Usb Block

Leave a Comment / Uncategorized / By

Key Points

  • How to disable USB drives on Windows
    • Registry Editor
      • Edit HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR → Set Start value to 4
    • Group Policy Editor
      • gpedit.msc → Computer Configuration → Administrative Templates → System → Removable Storage Access → Enable “Deny Execute Access”
      • For multiple devices, use Group Policy Management Console on a domain controller
    • Device Manager
      • Right-click USB ports under “Universal Serial Bus controllers” → Disable
      • Risk: May disable mouse/keyboard if they use the same ports
    • Third-party tools
      • Use specialized software (e.g., USB BlockUSB Lock RP) for remote management or advanced restrictions
  • Key risks of USB drives
    • Data loss/theft if drives are lost, stolen, or used maliciously
    • Malware transmission via hidden files or firmware exploits
    • Physical damage from malicious USB devices designed to fry hardware
  • Impacts of disabling USB
    • Users lose plug-and-play file sharing; ensure they know about this policy
    • Encourage cloud storage or network shares to manage data securely
    • Manual endpoint management is error-prone—use endpoint security solutions for consistent policy enforcement


This concise guide demonstrates how to disable USB drives on Windows and handle USB drive risks. Blocking USB access is important to security in Windows 11 and Windows 10 deployments in organizations, as well as on personal devices, as it can prevent the spread of malware, data theft, and even physical damage to devices.

How to disable USB drives in Windows

The method you use to disable USB drives in Windows will depend on whether you are managing a single device or multiple. Before you make any changes to your system, it is recommended that you perform a full backup.

Note that you will need to be logged in as an Administrator to perform all the below tasks.

Using Windows Registry Editor to disable USB storage

This method for disabling USB drives allows other USB devices to continue functioning, and is done via the Windows Registry:

  • Right-click on the Start button, click Run, and enter “regedit” to open the Registry Editor.
  • Within the Registry editor, navigate to HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesUSBSTOR.
  • Edit the value for the Start Registry Key in USBSTOR path and change it to 4.
  • To revert this change and re-enable USB storage, change the value of Start back to 3.

When the value of the Start Registry Key in USBSTOR is set to 4, nothing will happen when a USB drive is connected, and an error will appear in the device manager entry for the USB storage device.

Using Windows Group Policy Editor to disable USB storage

You can also use Group Policy to disable USB drive access on a single machine, or on a Windows Domain using Active Directory:

  • Right-click on the Start button, click Run, and enter “gpedit.msc” to open the Group Policy Editor.
  • In the Group Policy Editor, use the navigation tree in the left panel to navigate to Computer Configuration/Administrative Template/System/Removable Storage Access.
  • In the right panel, select Removable Disks: Deny Execute Access.
  • Check Enabled to enable this policy and disable removable USB storage.

If you want to deploy this policy to multiple machines in a Windows Domain, use the Group Policy Management Console by running gpmc.smc on a domain controller. Then, enable the above policy for the Organizational Unit you want to disable removable USB storage for. This allows you to enable the restriction based on users’ group membership, or for specific machines.

Using the Device Manager to Disable USB Ports

To block USB access on a single computer, you can use the Device Manager. Note that this method comes with the risk that you disable the USB port or controller that your mouse and keyboard are connected to, so it is recommended that you use a method for disabling USB storage devices only, or set a system restore point before you start so that the change can be rolled back.

  • Right-click on the Start button and click Device Manager.
  • Expand the Universal Serial Bus controllers tree menu item.
  • Right click and disable USB ports as required.

Using third-party tools to block USB access

There are a number of products that allow you to disable USB drives in Windows, in some cases allowing for remote management of devices. These include USB Block and USB Lock RP.

Unless you need control over which specific USB devices can be connected, adding additional USB management software to your system is usually seen as unnecessary given Windows’ built-in ability to block access to USB storage (including the ability to restrict other specific kinds of USB devices using PowerShell).

If more robust protection is required in a corporate environment, a full endpoint security solution addresses both the risks posed by USB devices, as well as other cybersecurity threat vectors.

