To USB or not to USB: Removable Storage, Group Policy and Windows Vista

I was thinking this past weekend about what exactly I should blog, specifically about Group Policy. It occurred to me that we have many new policy settings shipping with Windows Vista. There are too many to list individually, so I decided the blog would be a perfect way to introduce the new policy settings included with Windows Vista. Each week will include a new policy setting. As always, we welcome your comments. You can email us at


I decided to start this week with one of the most sought-after policy settings shipping with Vista, Removable Storage. It is a never-ending nightmare to keep users from using removable devices. Key drives, digital cameras, and mp3 players are just a few of the more popular devices appearing around the office. Harmless as they may appear, these devices can wreak havoc on the network (introducing worms or viruses) or, worse, they can pose a threat of compromising intellectual property.


It's time for Group Policy to “lay the smack down” on removable storage by providing 32 policy settings to control it: 16 computer settings and 16 equivalent user settings. The device categories include: CD and DVD, Floppy Drives, Removable Disks (such as key drives), Tape Drives, PAP Devices (such as media player devices), and WPD Devices (includes cell phones, auxiliary displays, and WinCE devices). In addition, there is a policy setting to control classes of custom devices as well as a policy to control ALL removable devices. Each device category may restrict read access, write access, or both. These policy settings are Windows Vista policy settings and apply only to computers running Windows Vista. Have no fear, these policy settings can co-exist in policies that apply to clients earlier than Windows Vista. Operating systems other than Windows Vista will ignore the settings.


You can find these policies under the Removable Storage Access category, under User or Computer Configuration in Group Policy Object Editor (known as GPEDIT), if you have a copy of Windows Vista Beta 2. If you do not have a copy of Windows Vista Beta 2, read more about joining the Windows Vista Customer Preview Program (


NEXT WEEK: New Policy Settings for Event Logs


Mike Stephens, Technical Writer, Group Policy
