Goal
Let IT block—or later unblock—all removable-storage devices (USB flash drives, external HDD/SSD, SD-card readers, smartphones in Mass-Storage mode, etc.) on Windows endpoints with a single policy. This helps stop data exfiltration and malware sideloading.
1. Prerequisites
| Requirement | Details |
| --- | --- |
| Supported editions | Windows 10 or later: Pro, Enterprise, Education, SE, IoT Enterprise / LTSC |
| Swif Agent | v1.102+ (auto-updates) |
| Local rights | No end-user admin rights required; policy is enforced by the Swif MDM service |
2. Add the policy
1. Device Management ▸ Policies ▸ Add Policy.
2. Select Windows USB Policy ▸ Configure.
3. (Optional) Rename or describe the policy for your environment.
4. Adjust the setting(s) below → Continue → assign to devices / groups → Publish.
3. Available setting
| Field | Values | Effect |
| --- | --- | --- |
| Block the Removable Disk | True – disables Windows’ removable-storage class driver. Any new USB mass-storage device is rejected; existing drives are ejected. False – allows removable drives as normal. | Policy refresh every 15 min or on reboot. No reboot needed to enable the block; a reboot is needed only if you later unblock and the device was actively in use. |
Note
This control does not block USB keyboards, mice, webcams, network adapters, dongles, or charging. It targets the USBSTOR driver and Storage class GUIDs only.
4. What the user sees
When a blocked USB stick is inserted, Windows shows “Access denied” and the drive letter will not mount.
Swif Desktop displays an optional toast: “USB removable storage is blocked by your organisation.”
5. Verify enforcement
Swif Inventory ▸ Device ▸ Policies tab should show Applied.
On the endpoint, run:
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR"
A Start value of 4 indicates the driver is disabled (blocked).
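The registry check above can be wrapped into a report that also lists removable volumes still mounted on the endpoint. This is an added example, not Swif's own tooling: the function name `Get-UsbStorBlockStatus` and the `NeedsReview` heuristic are assumptions, and the start-type names are the standard Windows service start types.

```powershell
# Added example (not Swif tooling): report the USBSTOR driver state on this endpoint.
function Get-UsbStorBlockStatus {
    [CmdletBinding()]
    param()

    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    # Standard Windows service start types for the Start value.
    $startTypes = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

    $start = $null
    try {
        $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction Stop).Start
    } catch {
        # Missing key or value: report it instead of assuming a state.
        Write-Warning "Could not read Start under ${key}: $($_.Exception.Message)"
    }

    # Removable volumes mounted right now (Win32_LogicalDisk DriveType 2 = removable disk).
    $mounted = @(Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' |
        Select-Object -ExpandProperty DeviceID)

    $blocked = ($start -eq 4)
    $typeName = 'Unknown'
    if ($null -ne $start -and $startTypes.ContainsKey([int]$start)) {
        $typeName = $startTypes[[int]$start]
    }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        UsbStorStart     = $start
        StartType        = $typeName
        DriverBlocked    = $blocked
        MountedRemovable = $mounted -join ','
        # Heuristic (assumption): driver disabled but a removable volume is
        # still mounted, so the endpoint deserves a closer look.
        NeedsReview      = ($blocked -and $mounted.Count -gt 0)
    }
}

Get-UsbStorBlockStatus | Format-List
```

An endpoint in the "No-USB" group should report `DriverBlocked : True` and an empty `MountedRemovable`.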
6. Best-practice tips ✅
| Scenario | Recommendation |
| --- | --- |
| Sensitive laptops (finance, HR, execs) | Apply Block = True to a “No-USB” device group. |
| Temporary exception | Flip Block = False, wait for policy sync, ask user to reboot, then revert to True once transfer is done. |
| Mixed environment | Combine with Swif’s macOS/Linux USB policies for uniform posture. |
| Logging | Pair with the Windows Tracking Policy to log plug/unplug events for audit. |
7. Troubleshooting
| Symptom | Cause / Fix |
| --- | --- |
| USB still mounts after 30 minutes | Device offline – check last check-in time. Ask user to connect to VPN/Internet. |
| BitLocker recovery prompt appears | Expected if the drive was BitLocker-encrypted before blocking; allow user to cancel. |
| Need to allow a single authorised drive | Current policy is global. Use Windows AppLocker or a 3rd-party DLP tool for granular whitelisting. |
Need assistance? Chat with us in-product or email support@swif.ai.
Swif Policy glossary – see All Windows policies article for context.