Share via

How to block USB storage in a domain network?

Anonymous
2023-08-30T07:34:01+00:00

Hello,

In a Windows domain network, I want to block the USB storage and prevent users from connecting to a USB storage device, but mouse, keyboard and other devices work.

What is the best solution? A solution that work in the safe mode too.

Thank you.

Windows for business Windows Server Networking Other

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question. To protect privacy, user profiles for migrated questions are anonymized.

0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Anonymous
    2023-08-30T11:10:56+00:00

    To block USB storage devices while allowing other USB devices like mice and keyboards in a Windows domain network, you can use Group Policy settings. Here's how you can achieve this:

    Note: Before proceeding, make sure you have administrative access to the Active Directory domain and the Group Policy management console.

    1. Open Group Policy Management: Press Win + R, type gpmc.msc, and press Enter. This will open the Group Policy Management Console.
    2. Create a New Group Policy Object:
      • In the left pane, expand your domain and right-click on "Group Policy Objects."
      • Select "New" and give your new GPO a name like "USB Storage Restriction."
    3. Edit the Group Policy Object:
      • Right-click on the newly created GPO and select "Edit."
    4. Navigate to the Policy Settings:
      • In the Group Policy Management Editor, navigate to Computer Configuration -> Administrative Templates -> System -> Removable Storage Access.
    5. Configure USB Device Restrictions:
      • In the right pane, you'll see various policies related to removable storage devices.
      • The policy you want to configure is likely named "All Removable Storage classes: Deny all access."
      • Double-click on this policy to edit it.
    6. Enable the Policy:
      • In the policy properties window, select the "Enabled" radio button.
      • Click on the "Show" button next to "Removable Disks: Deny Execute access" to configure exceptions.
      • Add the following exceptions for USB devices that should still be allowed:
        • HIDClass (for keyboards and mice)
        • KeyboardClass
        • MouseClass
    7. Apply and Save:
      • After configuring the policy and exceptions, click "OK" to save the changes.
    8. Link the GPO to the Desired Organizational Unit (OU):
      • Close the Group Policy Management Editor.
      • In the Group Policy Management Console, right-click on the desired organizational unit (OU) where you want to apply this USB restriction.
      • Select "Link an Existing GPO" and choose the "USB Storage Restriction" GPO you just created.
    9. Force Group Policy Update:
      • On the client computers, you can open a command prompt and run the following command to force an immediate Group Policy update: 
          bashCopy codegpupdate /force
    10. Testing:
      • Test the policy by plugging in various USB devices. USB storage devices should be denied access while mice and keyboards should work as expected.
    11. Safe Mode Consideration:
      • The Group Policy settings generally apply even in Safe Mode. However, keep in mind that users with administrative privileges might still be able to modify some settings or potentially bypass restrictions.

    Always thoroughly test any Group Policy changes in a controlled environment before applying them to your production network. Additionally, Group Policy settings can vary based on Windows versions, so the steps may slightly differ depending on the version you are using.

    PLEASE NOTE: This is a response generated by the community program ''Open AI Dialog'', take care to carefully identify the information contained therein as it may contain risks and recommendations.

    7 people found this answer helpful.
    0 comments