Geek Rewind

BitLocker drive encrytion featured image

Deny Write Access to Unprotected Removable Drives in Windows 11

This article explains how to deny write access to removable drives not protected by BitLocker in Windows 11.

BitLocker helps protect computer data so only authorized users can access it. New files created on a BitLocker-enabled drive will also be protected.

Users can protect external, fixed, and operating system drives using BitLocker. When you enable BitLocker to protect the OS drive, it automatically unlocks the drive at startup using a TPM chip.

You can use the Deny write access to removable drives not protected by BitLocker policy setting to configure whether BitLocker protection is required for a device to write data to a removable data drive.

When this policy is enabled, all removable data drives that are not BitLocker-protected are mounted as read-only, and drive protected by BitLocker will be mounted with read and write access.

Deny write access to removable drives not protected by BitLocker

As mentioned above, users can configure a policy setting in Windows to configure whether BitLocker protection is required for a device to write data to a removable data drive.

Here’s how to do it.

First, open the Local Group Policy Editor (gpedit.msc). (Search for “Edit group policy”) on the Start menu.

Then, navigate the folders below:

Computer Configuration -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption -> Removable Data Drives

In the BitLocker Drive Encryption details pane on the right, locate and double-click the “Deny write access to removable drives not protected by BitLocker” settings.

Deny write access to removeable drive not protected with BitLocker

On the “Deny write access to removable drives not protected by BitLocker” window, set the option to Not ConfigureEnabled, or Disabled.

  • Not Configured (default) – Same as Disabled.
  • Enabled – all removable data drives that are not BitLocker-protected will be mounted as read-only.
  • Disabled – all removable data drives on the computer will be mounted with read and write access.
Deny write access to removeable drive not protected with BitLocker options

When enabled, you can further configure the policy under Options to select “Do not allow write access to devices configured in another organization.”

If the “Deny write access to devices configured in another organization” option is selected, only drives with identification fields matching the computer’s identification fields will be given write access. When a removable data drive is accessed it will be checked for valid identification field and allowed identification fields. These fields are defined by the “Provide the unique identifiers for your organization” policy setting.

Deny write access to removeable drive not protected with BitLocker options selection

Click OK to save your changes. You may have to reboot your device for the settings to apply.

Allow or deny write access to removable drives not protected by BitLocker using the Windows Registry Editor

Yet another way to configure the policy to deny write access to drive not protected by BitLocker is to use the Windows Registry editor.

First, open the Windows Registry and navigate to the folder key path below.

ComputerHKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftFVE

Next, double-click these two (REG_DWORD) names on the FVE key’s right pane to open it.

RDVDenyCrossOrg

Then, enter a value 0 to deny access to drive not encrypted by BitLocker.

Next, navigate to the registry key below.

ComputerHKEY_LOCAL_MACHINESYSTEMCurrentControlSetPoliciesMicrosoftFVE

Then, double-click these two (REG_DWORD) names on the FVE key’s right pane to open it.

RDVDenyWriteAccess

Then, enter a value 1 to deny access to drive not encrypted by BitLocker.

If you do not see the two items, right-click a blank area and create a new DWORD (32-bit) registry item for both.

Then, enter a value 0 for “RDVDenyCrossOrg” and 1 for “RDVDenyWriteAccess” to deny access to drives not encrypted by BitLocker.

Deny write access to drives not protected by BitLocker

To enable the option “Do not allow write access to devices configured in another organization,” change the values for both “RDVDenyCrossOrg” and “RDVDenyWriteAccess” to 1.

To restore the default behavior and continue to use removeable drives not encrypted, delete both items created above.

RDVDenyCrossOrg
RDVDenyWriteAccess

Save your changes and restart your computer.

That should do it!

Conclusion:

  • Implementing the “Deny write access to removable drives not protected by BitLocker” policy setting in Windows 11 ensures that only BitLocker-protected devices can write data to removable drives, enhancing data security.
  • The policy can be easily configured through the Local Group Policy Editor, allowing users to set the desired level of access for removable data drives.
  • Alternatively, users can utilize the Windows Registry Editor to deny write access to drives not protected by BitLocker, offering an additional method for implementing this security measure.
  • Following these steps, users can effectively strengthen their data protection measures and ensure that only authorized devices can write to removable drives in a BitLocker environment.

Frequently Asked Questions

How do I deny write access to removable drives in Windows 11?

To deny write access to removable drives in Windows 11, open the Local Group Policy Editor and navigate to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Removable Data Drives. Double-click on 'Deny write access to removable drives not protected by BitLocker' and set it to Enabled.

What happens when I enable the deny write access policy?

When you enable the deny write access policy, all removable data drives that are not protected by BitLocker will be mounted as read-only. This means users will not be able to write data to these drives until they are protected by BitLocker.

Can I configure write access for specific organizations?

Yes, you can configure write access for specific organizations by selecting the option 'Do not allow write access to devices configured in another organization' within the policy settings. This restricts write access to only those drives that match the computer's identification fields.

What is BitLocker and why is it important?

BitLocker is a disk encryption feature in Windows that helps protect data by encrypting entire drives. It ensures that only authorized users can access the data, making it crucial for safeguarding sensitive information on both internal and removable drives.

Do I need to restart my computer after changing the policy settings?

Yes, after changing the policy settings for denying write access to removable drives, you may need to reboot your device for the changes to take effect. This ensures that the new settings are applied correctly.

Categories:

Tags:

You May Also Like

Leave a Reply

Your email address will not be published. Required fields are marked *

Exit mobile version