wrote a script for a customers network administrator to enable and disable access to removable storage. In the example below I used the registry keys for the Removable Disks: Deny write access and Removable Disks: Deny read access Group Policy Objects. It is easier to fix this with Group Policy if the computers are domain joined, you can set the policy in Computer Configuration > Administrative Templates > System > Removable Storage Access.
Note: The script below is only tested on Windows 10, version 1511. Use it as reference for your own environment.
<#
.SYNOPSIS
Enable or Disable access to Removable Storage
.DESCRIPTION
This is a simple Powershell script to enable or disable access to Removable Storage.
It make use of the following two policies:
- http://gpsearch.azurewebsites.net/#7963
- http://gpsearch.azurewebsites.net/#7965
.PARAMETER Check
Query the status of the policy
.PARAMETER Disable
Disable the policy for Removable Storage, access to the drive is permitted
.PARAMETER Enable
Enable the policy for Removable Storage, access to the drive is prohibited
.PARAMETER Query
Query the status of the policy
.EXAMPLE
Query the status of the policy
PS C:\> .\Block-USB.ps1 -Check
The policy is Disabled...
.EXAMPLE
Disable the policy
PS C:\> .\Block-USB.ps1 -Disable
Policy is set to Disabled...
.EXAMPLE
Enable the policy
PS C:\> .\Block-USB.ps1 -Enable
Policy is set to Enabled...
.EXAMPLE
Query the status of the policy
PS C:\> .\Block-USB.ps1 -Query
The policy is Disabled...
.NOTES
Author: Branko Vucinec
Blog : https://blog.brankovucinec.com/
.LINK
https://blog.brankovucinec.com/
#>
#Requires -Version 5 -RunAsAdministrator
[CmdletBinding()]
Param(
[Switch]$Check,
[Switch]$Disable,
[Switch]$Enable,
[Switch]$Query)
Function Test-RegistryValue {
param
(
[Object]
$regkey,
[Object]
$name
)
$exists = Get-ItemProperty -Path "$regkey" -Name "$name" -ErrorAction SilentlyContinue
If (($exists -ne $null) -and ($exists.Length -ne 0)) {
Return Write-Host 'The policy is Enabled...' -BackgroundColor Green -ForegroundColor Black
}
Return Write-Host 'The policy is Disabled...' -BackgroundColor Green -ForegroundColor Black
}
Function Create-RegistryValue {
param
(
[Object]
$regkey,
[Object]
$name
)
$exists = Test-Path $regkey
if (!$exists) {
New-Item -Path 'HKLM:\Software\Policies\Microsoft\Windows\RemovableStorageDevices' -Name '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}' -Force | Out-Null
}
New-ItemProperty -Path $regkey -Name $name -Value 1 -PropertyType 'DWord' -Force | Out-Null
}
Function Delete-RegistryValue {
param
(
[Object]
$regkey
)
$exists = Test-Path $regkey
if ($exists) {
Remove-Item -Path $regkey -Recurse -Force | Out-Null
}
}
if (($Enable) -and ($Disable)) {
Write-Host 'It is not possible to use the parameter -Enable together with -Disable at the command line' -ForegroundColor Red
Break
} Elseif ($Enable) {
Create-RegistryValue -regkey 'HKLM:\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}' -Name 'Deny_Read'
Create-RegistryValue -regkey 'HKLM:\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}' -Name 'Deny_Write'
Write-Host 'Policy is set to Enabled...' -BackgroundColor Green -ForegroundColor Black
Break
} Elseif ($Disable) {
Delete-RegistryValue -regkey 'HKLM:\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
Write-Host 'Policy is set to Disabled...' -BackgroundColor Red -ForegroundColor Black
Break
} Elseif (($Check) -or ($Query)) {
Test-RegistryValue -regkey 'HKLM:\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}' -Name 'Deny_Read'
Break
} Elseif ((!$Enable) -and (!$Disable)) {
Write-Host 'No parameter used, use -Enable or -Disable at the command line' -ForegroundColor Red
}
Download: Block-USB.zip 1.2 KB ( 1269 bytes )
SHA256: ed87ea7332df0a8dada6d902790d15b2e753f65cef0bb9463156ad0953af37bb
VirusTotal: link
Comments