USB drive restriction works on local gpo but does not on domain gpo

Question

Hello,

I'm currently in the process of configuring USB drive restrictions using the following gpo's:

On the "Allow installation of devices that match any of these devices IDs" gpo, I've whitelisted a specific USBs hardware ID.
I then plugin a USB that has not been installed on the device or whitelisted and I receive my configured block message.
Once I plugin my whitelisted USB, file explorer opens and I'm able to use the USB as expected.
Everything works as expected using this on local group policy.

However, once I configure the same policies on a domain environment, any USB device that is plugged in is blocked.
It appears the policy did take affect but the domain joined computer is not able to "read" the whitelisted hardware IDs.

Any help is appreciated.

Thank you.

Answer 1

Hi,

Please set the following GPO:

Computer Configuration\Policies\Administrative Templates\System\Removable Storage Access

The Removable Storage Access contains the policies for a variety of storage devices and the policies include:

Removable Disks: Deny execute access
Removable Disks: Deny read access
Removable Disks: Deny write access

I hope this answers your question.

---------------------------------------------------------------------------------------------------------------------------------------

--If the reply is helpful, please Upvote and Accept as answer--

Answer 2

@Limitless Technology - I may be mistaken but should these policies be added on top of the policies I already have configured?
I'm reading the description of what you mentioned and it almost seems like these would deny removable disks and override the whitelisting I had created.
Does sound correct?

Thanks for the help.