Disable USB Ports

brandon220

What is the go-to tool for disabling USB storage access on Win 10 machines? Been wanting to do this for a while but it keeps getting put off. Is Group Policy the best method? I know it can be done there but I am sure there are tools as well.

notverypunny

My gut says that GPO is going to be the preferred option for a domain. In non-domain you'd probably have to go the 3rd party / registry route. There might be some RMM / endpoint control / security products that have this baked in but I'm not aware of anything right off the top of my head.

brandon220

@notverypunny It is on a domain and I'm leaning towards GPO. Never hurts to get input from others though.

RojoLoco

Even if not on a domain, you can edit the local group policy to block USB. Obviously not ideal if you have more than a few systems.

gjacobse

I’m sure the likely need is for USB storage or cell phones-

But does disabling USB differentiate between input devices over storage?

scottalanmiller

@gjacobse said in Disable USB Ports:

I’m sure the likely need is for USB storage or cell phones-

But does disabling USB differentiate between input devices over storage?

No, once a physical port is turned off, it never gets a chance to query the device. It's like asking a person to close their eyes, but then asking them to look to see what they are looking at before deciding what to see... can't work that way.

notverypunny

@gjacobse said in Disable USB Ports:

I’m sure the likely need is for USB storage or cell phones-

But does disabling USB differentiate between input devices over storage?

IIRC you can disable USB mass storage and leave it available for input at the OS level. If you want to disable it completely that would be a BIOS setting... or simply break the physical ports :smiling_face_with_horns:

brandon220

Not disabling the ports completely - Just making them not accept storage devices. I would assume other peripherals and accessories would work as intended.

RojoLoco

@gjacobse said in Disable USB Ports:

I’m sure the likely need is for USB storage or cell phones-

But does disabling USB differentiate between input devices over storage?

I'm pretty sure the GPO setting is to block "mass storage", i.e. thumb drives and phones (detected as mass storage). Mice and keyboards should be unaffected.

Dashrender

@scottalanmiller said in Disable USB Ports:

@gjacobse said in Disable USB Ports:

I’m sure the likely need is for USB storage or cell phones-

But does disabling USB differentiate between input devices over storage?

No, once a physical port is turned off, it never gets a chance to query the device. It's like asking a person to close their eyes, but then asking them to look to see what they are looking at before deciding what to see... can't work that way.

This is likely not what is wanted. Keyboards and mice are almost exclusively USB now... So assuming you have them, the USB ports need to be enabled for that purpose.

Then toss on the fact that some Laptops only charge via USB-C now days.. so you can't disable that feature either.