How to Block USB Storage Devices via Intune and Defender for Endpoint

Most enterprises and managed service providers (MSPs) block unauthorized USB devices to prevent data leaks and reduce physical access attack vectors. This is a common security requirement in both business and MSP environments.

Administrators can implement scalable, audit-friendly, and reversible USB blocking policies using Microsoft Intune and Defender for Endpoint.

Different methods to block USB devices

In addition to Intune and Defender for Endpoint, USB drives can also be blocked using Group Policy, the Registry Editor, PowerShell, or the Command Prompt.

📌 Prerequisites:

  • Windows 10/11 Enterprise or Education
  • Administrator privileges
  • Devices must be managed via Intune and, optionally, onboarded to Microsoft Defender for Endpoint.
  • Defender for Endpoint licensing (P1 or P2 for device control)

📌 Recommended deployment strategies:

Method 1: Using Microsoft Intune
Method 2: Using Defender for Endpoint device control rules
Method 3: Using Group Policy (GPO)
Method 4: Using the Registry Editor
Method 5: Using PowerShell
Method 6: Using the Command Prompt

Method 1: Using Microsoft Intune

You can use Microsoft Intune to block USB storage devices using administrative templates.

📌 Use Case: IT administrators looking to create and deploy a profile to block USB devices using Intune

  1. Log in to the Intune admin center.
  2. Navigate to:
    • Devices > Configuration > Create > New Policy
  3. Enter the following properties:
    • Platform: Select Windows 10 and later.
    • Profile type: Select Templates > Administrative Templates
  4. Press Create.
  5. In Basics, enter a name and description, then press Next.
  6. In the Configuration settings, scroll down and expand the General section.
  7. Look for Removable storage, then toggle Block.
  8. In Assignments, select the device groups that will receive the profile. Select Next.
  9. Review your settings in Review + create, then click Create to save the changes and assign the profile.

Method 2: Using Defender for Endpoint device control rules

This method uses Intune to manage Defender for Endpoint settings.

📌 Use Case: IT admins looking to use ASR (Attack Surface Reduction) device control to enforce a stronger policy

  1. Sign in to the Intune admin center.
  2. Go to Endpoint security, then Attack surface reduction.
  3. Press + Create Policy:
    • Platform: Windows 10, Windows 11, and Windows Server
    • Profile: Device Control
  4. Press Create.
  5. Name and describe your policy on the Basics tab.
  6. Look for the “Removable Disk: Deny Write Access” setting under Storage in the Configuration settings tab.
  7. Press the drop-down menu and select Enabled.
  8. Click Next.
  9. Click on Add groups, select the Entra security group containing the Windows devices, then press Next.
  10. Review the deployment summary and click the Create button.

Method 3: Using Group Policy (GPO)

This method uses the Local Group Policy Editor to block USB storage on devices.

📌 Use Cases: IT admins who want to enforce USB restrictions without using Intune or Microsoft Defender for Endpoint.

  1. Press Win + R, type gpedit.msc, then press Enter to open the Local Group Policy editor.
  2. Navigate to:
    • Computer Configuration > Administrative Templates > System > Removable Storage Access
  3. Double-click on the following, then click Enabled:
    • All Removable Storage classes: Deny all access
    • Removable Disks: Deny read access
    • Removable Disks: Deny write access
  4. Apply GPO to the desired Organizational Unit (OU).
  5. Restart the device to apply the changes.

Method 4: Using the Registry Editor

This method uses the Windows Registry to block USB devices manually.

📌 Use Case: IT admins who need an easy way to enforce USB or device restrictions in environments without centralized management tools

  1. Press Win + R, type regedit, then press Enter
  2. Navigate to:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices
  3. Edit the following registry keys:
    • Deny_All (DWORD): 1 (blocks all removable storage for every user)
    • Allow_Admins (DWORD): 0 (ensures that administrators are also blocked, preventing them from bypassing the restriction)
  4. Restart the device to apply the changes.

💡 Note: If the RemovableStorageDevices key is not present, see the Tips section below for instructions on how to create it.

💡 Tips:

  • You can jump directly to the RemovableStorageDevices folder by copying and pasting the path into the address bar.
  • If the values don’t exist, create them by right-clicking the RemovableStorageDevices key. Select New > DWORD (32-bit) Value.
  • You can also block USB class devices by navigating to:
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR, setting Start (DWORD) to 4, then restarting the device.

⚠️ Warning: Editing the registry can have unintended consequences. Proceed with caution and back up the registry before making changes. (For more info, refer to: Things to look out for)

Method 5: Using PowerShell

This method uses PowerShell to disable or re-enable USB storage by modifying the USBSTOR service.

📌 Use Case: IT admins who need quick, scriptable control over USB storage, whether to block or unblock it. This method is ideal for automated deployments in environments without GPO or Intune.

  1. Press Win, type PowerShell, then click Run as administrator.
  2. Copy and paste the following commands into the prompt, then press Enter:
    • To turn off USB storage by stopping the USBSTOR driver:
      • Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR" -Name "Start" -Value 4
      • Stop-Service -Name "USBSTOR"
    • To re-enable:
      • Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR" -Name "Start" -Value 3
      • Start-Service -Name "USBSTOR"
    • For audit logging:
      • Get-WinEvent -LogName Security | Where-Object {$_.Message -like "*USB*"}
  3. Restart the device to apply the changes.

You can run the following commands to confirm the change was successful:

  • Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name 'Start'
  • Get-Service -Name USBSTOR

💡 Note: The audit logging command may take a long time to complete because it queries the entire Security log. Double-check or refine the query with a time filter to avoid delays.

⚠️ Warning: Before deploying the settings change on different endpoints, it’s best to test it out on a local machine first. (For more info, refer to: Things to look out for)
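To make the verification step above repeatable, the following added example (not part of the NinjaOne article) reports the effective USB-storage state of the local machine in one object and applies the time filter the note recommends to the Security-log query. It assumes an elevated session; the 24-hour lookback window and the property names of the returned object are the example’s own choices.

```powershell
# Added example: collect USBSTOR, policy and recent-event state on the local machine.
# Run in an elevated PowerShell session.
function Get-UsbStorageState {
    param([int]$LookbackHours = 24)   # assumption: a 24h window keeps the log query fast

    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    $polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

    # USBSTOR Start: 3 = driver loads on demand (storage allowed), 4 = disabled (blocked)
    $start = (Get-ItemProperty -Path $svcKey -Name Start -ErrorAction SilentlyContinue).Start

    # Policy values are optional; a missing key means "not configured", not 0
    $pol = Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue
    $denyAll     = if ($pol) { $pol.Deny_All }     else { $null }
    $allowAdmins = if ($pol) { $pol.Allow_Admins } else { $null }

    # USBSTOR is a kernel driver, so query Win32_SystemDriver for its running state
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='USBSTOR'"

    # Security log restricted by StartTime so the query does not scan the whole log
    $since  = (Get-Date).AddHours(-$LookbackHours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*USB*' } |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split '\r?\n')[0] } }

    [pscustomobject]@{
        UsbstorStart      = $start
        DriverState       = if ($drv) { $drv.State } else { 'NotFound' }
        PolicyDenyAll     = $denyAll
        PolicyAllowAdmins = $allowAdmins
        # Blocked if the driver is disabled or the Deny_All policy is set
        Blocked           = ($start -eq 4) -or ($denyAll -eq 1)
        RecentUsbEvents   = $events
    }
}

$state = Get-UsbStorageState -LookbackHours 24
$state | Select-Object UsbstorStart, DriverState, PolicyDenyAll, PolicyAllowAdmins, Blocked | Format-List
$state.RecentUsbEvents | Format-Table -AutoSize
```

A Start value of 4 with DriverState still Running means the change has been written but the device has not been restarted yet.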

Method 6: Using the Command Prompt

This method uses Command Prompt to block or unblock USB storage by editing registry values.

📌 Use Case: IT admins looking for a quick, script-based approach to turn USB storage drivers on or off

  • Press Win, type cmd, then click Run as administrator.
  • Copy and paste the following scripts into the prompt, then press Enter:
    • Disable USB storage drivers:
      • reg add "HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR" /v Start /t REG_DWORD /d 4 /f
    • Enable USB storage drivers:
      • reg add "HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR" /v Start /t REG_DWORD /d 3 /f
  • Run the following in order to force GPO update:
    • gpupdate /force
  • Verify the change by running the following script:
    • reg query HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR /v Start
      • The query will return a REG_DWORD value. If it is 0x4, the USBSTOR driver is disabled (USB storage blocked). If it is 0x3, the driver is enabled (USB storage available).

💡 Tip: If forcing GPO update doesn’t apply the changes, restart the device.

⚠️ Warning: Ensure you copy and paste the proper script, as incorrect syntax can cause errors. (For more info, refer to: Things to look out for)

⚠️ Things to look out for

Risk: Editing the registry without a backup
  • Potential consequence: Incorrectly editing the registry could result in corruption, so it’s best to make a backup beforehand.
  • Reversal: Export the registry key before making changes by pressing File > Export.

Risk: Not testing on a local machine
  • Potential consequence: Deploying an untested script may cause devices to crash due to issues such as registry key incompatibility.
  • Reversal: Apply the changes you want on a local machine, then verify that the configuration reflects the intended results.

Risk: Incorrect command syntax
  • Potential consequence: Incorrect command syntax could result in registry corruption, system misbehavior, or the command doing nothing at all.
  • Reversal: Ensure you copy and paste the proper script into the prompt. You may also use tools like PSScriptAnalyzer to check code quality.
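The export-before-change and verify-after-change steps from the table above can be enforced in a single script. The following added example (not part of the NinjaOne article) exports the USBSTOR key, applies the Start value, checks that it stuck, and restores the export if it did not; the backup directory C:\RegBackup and the function name are assumptions. Run it elevated, and restart afterwards as the methods above require.

```powershell
# Added example: change USBSTOR Start only after taking a registry backup, and roll
# back from that backup if the value does not verify. Run elevated.
function Set-UsbStorageBlocked {
    param(
        [Parameter(Mandatory)][bool]$Blocked,
        [string]$BackupDir = 'C:\RegBackup'    # assumption: adjust for your environment
    )
    $regPath = 'HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR'    # reg.exe form
    $psPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'   # provider form
    $target  = if ($Blocked) { 4 } else { 3 }   # 4 = disabled, 3 = load on demand

    # 1. Export the key first (the reversal step from the risk table)
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backup = Join-Path $BackupDir "USBSTOR-$stamp.reg"
    reg.exe export $regPath $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $backup)) {
        throw "Registry export failed; no change was made."
    }

    # 2. Record the current value, then apply the new one as a DWORD
    $before = (Get-ItemProperty -Path $psPath -Name Start).Start
    Set-ItemProperty -Path $psPath -Name Start -Value $target -Type DWord

    # 3. Verify; restore the export if the value did not change as intended
    $after = (Get-ItemProperty -Path $psPath -Name Start).Start
    if ($after -ne $target) {
        reg.exe import $backup | Out-Null
        throw "Start is $after, expected $target; restored from $backup"
    }

    [pscustomobject]@{ Before = $before; After = $after; Backup = $backup }
}

# Block USB storage; a reboot is still needed for the driver change to take effect
Set-UsbStorageBlocked -Blocked $true
```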

Additional considerations

When blocking USB storage devices, consider the following scenarios and best practices.

Granular access control

Device Control Profiles allow you to specify which USB devices can be used. This means you can allow or block specific device types or individual devices using their IDs.

Audit mode

Before blocking USB devices, run device control in audit mode for 30 days to log all USB-related activities (connections, file access, and write attempts). This provides insight into frequently used devices, departments that depend on removable storage, and potential exceptions to the policy.

AppLocker use

You can combine the above methods with AppLocker for more layered protection. AppLocker restricts executables and scripts, preventing malware or unauthorized apps from running off USB devices.

Mobile scenarios

Tablets and hybrid mobile devices often rely on USB-C accessories. In this case, MAM (Mobile Application Management) via Intune can control data flow within corporate apps. You can also use Microsoft Defender for Endpoint to enforce USB restrictions on mobiles.

Troubleshooting common issues

Below are issues you could face when blocking USB devices and how to resolve them.

USB devices are not blocked

If USB devices are still accessible, ensure the policy is assigned to the correct Entra group and verify device sync.

Driver auto-installs

You can prevent driver auto-installs by turning off the USBSTOR service. To do so, run the following script in PowerShell:

  • Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR" -Name "Start" -Value 4

Device exceptions

Adding device exceptions is possible on Intune. You must configure Device Control settings in the ASR policy to specify the exceptions.

NinjaOne services that can help enforce and monitor USB access policies

NinjaOne has powerful tools for enforcing and monitoring USB access policies. These tools enhance Intune and Defender capabilities by closing the automation and observability gap across environments.

  • Registry automation: Push registry changes to restrict USB access via device policies
  • Script deployment: Schedule and deploy PowerShell or CMD scripts for USB control at scale
  • Policy engine: Automate compliance checks and alert when USB access is re-enabled
  • Real-time alerts: Notify administrators when new removable storage is detected
  • Cross-platform enforcement: Use NinjaOne’s scripting and policy management on both hybrid and cloud-managed endpoints

Prevent data leakage by blocking USB storage devices

Blocking USB storage devices limits data leakage, malware delivery, and physical access attack vectors. IT administrators can manage removable storage restrictions using Microsoft Intune, Defender for Endpoint, and command-line scripts.
