cr0x.net — Hard Problems. Clean Solutions.
English

Block USB Storage Without Breaking Keyboards and Mice

February 20, 2026 • February 20, 2026 • Read: 20 min • Views: 0

Was this helpful?

If you’ve ever pushed a “disable USB” policy and watched a helpdesk queue ignite, you already know the truth:
endpoints are messy, users are creative, and USB is the cockroach of interfaces. You can’t just “turn it off”
without tripping over keyboards, mice, smartcard readers, headsets, docking stations, and the occasional
monitor that thinks it’s a USB hub with opinions.

The goal is narrower and more realistic: block USB storage (mass storage class) while leaving human interface
devices (HID) alone. Do it with evidence, staged rollouts, and a plan for the weird edge cases—because the weird
edge cases are where outages live.

What you’re actually defending against

“Block USB storage” gets sold as a security checkbox. It’s not. It’s a control that reduces a few specific risks:

  • Data exfiltration by copying files to removable media.
  • Malware introduction via autorun-like workflows (less common now) and user-driven execution (still common).
  • Operational footguns like someone imaging the wrong machine, or booting from a “helpful” USB tool.
  • Regulatory posture: showing you can restrict removable media where required.

It does not solve “BadUSB” style attacks where a device pretends to be a keyboard. Blocking mass storage class won’t
stop a rogue HID. If you need that, you’re in device allowlisting territory, port control, or physical controls.

A usable policy usually looks like this:
block mass storage by default, allow approved exceptions (specific device IDs, specific machines, specific roles),
and log everything so you can answer “what happened?” without interpretive dance.

Facts and short history you can use in meetings

  1. USB Mass Storage Class (MSC) standardized the “flash drive looks like a disk” behavior; it’s class code 08 on USB.
  2. HID is class code 03. Keyboards and mice usually live here. Blocking class 08 shouldn’t touch class 03—unless your tooling is blunt.
  3. Early Windows loved autorun, and the security hangover lasted for years. Modern Windows largely neutered it, but users still double-click things.
  4. Many “USB sticks” are composite devices: storage plus CD-ROM emulation plus vendor interfaces. That’s why some controls miss them.
  5. UASP (USB Attached SCSI Protocol) improved performance for external SSDs, but it also changed which drivers bind—another way policies get bypassed accidentally.
  6. Phones often present as MTP/PTP, not mass storage. If your policy only blocks MSC, users may still move data via phone transfer protocols.
  7. USB-C made “a port” ambiguous: the same hole can carry storage, networking, display, and power. Port-level blocking is now a blunt instrument.
  8. Linux historically bound USB storage via the usb-storage module. Blocking that module is effective, but it can also break legitimate boot workflows and some docking behaviors.
  9. Some enterprise keyboards include USB hubs. The keyboard works, the hub enumerates, and suddenly your “no USB” policy thinks it found a new device class.

Design principles: block storage, not USB

If you remember one thing: don’t “disable USB.” Disable the ability to mount or access removable storage.
Those are different problems with different blast radiuses.

1) Be specific about what “USB storage” means

You’re targeting devices that expose block storage interfaces: class code 08, or drivers like
usb-storage on Linux and USBSTOR on Windows. But also watch for:

  • SD card readers integrated into keyboards/docks (often USB MSC).
  • External NVMe enclosures (MSC or UASP).
  • Virtual CD-ROM features on “secure” drives.
  • Thunderbolt storage (not USB class 08 at all; different control surface).

2) Decide whether you need “block” or “allowlist”

Blocking MSC broadly is simpler and usually enough. Allowlisting everything is safer but expensive to maintain.
In practice:

  • Most orgs: block mass storage, allow exceptions by device ID for approved encrypted drives, and log.
  • High-risk endpoints: allowlist by VID:PID and serial; deny everything else; use managed docking stations and keyboards.

3) Think in layers: kernel/driver + policy + filesystem

Driver-level blocking prevents the device from functioning as storage at all. Policy-level blocking can prevent
installation or mounting. Filesystem-level controls (like mount restrictions) can reduce damage even when the device is present.

