How to Disable Autorun in Windows: A PowerShell Script for IT Pros and MSPs

In the vast expanse of modern enterprise technology, IT professionals and Managed Service Providers (MSPs) constantly juggle security concerns. A simple but crucial task, like disabling the Autorun (Autoplay) feature on Windows drives, can be a game-changer for improving system security. For those searching for an efficient 'disable autorun script', look no further. Below, we'll delve into a PowerShell script that does just that and discuss its implications for IT professionals and MSPs. 

Understanding the 'Disable Autorun' Script

This PowerShell script, neatly crafted, serves a straightforward purpose: disabling the Autorun or Autoplay feature on all Windows drives. At first glance, it might seem simple, but the security value it offers, especially in enterprise environments, is immense. 

Quick synopsis of the script:

• What it does: Disables Autorun (Autoplay) on all drives. 
• Requirements: Windows 10 or Windows Server 2016 and above, PowerShell v5.1 
• Usage: It's pretty straightforward to execute: PS C:> Disable-Autorun.ps1 

The Script

#Requires -Version 5.1

<#
.SYNOPSIS
    Disables Autorun(Autoplay) on all drives.
.DESCRIPTION
    Disables Autorun(Autoplay) on all drives.
.EXAMPLE
    No parameters needed.
.EXAMPLE
    PS C:\> Disable-Autorun.ps1
    No parameters needed.
.OUTPUTS
    None
.NOTES
    Minimum OS Architecture Supported: Windows 10, Windows Server 2016
    Release Notes:
    Initial Release
    (c) 2023 NinjaOne
    By using this script, you indicate your acceptance of the following legal terms as well as our Terms of Use at https://www.ninjaone.com/terms-of-use.
    Ownership Rights: NinjaOne owns and will continue to own all right, title, and interest in and to the script (including the copyright). NinjaOne is giving you a limited license to use the script in accordance with these legal terms. 
    Use Limitation: You may only use the script for your legitimate personal or internal business purposes, and you may not share the script with another party. 
    Republication Prohibition: Under no circumstances are you permitted to re-publish the script in any script library or website belonging to or under the control of any other software provider. 
    Warranty Disclaimer: The script is provided “as is” and “as available”, without warranty of any kind. NinjaOne makes no promise or guarantee that the script will be free from defects or that it will meet your specific needs or expectations. 
    Assumption of Risk: Your use of the script is at your own risk. You acknowledge that there are certain inherent risks in using the script, and you understand and assume each of those risks. 
    Waiver and Release: You will not hold NinjaOne responsible for any adverse or unintended consequences resulting from your use of the script, and you waive any legal or equitable rights or remedies you may have against NinjaOne relating to your use of the script. 
    EULA: If you are a NinjaOne customer, your use of the script is subject to the End User License Agreement applicable to you (EULA).
.COMPONENT
    DataIOSecurity
#>

[CmdletBinding()]
param ()

begin {
    function Test-IsElevated {
        $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
        $p = New-Object System.Security.Principal.WindowsPrincipal($id)
        if ($p.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator))
        { Write-Output $true }
        else
        { Write-Output $false }
    }
    function Set-ItemProp {
        param (
            $Path,
            $Name,
            $Value,
            [ValidateSet("DWord", "QWord", "String", "ExpandedString", "Binary", "MultiString", "Unknown")]
            $PropertyType = "DWord"
        )
        New-Item -Path $Path -Force | Out-Null
        if ((Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue)) {
            Set-ItemProperty -Path $Path -Name $Name -Value $Value -Force -Confirm:$false | Out-Null
        }
        else {
            New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $PropertyType -Force -Confirm:$false | Out-Null
        }
    }
}
process {
    if (-not (Test-IsElevated)) {
        Write-Error -Message "Access Denied. Please run with Administrator privileges."
        exit 1
    }
    $Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer'
    $Name = "NoDriveTypeAutorun"
    $Value = 0xFF
    # Sets NoDriveTypeAutorun to 0xFF
    Set-ItemProp -Path $Path -Name $Name -Value $Value
}
end {}

Why Disabling Autorun is Important

• Minimized Risk of Malware: Autorun, when enabled, can allow harmful software to execute automatically from USBs or other external drives. By disabling this feature, the script helps in mitigating the risk of malware spreading across networked systems. 
• Streamlined User Experience: For IT and MSPs managing large networked systems, it's crucial to maintain a consistent user experience. Eliminating unexpected Autorun pop-ups or automatic software launches contributes to this consistency. 
• Easy Deployment: The 'disable autorun script' provided can be easily deployed across multiple systems in an enterprise environment, making it a powerful tool for bulk system management. 

The Potential Risks of Disabling Autorun

• Users may not be able to run executable files from USB drives. 
• Users may have to manually open each file on a USB drive. 
• Some software may not work properly if Autorun is disabled. 

Other Ways to Disable Autorun 

Through the Windows Registry: 

• Open the Registry Editor. 
• Navigate to the following key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer 
• Double-click the NoDriveAutoRun value. 
• Set the value to 1 to disable Autorun for all drives. 
• Set the value to 2 to disable Autorun for removable drives only. 

Through Group Policy: 

• Open the Group Policy Management Console. 
• Navigate to the following policy setting: 
• Computer Configuration\Administrative Templates\Windows Components\Autoplay 
• Set the policy to Disabled to disable Autorun for all drives. 
• Set the policy to Enabled to disable Autorun for removable drives only. 

Final Thoughts

In the rapidly evolving world of IT, sometimes it's simple scripts that can make the most significant impact. Whether you're an IT professional, an MSP, or a curious techie, having tools like the 'disable autoplay script' in your arsenal is essential. After all, in a world teeming with cybersecurity threats, it's the foundational precautions like disabling autorun on a drive that often prove most crucial.