Disable USB via GPO

Answer

  • Dear Customer,

    I understand your issue to be: You would like to know how to disable USB storage devices via Group Policy. I would therefore like to provide the following information for your reference:

    There is no GPO to disable USB storage devices directly. However, you can try the following workarounds:

    Scenario 1: A USB Storage Device Is Not Already Installed on the Clients.
    ===================

    If a USB storage device is not already installed on the clients, we can configure the group policy to deny access to the following files:

    - %SystemRoot%\Inf\Usbstor.pnf
    - %SystemRoot%\Inf\Usbstor.inf

    Then, when a USB storage device is connected to the computer, the required driver files cannot be accessed and, as a result, the USB storage device cannot be used.

    To configure permissions on the Usbstor.pnf and Usbstor.inf files via Group Policy, please follow these steps:

    - Open the appropriate Group Policy on the domain controller.
    - Browse to:
      Computer Configuration\Windows Settings\Security Settings\File System
    - Right-click "File System" and choose "Add file".
    - Input "%SystemRoot%\Inf\Usbstor.inf" (without the quotation marks).
    - A new window then appears. Add the users group or user accounts to the Security list, and select the check box for "Full Control" in the "Deny" column. (The related users group will therefore be unable to access this file.)
    - Click OK twice to accept the default settings in the wizard.
    - Use the same steps to add "%SystemRoot%\Inf\Usbstor.pnf" and ensure Everyone will be unable to access this file.
    - Close the Group Policy window and restart the Windows 2000/XP client to apply this setting.
    - After rebooting, please ensure that the user cannot open the "%SystemRoot%\Inf\Usbstor.inf" file. If an "Access Is Denied" error appears, it indicates that the group policy has been applied successfully. Please connect a new USB storage device (one that has never been connected to this computer before) to this client and check how it works.

    Scenario 2: A USB Storage Device Is Already Installed on the Clients.
    ===================

    If a USB storage device is already installed on the computer, we need to disable the "USB Mass Storage Driver" service. To do so, we can set the "Start" value in the following registry key to 4:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor]

    We can also use Group Policy to simplify the operation:

    - Create a text file named USBSTOR.adm with the following content:

    ; Administrative template: exposes the USBSTOR "Start" value as a machine policy.
    ; Start = 3 loads the driver on demand (enabled); Start = 4 disables it.
    CLASS MACHINE

    CATEGORY !!USBSTOR_Start
        POLICY !!SET_USBSTOR_START
            KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
            EXPLAIN !!USBSTOR_START_HELP
            PART !!DISABLE NUMERIC REQUIRED
                VALUENAME "START"
                MIN 3 MAX 4 DEFAULT 4
            END PART
        END POLICY
    END CATEGORY

    [Strings]
    DISABLE="USBSTOR Start Value"
    USBSTOR_Start="USB Mass Storage"
    SET_USBSTOR_START="Disable USB Mass Storage Devices"
    USBSTOR_START_HELP="Setting this value to 4 will disable USB Mass Storage Devices. Setting it to 3 will enable them."

    - Open the appropriate Group Policy object on the DC.
    - Under Computer Configuration, right-click Administrative Templates. Select Add/Remove Templates and click Add.
    - Double-click the USBSTOR.adm file and click Close.
    - On the View menu, uncheck "Show Policies Only".

    (Note: If the DC is Windows Server 2003, please use these steps: Select the Administrative Templates folder. Right-click it and select View -> Filtering. Uncheck the "Only show policy settings that can be fully managed" check box and click OK.)

    - Expand "Administrative Templates" and select "USB Mass Storage".
    - Double-click "Disable USB Mass Storage Devices".
    - Click "Enabled". The "Start Value" should default to 4. Click OK.
    - Close the GPO.

    Please connect a USB storage device (one that has been connected to this computer before) and check how it works now.

    For more information, please refer to the following document:

    How to disable the use of USB storage devices
    http://support.microsoft.com/default.aspx?scid=kb;en-us;823732

    I hope this helps. If you have any questions or concerns, please do not hesitate to let me know. I am happy to be of further assistance. Thank you for your time and cooperation!

    Sincerely,
    Tom Zhang

    Tom Zhang – MSFT
    May 3, 2010, 07:34 AM
    Moderator
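The following read-only audit script is an added example, not part of the answer above: run on a client from an elevated PowerShell session, it reports whether the Scenario 1 Deny ACE is present on Usbstor.inf/.pnf and whether the Scenario 2 USBSTOR Start value is 4, so an administrator can confirm the policy actually landed before relying on it.

```powershell
# Added example (not from the original post): audit a client for the two
# workarounds described above. Read-only; run from an elevated PowerShell.

$UsbstorKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$InfFiles    = @("$env:SystemRoot\Inf\Usbstor.inf", "$env:SystemRoot\Inf\Usbstor.pnf")
$FullControl = [System.Security.AccessControl.FileSystemRights]::FullControl

# Scenario 2: Start = 4 (SERVICE_DISABLED) blocks the USB Mass Storage driver;
# Start = 3 (SERVICE_DEMAND_START) is the default and means it is enabled.
$start = (Get-ItemProperty -Path $UsbstorKey -Name Start -ErrorAction Stop).Start
$state = if ($start -eq 4) { 'DISABLED' }
         elseif ($start -eq 3) { 'enabled (demand start)' }
         else { 'unexpected value' }
"USBSTOR Start = $start -> $state"

# Scenario 1: a Deny Full Control ACE on the INF/PNF files stops the driver
# from being installed for a device that has not been seen before.
foreach ($file in $InfFiles) {
    if (-not (Test-Path -LiteralPath $file)) {
        "$file : file not present"
        continue
    }
    $denies = (Get-Acl -LiteralPath $file).Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        (($_.FileSystemRights -band $FullControl) -eq $FullControl)
    }
    if ($denies) {
        $who = ($denies | ForEach-Object { $_.IdentityReference.Value }) -join ', '
        "$file : Deny Full Control for $who"
    } else {
        "$file : no Deny Full Control ACE (Scenario 1 policy not in effect)"
    }
}

# Cross-check against the live driver state: a driver still Running while
# Start = 4 means the setting has not taken effect yet (reboot pending).
$drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='USBSTOR'"
if ($drv) { "USBSTOR driver: StartMode={0}, State={1}" -f $drv.StartMode, $drv.State }
```

The registry value and ACLs are per machine, so the output is only meaningful on the client being checked, not on the domain controller where the GPO was authored.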