How to Configure USB Device Restriction via Group Policy on Windows Server 2012 R2
Removable storage devices are a common data exfiltration and malware introduction path. USB flash drives, portable hard drives, and other removable media bypass network-level security controls entirely: whatever arrives or leaves on them never crosses a proxy, mail gateway or DLP sensor. Windows Server 2012 R2 provides several Group Policy mechanisms to restrict removable storage, from blocking all removable storage outright, to per-class controls that allow some device classes while blocking others, to read-only access where data may come in but not leave. This guide covers implementing USB restriction policies at both the domain-wide and OU-specific levels.
Prerequisites
- Domain Admin access (or delegated GPO creation and linking rights) and GPMC on a management workstation, with the RSAT GroupPolicy and ActiveDirectory PowerShell modules for the scripted steps
- Windows Server 2012 R2 target servers
- Understanding of the device classes you need to control (USB storage vs. HID devices like keyboards/mice)
- A plan for legitimate exceptions—backup admins who need USB access, for example
Step 1: Understand Removable Storage Policy Options
Windows Server 2012 R2 offers several policy approaches for USB control:
- Removable Storage Access policies — Deny read, write or execute access per device class (removable disks, CD and DVD, floppy, tape, WPD devices), or deny all removable storage classes at once
- Device Installation Restrictions — Prevent installation of device drivers for specific device classes or device hardware IDs
- BitLocker To Go — Allow removable storage only when encrypted with BitLocker
Step 2: Configure Removable Storage Access Policies
Navigate in GPMC to:
Computer Configuration → Administrative Templates → System → Removable Storage Access
Each policy in this folder writes one DWORD under a per-class registry key. A server that has received the policy shows these values, which makes them the quickest way to confirm what actually applied:
# Verify the current state of removable storage policies via registry
# (these are the registry paths that Group Policy writes to; the GUID is the Removable Disks class)
$rsd = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices"
# All Removable Storage classes: Deny all access (Deny_All = 1)
Get-ItemProperty $rsd -ErrorAction SilentlyContinue | Select-Object Deny_All
# Removable Disks: Deny read / write / execute access (Deny_Read, Deny_Write, Deny_Execute = 1)
Get-ItemProperty "$rsd\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}" -ErrorAction SilentlyContinue |
Select-Object Deny_Read, Deny_Write, Deny_Execute
In the GPMC editor, enable the following policies under Removable Storage Access:
- Removable Disks: Deny read access — Enabled (prevents reading files from USB drives; the drive letter may still appear, but opening it fails with access denied)
- Removable Disks: Deny write access — Enabled (prevents writing to USB drives)
- Removable Disks: Deny execute access — Enabled (prevents running programs directly from USB drives; a user who can still read the drive can copy a file locally and run it, so this adds little without Deny read)
- All Removable Storage classes: Deny all access — Enabled only if you want every class blocked (removable disks, CD/DVD, floppy, tape and WPD devices); it overrides all individual class settings, so use either this policy or the per-class ones, not both
Two caveats: "Removable Disks" covers USB flash drives and USB hard disks, but a phone or camera attached in MTP/PTP mode is a WPD device and needs the WPD Devices policies; and the same policies exist under User Configuration, which matters when you need per-user exceptions (Step 4).
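The same Step 2 configuration can be built without clicking through the GPMC editor. The script below is an added example, not code from the original guide: it creates the GPO with the GroupPolicy module, writes the Deny_* values for the chosen storage classes, and reads them back so the GPO contents can be compared with what a server reports after gpupdate. The GPO name is a placeholder, and the class-GUID table is taken from RemovableStorage.admx (verify it against the copy on your management workstation).

```powershell
# Added example (not from the original guide): build the Removable Storage Access
# restriction as a GPO with the GroupPolicy module. GPO name is a placeholder.
Import-Module GroupPolicy

$BaseKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

# Device-class GUIDs the Removable Storage Access policies key on, per RemovableStorage.admx
# (assumption: check against your template). USB flash drives and USB hard disks are
# "Removable Disks"; phones and cameras in MTP/PTP mode are WPD devices.
$StorageClasses = @{
    'Removable Disks' = @{ Guids = @('{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'); Execute = $true }
    'CD and DVD'      = @{ Guids = @('{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'); Execute = $true }
    'Floppy Drives'   = @{ Guids = @('{53f56311-b6bf-11d0-94f2-00a0c91efb8b}'); Execute = $true }
    'Tape Drives'     = @{ Guids = @('{53f5630b-b6bf-11d0-94f2-00a0c91efb8b}'); Execute = $true }
    'WPD Devices'     = @{ Guids = @('{6AC27878-A6FA-4155-BA85-F98F491D4F33}',
                                    '{F33FDC04-D1AC-4E8E-9A30-19BBD4B108AE}'); Execute = $false }
}

function New-RemovableStorageGpo {
    # Creates (or updates) a GPO that denies read, write and, where the template has it,
    # execute on the given classes. -DenyAll instead writes the single
    # "All Removable Storage classes: Deny all access" value, which overrides per-class settings.
    param(
        [Parameter(Mandatory)][string]$Name,
        [string[]]$Class = @('Removable Disks'),
        [switch]$DenyAll
    )
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Name -Comment 'Removable storage restriction (Step 2)' }

    if ($DenyAll) {
        Set-GPRegistryValue -Name $Name -Key $BaseKey -ValueName 'Deny_All' -Type DWord -Value 1 | Out-Null
        return $gpo
    }
    foreach ($c in $Class) {
        if (-not $StorageClasses.ContainsKey($c)) { throw "Unknown storage class '$c'" }
        $values = @('Deny_Read', 'Deny_Write')
        if ($StorageClasses[$c].Execute) { $values += 'Deny_Execute' }
        foreach ($guid in $StorageClasses[$c].Guids) {
            foreach ($v in $values) {
                Set-GPRegistryValue -Name $Name -Key "$BaseKey\$guid" -ValueName $v -Type DWord -Value 1 | Out-Null
            }
        }
    }
    return $gpo
}

function Get-RemovableStorageGpoState {
    # Reads back what the GPO will push, one row per class and value, for comparison with
    # what a server reports under HKLM:\...\RemovableStorageDevices after gpupdate.
    param([Parameter(Mandatory)][string]$Name)
    $rows = @()
    try {
        $all = Get-GPRegistryValue -Name $Name -Key $BaseKey -ValueName 'Deny_All'
        $rows += [pscustomobject]@{ Class = 'All classes'; Value = 'Deny_All'; Data = $all.Value }
    } catch { }   # value absent: "Deny all access" is Not Configured
    foreach ($c in $StorageClasses.Keys) {
        foreach ($guid in $StorageClasses[$c].Guids) {
            try {
                foreach ($e in (Get-GPRegistryValue -Name $Name -Key "$BaseKey\$guid")) {
                    $rows += [pscustomobject]@{ Class = $c; Value = $e.ValueName; Data = $e.Value }
                }
            } catch { }   # key absent: nothing configured for this class
        }
    }
    return $rows
}

# Usage: deny everything on Removable Disks only, leaving CD/DVD, tape and WPD alone, then review
New-RemovableStorageGpo -Name 'USB-Restriction-Servers' | Out-Null
Get-RemovableStorageGpoState -Name 'USB-Restriction-Servers' | Format-Table -AutoSize
```

The GPO is created unlinked; Step 7 links it to the Servers OU. Running Get-RemovableStorageGpoState before and after an edit gives a diffable record of the change, which is useful evidence when the restriction is questioned later.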
Step 3: Configure Device Installation Restrictions
For more granular control at the driver level, use Device Installation Restrictions. These act at installation time: a device that was already installed keeps working unless the prevent policy's "Also apply to matching devices that are already installed" option is ticked. Navigate to:
Computer Configuration → Administrative Templates → System → Device Installation → Device Installation Restrictions
Key policies:
- Prevent installation of removable devices — Enabled (blocks installation of any device whose bus driver reports the Removable capability; this policy takes precedence over every Allow policy in the folder, so it cannot be combined with an allow list)
- Prevent installation of devices not described by other policy settings — Enabled only when you maintain an explicit allow list; it blocks every new device, including keyboards and mice, and potentially the storage-volume device that sits under an allowed disk, so pilot it on a test machine first
- Allow installation of devices that match any of these device IDs — Use this to allow approved devices by hardware ID; a hardware ID identifies a make and model, not one physical unit, so anyone with the same model of drive passes the check
# Find device hardware IDs for whitelisting approved USB devices
# Run on a machine where the approved USB device is connected:
Get-PnpDevice -PresentOnly | Where-Object { $_.Class -eq "DiskDrive" -or $_.Class -eq "USB" } |
Select-Object Status, Class, FriendlyName, InstanceId
# Get the full hardware ID list for a specific device (the instance ID below is an example;
# substitute the InstanceId shown by the command above, backslashes included)
Get-PnpDeviceProperty -InstanceId "USBSTOR\DISK&VEN_SANDISK&PROD_ULTRA&REV_1.00\12345678" -KeyName "DEVPKEY_Device_HardwareIds" |
Select-Object -ExpandProperty Data
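Collecting the IDs by hand and pasting them into the policy dialog does not scale past a couple of drives. The following is an added example, not part of the original guide: it harvests the hardware IDs of every approved USB disk currently attached (the USBSTOR disk and its parent USB device, since the parent must install before the child can enumerate) and writes them into the GPO's allow list. The GPO name is a placeholder, and the registry value names (AllowDeviceIDs, DenyUnspecified, DenyRemovableDevices under HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions) are assumed to be the ones DeviceInstallation.admx writes for the policies named above.

```powershell
# Added example (not from the original guide): harvest hardware IDs of attached USB disks
# and push them into the "Allow installation of devices that match any of these device IDs"
# list of a GPO. GPO name and registry value names are assumptions noted in the lead-in.
Import-Module GroupPolicy

function Get-UsbStorageHardwareIds {
    # One record per attached USBSTOR disk. The parent USB device (USB\VID_xxxx&PID_xxxx)
    # is included because it has to be allowed to install before the USBSTOR child appears.
    $disks = Get-PnpDevice -PresentOnly -Class DiskDrive |
             Where-Object { $_.InstanceId -like 'USBSTOR\*' }
    foreach ($disk in $disks) {
        $ownIds    = (Get-PnpDeviceProperty -InstanceId $disk.InstanceId -KeyName 'DEVPKEY_Device_HardwareIds').Data
        $parentId  = (Get-PnpDeviceProperty -InstanceId $disk.InstanceId -KeyName 'DEVPKEY_Device_Parent').Data
        $parentIds = (Get-PnpDeviceProperty -InstanceId $parentId      -KeyName 'DEVPKEY_Device_HardwareIds').Data
        [pscustomobject]@{
            FriendlyName = $disk.FriendlyName
            InstanceId   = $disk.InstanceId
            # First entry of each list is the most specific (vendor, product, revision);
            # the later entries are progressively more generic and would over-match
            HardwareIds  = @(@($ownIds)[0], @($parentIds)[0])
        }
    }
}

function Set-DeviceInstallAllowList {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string[]]$HardwareIds,
        [switch]$DenyUnspecified   # "Prevent installation of devices not described by other policy settings"
    )
    $base = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

    # "Prevent installation of removable devices" beats every Allow policy, so it must be
    # Not Configured (value removed) when an allow list is in use
    Remove-GPRegistryValue -Name $GpoName -Key $base -ValueName 'DenyRemovableDevices' -ErrorAction SilentlyContinue | Out-Null

    # The policy is a DWORD flag plus numbered string values under a subkey of the same name
    Set-GPRegistryValue -Name $GpoName -Key $base -ValueName 'AllowDeviceIDs' -Type DWord -Value 1 | Out-Null
    $i = 1
    foreach ($id in ($HardwareIds | Sort-Object -Unique)) {
        Set-GPRegistryValue -Name $GpoName -Key "$base\AllowDeviceIDs" -ValueName "$i" -Type String -Value $id | Out-Null
        $i++
    }
    if ($DenyUnspecified) {
        Set-GPRegistryValue -Name $GpoName -Key $base -ValueName 'DenyUnspecified' -Type DWord -Value 1 | Out-Null
    }
}

# Usage: run where the approved drive is plugged in, review the IDs, then push them to the GPO
$approved = Get-UsbStorageHardwareIds
$approved | Format-List
Set-DeviceInstallAllowList -GpoName 'USB-Restriction-Servers' -HardwareIds $approved.HardwareIds
```

Review the list before adding -DenyUnspecified: the allow list only becomes an effective block once that policy is on, and from then on every newly attached device class you have not allowed (keyboards, mice, docking-station NICs) is refused as well. Remember too that the IDs are per model; a per-unit allow list needs a different control, such as BitLocker To Go with organizational identifiers (Step 5).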
Step 4: Create Exception Groups for Authorized USB Users
Some users (backup administrators, forensic analysts) may need legitimate USB access. Before building the exception, note where the Step 2 GPO lives: a Computer Configuration policy is processed with the computer account's token, so security filtering on a group of users has no effect on it. Per-user exceptions therefore need the User Configuration copy of the Removable Storage Access policies (same policy names, written under HKCU) in a GPO linked where the users are, with the exception group denied Apply Group Policy. The computer-side GPO then stays on servers where nobody is exempt and is replaced by the user-side one on servers that authorized users log on to. Create the security group and set the delegation:
Import-Module ActiveDirectory
# Create exception group
New-ADGroup -Name "USB-Authorized-Users" `
-GroupScope Global `
-GroupCategory Security `
-Description "Users authorized to use USB storage devices"
# Add authorized users
Add-ADGroupMember -Identity "USB-Authorized-Users" -Members "BackupAdmin","ForensicAnalyst"
# In GPMC, on the user-side USB restriction GPO:
# Delegation tab → Advanced → Add "USB-Authorized-Users" → tick Deny on "Apply group policy"
# Leave "Authenticated Users" with Read and Apply group policy (the default) so everyone else still gets the restriction
# A Deny entry cannot be created with Set-GPPermission, and a WMI filter cannot test group membership, so this step stays in GPMC
# Members pick up the exemption at their next logon, when a new token is built
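The group, the user-side GPO and a check on the resulting delegation can be scripted together. This is an added example, not code from the original guide. It assumes placeholder group, GPO and OU names; it writes the Removable Disks values under HKCU so that security filtering on a user group has something to act on; and because Set-GPPermission cannot write a Deny entry, the Deny on Apply Group Policy is still set in GPMC, after which Test-UsbExceptionScoping confirms it is in place (this relies on the Denied property that Get-GPPermission reports for such entries).

```powershell
# Added example (not from the original guide): exception group, user-scoped restriction GPO,
# and a check that the delegation matches the intent. Names below are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GroupName = 'USB-Authorized-Users'
$GpoName   = 'USB-Restriction-Users'                 # user-side GPO (placeholder)
$UsersOu   = 'OU=Staff,DC=corp,DC=example,DC=com'    # where the users live (placeholder)

function New-UsbExceptionGroup {
    param([string[]]$Members = @())
    if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
        New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
            -Description 'Users exempt from the removable storage restriction' | Out-Null
    }
    if ($Members) { Add-ADGroupMember -Identity $GroupName -Members $Members }
}

function New-UsbUserRestrictionGpo {
    # Same Removable Disks values as the computer-side GPO, but under HKCU: user policy is
    # evaluated with the logged-on user's token, which is what group-based filtering acts on.
    $key = 'HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
    if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
        New-GPO -Name $GpoName -Comment 'User-scoped removable storage restriction (Step 4)' | Out-Null
    }
    foreach ($v in 'Deny_Read', 'Deny_Write', 'Deny_Execute') {
        Set-GPRegistryValue -Name $GpoName -Key $key -ValueName $v -Type DWord -Value 1 | Out-Null
    }
    # Everyone applies it; the Deny for the exception group is added in GPMC (Delegation → Advanced)
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoApply | Out-Null
    $linked = (Get-GPInheritance -Target $UsersOu).GpoLinks.DisplayName -contains $GpoName
    if (-not $linked) { New-GPLink -Name $GpoName -Target $UsersOu | Out-Null }
}

function Test-UsbExceptionScoping {
    # Ok only when the exception group has an explicit Deny on Apply Group Policy AND
    # Authenticated Users still has Apply. Anything else means either nobody is exempt
    # or, worse, the restriction applies to nobody.
    $perms   = Get-GPPermission -Name $GpoName -All
    $denied  = $perms | Where-Object { $_.Trustee.Name -eq $GroupName -and $_.Permission -eq 'GpoApply' -and $_.Denied }
    $applied = $perms | Where-Object { $_.Trustee.Name -eq 'Authenticated Users' -and $_.Permission -eq 'GpoApply' -and -not $_.Denied }
    [pscustomobject]@{
        Gpo                     = $GpoName
        ExceptionGroupDenied    = [bool]$denied
        AuthenticatedUsersApply = [bool]$applied
        Ok                      = ([bool]$denied -and [bool]$applied)
    }
}

New-UsbExceptionGroup -Members 'BackupAdmin', 'ForensicAnalyst'
New-UsbUserRestrictionGpo
Test-UsbExceptionScoping
```

Run Test-UsbExceptionScoping after the GPMC step and again whenever the group or GPO is touched; an Ok of False is the signal that somebody "tidied" the delegation. The exempt users must still not be covered by the computer-side Step 2 GPO on the machines they use, or the HKLM denial applies regardless of their token.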
Step 5: Configure BitLocker To Go Requirement
Instead of blocking all USB storage, require that removable drives be encrypted with BitLocker To Go before anything can be written to them. This is a write-side control only: an unencrypted drive can still be read unless Removable Disks: Deny read access is enabled as well. Navigate to:
Computer Configuration → Administrative Templates → Windows Components → BitLocker Drive Encryption → Removable Data Drives
- Deny write access to removable drives not protected by BitLocker — Enabled (its sub-option "Do not allow write access to devices configured in another organization" additionally requires the drive's identification field to match the value set under BitLocker Drive Encryption → Provide the unique identifiers for your organization, which is how you keep out drives encrypted elsewhere)
- Control use of BitLocker on removable drives — Enabled, with users allowed to apply BitLocker protection; otherwise nobody can encrypt a drive to satisfy the policy above
- Allow access to BitLocker-protected removable data drives from earlier versions of Windows — Configure based on client OS mix
# Verify BitLocker To Go policy via registry
$regPath = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
if (Test-Path $regPath) {
(Get-ItemProperty $regPath).RDVDenyWriteAccess
# Should be 1 if the policy is applied
}
Step 6: Enable Audit Logging for USB Device Events
Configure audit logging to detect when users access USB devices. Setting it locally with auditpol is fine for a quick test; for production, put the same setting in the GPO under Computer Configuration → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Object Access → Audit Removable Storage, because a domain audit policy overrides local auditpol changes at the next refresh:
# Enable object access auditing for removable storage
auditpol /set /subcategory:"Removable Storage" /success:enable /failure:enable
# Verify
auditpol /get /subcategory:"Removable Storage"
# Monitor USB storage events in the Security log. Removable storage access is logged as
# Event ID 4663 in the "Removable Storage" task category (Task 12812); the Object Type
# field of these events is "File", so filter on the task category, not on ObjectType.
# Expect one event per handle opened, which is noisy: aggregate before alerting.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 500 |
Where-Object { $_.TaskDisplayName -eq 'Removable Storage' } |
Select-Object TimeCreated, Message -First 50
Also monitor the System log for device installation events:
# Monitor device installation events from Microsoft-Windows-UserPnp
# (20001 = driver installed for a newly arrived device, 20003 = service added for it)
Get-WinEvent -LogName System -FilterXPath "*[System[EventID=20001 or EventID=20003]]" -MaxEvents 20 |
Select-Object TimeCreated, Message
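Raw 4663 and 20001 messages are hard to read at volume. The script below is an added example, not part of the original guide: it flattens both event types into one timeline that shows who opened what on a removable drive, with which process and which access rights, next to the moment a new device's driver was installed. It reads the local Security and System logs (pass -Path to Get-WinEvent instead for an exported .evtx); it assumes the 4663 fields SubjectUserName, SubjectDomainName, ObjectName, AccessMask and ProcessName, and the 20001 fields DeviceInstanceID, DriverDescription and InstallStatus, which is how those events are laid out on the systems I have seen but should be checked against a sample event on yours.

```powershell
# Added example (not from the original guide): one timeline from Security 4663
# (Removable Storage task) and System 20001 (UserPnp driver install) events.
# Field names in the comments below are assumptions to verify against a sample event.

function ConvertFrom-EventData {
    # Flattens <EventData><Data Name="x">...</Data></EventData> into a hashtable
    param([Parameter(Mandatory)]$Event)
    $x = [xml]$Event.ToXml()
    $h = @{}
    foreach ($d in $x.Event.EventData.Data) {
        if ($d.Name) { $h[$d.Name] = $d.'#text' }
    }
    return $h
}

function Get-AccessVerbs {
    # Decodes the 4663 AccessMask (hex string such as "0x2") into readable verbs.
    # Bits: 0x1 ReadData, 0x2 WriteData, 0x4 AppendData, 0x20 Execute, 0x10000 DELETE
    param([string]$AccessMask)
    if (-not $AccessMask) { return '?' }
    $mask  = [Convert]::ToInt64($AccessMask, 16)
    $verbs = @()
    if ($mask -band 0x1)     { $verbs += 'Read' }
    if ($mask -band 0x6)     { $verbs += 'Write' }
    if ($mask -band 0x20)    { $verbs += 'Execute' }
    if ($mask -band 0x10000) { $verbs += 'Delete' }
    if (-not $verbs)         { $verbs += ('0x{0:x}' -f $mask) }
    return ($verbs -join '+')
}

function Get-UsbActivityTimeline {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    $rows  = @()

    # 4663 events in the Removable Storage task category (Task 12812): one per handle open
    $access = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } -ErrorAction SilentlyContinue |
              Where-Object { $_.Task -eq 12812 -or $_.TaskDisplayName -eq 'Removable Storage' }
    foreach ($e in $access) {
        $d = ConvertFrom-EventData $e
        $rows += [pscustomobject]@{
            Time    = $e.TimeCreated
            Kind    = 'Access'
            Subject = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Detail  = "$(Get-AccessVerbs $d.AccessMask) $($d.ObjectName) via $($d.ProcessName)"
        }
    }

    # 20001 from Microsoft-Windows-UserPnp: driver installation concluded for a device
    $install = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 20001; StartTime = $since } -ErrorAction SilentlyContinue |
               Where-Object { $_.ProviderName -eq 'Microsoft-Windows-UserPnp' }
    foreach ($e in $install) {
        $d = ConvertFrom-EventData $e
        $rows += [pscustomobject]@{
            Time    = $e.TimeCreated
            Kind    = 'Install'
            Subject = 'SYSTEM'
            Detail  = "$($d.DeviceInstanceID) ($($d.DriverDescription)) status $($d.InstallStatus)"
        }
    }
    return ($rows | Sort-Object Time)
}

# Usage: last 24 hours, grouped view first, then the full timeline
$timeline = Get-UsbActivityTimeline -Hours 24
$timeline | Where-Object Kind -eq 'Access' | Group-Object Subject | Select-Object Count, Name | Sort-Object Count -Descending
$timeline | Format-Table Time, Kind, Subject, Detail -AutoSize -Wrap
```

An Install row for a USBSTOR instance followed within seconds by Write or Delete rows from an interactive user is the pattern to alert on; Read-only rows from a backup account on a known device are the pattern to suppress. Once the Step 2 denies are in place, the same query should show only failed access attempts (audit failure events), which is itself a useful check that the policy holds.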
Step 7: Deploy and Test
# Link the USB restriction GPO to the Servers OU (GroupPolicy module, from the management workstation)
Import-Module GroupPolicy
New-GPLink -Name "USB-Restriction-Servers" -Target "OU=Servers,DC=corp,DC=example,DC=com"
# Force a policy refresh on a target server (run there, from an elevated prompt)
gpupdate /force
# Test on the target server: insert a USB drive and attempt to access it.
# With the Step 2 policies the drive letter may still appear, but reads and writes are denied;
# with Device Installation Restrictions the device is never installed and no letter appears
# Verify the GPO is listed among the applied computer GPOs (needs an elevated prompt)
gpresult /r /scope computer | Select-String "USB-Restriction"
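The manual test above checks one drive by hand. What follows is an added example, not code from the original guide, that turns it into a repeatable check to run on a target server after the refresh: it reads the policy values the GPO should have written (Steps 2 and 5), probes read and write access on every attached removable volume, and confirms the GPO appears in gpresult. It assumes a removable drive is plugged in during the test, an elevated prompt (gpresult /scope computer needs one), and a placeholder GPO name and probe file name.

```powershell
# Added example (not from the original guide): post-deployment verification on a target server.
# GPO name and probe file name are placeholders. Run elevated with a removable drive attached.

function Get-AppliedUsbPolicy {
    # What the server has actually received from Group Policy (HKLM side only)
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    $disk = "$base\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"     # Removable Disks class
    $all  = Get-ItemProperty $base -ErrorAction SilentlyContinue
    $rd   = Get-ItemProperty $disk -ErrorAction SilentlyContinue
    $fve  = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    $denyAll = ($all.Deny_All -eq 1)
    [pscustomobject]@{
        DenyAll                       = $denyAll
        DenyRead                      = $denyAll -or ($rd.Deny_Read -eq 1)
        DenyWrite                     = $denyAll -or ($rd.Deny_Write -eq 1)
        DenyExecute                   = $denyAll -or ($rd.Deny_Execute -eq 1)
        BitLockerDenyWriteUnprotected = ($fve.RDVDenyWriteAccess -eq 1)
    }
}

function Test-RemovableVolumeAccess {
    # DriveType 2 = removable in Win32_LogicalDisk. Tries a directory listing (read) and a
    # create-then-delete of a probe file (write) on each volume and reports the outcome.
    foreach ($v in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2') {
        $root  = $v.DeviceID + '\'
        $probe = Join-Path $root 'usb-policy-probe.txt'   # placeholder file name
        try   { Get-ChildItem -LiteralPath $root -Force -ErrorAction Stop | Out-Null; $read = 'Allowed' }
        catch { $read = 'Denied' }
        try {
            Set-Content -LiteralPath $probe -Value 'probe' -ErrorAction Stop
            Remove-Item -LiteralPath $probe -Force -ErrorAction Stop
            $write = 'Allowed'
        } catch { $write = 'Denied' }
        [pscustomobject]@{ Drive = $v.DeviceID; Label = $v.VolumeName; Read = $read; Write = $write }
    }
}

function Test-UsbRestrictionApplied {
    param([string]$GpoName = 'USB-Restriction-Servers')
    $listed  = (gpresult /r /scope computer) -match [regex]::Escape($GpoName)
    $policy  = Get-AppliedUsbPolicy
    $volumes = @(Test-RemovableVolumeAccess)
    $leak    = $volumes | Where-Object { $_.Read -eq 'Allowed' -or $_.Write -eq 'Allowed' }
    [pscustomobject]@{
        GpoListedByGpresult = [bool]$listed
        Policy              = $policy
        RemovableVolumes    = $volumes
        VolumesProbed       = $volumes.Count
        # Consistent only when policy says deny AND no attached volume let a probe through.
        # With zero volumes attached this is vacuously true, hence the VolumesProbed count.
        Consistent          = ($policy.DenyRead -and $policy.DenyWrite -and -not $leak)
    }
}

Test-UsbRestrictionApplied | Format-List
```

A False in GpoListedByGpresult with the registry values present usually means the values came from a different GPO or a local policy; a True with Allowed probes means the drive was mounted before the policy applied or falls outside the Removable Disks class (see the WPD note in Step 2). To refresh several servers from the management workstation rather than running gpupdate on each, Invoke-GPUpdate -Computer <name> -Force from the GroupPolicy module does the same job.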
Summary
USB device restriction via Group Policy on Windows Server 2012 R2 is a practical data loss prevention (DLP) and malware prevention control. By deploying Removable Storage Access policies that block read, write, and execute access for removable disks, scoping exceptions for authorized users through the user-side policy and its delegation, optionally requiring BitLocker To Go encryption rather than blocking outright, and auditing removable storage access, you have a layered approach to USB storage security. It is one of the controls assessors look for under frameworks such as PCI DSS and HIPAA, though it does not by itself satisfy their data-protection requirements, and it does nothing about non-storage USB devices (network adapters, keystroke-injecting HID devices), which is where the Device Installation Restrictions of Step 3 come in.