RMM Script: The Zero-Cost PowerShell USB Storage Lockdown
Lock down data exfiltration risks instantly by disabling the USBSTOR service via PowerShell. A zero-cost, scriptable alternative to expensive EDR device control modules that won't break mice or keyboards.
The Ticket: The Failed Compliance Audit
The Ticketing System is blowing up because your biggest client just failed their annual compliance audit. The auditor walked right up to a receptionist's unattended terminal, plugged in a generic thumb drive, and copied a dummy payload without triggering a single alert. Now the client's management team is in full panic mode, demanding a total USB lockdown across 300 endpoints by EOD. They refuse to pay the licensing uplift for a premium EDR device control module. We need a native, scripted solution to kill mass storage instantly.
Pre-Flight Check
- Permissions: Local Administrator (or NT AUTHORITY\SYSTEM via RMM execution).
- Tools: PowerShell 5.1+, Windows Registry Editor.
- Impact: Moderate - Instantly neuters mass storage device initialization. Standard HID peripherals (mice, keyboards, webcams) remain completely unaffected.
The Solution
```powershell
# --- 404 & More: Disable USB Storage Script ---
param (
    [ValidateSet("Disable","Enable")]
    [string]$Action = "Disable" # Defaults to locking down if no parameter is explicitly passed.
)

$regPath   = "HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR"
$valueName = "Start"

# Service Start Type Values
$disableValue = 4
$enableValue  = 3

# .NET Access Token Check for Administrator Rights
if (-not ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")) {
    Write-Host "ERROR: Elevated privileges required. Relaunch as Administrator." -ForegroundColor Red
    exit 1
}

# Verify the USBSTOR service key actually exists before manipulating it
if (-not (Test-Path $regPath)) {
    Write-Host "ERROR: USBSTOR registry path not found. Is the OS corrupted?" -ForegroundColor Red
    exit 1
}

switch ($Action) {
    "Disable" {
        Set-ItemProperty -Path $regPath -Name $valueName -Value $disableValue
        Write-Host "SUCCESS: USB mass storage driver (USBSTOR.sys) execution has been DISABLED." -ForegroundColor Yellow
    }
    "Enable" {
        Set-ItemProperty -Path $regPath -Name $valueName -Value $enableValue
        Write-Host "SUCCESS: USB mass storage driver execution ENABLED. Revert successful." -ForegroundColor Green
    }
}

Write-Host "NOTE: A reboot or physical replug of existing devices is required for the state change to take full effect."
```
The "Why" (Root Cause)
When a user plugs in a USB device, the Windows Plug and Play (PnP) manager reads the hardware's device descriptor to identify its class. If it identifies a Mass Storage Class (MSC) device, the PnP manager consults the registry at HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR to determine how to handle the usbstor.sys kernel driver.
The Start DWORD in this registry key dictates the driver's startup behavior. By default, Windows sets this value to 3 (Demand Start), meaning the driver is loaded on demand the moment a thumb drive is detected, successfully mounting the volume. By forcefully changing this DWORD to 4 (Disabled), we are explicitly telling the Windows kernel that the usbstor.sys driver is forbidden from loading into memory, regardless of what the PnP manager requests. The hardware is still recognized at the USB root hub level, but the OS refuses to load the software bridge required to read or write data on the filesystem. The device simply sits there, unmounted and useless.
Under the Hood (Technical Deep Dive)
To understand why this script is bulletproof, you have to understand the Windows Service Control Manager's startup types. The Start registry value accepts specific integers: 0 (Boot), 1 (System), 2 (Automatic), 3 (Manual/Demand), and 4 (Disabled).
When our PowerShell script executes Set-ItemProperty -Path $regPath -Name $valueName -Value $disableValue, it changes the value the kernel consults the next time the PnP manager asks to load usbstor.sys; an instance of the driver that is already in memory keeps running until the device is replugged or the machine reboots, which is why the script prints that reminder. We use the [Security.Principal.WindowsPrincipal] .NET class to query the current execution token. We do not rely on standard PowerShell cmdlets for the admin check because they can be spoofed or bypassed in certain restricted runspaces. We are directly asking the underlying operating system whether the current thread's token carries the BUILTIN\Administrators SID.
The most common pushback from Tier 1 techs is that this registry edit will paralyze the user by killing their mouse and keyboard. This is a fundamental misunderstanding of the Windows driver stack. HID (Human Interface Devices) do not use usbstor.sys. When you plug in a mouse, the PnP manager matches it to kbdhid.sys or mouhid.sys, located in entirely different registry paths (HKLM\SYSTEM\CurrentControlSet\Services\kbdhid). Because our script strictly targets the USBSTOR service, we achieve surgical precision.
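To show a Tier 1 tech which devices are actually bound to USBSTOR and which are bound to the HID drivers, the following added script (not part of the original article) walks every present USB- and HID-enumerated PnP device and reports the service the PnP manager attached to it. It assumes the PnpDevice module (Windows 8.1 / Server 2012 R2 or later); the function name Get-UsbDeviceServiceMap is our own.

```powershell
# Added example (not from the original article): map present USB/HID devices to their bound service.
# Requires the PnpDevice module (Windows 8.1 / Server 2012 R2 or later).
function Get-UsbDeviceServiceMap {
    [CmdletBinding()]
    param ()

    # Present devices whose instance path sits under the USB, USBSTOR or HID enumerators.
    $devices = Get-PnpDevice -PresentOnly -ErrorAction Stop |
        Where-Object {
            $_.InstanceId -like 'USB\*' -or
            $_.InstanceId -like 'USBSTOR\*' -or
            $_.InstanceId -like 'HID\*'
        }

    foreach ($dev in $devices) {
        # DEVPKEY_Device_Service holds the service (driver) name PnP bound to this node.
        $svcName = (Get-PnpDeviceProperty -InstanceId $dev.InstanceId `
                        -KeyName 'DEVPKEY_Device_Service' -ErrorAction SilentlyContinue).Data
        if (-not $svcName) { $svcName = '(none)' }

        [pscustomobject]@{
            FriendlyName       = $dev.FriendlyName
            Class              = $dev.Class
            Service            = $svcName
            # Only nodes bound to USBSTOR are touched by the Start=4 lockdown;
            # mice and keyboards show HidUsb / mouhid / kbdhid here and keep working.
            AffectedByLockdown = ($svcName -eq 'USBSTOR')
        }
    }
}

Get-UsbDeviceServiceMap | Sort-Object Service, FriendlyName | Format-Table -AutoSize
```

Run it before and after the lockdown: the mass storage parent node reports USBSTOR (and disappears, along with its disk child, once the driver is disabled and the drive is replugged), while the mouse and keyboard rows keep reporting the HID services untouched.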
If you want to track the exact moment a user attempts to plug in a blocked drive, you can crack open Event Viewer. Navigate to Applications and Services Logs > Microsoft > Windows > DriverFrameworks-UserMode > Operational. Look for Event ID 2003 or Event ID 1003. You'll see the PnP manager attempt to initialize the device and subsequently fail because the target driver (usbstor.sys) has been administratively disabled.
RMM & Automation Tips
For workgroups or standalone endpoints, this script is the only reliable way to enforce device control at scale. Active Directory environments typically use GPOs for this, but GPOs are notoriously slow to sync over VPNs and fail entirely if the endpoint is off-network.
- RMM Deployment: Push this script as a System-level task. Create an RMM variable named [USB_Lockdown_State]. Map your RMM script parameters to read this variable, allowing you to globally toggle the $Action flag from your dashboard without editing the code.
- Self-Healing Monitors: Set an RMM registry monitor targeting HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR\Start. If the value drifts to 3 (meaning a user or rogue update re-enabled it), trigger an auto-remediation script to force it back to 4 and generate a PSA ticket for an unauthorized configuration change.
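The self-healing monitor described above, written out as an added example (not part of the original article or any RMM vendor's code). It runs as SYSTEM from an RMM task, reports drift through the exit code so the monitor can raise the PSA ticket, records the change in the Application event log, and only rewrites the value when -Remediate is passed. The event source name USBLockdownMonitor and event IDs 9001/9002 are constructed placeholders.

```powershell
# Added example (not from the original article): USBSTOR Start drift monitor with optional remediation.
param (
    [int]$ExpectedStart = 4,   # 4 = Disabled (locked down), per the main script
    [switch]$Remediate         # Without this switch the script only reports drift
)

$regPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$eventSrc = 'USBLockdownMonitor'   # constructed placeholder source name

function Write-MonitorEvent {
    param ([string]$Message, [int]$EventId, [string]$EntryType = 'Warning')
    # Registering a source needs elevation; the RMM SYSTEM context provides it.
    if (-not [System.Diagnostics.EventLog]::SourceExists($eventSrc)) {
        New-EventLog -LogName Application -Source $eventSrc
    }
    Write-EventLog -LogName Application -Source $eventSrc -EventId $EventId `
                   -EntryType $EntryType -Message $Message
}

if (-not (Test-Path $regPath)) {
    Write-Output "ERROR: USBSTOR service key missing; cannot evaluate."
    exit 2
}

$current = (Get-ItemProperty -Path $regPath -Name Start).Start

if ($current -eq $ExpectedStart) {
    Write-Output "COMPLIANT: USBSTOR Start = $current"
    exit 0
}

# Drift detected: log it first so the ticket is raised even if remediation fails.
$msg = "USBSTOR Start drifted to $current (expected $ExpectedStart) on $env:COMPUTERNAME."
Write-MonitorEvent -Message $msg -EventId 9001

if ($Remediate) {
    Set-ItemProperty -Path $regPath -Name Start -Value $ExpectedStart -Type DWord
    Write-MonitorEvent -Message "USBSTOR Start reset to $ExpectedStart." -EventId 9002 -EntryType Information
    Write-Output "REMEDIATED: $msg"
    exit 1   # still non-zero so the RMM monitor flags the incident
}

Write-Output "DRIFT: $msg"
exit 1
```

Map the RMM monitor to exit code 1 for "drift" and 2 for "key missing", and point the PSA ticket template at the 9001 event so the ticket carries the hostname and the value that was found.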
Troubleshooting & Edge Cases
- Edge Case 1: Smart Phones (MTP/PTP Devices): This script blocks thumb drives and external HDDs, but it does not block smartphones plugged in via USB. Android and iOS devices use the Windows Portable Devices (WPD) architecture, leveraging the WudfPf (User-Mode Driver Framework) and WpdFs drivers. To block smartphones, you must also target HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\WPDDevices and set the Deny_Read and Deny_Write DWORDs to 1.
- Edge Case 2: Existing Connections: If a USB drive is already plugged in and actively mounted before the script runs, the usbstor.sys driver is already loaded into RAM. The script will succeed, but the user will maintain access until the device is physically unplugged or the machine is rebooted.
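Both edge cases can be handled in one companion script. The added example below (not part of the original article) applies the WPD deny policy at the path named in Edge Case 1, then lists any USB-bus disks that still hold a drive letter, which is exactly the Edge Case 2 population that keeps working until replug or reboot. It assumes the Storage module (Windows 8 / Server 2012 or later) and an elevated session; the function names Set-WpdDenyPolicy and Get-MountedUsbVolume are our own.

```powershell
# Added example (not from the original article): WPD deny policy plus still-mounted USB volume report.
# Requires the Storage module (Get-Disk / Get-Partition) and elevation.
$wpdPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\WPDDevices'

function Set-WpdDenyPolicy {
    param ([ValidateSet('Deny','Allow')][string]$Mode = 'Deny')
    # The policy key does not exist until a policy is written; create the full path if needed.
    if (-not (Test-Path $wpdPolicy)) {
        New-Item -Path $wpdPolicy -Force | Out-Null
    }
    $value = if ($Mode -eq 'Deny') { 1 } else { 0 }
    foreach ($name in 'Deny_Read', 'Deny_Write') {
        New-ItemProperty -Path $wpdPolicy -Name $name -Value $value -PropertyType DWord -Force | Out-Null
    }
    # Return the effective values so the caller (or RMM log) can confirm them.
    Get-ItemProperty -Path $wpdPolicy | Select-Object Deny_Read, Deny_Write
}

function Get-MountedUsbVolume {
    # A USB-bus disk that still has a drive letter was mounted before the lockdown
    # and stays readable until it is unplugged or the machine reboots.
    Get-Disk | Where-Object BusType -eq 'USB' |
        Get-Partition |
        Where-Object { $_.DriveLetter -and ([int][char]$_.DriveLetter) -ne 0 } |
        ForEach-Object {
            [pscustomobject]@{
                DiskNumber   = $_.DiskNumber
                DriveLetter  = $_.DriveLetter
                SizeGB       = [math]::Round($_.Size / 1GB, 2)
                FriendlyName = (Get-Disk -Number $_.DiskNumber).FriendlyName
            }
        }
}

Set-WpdDenyPolicy -Mode Deny

$still = @(Get-MountedUsbVolume)
if ($still.Count -gt 0) {
    $letters = ($still | ForEach-Object { $_.DriveLetter }) -join ', '
    Write-Warning "USB volumes still mounted (driver loaded before lockdown): $letters"
    $still | Format-Table -AutoSize
} else {
    Write-Output "No USB mass storage volumes currently mounted."
}
```

Feed the warning line into the same RMM alert channel as the USBSTOR monitor: an endpoint that reports a still-mounted volume after the lockdown needs a replug or reboot before the auditor's thumb-drive test will fail the way the client expects.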