Disable USB GPO Not Working with Windows 10 Pro N Edition

  • Question

  • I have a Group Policy setting configured to Deny Read/Write access to USB drives on all computers. It is applied to the correct OUs, it is not filtered out, and I can see via RSOP & gpresult that this setting is correctly applied to the PCs. However, some Windows 10 PCs do not apply this setting and USB devices can still be accessed regardless of what the GPO settings are.

    Recently, somebody responded to a post I had made on another site and he was able to identify the issue. 

    As it turns out, the service, Portable Device Enumerator Service, is not installed on Windows 10 Pro N by default.  It is installed as part of the standalone Media Feature Pack that installs Windows Media Player.  Even the description of this service states:

    "Enforces group policy for removable mass-storage devices. Enables applications such as Windows Media Player and Image Import Wizard to transfer and synchronize content using removable mass-storage devices."

    I have deployed Windows 10 Pro N to our PCs because it is a cleaner version of W10 without Pandora, game ads, and other items that aren't necessary on a business PC.

    I was able to verify this issue by opening a USB drive on a Windows 10 Pro N v1709 PC that has the GPO settings correctly applied to block USB access.  I then installed the Media Feature Pack, rebooted the PC, tried the USB drive again, and it was successfully blocked.

    Microsoft needs to update the USB services on Windows 10 Pro N PCs so Group Policy will successfully block USB drives on any version of Windows 10, regardless of whether that PC has Windows Media Player installed or not. Or at the very least, have the Portable Device Enumerator Service installed on all versions of Windows 10 by default. Each Feature update requires a different Media Feature Pack to re-install Windows Media Player and the service mentioned above.

    If this service is required to enforce Group Policies, why is it not included in every version of Windows 10?

    This is a severe security issue for a financial institution. It is not feasible to re-install Windows Media Player on every computer after each bi-annual feature update. Currently, every time we push a feature update to our PCs it will break our USB access restrictions, opening security risks for both our business and our customers.

    I need to ensure this Group Policy Object is working 100% of the time.

     
    Friday, September 7, 2018 4:04 PM
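
The condition described in the post above, as an added example that is not part of the original thread: a PowerShell check that reports when the removable-storage deny policy is present in the registry but the Portable Device Enumerator Service is not installed. The service name `WPDBusEnum`, the policy registry path and the "Removable Disks" class GUID are assumptions not stated in the thread.

```powershell
# Added example (not from the thread). Assumptions are marked inline.
$PolicyRoot  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'  # assumed policy key
$DiskClass   = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'  # assumed "Removable Disks" class GUID
$ServiceName = 'WPDBusEnum'  # assumed service name of Portable Device Enumerator Service

function Get-UsbDenyPolicy {
    # Read the deny values written by the GPO; a missing key or value counts as 0.
    $found = [ordered]@{ Deny_All = 0; Deny_Read = 0; Deny_Write = 0 }
    $keys  = @{
        Deny_All   = $PolicyRoot
        Deny_Read  = "$PolicyRoot\$DiskClass"
        Deny_Write = "$PolicyRoot\$DiskClass"
    }
    foreach ($name in 'Deny_All', 'Deny_Read', 'Deny_Write') {
        $item = Get-ItemProperty -LiteralPath $keys[$name] -Name $name -ErrorAction SilentlyContinue
        if ($item) { $found[$name] = [int]$item.$name }
    }
    [pscustomobject]$found
}

function Test-UsbPolicyEnforcement {
    # Compare what the policy asks for with whether the enforcing service exists.
    $policy  = Get-UsbDenyPolicy
    $service = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    $os      = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $configured = ($policy.Deny_All -eq 1) -or ($policy.Deny_Read -eq 1) -or ($policy.Deny_Write -eq 1)

    if (-not $configured)  { $finding = 'PolicyNotConfigured' }
    elseif (-not $service) { $finding = 'PolicySetButServiceMissing' }  # the case in this thread
    else                   { $finding = 'PolicySetServicePresent' }

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        EditionID     = $os.EditionID    # shows whether this is an N edition
        ReleaseId     = $os.ReleaseId    # feature update version, e.g. 1709
        DenyAll       = $policy.Deny_All
        DenyRead      = $policy.Deny_Read
        DenyWrite     = $policy.Deny_Write
        ServiceStatus = if ($service) { "$($service.Status)" } else { 'NotInstalled' }
        Finding       = $finding
    }
}

Test-UsbPolicyEnforcement
```

Because the post reports that each feature update requires the Media Feature Pack to be installed again, a check like this is most useful when run after every feature update, with `PolicySetButServiceMissing` treated as a compliance failure.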

All replies

  • Hi,

    Thank you for your posting in our forum.

    First of all, I totally understand your situation and agree with your point for this issue.

    Secondly, I very much appreciate your kind feedback on this issue and your sharing the solution for this situation, which will benefit any other community members who encounter a similar issue.

    I am afraid that I am unable to test your situation as of now due to the lack of the Windows 10 N version. However, we will help to forward it to the related department for improvement. In addition, so that this issue can be resolved as soon as possible, I suggest you post your feedback to the Microsoft User Voice. The link is as follows:

    https://microsoftteams.uservoice.com/forums/555103-public

    Thank you for your kind feedback.

    Best regards

    Julie


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, September 10, 2018 7:28 AM
    Moderator
  • Julie,
    Thank you for your response. I posted this to the Microsoft Teams User Voice forum as requested. If there is anything I can do to help any department identify and correct this issue, please feel free to reach out to me.

    Like I said, this issue creates a significant security concern for a financial institution and should be taken seriously by Microsoft.

    Here is a link to the User Voice post:
    https://microsoftteams.uservoice.com/forums/555103-public/suggestions/35374258-disable-usb-gpo-not-working-with-windows-10-pro-n


    Thank you again,
    Mark


    • Edited by McNollid12 Tuesday, September 11, 2018 2:54 PM Added link to other post
    Tuesday, September 11, 2018 2:42 PM
  • Hi,

    Thank you for your kind understanding and feedback. 

    Please rest assured that we will take your feedback into consideration and improve it as soon as possible with our best effort. We very much appreciate that you will help us to correct this issue as well.

    If there is anything else I can do for you, please feel free to let me know.

    Best regards

    Julie 



    Wednesday, September 12, 2018 2:05 AM
    Moderator