise Admin, MCTS: Windows vista, Windows 2008, MCSA Windows server 2003 security, ITIL Foundation V3
    My blog
    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights

    August 16, 2012 7:10
  • Hi Mayur,

    You can restrict permissions on USBSTOR.PNF and USBSTOR.INF files via Group Policy.

    In 2008 you can use the below GPO.
    User Configuration \ Administrative Templates \ System \ Removable Storage Access \ All Removable Storage classes: Deny all access.

    But this will restrict all USB access except the keyboard and mouse.

    If you need to grant access only to Data cards, configure the GPO settings to allow users to install some specific devices to achieve the target.

    Device Management

    • Prevent users from installing any device.
    • Allow users to install only devices that are on an "approved" list. If a device is not on the list, then the user cannot install it.
    • Prevent users from installing devices that are on a "prohibited" list. If a device is not on the list, then the user can install it.
    • Deny read or write access to users for devices that are themselves removable, or that use removable media, such as CD and DVD burners, floppy disk drives, external hard drives, and portable devices such as media players, smart phones, or Pocket PC devices.

      Device Management and Installation Step-by-Step Guide: Controlling Device Driver Installation and Usage with Group Policy
      http://technet.microsoft.com/en-us/library/cc731387(WS.10).aspx


      How can I prevent users from using USB removable disks (USB flash drives) by using Group Policy (GPO)?    
      http://www.petri.co.il/disable_usb_disks_with_gpo.htm

      Deny All Access to Removable Devices or Media
      http://technet.microsoft.com/en-us/library/cc772540(v=WS.10).aspx


    Regards,
    Rafic

    If you found this post helpful, please give it a "Helpful" vote.
    If it answered your question, remember to mark it as an "Answer".
    This posting is provided "AS IS" with no warranties and confers no rights! Always test ANY suggestion in a test environment before implementing!

    • Proposed as answer by VenkatSP, August 16, 2012 15:07
    • Marked as answer by Cicely Feng, August 20, 2012 4:53
    August 16, 2012 7:39
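
An "approved" device list, as described in the answer above, needs the hardware IDs of the devices to be allowed. The following is an added example, not part of the original thread: it inventories the USB mass-storage devices that have already been installed on a machine by reading the `Enum\USBSTOR` registry branch. It assumes PowerShell 2.0 or later and an administrative session; the output file name is hypothetical.

```powershell
# Added example, not from the thread: list USB mass-storage devices that have
# been installed on this machine, with the hardware IDs an approved list needs.
$EnumRoot = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
$OutFile  = Join-Path $env:TEMP 'usbstor-inventory.csv'   # hypothetical path

function Get-UsbStorInventory {
    # No key means no USB storage device was ever installed here.
    if (-not (Test-Path $EnumRoot)) { return }

    # First level: one key per device model (Disk&Ven_...&Prod_...&Rev_...).
    foreach ($model in Get-ChildItem -Path $EnumRoot -ErrorAction SilentlyContinue) {
        # Second level: one key per physical device instance.
        foreach ($inst in Get-ChildItem -Path $model.PSPath -ErrorAction SilentlyContinue) {
            $p = Get-ItemProperty -Path $inst.PSPath -ErrorAction SilentlyContinue
            New-Object PSObject -Property @{
                Computer     = $env:COMPUTERNAME
                FriendlyName = $p.FriendlyName
                Model        = $model.PSChildName
                Instance     = $inst.PSChildName
                # HardwareID is multi-valued; join it so it fits one CSV cell.
                HardwareIds  = ($p.HardwareID -join ';')
            }
        }
    }
}

$devices = @(Get-UsbStorInventory)
if ($devices.Count -eq 0) {
    Write-Output "No USB storage devices recorded on $env:COMPUTERNAME."
}
else {
    $devices |
        Select-Object Computer, FriendlyName, Model, Instance, HardwareIds |
        Export-Csv -Path $OutFile -NoTypeInformation
    Write-Output "Wrote $($devices.Count) device record(s) to $OutFile."
}
```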

All replies

  • Hi All,

    I have a Windows 2k8 Enterprise DC, and XP, Win 7, Win 8 clients.

    The USB storage policy works properly for Windows 7 & 8 but didn't work for the XP PC.

    Please assist me.

    January 16, 2016 7:42
  • > The USB storage policy works properly for Windows 7 & 8 but didn't work
    > for the XP PC.
     
    XP doesn't support it, that's all...
     
    January 18, 2016 10:38
  • Whoever reads this - this fails if you connect the USB BEFORE starting the machine :-( The key will be reset to 3.
    June 6, 2016 8:38
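
The accepted answer suggests pushing the `UsbStor` `Start` value with a script, and the reply above reports the value going back to 3. The following is an added example, not part of the original thread: a computer startup script that checks the value, re-applies 4 if it differs, and writes an Application-log event so the drift is visible centrally. It assumes PowerShell 2.0 or later running as SYSTEM; the event source name and event IDs are hypothetical.

```powershell
# Added example, not from the thread. Intended as a computer startup script
# (runs as SYSTEM). Event source name and event IDs are hypothetical choices.
$KeyPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor'
$Disabled = 4                  # value the accepted answer sets (original is 3)
$Source   = 'UsbStorPolicy'    # hypothetical Application-log source

function Get-UsbStorStart {
    # Current Start value as an int, or $null when the key or value is absent.
    $p = Get-ItemProperty -Path $KeyPath -Name Start -ErrorAction SilentlyContinue
    if ($p) { return [int]$p.Start }
    return $null
}

function Write-PolicyEvent {
    param([string]$Message, [string]$EntryType = 'Information', [int]$EventId = 1000)
    # Register the source on first use (requires administrative rights).
    if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
        New-EventLog -LogName Application -Source $Source
    }
    Write-EventLog -LogName Application -Source $Source `
        -EntryType $EntryType -EventId $EventId -Message $Message
}

$before = Get-UsbStorStart
if ($null -eq $before) {
    Write-PolicyEvent "UsbStor Start value not found; nothing enforced." 'Warning' 1001
}
elseif ($before -eq $Disabled) {
    Write-PolicyEvent "UsbStor Start is already $Disabled." 'Information' 1000
}
else {
    # Drift: record the value found so the change can be traced centrally.
    Set-ItemProperty -Path $KeyPath -Name Start -Value $Disabled
    $after = Get-UsbStorStart
    if ($after -eq $Disabled) {
        Write-PolicyEvent "UsbStor Start was $before; reset to $Disabled." 'Warning' 1002
    }
    else {
        Write-PolicyEvent "UsbStor Start is $after; could not set $Disabled." 'Error' 1003
    }
}
```

Collecting the warning events from clients shows which machines keep drifting; a changed `Start` value applies the next time the driver would be loaded, so a driver that is already running stays loaded until the next restart.
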
  • Hi Rafic & Team,

    I went through the settings given above but I am still facing the issue. What I need is to block all USB storage access and allow only a USB keyboard, mouse and a single/specific USB storage device.

    Regards
    Deepak Bahuguna

    October 12, 2017 9:51