Layering matters because attackers and accidents don’t respect your favorite layer.

4) Logging is part of the control

If your only signal is “user says mouse stopped working,” you’re operating by folklore.
Log what was blocked, why, and how it matched your rule.

Paraphrased idea from Gene Kim: the reliability win comes from fast feedback loops and learning from failure, not heroic after-the-fact fixes.

Linux toolbox: modules, udev, USBGuard

Linux gives you multiple levers. Use the least blunt instrument that still holds the line.

Option A: Disable the usb-storage module (effective, blunt)

This prevents USB MSC devices from binding to the storage driver. It’s simple and works well on servers and kiosks.
It can also surprise you on developer laptops and support benches, where people legitimately use removable media.

It’s also not complete: UAS uses the uas driver, and some devices bind differently. You need to block both if you’re serious.

Option B: udev rules to de-authorize devices (surgical, easy to get wrong)

udev can match devices and flip authorization. The upside: you can match on class code, vendor, product, and interface.
The downside: one sloppy match and you’ll deauthorize the internal USB bus behind a laptop’s keyboard.

Option C: USBGuard (policy engine, best for fleets)

USBGuard provides allow/deny rules, logging, and a policy language that understands device attributes.
It’s a better match for “block storage but allow HID,” because you can explicitly allow HID and explicitly block mass storage,
and you can do exceptions cleanly.

If you’re running a fleet, pick USBGuard or an endpoint management platform that does the same thing.
If you’re hardening one box, module blacklisting is fine.

Windows toolbox: GPO, registry, device install restrictions

Windows is where most orgs trip, because there are multiple overlapping mechanisms:

  • USBSTOR service: disabling it blocks USB mass storage driver load.
  • Removable Storage Access policies: restrict read/write access by class.
  • Device installation restrictions: prevent specific device classes or IDs from being installed.

The clean corporate answer is usually: GPO to block USB storage, with an exception process for approved encrypted devices.
But you need to validate that you’re not blocking smartcard readers, biometrics, or composite devices used for login.

macOS note: the uncomfortable truth

macOS can be controlled via MDM profiles, endpoint security tooling, and in some cases by restricting removable media.
But the specifics vary heavily by OS version and management platform.

Operationally: if you have a mixed fleet, don’t design the policy around the platform you understand best. Design it around
consistent outcomes: “no unmanaged removable media mounts,” “approved devices allowed,” and “events logged centrally.”

Practical tasks: commands, outputs, and decisions

These are the tasks I actually run when I’m trying to block USB storage without breaking keyboards and mice.
Each task includes: the command, what realistic output looks like, what it means, and what decision you make.

Task 1: Identify what the kernel thinks is USB vs not (Linux)

cr0x@server:~$ lsusb
Bus 002 Device 002: ID 046d:c534 Logitech, Inc. Unifying Receiver
Bus 002 Device 003: ID 0781:5567 SanDisk Corp. Cruzer Blade
Bus 001 Device 004: ID 0bda:5411 Realtek Semiconductor Corp. USB3.0 Card Reader

Meaning: you have a Logitech receiver (likely HID), a SanDisk flash drive (storage), and a card reader (storage).

Decision: plan to block storage class devices and consider whether you also want to block integrated card readers on docks.

Task 2: Check USB interface class codes (Linux)

cr0x@server:~$ lsusb -v -d 0781:5567 | egrep -i 'bInterfaceClass|bInterfaceSubClass|bInterfaceProtocol' | head
  bInterfaceClass         8 Mass Storage
  bInterfaceSubClass      6 SCSI
  bInterfaceProtocol     80 Bulk-Only

Meaning: this is classic MSC (class 8). If you block class 8 interfaces, this device dies as storage.

Decision: safe to block at the interface/class level, while leaving class 3 (HID) alone.

Task 3: Confirm keyboards and mice enumerate as HID (Linux)

cr0x@server:~$ lsusb -v -d 046d:c534 | egrep -i 'bInterfaceClass|HID' | head
  bInterfaceClass         3 Human Interface Device
  iInterface              0

Meaning: HID class device. Your “block storage class 8” approach shouldn’t touch it.

