Turn Off USB Storage Ports on Windows 11 for Enhanced Security

Ensuring that your USB storage ports are disabled can significantly enhance your computer's security by preventing unauthorized data access and potential theft. Here’s how you can turn off USB storage ports on Windows 11.

How Can I Disable USB Drives on Windows 11?

1. Block USB Drives in Registry Editor

  1. Open Registry Editor:
    • Press the Windows key + R on your keyboard.
    • Type regedit.exe and click OK.
    • If prompted by the User Account Control, click Yes.
  2. Navigate to USBSTOR:
    • In the left panel of Registry Editor, expand the following path:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR.
  3. Change Value Data:
    • In the right panel, double-click on Start.
    • Change the Value data from 3 to 4.
    • Click OK to save the changes.
    • By changing the value, USB drives will no longer be recognized when inserted. This effectively blocks any USB storage devices from being used on your system.

2. Disable USB Ports in Device Manager

  1. Open Device Manager:
    • Right-click the Windows Start icon on the Taskbar.
    • Select and open Device Manager from the Power User Menu.
  2. Disable USB Devices:
    • Expand the Universal Serial Bus controllers section.
    • Right-click each item listed and select Disable device.
    • Confirm your selection by clicking Yes in the dialog box.
    • Disabling the USB controllers will prevent any devices, including USB drives, from functioning. This is a straightforward way to ensure no USB devices can be used.

3. Disable USB Ports via Local Group Policy Editor

  1. Open Local Group Policy Editor:
    • Open Start and type gpedit.msc, then press Enter.
  2. Navigate to Removable Storage Access:
    • In the Local Group Policy Editor, go to:
      Computer Configuration > Administrative Templates > System > Removable Storage Access.
  3. Deny All Access:
    • On the right side, double-click All Removable Storage classes: Deny all access.
    • Select the Enabled option.
    • Click Apply, then OK.
    • This method will deny access to all removable storage devices, ensuring that no unauthorized USB devices can be used.

4. Block USB Drives Using Intune

  1. Create the PowerShell Script:
    • Create a PowerShell script that sets the Start value of the USBSTOR service to 4 to block USB storage access:
      # Set the USBSTOR driver's start type to 4 (disabled)
      Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR" -Name "Start" -Value 4

  2. Deploy via Intune:
    • In Intune, go to Devices > Scripts.
    • Upload the PowerShell script and assign it to the desired groups.
    • Using Intune for device management allows for scalable deployment across multiple devices. This ensures that all managed devices adhere to your security policies.

5. Block USB Drives Using Device Remediations in Intune

  1. Create Device Remediation Policy:
    • Access Intune and go to Devices > Compliance policies > Policies.
    • Create a new compliance policy and add a custom configuration profile for Windows 10 and later.
  2. Add Configuration Settings:
    • Use the configuration settings to modify registry keys similar to the PowerShell script.
    {
    "OmaUri": "./Device/Vendor/MSFT/Policy/Config/ADMX_RemovableStorage/RemovableStorageClasses_DenyAll_Access_2",
    "DataType": "String",
    "Value": "<enabled/>"
    }

    This method ensures that the registry settings are enforced across all managed devices, providing a robust solution for disabling USB storage ports.

By following these methods, you can effectively disable USB drives on Windows 11 to protect your data from unauthorized access and potential theft.
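
To confirm that one of the registry-backed methods above (1, 3, 4 or 5) actually took effect on a machine, a read-only audit script can check the values they write. This is an added example, not part of the original article. The policy registry path and the extra check of the UASPStor driver (used by UAS-capable drives in place of USBSTOR) are assumptions not taken from the article, and the function names are hypothetical.

```powershell
# Added example: read-only audit of the USB storage lockdown settings.
# Usable as an Intune detection script: exit 0 = blocked, exit 1 = not blocked.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is missing instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

function Test-UsbStorageLockdown {
    $services = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    # Assumption: registry value written by the "Deny all access" policy (method 3).
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

    $usbStor = Get-RegValue -Path "$services\USBSTOR" -Name 'Start'
    # Assumption: UAS-capable drives use the UASPStor driver rather than USBSTOR.
    $uaspStor = Get-RegValue -Path "$services\UASPStor" -Name 'Start'
    $denyAll = Get-RegValue -Path $policy -Name 'Deny_All'

    # Driver method counts only if every USB storage driver present is disabled (4).
    $driverBlocked = ($usbStor -eq 4) -and ($null -eq $uaspStor -or $uaspStor -eq 4)
    $policyBlocked = ($denyAll -eq 1)

    [pscustomobject]@{
        UsbStorStart  = $usbStor
        UaspStorStart = $uaspStor
        PolicyDenyAll = $denyAll
        DriverBlocked = $driverBlocked
        PolicyBlocked = $policyBlocked
        Compliant     = $driverBlocked -or $policyBlocked
    }
}

$result = Test-UsbStorageLockdown
$result | Format-List | Out-String | Write-Output
if ($result.Compliant) { exit 0 } else { exit 1 }
```

Run it from an elevated PowerShell prompt after a reboot or policy refresh. A machine that reports DriverBlocked as False while UsbStorStart is 4 has the USBSTOR driver disabled but UASPStor still enabled.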
Author
Windows Daily