Best Practice: How to use Group Policy to make USB drives read only on Windows XP

One of the great new features in Windows 7 was BitLocker To Go, which enables IT administrators to ensure that all data written to USB drives is encrypted. In conjunction with this feature, Microsoft also added another option called “Deny write access to removable drives not protected by BitLocker”, which still allows users to read files from USB drives that are not encrypted.

The problem with this policy setting is that it is only supported on Windows 7 family computers, so unless you are running an SOE that is 100% Windows 7, users could simply log on to Windows XP or Windows Vista to get around the restriction.


Luckily, Microsoft added a new feature in Windows XP Service Pack 2 that allows administrators to prevent writing to USB block storage devices (a.k.a. memory sticks), which can be implemented via a Group Policy Preferences registry key.

Key: HKLM\System\CurrentControlSet\Control\StorageDevicePolicies

Value: WriteProtect (REG_DWORD)

Data: 0 = Disabled

Data: 1 = Enabled

To implement this, edit a Group Policy Object that is applied to all the workstations in your organisation and navigate to Computer Configuration > Preferences > Windows Settings > Registry. Then click Action > New > Registry Item, type System\CurrentControlSet\Control\StorageDevicePolicies into the Key Path field, type WriteProtect into the Value Name field and 1 into the Value Data field, and click OK.


Once the key is enabled, this is the message the user will see when they try to write to a USB storage device.

image

Note: This registry key will also work on Windows Vista.
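
To confirm on a workstation that the preference item has actually landed, the following added example (not part of the original post) reads the WriteProtect value described above and reports its state, including the case where the StorageDevicePolicies key is absent. It assumes Windows PowerShell 2.0 or later is installed on the client; the function names are hypothetical.

```powershell
# Added example: audit (and optionally set) the WriteProtect value from this article.
# Key path and value name are taken from the article; function names are hypothetical.
$KeyPath   = 'HKLM:\System\CurrentControlSet\Control\StorageDevicePolicies'
$ValueName = 'WriteProtect'

function Get-UsbWriteProtectState {
    # Returns 'KeyMissing', 'ValueMissing', 'Enabled' or 'Disabled'.
    if (-not (Test-Path $KeyPath)) { return 'KeyMissing' }
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'ValueMissing' }
    # The article defines 1 = Enabled and 0 = Disabled; any other data is reported as Disabled.
    if ($item.$ValueName -eq 1) { return 'Enabled' }
    return 'Disabled'
}

function Set-UsbWriteProtect {
    # Local equivalent of the Group Policy Preferences registry item; needs administrator rights.
    param([bool]$Enabled = $true)
    if (-not (Test-Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null      # create the key if it is absent
    }
    $data = 0
    if ($Enabled) { $data = 1 }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
        -Value $data -Force | Out-Null                 # -Force overwrites an existing value
}

# Report the current state so the result can be collected per machine.
$state = Get-UsbWriteProtectState
Write-Output ("{0}: WriteProtect state = {1}" -f $env:COMPUTERNAME, $state)
if ($state -ne 'Enabled') {
    Write-Warning 'USB write protection is not in effect; check that the GPO has applied to this computer.'
}
```

Set-UsbWriteProtect is only for testing on a single machine; the Group Policy Preferences item remains the managed way to deploy the value.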

Update: It seems that the MS articles had the wrong registry keys.

I got the correct key from http://www.howtogeek.com/howto/windows-vista/registry-hack-to-disable-writing-to-usb-drives/

For additional WRONG information on this feature see the links below:
http://support.microsoft.com/kb/555441
http://support.microsoft.com/kb/823732

7 Comments

  1. Blog Post: How to use Group Policy to make USB drives read only on Windows XP http://bit.ly/bk33ND

  2. RT @grouppolicy_biz: Blog Post: How to use Group Policy to make USB drives read only on Windows XP http://bit.ly/bk33ND

  3. ChaosNL says:

    RT @grouppolicy_biz: Blog Post: How to use Group Policy to make USB drives read only on Windows XP http://bit.ly/bk33ND

  4. Rob B says:

    nice write up by @grouppolicy_biz – How to use #Group #Policy to make #USB drives read only on Windows XP – http://is.gd/8oyyO

  5. [...] beta then take a quick trip here.On the Group Policy front, you might be very interested in this post from the Group Policy Center. If you were intrigued by the Windows 7 policy that allows you to [...]

  6. [...] drives on Windows XP 17/02/2010, 1:00 am | by Alan Burchill | 0 views In my previous article “How to use Group Policy to make USB drives read only on Windows XP” I showed you you could configure Windows XP to prevent users from writing to USB block level [...]

  7. ligman says:

    Why can I not find what you described on XP SP3?
