Skip to content

TechDirectArchive

Hands-on IT, Cloud, Security, Veeam & DevOps

  • Home
  • About
  • Advertise With US
  • Reviews
  • Contact
  • Toggle search form

Deny Execute Access: Restrict Access to USB Drives on Windows [Part 1]

Posted on 05/11/201913/12/2024 IT Expert By IT Expert No Comments on Deny Execute Access: Restrict Access to USB Drives on Windows [Part 1]
  1. Home
  2. Windows
  3. Deny Execute Access: Restrict Access to USB Drives on Windows [Part 1]
Restrict Access to USB Drives

In this article, we shall discuss “Deny execute access: Restrict Access to USB Drives on Windows”. A USB flash drive is a data storage device that includes flash memory with an integrated USB interface. I will be performing this demonstration using the Local Group Policy. In subsequent tutorials, I will cover the implementation using the Group Policy Management Console which can affect numerous PCs. Please see How to restrict access to removable Storage Drives, How to prevent installation of removable devices, and how to Restrict IP Address Range on Windows PC.

Note: Most at times, when a USB device is connected to the computer. Windows automatically detects the device, and installs all needed drivers automatically. This implies that a USB can be readily used thereby leading to a security breach.

Because of this, I will be blocking execute access to USB. Thereby preventing security leakage of confidential data and also the possible attacks of viruses into the network. Please see how to restrict access to removable Storage Drives [Part 2]

Also, see how to Disable and Enable USB Usage for Certain Users in Windows, how to link a removable media to a Deployment Share: Replicate Deployment share to a removable device, and steps to Creating a WinPE USB Drive: Fixing System Boot Issues.

Blocking access to USB on Windows

Type run in the Windows Search box as shown below. Click on the Run App

USB drive access control

In the Run dialog window, type in “gpedit.msc” as shown below and click on ok

Restricting USB drive access

Device Installation Restriction

This will open up the Local Group Policy Windows Editor and follow the steps list below to open up the “Device Installation Restriction” List as shown below.

Click on the User Configuration, then Administrative Template to expand the menu. Click on System, and click on Removable Storage Access

removable storage access

In the Removable Storage Access list, there are numerous policies allowing you to block the use of different types of storage classes as shown below. You are free to choose what policy you want from this list.

- CD and DVD: Deny execute access.
- CD and DVD: Deny read access.
- CD and DVD: Deny write access.
- Custom Classes: Deny read access.
- Custom Classes: Deny write access.
- Floppy Drives: Deny execute access.
- Floppy Drives: Deny read access.
- CD and DVD: Deny execute access.
- CD and DVD: Deny read access.
- CD and DVD: Deny write access.
- Custom Classes: Deny read access.
- Custom Classes: Deny write access.
- Floppy Drives: Deny execute access.
- Floppy Drives: Deny read access.
- Floppy Drives: Deny write access.
- Removable Disks: Deny execute access.
- Removable Disks: Deny read access.
- Removable Disks: Deny write access.
- All Removable Storage classes: Deny all access.

- All Removable Storage: Allow direct access in remote sessions.
- Tape Drives: Deny execute access.
- Tape Drives: Deny read access.
- Tape Drives: Deny write access.
- Windows Portable Device – this class includes smartphones, tablets, players, etc.
- WPD Devices: Deny write access.

Here is a screenshot of the steps below. The most powerful restrict policy below highlighted in red “All Removable Storage Classes”: Deny All Access .

This policy allows you to deny access to all types of external storage devices. As you can see, there is currently no restriction configured.

USB drive permissions

However, To enforce the restriction, double-click or right-click on any of your desired policy. You can also use “ Removable Disks: Deny execute access ” policy to disable execute access to USB drive or all types of removable storages.

Note: In addition, the “Removable Disks: Deny execute access” policy setting in Windows is a security measure that prevents executable files from running on removable storage devices like USB drives. When this policy is enabled, any attempt to execute a program or script from a removable disk will be blocked.

Removable Disks: Deny execute access

For me, I will be double clicking on the Removable Disks: Deny execute access. Click on Enabled and finally, and click on Okay.

Furthermore, To ensure the GPO takes effect immediately, run gpupdate /update from the CLI.

Please see How to Disable and Enable USB Usage for Certain Users in Windows, What is GPO and how can it be launched in Windows, and Group Policy GPUpdate Commands.