Decision: explicitly allow HID class in any allow/deny engine you deploy (USBGuard), because clarity beats hope.

Task 4: See which kernel modules are in play (Linux)

cr0x@server:~$ lsmod | egrep 'usb_storage|uas|usbhid' | head
usbhid                 61440  0
usb_storage            73728  1 uas
uas                    28672  0

Meaning: HID is loaded (good), and both usb_storage and uas exist (storage paths).

Decision: if you blacklist only usb_storage, UASP devices may still work via uas. Block both for consistency.

Task 5: Watch what happens when a USB stick is plugged in (Linux)

cr0x@server:~$ sudo udevadm monitor --kernel --udev
KERNEL[2317.332122] add      /devices/pci0000:00/0000:00:14.0/usb2/2-1 (usb)
UDEV  [2317.410923] add      /devices/pci0000:00/0000:00:14.0/usb2/2-1 (usb)
KERNEL[2317.972114] add      /devices/pci0000:00/0000:00:14.0/usb2/2-1/2-1:1.0 (usb)
UDEV  [2317.973881] add      /devices/pci0000:00/0000:00:14.0/usb2/2-1/2-1:1.0 (usb)

Meaning: you’re seeing device and interface nodes. The interface (…:1.0) is where class-based matching often happens.

Decision: build rules around interface attributes, not only device VID:PID, when you want “block storage, allow HID.”

Task 6: Inspect sysfs attributes for a specific device (Linux)

cr0x@server:~$ usb_path=$(readlink -f /sys/bus/usb/devices/2-1)
cr0x@server:~$ echo "$usb_path"
/sys/devices/pci0000:00/0000:00:14.0/usb2/2-1
cr0x@server:~$ cat /sys/bus/usb/devices/2-1/idVendor; cat /sys/bus/usb/devices/2-1/idProduct
0781
5567

Meaning: sysfs gives you stable-ish identifiers for writing udev rules or USBGuard policies.

Decision: use VID:PID for exception allowlists; add serial if you need tighter control.

Task 7: Blacklist storage modules (Linux)

cr0x@server:~$ sudo tee /etc/modprobe.d/usb-storage-block.conf >/dev/null <<'EOF'
blacklist usb_storage
blacklist uas
EOF
cr0x@server:~$ sudo update-initramfs -u
update-initramfs: Generating /boot/initrd.img-6.5.0-26-generic

Meaning: you’ve prevented these modules from loading in future boots, and rebuilt initramfs so early boot respects it.

Decision: use this on servers/kiosks where you truly never want removable storage. On laptops, prefer policy engines and exceptions.

Task 8: Validate that storage no longer binds after a reboot (Linux)

cr0x@server:~$ lsmod | egrep 'usb_storage|uas' || echo "no usb storage modules loaded"
no usb storage modules loaded

Meaning: the kernel isn’t offering the usual storage path.

Decision: proceed only if you’ve confirmed legitimate workflows won’t need USB storage (or you have an out-of-band recovery path).

Task 9: Deploy USBGuard and generate a baseline policy (Linux)

cr0x@server:~$ sudo apt-get install -y usbguard
Reading package lists... Done
Setting up usbguard (1:1.0.0-2) ...
cr0x@server:~$ sudo usbguard generate-policy
allow id 046d:c534 serial "" name "Unifying Receiver" hash "..."
block with-interface equals { 08:*:* }

Meaning: baseline policy allows your existing receiver and blocks interfaces of class 08 (mass storage).

Decision: review the generated policy before enforcing. Baselines can accidentally “allow” something you don’t want, like a dock-integrated card reader.

