
How to Manage USB Flash Drive Access Using Group Policy in Windows


To enhance corporate IT security, it is essential to limit the use of unmanaged peripherals such as USB flash drives on workstations. These devices can carry viruses if previously connected to unsecured systems. Controlling which devices are authorized to connect is a key step toward reducing risks.

While some antivirus solutions offer this functionality, it is also possible to enforce such restrictions using Windows Group Policies.

This article explains how to configure these policies within an Active Directory environment.

Group Policy

  • To configure USB device restrictions, open the Group Policy Management Editor and navigate to: Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions:
Screenshot of Group Policy editor showing Device Installation Restrictions settings under the Default Domain Policy.

GPO Rules

To control USB flash drive access, two main Group Policy rules are available. The first blocks all removable media, while the second blocks any new devices not explicitly allowed. Below is a comparison of both and guidance on how to configure them effectively.

Prevent All Removable Media

  • To block the installation of all removable media, enable the Prevent installation of removable devices policy in Group Policy:
Screenshot of Group Policy editor with 'Prevent installation of removable devices' setting enabled under Device Installation Restrictions.
  • Effect of this policy:
    • Previously installed USB flash drives: remain functional.
    • New USB flash drives: installation is blocked.
    • Other new devices: installation is allowed.
    • Allow administrators to override Device Installation Restriction policies: this rule will still apply; administrators cannot bypass it.
    • Allow installation of devices that match any of these device IDs: not effective for this rule; exceptions won't apply.

Prevent Installation of New Devices

To block all new device installations—including USB flash drives—enable the Prevent installation of devices not described by other policy settings policy.

⚠️ Caution: This rule blocks all new hardware devices, not just USB drives. If you restore a system backup on different hardware, Windows may fail to boot due to missing drivers.

Screenshot of Group Policy editor with 'Prevent installation of devices not described by other policy settings' setting enabled under Device Installation Restrictions.
  • Effect of this policy:
    • Previously installed USB flash drives: still usable.
    • New USB flash drives: installation blocked.
    • All other new devices: installation blocked.
    • Allow administrators to override Device Installation Restriction policies: administrators can install devices if enabled.
    • Allow installation of devices that match any of these device IDs: allows whitelisting specific hardware.
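To check which of the two rules compared above is actually in effect on a workstation after a policy refresh, the following script (added here; not part of the original article) reads the registry values the Device Installation Restrictions GPO writes. The value names are those defined in the DeviceInstallation ADMX template; run it elevated as a .ps1.

```powershell
# Added example (not from the original article): read the registry values the Device
# Installation Restrictions GPO writes, to verify which rule is in effect on a workstation
# after gpupdate. Value names come from the DeviceInstallation ADMX. Run elevated.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

if (-not (Test-Path $base)) {
    Write-Output 'No Device Installation Restrictions policy is applied on this machine.'
    return
}
$r = Get-ItemProperty -Path $base

# Each policy in the article maps to a DWORD: 1 = enabled, 0 or absent = not configured.
$settings = [ordered]@{
    'Prevent installation of removable devices'                        = $r.DenyRemovableDevices
    'Prevent installation of devices not described by other policy'    = $r.DenyUnspecified
    'Allow administrators to override restrictions'                    = $r.AllowAdminInstall
    'Allow devices matching these device IDs (list enabled)'           = $r.AllowDeviceIDs
    'Allow devices matching these device instance IDs (list enabled)'  = $r.AllowDeviceInstanceIDs
}
foreach ($name in $settings.Keys) {
    $state = if ($settings[$name] -eq 1) { 'Enabled' } else { 'Not configured' }
    Write-Output ('{0,-66} {1}' -f $name, $state)
}

# The allow lists are stored in subkeys; each entry is a numbered string value ("1", "2", ...).
foreach ($list in 'AllowDeviceIDs', 'AllowDeviceInstanceIDs') {
    $sub = Join-Path $base $list
    if (Test-Path $sub) {
        Write-Output "`n$list entries:"
        (Get-ItemProperty -Path $sub).PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } |
            ForEach-Object { Write-Output ('  ' + $_.Value) }
    }
}

# As the article notes, the removable-devices rule ignores the allow lists, so flag
# a configuration where both are set.
if ($r.DenyRemovableDevices -eq 1 -and ($r.AllowDeviceIDs -eq 1 -or $r.AllowDeviceInstanceIDs -eq 1)) {
    Write-Warning 'Allow lists are set but are ignored while "Prevent installation of removable devices" is enabled.'
}
```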

Adding Exceptions

Unlike the “Prevent all removable media” rule, the “Prevent installation of devices not described by other policy settings” rule supports exceptions. You can allow specific devices by defining either their hardware IDs or their device instance IDs.

Exceptions with Device IDs

  • Open Device Manager, right-click the device, and select Properties:
Screenshot of device manager showing context menu for a USB Flash Disk with the 'Properties' option highlighted.
  • Under the Details tab, select Hardware Ids and copy the desired value:
Screenshot of USB device properties window showing hardware IDs under the 'Details' tab for a Voyager GT 3.0 device.
  • Edit the policy Allow installation of devices that match any of these device IDs and paste the copied ID:
Screenshot of Group Policy editor showing the 'Allow installation of devices that match any of these device IDs' window with a specific USB hardware ID entered and the OK button highlighted.

Exceptions with Device Instance IDs

  • In Device Manager, open the device properties as before:
  • Under Details, choose Device instance path and copy the ID:
Screenshot of USB device properties window showing the 'Device instance path' under the 'Details' tab with a specific USB ID value displayed.
  • Edit the policy Allow installation of devices that match any of these device instance IDs and paste the copied value:
Screenshot of Group Policy editor with 'Allow installation of devices that match any of these device instance IDs' window open, showing a specific USB instance ID and the OK button highlighted.
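Copying IDs one device at a time from Device Manager does not scale; the script below (an added example, not from the original article) gathers the hardware ID and device instance path of every connected USB storage device in one listing, ready to paste into either allow-list policy. It uses the PnpDevice module cmdlets available on Windows 8 / Server 2012 and later.

```powershell
# Added example (not from the original article): collect, in one listing, the values the
# article has you copy from Device Manager for every connected USB storage device.
# Uses the PnpDevice module (Windows 8 / Server 2012 and later).
function Get-UsbStorageIds {
    # Flash drives expose a disk node whose instance path starts with USBSTOR\.
    Get-PnpDevice -PresentOnly -Class DiskDrive |
        Where-Object { $_.InstanceId -like 'USBSTOR\*' } |
        ForEach-Object {
            [pscustomobject]@{
                FriendlyName = $_.FriendlyName
                # HardwareID lists the most specific ID first; that is the value the
                # "device IDs" policy matches (it admits every unit of that model).
                HardwareId   = $_.HardwareID | Select-Object -First 1
                # The device instance path is what the "device instance IDs" policy
                # matches; it includes the serial, so it pins one physical device.
                InstanceId   = $_.InstanceId
            }
        }
}

$devices = Get-UsbStorageIds
$devices | Format-Table -AutoSize

# Emit both lists so either allow-list policy can be populated.
"`nValues for 'Allow installation of devices that match any of these device IDs':"
$devices.HardwareId | Sort-Object -Unique
"`nValues for 'Allow installation of devices that match any of these device instance IDs':"
$devices.InstanceId
```

Prefer instance IDs when the exception should cover one specific stick rather than every drive of the same model.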

Remove Installed USB Devices

Even after applying Group Policy restrictions, previously installed USB flash drives will remain accessible. To fully enforce your policy, these devices must be manually removed from the system.

Method 1: Using Device Manager

  • Open the Device Manager console. You can do this by typing devmgmt.msc in the Run dialog:
Screenshot of the Windows Run dialog with 'devmgmt.msc' entered in the Open field and the OK button highlighted.
  • Enable Show hidden devices to display all previously connected USB drives:
Screenshot of Device Manager with the View menu open and 'Show hidden devices' option highlighted.
  • Locate the USB Mass Storage Devices, right-click on each, and select Uninstall device:
Screenshot of Device Manager showing the context menu for a USB Mass Storage Device with the 'Uninstall device' option highlighted and an arrow pointing to it.
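The same cleanup can be scripted for many machines. The following is an added example (not from the original article): it lists the disconnected "hidden" USB Mass Storage Device nodes that Method 1 has you uninstall by hand and removes them with pnputil. It assumes Windows 10 version 1903 or later, where pnputil supports /remove-device, and an elevated session.

```powershell
# Added example (not from the original article): the Device Manager steps above, scripted.
# "Show hidden devices" corresponds to devices Get-PnpDevice reports with Present = $false;
# the "USB Mass Storage Device" nodes are the USB-class devices served by the USBSTOR driver.
# pnputil /remove-device exists from Windows 10 version 1903 onwards; run elevated.
function Get-StaleUsbMassStorage {
    # Without -PresentOnly, disconnected (hidden) devices are returned as well.
    Get-PnpDevice -Class USB | Where-Object {
        $_.Service -eq 'USBSTOR' -and -not $_.Present
    }
}

function Remove-StaleUsbMassStorage {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($dev in Get-StaleUsbMassStorage) {
        if ($PSCmdlet.ShouldProcess($dev.InstanceId, 'Uninstall stale USB Mass Storage Device')) {
            # Same effect as "Uninstall device" in Device Manager for that node.
            pnputil.exe /remove-device "$($dev.InstanceId)"
        }
    }
}

# Review the list first; -WhatIf shows what would be removed without changing anything.
Get-StaleUsbMassStorage | Select-Object FriendlyName, Status, InstanceId | Format-Table -AutoSize
Remove-StaleUsbMassStorage -WhatIf
# Remove-StaleUsbMassStorage   # run without -WhatIf to actually uninstall them
```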

Method 2: Using USBDeview (NirSoft)

An alternative and more efficient method is to use USBDeview from NirSoft, available at https://www.nirsoft.net/.

  • This tool allows you to list and remove multiple USB devices at once:
Screenshot of USBDeview tool showing a list of USB devices with the context menu open and the 'Uninstall Selected Devices' option highlighted.
  • It also displays detailed device information such as Instance ID and Serial Number:
Screenshot of USBDeview showing detailed properties of a Voyager GT 3.0 USB device, including serial number, vendor ID, product ID, and driver details.