Deny Write Access to Unprotected Removable Drives in Windows 11

This guide will help you stop your Windows 11 computer from saving (writing) files to USB drives or other removable drives that are not protected with BitLocker. BitLocker is a tool that keeps your data safe by encrypting your drives.

What is BitLocker?

BitLocker helps protect your files so only you or authorized people can access them. It works by encrypting your drive, which means it scrambles the data to keep it safe.

You can use BitLocker to protect:

  • USB drives and other removable drives
  • Fixed drives inside your PC
  • Your Windows operating system drive

When BitLocker is turned on for your Windows system drive, your PC can unlock it automatically when it starts up.

Why Deny Write Access to Unprotected Drives?

Sometimes, you want to be sure that files can only be saved to drives that are protected by BitLocker. This helps keep your data more secure and prevents accidentally writing data to unsafe drives.

How to Deny Write Access Using Local Group Policy Editor

Follow these simple steps:

  1. Open the Local Group Policy Editor:
    • Click the Start button
    • Type Edit group policy and press Enter
  2. In the window that opens, go here:
    Computer Configuration → Administrative Templates → Windows Components → BitLocker Drive Encryption → Removable Data Drives

  3. Look for the setting named “Deny write access to removable drives not protected by BitLocker” and double-click it.
  4. Choose one of these options:
    • Not Configured (default) – The same as Disabled.
    • Enabled – You can only write to drives protected by BitLocker. Unprotected drives will be read-only (you can view files, but not save new ones).
    • Disabled – You can write to all removable drives, whether they are protected or not.
  5. Click OK to save.
  6. Restart your PC to apply the changes.

Extra option: When you enable the setting, you can also choose to allow write access only to devices set up by your own organization. This is useful for work computers.


How to Deny Write Access Using Windows Registry Editor

If you prefer, you can do the same by changing some settings in the Windows Registry. Be careful when editing the registry — it’s best to back it up first.

  1. Open the Registry Editor:
    • Press Windows + R keys to open the Run box.
    • Type regedit and press Enter.
  2. Go to this path:
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE

  3. Look for a value named RDVDenyCrossOrg. If it’s not there, create it:
    • Right-click the right side → New → DWORD (32-bit) Value
    • Name it RDVDenyCrossOrg
  4. Double-click RDVDenyCrossOrg and set the value to 0 (zero) to deny write access to unprotected drives.
  5. Next, go to this path:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE

  6. Look for RDVDenyWriteAccess. If it’s missing, create it the same way.
  7. Double-click RDVDenyWriteAccess and set the value to 1 to deny write access.
  8. Close Registry Editor and restart your PC.

Note: If you want to only allow write access to devices from your organization, set both RDVDenyCrossOrg and RDVDenyWriteAccess to 1.

To go back to normal (allow writing to all drives), just delete these two values from the Registry.
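
The registry steps above as a PowerShell script, added here as an example and not part of the original guide. It writes both values, covers the organization-only and revert cases, and reports the effective state; the function names and the -Mode values are assumptions made for this example.

```powershell
#Requires -RunAsAdministrator
# Added example: applies and audits the two registry values from the steps above.
# Function names and -Mode values are hypothetical, chosen for this example.

$FveSoftware = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$FveSystem   = 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE'

function Get-RdvValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-RdvWritePolicy {
    $deny  = Get-RdvValue $FveSystem   'RDVDenyWriteAccess'
    $cross = Get-RdvValue $FveSoftware 'RDVDenyCrossOrg'
    # A missing RDVDenyWriteAccess behaves like Disabled: writes are allowed everywhere.
    $state = if ($deny -ne 1)      { 'Writes allowed to all removable drives' }
             elseif ($cross -eq 1) { 'Writes only to BitLocker drives from your organization' }
             else                  { 'Writes only to BitLocker-protected drives' }
    [pscustomobject]@{ RDVDenyWriteAccess = $deny; RDVDenyCrossOrg = $cross; Effective = $state }
}

function Set-RdvWritePolicy {
    param([Parameter(Mandatory)][ValidateSet('DenyUnprotected','OrgOnly','AllowAll')][string]$Mode)
    if ($Mode -eq 'AllowAll') {
        # Going back to normal means deleting both values.
        Remove-ItemProperty -Path $FveSystem   -Name 'RDVDenyWriteAccess' -ErrorAction SilentlyContinue
        Remove-ItemProperty -Path $FveSoftware -Name 'RDVDenyCrossOrg'    -ErrorAction SilentlyContinue
        return
    }
    foreach ($p in $FveSoftware, $FveSystem) {
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
    }
    $cross = if ($Mode -eq 'OrgOnly') { 1 } else { 0 }
    New-ItemProperty -Path $FveSoftware -Name 'RDVDenyCrossOrg'    -Value $cross -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $FveSystem   -Name 'RDVDenyWriteAccess' -Value 1      -PropertyType DWord -Force | Out-Null
}

# Apply the setting from the steps above, then show what is now configured.
Set-RdvWritePolicy -Mode DenyUnprotected
Get-RdvWritePolicy | Format-List
```

Run it from an elevated PowerShell window and restart the PC afterwards, as with the manual steps.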

Summary

  • You can protect your data by making sure Windows only allows writing to removable drives that have BitLocker encryption.
  • You can set this up easily using the Local Group Policy Editor or by editing the Registry if you’re comfortable with that.
  • This helps keep your files safe and reduces the risk of data being saved to unprotected drives.

If you want to learn more about BitLocker, check out this helpful guide: How to Turn On BitLocker in Windows 11.
