Worklet: Disable USB Removable Storage in Windows

This worklet can be used to disable USB remote storage devices in Windows. It has only been tested on Windows 10, and because of the default version of PowerShell on Win 7/8 and Server 2012 and older, I don’t believe it will work on those older operating systems without upgrading PowerShell on them - but haven’t tested. I’d be curious to see if it works on any of the older OSs, so let us know what you find.

Be sure you’re not using this in an environment where GPOs would be fighting this worklet. It’s preferable if you use GPOs in your environment that you control USB remote storage that way and not with a worklet.

The way the worklet is currently written, it will check to see if the USB removable storage policy is disabled (access to the removable drive is permitted) and enables it to lock down the use of USB removable storage. With some tweaking, you can also make it a worklet to reverse the process (disable the policy to allow USB removable storage). You can also tweak it so that it just audits to the Automox activity log what systems have the policy enabled/disabled by setting Evaluation to “Exit 1” and set $USBPolicy in remediation to “Check”.

Evaluation:

<#





        .SYNOPSIS


        Enable, Disable, or check access to Removable Storage





        .DESCRIPTION


        This is a Powershell script to enable or disable access to Removable Storage.





        USB Removable Storage Policy


        Enabled = Access to the drive is prohibited


        Disabled = Access to the drive is permitted


        Check = Query the status of the policy





        This particular worklet determines if the USB Removable Storage policy is disabled, and if so, remediates to enable it





#>





Function Test-RegistryValue {


     param


     (


         /Object]


         $regkey,





         /Object]


         $name


     )





    $exists = Get-ItemProperty -Path "$regkey" -Name "$name" -ErrorAction SilentlyContinue


    If (($exists -ne $null) -and ($exists.Length -ne 0)) {


        # The policy is enabled


        Exit 0


    }


    # The policy is disabled and needs to be enabled


    Exit 1


}





Test-RegistryValue -regkey 'HKLM:\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}' -Name 'Deny_Read'

Remediation:

<#





        .SYNOPSIS


        Enable, Disable, or check access to Removable Storage





        .DESCRIPTION


        This is a Powershell script to enable, disable, or check access to Removable Storage.





        Enable = Enable the policy for Removable Storage, access to the drive is prohibited


        Disable = Disable the policy for Removable Storage, access to the drive is permitted


        Check = Query the status of the policy


       


#>





# What do you want to do with the policy: Enable, Disable, Check


$USBPolicy = 'Enable'





Function Test-RegistryValue {


     param


     (


         /Object]


         $regkey,





         /Object]


         $name


     )





    $exists = Get-ItemProperty -Path "$regkey" -Name "$name" -ErrorAction SilentlyContinue


    If (($exists -ne $null) -and ($exists.Length -ne 0)) {


        Return Write-Output 'The policy is currently Enabled'


    }


    Return Write-Output 'The policy is currently Disabled'


}





Function Create-RegistryValue {


     param


     (


         /Object]


         $regkey,





         /Object]


         $name


     )


    $exists = Test-Path $regkey


    if (!$exists) {


        New-Item -Path 'HKLM:\Software\Policies\Microsoft\Windows\RemovableStorageDevices' -Name '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}' -Force | Out-Null


    }


    New-ItemProperty -Path $regkey -Name $name -Value 1 -PropertyType 'DWord' -Force | Out-Null


}





Function Delete-RegistryValue {


     param


     (


         /Object]


         $regkey


     )


     $exists = Test-Path $regkey


    if ($exists) {


        Remove-Item -Path $regkey -Recurse -Force | Out-Null


    }


}





If ($USBPolicy -eq 'Enable') { 


    Create-RegistryValue -regkey 'HKLM:\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}' -Name 'Deny_Read'


    Create-RegistryValue -regkey 'HKLM:\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}' -Name 'Deny_Write'


    Write-Output 'Policy is now set to Enabled...' 


} 


Elseif ($USBpolicy -eq 'Disable') {


    Delete-RegistryValue -regkey 'HKLM:\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'


    Write-Output 'Policy is now set to Disabled...'


} 


Elseif ($USBpolicy -eq 'Check') {


    Test-RegistryValue -regkey 'HKLM:\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}' -Name 'Deny_Read'


}

Be the first to reply!

Reply

Sign up

Login to the community

Scanning file for viruses.

This file cannot be downloaded