How to disable USB devices using Group Policy

Everyone owns one or more USB devices. USB connections are typically used to plug devices such as mice, keyboards, scanners, mobile phones, external hard drives, printers, and more into your computer. When you connect a device to your computer it automatically identifies the device and installs the driver for it. USB devices are portable and have a very high security threat. Some organizations do not allow USB devices for this reason. Here is the steps to do that for your organization using group policy.

We will be starting with the Windows Server 2012 R2 domain controller and a client that is running Windows 7 Professional. The group policy to disable USB devices will be created on the domain controller, and then will be applied to the OU containing the users computer.

1. Launch the Group Policy Management tool on the domain controller.


2. Right click Group Policy Objects and click New.

a.  Name the group policy as Block USB Devices, and click OK


3. Right click on the new policy and click Edit.3

4. Group Policy Management Editor window appears, Navigate to Computer Configuration\Policies\Administrative Templates\System\Removable Storage Access.4

5. Now on the right pane you will see a list of Removable Storage Access devices. We will be disabling all of them. Find the All Removable Storage classes: Deny all access, right click on it, and click Edit.5

6. If you enable this policy it will block access to any removable storage device that may get connected to the computer. Click Enabled, always leave a note for the next person, and click OK when done.6


Now we have created the policy to deny access to the USB devices. The next step is to link the GPO to the OU. For this I created an OU called Block USB Devices.

7. Once you have closed the Group Policy Management Editor it will bring you back to the Group Policy Management. Here you will want to pick the OU with the computers that you want to have the USB disabled. Right click on the OU and click Link an Existing GPO.7

8. Select GPO will appear, from the list of GPO’s select the policy Block USB Devices, and click OK.8

9. You can manually go to each computer and type gpupdate /force or you can wait 90 min for the system to automatically do it. The automatically could take up to 45 days, but this allows you to warn the clients before hand.

10. Once the GPO has been updated you can test to see if everything worked by connecting a USB device into the computer. If you receive a message like this. You have successfully created a policy to disable USB devices. 9



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s