Deny Write Access to Unprotected Drives in Windows 11

This guide shows how to stop a Windows 11 computer from saving files to fixed drives that are not protected by BitLocker encryption, so that data is only written to drives that are encrypted.

BitLocker is a built-in Windows tool that protects your files by encrypting your drives. When you use BitLocker, only people with permission can open and change files on the drive.

You can use BitLocker to protect:

  • External drives (like USB sticks)
  • Internal fixed drives
  • Your main Windows system drive

When BitLocker is turned on for your Windows system drive, the drive can unlock automatically when you start your PC, provided the PC has a Trusted Platform Module (TPM) security chip.

Windows also lets you set a rule to block writing (saving or changing files) on any fixed drives that don’t have BitLocker protection. This means your computer will only allow changes on drives that are encrypted and secure.

How to Stop Writing to Unprotected Drives Using Group Policy Editor

Follow these simple steps to set this up:

  1. Click the Start button and type Edit group policy. Click to open the Local Group Policy Editor.
  2. In the left panel, follow this path:
    Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Fixed Data Drives

  3. In the right panel, find and double-click Deny write access to fixed drives not protected by BitLocker.
  4. Choose one of these options:
    • Not Configured (default) – Same as Disabled below.
    • Enabled – Blocks writing to drives without BitLocker. Those drives will be read-only.
    • Disabled – Allows writing to all fixed drives, with or without BitLocker.
  5. Click OK to save your choice.
  6. Restart your computer to apply the changes.

[Screenshot: Group Policy setting to deny write access to unprotected drives]

How to Do the Same Using the Registry Editor

If you prefer, you can also make this change by editing the Windows Registry. Be careful when editing the Registry – it’s a good idea to make a backup first.

  1. Open Registry Editor as an administrator:
    • Click Start, type regedit, right-click it and select Run as administrator.
  2. Go to this location:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE

  3. Look for a value named FDVDenyWriteAccess in the right pane.
  4. If it doesn’t exist, right-click on the empty space, select New > DWORD (32-bit) Value, and name it FDVDenyWriteAccess.
  5. Double-click FDVDenyWriteAccess and set its value to 1 to block writing on unprotected drives.
  6. Click OK and close the Registry Editor.
  7. Restart your computer to make the change take effect.

If you want to allow writing again on unprotected drives, delete the FDVDenyWriteAccess entry or set its value to 0.

[Screenshot: Registry Editor setting to deny write access to unprotected drives]
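The registry steps above can be scripted. The following PowerShell is an added example, not part of the original guide: it reports which fixed data drives would become read-only and writes FDVDenyWriteAccess only when run with -Enforce (a hypothetical switch name chosen for this example).

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original guide). -Enforce is a hypothetical switch name.
param([switch]$Enforce)

$fvePath   = 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE'
$valueName = 'FDVDenyWriteAccess'

# Current state: a missing value behaves like 0 (Not Configured / Disabled).
$current = (Get-ItemProperty -Path $fvePath -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($null -eq $current) { $current = 0 }
Write-Host "$valueName is currently $current"

# Mount points ("D:") of fixed volumes, so removable drives are left out.
$fixed = Get-Volume |
    Where-Object { $_.DriveType -eq 'Fixed' -and $_.DriveLetter } |
    ForEach-Object { "$($_.DriveLetter):" }

# The policy sits under Fixed Data Drives, so only Data volumes are checked.
$unprotected = @(Get-BitLockerVolume | Where-Object {
    $_.VolumeType -eq 'Data' -and
    $_.MountPoint -in $fixed -and
    $_.ProtectionStatus -ne 'On'
})

if ($unprotected.Count -gt 0) {
    Write-Warning 'These fixed data drives will be read-only once the policy applies:'
    $unprotected | Format-Table MountPoint, VolumeStatus, ProtectionStatus -AutoSize
} else {
    Write-Host 'All fixed data drives have BitLocker protection turned on.'
}

if ($Enforce) {
    # Create the key only if it is missing, leaving existing BitLocker policy values in place.
    if (-not (Test-Path $fvePath)) { New-Item -Path $fvePath -Force | Out-Null }
    New-ItemProperty -Path $fvePath -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Host "$valueName set to 1. Restart the computer to apply the change."
}
```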

Summary

  • Using this setting helps keep your data safe by only allowing changes on drives protected by BitLocker.
  • You can set this up easily with either the Group Policy Editor or Registry Editor.
  • After setting it up, your PC will prevent writing to any unencrypted fixed drives, so files cannot be saved or changed on a drive that lacks BitLocker protection.

If you want to learn more about turning on BitLocker, check out this helpful guide: How to Turn On BitLocker in Windows 11.

