Control USB storage devices using GPO

Introduction

I was recently asked a question about my entry on this post
https://community.spiceworks.com/topic/430901-usb-lockdown-thoughts-ideas?page=1 regarding the method I use to lock down USB storage but still allow devices, such as smart phones and tablets, to charge on the USB ports.

Steps (4 total)

1. Create security groups

Open Active Directory Users and Computers and create two appropriately named security groups.

It might be useful to locate these groups in a dedicated container for GPO linking purposes; however, we will be using item-level targeting, so this is not a mandatory requirement.

2. Create Group Policy objects

Open Group Policy Editor and create your GPOs.

Name them appropriately such as USB_LOCK and USB_OPEN.

You can use either user or computer based settings for this to work and there are advantages and disadvantages for each.

Edit each of the policies and navigate to item-level targeting. Assign each policy to its corresponding security group (for example, the USB_LOCK group is selected in the USB_LOCK GPO).

Add the following registry key to each of the policies as appropriate.

USB_LOCK:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
"Start"=dword:00000004

USB_OPEN:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
"Start"=dword:00000003

3. Update Group Policy

You will need to either wait for GPUpdate to run in your environment, or force it to run before the settings take effect.

4. Control USB storage device access

To remove a user's (or PC's) access to USB storage devices, place the user (or computer) object into the LOCK security group you created in step 1.

To allow access, place the user object into the OPEN group.
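
To confirm that the policy actually took effect after the refresh in step 3, the following PowerShell script reads the USBSTOR Start value and compares it with the two values set in step 2. It is an added example, not part of the original guide; the -ComputerName parameter and the use of PowerShell remoting (WinRM) for remote machines are assumptions.

```powershell
# Added example: audit the USBSTOR "Start" value after a Group Policy refresh
# (wait for the refresh or run "gpupdate /force" first, as in step 3).
# Assumption: remote machines are reachable through PowerShell remoting (WinRM).
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME)
)

# Runs on each target: read the value the GPOs in step 2 are meant to set.
$check = {
    $path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    $value = Get-ItemProperty -Path $path -Name Start -ErrorAction SilentlyContinue

    if ($null -eq $value) {
        # Key or value absent: the policy has nothing to act on yet.
        $start = $null
        $state = 'UNKNOWN: USBSTOR Start value not found'
    } else {
        $start = $value.Start
        if     ($start -eq 4) { $state = 'LOCKED: matches USB_LOCK' }
        elseif ($start -eq 3) { $state = 'OPEN: matches USB_OPEN' }
        else                  { $state = "UNEXPECTED: Start=$start" }
    }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Start    = $start
        State    = $state
    }
}

$results = foreach ($name in $ComputerName) {
    if ($name -eq $env:COMPUTERNAME) {
        & $check                      # local machine: no remoting needed
    } else {
        try {
            Invoke-Command -ComputerName $name -ScriptBlock $check -ErrorAction Stop |
                Select-Object Computer, Start, State
        } catch {
            # Report unreachable hosts instead of silently skipping them.
            [pscustomobject]@{ Computer = $name; Start = $null
                               State = "UNREACHABLE: $($_.Exception.Message)" }
        }
    }
}

$results | Sort-Object Computer | Format-Table -AutoSize
```

A machine in the LOCK group that still reports OPEN has not yet applied the policy, or the item-level targeting did not match that user or computer.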

Conclusion

The above guide provides a simple and zero cost solution to regain control of storage device access in almost all circumstances in a BYOD world.