Restrict USB access on Windows Home
  • 28 Sep 2023

The following PowerShell script helps IT admins block USB storage devices such as pen drives, external HDDs, and SSDs.

  1. Create a file on your desktop, for example, restrict_usb_access.ps1, and open it in a text editor such as Notepad++.
  2. Copy the contents below to the file or click here to download the file.
    #This script helps to restrict USB Access
    #Computer restart is required for changes to take effect (uncomment last line to restart computer via this script)
    
    #Update below variables with value 1 (i.e. enable) or 0 (i.e. disable)
    $Deny_Read = 1
    $Deny_Write = 1
    $Deny_Execute = 1
    $Deny_All = 1
    
    
    $USBStorageRegKey = 'HKLM:\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
    $USBStorageRegKeyEx = 'HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
    $StorageRegKey = 'HKLM:\Software\Policies\Microsoft\Windows\RemovableStorageDevices'
    $StorageRegKeyEx = 'HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices'
    $USBRegKey = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
    $DenyReadRegName = 'Deny_Read'
    $DenyWriteRegName = 'Deny_Write'
    $DenyExecuteRegName = 'Deny_Execute'
    $DenyAllRegName = 'Deny_All'
    
    $exists = Test-Path $USBStorageRegKey
    if (!$exists) {
        New-Item -Path $StorageRegKey -Name $USBRegKey -Force | Out-Null
    }
    
    if($Deny_Read)
    {
    	reg add $USBStorageRegKeyEx /v $DenyReadRegName /t REG_DWORD /d 1 /f
    }
    else
    {
    	try
    	{
    		$Read = Get-ItemPropertyValue $USBStorageRegKey -Name $DenyReadRegName
    		
    		if($Read -ne $null)
    		{
    			reg delete $USBStorageRegKeyEx /v $DenyReadRegName /f
    		}
    	}
    	catch
    	{
    	}
    }
    
    if($Deny_Write)
    {
    	reg add $USBStorageRegKeyEx /v $DenyWriteRegName /t REG_DWORD /d 1 /f
    }
    else
    {
    	try
    	{
    		$Write = Get-ItemPropertyValue $USBStorageRegKey -Name $DenyWriteRegName
    		
    		if($Write -ne $null)
    		{
    			reg delete $USBStorageRegKeyEx /v $DenyWriteRegName /f
    		}
    	}
    	catch
    	{
    	}
    }
    
    if($Deny_Execute)
    {
    	reg add $USBStorageRegKeyEx /v $DenyExecuteRegName /t REG_DWORD /d 1 /f
    }
    else
    {
    	try
    	{
    		$Execute = Get-ItemPropertyValue $USBStorageRegKey -Name $DenyExecuteRegName
    		
    		if($Execute -ne $null)
    		{
    			reg delete $USBStorageRegKeyEx /v $DenyExecuteRegName /f
    		}
    	}
    	catch
    	{
    	}
    }
    
    if($Deny_All)
    {
    	reg add $StorageRegKeyEx /v $DenyAllRegName /t REG_DWORD /d 1 /f
    }
    else
    {
    	try
    	{
    		$DenyAll = Get-ItemPropertyValue $StorageRegKey -Name $DenyAllRegName
    		
    		if($DenyAll -ne $null)
    		{
    			reg delete $StorageRegKeyEx /v $DenyAllRegName /f
    		}
    	}
    	catch
    	{
    	}
    }
    
    #Restart-Computer -Force
    1. Choose the Execution level as: Device level.
    2. The script sets the following registry values under RemovableStorageDevices to 'Enabled':
      'Deny_Read' ; 'Deny_Write' ; 'Deny_Execute' ; 'Deny_All'
    3. Setting a variable above to 1 enables the restriction, and setting it to 0 disables it. For example, the values below will block access.
      $Deny_Read = 1
      $Deny_Write = 1
      $Deny_Execute = 1
      $Deny_All = 1

    4. When you connect a removable USB storage device to your Windows computer, you will be able to see the drive in My Computer, but access to it will be blocked. For example, in the image below, an SSD is connected to the device, but access to the USB drive at D:\ is blocked.
    5. Once the script has executed successfully, a computer restart is required for the changes to take effect.
  3. You will be able to see the script's status in the View Status report on the Scalefusion dashboard.
  4. Follow our guide to upload & publish the PowerShell script using Scalefusion Dashboard.
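
To confirm on a device that the script's values are in place, the following read-only check reads back the four registry values it writes. This is an added example, not part of the Scalefusion script; the function name Get-UsbStoragePolicy is hypothetical, and the check assumes all four values are expected to be 1, as in the script's defaults.

```powershell
# Added example: read-only audit of the values written by restrict_usb_access.ps1.
# Get-UsbStoragePolicy is a hypothetical helper name, not a built-in cmdlet.
$StorageRegKey    = 'HKLM:\Software\Policies\Microsoft\Windows\RemovableStorageDevices'
$USBStorageRegKey = 'HKLM:\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

function Get-UsbStoragePolicy {
    # Each entry names the key that holds the value and the value itself.
    $checks = @(
        @{ Key = $USBStorageRegKey; Name = 'Deny_Read'    },
        @{ Key = $USBStorageRegKey; Name = 'Deny_Write'   },
        @{ Key = $USBStorageRegKey; Name = 'Deny_Execute' },
        @{ Key = $StorageRegKey;    Name = 'Deny_All'     }
    )
    foreach ($c in $checks) {
        $value = $null
        if (Test-Path -LiteralPath $c.Key) {
            # A missing value leaves $prop as $null instead of raising an error.
            $prop = Get-ItemProperty -LiteralPath $c.Key -Name $c.Name -ErrorAction SilentlyContinue
            if ($null -ne $prop) { $value = $prop.($c.Name) }
        }

        # Map the raw DWORD to a readable state.
        if ($null -eq $value)  { $state = 'NotConfigured' }
        elseif ($value -eq 1)  { $state = 'Enabled' }
        else                   { $state = 'Disabled' }

        [pscustomobject]@{
            Name  = $c.Name
            Key   = $c.Key
            Value = $value
            State = $state
        }
    }
}

$report = @(Get-UsbStoragePolicy)
$report | Format-Table Name, Value, State -AutoSize

# Flag any value that is not set to 1 (assumption: all four should be enabled).
$notEnforced = @($report | Where-Object { $_.State -ne 'Enabled' })
if ($notEnforced.Count -gt 0) {
    Write-Warning ('Not enforced: ' + ($notEnforced.Name -join ', '))
}
```

The check only confirms that the registry values are present; the restart the script requires is still needed before the block takes effect.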

Please note that to use the PowerShell scripts, the Scalefusion MDM Agent Application must be installed on the device(s). Please follow our guide to publish and install the Scalefusion MDM Agent Application.
Notes:
1. The scripts and their contents are sourced from various albeit authenticated Microsoft sources and forums.
2. Please validate the scripts on a test machine before deploying them on all your managed devices.
3. Scalefusion has tested these scripts; however, Scalefusion will not be responsible for any loss of data or system malfunction that may arise due to the incorrect usage of these scripts.