Task 10: Turn on enforcement and confirm logging (Linux USBGuard)

cr0x@server:~$ sudo sed -i 's/^ImplicitPolicyTarget=.*/ImplicitPolicyTarget=block/' /etc/usbguard/usbguard-daemon.conf
cr0x@server:~$ sudo systemctl enable --now usbguard
cr0x@server:~$ sudo systemctl status usbguard --no-pager | head
● usbguard.service - USBGuard daemon
     Loaded: loaded (/lib/systemd/system/usbguard.service; enabled)
     Active: active (running)

Meaning: daemon is running; implicit policy is block, so unknown devices are denied unless allowed by rules.

Decision: stage enforcement in “log-only” mode first if you can (or start on a canary group). Production endpoints hate surprises.

Task 11: Prove HID still works while storage is blocked (Linux)

cr0x@server:~$ sudo usbguard list-devices
1: allow id 046d:c534 name "Unifying Receiver" serial "" via-port "usb2" with-interface { 03:00:00 }
2: block id 0781:5567 name "Cruzer Blade" serial "..." via-port "usb2" with-interface { 08:06:80 }

Meaning: HID (03) allowed; storage (08) blocked.

Decision: this is the money screenshot for your change request. It demonstrates “keyboards/mice OK, storage no.”

Task 12: Investigate why a storage device still mounted (Linux)

cr0x@server:~$ dmesg | tail -n 12
[ 4123.112233] usb 2-1: new SuperSpeed USB device number 7 using xhci_hcd
[ 4123.134455] scsi host6: uas
[ 4123.145678] scsi 6:0:0:0: Direct-Access     Samsung  Portable SSD T7  0    PQ: 0 ANSI: 6
[ 4123.156789] sd 6:0:0:0: [sdb] 1953525168 512-byte logical blocks: (1.00 TB/932 GiB)

Meaning: UAS attached. If you only blocked usb-storage, UAS could still work. Or your policy allows it.

Decision: ensure uas is blocked (module blacklist) or ensure your policy blocks interface class 08 regardless of transport.

Task 13: Windows: Check whether USBSTOR is disabled (PowerShell)

cr0x@server:~$ powershell -NoProfile -Command "Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start"
Start : 4
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR

Meaning: Start=4 is disabled. (Common values: 3=manual, 4=disabled.)

Decision: if your intent is to block USB storage broadly, this is a strong control. If you need exceptions, you’ll need a more nuanced approach.

Task 14: Windows: Verify removable storage access policy (PowerShell)

cr0x@server:~$ powershell -NoProfile -Command "Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' -ErrorAction SilentlyContinue"

Meaning: no output usually means the policy key isn’t set on this box (or is managed elsewhere).

Decision: if the environment relies on GPO, confirm with gpresult and the central policy rather than hand-editing registry.

Task 15: Windows: See what device class a thing is (PowerShell)

cr0x@server:~$ powershell -NoProfile -Command "Get-PnpDevice -PresentOnly | Where-Object { $_.FriendlyName -match 'USB' } | Select-Object -First 8 Status,Class,FriendlyName"
OK  HIDClass  USB Input Device
OK  DiskDrive Samsung Portable SSD T7 USB Device
OK  USB       USB Composite Device
OK  HIDClass  HID-compliant mouse

Meaning: you can distinguish HIDClass from DiskDrive. Composite devices show up separately.

Decision: if you see DiskDrive entries you didn’t expect, your control isn’t working or exceptions are too wide.

Task 16: Windows: Confirm applied policies (gpresult)

cr0x@server:~$ powershell -NoProfile -Command "gpresult /r | Select-String -Pattern 'Applied Group Policy Objects' -Context 0,8"
Applied Group Policy Objects
-----------------------------
    Workstation Baseline
    Removable Media Restrictions

Meaning: you’ve verified the policy objects applied. This matters when troubleshooting “it works on my machine.”

Decision: if the expected GPO isn’t listed, stop blaming drivers and fix policy targeting first.

Fast diagnosis playbook

When someone reports “USB storage is blocked” or “my keyboard died” right after a change, you need a fast path to truth.
Here’s the order that saves time.

First: Is this a storage issue or an input device issue?

  • Linux: run lsusb and check class codes with lsusb -v for the device in question.
  • Windows: Get-PnpDevice filtered by class HIDClass vs DiskDrive.

