Abraham Deutsch

asked on

Restrict specific user from using removable drives

I am looking to restrict a user from using removable drives on their laptop. This can be accomplished with a local GP, but I am wondering if there is a way to apply the policy, or do it in a different way, so that it applies only to standard users [or a specific user], not to admin users.

Also, I would like, if possible, to lock booting from USB so they cannot remove or change their password.

Windows 10, not joined to a domain.
yo_bee

This can be done via the GPMC on your domain the same way you do it via GPEDIT.MSC. The only difference is that you will need to use one of the filtering methods (Security Filtering, WMI, OU, Delegation).

User Configuration | Administrative Templates | System | Removable Storage Access | <select your setting>

Apply the proper Security filtering and link it to the proper OU and you should be set.
 
My policy applies to Computers, but the same principle applies for the User Configuration settings. Deny-Access-to-Removable-Storage.htm

On a laptop, the GPO would need to be local; otherwise it will not apply if the logon occurs while the user is away from the LAN.

If there is an enterprise-class anti-virus (McAfee, Symantec, etc.), it might be possible to restrict using a policy of the anti-virus.

The only way to prevent boot from USB is by locking the access to the BIOS while making sure it does not provide an option to boot off USB. Or ....
Abraham Deutsch

ASKER

I am not sure where I find the option of filtering. When I open Edit Group Policy I get this window, and do not see the option of filtering.
Please help.
Looks like you are using GPEDIT.msc, not GPMC. GPEDIT is local only and would not have the security filtering. You need to use GPMC, which can be accessed via a domain controller or a computer with RSAT installed.
I tried to install RSAT, but since these laptops are not joined to a domain, it does not seem to work.
On the laptop you would need to use regedit and effectively block USB to be functional only as a mouse, keyboard and likely webcam, not storage.

These are the limits.
Since I am not sure how to do it, please provide more details on which registry key to edit and how to do it in a way that it applies to all users. Highly appreciated.
On a laptop that is not joined to a domain, the change is applicable to all.

https://www.raymond.cc/blog/how-to-disable-removable-storage-devices-such-as-usb-drives/

Look at the manual entry: disable the loading/starting of the usbstor driver while retaining the other functionalities.

This does not prevent the user from booting the system using a bootable USB or a bootable CD/DVD to offload data if they are so intent.
Just tested it. I changed the value to 4, but USB is still accessible on the laptop.

Is there any difference if it's done by local GP or by regedit? Also, is there a difference if the policy is applied at the user configuration or at the computer configuration?
Sorry, I assumed that this was a domain computer based on the details in the question.
The registry change requires a reboot as the driver loads on boot up.
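The registry approach discussed above, as an added PowerShell example that is not part of the thread or of the linked article: it reads the Start value of the usbstor driver's service key, sets it to 4, and reports whether the driver is still loaded in the running system, which is why the change appears to have no effect until a reboot. The function names are hypothetical, and the key path is the standard service entry for the driver, which the thread itself does not quote.

```powershell
#Requires -RunAsAdministrator
# Added example: audit and disable the USB mass-storage driver (USBSTOR).
# The setting lives under HKLM, so it is machine-wide and applies to every
# account on the laptop, administrators included.

# Standard service key for the driver (not quoted in the thread).
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-UsbStorState {
    # Start = 3 means load on demand; Start = 4 means disabled.
    $start = (Get-ItemProperty -Path $UsbStorKey -Name Start -ErrorAction Stop).Start

    # The registry value only controls the next load. Ask the running system
    # whether the driver is loaded right now.
    $driver = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='USBSTOR'"

    [pscustomobject]@{
        StartValue     = $start
        DisabledOnBoot = ($start -eq 4)
        LoadedNow      = [bool]($driver -and $driver.State -eq 'Running')
    }
}

function Disable-UsbStor {
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value 4 -Type DWord

    $state = Get-UsbStorState
    if ($state.LoadedNow) {
        # Matches the behaviour reported in the thread: value is 4, drive still works.
        Write-Warning 'USBSTOR is still loaded; storage stays usable until the next reboot.'
    }
    $state
}

# Report the current state, apply the change, then report again.
Get-UsbStorState | Format-List
Disable-UsbStor  | Format-List
```

After the reboot, `Get-UsbStorState` should show `DisabledOnBoot` as True and `LoadedNow` as False; USB keyboards, mice and webcams use other drivers and are not affected by this key.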
ASKER CERTIFIED SOLUTION
Abraham Deutsch