
How to Restrict USB Flash Drives Using Group Policies on Windows

Illustration of a security officer stopping unauthorized USB device usage with a red stop sign in the background.

To improve corporate IT security, it is useful to be able to prohibit the connection of uncontrolled devices such as USB flash drives to user workstations. Malware can spread from these devices if they have been used on unsecured computers, so it is a good idea to control which devices are authorized to connect to your machines.

Some antivirus programs provide this feature, but it's also possible to do so via Windows Group Policies.

In this article, we'll look at how you can set this up in an Active Directory environment.

Group Policy

  • We'll find everything we need for device setup in Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions:
Screenshot of Group Policy editor showing Device Installation Restrictions settings under the Default Domain Policy.

GPO Rules

There are two rules we can use to manage our USB flash drives. Let's see the main differences between them and how to configure them…

Prevent all removable media

  • If you wish to prevent the installation of all removable media, you can activate the Prevent installation of removable devices policy:
Screenshot of Group Policy editor with 'Prevent installation of removable devices' setting enabled under Device Installation Restrictions.
  • What does this do?
    • USB flash drives that have already been installed: they remain usable.
    • New USB flash drives: they are blocked.
    • All other new devices: still available for installation.
    • Enabling the Allow administrators to override Device Installation Restriction policies policy does not override this rule: new removable devices are still blocked, even for administrators.
    • Adding IDs to the Allow installation of devices that match any of these device IDs policy does not bypass this rule either.

Prevent installation of new devices

  • It is possible to prevent the installation of new devices:

⚠️ It's important to note that this policy prevents the installation of all new devices, not just USB sticks. Be careful when restoring a system backup to a new machine: Windows won't boot, because it will not be able to install drivers for the new hardware. ⚠️

Screenshot of Group Policy editor with 'Prevent installation of devices not described by other policy settings' setting enabled under Device Installation Restrictions.
  • What does this do?
    • USB flash drives that have already been installed: they remain usable.
    • New USB flash drives: they are blocked.
    • All other new devices: they are blocked.
    • Enabling the Allow administrators to override Device Installation Restriction policies policy: administrators are able to install new devices.
    • Adding IDs to the Allow installation of devices that match any of these device IDs policy: the specified devices can be installed.

Adding Exceptions

Unlike the Prevent all removable media rule, this rule lets us add exceptions (an allow list, or whitelist) for the devices we want to keep using. To do this, we can use either device IDs or device instance IDs.

Exceptions with device IDs

  • In the Device Manager, right-click your device and click on Properties:
Screenshot of device manager showing context menu for a USB Flash Disk with the 'Properties' option highlighted.
  • In the Details tab, select the Hardware Ids property and copy its value:
Screenshot of USB device properties window showing hardware IDs under the 'Details' tab for a Voyager GT 3.0 device.
  • Edit the Allow installation of devices that match any of these device IDs policy and paste the ID value:
Screenshot of Group Policy editor showing the 'Allow installation of devices that match any of these device IDs' window with a specific USB hardware ID entered and the OK button highlighted.

Exceptions with device instance IDs

  • In the Device Manager, right-click your device and click on Properties:
Screenshot of USB device properties window showing hardware IDs under the 'Details' tab for a Voyager GT 3.0 device.
  • In the Details tab, select the Device instance path property and copy its value:
Screenshot of USB device properties window showing the 'Device instance path' under the 'Details' tab with a specific USB ID value displayed.
  • Edit the Allow installation of devices that match any of these device instance IDs policy and paste the ID value:
Screenshot of Group Policy editor with 'Allow installation of devices that match any of these device instance IDs' window open, showing a specific USB instance ID and the OK button highlighted.
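To check on a workstation whether the GPO has actually applied and whether a plugged-in USB storage device is covered by one of the allow lists, the following PowerShell script (an added example, not part of the original article) reads the policy values the GPO writes under the local DeviceInstall\Restrictions registry key and compares them with the hardware IDs and instance paths reported by Plug and Play. It assumes Windows 10 or 11, the built-in PnpDevice module, and an elevated session; the registry values and DEVPKEY names are the standard ones Windows uses for these policies.

```powershell
# Added example (not from the original article). Audit the locally applied
# Device Installation Restrictions policy against connected USB storage devices.
# Assumptions: Windows 10/11, PnpDevice module, run as Administrator, and
# gpupdate has already been run so the GPO values are present in the registry.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Get-AllowList([string]$SubKey) {
    # Each allowed ID is stored as a string value named 1, 2, 3 ... under the subkey.
    $path = Join-Path $policyRoot $SubKey
    if (-not (Test-Path $path)) { return @() }
    (Get-ItemProperty -Path $path).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { $_.Value }
}

$allowedDeviceIds   = @(Get-AllowList 'AllowDeviceIDs')
$allowedInstanceIds = @(Get-AllowList 'AllowDeviceInstanceIDs')

$policy = Get-ItemProperty -Path $policyRoot -ErrorAction SilentlyContinue
"Prevent installation of removable devices  : $($policy.DenyRemovableDevices -eq 1)"
"Prevent installation of unspecified devices: $($policy.DenyUnspecified -eq 1)"
"Allow administrators to override            : $($policy.AllowAdminInstall -eq 1)"
"Allowed device IDs   : $($allowedDeviceIds.Count)   Allowed instance IDs: $($allowedInstanceIds.Count)"

# A USB flash drive appears as several device nodes; the USB\VID_... node and the
# USBSTOR\... node are the ones whose IDs are normally placed in the allow lists.
Get-PnpDevice -PresentOnly |
    Where-Object { $_.InstanceId -like 'USB\VID_*' -or $_.InstanceId -like 'USBSTOR\*' } |
    ForEach-Object {
        $hwIds = @((Get-PnpDeviceProperty -InstanceId $_.InstanceId `
                        -KeyName 'DEVPKEY_Device_HardwareIds').Data)
        $byInstance = $allowedInstanceIds -contains $_.InstanceId
        $byHwId     = [bool]($hwIds | Where-Object { $allowedDeviceIds -contains $_ })
        [pscustomobject]@{
            FriendlyName = $_.FriendlyName
            InstanceId   = $_.InstanceId
            HardwareId   = $hwIds[0]
            Allowed      = $byInstance -or $byHwId
        }
    } | Format-Table -AutoSize
```

A device that shows Allowed = False while the Prevent installation of devices not described by other policy settings policy is enabled will be blocked the next time it is installed.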

Remove installed USB Devices

As we saw above, previously installed USB drives remain usable despite the policy rules. To close that gap, we need to remove those devices. There are two ways to do this: from the Windows Device Manager console or with NirSoft's USBDeview tool.

Windows Device Manager Console

  • Open the Windows Device Manager console:
Screenshot of the Windows Run dialog with 'devmgmt.msc' entered in the Open field and the OK button highlighted.
  • Show hidden devices:
Screenshot of Device Manager with the View menu open and 'Show hidden devices' option highlighted.
  • And remove devices already installed:
Screenshot of Device Manager showing the context menu for a USB Mass Storage Device with the 'Uninstall device' option highlighted and an arrow pointing to it.

USBDeview

  • We can also use NirSoft's USBDeview tool, downloadable here https://www.nirsoft.net/. The main advantage is that you can remove several devices at the same time:
Screenshot of USBDeview tool showing a list of USB devices with the context menu open and the 'Uninstall Selected Devices' option highlighted.
  • We can also use it to get useful information, such as the instance ID and serial number:
Screenshot of USBDeview showing detailed properties of a Voyager GT 3.0 USB device, including serial number, vendor ID, product ID, and driver details.
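The same clean-up can be scripted for many workstations. The PowerShell script below (an added example, not from the original article or from NirSoft) lists the USB storage devices that were installed earlier but are not currently connected, i.e. the entries Device Manager only shows with Show hidden devices, and uninstalls them with pnputil when run with -Remove. It assumes Windows 10 version 1903 or later (pnputil /remove-device) and an elevated session.

```powershell
# Added example (not from the original article). Report, and optionally remove,
# USB storage device nodes that are no longer present so that the installation
# policy applies the next time they are plugged in.
# Assumptions: Windows 10 1903+ for 'pnputil /remove-device', run as Administrator.
param(
    [switch]$Remove   # without -Remove the script only reports what it would do
)

# Get-PnpDevice without -PresentOnly also returns non-present (hidden) devices;
# for those, Present is $false. USBSTOR is the enumerator for USB mass storage.
$stale = @(Get-PnpDevice |
    Where-Object { -not $_.Present -and $_.InstanceId -like 'USBSTOR\*' })

if ($stale.Count -eq 0) {
    'No hidden USB storage devices found.'
    return
}

foreach ($dev in $stale) {
    # The last segment of a USBSTOR instance path is the drive's serial number
    # (or a Windows-generated id when the drive reports none), suffixed with &0.
    $serial = ($dev.InstanceId -split '\\')[-1]
    '{0}  [{1}]  serial={2}' -f $dev.FriendlyName, $dev.InstanceId, $serial

    if ($Remove) {
        # Removes the device node; the device will be treated as new next time.
        pnputil /remove-device $dev.InstanceId
    }
}

if (-not $Remove) {
    'Run again with -Remove to uninstall the {0} device(s) listed above.' -f $stale.Count
}
```

Run it first without -Remove and review the list; the serial numbers it prints are the same values USBDeview shows in the device properties.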
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