If it’s HID and it’s broken, your policy is too broad or you blocked a parent hub. Treat it like an outage.

Second: Did the device bind to a driver?

  • Linux: check dmesg for usb-storage or uas, and check lsmod.
  • Windows: check USBSTOR service state and device status in PnP.

If the driver never bound, your block is working (or too aggressive). If it bound, you’re missing a path (UAS, composite behavior, Thunderbolt).

Third: Is the problem policy, or enforcement?

  • Linux: USBGuard status and device list; udev rules and sysfs authorization state.
  • Windows: gpresult and the registry policy keys.

If policies aren’t applied, don’t debug devices. Fix targeting. If policies are applied but ineffective, you likely blocked the wrong class or missed an alternate driver.

Three corporate mini-stories from the trenches

1) Incident caused by a wrong assumption: “HID devices aren’t affected”

A mid-size company rolled out a “block USB storage” change on Linux desktops used by their customer support team.
The engineer writing the udev rule matched on the word “USB” in a subsystem filter and then deauthorized the whole device node.
The assumption was that storage is “a device,” so block the device.

What they missed: many desks used cheap keyboards with built-in USB hubs. The keyboard enumerated as HID,
but the hub enumerated as a separate device. The udev rule fired on the hub, deauthorized it, and took the keyboard down with it.
The mouse, plugged into the keyboard, went dark too.

Support calls piled up. Remote remediation was possible for some systems, but a chunk of endpoints couldn’t be controlled because
you need a working keyboard/mouse to log in, and remote tooling required interactive approval. The fix ended up being a physical walk
to desks with a known-good wired keyboard plugged directly into the laptop/dock.

The postmortem was boring and correct: match on interface class 08 only, test with composite devices, and keep a rollback mechanism that doesn’t require local input.
Also, don’t ship a rule you haven’t proven against at least one docking station model and one “random office keyboard.”

2) Optimization that backfired: “We’ll just blacklist modules everywhere”

Another org wanted a fast win, so they blacklisted usb_storage across all Linux hosts using their configuration management system.
It worked. It also broke their on-call workflow in a way that didn’t show up in testing.

Their server recovery process relied on booting a known-good OS image from a USB stick for certain bare-metal problems.
Not every server had working virtual media, and not every incident happened in a data center with a perfect console.
The blacklisting didn’t just block casual file copying; it removed a recovery tool.

In the next real incident, an on-call engineer arrived with their USB recovery media and discovered the host couldn’t see it.
They lost time, then lost more time explaining to security why the “simple fix” had operational consequences. The irony is that
the security team was not amused, but the outage was still real.

They pivoted to a tiered approach: blacklist on kiosks and call-center desktops, USBGuard allow/deny on developer laptops,
and “break glass” exceptions for a small set of support machines. Same security intent, less self-sabotage.

3) Boring but correct practice that saved the day: “Canary and logs”

A large enterprise did the rollout the way nobody wants to do it because it feels slow: canary ring, then pilot ring,
then broad rollout. They also enabled detailed logging from the policy engine into their central log platform with a standard field set:
device ID, interface classes, action taken, rule matched.

During pilot, a specific headset dock started failing. Not intermittently—consistently. The helpdesk had a clear symptom:
“USB audio dock not recognized.” The log data showed the dock exposed a card reader (MSC class 08) plus audio.
The policy was denying the whole composite device, not just the storage interface. That’s a policy nuance, not a user problem.

Because it was pilot and the logs were good, they made a targeted exception: allow that device, but deny its storage interface,
and enforce “no mount” at the OS level for removable media. The dock worked, storage didn’t, and the business didn’t feel the change.

Nobody wrote a heroic email. Nobody got a trophy. The rollout quietly succeeded—which is the only kind of success operations should trust.

Common mistakes: symptoms → root cause → fix

1) Symptom: keyboard and mouse stop working after “USB storage block”

Root cause: you blocked an upstream hub or deauthorized the whole USB device node instead of the storage interface.

