Skip to content
Follow
Windows

Deny Write Access to Unprotected Removable Drives in Windows 11

Richard
Written by
Richard
Feb 1, 2026 Updated Jul 13, 2026 4 min read
Deny Write Access to Unprotected Removable Drives in Windows 11
Deny Write Access to Unprotected Removable Drives in Windows 11

Denying write access to unprotected removable drives in Windows 11 stops people from saving files to USB drives that aren’t secured.

This feature helps protect sensitive information by only allowing data to be written to drives you’ve set up with extra security, like BitLocker encryption.

Normally, Windows 11 lets you save anything to any plugged-in USB drive, which can be risky if a drive is lost or stolen.

You can set this security rule using the Local Group Policy Editor, a tool found in Windows 11 Pro, Enterprise, and Education versions.

⚡ Quick Answer

Deny write access by opening Local Group Policy Editor, navigating to the BitLocker settings for removable drives, and enabling “Deny write access to removable drives not protected by BitLocker.” This restricts writing to BitLocker-encrypted drives only.

What is BitLocker?

BitLocker is a Windows security feature that encrypts your files, meaning only people with the correct key can read them. It protects critical data on your computer’s main drive, the Windows system itself, and also on USB sticks and other removable drives. BitLocker can protect:

You can use BitLocker to protect:

  • USB drives and other removable drives
  • Fixed drives inside your PC
  • Your Windows operating system drive

When BitLocker Drive Encryption is enabled for the Windows 11 system drive, the computer can unlock it automatically during startup, removing the need for manual password entry each time the PC begins.

Why Deny Write Access to Unprotected Drives?

Saving files to drives secured with BitLocker protects your information. This BitLocker security prevents accidental saving to unsecured drives, reducing data risk.

How to Deny Write Access Using Local Group Policy Editor

Follow these steps:

Step 1Open the Local Group Policy Editor

  1. Click the Start button
  2. Type Edit group policy and press Enter

Step 2Navigate to the BitLocker Settings

In the window that opens, navigate to this location:

Computer Configuration → Administrative Templates → Windows Components → BitLocker Drive Encryption → Removable Data Drives

Step 3Find and Change the Setting

To deny write access to removable drives not protected by BitLocker, locate a specific setting within Windows. This setting, named ‘Deny write access to removable drives not protected by BitLocker,’ is crucial for preventing users from saving files to unencrypted USB drives.

Deny write access to removable drive not protected with BitLocker
Deny write access to removable drive not protected with BitLocker

Step 4Choose Your Option

To deny write access to unprotected removable drives, select the ‘Enabled’ option when configuring the restriction. This setting instructs Windows that only BitLocker-protected drives can be written to, effectively making all other drives read-only by default.

  • Not Configured (default) – Same as disabled. No restrictions.
  • Enabled – You can only write to drives protected by BitLocker. Unprotected drives become read-only (you can view files, but not save new ones).
  • Disabled – You can write to all removable drives, whether protected or not.

Select Enabled to protect your data.

Step 5Save and Restart

Click OK to save your changes.

Restart your PC to apply the changes.

Options for denying write access in BitLocker policy
Options for denying write access in BitLocker policy

Extra option: Enabling this setting also allows you to permit write access solely to devices configured by your organization. This is particularly useful for work environments.

How to Deny Write Access Using Windows Registry Editor

Editing settings in the Windows Registry enables users to deny write access to unprotected removable drives. It’s important to back up the Windows Registry before making changes, as incorrect edits can cause system instability. Administrator privileges are required for this action.

Step 1Open the Registry Editor

  1. Press Windows + R keys to open the Run box
  2. Type regedit and press Enter

Step 2Go to the First Registry Path

Navigate to this path:

🗝️Registry
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE

Step 3Create or Edit RDVDenyCrossOrg

Look for a value named RDVDenyCrossOrg. If it’s not there, create it:

  1. Right-click the right side of the window
  2. Click NewDWORD (32-bit) Value
  3. Name it RDVDenyCrossOrg

Double-click RDVDenyCrossOrg and set its data to 0 to deny write access to unprotected drives.

Step 4Go to the Second Registry Path

Next, navigate to this path:

🗝️Registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE

Step 5Create or Edit RDVDenyWriteAccess

Look for RDVDenyWriteAccess. If it’s missing, create it in the same manner.

Double-click RDVDenyWriteAccess and set its data to 1 to deny write access.

Step 6Close and Restart

After modifying the Registry settings to deny write access to unprotected removable drives, close the editor and restart your computer. To re-enable writing to all drives, you will need to remove the specific registry values that were added to block file changes.

Registry settings to deny write access
Registry settings to deny write access

📝Note
To allow write access only to devices from your organization, set both RDVDenyCrossOrg and RDVDenyWriteAccess to 1.

To permit writing to all drives again, delete the two specific registry values. This action reverts the security setting that blocked file changes on removable drives, restoring normal functionality for user data and software installation on USB sticks or external hard drives.

Summary

Denying write access to unprotected removable drives in Windows 11 can be accomplished using either the Local Group Policy Editor or by editing the Registry. This security measure ensures that only BitLocker-protected drives permit file saving, thereby enhancing your data security against unauthorized access.

You can set this up using the Local Group Policy Editor, or if you’re comfortable with it, by editing the Registry.

Denying write access to unprotected removable drives in Windows 11 keeps personal files safer and reduces the risk of unwanted data being saved to those drives, particularly when using a drive without built-in security features.

If you want to learn more about BitLocker, check out this helpful guide: How to Turn On BitLocker in Windows 11.

Was this guide helpful?

Tags: #Windows 11
Was this helpful?
Richard

About the Author

Richard

Tech Writer, IT Professional

Richard, a writer for Geek Rewind, is a tech enthusiast who loves breaking down complex IT topics into simple, easy-to-understand ideas. With years of hands-on experience in system administration and enterprise IT operations, he’s developed a knack for offering practical tips and solutions. Richard aims to make technology more accessible and actionable. He's deeply committed to the Geek Rewind community, always ready to answer questions and engage in discussions.

📚 Related Tutorials

How to Turn On BitLocker to Protect a Data Drive in Windows 11
Windows How to Turn On BitLocker to Protect a Data Drive in Windows 11
How to Turn On BitLocker for Your Windows 11 Operating System Drive
Windows How to Turn On BitLocker for Your Windows 11 Operating System Drive
How to Enable or Disable BitLocker to Unlock OS Drive with PIN or USB at Startup in Windows 11
Windows How to Enable or Disable BitLocker to Unlock OS Drive with PIN or USB at Startup in Windows 11
How to View Local Group Policies that are Configured in Windows 11
Windows How to View Local Group Policies that are Configured in Windows 11

No comments yet — be the first to share your thoughts!

Leave a Comment

Your email address will not be published. Required fields are marked *