Set Up Windows 10/11 Local Group Policies to Block USB Storage (Allow Keyboard/Mouse)
Difficulty: Intermediate | Time Required: 20 minutes
USB flash drives and external USB hard drives are convenient—but they’re also a common way malware and data leaks happen. If you share a PC, manage a small office, or just want tighter control, Windows Local Group Policy can block USB storage while still allowing everyday USB devices like keyboards and mice.
This guide shows how to do it using built-in Windows policies (no third-party tools), with notes for Windows 10 and Windows 11.
Introduction: What this solves (and what it doesn’t)
Goal: Prevent users from reading/writing to USB storage devices (flash drives, USB HDD/SSD, SD card readers presenting as USB mass storage) while still allowing USB input devices like keyboard/mouse.
Important limitation: Group Policy blocks by device class/driver behavior, not by “port power.” So your USB ports still work—this is good, because it means keyboards, mice, printers, and many other peripherals can remain functional.
Prerequisites
- Windows Edition:
- Local Group Policy Editor (gpedit.msc) is built-in on Windows 10/11 Pro, Enterprise, Education.
- Windows Home doesn’t include gpedit.msc by default. (You can still do similar things via Registry, MDM, or device installation restrictions with extra steps, but that’s outside this tutorial.)
- Admin rights: You must be signed in as an administrator.
- Plan for recovery: If you accidentally lock out legitimate storage access, you’ll need admin access to revert the policy.
Step-by-step: Block USB storage via Local Group Policy
Step 1) Open the Local Group Policy Editor
- Press Win + R
- Type:
gpedit.msc
- Press Enter
Note (Windows 11): The editor looks slightly different, but policy paths and names are the same.
Step 2) Block USB storage using “Removable Storage Access” policies (recommended)
These policies are straightforward and specifically target removable storage behavior.
- In the left pane, go to:
Computer Configuration → Administrative Templates → System → Removable Storage Access
- In the right pane, locate and configure these policies:
Option A (most common): Block all removable storage read/write
- Removable Disks: Deny read access → set to Enabled
- Removable Disks: Deny write access → set to Enabled
- Click Apply, then OK for each.
This blocks typical USB flash drives and many USB external drives that Windows classifies as “removable.”
Tip: If you only want to prevent data theft but still allow scanning a USB drive, enable Deny write only. Users can read from USB but cannot copy files to it.
Option B (stronger): Deny access to all removable storage classes
If you want broader coverage:
- All Removable Storage classes: Deny all access → set to Enabled
Warning: This can also affect other removable storage types (depending on your system and device classification). Use it if you want a stricter “no removable storage” policy.
Step 3) Ensure keyboards and mice still work (what to check)
Good news: keyboards and mice are HID (Human Interface Device) class devices, and the “Removable Storage Access” policies target storage, not HID—so keyboards/mice should remain unaffected.
Still, it’s wise to avoid additional policies that block “USB devices” broadly.
- Do not enable blanket device installation blocks unless you fully understand device classes and have tested.
Step 4) Apply the policy immediately
Group Policy refreshes automatically, but you can force it:
- Open Command Prompt (Admin):
- Right-click Start → Windows Terminal (Admin) / Command Prompt (Admin)
- Run:
gpupdate /force
- Restart the PC (recommended) to ensure device access is fully re-evaluated.
Step 5) Test with a USB flash drive
- Insert a USB flash drive.
- Try to open it in File Explorer.
Expected results:
- With Deny read enabled: you should see “Access is denied” or similar when opening.
- With Deny write enabled only: you can open it, but copying files to it fails.
- With Deny all access enabled: access should be blocked entirely.
Note: Some drives present as “fixed disks” rather than “removable.” If your test drive still works, use the stronger method in Step 6.
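To confirm the Step 2 settings before testing by hand, the following PowerShell check (an added example, not part of the original tutorial) reads the registry values these policies are stored in and lists attached USB disks with the media type Windows reports for them. It assumes the standard machine policy key shown in the script; the function names are illustrative.

```powershell
# Added example: read-only audit of the Step 2 "Removable Storage Access" policies.
# Assumption: the policies are stored under the standard machine policy key below.
$base  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$disks = "$base\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"   # "Removable Disks" class

function Test-PolicyValue {
    # Illustrative helper: $true only if the DWORD exists and is 1 (policy Enabled).
    param([string]$Key, [string]$Name)
    $item = Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction SilentlyContinue
    [bool]($item -and $item.$Name -eq 1)
}

function Get-RemovableStoragePolicy {
    $p = [ordered]@{
        DenyRead  = Test-PolicyValue $disks 'Deny_Read'
        DenyWrite = Test-PolicyValue $disks 'Deny_Write'
        DenyAll   = Test-PolicyValue $base  'Deny_All'
    }
    # Map the registry state to the result Step 5 says to expect.
    $p.Expected = if ($p.DenyAll) {
        'Access blocked entirely'
    } elseif ($p.DenyRead) {
        'Opening the drive fails with "Access is denied" or similar'
    } elseif ($p.DenyWrite) {
        'Drive opens, but copying files to it fails'
    } else {
        'No restriction applied: re-check the policy state and run gpupdate /force'
    }
    [pscustomobject]$p
}

function Get-UsbDiskClassification {
    # Drives that do not present as removable are the case the Step 5 note describes.
    Get-CimInstance -ClassName Win32_DiskDrive |
        Where-Object { $_.InterfaceType -eq 'USB' } |
        Select-Object Model, MediaType,
            @{ Name = 'PresentsAsRemovable'; Expression = { $_.MediaType -like 'Removable*' } }
}

Get-RemovableStoragePolicy | Format-List
Get-UsbDiskClassification  | Format-Table -AutoSize
```

If a policy shows as Enabled in gpedit.msc but the matching value here is False, the policy has not been written to the registry yet; repeat Step 4.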
Stronger method (optional): Block the USB Mass Storage driver (USBSTOR)
If you need to block nearly all USB storage (including many devices that don’t behave like “removable”), you can disable the USB mass storage driver.
Step 6) Disable USB mass storage device installation (Device Installation Restrictions)
This approach prevents the system from installing/using USB storage devices while leaving HID devices alone.
- Go to:
Computer Configuration → Administrative Templates → System → Device Installation → Device Installation Restrictions
- Enable:
- Prevent installation of removable devices → Enabled
- (Optional but powerful) Enable:
- Prevent installation of devices that match any of these device IDs → Enabled
- Click Show… and add hardware IDs for USB mass storage devices (more work, requires collecting IDs first)
Warning: Device Installation Restrictions can be very strict. If you add the wrong IDs or block too broadly, you can prevent legitimate devices from working.
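Step 6 asks you to collect hardware IDs before adding them to the policy. This PowerShell inventory (an added example, not part of the original tutorial; the function name is illustrative) lists the hardware and compatible IDs of the USB storage currently attached, alongside keyboards and mice, and reports any ID that appears in both groups, so an entry that would also match an input device is visible before you add it.

```powershell
# Added example: inventory device IDs before editing the Step 6 device ID list.
# Run with the USB storage device you want to identify plugged in.
function Get-UsbIdInventory {
    Get-PnpDevice -PresentOnly | ForEach-Object {
        # Storage: devices driven by USBSTOR, plus the disk nodes they expose.
        $role = if ($_.Service -eq 'USBSTOR' -or $_.InstanceId -like 'USBSTOR\*') {
            'Storage'
        } elseif ($_.Class -in 'Keyboard', 'Mouse', 'HIDClass') {
            'Input'
        } else {
            $null
        }
        if ($role) {
            [pscustomobject]@{
                Role          = $role
                Name          = $_.FriendlyName
                Class         = $_.Class
                HardwareIds   = @($_.HardwareID)
                CompatibleIds = @($_.CompatibleID)
            }
        }
    }
}

$inventory = Get-UsbIdInventory

# Collect every ID (hardware and compatible) seen for each role.
$storageIds = $inventory | Where-Object Role -eq 'Storage' |
    ForEach-Object { $_.HardwareIds + $_.CompatibleIds } |
    Where-Object { $_ } | Sort-Object -Unique
$inputIds = $inventory | Where-Object Role -eq 'Input' |
    ForEach-Object { $_.HardwareIds + $_.CompatibleIds } |
    Where-Object { $_ } | Sort-Object -Unique

# Any ID listed here would match a keyboard/mouse as well as storage: do not add it.
$overlap = $storageIds | Where-Object { $_ -in $inputIds }

$inventory | Sort-Object Role, Name | Format-List Role, Name, Class, HardwareIds, CompatibleIds
'Candidate storage IDs:'; $storageIds
'IDs shared with input devices (exclude these):'; $overlap
```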
Tips, notes, and troubleshooting
Tip: Use per-user vs per-computer correctly
Most of these settings are under Computer Configuration, meaning they apply to the whole PC (all users). That’s usually what you want for security.
If you need different rules for different users, consider:
- Separate PCs, or
- Domain Group Policy (Active Directory), or
- Third-party device control solutions
Troubleshooting 1: “gpedit.msc not found”
- You’re likely on Windows Home. Options include:
- Upgrade to Pro, or
- Use Registry-based equivalents (advanced), or
- Use Microsoft Intune/MDM policies (if managed)
Troubleshooting 2: USB drive still works after enabling policies
- Run:
gpupdate /force
- Restart.
- Try a different USB drive.
- Use All Removable Storage classes: Deny all access (Step 2, Option B).
- Consider the stronger driver/device-install restriction method (Step 6).
Troubleshooting 3: A specific approved USB drive should be allowed
Local Group Policy doesn’t provide a simple “allowlist this one USB drive” for typical home setups. Common approaches:
- Use BitLocker To Go policies (allow only encrypted drives, for example)
- Use device installation allowlists by hardware ID (more complex)
- Use enterprise device control solutions
Safety note: Keep an admin “escape hatch”
Before rolling this out on a shared PC:
- Ensure at least one administrator account is known and accessible.
- Consider testing on a non-critical machine first, or creating a restore point beforehand.
Note: Creating a restore point can help you recover from configuration mistakes, though Group Policy changes are usually reversible from an admin account.
Conclusion: Why this is worth doing
Blocking USB storage is a practical, built-in way to reduce the risk of malware infections and unauthorized data copying—without crippling your PC’s ability to use normal USB devices like keyboards and mice. With Local Group Policy, you get a clear, maintainable configuration that can be reverted or adjusted later as your needs change.
Key Takeaways:
- Block USB storage in Windows 10/11 Pro+ using Removable Storage Access policies.
- Keyboards and mice (HID devices) continue working because the policy targets storage, not USB ports.
- Use gpupdate /force and reboot to ensure settings take effect.
- For tougher scenarios, consider Device Installation Restrictions to stop mass storage more broadly.
This tutorial was generated to help WindowsForum.com users get the most out of their Windows experience.