1
I've got a Windows 10 Pro system ('Backpack'), and as the administator, I've set the group policy 'All Removable Storage classes: Deny all access' to Enabled, then the system was rebooted.
Looking in the registry, I see that 'HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices!Deny_All' is set to 1.
If I log in locally as the non-administrator account 'User', it works as expected - plugging a flash drive into the 'Backpack' system doesn't work.
However, if I remote desktop into 'Backpack' as the 'User' account, and then plug a flash drive into 'Backpack', it works! I'm able to (as the 'User' account) read and write the flash drive.
I assume that there's some other group policy that I'm unaware of that I have to set as well, but I've no idea what I'm looking for.
Per request, I've attached gpresult output below. gpresult was run from an admin command shell.
gpresult /scope computer /z
COMPUTER SETTINGS
------------------
Last time Group Policy was applied: 12/1/2017 at 1:17:30 AM
Group Policy was applied from: N/A
Group Policy slow link threshold: 500 kbps
Domain Name: B-f44d306d50e1
Domain Type: <Local Computer>
Applied Group Policy Objects
-----------------------------
Local Group Policy
The computer is a part of the following security groups
-------------------------------------------------------
BUILTIN\Administrators
Everyone
NT AUTHORITY\Authenticated Users
System Mandatory Level
Resultant Set Of Policies for Computer
---------------------------------------
Software Installations
----------------------
N/A
Startup Scripts
---------------
N/A
Shutdown Scripts
----------------
N/A
Account Policies
----------------
N/A
Audit Policy
------------
N/A
User Rights
-----------
N/A
Security Options
----------------
N/A
N/A
Event Log Settings
------------------
N/A
Restricted Groups
-----------------
N/A
System Services
---------------
N/A
Registry Settings
-----------------
N/A
File System Settings
--------------------
N/A
Public Key Policies
-------------------
N/A
Administrative Templates
------------------------
GPO: Local Group Policy
Folder Id: Software\Policies\Microsoft\Windows\RemovableStorageDevices\Deny_All
Value: 1, 0, 0, 0
State: Enabled
Michael Kohne
Posted 2017-11-30T17:20:24.547
Reputation: 3 808
What? I am confused by what you are doing exactly. You are connecting to the PC through a remote desktop, plugging in in the USB device to the remote PC, and you are able to access the drive as the user? – Ramhound – 2017-11-30T17:24:20.493
@Ramhound - Yes, that's correct. – Michael Kohne – 2017-11-30T17:34:48.237
It would be helpful to provide the relevant information from gpresult – Ramhound – 2017-11-30T17:41:28.637
I just played with this a bit more: The 'Removable Disks: Deny * access' policies (there's one for read, one for write, one for execute) behave in the same manner. – Michael Kohne – 2017-12-01T18:23:31.967