You can access removable media on a Windows Server 2008-based computer even when the "All Removable Storage classes: Deny all Access" Group Policy object is enabled

Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows


Consider the following scenario:
  • You are running a Windows Server 2008-based computer.
  • The All Removable Storage classes: Deny all access Group Policy setting is enabled on the computer.
In this scenario, you can unexpectedly access removable media.


This problem occurs when the Startup Type option for the Portable Device Enumerator service is set to Manual.


To resolve this problem, use one of the following methods.

Method 1: Use the Services snap-in to change the Startup Type option to Automatic
  1. Click Start, click Run, and then type services.msc.
  2. Right-click Portable Device Enumerator, and then click Properties.
  3. In the Startup Type list, click Automatic, and then click OK.
Method 2: Modify the startup value for the WPDBusEnum registry subkey

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate the following registry subkey, and then click it:
  3. Click Edit, and then click Modify.
  4. In the Value data box, change the current value to 2.
  5. Restart the computer for the change to take effect. When the computer restarts, the Portable Device Enumerator service starts automatically.

More Information

Steps to reproduce the problem

  1. In the Group Policy MMC snap-in on a Windows Server 2008-based computer, enable the following Group Policy object:
    Computer Configuration/Administrative Templates/System/Removable Storage Access/All Removable Storage classes: Deny all Access
  2. Connect a USB flash drive to the computer.
  3. Verify that you can still access this USB flash drive.

  4. In the Services snap-in, right-click Portable Device Enumerator Service, and then click Start. Now when you try to access the device, you are blocked.

Article ID: 947294 - Last Review: Mar 6, 2008 - Revision: 1