How to Block Access to All Removable Storage

By default, a Windows user can access all removable storage with full permission. They can transfer data between their removable storage especially in the form of USB sticks and local drive or run application. The ease of use can cause security risks, it’s usually coming from USB sticks are a common source of malware. It’s possible to make your computer stop working or even able to encrypt all your files and folders.

To prevent unexpected things, we can block access to Removable Storage on both users and computers. Follow are the ways to Enable or Disable access to All Removable Storage.

  • For Workgroup

You can use the Local Group Policy to enable the policy.

From start Run -> gpedit.msc

Under Computer Configuration, locate to Administrative Templates/System/Removable Storage Access

Navigate to the setting All Removable Storage classes: Deny all access, edit and check Enabled and OK.

Similar to the Computer Configuration, under User Configuration/Administrative Templates/System/Removable Storage Access, navigate to the setting All Removable Storage classes: Deny all access, edit and check Enabled and OK.

Restart the computer to take effect. You will see the Access is denied prompt when attempting access to Removable Disk.

If you want to Disable this policy, simply to re-configure the setting to Not Configured.

  • For Domain

Create New GPO under the OU you wish to Block access.

Edit the GPO created. Setting up for User and Computer configuration as below:

Enable the setting All Removable Storage classes: Deny all access corresponding to User and Computer Configuration / Policies/Administrative Templates/System/Removable Storage Access

To force the computer to apply the policy immediately, let do gpupdate /force on the client or restart the computer.

Disable or exclude a user/computer out of this policy by using the GPO delegate option.

Open the domain Group Policy Management, navigate to your policy then right-click the click to Link Enable, your policy will grey-out, it means the policy will no longer affect under this OU.

Try to exclude the user test1, go to the Delegation tab on the Policy, access to Advanced

Add the user test1 to Security then set permission for test1 Apply group policy is Deny.

You may also add the computer account that user test1 is in use into this Security and set the same permission.

Force Group Policy update at the client computer.

The other way to Enable/Disable this setting by editing Windows Registry.

Enable the setting

Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices] "Deny_All"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices] "Deny_All"=dword:00000001

Disable the setting

Just change the dword value 1 -> 0

Save these lines as .reg file. Right-click then Merge.

That’s it. I hope it helps.

Leave a Reply

Notify of