
Windows - Configuration - Disable AutoRun

Prevents external programs from automatically launching on Windows endpoints when removable drives attach

Worklet Details

What the AutoRun Disabler does

This Automox Worklet™ disables the AutoRun feature on Windows endpoints. AutoRun is a legacy Windows feature that automatically executes programs stored on external drives, removable media, and network shares when they are accessed or connected to a computer.

The Worklet configures the NoDriveTypeAutoRun registry value at HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer. By setting this value to 255, the Worklet disables AutoRun for all drive types: unknown drives, removable drives, fixed drives, network drives, CD-ROM drives, and RAM disks.

Malware authors have historically exploited AutoRun to automatically execute malicious code when USB drives or external media are inserted into endpoints. Disabling AutoRun blocks this attack path while allowing normal drive access and manual application execution.

Why disable AutoRun on your endpoints

AutoRun has been a vector for worm infections and malware distribution for over two decades. Malware can place executable files on USB drives or external media that automatically launch when connected to an endpoint, bypassing user awareness. This is particularly dangerous in environments where users share removable media, connect personal endpoints, or use external drives from untrusted sources.

Compliance frameworks including CIS Benchmarks recommend disabling AutoRun as a foundational security control. Many organizations treat AutoRun as a mandatory security requirement for workstations and servers. Disabling it reduces your attack surface and prevents one of the easiest methods for malware distribution across your network.

Microsoft has progressively disabled AutoRun by default in newer Windows versions, but endpoints running Windows 7, Windows 8, and Windows Server 2008 R2 through 2012 still have AutoRun enabled by default. Legacy applications may also re-enable AutoRun, requiring periodic enforcement of this security control.

How AutoRun disablement works

  1. Evaluation phase: The Worklet reads the NoDriveTypeAutoRun registry value from HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer. If the value is set to 255, AutoRun is already disabled and the endpoint is compliant. If the value is missing or set to any other value, the endpoint requires remediation.

  2. Remediation phase: The Worklet uses New-ItemProperty to create or update the NoDriveTypeAutoRun registry value with a data type of Dword and a value of 255. This disables AutoRun for all drive types on the endpoint. The configuration takes effect immediately without requiring a restart.
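The two phases above as a single script. This is an added example, not the Worklet's own code; the `-Remediate` switch and the function names are hypothetical, and the script goes slightly beyond the page by decoding which drive-type bits a non-compliant value leaves unset, using Microsoft's documented bit meanings for NoDriveTypeAutoRun. It assumes PowerShell 3.0 or later and an elevated session.

```powershell
param([switch]$Remediate)   # hypothetical switch: evaluate only unless set

$KeyPath   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ValueName = 'NoDriveTypeAutoRun'
$Required  = 255            # 0xFF: every drive-type bit set

# A set bit disables AutoRun for that drive type.
$DriveTypeBits = [ordered]@{
    'Unknown'  = 0x01; 'No root directory' = 0x02; 'Removable' = 0x04
    'Fixed'    = 0x08; 'Network' = 0x10;           'CD-ROM'    = 0x20
    'RAM disk' = 0x40; 'Reserved (unknown types)' = 0x80
}

function Get-AutoRunState {
    # Evaluation: a missing key or value yields $null, which is never compliant.
    $item    = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    $current = if ($item) { [int]$item.$ValueName } else { $null }
    $open    = @()
    if ($null -ne $current) {
        # Drive types whose bit is clear, i.e. not disabled by the stored value.
        $open = @($DriveTypeBits.GetEnumerator() |
            Where-Object { ($current -band $_.Value) -eq 0 } |
            ForEach-Object { $_.Key })
    }
    [pscustomobject]@{ Value = $current; Compliant = ($current -eq $Required); NotDisabled = $open }
}

function Set-AutoRunDisabled {
    # Remediation: create the policy key if absent, then create or overwrite the DWORD.
    if (-not (Test-Path -Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
        -Value $Required -Force | Out-Null
}

$state = Get-AutoRunState
if ($state.Compliant) {
    Write-Output "Compliant: $ValueName = $Required"
} elseif ($null -eq $state.Value) {
    Write-Output "Not compliant: $ValueName is not set"
} else {
    Write-Output "Not compliant: $ValueName = $($state.Value); not disabled for: $($state.NotDisabled -join ', ')"
}
if ($Remediate -and -not $state.Compliant) {
    Set-AutoRunDisabled
    Write-Output "After remediation, compliant: $((Get-AutoRunState).Compliant)"
}
```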

AutoRun disablement requirements

  • Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, or Windows 11

  • Windows Server 2008 or later

  • Administrative privileges on the endpoint

  • Registry modification access (group policies or Automox agent privileges)

  • No restart required for the change to take effect

Expected endpoint behavior after remediation

After successful remediation, external drives and removable media will no longer automatically execute programs when connected to the endpoint. Users can still manually open files on USB drives and external media, but autorun.inf files and auto-launch functionality are disabled. The endpoint can still access network drives, CD-ROM drives, and other storage media through normal file sharing protocols.

You can verify the remediation by opening Registry Editor and navigating to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer (the key PowerShell addresses as HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer). Look for the NoDriveTypeAutoRun value and confirm it is set to 255 (0xFF in hexadecimal). Users might encounter a behavior change with legacy applications or hardware (like some CD/DVD installers) that previously relied on AutoRun to launch automatically, but this represents a security improvement rather than a loss of functionality.

How to validate Disable AutoRun changes

  1. Run this Worklet on a pilot Windows endpoint and review the evaluation output for the Disable AutoRun check.

  2. Confirm Automox activity logs show successful completion and exit code 0.

  3. Verify endpoint state using checks aligned to the evaluation script logic, such as CD-ROM, Get-ItemProperty, and Write-Output.

  4. Validate remediation effects from script operations such as CD-ROM, Get-ItemProperty, and Write-Output, then rerun the evaluation to confirm compliance.

What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.