Many organizations put security at the forefront and will never allow external devices like USB connections without going through access approval. When you connect a USB device to your computer. The system will detect the device and go ahead to install the required drivers and you will both be able to copy from and copy into the USB. But if there is a USB usage security policy in place then you will be prohibited from using it on the enterprise network. It is very possible to block everyone from the use of USB on the official network but there could be times when you just need to disable certain individuals and allow access to others. In this guide, I will be showing you How to Disable and Enable USB Usage for Certain Users.
You may find the following articles useful: How to Restrict Access to USB Drives. Also, see how to link a removable media to a Deployment Share: Replicate Deployment Share to a removable device, and how to restrict access to removable Storage Drives.
Steps to Disable Usage for All and Certain Users
What is Universal Serial Bus (USB)? The name “universal serial bus” stems from its historical beginnings as a specification designed to provide a mechanism for connector standardisation – basically it was a descriptor for the specification.
You can read more articles on USB like this on How to Create a Windows 10 or 11 bootable USB with UEFI support and How to Download the files needed to create a Lenovo USB Recovery key, How to create Windows 11 Bootable USB drive with the Media Creation Tool, How to Create a Multiboot USB with Multiple OS ISOs
Disabling USB Removable Drives in Windows with Group Policy
1: Run gpmc.msc to Open the GPO management console.
2. On the Group Policy Management right-click your Workstation OU and Create a GPO.
3. Set the New GPO name to “Disable USB Access”
4. Right-click on the New GPO and select Edit.
5. There are two configuration settings for blocking external storage devices in both the User and Computer:
Note: If you want to block USB access for all computer users, you will need to configure the settings for “Computer Configuration”.
6. In the Computer Configuration section navigate here:
Computer Configuration > Policies > Administrative Templates > System > Removable Storage Access.
In the Removable Storage Access section you will see different policies allowing you to disable the use of different types of storage classes but our focus is on All Removable Storage classes: Deny all access.
Note: This policy setting takes precedence over any individual removable storage policy settings. If you enable this policy setting no access is allowed to any removable storage class.
7. Select Enabled and click OK.
8. After enabling and updating the GPO by running this command gpupdate /force. Windows will detect any external device connected but you will not be able to access it, instead, you will see the below message:
Disable USB Usage for Certain Users via GPO
There are always exceptions to some policies or rules. For example your Domain Admins will always need access to USB, so using the GPO Security Filtering will relax the policy and will not applied to these users.
1: Select your Disable USB Access policy in the Group Policy Management console and in the Security Filtering section add the Domain Admins.
2. Click on the Delegation tab and click the Advanced. In the security settings section select Domain Admins. Under the Permissions for Domain Admins, check Deny for Apply group policy and click OK.
This configuration will deny the application of the Disable USB Access for the Domain Admins.
Please see how to Enable or Disable SuperFetch in Windows 11, how to Check and Reset Network Data Usage in Windows 11, How to prevent installation of removable devices, and how to stop Outlook from opening links in Edge Browser
FAQs on How to Disable and Enable USB Usage for Certain Users
1. Open the Group Policy Management Console
2. Select Disable USB Access policy in the Group Policy Management console and in the Security Filtering section add the Domain Admins
3. Click on the Delegation tab and click the Advanced. In the security settings section select Domain Admins. Under the Permissions for Domain Admins, check Deny for Apply group policy and click OK.
This is just the process of allowing a list of USB’s access to the computer system of an official network.
I hope you found this blog post on how to Disable and Enable USB Usage for Certain Users Interesting and helpful. In case you have any questions do not hesitate to ask in the comment section.