Skip to content

USB Controls

⚠ Note: We do not currently support the enforcement of a USB device policy in the SenseOn platform. This does not affect our ability to detect malware or suspicious activity from USB devices. The restriction of USB removable media is a simple task using Active Directory and this guide can help you configure it.

Configuring USB Controls Using Active Directory (AD) Group Policy Objects (GPO)

This guide provides step-by-step instructions on how to configure USB controls using Group Policy in Active Directory.

Prerequisites

Before proceeding, ensure you have the following:

  • Administrative privileges on the domain controller.
  • Access to the Group Policy Management Console (GPMC).

Step 1: Open Group Policy Management

  1. Log in to your domain controller.
  2. Open Group Policy Management by typing gpmc.msc in the Run dialog (Win + R) and pressing Enter.

Run

Step 2: Create a New Group Policy Object (GPO)

  1. In the Group Policy Management window, navigate to the organizational unit (OU) where you want to apply the policy.
  2. Right-click on the Organisational Unit (OU) and select Create a GPO in this domain, and Link it here….
  3. Name the new Group Policy Object (GPO), for example, USB Control Policy, and click OK.

Edit GPO

Step 3: Edit the GPO

  1. Right-click the newly created GPO and select Edit.
  2. The Group Policy Management Editor will open.

Create GPO

Step 4: Configure USB Device Restrictions

Option 1: Disable All Removable Storage Devices

To prevent USB storage devices from being used entirely:

  1. Navigate to Computer Configuration > Policies > Administrative Templates > System > Removable Storage Access.
  2. In the right pane, find and double-click All Removable Storage classes: Deny all access.
  3. Set the policy to Enabled and click OK.

Create GPO

Option 2: Disable specific read/write/execute functions for USB devices.

To specifically disable read/write/execute functionality for USB devices:

  1. Navigate to Computer Configuration > Policies > Administrative Templates > System > Removable Storage Access.
  2. In the right pane, find and double-click Removable Disks: Deny (read/write/execute) depending on the desired function to restrict.
  3. Set the policy to Enabled and click OK.

Create GPO

Step 5: Apply the GPO

  1. Close the Group Policy Management Editor.
  2. Ensure that the new GPO is linked to the correct OU.
  3. To apply the policy immediately, you can run the following command on target machines: 
    gpupdate /force

Step 6: Verify the Policy

  1. Log in to a machine within the OU where the policy was applied.
  2. Use the gpresult /r command to verify that the policy is applied on the target machine.
  3. Check the functionality of USB devices to ensure the policy is working as expected.

Check GP

Troubleshooting

  • Ensure that the GPO is correctly linked to the OU containing the target computers.
  • Check for any conflicting policies that might override the USB control settings.