Deny Write Access to Unprotected Removable Drives in Windows 11

What is BitLocker?

BitLocker is a Windows tool that scrambles your data to keep it safe, so only you or trusted people can get to your files.

You can use BitLocker to protect:

• USB drives and other removable drives
• Fixed drives inside your PC
• Your Windows operating system drive

When BitLocker is turned on for your Windows system drive, your PC can unlock it automatically on startup.

Why Deny Write Access to Unprotected Drives?

Sometimes you want to make sure files can only be saved to drives protected by BitLocker. This keeps your data more secure. It also prevents accidentally saving data to unsafe drives.

How to Deny Write Access Using Local Group Policy Editor

Follow these steps:

Step 1Open the Local Group Policy Editor

1. Click the ⊞ Start button
2. Type Edit group policy and press Enter

Step 2Navigate to the BitLocker Settings

In the window that opens, go to this location:

Computer Configuration → Administrative Templates → Windows Components → BitLocker Drive Encryption → Removable Data Drives

Step 3Find and Change the Setting

Look for the setting named “Deny write access to removable drives not protected by BitLocker” and double-click it.

Step 4Choose Your Option

To deny write access to unprotected removable drives, you need to select the ‘Enabled’ option in the Group Policy settings.

• Not Configured (default) – Same as disabled. No restrictions.
• Enabled – You can only write to drives protected by BitLocker. Unprotected drives become read-only (you can view files, but not save new ones).
• Disabled – You can write to all removable drives, whether protected or not.

Select Enabled to protect your data.

Step 5Save and Restart

Click OK to save your changes.

🔄 Restart your PC to apply the changes.

Extra option: When you enable this setting, you can also choose to allow write access only to devices set up by your organization. This is useful for work computers.

How to Deny Write Access Using Windows Registry Editor

You can also do this by changing settings in the Windows Registry. Be careful when editing the registry — it’s best to back it up first. ⚠️ Admin privileges required.

Step 1Open the Registry Editor

1. Press Windows + R keys to open the Run box
2. Type regedit and press Enter

Step 2Go to the First Registry Path

Navigate to this path:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE

Step 3Create or Edit RDVDenyCrossOrg

Look for a value named RDVDenyCrossOrg. If it’s not there, create it:

1. Right-click the right side of the window
2. Click New → DWORD (32-bit) Value
3. Name it RDVDenyCrossOrg

Double-click RDVDenyCrossOrg and set its data to 0 (zero) to deny write access to unprotected drives.

Step 4Go to the Second Registry Path

Next, navigate to this path:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE

Step 5Create or Edit RDVDenyWriteAccess

Look for RDVDenyWriteAccess. If it’s missing, create it the same way.

Double-click RDVDenyWriteAccess and set its data to 1 to deny write access.

Step 6Close and Restart

Close Registry Editor and 🔄 restart your PC.

Note: If you want to only allow write access to devices from your organization, set both RDVDenyCrossOrg and RDVDenyWriteAccess to 1.

To go back to normal and allow writing to all drives, delete these two values from the Registry.

Summary

You can deny write access to unprotected removable drives by setting up Windows so it only allows writing to drives with BitLocker encryption turned on.

You can set this up using the Local Group Policy Editor, or if you’re comfortable with it, by editing the Registry.

This helps keep your files safe and reduces the risk of data being saved to unprotected drives.

If you want to learn more about BitLocker, check out this helpful guide: How to Turn On BitLocker in Windows 11.