GPO to prevent autoplay on non-volume devices

Autoplay is a feature in Windows that automatically executes a predefined action when a new device, such as a USB drive, camera, or phone, is connected to the system. While convenient, it can pose a security risk, particularly in an enterprise environment, as it can lead to the automatic execution of malicious software. This article provides a detailed guide for system administrators on creating a Group Policy Object (GPO) to prevent Autoplay on non-volume devices, enhancing the security of networked systems.

Understanding Autoplay Risks

Autoplay might inadvertently facilitate the spread of malware, as it can execute software from connected devices without user consent. Disabling this feature, especially for non-volume devices like cameras and phones, is a key security measure in a controlled IT environment.

Prerequisites

  • Administrative Rights: You must have administrative privileges in your Active Directory (AD) environment.
  • Group Policy Management Console (GPMC): This tool must be installed and accessible.

Step-by-Step Instructions

Step 1: Open Group Policy Management Console

Access GPMC by typing “Group Policy Management” in the Start menu search or by running gpmc.msc.

Step 2: Create or Edit a Group Policy Object
  • To create a new GPO, right-click on the domain or an Organizational Unit (OU) and select “Create a GPO in this domain, and Link it here…”.
  • To modify an existing GPO, find it under the appropriate domain or OU, right-click it, and select “Edit”.

Step 3: Navigate to Autoplay Policies

In the Group Policy Management Editor, go to: Computer Configuration\Policies\Administrative Templates\Windows Components\Autoplay Policies.

Step 4: Configure Autoplay for Non-Volume Devices
  • Locate and open the policy “Turn off Autoplay”.
  • Set this policy to “Enabled”.
  • In the options section, select “All drives” to turn off Autoplay on all devices, including non-volume devices such as cameras and phones. Alternatively, you can customize the settings based on your specific requirements.

Step 5: Apply and Enforce the GPO
  • Click “OK” or “Apply” to save the changes.
  • Link the GPO to the relevant OU(s).
  • The policy will be applied at the next Group Policy refresh cycle. To expedite, run gpupdate /force on the client machines.
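
The same five steps can be scripted with the GroupPolicy PowerShell module that is installed with GPMC. This is an added example, not part of the original guide: the GPO name and OU distinguished name are placeholders, and NoDriveTypeAutoRun = 255 is the registry value that “Turn off Autoplay” set to “All drives” writes under Computer Configuration.

```powershell
#Requires -Modules GroupPolicy

# Placeholders (assumptions): replace with your own GPO name and target OU.
$GpoName  = 'Disable Autoplay - All Drives'
$TargetOu = 'OU=Workstations,DC=example,DC=com'

# Step 2: reuse the GPO if it already exists, otherwise create it.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Turn off Autoplay on all drives'
}

# Steps 3-4: "Turn off Autoplay" = Enabled, option "All drives".
# The computer-side setting is stored as NoDriveTypeAutoRun = 255 (0xFF).
$autoplay = @{
    Guid      = $gpo.Id
    Key       = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    ValueName = 'NoDriveTypeAutoRun'
    Type      = 'DWord'
    Value     = 255
}
Set-GPRegistryValue @autoplay | Out-Null

# Step 5: link the GPO to the OU unless a direct link is already present,
# so the script can be re-run without raising a duplicate-link error.
$existingLink = (Get-GPInheritance -Target $TargetOu).GpoLinks |
    Where-Object { $_.GpoId -eq $gpo.Id }
if (-not $existingLink) {
    New-GPLink -Guid $gpo.Id -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# Read the value back from the GPO and show where it is linked.
Get-GPRegistryValue -Guid $gpo.Id -Key $autoplay.Key -ValueName $autoplay.ValueName
(Get-GPInheritance -Target $TargetOu).GpoLinks |
    Where-Object { $_.GpoId -eq $gpo.Id } |
    Select-Object DisplayName, Enabled, Enforced, Order
```

Run it from an account that can create and link GPOs; clients pick the setting up at the next refresh or after gpupdate /force.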

Advanced Configuration and Use Cases

  1. Security in Sensitive Environments: In high-security environments, like R&D labs or government institutions, preventing automatic execution from external devices is crucial for safeguarding sensitive information.
  2. Data Leakage Prevention: In corporate environments where data leakage is a concern, this policy can help prevent unauthorized data transfers via external devices.
  3. Compliance with IT Policies: For organizations with strict IT security policies, disabling Autoplay can be a part of adhering to best practices and compliance requirements.

Security Considerations

  • Balancing Security and Usability: Ensure that the policy does not unduly hinder legitimate use of external devices. Provide guidelines on how users can manually access media from these devices.
  • User Training and Awareness: Educate users about the change in policy and the reasons behind it to foster understanding and compliance.
  • Regular Policy Review: Continually evaluate the effectiveness of the Autoplay policy and make necessary adjustments in line with the evolving IT environment and security landscape.

Troubleshooting

  • Issues with Policy Application: If the GPO does not apply as expected, use tools like Resultant Set of Policy (RSoP) or gpresult for diagnosis and troubleshooting.
  • Operational Challenges: If the policy disrupts essential operations, consider revising the settings or creating exceptions for specific types of devices or user groups.
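
Before reaching for a full RSoP report, the registry values behind the policy can be read directly on a client. This is an added example, not part of the original guide: besides the value from Step 4 it reports NoAutoplayfornonVolume, which is written by the separate “Disallow Autoplay for non-volume devices” setting in the same policy folder and is not configured by the steps above; the report file name is an assumption.

```powershell
# Registry values written by the two Autoplay settings (Computer Configuration).
$checks = @(
    [pscustomobject]@{
        Setting  = 'Turn off Autoplay = All drives'            # set in Step 4
        Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
        Name     = 'NoDriveTypeAutoRun'
        Expected = 255
        Required = $true
    },
    [pscustomobject]@{
        Setting  = 'Disallow Autoplay for non-volume devices'  # separate setting, informational
        Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer'
        Name     = 'NoAutoplayfornonVolume'
        Expected = 1
        Required = $false
    }
)

function Get-AutoplayPolicyState {
    param([Parameter(Mandatory)][object[]]$Checks)
    foreach ($c in $Checks) {
        # A missing key or value yields $null instead of an error.
        $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        [pscustomobject]@{
            Setting  = $c.Setting
            Value    = $c.Name
            Expected = $c.Expected
            Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
            Match    = ($actual -eq $c.Expected)
            Required = $c.Required
        }
    }
}

$state = Get-AutoplayPolicyState -Checks $checks
$state | Format-Table -AutoSize

# If the value from Step 4 did not arrive, capture an RSoP report to see
# which GPOs were applied or filtered out (computer scope needs elevation).
if ($state | Where-Object { $_.Required -and -not $_.Match }) {
    $report = Join-Path $env:TEMP 'autoplay-rsop.html'
    gpresult.exe /scope computer /h $report /f
    Write-Warning "Required Autoplay value missing or different; RSoP report: $report"
}
```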

Conclusion

Disabling Autoplay on non-volume devices via GPO is an important security measure for preventing the automatic execution of potentially harmful software in a Windows environment. By following the steps outlined in this guide, system administrators can effectively manage Autoplay settings, enhancing the overall security of the organization’s network.
