How to Prevent Users From Installing Removable Devices in Windows


With more and more malicious programs and worms circulating through removable media like thumb drives, it is only natural to want to restrict or prevent users from installing their own removable devices. Blocking the installation of external removable devices renders them inaccessible. This is particularly helpful in an organization, or when you are using public hotspots and leave your machine for short amounts of time to grab a cup of coffee or something.

If you ever need to, here is how you can use the Windows Group Policy Editor to block users from installing removable devices.

Since we are using the Group Policy Editor to manage the changes, you need a Pro or Enterprise version of Windows. Depending on your needs, you can apply the changes to the whole network. First, press “Win + R,” type gpedit.msc and press the Enter button to open the Group Policy Editor.


Once the Group Policy Editor has been opened, navigate to the following location “Computer Configuration –> Administrative Templates –> System –> Device Installation –> Device Installation Restrictions”. Here, find and double-click on the setting “Prevent Installation of Removable Devices.”


The above action will open the removable devices settings window. Here, select the radio button “Enabled” and click on the “OK” button to save the changes.


That’s all there is to do and from this point forward, no user (including the administrator) can install removable devices.

If you want to, you can display a custom message whenever Windows blocks the installation of a removable device. For that, you need to configure the policy “Display a custom message when installation is prevented by a policy setting.”


One thing to keep in mind while configuring this setting is that this policy setting will take priority over all the settings in this group.

As you can see, the downside of configuring this setting is that even the administrators are blocked from installing removable devices and this will be a pain at times. Fortunately, you can configure Group Policy and allow administrators to bypass this restriction.

To do that, double-click on the policy “Allow Administrators to Override Device Installation Restriction.”


The above action will open the respective policy settings window. Here, select the option “Enabled” and click on the “OK” button to save the changes. Once you are done with the changes, restart your system and you are good to go.


From this point forward, the administrators can easily override the device installation restrictions without having to mess with Group Policy settings frequently. As a side note, this policy will take precedence over and above all other policies configured in this group (including the restrictions placed above).


If you don’t want to block all installations of removable devices, you can configure Group Policy to allow installation only for devices with listed hardware IDs. To do that, you need to enable the setting “Allow installation of devices that match any of these device IDs.” While enabling it, don’t forget to add the hardware IDs by clicking on the “Show” button.


In case you are wondering, you can easily find your device hardware ID by opening Device Manager, right-clicking on the device and selecting the option “Properties.” Here, navigate to the “Details” tab and select “Hardware IDs” from the dropdown list.
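
The settings configured above can be checked from PowerShell instead of clicking through each dialog. The script below is an added example, not part of the original article: it reads the registry values these policies write and marks which currently connected USB devices have a hardware ID on the allow list. The registry location (HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions) is not mentioned in the article and is assumed here, and the function names are made up for illustration.

```powershell
# Added example: audit the Device Installation Restrictions policy values and
# compare the configured allow list with the USB devices currently present.
# Assumption: the policies are stored under this key (not stated in the article).
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Get-PolicyFlag {
    param([string]$Name)
    # A missing key or value means the setting is "Not Configured".
    $item = Get-ItemProperty -Path $base -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Not Configured' }
    if ($item.$Name -eq 1) { return 'Enabled' }
    return 'Disabled'
}

function Get-AllowedDeviceId {
    # The "Show" list is stored as string values in a subkey of the same name.
    $key = Get-Item -Path "$base\AllowDeviceIDs" -ErrorAction SilentlyContinue
    if ($null -eq $key) { return @() }
    return @($key.GetValueNames() | ForEach-Object { $key.GetValue($_) })
}

function Test-DeviceAllowed {
    param([string[]]$HardwareId, [string[]]$AllowList)
    # Case-insensitive exact match of any hardware ID against the list.
    foreach ($id in $HardwareId) {
        if ($AllowList -contains $id) { return $true }
    }
    return $false
}

# Report the three settings discussed in the article.
[pscustomobject]@{
    PreventRemovableDevices = Get-PolicyFlag 'DenyRemovableDevices'
    AdminOverride           = Get-PolicyFlag 'AllowAdminInstall'
    AllowListEnabled        = Get-PolicyFlag 'AllowDeviceIDs'
} | Format-List

# List present USB devices with their hardware IDs and allow-list status.
$allow = Get-AllowedDeviceId
Get-PnpDevice -PresentOnly |
    Where-Object { $_.InstanceId -like 'USB\*' -or $_.InstanceId -like 'USBSTOR\*' } |
    Select-Object FriendlyName,
        @{ n = 'HardwareID'; e = { $_.HardwareID -join '; ' } },
        @{ n = 'OnAllowList'; e = { Test-DeviceAllowed $_.HardwareID $allow } } |
    Format-Table -AutoSize -Wrap
```

The hardware IDs printed in the table are the same strings Device Manager shows on the “Details” tab, so they can be copied into the “Show” list.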


That’s all there is to do, and it is that simple to restrict users from installing removable devices using the inbuilt Group Policy Editor. The good thing about the methods shared above is that they just work with simple settings and also eliminate any need for installing third-party software to achieve the same result.

Hopefully, this helps and do comment below sharing your thoughts and experiences about using this simple method to block removable device installations.

5 comments

  1. This is quite useless, since as long as it is enabled in the BIOS nothing will prevent me from booting from a USB device, and modifying the filesystem of the hard drive.

    So if you do this as a security measure: forget it, this will instill a fake sense of security which is worse than no security…

    • Most users are not going to go into the BIOS and those who are will get around something like this I agree. You should also add a BIOS password for another level too. Thanks for pointing this out Ronald.

    • I don’t think average users are smart enough to know how to get into the BIOS in a professional business environment and if there’s secure info on the computers, BitLocker would prevent them from getting to it from a USB flash drive anyway, given that you have BitLocker set up to encrypt the drives on each computer. But a smart admin would set up network drives that only someone part of the domain could access given the proper permissions rendering access to the BIOS useless if trying to get the data. The purpose for this GPO isn’t to prevent someone from booting to a flash drive. Its purpose is more to prevent users from putting media on a flash drive like music and movies and watching/listening to those files during work or to prevent users from taking classified information off of the computer or network drives and storing them onto the flash drive for personal gain. Sorry to ruin your fun, Ronald.

      So when proper precautions are taken, this GPO is actually really useful, but it would be a pain to enter hardware IDs for all the exceptions in a bigger company that used a large amount of USB devices (i.e. voice recorders, printers for supervisors, cameras, etc).

      • I pointed out that if you use it as a security measure this is not enough, and in the case of security measures: one failure is all it takes to infect your network. Or to paraphrase a quote (I cannot remember who it is from) : “You must defend against the enemy’s possibilities not his -imagined- intentions.”

        So what is not said in the article is that there are other lines of attack that one should secure as well.

  2. Thank you V. Krishna! As usual your articles are spot on and a lot of tech forget this stuff. Your article was actually a tech question I had for a telephone screening and in-person interview for a job.
    I guess a lot of commenters forgot that bad-USB is still out there. I worked, as IT support, in both a large office and small office. You would be amazed what employees are doing with their USBs on company time.
