Windows 10 Pro, non-DOMAIN, disable usb storage by USER ?

finance_teacher used Ask the Experts™
How can I disable "USB storage" on the
below #4 via gpedit.msc or something else ?

  ** Operating System = Windows 10 Pro
  ** Location = Home
  ** Domain = NO

 1. I login as me
 2. USB storage works
 3. my 5 year old logs in
 4. no USB storage since I do NOT
    want child to copy data from
    bad USB drives onto PC
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Distinguished Expert 2018

3rd party software.  Most security A/V bundles can do this
Distinguished Expert 2017

On a home version you have a single policy all or none.
The second account needs to be limited, standard any corruption will be limited to the standard user. It will not impact the system

An AV that scans ..... To shield the system.

info to user.
Distinguished Expert 2018
Create an MLGPO targeted at that very user and use ->user configuration - system - removable storage access. There, use the policies you find suitable.

MLGPOs explained:
Become a Certified Penetration Testing Engineer

This CPTE Certified Penetration Testing Engineer course covers everything you need to know about becoming a Certified Penetration Testing Engineer. Career Path: Professional roles include Ethical Hackers, Security Consultants, System Administrators, and Chief Security Officers.

Distinguished Expert 2017

mcknife, interesting.
in a localized environment, did not think to even look...

The question while you can limit the user from accessing, the USB or any removable  device.  A USB storage device when connected is read in by the system which at times all that is needed if the "driver" is what is infected compromised?

If one follows the news there was a person arrested with payload laden usb devices. while this policy would prevent the user from accessing data or copying data out. The system when mounting the removable storage ....
Distinguished Expert 2018

When connecting a USB device, nothing is being read, there is no autorun anymore. The device cannot dictate a driver, no danger.

What are you referring to?
Distinguished Expert 2017

Does it not get mounted by the system?
The user level restriction is for access related rights.

Consider A package with a lock.
If seems suspicious you do not bring it in. A standard user, is handed a package with a lock. This person brings it in, and puts it at ....

Did not have an unused/previously connected storage though did not think ......

From the user configuration ..., settings.
Thought what happens when the restriction is in place and the user to whom it applies inserts a USB

In my test, it mounted the stick though it was previously used on the system
If it is mounted, extrapolating, if user inserts, the system then goes through the process USB enumeration, identify the device, load driver, ....whether or not a drive letter is assigned.

Some USB devices. include their own "driver"....
Distinguished Expert 2018

No software on a stick gets started automatically unless people intentionally active autorun - that just does not happen. If you have a stick with capabilities that go beyond what windows' own drivers make possible, then the user will have to start a software - it will never start on its own.
Distinguished Expert 2017

I am talking about the process windows goes through when a new USB stick/device is inserted.
No user involvement needed.

On the GPO computer configuration one can disable/limit USB to HID devices only, non-storage types

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial