How to Disable USB Drives on Windows 11 and Windows 10

, ,
  • Last updated
How to Disable USB Drives on Windows 11 and Windows 10 blog banner image
,,
  • Last updated

This concise guide demonstrates how to disable USB drives on Windows and handle USB drive risks. Blocking USB access is important to security in Windows 11 and Windows 10 deployments in organizations, as well as on personal devices, as it can prevent the spread of malware, data theft, and even physical damage to devices.

Protect your Windows devices and reduce the risk of data breaches and downtime.

🛡️Explore NinjaOne endpoint security for Windows.

How to disable USB drives in Windows

The method you use to disable USB drives in Windows will depend on whether you are managing a single device or multiple. Before you make any changes to your system, it is recommended that you perform a full backup.

Note that you will need to be logged in as an Administrator to perform all the below tasks.

Using Windows Registry Editor to disable USB storage

This method for disabling USB drives allows other USB devices to continue functioning, and is done via the Windows Registry:

  • Right-click on the Start button, click Run, and enter “regedit” to open the Registry Editor.
  • Within the Registry editor, navigate to HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesUSBSTOR.
  • Edit the value for the Start Registry Key in USBSTOR path and change it to 4.
  • To revert this change and re-enable USB storage, change the value of Start back to 3.

When the value of the Start Registry Key in USBSTOR is set to 4, nothing will happen when a USB drive is connected, and an error will appear in the device manager entry for the USB storage device.

Using Windows Group Policy Editor to disable USB storage

You can also use Group Policy to disable USB drive access on a single machine, or on a Windows Domain using Active Directory:

  • Right-click on the Start button, click Run, and enter “gpedit.msc” to open the Group Policy Editor.
  • In the Group Policy Editor, use the navigation tree in the left panel to navigate to Computer Configuration/Administrative Template/System/Removable Storage Access.
  • In the right panel, select Removable Disks: Deny Execute Access.
  • Check Enabled to enable this policy and disable removable USB storage.

If you want to deploy this policy to multiple machines in a Windows Domain, use the Group Policy Management Console by running gpmc.smc on a domain controller. Then, enable the above policy for the Organizational Unit you want to disable removable USB storage for. This allows you to enable the restriction based on users’ group membership, or for specific machines.

Using the Device Manager to Disable USB Ports

To block USB access on a single computer, you can use the Device Manager. Note that this method comes with the risk that you disable the USB port or controller that your mouse and keyboard are connected to, so it is recommended that you use a method for disabling USB storage devices only, or set a system restore point before you start so that the change can be rolled back.

  • Right-click on the Start button and click Device Manager.
  • Expand the Universal Serial Bus controllers tree menu item.
  • Right click and disable USB ports as required.

Using third-party tools to block USB access

There are a number of products that allow you to disable USB drives in Windows, in some cases allowing for remote management of devices. These include USB Block and USB Lock RP.

Unless you need control over which specific USB devices can be connected, adding additional USB management software to your system is usually seen as unnecessary given Windows’ built-in ability to block access to USB storage (including the ability to restrict other specific kinds of USB devices using PowerShell).

If more robust protection is required in a corporate environment, a full endpoint security solution addresses both the risks posed by USB devices, as well as other cybersecurity threat vectors.

Understanding USB drive risks

There are several risks posed by removable USB storage that are solved by discouraging or preventing their use:

  • Data breaches and theft: USB drives containing sensitive information can be easily lost by an employee, resulting in a data breach. Theft is also an issue, as is the risk that an employee bypasses data access restrictions by using a colleague’s computer to load information they are not privy to on a USB stick, and sharing it.
  • Data loss and corruption: USB drives are not reliable storage devices. Discouraging their use removes the risk of an employee moving important data onto a USB stick, and it subsequently being lost or corrupted.
  • Malware and firmware infections: Some malware is able to spread via USB either as files or hidden in firmware, bypassing network protections. Additionally, some cyber attacks occur when an infected USB stick is intentionally left where a targeted employee is likely to find it and plug it in to see what’s on it (for example, on a shop counter, or building reception desk).

