How to Block USB Drives in Windows

Some users need to know how to block a flash drive in the Windows operating system. There are various reasons for this, mostly relating to security and privacy issues.

Often, the management of enterprises requires to prohibit the use of a flash drive, so system administrators fulfill these requirements on the organization’s devices. A similar problem also occurs on home PCs, when, for example, you need to restrict the rights of another user or prohibit portable devices from connecting to the computer.

Is it possible to block a flash drive on a computer? Yes, this can be done with built-in Windows tools or with third party software.

It should be borne in mind that in addition to USB drives, other devices with a USB interface are used on the computer: a mouse, keyboard, camera, or other peripherals. We need to prevent the use of removable USB flash drives on the PC without affecting other peripherals, which will continue to work as usual.

In this article, we do not cover disabling USB devices in the BIOS (UEFI), in Device Manager, using Active Directory policies, corporate antiviruses, or special programs.

We will use the built-in Windows tools. You can perform this task in the Windows operating system using group policies or by making changes to the system registry.

In this guide, we will look at how to block USB or prevent the use of a USB flash drive on a computer. These instructions are suitable for different versions of Windows.

If you are interested in computer topics, you can subscribe to the Telegram channel “Computer – PC assemblies, programs, online services”. A lot of interesting information is published there with presented configurations for self-assembly of a PC, various life hacks, tips on programs and online services. You can go to the Telegram channel via a direct link (the Telegram application must be installed on your device)

How to block usb drives in Windows in group policy

In the corporate, educational and professional versions of the Windows operating system, there is a tool – the Local Group Policy Editor. With this built-in tool, we can change the system settings.

Windows Home does not have group policies, so users can use another option: using the Registry Editor.

Blocking USB flash drives using group policies (GPO) is performed as follows:

  1. Press the “Win” + “R” keys.
  2. The dialog box “Run” will open on the screen, in which you need to enter the command – “gpedit.msc”.
  3. Click on the “OK” button.
  4. In the “Local Group Policy Editor” window, follow the path:
Computer Configuration → Administrative Templates → System → Removable Storage Access

In addition to removable drives, here you can configure settings for working with floppy drives, DVDs, tape drives, WPD devices.

We are interested in the following settings:

  • Removable Drives: Deny Execution – Prevents the execution of operations from a USB drive, such as running an executable file or a script file.
  • Removable drives: Deny reading – prohibits reading from a USB drive.
  • Removable drives: Disable recording – prohibits recording to a USB flash drive.

Depending on the user’s requirements, you can enable one or all of the suggested policies. We will show how to do this using the example of blocking all storage devices.

  1. To completely block USB flash drives, highlight the item “Removable storage devices of all classes: Deny all access”, and then right-click on it.
  2. In the context menu, click “Edit”.
  3. In the “Removable storage devices of all classes: Deny all access” window, activate the “Enabled” option.
  4. Remove the USB flash drive if it was connected to the computer.
  5. After connecting the flash drive to the PC, you will see an unnamed removable disk in Explorer without displaying its size.
  6. When you try to open a USB drive, a flash drive error will appear – access to the device is denied. In the “Location not available” window, you will see “Access denied”.

How to block a usb drive on a computer in the registry editor

In all versions of the Windows operating system, including Home Edition, you can use the registry modification method. As a result of changes in the system registry, you will get the result – access to the flash drive is blocked.

You can use two methods to disable access to removable devices on your computer.

1 way:

  1. Open the registry editor on your PC in one of the convenient ways.
  2. In the “Registry Editor” window, follow the path:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows
  1. Under the “Windows” section, create a section named “RemovableStorageDevices”.
  2. Right-click on the created section.
  3. In the open menu, first click “New”, and then “DWORD (32-bit) Value”.
  4. Name the parameter – “Deny_All”.
  5. Right click on it.
  6. In the context menu, select “Edit …”.
  7. In the parameter change window, in the “Value:” field, enter “1”, click “OK”.

In this way, we completely disable any access to removable storage devices.

If you want to fine-tune the rules for accessing USB flash drives, you can not create the “Deny_All” parameter, but select other settings. Go through the following steps after point 3 of this instruction:

  1. Under the “RemovableStorageDevices” section, create a subkey named “{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}”.
  2. Right-click on an empty space in the “{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}” section.
  3. From the context menu, select “New” and then “DWORD (32-bit) Value”.
  4. Name the parameter “Deny_Execute”.
  5. Click on the “Deny_Execute” option with the right mouse button.
  6. In the menu that opens, click “Edit …”.
  7. In the “Change DWORD (32-bit) Value” window, set the “Value:” field to “1”.
  8. Click us “OK” button.
  9. Create further similar parameters named “Deny_Read” and “Deny_Write” with value “1”.

These parameters are responsible for the functions:

  • Deny_Execute – prohibition of execution.
  • Deny_Read – prohibition of reading.
  • Deny_Write – prohibition of writing.

Changes take effect immediately if the flash drive is not connected to the computer. Otherwise, you need to disconnect the removable device first and then reconnect it to test the lock function.

In other cases, you can use the method to disable the USB Mass Storage Driver, which detects and mounts external portable devices. In this case, the USB flash drive will not be displayed in Explorer, and access to the device will be denied.

2 way:

  1. In the “Registry Editor” window, follow the path:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR
  1. Highlight the “Start” option and then right-click on it.
  2. In the context menu, click on “Edit …”.
  3. In the “Change DWORD (32-bit) Value” window, set the value to “4”.

Access to the flash drive is denied, and it does not appear in Windows Explorer.

A similar action can be performed using Windows PowerShell. After launching the tool, enter the following command in the shell window, and then press the “Enter” key:

Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR" -name Start -Value 4

If the flash drive is locked: how to unlock

If the flash drive is blocked, what should the user do in this case? You need to undo changes on the computer that prevent the device from being used.

Depending on the previously used method of blocking removable media, you will need to perform some steps.

In the Local Group Policy Editor, follow the path:

Computer Configuration → Administrative Templates → System → Removable Storage Access

In the settings of the policy settings “Removable drives: Deny execution”, “Removable drives: Deny read”, “Removable drives: Deny write” or “Removable storage devices of all classes: Deny all access”, depending on what exactly you restricted, set the option to “Not configured”.

In the registry editor follow the path:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ 

RemovableStorageDevices

In the parameters “Deny_All”, “Deny_Execute”, “Deny_Read”, “Deny_Write” set the value to “0”. You can completely remove the “RemovableStorageDevices” section if you do not further restrict the operation of flash drives on your computer.

If you used another method, then go to the following path in the registry editor:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR

Set the “Start” parameter to “3”.

Article Conclusions

In some situations, it is necessary to prohibit the operation of flash drives on a computer, in particular, for security and privacy reasons. It is necessary to limit the use of removable storage devices on the PC. To solve this problem, you can use the built-in tools of the Windows operating system to completely block USB devices or to restrict their use.

Leave a Reply

Your email address will not be published.