I am attempting to use GPO in order to block USB mass storage devices for certain OUs inside a domain.  I currently have this configured on a hybrid testbed system (VM & Physical).  I currently have 2 GPOs configured for allow and deny.  In each, I have the USBstor  Start Reg Key set to 3 and 4.  I also have lines in there to configure the USBstor inf and pnf files Explicitly allowing and denying OUs (Note that these have the same permissions for each GPO).  I then have these GPOs linked to the various OUs on my domain to allow or deny access to GPO.  In my testbed (Server 2008R2, server 2012, and win 7) this seems to function correctly.  However, when I implement these GPOs on my running domain, this is not the case.  I am able to block usb that has previously been installed.  However, I cannot stop the running of newly installed usb devices.  uPNP seems to overwrite my GPO and force install.  On my testbed, if I try to install a new usb device, I will install the driver, but will also force the USB to remain inactive.  When navigating to device manager, I can see the USB mass device with a yellow notice symbol on it (as it should be).  Any idea what could be configured differently on my running domain that is allowing the uPNP feature to run new usb drives???  In the end, I would just like some OUs to have full usb access, while other OUs are fully restricted from using any form of USB mass storage.  Note: I have gone through all measures to disable the uPNP services both locally and in reg.  

 However, I cannot stop the running of newly installed usb devices.  uPNP seems to overwrite my GPO and force install.  

Please check on your client machine and see if related reg keys have been received correctly.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor, then in the right pane, find "Start" key, view it's value, (4=Disable USB Drives; 3=Enable USB Drives)

Try to run Gpresult /h result.html and see if the GPO is applied correctly.
 

Also, take a look at these links and see if helpful:

https://social.technet.microsoft.com/Forums/windowsserver/en-US/60d14311-8a9e-4a25-a18a-1c456940b346/policy-to-turn-off-usb-mass-storage-device-by-user-not-computer?forum=winserverGP

https://social.technet.microsoft.com/Forums/windowsserver/en-US/5e10c51a-5d58-4648-8779-aec402efd567/disable-usb-mass-storage-through-gp-across-windows-7-xp-but-usb-keyboard-mouse-should?forum=winserverGP

Ashish

• Edited by Ashish Basran IT Convergys Inc Friday, August 28, 2015 5:21 AM

 However, I cannot stop the running of newly installed usb devices.  uPNP seems to overwrite my GPO and force install.  

Please check on your client machine and see if related reg keys have been received correctly.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor, then in the right pane, find "Start" key, view it's value, (4=Disable USB Drives; 3=Enable USB Drives)

Try to run Gpresult /h result.html and see if the GPO is applied correctly.
 

Also, take a look at these links and see if helpful:

https://social.technet.microsoft.com/Forums/windowsserver/en-US/60d14311-8a9e-4a25-a18a-1c456940b346/policy-to-turn-off-usb-mass-storage-device-by-user-not-computer?forum=winserverGP

https://social.technet.microsoft.com/Forums/windowsserver/en-US/5e10c51a-5d58-4648-8779-aec402efd567/disable-usb-mass-storage-through-gp-across-windows-7-xp-but-usb-keyboard-mouse-should?forum=winserverGP

Ashish

• Edited by Ashish Basran IT Convergys Inc Friday, August 28, 2015 5:21 AM
• Marked as answer by Ethan HuaMicrosoft contingent staff, Moderator 2 hours 44 minutes ago

Hi,
 
How is it going? 
 

Regards,

Eth

Hi,
 
I'm marking the reply as answer as there has been no update for a couple of days.
 
If you come back to find it doesn't work for you, please reply to us and unmark the answer.
 

Regards,

Eth