Windows 10/11: RemovableStorageDevice Blocking GPO is broken

A German blog reader has informed me that the RemovableStorageDevice blocking GPO is broken in Windows 10 and 11. USB device control via GPO simply no longer works since the April 2025 patchday. This has been confirmed by Microsoft, and a fix is in the works. I'll post the information here in the blog in case other administrators stumble across the issue.

RemovableStorageDevice blocking via GPO

In enterprise environments, administrators often want to block access to removable USB media (USB sticks, USB hard disks) for security reasons. This is to prevent malware from being introduced via USB sticks or data from being exfiltrated via USB media.

This works in Windows 10/11 with built-in tools via group policies (GPOs). In gpedit.msc, go to Computer Configuration – Administrative Templates – System – Removable Disk Access, where you should be able to set the relevant policies "Removable disks …" for execute, read and write.

You can read the Microsoft learn article here, and possibly this article with older, but illustrated instructions.

RemovableStorageDevice blocking via GPO is broken

German blog reader Marcel contacted me by email on July 4, 2025 (thanks for that) and wrote that there is currently a problem with USB device control. As a KRITIS institution, the IT administrators in Marcel's environment have to restrict access to removable storage devices.

Blocking by GPO policy

This is currently done using Windows built-in tools via a group policy. IT creates three registry entries under:

HKCU\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Deny_Execute - REG_DWORD - 1

Deny_Read - REG_DWORD - 1

Deny_Write - REG_DWORD - 1

These three entries are intended to prevent the user from accessing a removable disk. Depending on which of the three registry entries are set, only write access can be blocked, for example. "This allows us to control this flexibly, depending on the use case," wrote the reader.

Blocking no longer works

Now comes the point that an administrator of Microsoft software should always be wary of: an update overrides a configured GPO. The reader wrote that they had noticed the RemovableStorageDevice blocking no longer working since the installation of one of the recent cumulative security updates (specifically since April 2025).

This misbehavior is reproducible under Windows 10 22H2 and Windows 11 23H2. According to the reader, setting the registry entries in the HKLM branch has also stopped working since the April 2025 update.

The only thing that helps here, the reader wrote, is uninstalling the current cumulative update or "blocking the upper device class", which can block other devices. Uninstalling the cumulative updates is of course not an option from a security point of view, according to the reader.
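
One way to check for the enforcement gap described above, as an added example that is not part of the original post or the reader's tooling: the PowerShell script reads the three Deny_* values from both hives, probes every attached removable volume, and flags the case where Deny_Read is configured but the volume is still readable. The use of Win32_LogicalDisk and the directory-listing probe are assumptions chosen for this illustration.

```powershell
# Added audit example (not from the original post). GUID and value names are
# the ones quoted in the article; everything else is an assumption.
$classGuid = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
$subKey    = "SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\$classGuid"
$names     = 'Deny_Execute', 'Deny_Read', 'Deny_Write'

# 1. Which Deny_* values are configured, per hive? (HKCU is the hive of the
#    account running the script, so run it as the user under test.)
$configured = foreach ($hive in 'HKLM:', 'HKCU:') {
    foreach ($name in $names) {
        $prop = Get-ItemProperty -LiteralPath "$hive\$subKey" -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Hive  = $hive
            Name  = $name
            Value = if ($prop) { $prop.$name } else { $null }
        }
    }
}
$configured | Format-Table -AutoSize
$denyRead = [bool]($configured | Where-Object { $_.Name -eq 'Deny_Read' -and $_.Value -eq 1 })

# 2. Is the block enforced? Try to list the root of every removable volume
#    (Win32_LogicalDisk DriveType 2) that is currently attached.
$findings = foreach ($disk in (Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2')) {
    $root = "$($disk.DeviceID)\"
    try   { $null = Get-ChildItem -LiteralPath $root -ErrorAction Stop; $readable = $true }
    catch { $readable = $false }   # access denied, or no medium inserted
    [pscustomobject]@{
        Volume         = $root
        Readable       = $readable
        DenyReadSet    = $denyRead
        EnforcementGap = ($denyRead -and $readable)
    }
}
$findings | Format-Table -AutoSize
if ($findings | Where-Object EnforcementGap) {
    Write-Warning 'Deny_Read is configured but a removable volume is still readable.'
}

# 3. Is the update named in the Microsoft support mail installed?
Get-HotFix -Id 'KB5060999' -ErrorAction SilentlyContinue
```

Run it with a test USB stick inserted; a row with EnforcementGap = True on a machine where the policy is applied is the symptom the reader describes.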

Support case opened at Microsoft

The company's IT staff approached Microsoft last week with this problem and opened a support case. After the initial conversation, the IT administrators received a response from Microsoft on June 3, 2025 confirming that this was a bug that had been present since the April 2025 patch day. Microsoft's explanation:

In April, Microsoft changed its infrastructure for driver signing in "pre-production" due to the expiry of the certification authority certificates.

This change affects how drivers are validated and may impact mechanisms for enforcing group policies at the driver level.

Microsoft confirms that it has not only identified this issue, but plans to fix it at some point in a future cumulative update, according to the response from Redmond, which I have received and which I am posting below.

Marcel wrote to me about this: "I think one or the other may also be struggling with this problem, which is why I would like to ask you to provide information about this problem in your blog." I have done so – I think the thanks of the readership go to Marcel for pointing this out. Below is the anonymized e-mail from Microsoft Support.

Thank you for your patience as we've worked to understand the issue affecting USB Group Policy enforcement after recent Windows updates.

Summary of the Issue
We understand how important it is for your organization to maintain strict control over USB device access. Following the installation of cumulative update KB5060999 (May 2025) on Windows 11 23H2, and similar updates on Windows 10 22H2, Group Policy settings that previously blocked USB removable storage devices are no longer functioning as expected. Uninstalling the update restores the intended behavior.

We've confirmed this is a known issue currently under investigation by Microsoft.

Background
Microsoft is transitioning its pre-production driver signing infrastructure due to the expiration of long-lived certificate authorities (CAs). This change affects how drivers are validated and may impact Group Policy enforcement mechanisms that rely on driver-level control.

Key points:
A new certificate authority ("Microsoft Windows Component Preproduction CA 2024") is being introduced starting June 9, 2025.

A servicing update released on June 10, 2025 is required to ensure continued trust in pre-production drivers.

Until this transition is fully implemented, some Group Policy settings—particularly those related to device control—may not behave as expected.

You can find more technical details here: Changes to Pre-Production Driver Signing | Microsoft Community Hub

Recommended Actions
While we await a permanent fix from Microsoft, we suggest the following steps to help mitigate the issue:

Recreate and Reapply the Group Policy
In some cases, recreating the policy from scratch and reapplying it to affected devices has helped restore enforcement.

Verify Device GUIDs
Please confirm that the GUID {53f5630d-b6bf-11d0-94f2-00a0c91efb8b} used in your registry settings is still valid. The update may have changed how USB devices are classified, which could affect how the policy is applied.

Submit Feedback via Feedback Hub
We strongly encourage submitting this issue through the Feedback Hub. This helps Microsoft prioritize the issue and ensures your experience is considered in future updates.

Monitor for Future Updates

Microsoft is actively working on a resolution. A fix is expected in a future cumulative update, though no specific release date has been announced yet.

We truly understand how disruptive this issue can be and appreciate your efforts in helping us investigate it thoroughly.

Please don't hesitate to reach out if you need assistance with any of the above steps or if you'd like help submitting feedback to Microsoft.
