Block USB Write Access for Better Security: Registry and Group Policy Methods

Quickly Disable USB Write Access Using PowerShell or Command Line

Preventing unauthorized copying to USB drives can reduce data loss and malware spread. This guide shows quick, reversible methods to disable USB write access on Windows using Group Policy, Registry edits, and PowerShell/Command Line — suitable for single machines or deployment via scripts.

Before you begin

  • Scope assumed: Windows 10/11 or Windows Server. Editions differ: Home editions lack gpedit.msc, so use Method 2 there.
  • Admin rights required: You must run commands or edit the registry as an administrator.
  • Backup: Export affected registry keys or create a system restore point before changes.

Method 1 — Using Group Policy (Local Group Policy Editor)

Use this when managing a single machine interactively.

  1. Press Windows+R, type gpedit.msc, Enter.
  2. Navigate to: Computer Configuration → Administrative Templates → System → Removable Storage Access.
  3. Double-click Removable Disks: Deny write access, set to Enabled, then click OK.
  4. Apply changes immediately with an elevated Command Prompt:

    Code

    gpupdate /force

Effect: Users will be blocked from writing to USB removable disks. To revert, set the policy to Not Configured or Disabled and run gpupdate /force.

Method 2 — Registry edit (quick, scriptable)

This works on Home editions where gpedit.msc may not exist.

  • Disable write access:
    1. Open an elevated Command Prompt or PowerShell.
    2. Run:

      Code

      reg add "HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies" /v WriteProtect /t REG_DWORD /d 1 /f

      The StorageDevicePolicies key is not present by default. reg add creates it automatically when you add the value, but if you prefer to create it explicitly first:

      Code

      reg add "HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies" /f
      reg add "HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies" /v WriteProtect /t REG_DWORD /d 1 /f
  • Re-enable write access:

    Code

    reg add "HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies" /v WriteProtect /t REG_DWORD /d 0 /f
  • Remove the key (restore default behavior):

    Code

    reg delete "HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies" /f

Effect: Windows refuses write operations to USB mass storage devices. The value is read when a device is attached, so unplug and reconnect an already-mounted drive (or reboot), then confirm that a test copy to the drive fails.
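As an added example (not from the original guide), the same registry change wrapped as a PowerShell function suitable for a startup or remediation script: it exports the key before touching it, creates the key if needed, writes WriteProtect only when the value differs, and reads the result back instead of trusting the write. The function names, the backup folder under ProgramData and the backup filename pattern are this example's own choices.

```powershell
# Added example, not part of the original guide. Run from an elevated PowerShell session.
# Function names, backup folder and filename pattern are this example's own assumptions.

$PolicyKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'

function Get-UsbWriteProtect {
    # $true when WriteProtect is 1; $false when it is 0 or the key/value is absent
    $value = Get-ItemProperty -Path $PolicyKey -Name WriteProtect -ErrorAction SilentlyContinue
    return ($null -ne $value -and $value.WriteProtect -eq 1)
}

function Backup-StorageDevicePolicies {
    param([string]$BackupDir = "$env:ProgramData\UsbWriteProtect")
    if (-not (Test-Path $PolicyKey)) { return $null }   # nothing to back up yet
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $file = Join-Path $BackupDir ("StorageDevicePolicies-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
    # reg.exe wants the native key path, not the HKLM:\ provider path
    reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies' $file /y | Out-Null
    return $file
}

function Set-UsbWriteProtect {
    param([Parameter(Mandatory)][bool]$Enabled)
    $backup = Backup-StorageDevicePolicies
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    $desired = [int]$Enabled   # 1 = write-protect on, 0 = off
    # Only write when the state actually changes (idempotent on repeated runs)
    if ((Get-UsbWriteProtect) -ne $Enabled) {
        Set-ItemProperty -Path $PolicyKey -Name WriteProtect -Type DWord -Value $desired
    }
    # Read back rather than assuming the write succeeded
    $now = Get-UsbWriteProtect
    if ($now -ne $Enabled) { throw "WriteProtect read-back mismatch: expected $desired" }
    [pscustomobject]@{ WriteProtect = $now; Backup = $backup }
}

# Usage: enable, then reconnect any mounted USB drive for the change to apply
Set-UsbWriteProtect -Enabled $true
```

To roll back, call Set-UsbWriteProtect -Enabled $false, or import the .reg file the function returned. Because the setting is only consulted when a device is attached, the read-back confirms the registry state, not the behaviour of a drive that was already mounted.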

Method 3 — PowerShell: Disable the USB storage driver (scriptable, all-or-nothing)

Use PowerShell to disable the USB mass storage driver (USBSTOR). This blocks every USB storage device, reads included, until it is re-enabled.

  • Disable the USBSTOR service (prevents loading USB storage driver):

    Code

    Stop-Service -Name USBSTOR -ErrorAction SilentlyContinue
    Set-Service -Name USBSTOR -StartupType Disabled
  • Re-enable:

    Code

    Set-Service -Name USBSTOR -StartupType Manual
    Start-Service -Name USBSTOR

Note: USBSTOR is a kernel-mode driver, not a user-mode service. Stop-Service cannot unload it while a USB storage device is attached, and the service cmdlets may not list it at all; what persists is the driver's Start value in the registry (3 = manual, the default; 4 = disabled), which takes effect for newly attached devices, so unplug devices or reboot after the change. This method prevents any USB storage device from mounting, not just writes.

Method 4 — PowerShell: Deny write for specific volumes (per-volume ACL)

If you want to allow reading but block writing on mounted USB volumes, run a script that detects removable volumes and removes write permissions for standard users.

  • Example (run elevated):

    Code

    Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } | ForEach-Object {
        # Address the volume by drive letter; Get-Acl does not accept the \\?\Volume{...}\ form in $_.Path
        $root = "$($_.DriveLetter):\"
        $acl  = Get-Acl -Path $root
        # Deny Write and Modify to Users on the root, inherited by all subfolders and files
        $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList 'Users', 'Write, Modify', 'ContainerInherit,ObjectInherit', 'None', 'Deny'
        $acl.AddAccessRule($rule)
        Set-Acl -Path $root -AclObject $acl
    }
  • To remove those deny rules, rebuild the same rule object, read the volume's ACL with Get-Acl, call RemoveAccessRule on it, and write it back with Set-Acl.

Caveat: ACLs exist only on NTFS-formatted volumes. Most USB sticks ship as FAT32 or exFAT, where Set-Acl cannot write a DACL, so on those drives this method fails or silently does nothing. On NTFS the deny entry is stored on the volume itself and travels with the drive; an administrator can change or remove it (or simply reformat the drive), and the deny applies to every interactive account because they are members of Users. Test on a scratch drive before rolling it out.

Deployment tips

  • For domain environments, prefer Group Policy (GPO) for consistent enforcement. Use the same registry or PowerShell commands via startup scripts, Intune, or endpoint management tools for large deployments.
  • Combine policies with endpoint protection and device whitelisting for stronger controls.
  • Document rollback steps and test on a non-production machine first.

Troubleshooting

  • Changes not applied: run gpupdate /force or reboot.
  • Registry key ignored: check the path (StorageDevicePolicies lives under Control, not Services), the value name and type (WriteProtect, REG_DWORD), then reconnect the device; the value is only read when a device is attached.
  • Devices still writable: external HDDs/SSDs and some flash drives enumerate as fixed disks, which the Removable Disks policy does not cover. For those, block the USBSTOR driver (Method 3) or use device-level control in your endpoint management tool.
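When a control seems not to apply, it helps to see all three mechanisms side by side and then test a real write. The following is an added example (not from the original guide): it reads the registry value behind the Group Policy setting, the StorageDevicePolicies WriteProtect value and the USBSTOR driver's Start value, then tries to create and delete a tiny file on every lettered removable volume. The function names and the probe filename are this example's own assumptions; the policy key path and class GUID are the ones the "Removable Disks: Deny write access" policy writes.

```powershell
# Added example, not part of the original guide. Run elevated so every key is readable.
# Function names and the probe filename are this example's own assumptions.

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Returns the value as [int], or $null when the key or value is absent
    $p = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $null }
    return [int]$p.$Name
}

function Get-UsbWriteControlState {
    # Key the "Removable Disks: Deny write access" policy writes; the GUID is the Removable Disks class
    $gpoKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
    [pscustomobject]@{
        GpoDenyWrite = Get-RegDword $gpoKey 'Deny_Write'   # 1 = enabled, $null = not configured
        WriteProtect = Get-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies' 'WriteProtect'
        UsbStorStart = Get-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' 'Start'   # 3 = manual, 4 = disabled
    }
}

function Test-RemovableVolumeWritable {
    # Probe each lettered removable volume with a create-then-delete of a one-byte file.
    # A blocked write surfaces as an exception (access denied or media write-protected).
    Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } | ForEach-Object {
        $root  = "$($_.DriveLetter):\"
        $probe = Join-Path $root ".usb-write-probe-$PID.tmp"
        $writable = $true
        $reason   = ''
        try {
            [IO.File]::WriteAllBytes($probe, [byte[]]@(0))
            Remove-Item -LiteralPath $probe -Force
        } catch {
            $writable = $false
            $reason   = $_.Exception.Message
        }
        [pscustomobject]@{ Drive = $root; FileSystem = $_.FileSystem; Writable = $writable; Reason = $reason }
    }
}

Get-UsbWriteControlState | Format-List
Test-RemovableVolumeWritable | Format-Table -AutoSize
```

If every control reads as off but a drive still refuses writes, check the drive's own hardware write-protect switch; if a control reads as on but the drive is writable, it was most likely mounted before the change, so reconnect it and probe again. Volumes without a drive letter and devices that enumerate as fixed disks are not probed.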

Quick command summary

  • Group Policy refresh:

    Code

    gpupdate /force
  • Registry enable write-protect:

    Code

    reg add "HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies" /v WriteProtect /t REG_DWORD /d 1 /f
  • Disable USB storage driver:

    Code

    Stop-Service -Name USBSTOR -ErrorAction SilentlyContinue
    Set-Service -Name USBSTOR -StartupType Disabled