Fix: match and block only interface class 08. If using USBGuard, allow HID interfaces explicitly; avoid “block all USB” defaults on endpoints.

2) Symptom: USB flash drives still work on some machines

Root cause: policy not applied (GPO scoping, config management drift), or UAS path not blocked (uas still loads).

Fix: verify policy application (gpresult on Windows; service status/config on Linux), and block both usb_storage and uas or block class 08 at policy layer.

3) Symptom: phone file transfer still works even after blocking USB storage

Root cause: phones use MTP/PTP, not mass storage class 08.

Fix: decide whether your requirement includes MTP/PTP. If yes, restrict those protocols via endpoint policy/MDM and data loss prevention controls.

4) Symptom: a docking station stops working (network, display, audio) when blocking storage

Root cause: composite device treated as “one thing,” and denial affects the whole device; or policy engine denies the dock because it includes an MSC card reader.

Fix: allow the dock by ID and deny only the storage interface if your tooling supports per-interface rules; otherwise pick a dock model without an integrated reader.

5) Symptom: users can still write to USB drives but cannot read (or vice versa)

Root cause: partial policy (read/write toggles set inconsistently) or filesystem mount options applied only to some mount points.

Fix: standardize: either deny the driver entirely, or enforce consistent read/write restrictions with centrally managed policy and test both directions.

6) Symptom: “blocked USB storage” breaks boot/recovery workflows

Root cause: you blocked storage at the driver level on machines that need USB boot media for recovery.

Fix: carve out break-glass hosts or roles; document recovery paths; consider temporary allow tokens rather than permanent exceptions.

7) Symptom: devices randomly flip between allowed and blocked

Root cause: allowlisting without serial numbers; VID:PID matches multiple device batches; hub topology changes; policy baselines updated carelessly.

Fix: include serial where possible; treat policy updates like code; test on representative hardware; log rule matches.

Joke #1: USB stands for “Universal Serial Bus,” but in production it often means “Usually Someone Broke-it.”

Checklists / step-by-step plan

Step 1: Decide the policy boundary (and write it down)

  • Block USB MSC class 08 by default?
  • Allow approved encrypted drives?
  • What about SD card readers on docks?
  • What about phones (MTP/PTP), cameras, and USB Ethernet adapters?
  • Do you need to prevent booting from USB, or only mounting in the OS?

If you can’t answer these, you don’t have a policy; you have a vibe.

Step 2: Inventory real hardware in your environment

  • At least one example of each laptop model.
  • Every dock model in circulation.
  • At least two “random office keyboards” (seriously).
  • Smartcard readers and biometric devices used for login.

Collect VID:PID and interface classes. Don’t guess.

Step 3: Pick your enforcement mechanism by endpoint type

  • Servers/kiosks: Linux module blacklist + filesystem mount restrictions; Windows USBSTOR disable if no exceptions needed.
  • Employee laptops: policy engine (USBGuard / endpoint tooling), with allowlisted exceptions and strong logging.
  • Privileged/admin workstations: allowlist mode; treat any new device as suspicious until approved.

Step 4: Build exceptions deliberately

  • Prefer allowlisting specific encrypted drive models by VID:PID + serial.
  • Time-box exceptions (e.g., short-lived approvals) if your tooling supports it.
  • Require a business reason and an owner for each exception.

Step 5: Canary rollout (non-negotiable if you like sleep)

  • Start with IT and security endpoints. They can self-rescue.
  • Then a pilot group with representative docking setups.
  • Then broad rollout.

Joke #2: The best change window is “never,” but the second-best is “after you’ve tested on the CFO’s dock.”

Step 6: Logging and alerting

  • Centralize logs for “device blocked” and “device allowed by exception.”
  • Alert on repeated blocks on a single machine (could be user behavior, could be malware staging).
  • Track top blocked device models; it’s usually a dock/card reader you didn’t know you had.

Step 7: Operational runbook and rollback

  • Have a rollback that doesn’t require local keyboard/mouse input (remote management, out-of-band console).
  • Keep a documented “emergency allow” procedure with approvals.
  • Train helpdesk on what to ask: device model, dock, whether the device is storage vs HID.