Disable Access to Removable Storage Devices for All Users with Windows Registry

To do this, launch the Windows Registry Editor, and navigate to the following key, and Double-click on Deny_All and set the value data to 1 to disable access.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices

If not present. Create and set the "Deny_All"=dword:00000001

This approach is useful in preventing malware or unauthorized software from being run from external devices. Thereby enhancing the overall security of your system.

I hope you found this article on “Deny execute access: Restrict Access to USB Drives on Windows” very useful. Please feel free to leave a comment below.

5/5 - (1 vote)

Thank you for reading this post. Kindly share it with others.

  • Share on X (Opens in new window) X
  • Share on Reddit (Opens in new window) Reddit
  • Share on LinkedIn (Opens in new window) LinkedIn
  • Share on Facebook (Opens in new window) Facebook
  • Share on Pinterest (Opens in new window) Pinterest
  • Share on Tumblr (Opens in new window) Tumblr
  • Share on Telegram (Opens in new window) Telegram
  • Share on WhatsApp (Opens in new window) WhatsApp
  • Share on Mastodon (Opens in new window) Mastodon
  • Share on Bluesky (Opens in new window) Bluesky
  • Share on Threads (Opens in new window) Threads
  • Share on Nextdoor (Opens in new window) Nextdoor
Windows Tags:disk, Microsoft Windows, USB, Windows 10, Windows 11, Windows Server 2016

Post navigation

Previous Post: How to perform vulnerability scan on Microsoft SQL Server
Next Post: Restrict access to removable Storage Drives [Part 2]

Related Posts

  • fxcgbnm
    How to export and import Windows Start layout Windows
  • How to create blue screen using the Not my Fault tool from Sysinternals
    How to create blue screen using the Not my Fault tool from Sysinternals Windows
  • Fix this PC cannot run Windows 11
    Bypass unsupported CPU and Processor by upgrading to Windows 11 via Windows Update Virtualization
  • Prevent the saving of RDP Credentials
    Prevent users from saving RDP Credentials on Windows 11 Windows
  • Featured image 4
    Focus on Tasks: Limit Distraction & Get Things Done on Windows Windows
  • screenshot 2020 04 22 at 23.28.23
    Remove saved RDP connections in Windows Windows

More Related Articles

fxcgbnm How to export and import Windows Start layout Windows
How to create blue screen using the Not my Fault tool from Sysinternals How to create blue screen using the Not my Fault tool from Sysinternals Windows
Fix this PC cannot run Windows 11 Bypass unsupported CPU and Processor by upgrading to Windows 11 via Windows Update Virtualization
Prevent the saving of RDP Credentials Prevent users from saving RDP Credentials on Windows 11 Windows
Featured image 4 Focus on Tasks: Limit Distraction & Get Things Done on Windows Windows
screenshot 2020 04 22 at 23.28.23 Remove saved RDP connections in Windows Windows

Leave a Reply Cancel reply

You must be logged in to post a comment.

Microsoft MVP

VEEAMLEGEND

vexpert-badge-stars-5

Virtual Background

GoogleNews

Categories

veeaam100

Veeam Vanguard

  • images 6
    Important Areas to Master on WSUS Windows Server
  • install git 1024x512 1
    How to install Git on macOS Version Control System
  • 785509289 780x439
    Integrate Pleasant Password Server with Active Directory Password Manager
  • apache ubuntu 20 04
    How to Install Apache HTTP Server on Ubuntu 20.04 LTS Linux
  • Fixing TPM Vulnerability
    How to fix a vulnerable Trusted Platform Module [TPM] Windows
  • veeaamAgent1
    Veeam Agent Vulnerability: Fix Veeam Agent vulnerability for Microsoft Windows  Backup
  • Resolvederror MBAM
    MBAM Policy was detected: Verify the OU used for pre-deployment does not apply MBAM policy Windows Server
  • uninstall installed Windows Update from Windows
    How to uninstall installed Windows Update Windows

Subscribe to Blog via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 1,785 other subscribers
  • RSS - Posts
  • RSS - Comments
  • About
  • Authors
  • Write for us
  • Advertise with us
  • General Terms and Conditions
  • Privacy policy
  • Feedly
  • Telegram
  • Youtube
  • Facebook
  • Instagram
  • LinkedIn
  • Tumblr
  • Pinterest
  • Twitter
  • mastodon

Tags

Active Directory Azure Bitlocker Microsoft Windows PowerShell WDS Windows 10 Windows 11 Windows Deployment Services Windows Server 2016

Copyright © 2025 TechDirectArchive

Loading Comments...

You must be logged in to post a comment.