Removable Storage Devices - Deny All Access (Non-Administrators)

This video will demonstrate how to create a (LGPO) local group policy object that will allow you to configure your computer to deny access to all removable storage devices for all non-administrators. Users with administrative privileges will continue to have access to removable storage devices but other users will not. This policy not only prevents non-administrators from copying company data onto a removable storage device, but it also prevents non-administrators from accessing removable storage devices entirely.

System requirements

( Windows 10/11 Pro, Enterprise, and Education editions )

Step Instructions:  

1st - you will need to log in with administrative privileges

2nd – type in mmc.exe in the search bar and select (click on) enter – select yes

3rd – select (click on) File and then select (click on) Add or Remove Snap-ins

4th – go to :Group Policy Object” and select (click on) Add 

5th - select (click on) “Browse” and then select (click on) the “Users” Tab

6th - select (click on) “Non-Administrators” and select (click on) OK

7th - select (click on) “Finish”

8th - select (click on) OK

The next steps will be to enable the policy that will Deny all access for all removable storage classes.

10th - select (click on) the local group policy object you just created (Example: “Non-Administrators Console”)

11th - under “console root” select (click on) “Local Computer\Non-Administrators Policy”

12th - select (click on) “User Configuration”

13th - select (click on) “ Administrative Templates”

14th - select (click on) “System”

15th - select (click on) “Removable Storage Access”

16th - select (click on) “All Removable Storage classes: Deny all access”

17th - select (click on) “Enable” and then Apply/OK

Make sure to test applications that standard (non-administrators) users will need to ensure they are working properly. If you need to remove this policy setting return to step 17 and select “Not Configured” and select apply.

Local Group Policy: All Removable Storage Classes: Deny all access 

While USB drives are the most common removable data security threat, considering twenty-two thousand USB flash drives were left at dry cleaners last year in the UK, there are other removable storage devices that can transfer your company data. Most desktop computers are configured with CD/DVD recorders that allow users the ability to burn thousands of documents on single dual layered DVD disks. Additionally, a user can connect their personal smartphone and transfer company data to their smartphone’s internal storage, some smartphones have more available storage than a typical business class computer.

Why should  - small businesses need to use this policy?

- protect sensitive information
If anyone connects a removable storage device to a company computer, they put you at risk. This policy prevents users from copying company data to an unsecured removable storage device and exposing your network to malicious threats that may be on the users "personal" device that has removable storage.

- security compliance
Regardless of your business sector if your company retains client/customer sensitive data (social security numbers, name, mailing addresses, birth date, bank account information, tax id numbers, email addresses, telephone numbers, etc.) there is a regulation “ somewhere” requiring you to protect it.
This policy will assist regarding removable storage devices.

- financial liability
A lost unsecured USB drive,CD/DVD media, Smartphone, etc with sensitive/confidential information can expose your business to legal actions, fines and even lawsuits.

Types of Removable storage
Removable storage devices/media