How to Disable USB Drives on Windows 11 and Windows 10

Blocking USB access is important to security in Windows 11 and Windows 10 deployments in organizations, as well as on personal devices, as it can prevent the spread of malware, data theft, and even physical damage to devices. This concise guide demonstrates how to disable USB drives on Windows and handle USB drive risks

If you prefer watching over reading, watch this video on How to Disable USB Drives on Windows 10 and 11.

How to disable USB drives in Windows

The method you use to disable USB drives in Windows will depend on whether you are managing a single device or multiple.

⚠️ IMPORTANT: All methods require users to be logged in as an Administrator to work correctly. Before you make any changes to your system, it is recommended that you perform a full backup.

Method 1: Using Windows Registry Editor to disable USB storage

This method for disabling USB drives allows other USB devices to continue functioning, and is done via the Windows Registry:

1. Right-click on the Start button, click Run, and enter “regedit” to open the Registry Editor.
2. Within the Registry editor, navigate to HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesUSBSTOR.
3. Edit the value for the Start Registry Key in USBSTOR path and change it to 4. T
   • To revert this change and re-enable USB storage, change the value of Start back to 3.

When the value of the Start Registry Key in USBSTOR is set to 4, nothing will happen when a USB drive is connected, and an error will appear in the device manager entry for the USB storage device.

Method 2: Using Windows Group Policy Editor to disable USB storage

You can also use Group Policy to disable USB drive access on a single machine, or on a Windows Domain using Active Directory:

1. Right-click on the Start button, click Run, and enter “gpedit.msc” to open the Group Policy Editor.
2. In the Group Policy Editor, use the navigation tree in the left panel to navigate to Computer Configuration/Administrative Template/System/Removable Storage Access.
3. In the right panel, select Removable Disks: Deny Execute Access.
4. Check Enabled to enable this policy and disable removable USB storage.

To deploy this policy to multiple machines in a Windows Domain, use the Group Policy Management Console by running gpmc.smc on a domain controller. Then, enable the above policy for the Organizational Unit you want to disable removable USB storage for. This allows you to enable the restriction based on users’ group membership, or for specific machines.

Method 3: Using the Device Manager to Disable USB Ports

To block USB access on a single computer, you can use the Device Manager.

1. Right-click the Start button and click Device Manager.
2. Expand the Universal Serial Bus controllers tree menu item.
3. Right click and disable USB ports as required.

Before making changes, create a system restore point so you can roll back if critical devices are accidentally disabled.

Method 4: Using third-party tools to block USB access

There are a number of products that allow you to disable USB drives in Windows, in some cases allowing for remote management of devices. These include USB Block and USB Lock RP.

Unless you need control over which specific USB devices can be connected, adding additional USB management software to your system is usually seen as unnecessary given Windows’ built-in ability to block access to USB storage (including the ability to restrict other specific kinds of USB devices using PowerShell).

If more robust protection is required in a corporate environment, a full endpoint security solution addresses both the risks posed by USB devices and other cybersecurity threat vectors.

Understanding USB drive risks

There are several risks posed by removable USB storage that are solved by discouraging or preventing their use:

• Data breaches and theft: An employee can easily lose a USB drive containing sensitive information, resulting in a data breach. Theft is also an issue, as is the risk that an employee bypasses data access restrictions by using a colleague’s computer to load information they are not privy to on a USB stick
• Data loss and corruption: USB drives are not reliable storage devices. Discouragement of their use removes the risk of an employee moving important data onto a USB stick and subsequently losing or corrupting it
• Malware and firmware infections: Some malware can spread via USB either as files or hidden in firmware, bypassing network protections. Additionally, some cyber attacks occur when an infected USB stick is intentionally left where a targeted employee is likely to find it and plug it in to see what’s on it (for example, on a shop counter, or building reception desk).

USB devices can also pose a physical threat. Attackers have deployed specialized USB sticks that contain high-voltage hardware to damage devices when they are plugged in. This makes securing public devices vital: not only should USB storage be disabled, but access to physical USB ports should also be restricted.

Beyond technical risks, many compliance frameworks (such as HIPAA, GDPR, and PCI DSS) require strict control over removable media. Disabling USB storage helps organizations meet these security obligations.

Use cases and impacts of disabling USB drives

The primary impact of disabling USB storage is on your users. To reduce complaints about USB drives not working, make sure they are aware of the changes you are enacting on their devices.

While some Windows security solutions make it possible to whitelist specific USB storage devices, this doesn’t prevent them from being used in other computers outside your control, potentially infecting them with malware. Instead, consider deploying cloud storage or network shares that can be monitored for misuse and malware, for your users to share files or work on them when out of the office.

Manually securing endpoints leads to security holes and breaches

Attempting to manually manage more than a few devices is likely to result in misconfiguration, leaving your organization’s devices vulnerable to the threats posed by insecure USB storage devices. It is important that the same policies are applied to devices for consistency and maintainability.

If you are tasked with securing multiple Windows devices on a network, consider a security solution that addresses not just the risks posed by USB devices but also cybersecurity threats such as malware, phishing, hackers, and user error. Endpoint management provided by NinjaOne gives you full visibility over your fleet of devices and allows you to enforce Windows policies and monitor for malware and potential data breaches for complete control of your IT environment.