
How to prevent users from connecting USB storage devices
To stop users connecting USB storage devices
The following items must be carried out to ensure that the USB storage driver
cannot be accessed. In cases where the USB storage driver has been installed, the
service should be disabled.

• Deny access to usbstor.inf and usbstor.pnf
• Disable the USB storage service

1. Deny Access to usbstor.inf and usbstor.pnf

Open the Group Policy Object and drill down to File System

Computer Configuration -> Windows Settings -> Security Settings -> File System

Right click and select Add File…


Enter %SystemRoot%\inf\usbstor.inf
Click OK

Assign the Deny permissions to Authenticated Users and System

Click OK
Click Yes
Click OK

Carry out the same procedure for %SystemRoot%\inf\usbstor.pnf

2. Disable the USB Storage Service

The Start Dword value must be set to 00000004 (disable) in the registry

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbstor]
"Start"=dword:00000004

To disable this service using Group Policy, create an adm template.

Copy the following section into a text editor and save the file as usbstore.adm

CLASS MACHINE
  CATEGORY !!CATUSBManagement
    POLICY !!POLUSBManagement
      EXPLAIN !!POLUSBManagement_Help
      KEYNAME "System\CurrentControlSet\Services\usbstor"
      PART !!Part00 DROPDOWNLIST
        VALUENAME "Start"
        ITEMLIST
          NAME !!Name00 VALUE NUMERIC 0
          NAME !!Name01 VALUE NUMERIC 1
          NAME !!Name02 VALUE NUMERIC 2
          NAME !!Name03 VALUE NUMERIC 3
          NAME !!Name04 VALUE NUMERIC 4 DEFAULT
        END ITEMLIST
      END PART
    END POLICY
  END CATEGORY

[strings]
CATUSBManagement="USB Management"
POLUSBManagement="USB Storage Service"
POLUSBManagement_Help="Enables the changing of the startup type for the USB Storage Service.\nDisabled should be selected from startup type.\n\nYou should also set permissions on following files:\n\n%SystemRoot%\Inf\Usbstor.pnf\n%SystemRoot%\Inf\Usbstor.inf"
Part00="Startup type"
Name00="Boot"
Name01="System"
Name02="Auto Load"
Name03="Load On Demand"
Name04="Disabled"

As this isn’t quite as simple as setting a Group Policy, more instructions are included below,
detailing how to load the adm template using the Group Policy snap-in.

Add Administrative Template usbstore.adm


Open the Group Policy object that you want to edit.
Console tree, Administrative Templates

In the console tree, right-click Administrative Templates


Click Add/Remove Templates
Add/Remove Templates dialog

Click Add

Browse to template

Browse to the .adm template and open it, then click Close


The adm preference template is added

If you can see the policy\preference, skip the next two screens. If you see
“There are no items to show in this view”, continue with them:

Filtering Menu
Right-click in the left pane, select View, then select Filtering…

Remove Filtering

Deselect\Untick "Only show policy settings that can be fully managed"
Preference Preview

Double click the policy\preference, in this case USB Storage Service

Enable Preference
Select Enabled
Select startup type: Disabled
Click Apply\OK

This is a preference rather than a group policy so it will tattoo the registry:

This registry setting is not stored in a policies key and is thus considered a preference. Therefore,
if the Group Policy Object that implements the setting is ever removed, this setting will remain.
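
To confirm on a client that both settings above have taken effect, the following check can be run from an elevated PowerShell session. It is an added example, not part of the original instructions or the KB articles. The function name Test-UsbStorLockdown is hypothetical, and the check only looks for the presence of a Deny entry, not for which rights it denies.

```powershell
# Added example: audit the two controls described above (run elevated).
# Test-UsbStorLockdown is a hypothetical helper name, not a built-in cmdlet.
function Test-UsbStorLockdown {
    param(
        [string]$ServiceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR',
        [string[]]$DriverFiles = @("$env:SystemRoot\inf\usbstor.inf",
                                   "$env:SystemRoot\inf\usbstor.pnf"),
        # Well-known SIDs: S-1-5-11 = Authenticated Users, S-1-5-18 = SYSTEM
        [string[]]$DeniedSids = @('S-1-5-11', 'S-1-5-18')
    )

    # Control 2: Start must be 4 (Disabled) wherever the driver is installed.
    $svc = Get-ItemProperty -Path $ServiceKey -Name Start -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        # No service key: the driver has not been installed on this machine.
        [pscustomobject]@{ Check = 'USBSTOR Start'; Actual = 'service key absent'; Pass = $true }
    } else {
        [pscustomobject]@{ Check = 'USBSTOR Start'; Actual = $svc.Start; Pass = ($svc.Start -eq 4) }
    }

    # Control 1: each driver file needs a Deny entry for every SID in $DeniedSids.
    foreach ($file in $DriverFiles) {
        try {
            $acl = Get-Acl -LiteralPath $file -ErrorAction Stop
        } catch {
            # Missing file, or an ACL this account cannot read: verify by hand.
            [pscustomobject]@{ Check = $file; Actual = "could not read ACL: $($_.Exception.Message)"; Pass = $false }
            continue
        }
        # Resolve identities to SIDs so the check also works on localized systems.
        $denied = @($acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
            Where-Object { $_.AccessControlType -eq 'Deny' } |
            ForEach-Object { $_.IdentityReference.Value })
        $missing = @($DeniedSids | Where-Object { $denied -notcontains $_ })
        [pscustomobject]@{
            Check  = $file
            Actual = if ($missing) { "no Deny entry for $($missing -join ', ')" } else { 'Deny entries present' }
            Pass   = ($missing.Count -eq 0)
        }
    }
}

Test-UsbStorLockdown | Format-Table -AutoSize -Wrap
```

Because the Start value is tattooed rather than held in a policies key, a passing result here does not show that the Group Policy Object is still linked, only that the value is currently 4.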

A copy of the template used to disable usbstore service can be found here: disable usbstore adm

Adapted from KB823732 KB555324
