Control Read or Write Access to Removable Devices or Media

Applies To: Windows Server 2008

Use this procedure to restrict your users' ability to read from or write to devices covered by the policy settings.

Device categories for which policy settings exist include:

  • CD and DVD drives. This type of drive uses removable media.

  • Floppy disk drives. This type of drive uses removable media.

  • Removable drives. This type of drive is an external drive connected to the computer using a USB or IEEE 1394 connection. It includes both hard disk drives and flash memory drives.

  • Tape drives. This type of drive uses removable media.

  • Windows Portable Devices. This type of device includes media players, smart phones, and so on.

  • Custom Classes. If the device to which you want to prevent access is not covered by any of the other categories, you can deny read or write access to devices that have a specified device setup class GUID.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

Controlling read or write access to removable devices or media

You can use the following methods to control read or write access to removable devices or media:

  • Deny access to devices that match one of the types predefined by Windows

  • Deny access to a device that has a specific device setup class

Deny access to devices that match one of the types predefined by Windows

To deny access to devices that match one of the types predefined by Windows

  1. Open the Group Policy Management Editor. To do so, click Start, and then in the Start Search box, type mmc gpedit.msc.

  2. In the navigation pane, open Local Computer Policy. Then do one of the following:

    • If you want the policy to affect all users on the computer, open Computer Configuration in the navigation pane.

    • If you want the policy to affect only the currently logged on user, open User Configuration in the navigation pane.

  3. Continue by opening the following folders: Administrative Templates, System, Removable Storage Access.

  4. In the details pane, select and double-click the policy setting that describes the device type you want to restrict, and the kind of restriction you want enforced.

  5. Click Enabled.

  6. Click OK to save your changes. You can repeat steps 4 and 5 for other restrictions to this device type, or to create restrictions for other devices.

Additional considerations

  • To restrict all read and write access to all removable device types, do not set all of the individual device type restriction policies. Instead, see Deny All Access to Removable Devices or Media.

  • Test all applications that the affected users require to ensure that this policy setting does not prevent those applications from working properly.

  • If you edit policy settings locally on a computer, you will affect the settings on only that one computer. If you configure the settings in a Group Policy object (GPO) hosted in an Active Directory domain, then the settings apply to all computers that are subject to that GPO. For more information about Group Policy in an Active Directory domain, see Group Policy (https://go.microsoft.com/fwlink/?LinkId=55625).

Deny access to a device that has a specific device setup class

To deny access to a device that has a specific device setup class

  1. Open the Group Policy Management Editor. To do so, click Start, and then in the Start Search box, type mmc gpedit.msc.

  2. In the navigation pane, open Local Computer Policy. Then do one of the following:

    • If you want the policy to affect all users on the computer, open Computer Configuration in the navigation pane.

    • If you want the policy to affect only the currently logged on user, open User Configuration in the navigation pane.

  3. Continue by opening the following folders: Administrative Templates, System, Removable Storage Access.

  4. In the details pane, double-click either Custom Classes: Deny read access or Custom Classes: Deny write access, depending on which restriction you want to enforce.

  5. Click Enabled, and then click Show.

  6. In the Show Contents dialog box, click Add.

  7. In the Add Item dialog box, type the GUID for the device setup class that applies to your device. Ensure that you include the curly brace characters on either side of the value.

  8. Click OK to save your changes. You can repeat steps 6 and 7 for other devices.

  9. Click OK to save the completed list, and then click OK to save the policy.

Additional considerations

  • To determine the device setup class GUID for your device, see Determine the Device Setup Class for Your Device.

  • Test all applications that the affected users require to ensure that this policy setting does not prevent those applications from working properly.

  • If you edit policy settings locally on a computer, you will affect the settings on only that one computer. If you configure the settings in a Group Policy object (GPO) hosted in an Active Directory domain, then the settings apply to all computers that are subject to that GPO. For more information about Group Policy in an Active Directory domain, see Group Policy (https://go.microsoft.com/fwlink/?LinkId=55625).
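
The following is an added example, not part of the original page or of Microsoft's tooling: a PowerShell check for step 7 of the custom class procedure that confirms each entry is a GUID wrapped in curly braces and shows which devices it would cover. It assumes the ClassGuid property of the Win32_PnPEntity WMI class reflects the device setup class; the function name, sample device names, and sample GUIDs are constructed for illustration.

```powershell
# Added example (not from the original page): check candidate entries for the
# "Custom Classes: Deny read/write access" list before typing them in step 7.
function Test-SetupClassGuidEntry {
    param(
        [string[]]$Entry,
        # Device inventory; by default the local machine's Plug and Play devices.
        [object[]]$Device = (Get-WmiObject -Class Win32_PnPEntity)
    )
    # Index the classes actually in use: ClassGuid -> names of devices using it.
    $present = @{}
    foreach ($d in $Device) {
        if (-not $d.ClassGuid) { continue }
        $key = $d.ClassGuid.ToLower()
        if (-not $present.ContainsKey($key)) { $present[$key] = @() }
        $present[$key] += $d.Name
    }
    # The policy dialog expects the GUID wrapped in curly braces.
    $braced = '^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$'
    $seen = @{}
    foreach ($e in $Entry) {
        $key = $e.Trim().ToLower()
        if ($key -notmatch $braced) {
            $status = if ("{$key}" -match $braced) { 'Missing curly braces' } else { 'Not a GUID' }
        } elseif ($seen.ContainsKey($key)) {
            $status = 'Duplicate entry'
        } elseif (-not $present.ContainsKey($key)) {
            $status = 'Valid, no matching device present'
        } else { $status = 'Valid' }
        $seen[$key] = $true
        New-Object PSObject -Property @{
            Entry = $e; Status = $status; Devices = ($present[$key] -join '; ')
        } | Select-Object Entry, Status, Devices
    }
}

# Constructed sample inventory and entries (GUIDs are placeholders, not real classes).
$sampleDevices = @(
    (New-Object PSObject -Property @{ Name = 'Sample USB disk'; ClassGuid = '{11111111-2222-3333-4444-555555555555}' }),
    (New-Object PSObject -Property @{ Name = 'Sample scanner';  ClassGuid = '{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}' })
)
$sampleEntries = @(
    '{11111111-2222-3333-4444-555555555555}',   # valid and present
    'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee',     # braces forgotten
    '{11111111-2222-3333-4444-555555555555}',   # duplicate
    '{99999999-0000-0000-0000-000000000000}',   # valid form, class not in inventory
    'USB storage'                               # not a GUID
)
Test-SetupClassGuidEntry -Entry $sampleEntries -Device $sampleDevices | Format-Table -AutoSize
```

Omit -Device on a live system to check the entries against the devices currently installed on that computer.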