USB Control & Device Lockdown Software

CtrlOne gives you specialist control over the USB port. Allow the keyboards, mice, and printers people need while blocking thumb drives, phones, and cameras - then set mass storage to off, read-only, or fully blocked across your entire Windows fleet from one web console.

What is USB control?

USB control is the practice of deciding, precisely and centrally, what can plug into the USB ports on a managed computer. The port is deliberately universal, which is exactly why it is a leak risk: a single flash drive can copy gigabytes of data out in seconds, a phone in MTP mode looks and behaves like a drive, and a rogue human-interface device can inject keystrokes without a user noticing. The goal of USB control is to keep the legitimate peripherals working while shutting down the storage and impersonation paths that carry data out of the organization or bring threats in.

CtrlOne makes the USB port a policy you manage from a web console rather than a setting on each machine. A lightweight, tamper-proof agent runs as a protected system service on every Windows 10 and Windows 11 PC and checks in about every 30 seconds. Its USB module goes deeper than a single on/off switch: per-class allow/deny lets you permit keyboards, mice, and printers while denying mass storage, cameras, MTP phones, network adapters, or HID, and the rule is applied before the device enumerates so an unauthorized class never comes online. That granularity means you can secure the data path without turning working USB ports into dead ports.

For removable storage specifically, CtrlOne provides three modes - off, read-only, or block. Read-only flips the write-protect flag immediately on already-mounted volumes so files can't be copied to a stick that is plugged in right now, while block prevents new mass-storage devices from mounting at all; charge-only power and input devices are unaffected either way. Because enforcement is carried by the agent, these rules hold when a laptop is off the network and fail closed after a configurable offline window, so USB protection can't be bypassed by simply unplugging from corporate Wi-Fi. Policies are versioned with one-click rollback and recorded in a tamper-evident audit log. This page focuses specifically on USB; for cameras, Bluetooth, and other peripherals, see the broader device-control solution.

Why control USB with CtrlOne

  • Close the thumb-drive leak - Block or read-only USB mass storage so employees and contractors can't copy sensitive files onto a stick and walk them out the door, whether the intent is careless or deliberate.
  • Keep input devices working - Per-class allow/deny permits keyboards, mice, and printers while denying storage and cameras, so lockdown never means unusable USB ports or a flood of accessory support tickets.
  • Read-only when block is too strict - Let approved drives mount for reading while preventing every write, striking a balance between usability and data protection where people still need to pull files in but never push them out.
  • Stop phone and camera sideloading - Deny MTP/PTP so Android phones, iPhones in transfer mode, and digital cameras won't enumerate as data devices over USB, while charge-only power delivery still works.
  • Fleet-wide from one console - Set a USB policy once and push it to hundreds of Windows PCs from any browser, with no per-machine registry edits to babysit and no need to touch each machine.
  • Tamper-proof and offline-safe - The protected agent blocks documented disable vectors and fails closed after an offline window, so USB rules can't be dodged by rebooting, unplugging, or leaving the network.
CtrlOne USB policy blocking storage across managed Windows PCs
Concept illustration: per-class USB rules and storage modes enforced across a managed Windows fleet.
CtrlOne USB control console overview
Concept visual: one console defines the USB policy that the tamper-proof agent enforces on every endpoint.

USB control features

  • Three-mode mass-storage control - Choose off, read-only, or block for USB storage. Read-only sets write-protect on mounted volumes so nothing can be copied to them; block stops new sticks from mounting at all.
  • Per-class allow / deny - Allow keyboards, mice, and printers while denying storage, cameras, MTP, network adapters, or HID, with the rule applied before enumeration so a blocked class never comes online.
  • Instant read-only enforcement - Read-only mode flips the WriteProtect flag on already-mounted volumes immediately, so a drive that is plugged in right now can't be written to without waiting for a reboot.
  • Block MTP/PTP phones & cameras - Stop the portable-device enumerator so phones and cameras in transfer mode refuse to appear as browsable storage over USB while still drawing charge power.
  • Full USB storage disable - Reconfigure the mass-storage driver so flash drives, external HDDs, and SSDs are blocked while keyboards, mice, headsets, and printers keep working normally.
  • Survives reboot and replug - USB policy persists across restarts and reconnects, so a user can't clear a block simply by rebooting or unplugging and plugging the device back in.
  • Auto-scheduled USB windows - Use the auto-scheduler to apply and lift USB restrictions on a daily time window automatically, matching shifts, class periods, or after-hours lockdown.
  • Fleet policy templates - Bake USB rules into Kiosk Lockdown, Office Baseline, or Lab / Classroom templates, then version and roll them back with one click if a change causes trouble.

Who uses CtrlOne USB control

  • Call centers & BPOs - Block thumb drives and phone transfers on shared agent PCs so customer records can't be copied out through the USB port during or between shifts.
  • Finance & legal teams - Enforce read-only or blocked storage on workstations handling regulated data to reduce insider exfiltration risk without disrupting daily workflows.
  • Healthcare workstations - Prevent copying of patient data to removable media while keeping approved scanners, keyboards, and label printers functional at the point of care.
  • Manufacturing & OT - Restrict shop-floor and control PCs to a known set of USB peripherals and stop unauthorized storage from ever mounting on sensitive equipment.
  • Schools & labs - Keep students from plugging personal drives or phones into shared lab computers while allowing the lab's own keyboards and mice.

CtrlOne vs Group Policy USB blocking

CapabilityCtrlOneGroup Policy USB block
Central web consoleYes - one policy for the fleetGPMC plus domain join required
Per-class allow / denyAllow input, deny storage and camerasMostly all-or-nothing by device ID
Read-only storage modeOne toggle, applied to mounted volumesManual registry write-protect
Block MTP phonesBuilt-in class denyExtra device-install rules to craft
Off-network devicesEnforced anywhere, fails closedNo refresh until back on domain
Tamper resistanceProtected agent blocks disable vectorsLocal admin can edit or revert
RollbackVersioned, one-clickManual GPO history at best

USB control FAQs

Can I block USB drives but keep keyboards and mice working?

Yes. Per-class allow/deny permits keyboards, mice, and printers while denying storage, cameras, MTP, network adapters, or HID. The rule applies before the device enumerates, so allowed input devices are never affected while blocked classes never come online.

What is the difference between read-only and block for USB storage?

Read-only lets a drive mount but sets the write-protect flag so nothing can be copied to it, while block keeps new mass-storage devices from mounting at all. Read-only takes effect immediately on volumes that are already plugged in, so you don't have to wait for a reboot.

Does this stop data going out through a phone in MTP mode?

Yes. You can deny the MTP/PTP class so Android phones, iPhones in transfer mode, and digital cameras won't enumerate as browsable storage over USB, while charge-only power delivery still works so the phone can top up.

Can a user bypass the block by rebooting or unplugging?

No. USB policy persists across reboots and replugs, and the tamper-proof agent blocks documented disable vectors, so clearing a block requires a policy change made from the console by an authorized operator.

Does USB control work when the laptop is off the corporate network?

Yes. Enforcement lives in the agent, so USB rules hold offline and fail closed after a configurable window, unlike domain Group Policy that only refreshes once the device is back on the network.

How quickly does a USB policy change reach devices?

Changes are queued in the console and picked up on the next agent check-in, typically within about 30 seconds, so tightening a rule across the fleet takes effect almost immediately.

Shut down USB data leaks on Windows

See how CtrlOne combines per-class allow/deny with off, read-only, and block storage modes, all enforced by a tamper-proof agent. Explore the full feature catalogue or get in touch for a walkthrough.