Deny Write Access to Unprotected Removable Drives in Windows 11
Denying write access to unprotected removable drives in Windows 11 stops people from saving files to USB drives that aren’t secured.
This feature helps protect sensitive information by only allowing data to be written to drives you’ve set up with extra security, like BitLocker encryption.
Normally, Windows 11 lets you save anything to any plugged-in USB drive, which can be risky if a drive is lost or stolen.
You can set this security rule using the Local Group Policy Editor, a tool found in Windows 11 Pro, Enterprise, and Education versions.
Deny write access by opening Local Group Policy Editor, navigating to the BitLocker settings for removable drives, and enabling “Deny write access to removable drives not protected by BitLocker.” This restricts writing to BitLocker-encrypted drives only.
What is BitLocker?
BitLocker is a Windows security feature that encrypts your files, meaning only people with the correct key can read them. It protects critical data on your computer’s main drive, the Windows system itself, and also on USB sticks and other removable drives. BitLocker can protect:
You can use BitLocker to protect:
- USB drives and other removable drives
- Fixed drives inside your PC
- Your Windows operating system drive
When BitLocker Drive Encryption is enabled for the Windows 11 system drive, the computer can unlock it automatically during startup, removing the need for manual password entry each time the PC begins.
Why Deny Write Access to Unprotected Drives?
Saving files to drives secured with BitLocker protects your information. This BitLocker security prevents accidental saving to unsecured drives, reducing data risk.
How to Deny Write Access Using Local Group Policy Editor
Follow these steps:
Step 1Open the Local Group Policy Editor
- Click the Start button
- Type
Edit group policyand press Enter
Step 2Navigate to the BitLocker Settings
In the window that opens, navigate to this location:
Computer Configuration → Administrative Templates → Windows Components → BitLocker Drive Encryption → Removable Data Drives
Step 3Find and Change the Setting
To deny write access to removable drives not protected by BitLocker, locate a specific setting within Windows. This setting, named ‘Deny write access to removable drives not protected by BitLocker,’ is crucial for preventing users from saving files to unencrypted USB drives.

Step 4Choose Your Option
To deny write access to unprotected removable drives, select the ‘Enabled’ option when configuring the restriction. This setting instructs Windows that only BitLocker-protected drives can be written to, effectively making all other drives read-only by default.
- Not Configured (default) – Same as disabled. No restrictions.
- Enabled – You can only write to drives protected by BitLocker. Unprotected drives become read-only (you can view files, but not save new ones).
- Disabled – You can write to all removable drives, whether protected or not.
Select Enabled to protect your data.
Step 5Save and Restart
Click OK to save your changes.
Restart your PC to apply the changes.

Extra option: Enabling this setting also allows you to permit write access solely to devices configured by your organization. This is particularly useful for work environments.
How to Deny Write Access Using Windows Registry Editor
Editing settings in the Windows Registry enables users to deny write access to unprotected removable drives. It’s important to back up the Windows Registry before making changes, as incorrect edits can cause system instability. Administrator privileges are required for this action.
Step 1Open the Registry Editor
- Press
Windows + Rkeys to open the Run box - Type
regeditand press Enter
Step 2Go to the First Registry Path
Navigate to this path:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVEStep 3Create or Edit RDVDenyCrossOrg
Look for a value named RDVDenyCrossOrg. If it’s not there, create it:
- Right-click the right side of the window
- Click New → DWORD (32-bit) Value
- Name it
RDVDenyCrossOrg
Double-click RDVDenyCrossOrg and set its data to 0 to deny write access to unprotected drives.
Step 4Go to the Second Registry Path
Next, navigate to this path:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\FVEStep 5Create or Edit RDVDenyWriteAccess
Look for RDVDenyWriteAccess. If it’s missing, create it in the same manner.
Double-click RDVDenyWriteAccess and set its data to 1 to deny write access.
Step 6Close and Restart
After modifying the Registry settings to deny write access to unprotected removable drives, close the editor and restart your computer. To re-enable writing to all drives, you will need to remove the specific registry values that were added to block file changes.

1.To permit writing to all drives again, delete the two specific registry values. This action reverts the security setting that blocked file changes on removable drives, restoring normal functionality for user data and software installation on USB sticks or external hard drives.
Summary
Denying write access to unprotected removable drives in Windows 11 can be accomplished using either the Local Group Policy Editor or by editing the Registry. This security measure ensures that only BitLocker-protected drives permit file saving, thereby enhancing your data security against unauthorized access.
You can set this up using the Local Group Policy Editor, or if you’re comfortable with it, by editing the Registry.
Denying write access to unprotected removable drives in Windows 11 keeps personal files safer and reduces the risk of unwanted data being saved to those drives, particularly when using a drive without built-in security features.
If you want to learn more about BitLocker, check out this helpful guide: How to Turn On BitLocker in Windows 11.
Was this guide helpful?
About the Author
Richard
Tech Writer, IT Professional
Richard, a writer for Geek Rewind, is a tech enthusiast who loves breaking down complex IT topics into simple, easy-to-understand ideas. With years of hands-on experience in system administration and enterprise IT operations, he’s developed a knack for offering practical tips and solutions. Richard aims to make technology more accessible and actionable. He's deeply committed to the Geek Rewind community, always ready to answer questions and engage in discussions.
No comments yet — be the first to share your thoughts!