Disable USB GPO Not Working with Windows 10 Pro N Edition
I have a Group Policy setting configured to Deny Read/Write access to USB drives on all computers. It is applied to the correct OUs, it is not filtered out, and I can see via RSOP & gpresult that this setting is correctly applied to the PCs.
However, some Windows 10 PCs do not apply this setting and USB devices can still be accessed regardless of what the GPO settings are.
Recently, somebody responded to a post I had made on another site and he was able to identify the issue.
As it turns out, the service, Portable Device Enumerator Service, is not installed on Windows 10 Pro N by default. It is installed as part of the standalone Media Feature Pack that installs Windows Media Player. Even the description of this service states:
"Enforces group policy for removable mass-storage devices. Enables applications such as Windows Media Player and Image Import Wizard to transfer and synchronize content using removable mass-storage devices."
I have deployed Windows 10 Pro N to our PCs because it is a cleaner version of W10 without Pandora, game ads, and other items that aren't necessary on a business PC.
I was able to verify this issue by opening a USB drive on a Windows 10 Pro N v1709 PC that has the GPO settings correctly applied to block USB access. I then installed the Media Feature Pack, rebooted the PC, tried the USB drive again, and it was successfully blocked.
Microsoft needs to update the USB services on Windows 10 Pro N PCs so Group Policy will successfully block USB drives on any version of Windows 10, regardless of whether that PC has Windows Media Player installed or not. Or at the very least, have the Portable Device Enumerator Service installed on all versions of Windows 10 by default. Each feature update requires a different Media Feature Pack to re-install Windows Media Player and the service mentioned above.
If this service is required to enforce Group Policies, why is it not included in every version of Windows 10?
This is a severe security issue for a financial institution. It is not feasible to re-install Windows Media Player on every computer after each bi-annual feature update. Currently, every time we push a feature update to our PCs it breaks our USB access restrictions, opening up security risks for both our business and our customers.
I need to ensure this Group Policy Object is working 100% of the time.
I was advised to post this issue on this thread from my TechNet post on the same issue.
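The gap the post describes (policy correctly applied, yet not enforced because the enforcing service is absent) can be checked per client. The following PowerShell is an added example, not from the original post or from Microsoft; it assumes the service name WPDBusEnum for the Portable Device Enumerator Service, the HKLM\SOFTWARE\Policies\...\RemovableStorageDevices registry location that the Removable Storage Access GPO writes, and the "Removable Disks" device class GUID, none of which appear in the post.

```powershell
# Added example, not from the original post. Checks whether the Removable Storage
# Access policy has reached the client's registry AND whether the service that
# enforces it (Portable Device Enumerator Service, service name WPDBusEnum) is
# installed. Run in an elevated PowerShell session on the client after gpupdate.

# Registry location written by the "Removable Storage Access" GPO settings (assumed).
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
# Device setup class GUID the GPO uses for "Removable Disks" (assumed).
$RemovableDisksClass = '{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'

function Get-RemovableStoragePolicy {
    # Missing keys or values mean the setting is "Not configured" on this client.
    $root = Get-ItemProperty -Path $PolicyRoot -ErrorAction SilentlyContinue
    $disk = Get-ItemProperty -Path (Join-Path $PolicyRoot $RemovableDisksClass) -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DenyAll   = [bool]($root -and $root.Deny_All   -eq 1)
        DenyRead  = [bool]($disk -and $disk.Deny_Read  -eq 1)
        DenyWrite = [bool]($disk -and $disk.Deny_Write -eq 1)
    }
}

function Test-UsbPolicyEnforcement {
    $policy  = Get-RemovableStoragePolicy
    $service = Get-Service -Name 'WPDBusEnum' -ErrorAction SilentlyContinue
    $edition = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID
    $policyConfigured = $policy.DenyAll -or $policy.DenyRead -or $policy.DenyWrite

    # The service is demand-started, so "Stopped" alone is not a problem; "Disabled" or absent is.
    $verdict = if (-not $policyConfigured) {
        'No removable storage policy on this client; check GPO scope with gpresult /r.'
    } elseif (-not $service) {
        'POLICY PRESENT BUT NOT ENFORCEABLE: WPDBusEnum is not installed (N edition without the Media Feature Pack).'
    } elseif ($service.StartType -eq 'Disabled') {
        'POLICY PRESENT BUT NOT ENFORCEABLE: WPDBusEnum is disabled.'
    } else {
        'Policy present and enforcing service installed.'
    }

    [pscustomobject]@{
        Edition          = $edition
        PolicyConfigured = $policyConfigured
        DenyRead         = $policy.DenyRead
        DenyWrite        = $policy.DenyWrite
        ServiceInstalled = [bool]$service
        ServiceStatus    = if ($service) { $service.Status } else { 'Absent' }
        Verdict          = $verdict
    }
}

Test-UsbPolicyEnforcement | Format-List
```

Running this across a fleet (for example via a scheduled task that writes the object to a central share or SIEM) surfaces clients where a feature update has removed the service again, before a user discovers a USB drive is readable.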
We're using ThreatLocker in our company. It's easy to manage and allows creating organization, group, and computer policies for blocking USB devices, DVD/BD, etc. It also helps with permitting or denying path access to our file servers and application whitelisting.
I'm voting this one up. I am concerned that businesses using Windows 10 Pro N may be exposed to USB risks merely because a faithful effort to apply policy is not honored by the client systems running this variant. - David Taylor, CISSP, Former MSFT PFE, Oracle Employee.