How to Prevent Copying Files to USB on Windows 10

| Servers | 42 seen

Lately I've been working as a system administrator and helping out a lot to a small company setting up office computers. It involves purchasing office computers, setting up operating systems, configuring LAN and of course security.

As these are topics I face on my everyday working day (though i feel more server guy) - I decided to write down my notes, as with time, things can be forgotten.

Just recently we faced an issue on port forwarding to enable Remote Administration, see: How To Setup Port Forwarding for TP-Link Wireless Router (Radmin).

As company is working with sensitive information (data) - it was agreed - we should enable another layer of security - preventing copying files from HDD to USB devices.

In general there are several way of achieving this, as the rule of thumb here are the two most popular options:

  • Using the Registry
  • Using the Group Policy

For this tutorial I will stick with the Group Policy option (for other use, see this guide: How to enable write protection for USB devices on Windows 10)

How to enable USB write/read/execute protection using the Group Policy

If you're running Windows 10 Pro, Enterprise, or Education, you can access the Group Policy editor to deny write permissions to removable storage devices.

To enable write protection using Group Policy, do the following:

1. Use the Windows key + R keyboard shortcut to open the Run command.

2. Type gpedit.msc and click OK to open the Local Group Policy Editor.

3. Browse the following path:

Computer Configuration > Administrative Templates > System > Removable Storage Access

4. On the right side, double-click the Removable Disks: Deny write access policy.

Local Group Policy Editor

Local Group Policy Editor

Double click on:

  • Removable Disks: Deny execute access
  • Removable Disks: Deny read access
  • Removable Disks: Deny write access

Optional - you can leave some of the rights intact, for example deny only copying to USD drive, or deny only execute from USD drive. By denying execute, read and write access we are tighetning security to the maximum regarding USD devices.

5. Select the Enabled option to activate the policy.

6. Click Apply.

7. Click OK.

8. Close the Group Policy editor.

9. Restart your computer to complete the task.

Next time you (or someone) will try to insert USD device, Access is Denied message will appear:

USB - Access is Denied

USB - Access is Denied

If you need to revert the changes, just follow the same steps, but on step 5 make sure to select the Not Configured option.