Disabling USB Mass Storage Devices on Windows XP via Group Policy.
Before you do anything else, you'll need to import an .adm template file to provide the Custom Policy Settings required. Templates can be downloaded from Microsoft, or you can download the one offered on this page.
This template is the one that I use. Use it by all means, but if you are in any doubt about anything you download from the Internet, go to the source, in this case Microsoft (http://support.microsoft.com/kb/555324), and download from there.
To add this template to your existing Group Policy Objects:
- Select Administrative Templates.
- Right-click Administrative Templates and select 'Add/Remove Templates'.
- Click 'Add' and browse to the .adm file and select it.
- Click 'Open' and it will be added to the list.
- Click 'Close'.
Using the Group Policy Management snap-in, create a new Group Policy called 'Disable Mass Storage Device'. Right-click your new Group Policy Object and click 'Edit'. This will open up the Group Policy Editor.
Under 'Computer Configuration' branch down to Administrative Templates > Custom Policy Settings > Restrict Drives.
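If you have imported the template file but there are still no visible options in the right-hand pane, you'll need to change the view preference settings for all ADM files in the Group Policy Object Editor. By default the editor hides settings that cannot be fully managed, and the settings in a custom template like this one fall into that group. To do this: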
- Select Administrative Templates.
- Right-click Administrative Templates and then click View.
- Click Filtering and, in the filtering dialog box, clear the check box for 'Only show policy settings that can be fully managed'.
- Click OK.
You should now be able to see four options in the Restrict Drives folder:
- Disable USB Drives
- Disable CDROM
- Disable Floppy
- Disable High Capacity Floppy
Double-click the Disable USB Drives option to bring up the dialogue box and, on the Settings tab, select the Enabled radio button. Next to 'usbstore.sys drive status', select 'Stopped' from the drop-down options.
Apply the policy to an OU and any PCs in that OU will not be able to use USB Mass Storage devices.
Re-enabling USB Mass Storage Devices on Windows XP via Group Policy.
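To re-enable the mass storage devices on a Windows XP system, you need to create a second Group Policy.
It is not enough to simply take the PC out of the 'Disable' Group Policy, as the device drivers will remain disabled. A setting that is not fully managed stays in place on the client after the policy stops applying, so it has to be explicitly set back.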
As with disabling USB storage drivers, create a new Group Policy, this time called 'Enable Mass Storage Device'. Follow the same steps as above until you reach the step 'Double-click the Disable USB Drives option'. This time you need to select 'Started' from the drop-down options.
Apply the policy to an OU and any PCs in that OU will have the USB Mass Storage drivers enabled again.
To implement this on one of the networks that I manage, I created two new OUs: 'Disable USB Mass Storage' and 'Enable USB Mass Storage'.
To disable mass storage, I just move the computer into the 'Disabled OU' and wait for the policy to take effect. If the PC needs its USB mass storage device enabled again, I just move it into the 'Enabled OU' and wait for the policy to update.
Of course, if you can't wait for the Group Policy to update across the network, you can always run gpupdate on the client computer.
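To confirm which state a PC has actually ended up in after it has been moved between the two OUs and the policy has refreshed, the driver's start type can be read from the registry. The script below is an added example, not part of the original article or of Microsoft's template. It assumes the imported template follows KB 555324 and sets the 'Start' value of the USBSTOR service key (3 for 'Started', 4 for 'Stopped'), that the Remote Registry service is running on the targets, and it uses constructed host names.

```powershell
# Added example: report the USB mass storage driver start type per computer.
# Assumption: the template writes 'Start' under the USBSTOR service key,
# 3 = 'Started' (driver loads on demand), 4 = 'Stopped' (driver disabled).
function Get-UsbStorState {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    $subKey = 'SYSTEM\CurrentControlSet\Services\USBSTOR'
    foreach ($name in $ComputerName) {
        $result = New-Object PSObject -Property @{
            Computer = $name; Start = $null; State = 'Unknown'; Error = $null
        }
        $hklm = $null
        $key  = $null
        try {
            # Needs admin rights and the Remote Registry service on the target.
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                [Microsoft.Win32.RegistryHive]::LocalMachine, $name)
            $key = $hklm.OpenSubKey($subKey)
            if ($key -eq $null) {
                # Service key not present on this machine.
                $result.State = 'KeyMissing'
            } else {
                $result.Start = $key.GetValue('Start')
                if ($result.Start -eq 3)     { $result.State = 'Started' }
                elseif ($result.Start -eq 4) { $result.State = 'Stopped' }
                else                         { $result.State = 'Unexpected' }
            }
        } catch {
            # Unreachable host, access denied, service not running, etc.
            $result.Error = $_.Exception.Message
        } finally {
            if ($key)  { $key.Close() }
            if ($hklm) { $hklm.Close() }
        }
        $result
    }
}

# Constructed host names; replace with the PCs in the OU being checked.
Get-UsbStorState -ComputerName 'PC-LAB-01', 'PC-LAB-02' |
    Select-Object Computer, Start, State, Error |
    Format-Table -AutoSize
```

A PC that still reports 'Stopped' after being moved to the 'Enable' OU has not yet applied the second policy.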