This tutorial will show you how to configure group policy to disable USB write access on removable devices on Windows 2012 server.
This tutorial will also show how to disable the write access on CD or DVD.
This will help your computer environment achieve a higher security level.
The domain controller is running Windows 2012 R2.
The domain computers are running Windows 7 and 10.
Hardware List:
The following section presents the list of equipment used to create this Windows tutorial.
Every piece of hardware listed above can be found at Amazon website.
Windows Playlist:
On this page, we offer quick access to a list of videos related to Windows.
Don’t forget to subscribe to our youtube channel named FKIT.
Windows Related Tutorial:
On this page, we offer quick access to a list of tutorials related to Windows.
Tutorial – Creating the GPO to Disable USB Write Access
The following tasks were executed on a domain controller running Windows 2012 R2 with Active directory.
Click on the Start menu, locate and open the Group Policy Management tool.
On the Group Policy Management screen, locate the folder named Group Policy Objects.
Right-click the Group Policy Objects folder and select the New option.
Enter a name for your new policy.
In our example, the new GPO was named: DENY USB WRITE.
On the Group Policy Management screen, expand the folder named Group Policy Objects.
Right-click your new Group Policy Object and select the Edit option.
On the group policy editor screen, you will be presented to User configurations and Computer configurations.
We will change only the Computer configurations.
We don’t need to change any User configuration.
On the group policy editor screen, expand the Computer configuration folder and locate the following item.
• Computer Configuration > Administrative Templates > System > Removable Storage Access
On the right, the list of available configuration options will be presented.
First, let’s disable the write access to USB Storage devices.
Double click the configuration item named Removable Disks: Deny write access.
On the configuration item screen, you need to select the Enable option.
If you also want to disable the write access to CD and DVD.
Double click the configuration item named CD and DVD: Deny write access.
On the configuration item screen, you need to select the Enable option.
To finish the group policy creation you need to close the Group policy editor window.
Only when you close the group policy window, the system will save your configuration.
Tutorial – Applying the USB Write Access Restriction GPO
You have finished the creation of the network restriction GPO.
But, you still need to enable the use of your new Group Policy.
On the Group policy management screen, you need to right-click the Organizational Unit desired and select the option to link an existent GPO.
In our example, we are going to link the group policy named DENY USB WRITE to the root of our domain named TECH.LOCAL.
After applying the GPO you need to wait for 10 or 20 minutes.
During this time the GPO will be replicated to other domain controllers that you might have.
After waiting 20 minutes, you should reboot a user’s computer.
During the boot, the computer will get and apply a copy of the new group policy.
To test the configuration, you need to connect a USB storage drive to the computer and try to save a file.
Your computer should automatically deny the write access to USB storage device.