FAQ

1) Will blocking USB storage stop BadUSB attacks?

No. BadUSB often presents as a keyboard (HID). Blocking mass storage class 08 doesn’t block HID class 03.
If you need to mitigate that, you need device allowlisting, port control, or physical restrictions.

2) Why not just disable all USB ports?

Because you’ll break basic input, smartcards, docking, and sometimes network connectivity.
Also, USB-C ports are multi-purpose now; “disable the port” is often equivalent to “disable the user’s workstation.”

3) Is blacklisting usb-storage enough on Linux?

Often, but not always. Many modern storage devices use UAS, which binds to uas.
If you take the module blacklist route, block both usb_storage and uas, and validate with real devices.

4) If we block USB storage, can users still move data out?

Yes. Email, cloud sync, screenshots, phones via MTP, and USB Ethernet adapters exist.
USB storage blocking reduces one channel. It’s not a full data loss prevention strategy.

5) How do we allow only company-approved encrypted USB drives?

Use allowlisting by VID:PID plus serial numbers where possible, and keep an exception workflow.
On Linux, USBGuard policies are a practical way. On Windows, pair USBSTOR/device restrictions with endpoint tooling that supports device control and auditing.

6) What about SD card readers in laptops and docks?

Many enumerate as USB mass storage. If your requirement is “no removable media,” block them too.
If your requirement is “no external flash drives,” you may need per-device exceptions so you don’t break docking stations that include readers.

7) Can we block mounting but still let the device enumerate?

Yes. That’s a softer control: the device shows up, but the OS won’t mount it or allow access.
It can reduce breakage, but it’s easier to bypass if users have admin rights or if other subsystems can access raw devices.

8) How do we prove to auditors that USB storage is blocked?

Provide evidence from multiple layers: policy configuration (GPO/USBGuard), endpoint verification (commands showing driver disabled),
and logs demonstrating blocks with device identifiers and timestamps.

9) What’s the single most common reason these rollouts fail?

Treating “USB storage” as a device category instead of an interface/driver category, and blocking too high in the stack
(hubs, composite devices, or all USB).

Next steps you can do this week

If you want a policy that blocks USB storage and doesn’t become a weekly incident generator, do this in order:

  1. Inventory: run class-code checks on your actual hardware mix, especially docks and integrated card readers.
  2. Choose enforcement per endpoint: module blacklist for truly fixed-purpose systems; policy engine for user endpoints.
  3. Block both classic and modern paths: on Linux, think usb_storage and uas; on Windows, validate USBSTOR and removable storage policies.
  4. Canary rollout with logging: if you can’t see what you’re blocking, you’re just guessing loudly.
  5. Plan exceptions: approved encrypted drives and required composite devices get explicit rules, not hand-waved allowances.

Most importantly: don’t ship a control you can’t roll back. Security changes that take down input devices are memorable for all the wrong reasons.

← Previous
Windows Installer Can’t Find Drives: When You Need IRST or VMD
Next →
Gamepad Not Working in Windows: Fix HID Drivers the Clean Way

Related articles

App Control / WDAC Lite: Practical Allow‑Listing for Normal People February 26, 2026 Fix “Your Organization Manages This Device” When It’s Your PC February 26, 2026 UAC Explained: The One Level You Shouldn’t Use February 26, 2026 The ‘Best Antivirus’ Myth: What Actually Prevents Ransomware February 22, 2026 Post‑Reinstall Hardening Checklist: What to Lock Down First February 21, 2026 Windows: The Security Baseline That Stops 80% of RDP Attacks February 20, 2026 Stop Credential Theft: The Windows Setting Nobody Enables February 20, 2026 Secure Boot + TPM: What They Protect (and What They Don’t) February 19, 2026 SmartScreen, Reputation, and “Blocked” Files: What’s Real vs Noise February 17, 2026 Turn Off the Risky Windows Features Attackers Love (Safely) February 15, 2026

Leave a comment