
How to Restrict USB Access to Specific Devices on Windows

Learn how to configure your Windows PC to accept only a specific USB external drive and block all other devices using Group Policy Editor or Registry Editor.

Problem

If you need to collect data from your customers through an external storage device, such as a USB flash drive, you might want to restrict access to a single device provided by your company. This way, you can prevent unauthorized data transfer or malware infection from other external drives. In this article, we will show you how to configure your Windows PC to accept only a specific USB external drive and block all other devices using two methods: Group Policy Editor and Registry Editor.

Method 1: Using Group Policy Editor

Group Policy Editor is a Windows feature that allows you to manage the settings of your computer and network. You can use it to create a policy that will only allow a specific USB external drive to be accessed by your PC and deny all other devices. Here are the steps to follow:

  1. Connect the USB external drive that you want to allow to your PC and note down its device ID. You can find the device ID by going to Device Manager, expanding the Disk drives section, right-clicking on your USB drive, and selecting Properties. Then, go to the Details tab and select Device Instance Path from the Property drop-down menu. The device ID is the string that starts with USBSTOR\ and ends with a combination of letters and numbers.
  2. Press Windows + R keys to open the Run dialog box and type gpedit.msc and click OK. This will open the Group Policy Editor window.
  3. In the left pane, navigate to Computer Configuration > Administrative Templates > System > Removable Storage Access. In the right pane, double-click on Removable Disks: Deny execute access and select Enabled. Then, click on Show next to Options and enter the device ID of your USB external drive in the Value name field and 0 in the Value field. Click OK to save the changes.
  4. Repeat the same steps for Removable Disks: Deny read access and Removable Disks: Deny write access policies. This will block all other USB external drives from executing, reading, or writing data on your PC, except for the one that you specified.
  5. Restart your PC for the changes to take effect.
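
To check the result of the steps above from an elevated PowerShell prompt, the following added example (not part of the original article) lists the Device Instance Path of each attached USB disk and reports the three Removable Disks policy values. The function names are hypothetical, and the registry path is the location these policies are stored in, which the article does not quote.

```powershell
# Added example: report attached USB disks and the Removable Disks deny policies.

# Registry key written by the "Removable Disks: Deny ..." policies.
# The GUID is the removable-disk device class (not quoted in the article).
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

# Step 1 equivalent: Device Instance Path of every USB disk currently present.
function Get-UsbStorInstance {
    Get-PnpDevice -Class DiskDrive -PresentOnly |
        Where-Object { $_.InstanceId -like 'USBSTOR\*' } |
        Select-Object FriendlyName, InstanceId, Status
}

# Steps 3-4 check: state of Deny_Execute, Deny_Read and Deny_Write.
function Get-RemovableDiskPolicy {
    foreach ($name in 'Deny_Execute', 'Deny_Read', 'Deny_Write') {
        $value = $null
        if (Test-Path -LiteralPath $PolicyKey) {
            $item  = Get-ItemProperty -LiteralPath $PolicyKey -Name $name -ErrorAction SilentlyContinue
            $value = $item.$name
        }

        $state = if ($null -eq $value) { 'Not configured' }
                 elseif ($value -eq 1) { 'Enabled (access denied)' }
                 else                  { "Value $value" }

        [pscustomobject]@{ Policy = $name; State = $state }
    }
}

Get-UsbStorInstance     | Format-Table -AutoSize
Get-RemovableDiskPolicy | Format-Table -AutoSize
```

Run it after the restart in step 5, once with the approved drive attached and once with a different drive, and confirm that access to each behaves as intended.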

Method 2: Using Registry Editor

Registry Editor is another Windows tool that allows you to modify the settings of your system and applications. You can use it to create a registry key that will only allow a specific USB external drive to be accessed by your PC and block all other devices. Here are the steps to follow:

  1. Connect the USB external drive that you want to allow to your PC and note down its device ID as explained in the previous method.
  2. Press Windows + R keys to open the Run dialog box and type regedit and click OK. This will open the Registry Editor window.
  3. In the left pane, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR. Under this key, you will see a subkey with the same name as your device ID. Right-click on it and select Permissions. Then, click on Advanced and change the owner to Administrators. Click OK to save the changes.
  4. Right-click on the same subkey again and select New > DWORD (32-bit) Value. Name it Deny_Execute and set its value to 0. This will allow your USB external drive to execute data on your PC.
  5. Repeat the same steps for Deny_Read and Deny_Write values. This will allow your USB external drive to read and write data on your PC.
  6. Go back to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR and right-click on it. Select New > Key and name it DeviceHackFlags. Under this key, create a new DWORD (32-bit) Value with the same name as your device ID and set its value to 10000000 in hexadecimal. This will block all other USB external drives from accessing your PC, except for the one that you specified.
  7. Restart your PC for the changes to take effect.
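
The USBSTOR key used in the steps above also records every USB storage device the PC has enumerated, which makes it a convenient audit source. The following added example (not part of the original article) walks that key and flags any device other than the approved one; the function name and the approved ID shown are constructed placeholders.

```powershell
# Added example: compare every device recorded under Enum\USBSTOR
# with one approved Device Instance Path.

# Constructed placeholder; replace with the Device Instance Path noted in step 1.
$ApprovedInstanceId = 'USBSTOR\Disk&Ven_EXAMPLE&Prod_DRIVE&Rev_1.00\0123456789AB&0'
$EnumRoot = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'

function Get-UsbStorHistory {
    param([string]$Approved = $ApprovedInstanceId)

    # The key is absent if no USB storage device has ever been enumerated.
    if (-not (Test-Path -LiteralPath $EnumRoot)) { return }

    # Layout: USBSTOR\<Disk&Ven_..&Prod_..&Rev_..>\<serial>&<n>
    foreach ($model in Get-ChildItem -LiteralPath $EnumRoot) {
        foreach ($instance in Get-ChildItem -LiteralPath $model.PSPath) {
            $instanceId = 'USBSTOR\{0}\{1}' -f $model.PSChildName, $instance.PSChildName

            # Split "Ven_X&Prod_Y&Rev_Z" into named fields.
            $fields = @{}
            foreach ($part in $model.PSChildName -split '&') {
                $k, $v = $part -split '_', 2
                if ($v) { $fields[$k] = $v }
            }

            [pscustomobject]@{
                Vendor     = $fields['Ven']
                Product    = $fields['Prod']
                Revision   = $fields['Rev']
                Serial     = ($instance.PSChildName -split '&')[0]
                # '&' as the second character means Windows generated the ID
                # because the device reports no serial number of its own.
                HasSerial  = ($instance.PSChildName[1] -ne '&')
                Approved   = ($instanceId -eq $Approved)   # case-insensitive
                InstanceId = $instanceId
            }
        }
    }
}

Get-UsbStorHistory | Sort-Object Approved | Format-Table -AutoSize
```

Rows with Approved set to False are devices other than the approved drive that have been connected at some point; a drive with HasSerial set to False cannot be told apart from others of the same model by its ID.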

Frequently Asked Questions (FAQs)

Question: How can I undo the changes that I made using Group Policy Editor or Registry Editor?

Answer: To undo the changes that you made using Group Policy Editor, you can simply go back to the policies that you modified and select Not Configured instead of Enabled. To undo the changes that you made using Registry Editor, you can delete the values and keys that you created under USBSTOR.

Question: How can I find out the device ID of other USB external drives that I want to allow or block?

Answer: You can find out the device ID of other USB external drives by connecting them to your PC and following the same steps as explained in the first method.

Question: How can I apply the same settings to multiple PCs in a network?

Answer: You can apply the same settings to multiple PCs in a network by using the Group Policy Management Console (GPMC) or the Local Group Policy Object (LGPO) tool. You can find more information about these tools on the Microsoft website.

Summary

In this article, we showed you how to configure your Windows PC to accept only a specific USB external drive and block all other devices using two methods: Group Policy Editor and Registry Editor. This can help you to collect data from your customers securely and prevent unauthorized data transfer or malware infection from other external drives. We hope you found this article helpful and informative.

Disclaimer: This article is for informational purposes only and does not constitute professional advice. We are not responsible for any damage or loss that may result from following the instructions in this article. Always back up your data and system before making any changes to your PC. Use these methods at your own risk.