Understanding USB drive risks

There are several risks posed by removable USB storage that are solved by discouraging or preventing their use:

  • Data breaches and theft: USB drives containing sensitive information can be easily lost by an employee, resulting in a data breach. Theft is also an issue, as is the risk that an employee bypasses data access restrictions by using a colleague’s computer to load information they are not privy to on a USB stick, and sharing it.
  • Data loss and corruption: USB drives are not reliable storage devices. Discouraging their use removes the risk of an employee moving important data onto a USB stick, and it subsequently being lost or corrupted.
  • Malware and firmware infections: Some malware is able to spread via USB either as files or hidden in firmware, bypassing network protections. Additionally, some cyber attacks occur when an infected USB stick is intentionally left where a targeted employee is likely to find it and plug it in to see what’s on it (for example, on a shop counter, or building reception desk).

USB devices can also pose a physical threat. Specialized USB sticks that contain high-voltage hardware have been deployed by attackers to damage devices when they are plugged in. This makes securing public devices vital: not only should USB storage be disabled, but access to physical USB ports should also be restricted.

Use cases and impacts of disabling USB drives

The primary impact of disabling USB storage is on your users. To reduce complaints about USB drives not working, make sure they are aware of the changes you are enacting on their devices.

While some Windows security solutions make it possible to whitelist specific USB storage devices, this doesn’t prevent them from being used in other computers outside your control, potentially infecting them with malware. Instead, consider deploying cloud storage or network shares that can be monitored for misuse and malware, for your users to share files or work on them when out of the office.

1. Disable Usb Drives in Registry Editor

This method works in all editions of running Windows 10, and it disconnects only USB drives, without affecting the mouse, keyboard, and printer connected via USB. Before editing the registry, it is recommended to create a system restore point.

Open Windows registry editor: in the search bar or in the menu to execute (run with the Win + R keys) enter the regedit command and press the Enter key.

Go to HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Services \ USBSTOR. In the USBSTOR section, open the Start ⇨ parameter in the “Value” field, set 4 and click “OK”.

Now, if you connect a USB flash drive to a computer, it will not be displayed anywhere, and in Device Manager you will see an error installing the driver for this device. If you want to re-enable USB drives in the future — change the value of the “Start” parameter to 3 and click “OK”.

2. Disable Usb Drives in Group Policies

First, you need to open local group policy editor.

In the search bar or in the menu to execute (execute is called with the Win + R keys), enter:

gpedit.msc

and press the Enter key.

Then you need to open Removable Disks: Deny Execute Access

To do this open “Computer Configuration” ⇨ “Administrative Templates” ⇨ “System” ⇨ “Removable Storage Access” ⇨ in the right pane, open “Removable Disks: Deny Execute Access”.

After that choose “Enabled” and click “OK”. Also put is included in “Removable disks: Deny Read Access” and in “Removable disks: Deny Write Access”, they are also found in “Computer configuration” ⇨ “Administrative templates” ⇨ “System” ⇨ “Removable Storage Access”

.

3. Enable or Disable Usb Ports Through Device Manager

IMPORTANT: We recommend creating a system restore point before disconnecting the USB ports so you can easily turn them on again whenever you want.

Right-click on the “Start” button on the taskbar and select “Device Manager”.

Expand USB Controllers. Right-click on all entries, one after another, and click “Disable Device”. Click “Yes” when you see a confirmation dialog.

4. Disable or Enable Usb Ports in BIOS

Some manufacturers offer an option in BIOS / UEFI to disable or enable USB ports. Download the BIOS / UEFI and check if there is an option to disable or enable USB ports. Check your PC user manual to find out if the option to enable or disable USB ports is present in the BIOS / UEFI.

Consider Using Action1 to Block USB Ports Remotely if:

  • You need to perform an action on multiple computers simultaneously.
  • You have remote employees with computers not connected to your corporate network.

Action1 is an autonomous endpoint management solution for patch management, software deployment, remote desktop, IT asset inventory and reporting.

Leave a Comment

Your email address will not be published. Required fields are marked *