Deny Write Access to Unprotected Drives in Windows 11

This article explains how to deny write access to fixed data drives not protected by BitLocker in Windows 11.

BitLocker helps protect computer data so only authorized users can access it. New files created on a BitLocker-enabled drive will also be protected.

Users can protect external, fixed, and operating system drives using BitLocker. When you enable BitLocker to protect the OS drive, it automatically unlocks the drive at startup using a TPM chip.

You can use the Deny write access to fixed drives not protected by BitLocker policy setting to configure whether BitLocker protection is required for a device to write data to a fixed data drive.

When this policy is enabled, all fixed data drives not BitLocker-protected will be mounted as read-only. If BitLocker protects the drive, it will be mounted with read and write access.

Deny write access to fixed data drives not protected by BitLocker

As mentioned above, users can use a policy setting in Windows to control whether BitLocker protection is required for a device to write data to a fixed data drive.

Here’s how to do it.

First, open the Local Group Policy Editor (gpedit.msc) by searching for “Edit group policy” on the Start menu.

Then, navigate to the folders below:

Computer Configuration -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption -> Fixed Data Drives

In the BitLocker Drive Encryption details pane on the right, locate and double-click the “Deny write access to fixed drives not protected by BitLocker” setting.

On the “Deny write access to fixed drives not protected by BitLocker” window, set the option to Not Configured, Enabled, or Disabled.

  • Not Configured (default) – Same as Disabled.
  • Enabled – all fixed data drives that are not BitLocker-protected will be mounted as read-only.
  • Disabled – all fixed data drives on the computer will be mounted with read and write access.

Click OK to save your changes. You may have to reboot your device to apply the settings.

Allow or deny write access to fixed drives not protected by BitLocker using the Windows Registry Editor

Yet another way to configure the policy to deny write access to fixed drives not protected by BitLocker is to use the Windows Registry editor.

First, open the Windows Registry editor as administrator.

Then, navigate to the registry key below.

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE

Next, double-click the FDVDenyWriteAccess (32-bit DWORD) value in the right pane of the FVE key to open it.

Then, enter a value of 1 to deny write access to all fixed drives not protected by BitLocker.

If you do not see the “FDVDenyWriteAccess” item, right-click a blank area and create a new DWORD (32-bit) Value registry item.

Then, type the name “FDVDenyWriteAccess” and set its value data to 1 to disable write access to all fixed drives not protected by BitLocker.

To restore the default behavior and continue using fixed drives that are not encrypted, delete the “FDVDenyWriteAccess” item created above.

Save your changes and restart your computer.

That should do it!
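The registry steps above can also be scripted. The following PowerShell sketch is an added example, not part of the original article: it reports the current FDVDenyWriteAccess value, lists the fixed data drives that would become read-only, and optionally sets or deletes the value. The `-Mode` parameter and the function names are hypothetical, and it assumes an elevated session with the BitLocker and Storage modules available.

```powershell
#Requires -RunAsAdministrator
# Added example: preview and apply the FDVDenyWriteAccess value described above.
param(
    [ValidateSet('Audit', 'Enable', 'Restore')]
    [string]$Mode = 'Audit'   # hypothetical parameter; 'Audit' changes nothing
)

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE'
$ValueName = 'FDVDenyWriteAccess'

function Get-DenyWriteState {
    # Returns the current DWORD, or $null when the value is absent (default behaviour).
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$ValueName } else { $null }
}

function Get-UnprotectedFixedDataDrive {
    # Fixed (non-removable) data volumes whose BitLocker protection is not on:
    # these are the drives mounted read-only once the policy is enabled.
    # Volumes mounted to a folder instead of a drive letter are not covered here.
    $fixedLetters = Get-Volume |
        Where-Object { $_.DriveType -eq 'Fixed' -and $_.DriveLetter } |
        ForEach-Object { "$($_.DriveLetter):" }
    Get-BitLockerVolume |
        Where-Object {
            $_.VolumeType -eq 'Data' -and
            $_.MountPoint -in $fixedLetters -and
            $_.ProtectionStatus -ne 'On'
        } |
        Select-Object MountPoint, VolumeStatus, ProtectionStatus
}

switch ($Mode) {
    'Enable' {
        # Create the FVE key if it does not exist, then set the DWORD to 1.
        if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
        New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    }
    'Restore' {
        # Deleting the value restores the default (read and write access).
        Remove-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    }
}

$state = Get-DenyWriteState
"{0} = {1}" -f $ValueName, $(if ($null -eq $state) { '<not set>' } else { $state })
"Fixed data drives without BitLocker protection:"
Get-UnprotectedFixedDataDrive | Format-Table -AutoSize
```

Run it once in the default Audit mode to see which drives would lose write access before enabling the policy. As with the manual steps, restart the computer after a change.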

Conclusion:

  • Implementing the “Deny write access to fixed drives not protected by BitLocker” policy setting ensures data protection on fixed data drives.
  • Users can choose to configure the setting through the Local Group Policy Editor or Windows Registry Editor, providing flexibility in management.
  • By following the steps outlined in this article, users can effectively enhance security measures and safeguard data integrity in Windows 11.