How can I prevent users from writing to USB removable disks (USB flash drives)?
USB removable disks (also known as flash drives or “Disk on Key” and other variations) are quickly becoming an integral part of our electronic life, and now nearly everybody owns one device or another, in forms of small disks, external hard drives that come enclosed in cases, card readers, cameras, mobile phones, portable media players and more.
Portable USB flash drives are indeed very handy, but they can also be used to upload malicious code to your computer (either deliberately or by accident), or to copy confidential information from your computer and take it away.
Microsoft has introduced some changes into Windows XP Service Pack 2 that allow an administrator some control over how USB Removable Disks (or flash drives) are handled. A new storage device policy named WriteProtect makes it possible to prevent all removable USB drives from being written to. Users can still read from these devices, but are not longer able to write to them.
This tweak will only work in Windows XP SP2 and above.
What is “Inside Microsoft Teams”?
“Inside Microsoft Teams” is a webcast series, now in Season 4 for IT pros hosted by Microsoft Product Manager, Stephen Rose. Stephen & his guests comprised of customers, partners, and real-world experts share best practices of planning, deploying, adopting, managing, and securing Teams. You can watch any episode at your convenience, find resources, blogs, reviews of accessories certified for Teams, bonus clips, and information regarding upcoming live broadcasts. Our next episode, “Polaris Inc., and Microsoft Teams- Reinventing how we work and play” will be airing on Oct. 28th from 10-11am PST.
You can also Disable Writing to USB Disks with GPO.
Block writing to USB Removable Disks
To block your computer’s ability to use USB Removable Disks follow these steps:
- Open Registry Editor.
- In Registry Editor, navigate to the following registry key:
- Create the following value (DWORD):
and give it a value of 1.
Note: As always, before making changes to your registry you should always make sure you have a valid backup. In cases where you’re supposed to delete or modify keys or values from the registry it is possible to first export that key or value(s) to a .REG file before performing the changes.
- Close Registry Editor. You do not need to reboot the computer for changes to apply.
Users trying to write to any USB Removable Disk will now get an Access Denied message.
Enable writing to USB Removable Disks
To return to the default configuration and enable your computer’s ability to use USB Removable Disks follow these steps:
- Go to the registry path found above.
- Locate the following value:
and give it a value of 0.
You can download a .REG file that configure this setting right HERE (1kb).
You may find these related articles of interest to you:
- Adding New Administrative Templates to a GPO
- Controlling IE cache size via GPO
- Disable USB Disks
- Disable USB Disks with GPO
- Disable Writing to USB Disks with GPO
- Download GPMC
- Download Group Policy ADM Files for All Microsoft Operating Systems
- Download Group Policy Settings Reference
- Download Office 2000 Reskit Tools
- Download Office System 2003 Reskit Tools
- Download Office System 2003 SP2 ADMs and Explain Text Update
- Download Office XP Reskit Tools
- Event logs archiving with GPO
- Understanding Administrative Templates in GPO