
USB blocking via GPO?


Microsoft Punlic

Nov 21, 2003, 2:17:39 PM11/21/03
hi there,

Is it possible to prevent user access to USB devices via GPO?
Disabling via BIOS isn't an option since we want to allow access for certain
users?

Regards,
BP


Dmitry Korolyov [MVP]

Nov 22, 2003, 3:26:59 PM11/22/03
If you mean USB removable drives, there is an opportunity (yet not very reliable).
 
HKLM\System\CurrentControlSet\Services\USBSTOR
 
Set "Start" value to 4 (disabled) with computer startup script - you can use regedit with /s switch to silently import .reg file. You can create a custom .adm template, but note that in this case the setting would be applied only once - since it will be interpreted as "preference", not policy, and will not be reapplied to the value you set in case of being changed to different value later.
 
Additionally, use Registry settings in the GP to configure permissions over the whole USBSTOR key. Configure them in a way so only SYSTEM has Full Control, and no other accounts (including administrators) have any access.
 
What does it achieve? After the policy has been applied (and the box in question restarted), the driver (and yes, that is the driver for removable usb drives) will no longer start, and therefore, no usb removable devices will be recognized by the system. Additionally, by removing all permissions except for SYSTEM account, we make it a little bit harder to reconfigure the driver and start it if a user gets administrative permissions. This configuration will not affect the ability to use usb mice, keyboards, etc. However, it will not prevent usage of removable usb drives which install and use their own driver.
 
You can find the files used by the driver and restrict permissions on these files using File System setting of the GP to further harden your setup.

--
Dmitry Korolyov [d_...@removethispart.mail.ru]
MVP: Windows Server - Active Directory
 
 
"Microsoft Punlic" <ping...@pi.be> wrote in message news:eWZGeQG...@TK2MSFTNGP11.phx.gbl...
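As an added example (not part of the thread, and written in PowerShell rather than the regedit-only tooling available in 2003), the following startup script carries out the three steps the reply describes: silently import a .reg file that sets USBSTOR's Start value to 4, restrict the key's permissions to SYSTEM, and report whether the driver is actually disabled and stopped. It assumes it runs as SYSTEM from a GPO computer-startup script on a client with PowerShell 3 or later; the temp file name and the Test-UsbStorDisabled function are my own choices, and the registry path is the one quoted in the reply.

```powershell
# Added example, not from the original thread. Applies the USBSTOR hardening
# described above from a GPO computer-startup script (runs as SYSTEM).
# Assumptions: PowerShell 3+ on the client, the key path quoted in the reply,
# and the temp file / function names chosen here.

$KeyPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$RegPath  = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR'
$Disabled = 4      # SERVICE_DISABLED; 3 (demand start) is the normal default

# Returns $true only when the driver is configured disabled AND not currently
# loaded. Checking both matters: Start=4 takes effect at the next boot, and a
# driver that is still running keeps already-mounted devices working.
function Test-UsbStorDisabled {
    $start   = (Get-ItemProperty -Path $KeyPath -Name Start -ErrorAction Stop).Start
    $driver  = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='USBSTOR'"
    $running = ($null -ne $driver) -and ($driver.State -eq 'Running')
    return ($start -eq $Disabled) -and (-not $running)
}

# 1. Import a .reg file silently with regedit /s, as the reply suggests.
#    A startup script runs at every boot, so the value is re-applied even if
#    it was changed in between, which a one-shot .adm "preference" would not do.
$regFile = Join-Path $env:TEMP 'disable-usbstor.reg'
@"
Windows Registry Editor Version 5.00

[$RegPath]
"Start"=dword:00000004
"@ | Set-Content -Path $regFile -Encoding Ascii
Start-Process -FilePath regedit.exe -ArgumentList "/s `"$regFile`"" -Wait
Remove-Item -Path $regFile -Force

# 2. Tighten the key's DACL so only SYSTEM keeps Full Control. Inheritance from
#    the Services key is cut, and the SYSTEM ACE propagates to the subkeys
#    (Enum, Parameters, ...) so the whole key is covered.
$acl = Get-Acl -Path $KeyPath
$acl.SetAccessRuleProtection($true, $false)        # protected DACL, drop inherited ACEs
foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($rule)             # remove every explicit ACE
}
$system = New-Object System.Security.Principal.SecurityIdentifier(
    [System.Security.Principal.WellKnownSidType]::LocalSystemSid, $null)
$allow = New-Object System.Security.AccessControl.RegistryAccessRule(
    $system,
    [System.Security.AccessControl.RegistryRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($allow)
Set-Acl -Path $KeyPath -AclObject $acl

# 3. Report. On the boot that first applies Start=4 the driver may still be
#    loaded, so $false right after the change is expected until the next reboot.
"USBSTOR disabled and stopped: $(Test-UsbStorDisabled)"
```

The check function is the part worth keeping around on its own: run it from a scheduled task or a monitoring agent and you can tell which machines have the value set but have not yet rebooted, and which ones have had the value changed back. As the reply points out, none of this affects USB devices that ship their own storage driver, so the check reports on USBSTOR only.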