I'm having trouble turning off USB Mass Storage with Windows GPE or the Registry Editor.
I own a Windows PC where USB mass storage must be turned off. I accessed the Group Policy Editor and activated all three removable disk policies that block R, W, X access. I set the policy to block all removable storage classes and disabled direct remote access to these devices. Yet after restarting my machine, external USBs could still be detected and their files accessed (such as opening .txt files). I then checked the registry for specific keys related to USB storage and adjusted their values, including modifying the Start value in two registry paths and creating a new subkey under USBTOR with a DWORD set to 1. Despite these changes, my PC continues to identify and interact with USB mass storage devices. I am unsure if further adjustments to policies or registry entries are necessary to fully disable this functionality.
When you made the different configuration changes, did you make sure to save them or verify that they were applied? This is assuming you had adequate administrative privileges from the start.
Restricting access for users other than the admin is recommended, though alternative methods exist beyond Windows. You might check the BIOS settings to turn off USB ports, which are often present in business-grade computers. Remember to set a BIOS password. Another option is to unplug the front ports or cut the Data+ and/or - lines, rendering them usable for charging but preventing data transfer. For rear ports, installing USB lock/blockers is possible, which can be removed when needed for reinstalling Windows. Large organizations may opt for software like USB Lock RP or USB Block to manage USB ports centrally on all company computers.
I checked the registry and noticed that for both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER, the RemovableStorageDevices key had the Deny_All value set to 1. Besides examining the registry and testing with a USB device, I don’t have another method to confirm the changes were applied.
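A read-only way to confirm the settings described in the posts above, as an added example that is not part of the thread. The registry paths and the removable-disk class GUID are the standard Windows locations and are assumptions here, since the thread does not spell them out.

```powershell
# Added example: read-only check of removable-storage hardening state.
# Run in an elevated PowerShell session. Nothing here changes any setting.

# Assumed standard policy locations (machine and current user).
$policyRoots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
)
# Device-class GUID behind the "Removable Disks" deny read/write/execute policies.
$removableDisks = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns the value data, or $null when the key or value does not exist.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$report = @(foreach ($root in $policyRoots) {
    [pscustomobject]@{ Key = $root; Value = 'Deny_All'; Data = Get-RegValue $root 'Deny_All' }
    $classKey = "$root\$removableDisks"
    foreach ($v in 'Deny_Read', 'Deny_Write', 'Deny_Execute') {
        [pscustomobject]@{ Key = $classKey; Value = $v; Data = Get-RegValue $classKey $v }
    }
})

# USB mass-storage driver service: Start = 4 is disabled, 3 is load on demand.
$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$report += [pscustomobject]@{ Key = $svc; Value = 'Start'; Data = Get-RegValue $svc 'Start' }

# An empty Data column means the value is not set at that location.
$report | Format-Table -AutoSize -Wrap

# USB mass-storage devices that are plugged in right now.
# Status 'OK' means the driver loaded and the drive is usable despite the settings above.
Get-PnpDevice -Class 'DiskDrive' -PresentOnly -ErrorAction SilentlyContinue |
    Where-Object { $_.InstanceId -like 'USBSTOR\*' } |
    Select-Object Status, FriendlyName, InstanceId |
    Format-Table -AutoSize
```

If a policy value is empty here even though it is enabled in the Group Policy Editor, the policy has not been written to the registry; `gpupdate /force` reapplies it. Run the script with a test drive plugged in so the second table has something to show.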
It seems your conditions are mutually exclusive: you cannot turn off USB ports for storage devices while permitting other peripherals like keyboards or mice to access them. Yet there might still be workable options. You've already tried registry modifications without success. Please remember that registry changes should only be considered after backing up the system completely, including the registry itself.
One approach could involve using PowerShell.
For reference:
https://thedroidguy.com/how-to-disable-u...en-1263570
This resource offers suggestions that might help resolve these conflicts. It includes tips on registry adjustments and the use of PowerShell commands.
Other useful links are available:
https://www.windows11forums.com/art...po...curity.55/
Blocking USB ports is something I haven't handled before (full disclosure), and I don't endorse or suggest any specific app or tool.
PowerShell can help identify connected devices, for instance:
Get-PNPDevice -Class 'USB'
Get-PNPDevice -FriendlyName '*USB*'
The general idea is to check if a device is labeled as "storage" and then disable the USB port via "Stop-Service". Alternatively, you can query the system for HID devices and manage them accordingly.
Usually, a detailed PowerShell script would be needed, and even then, bypassing these restrictions might remain possible.
USB Class codes:
https://www.usb.org/defined-class-codes
It should be feasible to turn off USB mass storage without shutting down the ports by disabling the USB Hub. I verified this on another machine and it functioned correctly. Yet the device on which I need to disable removable drives isn’t letting me disable the USB Hub. I opened a new thread since it doesn’t involve any GPO or registry adjustments I’ve already made.
Hubs are a Base Class - 09h.
The message indicates difficulty disabling removable devices when trying to disable a USB Hub. The specific error messages or details about failures were not provided. It seems there is a concern about distinguishing USB-connected devices and potential security implications.