Information
This policy setting prevents the installation of removable devices. A device is considered removable when the driver for the device to which it is connected indicates that the device is removable.
The recommended state for this setting is: Enabled
Note: By default, this policy setting takes precedence over any other policy setting that allows Windows to install a device, except where "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" is applied.
Preventing the installation of devices that are not approved to be connected to the system can help prevent data theft and the leaking of unauthorized copies of company data via removable media.
It is important to note that this setting does not eliminate data theft, but creates a layer of security to help prevent it.
Solution
To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Administrative Templates\System\Device Installation\Device Installation Restrictions\Prevent installation of removable devices
Note: This Group Policy path is provided by the Group Policy template DeviceInstallation.admx/adml that is included with the Microsoft Windows 10 Release 21H2 Administrative Templates (or newer).
Impact:
If the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is not Enabled, all plug and play/removable devices will be denied installation, preventing the transfer of data via these types of devices.
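One way to audit this setting on a host, as an added example that is not part of the original benchmark text. The registry key and the value names DenyRemovableDevices and AllowDenyLayered are not stated on this page; they are assumed to be the ones written by the DeviceInstallation.admx template and should be confirmed against the template version in use.

```powershell
# Added audit example. Key path and value names are assumptions taken from the
# DeviceInstallation.admx template, not from this page.
function Test-RemovableDeviceInstallPolicy {
    [CmdletBinding()]
    param(
        [string]$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
    )

    # A missing key or value means the policy is Not Configured.
    $props = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue

    $deny    = if ($props -and $null -ne $props.DenyRemovableDevices) { [int]$props.DenyRemovableDevices } else { $null }
    $layered = if ($props -and $null -ne $props.AllowDenyLayered)     { [int]$props.AllowDenyLayered }     else { $null }

    # Recommended state: "Prevent installation of removable devices" is Enabled.
    $compliant = ($deny -eq 1)

    $detail = if (-not $compliant) {
        'Prevent installation of removable devices is not Enabled.'
    } elseif ($layered -eq 1) {
        'Enabled, but layered evaluation is applied: this setting no longer takes precedence over Allow policies, so review them.'
    } else {
        'Enabled and takes precedence over policies that allow device installation.'
    }

    [pscustomobject]@{
        Computer                = $env:COMPUTERNAME
        PreventRemovableDevices = $deny
        LayeredEvaluation       = $layered
        Compliant               = $compliant
        Detail                  = $detail
    }
}

Test-RemovableDeviceInstallPolicy | Format-List
```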