How to Restrict Access to Removable Devices in Windows 10?

Restricting access to removable devices is a security practice that prevents someone from copying sensitive data onto USB, CD, or other types of removable devices. It only works for local access to a system: it restricts physical access to removable devices if someone wants to copy your files onto them, but it cannot prevent files from being uploaded to file upload sites or to Microsoft OneDrive, Google Drive, etc.

The restriction is configured through Group Policy. The Group Policy settings apply to all users of the computer and prevent access to all types of devices and media that are classified as removable devices.

Restrict Access to Removable Devices in Windows 10

By default, on all Windows clients a user can copy files to any removable device without any privilege restriction. This guide restricts access to removable devices on a Windows 10 client. It works the same way on Windows 8.1 and 7.

1. Open the Group Policy editor by typing “Gpedit.msc” into the Windows Run dialog, then navigate to Computer Configuration, Administrative Templates, System, Removable Storage Access.
Removable Storage Access – Restrict Access to Removable Devices

2. Each Removable Storage Access setting is clearly described. Double-click a setting and enable it. For example, to prevent users from running executable files from their removable devices, double-click Removable Disk Deny Execute Access, then select Enabled and click OK to apply the change.

Removable Disk Deny Execute Access

Apply the other settings in the same way for USB devices, CD and DVD writers, and other device classes.

3. To apply changes immediately, configure the Set Time In Seconds to Force Reboot setting. It sets the amount of time (in seconds) that the operating system waits before rebooting in order to enforce a change in access rights to removable storage devices.

Set Time In Seconds to Force Reboot

If you enable this policy setting, set the number of seconds. The value is in seconds, not minutes. If you don’t reboot the system, the change will not take effect, even after updating Group Policy with the “Gpupdate /force” command.

4. Reboot the system and check the result. Plug a USB device into your computer and test the settings you have applied through Group Policy.

Remember: To apply the removable device restriction policy to a specific user or group, configure it under User Configuration in the Group Policy settings.
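To confirm which scope actually carries the restriction after the reboot, the following PowerShell audit reads the policy values for the current machine and the current user. It is an added example, not part of the original article. The registry location, the device class GUIDs and the `Deny_*` value names are not named on this page; they are stated here as an assumption about where the Removable Storage Access templates store their settings, so verify them on your build. `Get-RemovableStoragePolicy` is a hypothetical helper name.

```powershell
# Added example: report the removable-storage deny policies stored in the registry.
# Assumption: Computer Configuration writes under HKLM and User Configuration under
# HKCU, both beneath the policy key below.
$policyKey = 'SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

# Assumed device class GUIDs for two of the Removable Storage Access classes.
$classes = [ordered]@{
    'Removable Disks' = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
    'CD and DVD'      = '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'
}
$scopes = [ordered]@{
    'Computer Configuration' = 'HKLM:'
    'User Configuration'     = 'HKCU:'
}
$rights = 'Deny_Read', 'Deny_Write', 'Deny_Execute'

function Get-RemovableStoragePolicy {
    foreach ($scope in $scopes.GetEnumerator()) {
        foreach ($class in $classes.GetEnumerator()) {
            $path = '{0}\{1}\{2}' -f $scope.Value, $policyKey, $class.Value
            # A missing key means nothing was configured for this class in this scope.
            $values = Get-ItemProperty -LiteralPath $path -ErrorAction SilentlyContinue
            foreach ($right in $rights) {
                $raw = if ($values) { $values.$right } else { $null }
                $state = if ($null -eq $raw) { 'Not configured' }
                         elseif ($raw -eq 1) { 'Enabled (access denied)' }
                         else                { 'Disabled' }
                [pscustomobject]@{
                    Scope   = $scope.Key
                    Class   = $class.Key
                    Setting = $right
                    State   = $state
                }
            }
        }
    }
}

# Run as the user being tested so that HKCU reflects that user's policy.
Get-RemovableStoragePolicy | Format-Table -AutoSize
```

A row showing "Enabled (access denied)" only confirms that the policy value reached the registry; plugging in a device as in step 4 is still the test of whether it is enforced.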

Hope this helps protect your data from being copied by unwanted users. Feel free to ask your questions about Windows Group Policy in the comment area, or read more articles related to Group Policy.

I’m a network and Information Security instructor. Here is my online pictorial notebook. I would like to write and share my experience through this website for computer enthusiasts and technology geeks.

6 Comments

  1. It won't work when you set it by User Configuration.

    • Hi Beto,
      Update the group policy once after applying the policy. Troubleshoot the group policy if it does not work.

  2. Thanks for the feedback, Shais. I tried to set it from both my DC's GPOs and local GPEDIT. Tried to run gpupdate /force and restart to no avail. It will block the device only if I set it through Computer Configuration. Could that be a bug from Win 10? The same GPO works like a charm with my Win 7 boxes.

  3. I am getting the same results with the User Configuration. This worked just fine in my 2008 R2 domain but in 2012 R2 this is not working. I have worked on it for days now. I believe Microsoft has a bug.

  4. Me too.
    I have tested the USER BASED usb disable.
    The GPO is working on windows 7 but not on windows 10.
    Is there any update?

  5. Didn't try for win10 but yes, on win 7 it works. Thanks.
