No announcement yet.

locking down Windows XP USB

  • Filter
  • Time
  • Show
Clear All
new posts

  • locking down Windows XP USB

    I found a registry setting that would disable write access to USB. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l with new key StorageDevicePolices with DWORD WriteProtect set to 1.

    When I input this manually on an XP machine it worked successfully. Setting it to 0 will enable write access as well (requires restart both ways).

    However, implementing this as a GPO is giving me trouble. I import this from ADM template:
    CATEGORY "USB Storage Devices"
    POLICY "Write Protect USB Storage"
    KEYNAME "SYSTEM\CurrentControlSet\Control\StorageDevicePol icies"
    VALUENAME "WriteProtect"

    This works when I manually gpupdate /force to the target machine. I have two problems with this. Value can be edited manually and it will not apply this setting as computer boots up. ie If I delete the value then reboot, it will still be gone after restart.

    Can anyone clear this up?

    *edit: There appear to be extra spaces in the middle of words, but it looks normal in the textbox.

  • #2
    Re: locking down Windows XP USB


    When you say edited manually, are you referring to your users? If so, they should be prevented from accessing the registry editor (and there are ways to do this).

    I also have slight memories of a colleague talking about this and how the key would often revert to the denied access once changed. So in other words: once changed, assume you cannot map a drive via usb on that machine again. This was some time ago so may have changed now.


    • #3
      Re: locking down Windows XP USB

      I am testing this on one machine at the moment. When I say that I manually edited it, I mean that I went into my registry and inserted this value to make sure that it does what I want. It did what I want (which is disable write ability to USB drives).


      • #4
        Re: locking down Windows XP USB

        pjustin, just an FYI: You can edit your post by clicking the "Edit" button in the lower right corner of your post. You don't have to make an entirely new thread and abandon the old one.

        Last edited by Nonapeptide; 13th March 2010, 02:16.
        Wesley David
        LinkedIn | Careers 2.0
        Microsoft Certifications: MCSE 2003 | MCSA:Messaging 2003 | MCITP:EA, SA, EST | MCTS: a'plenty | MCDST
        Vendor Neutral Certifications: CWNA
        Blog: || Twitter: @Nonapeptide || GTalk, Reader and Google+: [email protected] || Skype: Wesley.Nonapeptide
        Goofy kitten avatar photo from Troy Snow:


        • #5
          Re: locking down Windows XP USB

          HI pjustin

;en-us;555324 this link should help..It works for me. And Im already implementing it in my active directory.

          Do this in your AD or Local machine
          1. Copy from CLASS MACHINE up to Disabled = "Disabled" then paste to notepad
          2. Save as adm file: select all files > name the template whatever you want and file extension should be .adm ex. Disableusbstor.adm save it to %windir%\inf (C:\Windows\inf)
          3. Open gpedit.msc or GPMC > create a new policy (if in Active Directory no need to create if local GPO)
          4. Under Computer Configuration > Right click Administrative template > Add/remove template > Add > select the .adm that you saved ex. Disableusbstor.adm > Close/Exit
          5. Under Computer Configuration > Expand Administrative Templates > Custom Policy Settings > Right Click Restrict Drives > View > View>Filtering and uncheck the "Only show policy settings that can be fully managed" it will refresh
          6. Go back to Computer Configuration > Custom Policy settings > Restrict Drives > If you did it right you should be able to see setting

          Refer to the image I attached.. Figure1..

          I hope this helps..
          Attached Files
          There is only one way to find Out..Its to try it and/or Do it...