Video Screencast Help

Regarding the policy

Created: 23 Oct 2011 • Updated: 29 Oct 2011 | 12 comments
This issue has been solved. See solution.

Hi Firend- Required the help to create the policy of CD-DVD and USB read only and blockage the access of mobile.

I have the knowledge to create the policy of cd-dvd blockage and access but don't know about readonly creation step so pls help..

Comments 12 CommentsJump to latest comment

pete_4u2002's picture

check out thesearticle, this should help

How to make USB drives read-only with Symantec Endpoint Protection using Application and Device Control

After setting up an Application and Device Control policy to block CD writing, CD writing is not blocked as expected, and write attempt is not logged

set here as read only ( as mentioned in article)

Sumit G's picture

Thanks a lot for sharin such document, I will implement the policy as per mention docs and revert if any thing pending..


Sumit G.

Sumit G's picture

Firend- It only for USB but I need to create the policy of "CD/DVD" readonly also.


Sumit G.

Vikram Kumar-SAV to SEP's picture

You can make CD/DVD read only by editing the USB read only policy (Application Control default policy ) and then edit the * in the policy and select CD/DVD.

You need to be aware that CD/DVD ready only is only partially applied using Application Device Control.

Only when CD/DVD writing is done using Windows Writer using EXPLORER.exe then only application control will block it.

If you do it using Nero or any other program SEP will not block it. You will have to block such programs using Application Control.

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search use it.

Sumit G's picture

It's mean that we can update the policy block the application(nero) usage on the CD/DVD rom Systems.


Sumit G.

Jason1222's picture

Hello SumitGupta,

In Windows XP (not available in Vista or Win7), there is a service called IMAPI.

See screenshot.

By disabling or setting this service to "Manual or Disabled" you will be able to prevent users from Writing to a Disc (CD/DVD/BR) regardless of the application.  I.E. Nero, CDBurnXP, etc.

You can disable the service using "Local Security Policy" or "Group Policy" in Active Directory.

Alternatively, you can also modify the registry using a "*.Reg" file to disable the service at logon for example.

* * * * * * *

For Windows Vista and Windows 7, it is a little more complicated:

This can be accomplished through the Registry or through Local Group Policy.

For Local Policy:

1. Expand User Configuration, Administrative Templates, Windows Components, and Windows Explorer

2. In the right pane, right click on Remove CD Burning features and click on Edit.

Read the explanation carefully.

- Enabling the policy will Disable "Writing CD/DVD, etc."

- Disabling or not configuring the policy will "allow the users to be able to burn"

* * * * * * * * * * *

In the registry for Windows 7 and Vista the key is located in:


NoCDBurning=dword:00000001 -> Disbaled

NoCDBurning=dword:00000000 -> Enabled

That basically sums it all up.

This information is provided as is and is beyond the scope of the Symantec Forums!

Use at your own discretion and always back up your registry before making any modifications.

Sumit G's picture

Hi Jason - Thanks a lot, I will try this one.


Sumit G.

Sumit G's picture

Hi Jason,

   As per your mentioned, same change will be done in GP. But as per client requirment only change will be done threw SEPM.


Sumit G.

Sumit G's picture

I have not tried this mentioned doc as per some audit reason, I will try the same at today and revert back


Sumit G.

Sumit G's picture

Hi Pete,

    Ur Mentioned document is helpful to me thanks a lot for sharing the same...


Sumit G.