Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
In Windows Server environments, blocking program installations from USB drives is an important security measure. This helps prevent the installation of unauthorized software and the spread of malware through removable storage devices.
With Group Policy, administrators can enforce specific rules and restrictions on USB drives and other removable media. Below is an overview of how you can block program installations from USB drives using Group Policy in Windows Server 2025.

In this lab tutorial we will configure a layered Group Policy Object (GPO) in our domain Active Directory environment to prevent domain-joined Windows 11 Enterprise client computers from running or installing programs from USB drives. You will work directly on WS2025-DC01, your Windows Server 2025 Domain Controller, using the Group Policy Management Console (GPMC).
Before starting this lab, confirm the following in your vmorecloud.com environment:
- WS2025-DC01 is a Windows Server 2025 Domain Controller for vmorecloud.com with the Group Policy Management Console installed, and you can log on as VMORECLOUD\Administrator (or another Domain Admin account).
- An Organizational Unit exists that contains the computer accounts of your Windows 11 Enterprise clients.
- At least one domain-joined Windows 11 Enterprise test client is in that OU.
- You have a USB flash drive containing a test installer (.exe or .msi); for the Layer 1 test to be meaningful, use a drive the test client has never had connected before.
Task 1: Create the GPO and Link It to the Computers OU
Log in to WS2025-DC01 as VMORECLOUD\Administrator. Press Windows + R, type gpmc.msc, and press Enter. The Group Policy Management Console opens. In the left navigation tree, expand the following path:
Forest: vmorecloud.com
└─ Domains
└─ vmorecloud.com
└─ [Your Target OU for Computer Accounts]
In GPMC, right-click the Organizational Unit that contains your Windows 11 Enterprise computer accounts.
Select Create a GPO in this domain, and Link it here. In the Name field, type the following name and click OK:
Block-USB-Program-Installations
The new GPO now appears linked to your target OU with a status of Enabled. Right-click the GPO and select Edit to open the Group Policy Management Editor.
Task 2: Configure Device Installation Restrictions (Layer 1)
In the Group Policy Management Editor for your Block-USB-Program-Installations GPO, navigate to the following path:
Computer Configuration
└─ Policies
└─ Administrative Templates
└─ System
└─ Device Installation
└─ Device Installation Restrictions
The right panel displays all available Device Installation Restriction policies. You will configure two policies in this section. Locate and double-click: Prevent installation of removable devices. Select Enabled and click OK.
| Setting / Policy | Value / Configuration |
| Policy Name | Prevent installation of removable devices |
| Location | System > Device Installation > Device Installation Restrictions |
| Setting | Enabled |
| Effect | Prevents Windows from installing, or updating the driver of, any device whose bus driver reports it as removable, which covers USB mass storage devices. This is enforced at device installation time only: a USB drive that this client already installed before the policy applied keeps its driver and continues to mount until its device instance is removed, so test with a drive the client has never seen. |
In the same Device Installation Restrictions section, locate and double-click: Prevent installation of devices not described by other policy settings.
Select Enabled and click OK.
| Setting / Policy | Value / Configuration |
| Policy Name | Prevent installation of devices not described by other policy settings |
| Setting | Enabled |
| Effect | Acts as a catch-all: any device not explicitly permitted by an Allow policy is blocked from installing, which closes bypasses via obscure or renamed USB device classes. Note that it is class-agnostic: a keyboard, mouse, monitor, printer or docking station first connected after the policy applies is blocked too. On production workstations, pair it with Allow installation of devices using drivers that match these device setup classes (same folder) for the classes you need; for this lab client it can stay as is. Leave Allow administrators to override Device Installation Restriction policies Not Configured, otherwise members of the local Administrators group can install and update drivers for any device regardless of these settings. |
Task 3: Configure Windows Installer Restrictions (Layer 2)
In the Group Policy Management Editor, navigate to:
Computer Configuration
└─ Policies
└─ Administrative Templates
└─ Windows Components
└─ Windows Installer
In the Windows Installer folder, locate and double-click: Prevent removable media source for any install. Select Enabled and click OK.
| Setting / Policy | Value / Configuration |
| Policy Name | Prevent removable media source for any install |
| Location | Windows Components > Windows Installer |
| Setting | Enabled |
| Effect | Instructs the Windows Installer service (msiexec.exe) to refuse any installation whose source package sits on a drive Windows reports as removable or optical: USB flash drives, SD cards and CD/DVD media. Users receive an error if they try to run an .msi installer from such a drive. Two limits to keep in mind: it applies only to Windows Installer packages (.msi files, or .exe bootstrappers that hand an .msi on the drive to msiexec), not to self-contained .exe installers, and a USB hard disk that enumerates as a fixed disk rather than a removable one is not covered. It also does nothing once the .msi has been copied to the local disk. |
Task 4: Configure AutoPlay Policies (Layer 3)
In the Group Policy Management Editor, navigate to:
Computer Configuration
└─ Policies
└─ Administrative Templates
└─ Windows Components
└─ AutoPlay Policies
In the AutoPlay Policies folder, locate and double-click: Turn off AutoPlay. Select Enabled. In the Turn off AutoPlay on dropdown, select All Drives. This ensures AutoPlay is disabled for USB drives, optical media, and all other removable media types.
Click OK to save.
| Setting / Policy | Value / Configuration |
| Policy Name | Turn off AutoPlay |
| Location | Windows Components > AutoPlay Policies |
| Setting | Enabled |
| Scope | All Drives |
| Effect | Prevents Windows from automatically launching any content when a drive is connected. Eliminates the AutoPlay popup dialog and any automatic execution triggered by drive insertion. |
In the same AutoPlay Policies folder, locate and double-click: Set the default behavior for AutoRun. Select Enabled and, in the Default AutoRun Behavior dropdown, select Do not execute any autorun commands. Click OK.
| Setting / Policy | Value / Configuration |
| Policy Name | Set the default behavior for AutoRun |
| Setting | Enabled |
| AutoRun Behavior | Do not execute any autorun commands |
| Effect | Suppresses execution of autorun.inf-based commands, a common malware delivery mechanism via USB drives on older Windows versions. Windows 7 and later already ignore autorun.inf on USB mass storage devices and honor it only on optical media, so on Windows 11 this setting mainly closes the CD/DVD path and pins the default so it cannot be relaxed; it is still worth setting explicitly. |
Task 5: Verify All GPO Settings Are Configured
Before refreshing policy on the client, do a final review to confirm all five policy settings are correctly configured. In GPMC, select the GPO and open the Settings tab in the right pane, which renders a report of every configured setting, or navigate to each setting in the Group Policy Management Editor to confirm:
| # | Policy Name | Required Setting |
| 1 | Prevent installation of removable devices | ENABLED |
| 2 | Prevent installation of devices not described by other policy settings | ENABLED |
| 3 | Prevent removable media source for any install | ENABLED |
| 4 | Turn off AutoPlay | ENABLED — All Drives |
| 5 | Set the default behavior for AutoRun | ENABLED — Do not execute any autorun commands |
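The same five settings can be authored from PowerShell on WS2025-DC01 with the GroupPolicy module that ships with GPMC. The script below is an added example and not part of the original lab: it creates and links the GPO, then writes the registry values that the corresponding Administrative Template settings write (value names taken from the DeviceInstallation, MSI and AutoPlay ADMX templates), so GPMC shows them under the same policy names as the manual steps in Tasks 1 to 4. The OU distinguished name in $TargetOU is a placeholder you must replace with your own OU.

```powershell
# Added example (not from the original lab). Run in an elevated PowerShell session on the DC
# as a Domain Admin. Assumes the GroupPolicy module (GPMC feature) is installed.
#Requires -Modules GroupPolicy
[CmdletBinding()]
param(
    [string]$GpoName  = 'Block-USB-Program-Installations',
    [string]$TargetOU = 'OU=Workstations,DC=vmorecloud,DC=com'   # placeholder DN: use your computers OU
)

# Registry values behind the five Administrative Template settings (per the Windows ADMX
# templates). Set-GPRegistryValue writes them into the GPO's registry.pol exactly as the
# editor does when you click Enabled, so GPMC's Settings tab displays them by policy name.
$Settings = @(
    @{ Layer=1; Name='Prevent installation of removable devices'
       Key='HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'; Value='DenyRemovableDevices'; Data=1 },
    @{ Layer=1; Name='Prevent installation of devices not described by other policy settings'
       Key='HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'; Value='DenyUnspecified'; Data=1 },
    @{ Layer=2; Name='Prevent removable media source for any install'
       Key='HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer'; Value='DisableMedia'; Data=1 },
    @{ Layer=3; Name='Turn off AutoPlay (All drives)'
       Key='HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Value='NoDriveTypeAutoRun'; Data=255 },
    @{ Layer=3; Name='Set the default behavior for AutoRun (Do not execute any autorun commands)'
       Key='HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Value='NoAutorun'; Data=1 }
)

# Task 1: create the GPO if it does not exist and link it to the target OU once.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Lab: block program installs from USB (3 layers)'
}
$linked = (Get-GPInheritance -Target $TargetOU).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null
}

# Tasks 2 to 4: write each setting as a REG_DWORD policy value.
foreach ($s in $Settings) {
    Set-GPRegistryValue -Name $GpoName -Key $s.Key -ValueName $s.Value -Type DWord -Value $s.Data | Out-Null
    '[Layer {0}] {1} -> {2}\{3} = {4}' -f $s.Layer, $s.Name, $s.Key, $s.Value, $s.Data
}

# Task 5: read the values back from the GPO and flag anything that did not land.
foreach ($s in $Settings) {
    $entry = Get-GPRegistryValue -Name $GpoName -Key $s.Key -ValueName $s.Value
    if ($entry.Value -ne $s.Data) {
        Write-Warning ('{0}: expected {1}, found {2}' -f $s.Name, $s.Data, $entry.Value)
    }
}
```

After it runs, open the GPO in GPMC and check the Settings tab: the five entries appear under Computer Configuration > Policies > Administrative Templates with the same names and values as in the table above, which is the quickest way to confirm the registry-to-policy mapping.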
Task 6: Apply the Policy and Test on a Windows 11 Client
Close the Group Policy Management Editor. Your edits are written to the GPO in SYSVOL as you make them, so there is nothing to push from the DC; running gpupdate /force on WS2025-DC01 would only refresh the DC's own policy. If the domain has more than one Domain Controller, wait for AD and SYSVOL replication to complete before testing (or trigger it with repadmin /syncall on WS2025-DC01).
On your domain-joined Windows 11 Enterprise test machine, run the following in an elevated Command Prompt or PowerShell window (from the DC you can trigger the same refresh remotely with Invoke-GPUpdate -Computer <client> -Force from the GroupPolicy module):
gpupdate /force
The client machine downloads and applies the new Computer Configuration policy settings. Device Installation Restrictions and the Windows Installer policy govern new installations from that point on; a restart is still recommended so that nothing set up before the policy applied remains in effect:
shutdown /r /t 0
After the client restarts, log on and verify the GPO is being applied correctly. Run the following in an elevated Command Prompt on the Windows 11 client (elevation is required to see the Computer Settings section):
gpresult /r
In the output, look for the Computer Settings section. Your Block-USB-Program-Installations GPO should appear under Applied Group Policy Objects. If it does not, confirm that the client's computer account is in the OU the GPO is linked to, that the GPO's security filtering still includes Authenticated Users (or the computer), and that replication has completed if you have more than one DC.
For a detailed HTML report that is easier to read (create C:\Temp first if it does not exist):
gpresult /h C:\Temp\gpreport.html /f
start C:\Temp\gpreport.html
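Beyond checking that the GPO is listed, it is worth confirming that each of the five settings actually reached the client's registry, and understanding which of the attached drives Layer 2 will cover. The script below is an added example, not part of the original lab: run it in an elevated PowerShell session on the Windows 11 client after gpupdate. The registry paths and value names are the ones the Windows ADMX templates write for these settings; the Win32_LogicalDisk drive-type codes are the standard WMI values.

```powershell
# Added example (not from the original lab): client-side verification of the three layers.
# Run elevated on the Windows 11 test client after gpupdate /force and a restart.

function Test-UsbBlockPolicy {
    # Policy locations the five Administrative Template settings write to on the client.
    $restrictions = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
    $installer    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    $explorer     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $expected = @(
        @{ Layer=1; Setting='Prevent installation of removable devices';                              Path=$restrictions; Name='DenyRemovableDevices'; Data=1   },
        @{ Layer=1; Setting='Prevent installation of devices not described by other policy settings'; Path=$restrictions; Name='DenyUnspecified';      Data=1   },
        @{ Layer=2; Setting='Prevent removable media source for any install';                         Path=$installer;    Name='DisableMedia';         Data=1   },
        @{ Layer=3; Setting='Turn off AutoPlay (All drives)';                                         Path=$explorer;     Name='NoDriveTypeAutoRun';   Data=255 },
        @{ Layer=3; Setting='Set the default behavior for AutoRun (Do not execute)';                  Path=$explorer;     Name='NoAutorun';            Data=1   }
    )
    foreach ($e in $expected) {
        # A missing key or value yields $null, which correctly reports Applied = False.
        $actual = (Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
        [pscustomobject]@{
            Layer    = $e.Layer
            Setting  = $e.Setting
            Expected = $e.Data
            Actual   = $actual
            Applied  = ($actual -eq $e.Data)
        }
    }
}

function Get-DriveCoverage {
    # Win32_LogicalDisk.DriveType: 2 = Removable disk, 3 = Local (fixed) disk, 5 = CD-ROM.
    # Layer 2 refuses installer sources only on types 2 and 5; a USB hard disk that
    # enumerates as type 3 is NOT covered by "Prevent removable media source for any install".
    Get-CimInstance -ClassName Win32_LogicalDisk |
        Select-Object DeviceID, VolumeName, DriveType,
            @{ Name = 'CoveredByLayer2'; Expression = { $_.DriveType -in 2, 5 } }
}

$results = Test-UsbBlockPolicy
$results | Format-Table -AutoSize

# Coarse check that the GPO name appears in the computer-scope gpresult output at all.
$gpoListed = (gpresult /r /scope:computer) -match 'Block-USB-Program-Installations'
if (-not $gpoListed) {
    Write-Warning 'GPO not listed by gpresult: check the OU link, security filtering and replication.'
}
if ($results.Applied -contains $false) {
    Write-Warning 'One or more settings are missing on this client: re-run gpupdate /force and restart.'
}

Get-DriveCoverage | Format-Table -AutoSize
```

Read the two tables together: every row of the first should show Applied = True, and the drive letter of your test USB stick in the second should show DriveType 2. If the stick shows DriveType 3, Windows treats it as a fixed disk and the Layer 2 test in the next step will not fail as expected, even though the policy is correctly applied.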
1. Insert a USB flash drive containing an installer file (.exe or .msi) into the Windows 11 test client. Observe the result when the drive is inserted: the AutoPlay dialog should NOT appear (Layer 3).
2. Open File Explorer. If Layer 1 (Device Installation Restrictions) is effective and this drive has never been installed on this client before, Windows refuses to install it: no drive letter appears, and Device Manager lists the device with an error stating that its installation is forbidden by system policy.
3. If the drive does appear in File Explorer (it was installed before the policy applied, or Layer 1 has not taken effect yet), proceed to step 4.
4. Navigate to the drive and double-click the installer file (.exe or .msi).
Expected result for step 4: an .msi installer fails to launch, with a Windows Installer error because the source is on removable media (Layer 2). A self-contained .exe installer (Inno Setup, NSIS and similar) is not covered by any of the three layers and will run normally; only an .exe that bootstraps an .msi from the same drive fails. Copying the .msi to the local disk first also bypasses Layer 2. Closing those two gaps requires an application control policy (AppLocker or Windows Defender Application Control) that denies execution from removable drives, which is outside the scope of this lab.
You have successfully configured a three-layer Group Policy Object in your vmorecloud.com domain environment to block program installations from USB drives on domain-joined Windows 11 Enterprise computers. The combination of Device Installation Restrictions, Windows Installer controls, and AutoPlay policy creates overlapping coverage that addresses new USB device installation, MSI-based installer execution from removable media, and automatic execution triggers at the same time. Keep its limits in mind when relying on it: Layer 1 only stops devices installed after the policy applied, Layer 2 only governs Windows Installer packages read directly from a removable drive, and neither stops a native .exe installer or a file copied to the local disk, so in production this GPO belongs alongside an AppLocker or WDAC policy rather than in place of one.
