Safeguard 10.3: Disable Autorun and Autoplay for Removable Media
To meet Safeguard 10.3 (Disable Autorun and Autoplay for Removable Media), you must centrally disable Autorun/Autoplay on managed endpoints (and any managed servers where removable media is allowed), verify the setting is enforced, and retain proof of ongoing compliance. Operationalize it with standard configuration baselines, exception handling, and recurring evidence capture. [1]
Key takeaways:
- Disable Autorun and Autoplay through centrally managed configuration, not user settings. [1]
- Scope includes removable media use cases across Windows, macOS, and Linux endpoints where feasible, plus virtual desktop fleets. [2]
- Auditors will ask for proof of enforcement and monitoring, not a policy statement. [1]
Safeguard 10.3 exists to remove a common infection path: removable media that executes code automatically when inserted. Even if your organization already restricts USB storage, you still need this control because “removable media” includes more than thumb drives in real environments (external hard drives, SD cards, and sometimes mounted media presented through docking stations or specialized devices). The operational goal is simple: insertion of removable media must not trigger automatic execution or auto-launch behaviors on managed systems. [1]
For a Compliance Officer, CCO, or GRC lead, the fastest path to defensible compliance is to treat this as a baseline configuration control with measurable technical enforcement. That means: define scope, set the standard, deploy via your endpoint management stack, validate with independent checks, and preserve evidence on a recurring cadence. If you allow exceptions (kiosks, lab instruments, OT jump hosts, developer test rigs), you need an exception record and compensating controls that reduce the same risk. [1]
This page gives requirement-level implementation guidance you can hand to endpoint engineering and audit teams and get to a testable outcome quickly.
Regulatory text
Framework requirement: “CIS Controls v8 safeguard 10.3 implementation expectation (Disable Autorun and Autoplay for Removable Media).” [1]
Operator interpretation: You are expected to prevent managed systems from automatically running or launching content when removable media is inserted. Disabling Autorun/Autoplay must be enforced through managed configuration and treated as an auditable control with repeatable evidence capture. [1]
What an assessor will look for: a documented control statement, technical configuration settings applied across in-scope assets, validation results, and an exception process for outliers. [2]
Plain-English interpretation (what this really means)
- Users can still insert removable media (if allowed by your organization), but the system must not automatically execute code or automatically start playback/open an app based on the media’s metadata. [1]
- You are reducing “zero-click” execution paths from removable media and decreasing the chance that a user’s normal workflow triggers malware execution. [1]
- The compliance standard is not “we told users not to.” It is “we configured systems so they can’t.” [1]
Who it applies to
Entity scope: Most enterprises and technology organizations that manage endpoints and user workstations, regardless of industry, can map this safeguard directly into endpoint configuration management. [2]
Operational scope (systems and contexts):
- End-user endpoints: corporate laptops/desktops, shared workstations, call center desktops, VDI images. [1]
- Servers (conditional): include servers if users can attach removable media to them (uncommon overall, but typical of IT admin jump hosts and break-glass systems). [1]
- Special-purpose devices: kiosks, lab systems, media ingestion machines, conference room PCs; these are often where Autoplay is mistakenly left enabled. [1]
- Third party-managed endpoints: if a third party supports systems in your environment, you still need a clear responsibility assignment and evidence that the configuration is enforced (contract clauses, attestation, or technical reporting). [1]
What you actually need to do (step-by-step)
1) Define the control statement and scope boundary
Create a short control description in your control library:
- Control objective: Disable Autorun/Autoplay for removable media on all in-scope managed systems. [1]
- In-scope assets: all managed endpoints; include VDI gold images; include admin jump hosts; identify any allowed exception classes (OT, lab, kiosk). [1]
- Owner: Endpoint Engineering (technical), GRC/Compliance (oversight), IT Operations (exception approvals). [1]
2) Pick your technical enforcement mechanism per platform
You want centralized, tamper-resistant enforcement:
- Windows: enforce via Group Policy (GPO) or MDM configuration profiles. Confirm the setting covers both Autorun and Autoplay behaviors for removable media. [1]
- macOS: enforce via MDM profiles and configuration restrictions relevant to external media behaviors; document how your tooling prevents user override. [1]
- Linux: disable desktop environment autoplay/auto-mount behaviors where applicable; document your endpoint standard for workstation images. [1]
Practical tip: write the “how” as an engineering runbook and the “what” as the compliance requirement. Auditors need the “what,” but operators succeed with the “how.”
3) Implement via baseline configuration and change control
- Add the setting to your secure configuration baseline (the same place you manage screen lock, firewall, and macro settings). [1]
- Deploy to a pilot group representing common device types (laptops, desktops, VDI pool) and one “problem child” population (developers, field devices) to flush out conflicts.
- Roll out broadly through your endpoint management tool using staged deployment if your environment requires it; document the rollout decision and approval in change management records. [1]
4) Validate enforcement with independent checks
Do not rely on “policy applied” as your only validation. Combine:
- Configuration compliance reporting from GPO/MDM (device-level status).
- Spot checks on representative devices (screenshots or command output that shows Autoplay/Autorun is disabled).
- Drift detection (your endpoint configuration monitoring should flag devices where the setting is missing or reverted). [1]
5) Implement exceptions with compensating controls
Some environments claim they “need Autoplay” for a workflow. Treat this as a high-friction exception:
- Require a written business justification and time limit.
- Require compensating controls such as: removable media restrictions, application allowlisting on the device, malware scanning on insertion, and restricted local admin rights. [1]
- Keep an exception register entry that maps the exception to the safeguard, states the compensating controls, and shows approval. [1]
6) Operationalize recurring evidence capture
Your goal is “always-on proof”:
- Schedule recurring exports/reports from MDM/GPO compliance views.
- Keep a simple monthly or quarterly control operation record that states: population size in scope, number compliant, list of non-compliant devices with remediation tickets. Avoid percentages unless your tools produce them and you can retain the source report. [1]
If you use Daydream to manage your control library and evidence, map Safeguard 10.3 to a documented control operation and set an evidence request cadence so your team does not rebuild audit packets under pressure. [1]
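The device-level spot check in step 4 and the sample validation artifact in the evidence section both need a concrete definition of “disabled” on Windows, where Autorun and Autoplay are two separate policies. The PowerShell script below is an added example, not code from the original page or from any vendor tooling. It reads the registry values that the Windows AutoPlay Policies settings write (“Turn off AutoPlay” writes NoDriveTypeAutoRun, “Set the default behavior for AutoRun” writes NoAutorun, and “Disallow Autoplay for non-volume devices” writes NoAutoplayfornonVolume) and returns a record carrying hostname, timestamp and operator initials. It assumes it is run locally in an elevated PowerShell session on a Windows 10/11 device that receives Computer Configuration policy, that the -Operator parameter carries the reviewer’s initials, and that the output path under $env:TEMP is a placeholder for your real evidence store.

```powershell
# Added example (not from the original page): Windows device-level spot check
# for Safeguard 10.3. Reads the registry values written by the AutoPlay Policies
# GPO/MDM settings and returns an evidence record. Assumes an elevated local
# PowerShell session; -Operator is the reviewer's initials (assumption).

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of throwing, so a
    # missing policy shows up as "missing" in the record rather than an error.
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null
    }
}

function Test-RemovableMediaAutorun {
    param([string]$Operator = 'XX')

    # Both keys are written by Computer Configuration policies; a User
    # Configuration deployment writes the same value names under HKCU instead.
    $explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $windowsPolicy  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer'

    # "Turn off AutoPlay": NoDriveTypeAutoRun is a bitmask of drive types.
    # 0xFF = all drives; bit 0x04 = removable drives, bit 0x20 = CD/DVD drives.
    $noDriveType = Get-PolicyValue -Path $explorerPolicy -Name 'NoDriveTypeAutoRun'
    $autoplayOff = ($null -ne $noDriveType) -and (($noDriveType -band 0x24) -eq 0x24)

    # "Set the default behavior for AutoRun" -> "Do not execute any autorun
    # commands" writes NoAutorun = 1. This is the Autorun half of the safeguard.
    $noAutorun  = Get-PolicyValue -Path $explorerPolicy -Name 'NoAutorun'
    $autorunOff = ($noAutorun -eq 1)

    # "Disallow Autoplay for non-volume devices" (MTP/PTP devices such as
    # cameras and phones) writes NoAutoplayfornonVolume = 1.
    $nonVolume    = Get-PolicyValue -Path $windowsPolicy -Name 'NoAutoplayfornonVolume'
    $nonVolumeOff = ($nonVolume -eq 1)

    $noDriveTypeText = if ($null -eq $noDriveType) { 'missing' } else { '0x{0:X2}' -f $noDriveType }
    $noAutorunText   = if ($null -eq $noAutorun)   { 'missing' } else { [string]$noAutorun }

    [pscustomobject]@{
        Hostname             = $env:COMPUTERNAME
        Timestamp            = (Get-Date).ToString('o')
        Operator             = $Operator
        NoDriveTypeAutoRun   = $noDriveTypeText
        AutoplayDisabled     = $autoplayOff
        NoAutorun            = $noAutorunText
        AutorunDisabled      = $autorunOff
        NonVolumeAutoplayOff = $nonVolumeOff
        # Compliant only when both behaviors the safeguard names are disabled.
        Compliant            = ($autoplayOff -and $autorunOff)
    }
}

# Usage: run once per sampled device and keep the CSV unchanged as the
# step-4 validation artifact. $env:TEMP is a placeholder for your evidence store.
$record = Test-RemovableMediaAutorun -Operator 'AB'
$record | Format-List
$record | Export-Csv -Path (Join-Path $env:TEMP "safeguard-10.3-$($env:COMPUTERNAME).csv") -NoTypeInformation
```

The check deliberately requires both values rather than treating NoDriveTypeAutoRun alone as proof: a device can have Autoplay turned off for removable drives (0xFF, or the narrower 0xB5 that covers CD-ROM and removable drives) while NoAutorun is still absent, which is exactly the “disabled Autoplay but not Autorun” mistake listed later on this page. A “missing” value in the record is as useful to the auditor as a failing one, because it shows the policy never reached the device; feed those hostnames into the drift remediation queue from step 6.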
Required evidence and artifacts to retain
Store evidence in a way an auditor can replay the story:
Policy / standards
- Endpoint configuration standard that states Autorun/Autoplay is disabled for removable media. [1]
- Control narrative mapped to CIS v8 Safeguard 10.3 with scope statement. [2]
Technical configuration
- GPO/MDM profile screenshots or exported configuration settings showing the relevant Autorun/Autoplay disablement. [1]
- Deployment groups / assignment rules showing which device groups receive the policy. [1]
Operational proof
- Compliance report exports (device compliance status for the setting).
- Sample device validation artifacts (screenshots/command outputs) with hostname, timestamp, and operator initials. [1]
- Remediation tickets for exceptions or drift, with closure evidence. [1]
Exceptions
- Exception register entries, approvals, compensating controls, and review notes. [1]
Common exam/audit questions and hangups
- “Show me it’s enforced, not documented.” Have the GPO/MDM profile plus device compliance reporting ready. [1]
- “What systems are in scope?” Auditors dislike hand-wavy scopes. Provide an asset inventory extract or endpoint count by platform, then show the policy targeting logic. [1]
- “How do you know it stays disabled?” Show recurring evidence capture and drift remediation workflow. [1]
- “What about third party-supported endpoints?” Provide contractual responsibility language or a technical report produced by the third party’s management plane, plus your review/acceptance record. [1]
Frequent implementation mistakes (and how to avoid them)
- Mistake: relying on user training. Fix: enforce via GPO/MDM; treat training as supplemental. [1]
- Mistake: disabling Autoplay but not Autorun behaviors. Fix: explicitly verify both are addressed by your platform configuration and validate on an endpoint. [1]
- Mistake: excluding VDI images. Fix: bake the setting into the golden image and also enforce via the VDI management policy layer. [1]
- Mistake: exceptions without compensating controls. Fix: formal exception workflow tied to risk acceptance, with concrete compensating controls and review cadence. [1]
- Mistake: no evidence trail. Fix: pre-schedule evidence exports and store them with clear naming (date, fleet, control). Daydream-style evidence tasks help keep this from becoming a calendar reminder that nobody owns. [1]
Enforcement context and risk implications
No public enforcement cases were provided in the source catalog for this safeguard. In practice, the risk is operational and incident-driven: Autorun/Autoplay increases the chance that removable media introduces malware without deliberate user action, which can trigger broader compromise and regulatory exposure through downstream incident reporting obligations. Keep the discussion grounded: this safeguard reduces a known execution pathway and is straightforward to test. [1]
Practical 30/60/90-day execution plan
Use phases to match your change management reality.
First 30 days (baseline + pilot)
- Confirm in-scope asset populations (Windows/macOS/Linux/VDI) and identify device owners.
- Draft the control narrative and endpoint standard update mapped to Safeguard 10.3. [1]
- Build GPO/MDM profiles; run a pilot; document test results and any workflow breakage.
Days 31–60 (rollout + monitoring)
- Deploy to the broader fleet through normal change control.
- Turn on compliance reporting for the setting; create a remediation queue for non-compliant endpoints. [1]
- Stand up the exception workflow with required compensating controls and approval routing.
Days 61–90 (evidence hardening + audit readiness)
- Formalize recurring evidence capture (report exports + sampling). [1]
- Add control operation steps to your GRC calendar and assign ownership.
- Run an internal “mock audit”: produce the artifacts list above from scratch and fix gaps.
Frequently Asked Questions
Does disabling Autoplay also disable Autorun on Windows?
Not always. Validate both behaviors with your specific GPO/MDM settings and a device-level check, and retain proof that the applied configuration addresses the safeguard requirement. [1]
What counts as “removable media” for this safeguard?
Treat it broadly: USB mass storage, external drives, and similar removable storage presented to the OS. Document your definition in the control narrative so scope questions do not stall your assessment. [1]
We block USB storage. Do we still need Safeguard 10.3?
Usually yes, because exceptions happen and some removable media classes may still be permitted. Disabling Autorun/Autoplay is a low-friction safety layer and is easy to validate. [1]
How do we handle kiosks or lab devices that ingest media as part of operations?
Use an exception with compensating controls (restricted apps, scanning on insertion, tight privilege controls) and document the business justification and approval. Keep the exception list current and review it routinely. [1]
What evidence is “enough” for an auditor?
Provide (1) the enforced configuration artifact (GPO/MDM profile), (2) a fleet compliance report export, and (3) a small set of device-level validation samples, plus any exceptions with approvals. [1]
How can Daydream help without turning this into a big GRC project?
Map Safeguard 10.3 to a control record, attach the endpoint standard and the MDM/GPO artifacts, and schedule recurring evidence capture tasks so the same proof shows up every cycle without manual chasing. [1]
Footnotes
[1] CIS Controls v8.