Worklet: Disable USB Removable Storage in Windows

This worklet can be used to disable USB removable storage devices in Windows. It has only been tested on Windows 10, and because of the default version of PowerShell on Win 7/8 and Server 2012 and older, I don’t believe it will work on those older operating systems without upgrading PowerShell on them - but haven’t tested. I’d be curious to see if it works on any of the older OSs, so let us know what you find.

Be sure you’re not using this in an environment where GPOs would be fighting this worklet. If you use GPOs in your environment, it’s preferable to control USB removable storage that way and not with a worklet.

The way the worklet is currently written, it checks whether the USB removable storage policy is disabled (access to the removable drive is permitted) and, if so, enables it to lock down the use of USB removable storage. With some tweaking, you can also make it a worklet to reverse the process (disable the policy to allow USB removable storage). You can also tweak it so that it just audits to the Automox activity log which systems have the policy enabled/disabled by setting Evaluation to “Exit 1” and setting $USBPolicy in remediation to “Check”.

Evaluation:

<#

        .SYNOPSIS
        Enable, Disable, or check access to Removable Storage

        .DESCRIPTION
        This is a Powershell script to enable or disable access to Removable Storage.

        USB Removable Storage Policy
        Enabled = Access to the drive is prohibited
        Disabled = Access to the drive is permitted
        Check = Query the status of the policy

        This particular worklet determines if the USB Removable Storage policy is disabled, and if so, remediates to enable it

#>

Function Test-RegistryValue {
     param
     (
         [Object]
         $regkey,

         [Object]
         $name
     )

    $exists = Get-ItemProperty -Path "$regkey" -Name "$name" -ErrorAction SilentlyContinue
    # The value must exist and be set to 1; a missing value or a value of 0 does not deny access
    If (($exists -ne $null) -and ($exists.$name -eq 1)) {
        # The policy is enabled
        Exit 0
    }
    # The policy is disabled and needs to be enabled
    Exit 1
}

Test-RegistryValue -regkey 'HKLM:\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}' -Name 'Deny_Read'

Remediation:

<#

        .SYNOPSIS
        Enable, Disable, or check access to Removable Storage

        .DESCRIPTION
        This is a Powershell script to enable, disable, or check access to Removable Storage.

        Enable = Enable the policy for Removable Storage, access to the drive is prohibited
        Disable = Disable the policy for Removable Storage, access to the drive is permitted
        Check = Query the status of the policy
       
#>

# What do you want to do with the policy: Enable, Disable, Check
$USBPolicy = 'Enable'

Function Test-RegistryValue {
     param
     (
         [Object]
         $regkey,

         [Object]
         $name
     )

    $exists = Get-ItemProperty -Path "$regkey" -Name "$name" -ErrorAction SilentlyContinue
    # The value must exist and be set to 1; a missing value or a value of 0 does not deny access
    If (($exists -ne $null) -and ($exists.$name -eq 1)) {
        Return Write-Output 'The policy is currently Enabled'
    }
    Return Write-Output 'The policy is currently Disabled'
}

Function Create-RegistryValue {
     param
     (
         [Object]
         $regkey,

         [Object]
         $name
     )
    $exists = Test-Path $regkey
    if (!$exists) {
        # Create the key that was passed in rather than a hard-coded path
        New-Item -Path $regkey -Force | Out-Null
    }
    New-ItemProperty -Path $regkey -Name $name -Value 1 -PropertyType 'DWord' -Force | Out-Null
}

Function Delete-RegistryValue {
     param
     (
         [Object]
         $regkey
     )
     $exists = Test-Path $regkey
    if ($exists) {
        Remove-Item -Path $regkey -Recurse -Force | Out-Null
    }
}

If ($USBPolicy -eq 'Enable') { 
    Create-RegistryValue -regkey 'HKLM:\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}' -Name 'Deny_Read'
    Create-RegistryValue -regkey 'HKLM:\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}' -Name 'Deny_Write'
    Write-Output 'Policy is now set to Enabled...' 
} 
Elseif ($USBpolicy -eq 'Disable') {
    Delete-RegistryValue -regkey 'HKLM:\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
    Write-Output 'Policy is now set to Disabled...'
} 
Elseif ($USBpolicy -eq 'Check') {
    Test-RegistryValue -regkey 'HKLM:\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}' -Name 'Deny_Read'
}
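
The audit-only use described above (Evaluation set to “Exit 1”, remediation only reporting) can go a step further and report both values the worklet writes. The following is an added example, not part of the original worklet: the function name Get-RemovableStoragePolicyState and the 'Partial' state are assumptions made for illustration. It only reads the registry and changes nothing.

```powershell
# Added example: read-only audit of the removable-disk policy key used by this worklet.
# Get-RemovableStoragePolicyState and the 'Partial' state are illustrative names (assumptions).
$PolicyKey = 'HKLM:\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

Function Get-RemovableStoragePolicyState {
    param
    (
        [string]
        $RegKey = $PolicyKey
    )

    # Read each value the remediation script writes; $null means the value is absent
    $values = [ordered]@{}
    foreach ($name in 'Deny_Read', 'Deny_Write') {
        $prop = Get-ItemProperty -LiteralPath $RegKey -Name $name -ErrorAction SilentlyContinue
        if ($null -ne $prop) { $values[$name] = $prop.$name } else { $values[$name] = $null }
    }

    # A value only denies access when it is present and set to 1
    $denied = @($values.Keys | Where-Object { $values[$_] -eq 1 })

    if ($denied.Count -eq 2)     { $state = 'Enabled' }   # read and write both prohibited
    elseif ($denied.Count -eq 0) { $state = 'Disabled' }  # access to the drive is permitted
    else                         { $state = 'Partial' }   # only one of the two values is set

    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        State      = $state
        Deny_Read  = $values['Deny_Read']
        Deny_Write = $values['Deny_Write']
    }
}

# Emit a single line so the result is easy to read in the activity log
$result = Get-RemovableStoragePolicyState
Write-Output ('{0}: removable storage policy is {1} (Deny_Read={2}, Deny_Write={3})' -f `
    $result.Computer, $result.State, $result.Deny_Read, $result.Deny_Write)
Exit 0
```

A 'Partial' result means the key exists but only one of Deny_Read or Deny_Write is set to 1, which the single Deny_Read check would not reveal.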