How to Restrict Access to Removable Devices in Windows 10?

Restrict access to removable devices is a security practice to prevent someone from copying sensitive data onto USB, CD, or other types of removable devices. This is just work for local access to a system. And restrict access to removable devices physically if some want to copy your files to all removable devices, but it can not protect uploading files to file upload centers or Microsoft One Drive, Google Drive etc…

The process will going to accomplish through Group Policy. The group policy settings will apply to all computer users and prevent access to all types of removable devices and medias that are classified as removable devices.

Restrict Access to Removable Devices in Windows 10

By default in all Windows clients, a user has the ability to copy files to any removable devices without any privilege restriction. So try to restrict access to removable devices in Windows client Windows 10. It works the same for Windows 8.1, 7.

  1. Open the Group Policy by typing “Gpedit.msc” to the Windows Run and Navigate to Computer Configuration, Administrative Templates, System, Removable Storage Access.
Removable Storage Access - Restrict Access to Removable Devices
Removable Storage Access – Restrict Access to Removable Devices

2. All Removable Storage Access are defined clearly. Double click a setting and enable it. For example, you want to prevent that users can not execute any executable files from their removable devices. Double click the Removable Disk Deny Execute Access, then select Enable and click OK to apply changes.

Removable Disk Deny Execute Access
Removable Disk Deny Execute Access

Apply the other settings the same as this one. For USB devices, CD and DVD writers, and others.

3. To apply changes immediately configures the amount of time (in seconds) that the operating system waits to reboot in order to enforce a change in access rights to removable storage devices.

Set Time In Seconds to Force Reboot
Set Time In Seconds to Force Reboot

If you want to enable this policy settings, set the number of seconds. It works in second not minutes. If you don’t reboot the system, it will not take effect, even by updating group policy with “Gpupdate /force” command.

4. Reboot the system and see the result. Plug a USB to your computer and test the settings you have applied through group policy.

Remember: In order to apply Restrict access to removable devices policy to specific user or group, configure it from User Configuration of Group Policy settings.

Hope this will help to protect your data from copying by unwanted users. Feel free to ask your questions about Windows Group Policy through comment area. Or read more articles related to group policy.

You might also like
6 Comments
  1. Beto says

    It won’t work when you set it by User Configuration.

    1. Shais says

      Hi Beto,
      Once update the group policy after applying policy. Troubleshot the group policy if it will not work.

  2. Beto says

    Thanks for the feedback Shais. I tried to set it from both my DC’s GPOs and local GPEDIT. Tried to run gpupdate /force and restart to no avail. It will block the device only if I set through Computer Configuration. Could that be a bug from Win 10. The same GPO works like charm with my Win 7 boxes.

  3. Silas says

    I’m am getting the same results with the User Configuration. This worked just fine in my 2008 R2 domain but in 2012 R2 this is not working. I have worked on it for days now, I believe Microsoft has a Bug..

  4. ycjackchen says

    Me too.
    I have tested the USER BASED usb disable.
    The GPO is working on windows 7 but not on windows 10.
    Is there any update?

  5. Ramesh says

    Didn’t try for win10 but yes, on win 7 it works. Thanks.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.