Deny Write Access to Unprotected Drives in Windows 11

Why Block Writing to Unprotected Drives?

BitLocker is a built-in Windows tool that protects your files by encrypting your drives. When you use BitLocker, only people with permission can open and change files on the drive. By blocking write access to unencrypted drives, you keep your data safe from accidental changes or security risks.

What Drives Can BitLocker Protect?

• External drives (like USB sticks)
• Internal fixed drives
• Your main Windows system drive

When BitLocker is turned on for your Windows system drive, it can unlock automatically when you start your PC if you have the right security chip (called TPM).

What Happens When You Block Unprotected Drives?

Windows lets you set a rule to block writing (saving or changing files) on any fixed drives that don’t have BitLocker protection. This means your computer will only allow changes on drives that are encrypted and secure. Unencrypted drives become read-only.

Method 1Using Group Policy Editor

You can deny write access to unprotected drives in Windows 11 using the Group Policy Editor by following a few straightforward steps.

1. Click the ⊞ Start button and type Edit group policy. Click to open the Local Group Policy Editor.
2. In the left panel, follow this path: Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Fixed Data Drives
3. In the right panel, find and double-click Deny write access to fixed drives not protected by BitLocker.
4. Choose one of these options:

   • Not Configured (default) – Same as Disabled below.
   • Enabled – Blocks writing to drives without BitLocker. Those drives will be read-only.
   • Disabled – Allows writing to all fixed drives, with or without BitLocker.
5. Click OK to save your choice.
6. 🔄 Restart your computer to apply the changes.

Here’s a screenshot of the setting:

Method 2Using Registry Editor

Denying write access to unprotected drives in Windows 11 can also be done using the Registry Editor, but be sure to back it up first.

1. [ADMIN REQUIRED] Open Registry Editor as an administrator:

   • ⊞ Click Start, type regedit, right-click it and select Run as administrator.
2. Go to this location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE
3. Look for a value named FDVDenyWriteAccess in the right pane.
4. If it doesn’t exist, 🖱️ right-click on the empty space, select New > DWORD (32-bit) Value, and name it FDVDenyWriteAccess.
5. Double-click FDVDenyWriteAccess and set its value to 1 to block writing on unprotected drives.
6. Click OK and close the Registry Editor.
7. 🔄 Restart your computer to make the change take effect.

If you want to allow writing again on unprotected drives, delete the FDVDenyWriteAccess entry or set its value to 0.

Summary

Setting up BitLocker to deny write access to unprotected drives is a simple way to keep your data safer, preventing changes on drives not protected by BitLocker.