USB devices can also pose a physical threat. Specialized USB sticks that contain high-voltage hardware have been deployed by attackers to damage devices when they are plugged in. This makes securing public devices vital: not only should USB storage be disabled, but access to physical USB ports should also be restricted.

Use cases and impacts of disabling USB drives

The primary impact of disabling USB storage is on your users. To reduce complaints about USB drives not working, make sure they are aware of the changes you are enacting on their devices.

While some Windows security solutions make it possible to whitelist specific USB storage devices, this doesn’t prevent them from being used in other computers outside your control, potentially infecting them with malware. Instead, consider deploying cloud storage or network shares that can be monitored for misuse and malware, for your users to share files or work on them when out of the office.

See a 95% reduction in time spent securing your devices with NinjaOne’s Windows endpoint management tools.

📝 Sign up for a free trial.

Manually securing endpoints leads to security holes and breaches

Attempting to manually manage more than a few devices is likely to result in misconfiguration, leaving your organization’s devices vulnerable to the threats posed by insecure USB storage devices. It is important that the same policies are applied to devices for consistency and maintainability.

If you are tasked with securing multiple Windows devices on a network, consider a security solution that addresses not just the risks posed by USB devices but also cybersecurity threats such as malware, phishing, hackers, and user error. Endpoint management provided by NinjaOne gives you full visibility over your fleet of devices and allows you to enforce Windows policies and monitor for malware and potential data breaches for complete control of your IT environment.

Next Steps

For MSPs, their choice of RMM is critical to their business success. The core promise of an RMM is to deliver automation, efficiency, and scale so the MSP can grow profitably. NinjaOne has been rated the #1 RMM for 3+ years in a row because of our ability to deliver an a fast, easy-to-use, and powerful platform for MSPs of all sizes.
Learn more about NinjaOne, check out a live tour, or start your free trial of the NinjaOne platform.
Start your Free Trial

You might also like

How to Remotely Access & Control iPads & iPhones blog banner image

How to Remotely Access and Control iPads & iPhones

How to View Google Chrome Download History in Windows blog banner image

How to View Google Chrome Download History in Windows

How to Enable or Disable Domain Users to Sign in with Picture Password blog banner image

Enable or Disable Sign in with Picture Password in Windows 10

How to Turn On or Off ClearType in Windows 10 blog banner image

Complete Guide: How to Turn ClearType On or Off in Windows 10

How to Backup and Restore Local Group Policy Editor Settings in Windows 10 blog banner image.

How to Backup and Restore Local Group Policy Editor Settings in Windows 11

How to Enable or Disable Domain Users to Sign in with PIN to Windows 10 blog banner image

How to Enable or Disable Domain Users to Sign in with PIN on Windows 10

Ready to become an IT Ninja?

Learn how NinjaOne can help you simplify IT operations.

Start a Free Trial
Get a demo
×

See NinjaOne in action!

By submitting this form, I accept NinjaOne's privacy policy.

Start your 14-day trial

No credit card required, full access to all features

Start my free trial now

NinjaOne Terms & Conditions

By clicking the “I Accept” button below, you indicate your acceptance of the following legal terms as well as our Terms of Use:

  • Ownership Rights: NinjaOne owns and will continue to own all right, title, and interest in and to the script (including the copyright). NinjaOne is giving you a limited license to use the script in accordance with these legal terms.
  • Use Limitation: You may only use the script for your legitimate personal or internal business purposes, and you may not share the script with another party.
  • Republication Prohibition: Under no circumstances are you permitted to re-publish the script in any script library belonging to or under the control of any other software provider.
  • Warranty Disclaimer: The script is provided “as is” and “as available”, without warranty of any kind. NinjaOne makes no promise or guarantee that the script will be free from defects or that it will meet your specific needs or expectations.
  • Assumption of Risk: Your use of the script is at your own risk. You acknowledge that there are certain inherent risks in using the script, and you understand and assume each of those risks.
  • Waiver and Release: You will not hold NinjaOne responsible for any adverse or unintended consequences resulting from your use of the script, and you waive any legal or equitable rights or remedies you may have against NinjaOne relating to your use of the script.
  • EULA: If you are a NinjaOne customer, your use of the script is subject to the End User License Agreement applicable to you (EULA).
I Accept