There is a badly documented requirement for the Removable Storage Access group policy settings, which causes a lot of Active Directory administrators to complaint in official and unofficial forums.
The requirement is that a service named “Portable Device Enumerator Service” must be running for the setting to be effective. This poses a problem when you want to restrict devices to user targets, because in many cases you should deploy two GPOs: one to disable removable devices for users, and one to enable the service on their computers.
To enable the Portable Device Enumerator Service, apply to the computer a GPO configured in the Computer Configuration\Policies\Windows Settings\Security Settings\System Services section as shown in the following example:
Don't Touch IT 