I've got a Windows 10 Pro system ('Backpack'), and as the administrator, I've set the group policy 'All Removable Storage classes: Deny all access' to Enabled, then the system was rebooted.
Looking in the registry, I see that 'HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices!Deny_All' is set to 1.
If I log in locally as the non-administrator account 'User', it works as expected - plugging a flash drive into the 'Backpack' system doesn't work.
However, if I remote desktop into 'Backpack' as the 'User' account, and then plug a flash drive into 'Backpack', it works! I'm able to (as the 'User' account) read and write the flash drive.
I assume that there's some other group policy that I'm unaware of that I have to set as well, but I've no idea what I'm looking for.
Per request, I've attached gpresult output below. gpresult was run from an admin command shell.
gpresult /scope computer /z
COMPUTER SETTINGS
------------------
Last time Group Policy was applied: 12/1/2017 at 1:17:30 AM
Group Policy was applied from: N/A
Group Policy slow link threshold: 500 kbps
Domain Name: B-f44d306d50e1
Domain Type:
Applied Group Policy Objects
-----------------------------
Local Group Policy
The computer is a part of the following security groups
-------------------------------------------------------
BUILTIN\Administrators
Everyone
NT AUTHORITY\Authenticated Users
System Mandatory Level
Resultant Set Of Policies for Computer
---------------------------------------
Software Installations
----------------------
N/A
Startup Scripts
---------------
N/A
Shutdown Scripts
----------------
N/A
Account Policies
----------------
N/A
Audit Policy
------------
N/A
User Rights
-----------
N/A
Security Options
----------------
N/A
N/A
Event Log Settings
------------------
N/A
Restricted Groups
-----------------
N/A
System Services
---------------
N/A
Registry Settings
-----------------
N/A
File System Settings
--------------------
N/A
Public Key Policies
-------------------
N/A
Administrative Templates
------------------------
GPO: Local Group Policy
Folder Id: Software\Policies\Microsoft\Windows\RemovableStorageDevices\Deny_All
Value: 1, 0, 0, 0
State: Enabled
Answer
OK, I truly have no idea what's going on with the group policy. It truly looks like it gets turned off for remote desktop sessions. That probably makes sense if you know enough about Windows internals, but from my vantage point it looks very much like a bug.
I did find a registry method to get around the problem. This is an older approach, and seems to do what I want:
Set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor!Start to 4 (per this MS help page).
Doing so makes the USB storage devices simply never show up, as opposed to being denied access, and the effect persists even when logged in via remote desktop.
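An added example, not part of the original post: a PowerShell check that reads the two registry values discussed above (the Deny_All policy value and the UsbStor Start value) and, with -Enforce, sets Start to 4. The function name Test-RemovableStorageLockdown and the shape of its output are this example's own; it assumes an elevated PowerShell prompt.

```powershell
# Added example: audit, and optionally enforce, the removable-storage settings from this page.
# Function name and output object are hypothetical, not from the original post.
function Test-RemovableStorageLockdown {
    [CmdletBinding()]
    param(
        [switch]$Enforce   # when set, write UsbStor Start = 4 (service disabled)
    )

    $policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    $usbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor'

    # Read a DWORD value; return $null when the key or the value is absent.
    function Get-RegDword([string]$Path, [string]$Name) {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return [int]$item.$Name }
        return $null
    }

    $denyAll = Get-RegDword $policyKey 'Deny_All'
    $start   = Get-RegDword $usbStorKey 'Start'

    # Only write when asked to, the service key exists, and the value is not already 4.
    if ($Enforce -and (Test-Path $usbStorKey) -and $start -ne 4) {
        Set-ItemProperty -Path $usbStorKey -Name 'Start' -Value 4 -Type DWord
        $start = Get-RegDword $usbStorKey 'Start'   # re-read to confirm the write
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        DenyAllPolicy  = $denyAll            # 1 = policy enabled, $null = not configured
        UsbStorStart   = $start              # 3 = manual (load on demand), 4 = disabled
        PolicyEnabled  = ($denyAll -eq 1)
        DriverDisabled = ($start -eq 4)
    }
}

# Report only; add -Enforce to apply the UsbStor change.
Test-RemovableStorageLockdown
```

Running it once from a local console session and once inside a remote desktop session shows whether the stored values are the same in both cases.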