Windows 2016 updating group policy
The easiest way to do this is through the use of Security Filtering in the GPO.For example, to prevent the USB block policy from being applied to the Domain Admins group: If the task is different: you need to allow USB drives to be used by all but a certain group of users, you need to add your user group in the security settings of the policy with read and apply GPO permissions, and leave only the read permissions for the Authenticated Users or Domain Computers groups (uncheck the Apply group policy option).For the purpose of this post I have updated the scheduled install day from ‘1 – Every Sunday’ to ‘4 – Every Wednesday’. If you’re using Advanced Group Policy Management you’ll need to right click the GPO and check in, and then deploy the GPO.Depending on your environment you may need to wait a short while for replication, you can force a group policy refresh on a server by running gpupdate /force from the command line.Open Group Policy Management and browse to the relevant GPO you want to update, right click and Edit the GPO.If you’re using Advanced Group Policy Management you’ll need to check out the policy before editing. Double click the setting you want to change and update as appropriate.In this case I changed the scheduled install day from ‘1 – Sunday’ to ‘4 – Wednesday’, the value of the registry option Scheduled Install Day has changed from 1 to 4, so I know the change has taken effect.
All the above policies correspond to certain registry keys in the HKLM (or HKCU) \SOFTWARE\Policies\Microsoft\Windows\Removable Storage Devices (by default this registry key is missing).
For example, to prevent writing data to USB flash drives and other types of USB drives, you should enable the policy Removable Disk: Deny write access.
In this case, users will be able to read the data stored on a USB flash drive, but when they attempt to write information to it, they will receive an access error: Note.
When I go to test the usb as an administrator I can not access the usb. It also helps with permitting or denying path access to our fileservers and application whitelisting.
If you need to update group policy to change an update schedule or make other alterations you can do so, even after patches have been approved on the WSUS server.