How to Disable USB Ports in Windows Using Group Policy
By CtrlOne Team ·
USB storage is convenient - and that is exactly the problem. A single flash drive can carry sensitive files out of the building or bring malware in, without touching the network. Disabling USB access is one of the first controls most IT teams reach for, and Group Policy is the classic way to do it. Here is how the Group Policy method works, the registry setting underneath it, and where it starts to fall short.

Why organizations disable USB storage
The goal is rarely to break every USB device - keyboards and mice still need to work. What teams want to stop is removable storage: flash drives and external disks that can copy data off a machine or introduce unapproved files. Blocking that one class closes a major data-loss and malware path while leaving normal peripherals alone.
Disabling USB storage with Group Policy
On a domain, the built-in path is the 'Removable Storage Access' policies. In the Group Policy Editor you navigate to Computer Configuration → Administrative Templates → System → Removable Storage Access and enable 'All Removable Storage classes: Deny all access', or the read/write-specific variants. Applied to an OU, the policy pushes to every machine in scope at the next refresh.
- Open the Group Policy Management Console and edit a GPO.
- Go to Computer Configuration → Administrative Templates → System → Removable Storage Access.
- Enable 'Removable Disks: Deny write access' or 'Deny all access'.
- Link the GPO to the right OU and let it apply at the next refresh.
The registry setting underneath it
Group Policy ultimately writes registry values. The classic manual equivalent is setting the USBSTOR service Start value under HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR to 4 (disabled). Editing the registry directly works on machines that are not domain-joined, but it is fragile: it is easy to mistype, easy for a local admin to reverse, and hard to track across many machines.
Where the Group Policy approach falls short
The built-in method is blunt. It tends to be all-or-nothing, it depends on a domain and Active Directory, and it does little for laptops that spend most of their time off the corporate network. A user with local admin rights can undo it, and there is no easy central proof of which machines are actually enforcing the block right now.
- All-or-nothing rather than per device-class control.
- Requires domain join and regular policy refresh.
- Reversible by a determined local admin.
- Little coverage for remote or offline devices.
A granular, managed alternative
CtrlOne enforces USB control as a managed restriction rather than a one-off registry edit. You can allow or deny by device class - permit keyboards and mice while blocking removable storage - apply the rule across the whole fleet from one console, and keep enforcement tamper-resistant so it survives reboots and offline periods. Because it does not rely on a domain, it covers remote laptops the same way it covers office desktops.
Frequently asked questions
How do I disable USB in Windows with Group Policy?
On a domain, edit a GPO and enable the Removable Storage Access policies under Computer Configuration → Administrative Templates → System → Removable Storage Access - for example 'All Removable Storage classes: Deny all access' - then link the GPO to the correct OU.
Does disabling USB storage also block my keyboard and mouse?
No, if you target the removable-storage class specifically. The goal is to block flash drives and external disks while leaving input devices and other approved peripherals working normally, which is why per-class control matters.
Can users undo a USB block set through Group Policy?
A user with local administrator rights can often reverse a registry-based or Group Policy setting, and offline laptops may not receive the policy at all. Tamper-resistant, centrally enforced device control avoids both gaps.
Control USB the granular way
See how CtrlOne blocks removable storage by device class across every machine - no domain required.