Windows USB policy

Updated today

Goal
Let IT block—or later unblock—all removable-storage devices (USB flash drives, external HDD/SSD, SD-card readers, smartphones in Mass-Storage mode, etc.) on Windows endpoints with a single policy. This helps stop data exfiltration and malware sideloading.


1 . Prerequisites

| Requirement | Details |
| --- | --- |
| Supported editions | Windows 10 or later: Pro, Enterprise, Education, SE, IoT Enterprise / LTSC |
| Swif Agent | v1.102+ (auto-updates) |
| Local rights | No end-user admin rights required; policy is enforced by the Swif MDM service |


2 . Add the policy

  1. Device Management ▸ Policies ▸ Add Policy.

  2. Select Windows USB Policy ▸ Configure.

  3. (Optional) Rename or describe the policy for your environment.

  4. Adjust the setting(s) below → Continue → assign to devices / groups → Publish.


3 . Available setting

| Field | Values | Effect |
| --- | --- | --- |
| Block the Removable Disk | True – disables Windows’ removable-storage class driver. Any new USB mass-storage device is rejected; existing drives are ejected. False – allows removable drives as normal. | Policy refresh every 15 min or on reboot. No reboot needed to enable the block; a reboot is needed only if you later unblock and the device was actively in use. |

Note
This control does not block USB keyboards, mice, webcams, network adapters, dongles, or charging. It targets the USBSTOR driver and Storage class GUIDs only.


4 . What the user sees

  • When a blocked USB stick is inserted, Windows shows “Access denied” and the drive letter will not mount.

  • Swif Desktop displays an optional toast: “USB removable storage is blocked by your organisation.”


5 . Verify enforcement

  1. Swif Inventory ▸ Device ▸ Policies tab should show Applied.

  2. On the endpoint, run Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR" – value Start = 4 indicates the driver is disabled (blocked).
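
The registry check from step 2, wrapped as an added PowerShell example (not Swif's own tooling) that also lists disks still attached over USB. The function name Test-UsbStorageBlock and the Compliant field are hypothetical; the registry path and the Start = 4 meaning come from the step above.

```powershell
# Added example: verify the USB storage block on a Windows endpoint.
# Test-UsbStorageBlock is a hypothetical helper name, not a Swif or Windows cmdlet.
function Test-UsbStorageBlock {
    [CmdletBinding()]
    param(
        # Registry key named in the verification step.
        [string]$ServiceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    )

    # Standard Windows service/driver start types.
    $startTypes = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

    # Read Start; a missing key or value leaves $start as $null.
    $svc   = Get-ItemProperty -Path $ServiceKey -Name Start -ErrorAction SilentlyContinue
    $start = if ($svc) { [int]$svc.Start } else { $null }

    # Physical disks currently attached over USB. Expected to be empty once the block applies.
    $usbDisks = @(Get-CimInstance -ClassName Win32_DiskDrive -Filter "InterfaceType='USB'" |
        Select-Object -ExpandProperty Model)

    # Removable volumes holding a drive letter (DriveType 2). Informational only:
    # built-in card readers that are not USB-attached can also appear here.
    $removable = @(Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType=2' |
        Select-Object -ExpandProperty DeviceID)

    $known = ($null -ne $start) -and $startTypes.ContainsKey($start)

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        UsbStorStart     = $start
        StartType        = if ($known) { $startTypes[$start] } else { 'Unknown' }
        DriverDisabled   = ($start -eq 4)
        UsbDisks         = $usbDisks
        RemovableVolumes = $removable
        # Compliant: driver disabled AND no USB disk still enumerated.
        Compliant        = ($start -eq 4) -and ($usbDisks.Count -eq 0)
    }
}

Test-UsbStorageBlock | Format-List
```

A result with DriverDisabled = True but a non-empty UsbDisks list points to a drive that was attached before the policy took effect.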


6 . Best-practice tips ✅

| Scenario | Recommendation |
| --- | --- |
| Sensitive laptops (finance, HR, execs) | Apply Block = True to a “No-USB” device group. |
| Temporary exception | Flip Block = False, wait for policy sync, ask user to reboot, then revert to True once transfer is done. |
| Mixed environment | Combine with Swif’s macOS/Linux USB policies for uniform posture. |
| Logging | Pair with the Windows Tracking Policy to log plug/unplug events for audit. |


7 . Troubleshooting

| Symptom | Cause / Fix |
| --- | --- |
| USB still mounts after 30 minutes | Device offline – check last check-in time. Ask user to connect to VPN/Internet. |
| BitLocker recovery prompt appears | Expected if the drive was BitLocker-encrypted before blocking; allow user to cancel. |
| Need to allow a single authorised drive | Current policy is global. Use Windows AppLocker or a 3rd-party DLP tool for granular whitelisting. |


Need assistance? Chat with us in-product or email support@swif.ai.

Swif Policy glossary – see All Windows policies article for context.