Forum Discussion

drivesafely's avatar
drivesafely
Copper Contributor
Feb 05, 2025

MDE Device Control Prevent installation of removable devices

Hello All, We had configured a Device Control policy restricting removable device installations under Device Installation Restrictions > Prevent installation of removable devices (Enabled). This blo...
drivesafely's avatar
drivesafely
Copper Contributor
Feb 08, 2025

Hello luchete 

Thanks for your response.

Can you please provide the name of which key value should be set to 1 to allow installation at the location "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor" ?

The value of "Start" key is 3, which mean it is allowed.

Thanks again.

luchete's avatar
luchete
Steel Contributor
Feb 08, 2025

Good morning drivesafely!

The key I'm referring to in the registry is the same you provided: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor, should have its Start value set to 3 to allow USB devices to be installed.

As you've mentioned if the Start key is already set to 3, then it is correct for allowing installation.

Since that it is ok, I would suggest verifying if there are any other policies or restrictions applied at the group policy or local security level that might be interfering with USB installations. Sometimes other settings, like "Prevent installation of devices not described by other policy settings," could also have an impact.

In case you don't know the location it would be:

Open the Group Policy Editor (Windows + R, type gpedit.msc,). From there, navigate to Computer Configuration, then Administrative Templates, followed by System, Device Installation, and finally Device Installation Restrictions. Look for the policy called "Prevent installation of devices not described by other policy settings". If it's enabled, change it to Not Configured or Disabled to allow USB devices. Once done, restart your computer or run gpupdate /force in Command Prompt to apply the changes.

Additionally, another thing that comes to my mind is that you can check if any other security software or endpoint protection solution is enforcing restrictions on USB devices. 

For that you can look into the settings of any antivirus or endpoint protection software installed on the device. Open the security software’s main interface and look for any device control or USB management settings. These settings often allow or block USB devices based on predefined rules. If there are any restrictions in place, you can disable them or adjust the settings to allow USB devices. If you’re using a centralized endpoint protection solution, you might need to check with your IT team to ensure no policies are blocking USB devices in case you dont have access/permissions to do it. 

Let me know how it goes or we can keep finding more ideas to resolve your issue,

Regards,

Resources