Windows 7 GPO - Disable All Removable Media then Re-enable, now CD/DVD drive is inaccessible

    Question

  • Ok, this might be better placed in the Windows 7 forum, but we're having some issues with limiting access to removable media via GPO.

    We've set up a GPO for Computer Policy, Admin Templates, System, Removable Storage Access, All Removable Storage classes: Deny all access - Enabled

    After finding that this was a bit too restrictive we reset it back to Not Configured (and later Disabled to try and force it) but it seems to break our DVD drives on all Win7 x64 machines (the GPO is limited to apply only to these machines).  Instead of the usual icon in My Computer it shows a description of the CD/DVD in the drive and the usual "unknown file type" icon.  If you take the CD out it shows the usual CD-ROM icon, but still gives "access denied".

    There is one workaround, and that is to set the GPO back to not configured and manually remove the CD/DVD device via device manager, restart, and allow windows to re-install the device drivers.

    This is 100% repeatable by applying the same local computer policy ("All Removable Storage classes: Deny all access - Enabled") and restarting the machine.

    Has anyone else run into this problem before?  And how can we fix it without having to go to every machine to remove the DVD drive from device manager? 

    Thanks,

    -Nick

    Tuesday, March 20, 2012 10:07 PM

Answers

  • Hi ,

    Apply this hotfix and see how it works. Thanks.

    Users cannot access removable devices after you enable and then disable a Group Policy setting in Windows Vista, in Windows Server 2008, in Windows 7 or in Windows Server 2008 R2
    http://support.microsoft.com/kb/2738898



    • Proposed as answer by Tillersen Friday, November 15, 2013 11:45 AM
    • Marked as answer by -Nick Friday, August 15, 2014 2:32 PM
    Monday, November 04, 2013 3:29 PM

All replies

  • Hi,


    I'd like to confirm you had run gpupdate /force or restarted the computer to test.


    > but we're having some issues with limiting access to removable media via GPO.


    We can use RSOP.msc to verify whether there is a related policy setting (log on as an admin) to block the access.


    In addition, please try to verify the registry key: HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices is not set to Deny_all


    For details: all Removable Storage classes: Deny all access (http://gpsearch.azurewebsites.net/default.aspx?policyid=2282&ref=1)

    all Removable Storage classes: Deny all access (http://gpsearch.azurewebsites.net/default.aspx?policyid=2281&ref=1)


    Hope this helps!


    Best Regards
    Elytis Cheng


    TechNet Community Support



    Wednesday, March 21, 2012 7:55 AM
    Moderator
  • Hi Elytis,

    Yes, we tried gpupdate /force and also restarting, however some setting does not reverse and the DVD drive remains inaccessible.

    The registry keys you referenced were still set to Deny after removing the GPO, running gpupdate /force, and restarting.  I changed them back to allow, but no difference in access to the DVD drive even after a restart.  The machine is able to see the DVD, and displays its title in "My Computer" but does not allow access.

    User policies were not configured, just machine policy.

    The issue has come up several times from our customers, so we've put out an FAQ article for our Technical Support to go ahead and remove the device, then reboot. 

    If there's a way to reverse this problem with something a bit more graceful than a device uninstall I'd be very interested in trying it out.  The problem is repeatable by applying the local or domain policy to "All Removable Storage classes: Deny All Access" - enable, reboot, and turn the policy back to not configured or disabled, and reboot again.

    Wednesday, March 21, 2012 3:33 PM
  • You might check
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Storage for a Value
    named "Hotplugsecuritydescriptor". If present, delete it and you might
    be done...
    sincerely, Martin
     

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    If my answer was helpful, I'm glad about a rating!
    Wednesday, March 21, 2012 8:53 PM
  • Hi Martin,

    That value was present. I was able to delete it, no changes observed.  I restarted the computer and still received "access denied".  When I went to the registry that value was back.

    There was also a "Deny_Execute" dword set to 1.  I changed it to 0 and deleted the HotplugSecurityDescriptor again with the same results before and after reboot.  The value reverted to 1 and the HotplugSecurityDescriptor was back again.

    After applying the workaround (remove the device and scan for new devices) I was able to access the device again.  The above values remained the same.

    Definitely a strange situation.  Luckily we don't yet have a large population of windows 7 machines, so we're just having our support knock them out as the customers call in and we've proactively fixed the problem for our VIPs.  It would still be nice to push out a fix though, if one exists.  Thanks for the assistance!

    -Nick

    Wednesday, March 21, 2012 11:57 PM
  •  
    > That value was present. I was able to delete it, no changes observed. 
    > I restarted the computer and still received "access denied".  When I
    > went to the registry that value was back.
     
    That's interesting - any idea where it came back from? It "should" not
    be there by default...
     
    sincerely, Martin
     

    Thursday, March 22, 2012 11:25 AM
  • Hello,

    I have a similar issue.

    When I enable the GPO to disable CD/DVD access, it works fine (the user cannot access the CD/DVD device).

    But if I want to enable access to this resource again, it doesn't work ON THE SAME MACHINE. If the user accesses it on another computer, he has access to the CD/DVD device.

    Any suggestions?

    Regards,

    Wednesday, May 16, 2012 9:45 AM
  • Ah!

    I remember that USB devices had this issue, and enabling the service "WPDBusEnum" works fine, but not with CD...

    Regards,

    Wednesday, May 16, 2012 9:47 AM
  • http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/67074e93-431e-4213-ad06-a2f6ba37a5dc
    • Proposed as answer by pvelasco Friday, May 25, 2012 12:19 PM
    Friday, May 25, 2012 12:19 PM
  • Hi,

    I am also facing this issue: CD/DVD read access is OK but I am unable to write anything (after reverting the GPO to normal).

    I have done a few steps to resolve this, i.e. unjoined from the domain and uninstalled/re-installed the CD/DVD drive.

    Please help to resolve this issue.

    Regards.


    IT Guy

    Friday, January 11, 2013 4:00 PM
  • Hi,

    Sometimes we can't access the CD even if we disable the restricting storage device policy; for this there is no need to rejoin the machine to the domain.

    Just do these simple steps:

    open Disk Management, right click on the CD/DVD drive and open Properties,

    click on the Hardware tab,

    click the Properties command button,

    click on the Driver tab, and uninstall the driver.

    Then click on the Disk Management Action menu, click on Rescan Disks,

    it re-adds the drive and the error is gone!!

    Thanks

    Jerry



    Tuesday, January 22, 2013 7:24 AM
  • Hi,

    After looking on many pages for a solution I always found the same workarounds - but for me deleting the device is no option because you aren't allowed to delete devices without administrative rights. Also I can't expect that our users always have to reinstall the device.

    So I analyzed what's going on in the registry when the key "Deny_All" for blocking RemovableStorageAccess is set to 1 - with the running of gpupdate I realized that Windows is writing a registry key to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\IDE\Device\ named "security". The problem is that Windows doesn't delete this key after setting the key "Deny_All" back to 0. Only sometimes it will be deleted, for example when you apply the policy for blocking devices and reverse this setting immediately without a restart of Windows.

    I made a little script which I integrated in the user-gpo (as logon script) for granting access to the removable storage devices:

    '****SCRIPT START****

    ' This script searches for all "Security" values under
    ' HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\IDE\ and deletes them

    Option Explicit
    Const HKEY_LOCAL_MACHINE = &H80000002
    Dim oReg : Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
    Dim sPath, aSub, sKey, aSubToo, sKeyToo

    ' Get all device keys within sPath
    sPath = "SYSTEM\CurrentControlSet\Enum\IDE"
    oReg.EnumKey HKEY_LOCAL_MACHINE, sPath, aSub

    ' EnumKey leaves the array as Null when the key is missing or has no subkeys,
    ' so check before looping (For Each over Null stops the script)
    If IsArray(aSub) Then
        ' Loop through each device key
        For Each sKey In aSub
            ' Get all instance subkeys within the key 'sKey'
            oReg.EnumKey HKEY_LOCAL_MACHINE, sPath & "\" & sKey, aSubToo
            If IsArray(aSubToo) Then
                For Each sKeyToo In aSubToo
                    ' A non-zero return code (value absent, access denied) is ignored
                    oReg.DeleteValue HKEY_LOCAL_MACHINE, sPath & "\" & sKey & "\" & sKeyToo, "Security"
                Next
            End If
        Next
    End If

    '****SCRIPT END****

    The policy for giving access to removable storage looks like this now:

    - a logon script is executed which searches for all "security"-keys under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\IDE\ and deletes them

    - the setting "All Removable Storage classes: Deny all access" is set to "Disabled"


    I hope this helps...

    Regards

    Swanson

    • Proposed as answer by DonSwanson Friday, January 25, 2013 1:08 PM
    Friday, January 25, 2013 10:48 AM
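
A read-only check for the state the posts above describe, as an added example that is not part of the thread: it reports whether Deny_All is in force, whether the HotplugSecurityDescriptor and per-device "Security" values mentioned by the participants are present, and whether KB2738898 is installed. It assumes an elevated PowerShell 2.0+ prompt; a "Security" value on a device instance is only something to review, not proof of a leftover.

```powershell
# Added example: read-only audit, run from an elevated prompt (PowerShell 2.0+).
# Key paths, value names and the KB number are the ones quoted in the thread.
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$storageKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Storage'
$enumIde    = 'HKLM:\SYSTEM\CurrentControlSet\Enum\IDE'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value does not exist.
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($key) { $key.GetValue($Name, $null) }
}

# Is "All Removable Storage classes: Deny all access" currently in force?
$policyActive = ((Get-RegValue $policyKey 'Deny_All') -eq 1)

$leftovers = @()
if ($null -ne (Get-RegValue $storageKey 'HotplugSecurityDescriptor')) {
    $leftovers += "$storageKey -> HotplugSecurityDescriptor"
}

# Enum\IDE\<device>\<instance>: look for a "Security" value on each instance key.
$devices = @(Get-ChildItem -LiteralPath $enumIde -ErrorAction SilentlyContinue)
foreach ($device in $devices) {
    $instances = @(Get-ChildItem -LiteralPath $device.PSPath -ErrorAction SilentlyContinue)
    foreach ($instance in $instances) {
        if ($instance.GetValueNames() -contains 'Security') {
            $leftovers += "$($instance.Name) -> Security"
        }
    }
}

# Get-HotFix only finds the update if it was installed under this KB id.
$hotfix = Get-HotFix -Id 'KB2738898' -ErrorAction SilentlyContinue

# One summary object per machine, followed by the individual findings.
New-Object PSObject -Property @{
    Computer        = $env:COMPUTERNAME
    DenyAllActive   = $policyActive
    HotfixInstalled = [bool]$hotfix
    LeftoverValues  = $leftovers.Count
    ReviewSuggested = (-not $policyActive) -and ($leftovers.Count -gt 0)
}
$leftovers
```

Nothing is written or deleted; ReviewSuggested is true only when the policy is no longer in force but the values are still there.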
  • Sounds good. I'll give it a try.

    Thank you!

    Friday, January 25, 2013 12:55 PM
    • Edited by CCraddock Wednesday, April 17, 2013 1:12 PM
    • Proposed as answer by CCraddock Monday, November 04, 2013 3:55 PM
    Tuesday, April 16, 2013 5:11 PM
  • HotFix positive for me
    Friday, November 15, 2013 10:31 AM
  • It works for me also, so for whoever has the same problem as mentioned above,

    i.e. the hotfix link works ....:)

    Friday, November 29, 2013 8:31 AM
  • thanks :) :) problem resolved
    Tuesday, December 10, 2013 9:00 AM
  • I can also confirm this Hotfix (KB2738898) worked for me, after reboot (per instructions). I feel this should be considered the correct answer as all other solutions were workarounds. Modifying registry to fix a Group Policy error, as well as uninstalling and rescanning for hardware because of a Group Policy that does not work correctly are not good solutions in large scale environments.

    Thanks for the link, Tillersen!

    Thursday, July 17, 2014 9:31 PM
  • agreed, however this thread was open for 20 months before the hotfix was posted. I wasn't going to wait 20 months to resolve the problem in any size environment!  The hotfix seems to work though, thanks!
    Friday, August 15, 2014 2:41 PM
  • Thank you very much

    Living and learning xD

    Friday, September 09, 2016 6:50 PM
  • Is this supposed to be run on the workstations or the server?
    Wednesday, November 02, 2016 8:08 PM
  • Thanks Bro..its working
    Tuesday, May 23, 2017 9:03 AM