NIST 800-171 • LEVEL 2 • ACCESS CONTROL

3.1.21 Limit Use of Portable Storage Devices on External Systems

Limit use of organizational portable storage devices on external systems.

Assessment Objectives

Assessment objectives not available for this requirement.

Practitioner Notes

USB drives and portable hard drives are a classic way data walks out the door. This practice says you need to control whether your organization's USB drives and other portable storage can be plugged into outside computers, that is, systems your organization does not own or manage.

Example 1: Via GPO, go to Computer Configuration → Administrative Templates → System → Removable Storage Access and set "All Removable Storage classes: Deny all access" to Enabled on workstations where USB storage is not needed. For workstations where it is needed, create a separate policy that allows only approved encrypted USB devices by device ID.

Example 2: In Microsoft Defender for Endpoint, go to Settings → Endpoints → Device Control → Removable storage access control and create a policy that only allows specific approved USB vendor IDs (e.g., IronKey or Apricorn encrypted drives). All other USB mass storage devices are blocked. Also configure an alert so your security team is notified whenever someone attempts to use an unauthorized drive.
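The GPO setting from Example 1 is backed by registry policy values, which is useful when you need to apply it to a stand-alone host or collect audit evidence from a fleet. The script below is an added example, not content from the original page; it assumes an elevated PowerShell session on a local Windows host, and the policy key and the Removable Disks class GUID are the values the Removable Storage Access ADMX templates write (verify them against your own templates).

```powershell
# Added example: apply and audit the registry equivalent of the GPO setting
# "All Removable Storage classes: Deny all access" (Example 1 above).
# Assumes an elevated session on a local Windows host; in a domain, push the
# same values through the GPO path described above rather than this script.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
# Device setup class GUID for "Removable Disks" used by the per-class policies
# (assumed here; confirm against your ADMX templates before relying on it).
$RemovableDiskClass = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

function Set-RemovableStorageDeny {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # $true  = deny every removable storage class (the Example 1 setting)
        # $false = only deny writes to removable disks (read-only USB)
        [bool]$DenyAll = $true
    )
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    if ($DenyAll) {
        if ($PSCmdlet.ShouldProcess($PolicyKey, 'Set Deny_All=1')) {
            New-ItemProperty -Path $PolicyKey -Name 'Deny_All' -PropertyType DWord -Value 1 -Force | Out-Null
        }
    } else {
        $classKey = Join-Path $PolicyKey $RemovableDiskClass
        if (-not (Test-Path $classKey)) { New-Item -Path $classKey -Force | Out-Null }
        if ($PSCmdlet.ShouldProcess($classKey, 'Set Deny_Write=1')) {
            New-ItemProperty -Path $classKey -Name 'Deny_Write' -PropertyType DWord -Value 1 -Force | Out-Null
        }
    }
}

function Test-RemovableStorageDeny {
    # Returns one object per host summarising the effective values, suitable
    # as assessment evidence for this requirement.
    $denyAll   = (Get-ItemProperty -Path $PolicyKey -Name 'Deny_All' -ErrorAction SilentlyContinue).Deny_All
    $classKey  = Join-Path $PolicyKey $RemovableDiskClass
    $denyWrite = (Get-ItemProperty -Path $classKey -Name 'Deny_Write' -ErrorAction SilentlyContinue).Deny_Write
    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        DenyAllClasses = ($denyAll -eq 1)
        DenyWriteDisks = ($denyWrite -eq 1)
        Compliant      = ($denyAll -eq 1) -or ($denyWrite -eq 1)
    }
}

Set-RemovableStorageDeny -DenyAll $true -WhatIf   # dry run; drop -WhatIf to apply
Test-RemovableStorageDeny
```

The values take effect for newly attached devices after a Group Policy refresh (gpupdate /force) or a reboot; run Test-RemovableStorageDeny afterwards and keep the output with your evidence.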