Disk Management

How can I prevent users from writing to USB removable disks (USB flash drives) by using Group Policy (GPO)?

USB removable disks (also known as flash drives or “Disk on Key” and other variations) are quickly becoming an integral part of our electronic life, and now nearly everybody owns one device or another, in forms of small disks, external hard drives that come enclosed in cases, card readers, cameras, mobile phones, portable media players and more.

Portable USB flash drives are indeed very handy, but they can also be used to upload malicious code to your computer (either deliberately or by accident), or to copy confidential information from your computer and take it away.

Microsoft has introduced some changes into Windows XP Service Pack 2 that allow an administrator some control over how USB Removable Disks (or flash drives) are handled. A new storage device policy named WriteProtect makes it possible to prevent all removable USB drives from being written to. Users can still read from these devices, but are not longer able to write to them.

This tip is a variation of Disable Writing to USB Disks in XP SP2, you can prevent users from writing on to any portable USB removable disk or flash drive by using a custom .ADM file that can be imported into the Local Group Policy (thus effecting only the local computer) or by using Active Directory-based Group Policy Objects (also known as GPOs).

Sponsored Content

What is “Inside Microsoft Teams”?

“Inside Microsoft Teams” is a webcast series, now in Season 4 for IT pros hosted by Microsoft Product Manager, Stephen Rose. Stephen & his guests comprised of customers, partners, and real-world experts share best practices of planning, deploying, adopting, managing, and securing Teams. You can watch any episode at your convenience, find resources, blogs, reviews of accessories certified for Teams, bonus clips, and information regarding upcoming live broadcasts. Our next episode, “Polaris Inc., and Microsoft Teams- Reinventing how we work and play” will be airing on Oct. 28th from 10-11am PST.

Follow the steps outlined in the Adding New Administrative Templates to a GPO article on general instructions on how to add or remove an .ADM file from the Administrative Templates section in GPO.

It’s worth mentioning that in Windows Vista Microsoft has implemented a much more sophisticated method of controlling USB disks via GPO. If you have Windows Vista client computers in your organization you can use GPO settings edited from one of the Vista machines to control if users will be able to install and use USB disks, plus the ability to control exactly what device can or cannot be used on their machines.

Needless to say, as with any GPO setting, this option will only work on Windows 2000 operating systems or higher.

Download the USB_write_protect_ADM file (2kb)

After downloading the .ADM file, read Adding New Administrative Templates to a GPO.

You might also be interested in reading Disable USB Disks with GPO.

Note: In order to successfully view and configure the new .ADM file settings you will need to change the default filtering view for the GPO Editor (or GPedit.msc). Unless you change these settings, the right pane will appear empty, even though it has the settings in it.

Users trying to write to any USB Removable Disk will now get an Access Denied message.

Follow these steps:

  1. In GPEdit.msc (or any other GPO Editor window you’re using) click on View > Filtering.

  1. Click to un-select the “Only show policy settings that can be fully managed” check-box. Click Ok.

  1. Now you will be able to see the new settings in the right pane:

  1. You can now change the available settings:

Related articles

You may find these related articles of interest to you:

Links

Use Group Policy to disable USB, CD-ROM, Floppy Disk and LS-120 drivers – 555324

Related Topics:

External Sharing and Guest User Access in Microsoft 365 and Teams

This eBook will dive into policy considerations you need to make when creating and managing guest user access to your Teams network, as well as the different layers of guest access and the common challenges that accompany a more complicated Microsoft 365 infrastructure.

You will learn:

  • Who should be allowed to be invited as a guest?
  • What type of guests should be able to access files in SharePoint and OneDrive?
  • How should guests be offboarded?
  • How should you determine who has access to sensitive information in your environment?

Sponsored by:

 
Live Webinar: Active Directory Security: What Needs Immediate Priority!Live on Tuesday, October 12th at 1 PM ET

Attacks on Active Directory are at an all-time high. Companies that are not taking heed are being punished, both monetarily and with loss of production.

In this webinar, you will learn:

  • How to prioritize vulnerability management
  • What attackers are leveraging to breach organizations
  • Where Active Directory security needs immediate attention
  • Overall strategy to secure your environment and keep it secured

Sponsored by: