Disable USB via Group Policy Server 2008R2 / 2012R2

Here, we have a domain controller running Windows Server 2012 R2 Datacenter edition and a domain-joined client running Windows 7 Professional SP1.

The use of USB devices (flash drives, USB HDDs, SD cards and so on) is disabled in most organizations for safety reasons, primarily to prevent virus infection.

The group policy to disable USB devices will be created on the domain controller and applied to an OU containing the computer account WIN 7.

As shown in the figure, launch the Group Policy Management tool on the domain controller, right-click Group Policy Objects and then click New.

Provide a name for the GPO and click OK. In the image, the group policy is named Block USB Devices.

Edit the policy by right-clicking it and clicking Edit. This opens the Group Policy Management Editor. Navigate to Computer Configuration\Policies\Administrative Templates\System\Removable Storage Access.

This is where the settings for Removable Storage Access are found. There are many settings covering individual device classes, but we will configure only one: All Removable Storage classes: Deny all access.

Right-click the setting All Removable Storage classes: Deny all access and click Edit. Enabling this policy blocks access to any removable storage class that you connect to the computer. Click Enabled, click Apply and then OK.

The group policy object is now created. The next step is to link the GPO to the OU containing the computer accounts for which USB devices are to be blocked. Right-click the OU and click Link an Existing GPO.

From the list of GPOs, select the policy Block USB Devices and click OK.

Perform a group policy update on the client using the command gpupdate /force. Connect any USB device to the computer and you should see the message Access is denied.

The policy that we applied will prevent users from mounting any class of removable media.

 

By applying this policy, we can block USB access for all users or for a group of users.
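
The same procedure can be scripted with the GroupPolicy PowerShell module on the domain controller. The script below is an added example, not part of the original walkthrough; the OU distinguished name is a placeholder, and Deny_All under the RemovableStorageDevices policy key is the registry value that the All Removable Storage classes: Deny all access setting writes.

```powershell
# Run in an elevated PowerShell session on the domain controller
# (or on a management host with the Group Policy Management tools installed).
Import-Module GroupPolicy

$GpoName  = 'Block USB Devices'                       # GPO name used in the walkthrough
$TargetOu = 'OU=Workstations,DC=example,DC=com'       # ASSUMPTION: placeholder, use your OU's DN
$Key      = 'HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices'

# Create the GPO only if it does not exist yet, so the script can be re-run safely.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Deny all access to removable storage classes'
}

# Equivalent of setting "All Removable Storage classes: Deny all access" to Enabled
# under Computer Configuration in the Group Policy Management Editor.
Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'Deny_All' -Type DWord -Value 1 |
    Out-Null

# Link the GPO to the OU that holds the computer accounts, unless it is already linked.
$alreadyLinked = (Get-GPInheritance -Target $TargetOu).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# Show what is now stored in the GPO and which GPOs are linked to the OU.
Get-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'Deny_All'
(Get-GPInheritance -Target $TargetOu).GpoLinks |
    Select-Object DisplayName, Enabled, Enforced, Order

# Verification on the client (elevated prompt), after the link is in place:
#   gpupdate /force
#   gpresult /r /scope computer
#       -> "Block USB Devices" should appear under Applied Group Policy Objects
#   Get-ItemProperty 'HKLM:\Software\Policies\Microsoft\Windows\RemovableStorageDevices' -Name Deny_All
#       -> Deny_All should be 1; if the key is missing, the GPO did not apply to this computer
```

If gpresult does not list the GPO, check that the client's computer account is actually in the linked OU and that no security filtering excludes it.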
