How to disable USB sticks for a domain but pop up admin credentials request when a normal user wants.

Süleyman Baki Memiş 0 Reputation points
2025-09-19T11:53:44.33+00:00

My idea is;

Disabling USB sticks for every user in the domain, but at the same time, when they plug a USB stick into their device, Windows will pop up an admin credential requirement screen to run that device, so the admin can use their credentials to allow a one-time data transfer with the USB stick.

Is this possible or not? If possible, I also need help with the steps.

Thanks,

Windows for business | Windows Server | Directory services | Deploy group policy objects

2 answers

  1. Harry Phan 9,835 Reputation points Independent Advisor
    2025-09-19T12:53:32.9133333+00:00

    Hello Suleyman,

    What you're aiming for is a setup where USB storage is blocked for all users by default, but when a device is plugged in, Windows prompts for admin credentials to allow temporary access. While Windows doesn’t offer this exact “one-time approval” workflow natively, there are ways to achieve a similar result using Group Policy or Intune.

    Here’s how you can approach it:

    Block USB Storage Globally: Use Group Policy or Intune to disable USB mass storage devices for all non-admin users. This can be done by setting “Prevent installation of removable devices” and “Prevent installation of devices not described by other policy settings” to Enabled.

    Trigger Admin Credential Prompt: With these policies in place, when a user plugs in a USB stick, Windows will block the device and prompt for admin credentials if the user attempts to install or access it. This gives administrators the ability to temporarily allow access.

    Optional, Device ID Whitelisting: You can also allow specific USB devices by whitelisting their hardware IDs, giving you granular control over which devices are permitted.

    Audit and Monitor: Consider enabling logging via Event Viewer or Defender for Endpoint to track USB access attempts and approvals.

    While this setup doesn’t offer a “one-time transfer” toggle, you can simulate it by temporarily allowing access and then reapplying the restriction after the transfer is complete.

    If this answer helped clarify things, feel free to hit “Accept Answer” so we know you’re good to go 😊

    T&B, Harry.

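A read-only way to confirm on an endpoint that the device installation restriction settings named in the answer above have actually been applied, as an added example that is not part of the original answer. The function name `Get-UsbInstallPolicy` is hypothetical; the registry value names are the ones these Group Policy settings write, and the "Allow administrators to override" setting is checked as well even though the thread does not name it.

```powershell
# Added example: reports the Device Installation Restrictions policy state.
# Read-only; it changes nothing. Get-UsbInstallPolicy is a hypothetical name.
function Get-UsbInstallPolicy {
    param(
        [string]$Root = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
    )

    # Policy setting -> registry value that backs it (DWORD, 1 = Enabled).
    $settings = [ordered]@{
        'Prevent installation of removable devices'                                 = 'DenyRemovableDevices'
        'Prevent installation of devices not described by other policy settings'    = 'DenyUnspecified'
        'Allow installation of devices that match any of these device IDs'          = 'AllowDeviceIDs'
        'Allow administrators to override Device Installation Restriction policies' = 'AllowAdminInstall'
    }

    # The key is absent when no restriction policy has reached this machine.
    $values = if (Test-Path $Root) { Get-ItemProperty -Path $Root } else { $null }

    $report = foreach ($name in $settings.Keys) {
        $valueName = $settings[$name]
        $raw = if ($values) { $values.$valueName } else { $null }
        [pscustomobject]@{
            Setting       = $name
            RegistryValue = $valueName
            State         = if ($null -eq $raw) { 'Not configured' }
                            elseif ($raw -eq 1) { 'Enabled' }
                            else                { 'Disabled' }
        }
    }

    # Allow-listed hardware IDs are stored as string values in a subkey.
    $allowKey = Join-Path $Root 'AllowDeviceIDs'
    $allowed  = @()
    if (Test-Path $allowKey) {
        $key     = Get-Item -Path $allowKey
        $allowed = @($key.GetValueNames() | ForEach-Object { $key.GetValue($_) })
    }

    [pscustomobject]@{ Settings = $report; AllowedDeviceIds = $allowed }
}

$result = Get-UsbInstallPolicy
$result.Settings | Format-Table -AutoSize -Wrap
if ($result.AllowedDeviceIds.Count -gt 0) {
    'Allow-listed hardware IDs:'; $result.AllowedDeviceIds
} else {
    'No hardware IDs are allow-listed.'
}
```

Run it after `gpupdate /force` on a test client; any setting reported as "Not configured" means the GPO is not reaching that machine.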

  2. Süleyman Baki Memiş 0 Reputation points
    2025-09-22T09:09:23.83+00:00

    Hello Harry, actually, my goal is to combine the first two options you shared with me.

    I want to disable USB drives for every user so they cannot transfer any data, but there may be an emergency situation where this is needed. So if I can set up a policy that, when a user inserts a drive and Windows asks for administrator credentials, it offers the option to enable USB usage once. When the user removes the device and plugs it in again, it will ask for administrator credentials again.

    Is this possible in AD or Intune somehow?
