
How to Block USB Drives With Group Policy

Need to block USB devices? In this article you will learn how to block USB drives with Active Directory Group Policy Objects (GPO). We will also compare using a GPO vs dedicated device control software for enforcing your removable media control policies.

Best Alternative to Group Policy for Blocking USB Devices

AccessPatrol is a device control software solution for preventing data loss to portable storage devices. In this video CurrentWare’s managing director Neel Lukka provides an overview of the features available in AccessPatrol.

🔒 Block USB flash drives, external hard drives, and other peripheral devices
🔒 Monitor USB activities including file transfers and what devices have been used
🔒 Get DLP alerts sent to your inbox when high-risk USB activities occur

AccessPatrol’s security policies are enforced by a software agent that is installed on your employees’ computers. This keeps devices restricted and monitored even when the computers are taken off the network.


Device Control: Group Policy vs AccessPatrol

Why Choose AccessPatrol for USB Restriction?

  1. Flexibility: Group Policy only supports domain-joined machines in a traditional Active Directory environment. AccessPatrol can integrate with your existing Active Directory OUs for ease of use while still allowing you to control non-domain machines.
  2. Ease of Use: Managing GPOs in a complex environment requires specialized skills, thorough testing, and trial and error to get right. With AccessPatrol, blocking or allowing USB devices is as easy as a few clicks, saving admins valuable time in managing granular removable media device permissions in their environment.
  3. USB Activity Reports & Alerts: AccessPatrol’s reports make auditing USB activity simple and effective. Rather than combing through raw audit event data, you can get automated alerts and easy-to-read reports that detail File Operations to portable storage, attempts to use blocked peripheral devices, and general device usage history.
  4. Temporary Bypass: With AccessPatrol’s Access Code Generator you can provide a time-limited exemption from your USB control policies, even if the remote devices have no internet connection.
  5. Restrict File Transfers: If portable storage is a requirement in your environment, you may still want to prevent trusted devices from transferring sensitive files. With AccessPatrol’s Block File Transfers feature you can block transfers by File Name or Extension, preventing the transfer of sensitive data without limiting productivity.
  6. Seamless End-User Experience: When you update AccessPatrol’s device control policies your users will be seamlessly restricted without requiring a restart or logoff. When the policy updates take effect your end-users will not experience stuttering, menu closures, and other distractions that come with Group Policy updates.
  7. CurrentWare Suite: AccessPatrol can be purchased as a standalone module or seamlessly integrated with the rest of the CurrentWare Suite, providing added security controls such as User Activity Monitoring and Web Filtering.

Devices That Can Be Controlled With AccessPatrol

AccessPatrol can block or limit the use of more than just USB storage devices. For full USB control, device permissions can be easily configured based on computer, user, or workgroup.

| Device Class        | Devices                             | Access Permissions            |
|---------------------|-------------------------------------|-------------------------------|
| Storage Devices     | USB                                 | Full / Read only / No access  |
|                     | DVD / CD                            | Full / Read only / No access  |
|                     | Floppy                              | Full / Read only / No access  |
|                     | Tape                                | Full / Read only / No access  |
|                     | External Hard drive                 | Full / Read only / No access  |
|                     | Firewire                            | Full / Read only / No access  |
|                     | SD Card                             | Full / Read only / No access  |
|                     | MM Card                             | Full / Read only / No access  |
| Wireless Devices    | Bluetooth                           | Full / Audio Only / No access |
|                     | Infrared                            | Full / No access              |
|                     | Wifi                                | Full / No access              |
| Communication Ports | Serial                              | Full / No access              |
|                     | Parallel                            | Full / No access              |
| Imaging Devices     | Scanners                            | Full / No access              |
|                     | Cameras, Webcams & Others           | Full / No access              |
| Others              | Printers                            | Full / No access              |
|                     | USB Ethernet Adapter                | Full / No access              |
|                     | Sound Cards                         | Full / No access              |
|                     | Portable Devices (iPhones, Mobiles) | Full / No access              |
|                     | Network Share                       | Full / No access              |

How to Block All Removable Media Devices

How to Block USB Devices With AccessPatrol

With AccessPatrol, blocking USB devices is as simple as a few clicks.

  1. Open the CurrentWare Console and select AccessPatrol
  2. Select the group(s) of computers or users you would like to control; AccessPatrol can control USB devices based on groups of user accounts or specific groups of computers.
  3. Under the AccessPatrol tab, select Device Permissions
  4. Under Storage Devices, you can set unique access permissions for USB, CD/DVD, Floppy, Tape, External HDD, Firewire, SD Card, and MM Cards.

  5. For granular control over each device: Under Access Permissions set the desired level of restriction (Full Access, Read Only, No Access)
  6. To restrict all devices: Click “All Devices” and select the desired level of restriction.
  7. Click Apply to save your changes

How to Use Group Policy to Block All Removable Media Devices

Create a group policy object to store the policy you wish to impose in your domain.

  1. Launch the Group Policy Management tool on the domain controller
  2. Right-click Group Policy Objects, click New
  3. Enter a name for the GPO and click OK
  4. Right-click the policy and click Edit.

Adding Policies to the Group Policy Object

  5. The Group Policy Management Editor opens
  6. Navigate to Computer Configuration > Policies > Administrative Templates > System > Removable Storage Access
  7. Right-click on All Removable Storage classes: Deny all access, click Edit.
  8. Click Enabled and click Apply and then OK

Linking the Group Policy Object

  9. Right-click on the OU
  10. Click Link an Existing GPO
  11. Select the GPO you created and click OK

Updating the Group Policy

  12. The last step is to update the group policy by running gpupdate /force from the command line.
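
The same GPO can be built from PowerShell with the GroupPolicy module. This is an added example, not code from the original article or from CurrentWare; the GPO name and OU distinguished name are placeholders, and Deny_All is the registry value that the "All Removable Storage classes: Deny all access" policy sets.

```powershell
# Added example. Run from a domain controller or a workstation with the
# GroupPolicy module (RSAT) installed, as a user allowed to create and link GPOs.
Import-Module GroupPolicy

$GpoName  = 'Block Removable Storage'             # assumed GPO name
$TargetOu = 'OU=Workstations,DC=example,DC=com'   # placeholder OU distinguished name
$Key      = 'HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices'

# Create the GPO only if it does not exist yet, so the script can be re-run safely.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Deny all access to removable storage classes'
}

# Equivalent of enabling "All Removable Storage classes: Deny all access"
# under Computer Configuration: the policy writes Deny_All = 1 (DWORD).
Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'Deny_All' -Type DWord -Value 1 |
    Out-Null

# Link the GPO to the OU unless a link is already present.
$linked = (Get-GPInheritance -Target $TargetOu).GpoLinks |
          Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# Run on an endpoint after "gpupdate /force" to confirm the setting arrived.
function Test-RemovableStorageDenied {
    $path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    $value = Get-ItemProperty -Path $path -Name 'Deny_All' -ErrorAction SilentlyContinue
    return ($null -ne $value -and $value.Deny_All -eq 1)
}
```

Test-RemovableStorageDenied returns $true only once the computer policy has been applied to the machine it runs on.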

A departing employee was caught stealing classified files! If we didn’t have AccessPatrol we would never have known.

Learn how Viking Yachts protected their intellectual property from a departing employee in our case study


How to Block Some Devices & Not Others

How to Block Specific Devices With AccessPatrol

With AccessPatrol, blocking specific USB devices is as simple as a few clicks.

  1. Open the CurrentWare Console and select AccessPatrol
  2. Select the group(s) of computers or users you would like to control; AccessPatrol can control USB devices based on groups of user accounts or specific groups of computers.
  3. Under the AccessPatrol tab, select Device Permissions
  4. Click on the exact device classes that you’d like to restrict; within each class of peripherals you can selectively disable specific device types.

  5. Under Access Permissions set the desired level of restriction (Full Access, Read Only, No Access)
  6. Click Apply to save your changes

How to Allow (Whitelist) Approved Devices With AccessPatrol

With AccessPatrol’s Allowed List you can block USB devices and other peripherals while allowing specific authorized removable media devices.

  1. Connect the desired USB device to any computer that has a CurrentWare Client installed
  2. Open the CurrentWare Console
  3. Select the folder with the computers or users you would like to control
  4. Under the AccessPatrol tab, select Allowed List
  5. Click “Add From Available Devices”
  6. Choose a device from the Vendor ID, Serial Number and/or PNP Device ID lists
  7. Click on Add to Allowed List, then click OK

Administrators can use AccessPatrol’s Device Allowed List to establish a list of devices that their end-users can use on company devices, even when USB ports are disabled.

You can choose to allow devices by the following identifiers:

  • Vendor ID
  • Serial number
  • PNP device ID

Device whitelisting is configured on a per-folder basis. Devices that are added to the allowed list for a given folder will apply to any computers that are in the specified folder. AccessPatrol’s allowed list supports USBs, External Hard drives, Imaging devices, and portable devices.

Note: Allowing a device by serial number is fully compatible with Windows 10. For Windows 7 or 8, some newer models of USB devices may not support this feature. Instead of allowing by serial number, it will allow all devices from the same vendor and model.

How to Use Group Policy to Block Only Some Removable Media Devices

  1. In the Local Group Policy Editor (gpedit.msc) browse to the following location: User Configuration > Administrative Templates > System > Removable Storage Access
  2. For each media type you’d like to control, enable Deny Read Access, Deny Write Access, or Both. With this method you can control CD/DVD, Custom Classes, Floppy Drives, Removable Disks, Tape Drives, and WPD Devices.
  3. Apply the GPO to the Users or OUs that you want to restrict

NOTE: This feature doesn’t work in N editions of Windows 10 Pro.

How to Allow USB Storage Devices But Restrict Specific File Transfers

How to Prevent Specific Files From Being Transferred From USB Ports With AccessPatrol

AccessPatrol allows you to prevent specific files from being transferred to external devices based on their filename or file extension.  

  1. Open the CurrentWare Console
  2. Select the computers or users you would like to control
  3. Under the AccessPatrol tab, select Block File Transfers
  4. Under Enter File Name or Extension, type in the desired extension (CSV, BAK, CAD, etc) or file name (client-list, archive, etc) that you would like to block
  5. Click Add, then click Close
  6. Click Apply to Clients and then click OK

This feature is not available in Group Policy

How to Audit USB Device Usage

How to Audit USB Device Usage With AccessPatrol

Hey everyone, this is Dale here. I am the Digital Marketing Manager for CurrentWare.

In today’s video, I’d like to show off the new USB activity dashboards introduced to AccessPatrol in version 7.0.

These dashboards provide a convenient overview of the peripheral device usage of your entire workforce as well as specific groups or users—all from the convenience of a web browser.

They work in tandem with AccessPatrol’s device control features and USB activity reports to protect sensitive data against the security risks of portable storage devices.

Today’s video is just a sneak peek of what AccessPatrol is capable of; as time goes on you can expect to see further enhancements and data points added to these dashboards.

At this time, AccessPatrol can track activities from the following peripherals:

  1. Portable storage devices such as USB flash drives, external hard drives, optical discs, tape drives, and SD cards
  2. and Mobile devices including smartphones, PDAs, and tablets

This device usage data is used to populate various graphs across AccessPatrol’s dashboards. You can further refine how granular this data is by limiting the time frame, selecting only specific groups, and even investigating individual users.

Having these metrics available at a glance makes detecting potential insider threats far more efficient as your organization scales. 

Any groups or users that need to be reviewed further can be investigated using the more granular dashboards and AccessPatrol’s device activity reports.

For a more proactive approach to insider threat management you can set up targeted alerts that will notify designated staff members when these high-risk activities occur. 

For the most up-to-date information on AccessPatrol’s activity tracking and data loss prevention capabilities, visit our knowledge base at CurrentWare.com/Support or visit the AccessPatrol product page at CurrentWare.com/AccessPatrol

 In the overview dashboard you can review the following metrics:

  • File Operations that happened over the selected time period, including the number of files that have been copied/created, the number of files that have been deleted, and the number of files that have been renamed/saved as.
  • Overall Device Activities, with a breakdown of how many of the peripherals were authorized and how many were blocked from use.
  • The Top 5 File Types graph shows the most common file types that are copied/created or deleted to and from portable storage devices
  • The Top 5 Device Types graph shows the most common classes of peripheral devices that are blocked and allowed
  • The Top 5 Files Operations graph shows which groups or users have the greatest number of files that have been Copied/Created and Deleted to and from portable storage devices
  • The Top 5 Devices Activities graph shows which groups or users have the greatest number of Blocked and Allowed devices.
  • And finally, The Activity Log provides access to the raw data, with controls to show and hide certain columns, filter and sort data, conduct searches, and export the data to an Excel spreadsheet or PDF. Each dashboard has their own Activity Log with columns that are relevant to that specific dashboard.

Moving on to the Files Dashboard you will see…

  • A timeline of file operations that shows the relationship between the various operations over the course of the selected time period. This can be used to search for patterns in anomalous device usage, such as peaks in file transfers outside of regular operating hours.
  • You will also see graphs with the Top File Types Copied/Created to internal hard drives and external devices
  • Below that, we have graphs that show the users or groups that have Copied/Created or Deleted the most files
  • And, just like the overview dashboard, there is an Activity Log with the raw data.

Finally, we have the Devices Dashboard

In this dashboard, we have…

  • A device activities graph that shows a timeline with the number of allowed and blocked devices each day. This can be further refined to show an hourly breakdown of a specific day so you can find out what time your users were attempting to use blocked devices. 
  • Next, we have graphs with the users or groups that have the most allowed and blocked devices activity over the selected time period. 
  • Scrolling down to the Activity Log, we can use the sorting controls to take a closer look at the users that have been attempting to use unauthorized peripherals.

As you can see, we have specific users that are repeatedly trying to use devices that have not been approved for use by the organization.

While this could just be an accidental oversight on the user’s part, there’s a risk that it’s something much more serious. 

For example, what if this is actually a disgruntled employee trying to steal trade secrets or sensitive customer data so they can bring it to a competitor, or worse, sell it to cybercriminals on the dark web.

Between the costs associated with a damaged reputation, fines, loss of competitive advantage, and remediation, a data breach like this could completely ruin a company.

Before we confront this employee or send them for retraining, let’s investigate this incident further so we can make an informed decision.

Clicking on this user, we’ll be taken to a dashboard that focuses exclusively on their activity. 

Looking at the Devices graph we can see that they have made multiple attempts to use blocked devices. 

Scrolling down, we can see that they’ve been trying to use unauthorized portable storage devices.

Since AccessPatrol is currently blocking any devices that are not explicitly allowed, I know that the only way sensitive data is leaving through a USB drive is if it’s a device that we’ve allowed before. So, let’s take a closer look at how they’ve been using their approved devices.

As you can see here, the types of files that they are transferring are more than capable of containing sensitive data; let’s take a look at the file names for more details.

With the Activity Log we can use the filters, sorting, and column options to isolate our view to the entries we’re the most interested in. 

Once we find something that looks off, we have more than enough information to confront this employee and take any necessary corrective actions.

Ready to protect your sensitive data against theft to USB portable storage devices? Block and monitor peripheral device usage today with a free trial of AccessPatrol, CurrentWare’s USB control software.

Simply visit CurrentWare.com/Download to get started instantly, or get in touch with us at CurrentWare.com/Contact to book a demo with one of our team members. See you next time!

With AccessPatrol, blocking USB devices is as simple as a few clicks.

  1. Open the CurrentWare Console and select AccessPatrol
  2. Select Device Reports, then select the Report Type, Computers/Users, Reporting Period, and other options for your USB activity report.
  3. Click Run Report to generate a report that is populated with data that meets the parameters you set.

How to Monitor the Use of Removable Storage Devices in Group Policy

Microsoft has released instructions on how to monitor the use of removable storage devices with Group Policy.

If you configure this policy setting, an audit event is generated each time a user attempts to copy, move, or save a resource to a removable storage device.

Auditing USB device usage in this way involves manually combing through event logs in search of specific event IDs, such as event 4663, which logs successful attempts to write to or read from a removable storage device.
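
One way to cut down that manual review, as an added example that is not from the original article: the function below parses event 4663 XML, keeps only events from the Removable Storage audit subcategory, and decodes the access mask so that writes can be counted per user. The sample events are constructed, and the Task value 12812 used to identify the Removable Storage subcategory is an assumption to confirm against an event from your own Security log.

```powershell
# Added example: summarise removable-storage audit events (Security log, ID 4663).
# File access-mask bits that matter when reviewing copies to portable storage.
$AccessBits = @{ 0x1 = 'ReadData'; 0x2 = 'WriteData'; 0x4 = 'AppendData'; 0x10000 = 'Delete' }
$RemovableStorageTask = '12812'   # assumption: Task value of the Removable Storage subcategory

function ConvertFrom-RemovableStorageEvent {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $evt = ([xml]$EventXml).Event
        # 4663 is also raised by ordinary file-system auditing; keep removable storage only.
        if ($evt.System.Task -ne $RemovableStorageTask) { return }

        $data = @{}
        foreach ($node in $evt.EventData.Data) { $data[$node.Name] = $node.'#text' }

        # AccessMask arrives as a hex string such as "0x2".
        $mask   = [Convert]::ToInt32($data['AccessMask'], 16)
        $rights = $AccessBits.Keys | Sort-Object |
                  Where-Object { $mask -band $_ } |
                  ForEach-Object { $AccessBits[$_] }

        [pscustomobject]@{
            Time    = $evt.System.TimeCreated.SystemTime
            User    = $data['SubjectUserName']
            Process = $data['ProcessName']
            Object  = $data['ObjectName']
            Rights  = $rights -join ','
        }
    }
}

# Constructed sample events (not real log data), trimmed to the fields used above.
function New-SampleEvent($User, $Object, $Mask, $Task = $RemovableStorageTask) {
    @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4663</EventID><Task>$Task</Task>
    <TimeCreated SystemTime="2024-01-15T22:41:07Z" /></System>
  <EventData>
    <Data Name="SubjectUserName">$User</Data>
    <Data Name="ObjectName">$Object</Data>
    <Data Name="ProcessName">C:\Windows\explorer.exe</Data>
    <Data Name="AccessMask">$Mask</Data>
  </EventData>
</Event>
"@
}

$events = @(
    New-SampleEvent 'jdoe'   '\Device\HarddiskVolume6\client-list.csv' '0x2'
    New-SampleEvent 'jdoe'   '\Device\HarddiskVolume6\notes.txt'       '0x1'
    New-SampleEvent 'asmith' 'C:\Shares\report.docx'                   '0x2' '12800'  # file-system audit
) | ConvertFrom-RemovableStorageEvent

# Writes to removable storage, counted per user.
$events | Where-Object { $_.Rights -match 'WriteData|AppendData' } |
    Group-Object User | Select-Object Name, Count

# Against a live log (elevated prompt), feed the same function from Get-WinEvent:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-RemovableStorageEvent
```

With the constructed input, only the first event is reported as a write: the second is a read, and the third is dropped because it comes from file-system auditing rather than removable storage.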

How to Allow Temporary Access to USB Devices

How to Temporarily Allow Blocked USB Devices With AccessPatrol

AccessPatrol can grant temporary access to blocked devices using its access code generator.

Administrators and authorized managers can use the generator to produce a single-use code that provides users with a set duration where the computer’s USB ports are no longer disabled by AccessPatrol. 

The access code is unique to each computer that you generate for and the computers do not need to be connected to the internet to use it. So long as the CurrentWare client is installed on the employee’s computer they can be provided with temporary access to USB devices.

  1. Generate a temporary access code
    • Open the CurrentWare Console
    • Select the computers or users you would like to provide temporary USB device access to
    • Click “Access Code Generator”
    • Choose the expiration date and duration of the access code
    • Click Generate to create a temporary access code
  2. Activate the temporary access code from the employee’s computer
    • Have the employee open the Control Panel
    • Set “View By” to large icons or small icons
    • Click “Grant access to endpoint devices”
    • Have the employee enter the temporary access code into the dialogue box, then click “Unlock”

How to Bypass GPO USB Blocking

Group Policy does not support temporarily bypassing GPOs for a set period of time.

To temporarily allow access to USB devices you will need to manually disable the GPO and manually re-enable it when the end-user no longer requires access to USB devices.

To do this, open the Group Policy Management Console (GPMC), right-click the USB blocking GPO under the OU and uncheck the option “Link Enabled”.

To re-enable the GPO, simply repeat the process and recheck “Link Enabled”.


Removable Media
Policy Template

  • Set data security standards for portable storage
  • Define the acceptable use of removable media
  • Inform your users about their security responsibilities

Get started today—Download the FREE template and customize it to fit the needs of your organization.

3 Disadvantages of Using Group Policy to Block USBs

Although applying group policies is a viable way to control the use of USB storage devices in an organization, there are disadvantages that should not go unnoticed. Here are some of the pitfalls of using GPOs that you should consider before depending on them for data security in your organization.


1. Complex to Set Up & Maintain

Using the Group Policy Object Editor to manage USB security policies can be overwhelming for those without a background in Active Directory and Group Policy management. From an organizational standpoint, the time and expertise needed to administer and modify USB restriction policies in this way might not be readily available. The complexity of GPOs is further compounded when it comes to applying unique USB restrictions to different departments, computers, and users in your organization.

With AccessPatrol, blocking USB devices is as easy as a few clicks. The time savings from not having to manually create and manage GPOs allows IT pros to focus their time on higher value tasks. Should USB restriction policies need an update, the task can be readily delegated to someone with access to an authorized (and uniquely restricted) Operator account.


2. Misconfiguration Will Affect Performance

Group Policy Objects have mandatory updates that regularly occur at a set interval or when a PC is rebooted. You can modify the length of time between updates; however, misconfigurations will bog down your network with an abundance of traffic.

With CurrentWare’s lightweight server and client your AccessPatrol USB security policies will seamlessly update without hogging bandwidth and system resources.


3. Limited to Domain-Joined Machines

Group Policy only supports domain-joined machines in a traditional Active Directory environment. In mixed environments where IT pros need to manage both domain-joined and non-domain-joined machines, having AccessPatrol as a dedicated USB control software provides critical security controls for all of their managed devices.



Ready to take back control over USB device usage in your organization? Get started today with a FREE trial of AccessPatrol, CurrentWare’s device control software.

Sai Kit Chu
Sai Kit Chu is a Product Manager with CurrentWare. He enjoys helping businesses improve their employee productivity & data loss prevention efforts through the deployment of the CurrentWare solutions.