We needed to disable read/write access to USB drives on several machines that aren’t joined to a domain.
The obvious way to do this is with group policy, using the following:
Computer Configuration > Administrative Templates > System > Removable Storage Access
In that section, the following policies define removable storage access:
- Removable Disks: Deny Execute Access
- Removable Disks: Deny Read Access
- Removable Disks: Deny Write Access
Those policies are self-explanatory, and in a domain environment they are the only thing to set. In a non-domain environment, set the registry values associated with each policy instead.
These are set under the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
The GUID is the same on all versions of Windows and represents the Removable Disk type.
Then, create a DWORD value for each access type and set it to 1. The listing below contains the values to disable all access to USB drives:
```
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
"Deny_Write"=dword:00000001
"Deny_Read"=dword:00000001
"Deny_Execute"=dword:00000001
```
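On machines where importing a .reg file is inconvenient, the same three values can be applied and then audited from an elevated PowerShell session. This is an added example, not part of the original post; the function names `Get-RemovableDiskPolicy` and `Set-RemovableDiskPolicy` are hypothetical.

```powershell
# Added example: apply and audit the removable-disk deny values on a standalone machine.
# Key path and value names are the ones given in the post; function names are hypothetical.
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
$DenyValues = 'Deny_Read', 'Deny_Write', 'Deny_Execute'

function Get-RemovableDiskPolicy {
    # Report each deny value; a missing key or missing value counts as not enforced.
    foreach ($name in $DenyValues) {
        $current = $null
        if (Test-Path -LiteralPath $PolicyKey) {
            $item    = Get-ItemProperty -LiteralPath $PolicyKey -Name $name -ErrorAction SilentlyContinue
            $current = $item.$name
        }
        [pscustomobject]@{
            Name     = $name
            Value    = $current
            Enforced = ($current -eq 1)
        }
    }
}

function Set-RemovableDiskPolicy {
    # Supports -WhatIf so the change can be previewed before it is written.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    if (-not (Test-Path -LiteralPath $PolicyKey)) {
        if ($PSCmdlet.ShouldProcess($PolicyKey, 'Create registry key')) {
            New-Item -Path $PolicyKey -Force | Out-Null
        }
    }
    foreach ($name in $DenyValues) {
        if ($PSCmdlet.ShouldProcess("$PolicyKey\$name", 'Set DWORD to 1')) {
            # -Force overwrites an existing value, so the function is safe to re-run.
            New-ItemProperty -LiteralPath $PolicyKey -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
        }
    }
}

# Apply the policy, then confirm that all three values read back as 1.
Set-RemovableDiskPolicy
Get-RemovableDiskPolicy | Format-Table -AutoSize
```

Running `Get-RemovableDiskPolicy` on its own at a later date shows whether any of the three values has been removed or changed since it was set.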