Privacy and Security Deny Write Access to Removable Drives not Protected by BitLocker in Windows 11


  • Staff
BitLocker_drive_banner.png

This tutorial will show you how to allow or deny write access to removable drives not protected by BitLocker for all users in Windows 10 and Windows 11.

BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned drives and computers. You can turn on BitLocker protection for operating system drives, fixed data drives, and removable data drives.

You can use the Deny write access to removable drives not protected by BitLocker policy setting to configure whether BitLocker protection is required for a device to be able to write data to a removable data drive.

If you enable this policy setting:
  • All removable data drives that are not BitLocker-protected are mounted as read-only with "This disk is write-protected".
  • If the drive is protected by BitLocker, it's mounted with read and write access.
  • If the Do not allow write access to devices configured in another organization option is selected, only drives with identification fields matching the computer's identification fields are given write access.
If you disable or do not configure this policy setting, all removable data drives on the computer are mounted with read and write access.

You must be signed in as an administrator to allow or deny write access to removable drives not protected by BitLocker.


This Deny write access to removable drives not protected by BitLocker policy setting is ignored if the policy settings Removable Disks: Deny write access is enabled.




Contents

  • Option One: Allow or Deny Write Access to Removable Drives not Protected by BitLocker in Local Group Policy Editor
  • Option Two: Allow or Deny Write Access to Removable Drives not Protected by BitLocker using REG file


EXAMPLE: Deny write access to removable drives not protected by BitLocker

Encrypt_this_drive_notification.png
This_disk_is_write-protected.png





Option One

Allow or Deny Write Access to Removable Drives not Protected by BitLocker in Local Group Policy Editor


The Local Group Policy Editor is only available in the Windows 10/11 Pro, Enterprise, and Education editions.

All editions can use Option Two to configure the same policy.


1 Open the all users, specific users or groups, or all users except administrators Local Group Policy Editor for how you want this policy applied.

2 Navigate to the policy location below in the left pane of the Local Group Policy Editor. (see screenshot below)

Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Removable Data Drives

Deny_write_access_to_removable_drives_not_protected_by_BitLocker_gpedit-1.png

3 In the right pane of Removable Data Drives in the Local Group Policy Editor, double click/tap on the Deny write access to removable drives not protected by BitLocker policy to edit it. (see screenshot above)

4 Do step 5 (allow) or step 6 (deny) below for what you want.

5 Allow Write Access to Removable Drives not Protected by BitLocker

This is the default setting.


A) Select (dot) Not Configured. (see screenshot below)​

B) Click/tap on OK, and go to step 7.​

Deny_write_access_to_removable_drives_not_protected_by_BitLocker_gpedit-2.png

6 Deny Write Access to Removable Drives not Protected by BitLocker

A) Select (dot) Enabled. (see screenshot below)​

B) Under "Options", check or uncheck (default) Do not allow write access to devices configured in another organization for what you want.​

If the Do not allow write access to devices configured in another organization option is checked, only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive is accessed it will be checked for valid identification field and allowed identification fields. These fields are defined by the Provide the unique identifiers for your organization policy setting located at Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption in the Local Group Policy Editor.


C) Click/tap on OK, and go to step 7.​

Deny_write_access_to_removable_drives_not_protected_by_BitLocker_gpedit-3.png

7 You can now close the Local Group Policy Editor if you like.




Option Two

Allow or Deny Write Access to Removable Drives not Protected by BitLocker using REG file


1 Do step 2 (allow), step 3 (deny), or step 4 (deny also from another organization) below for what you want.

2 Allow Write Access to Removable Drives not Protected by BitLocker

This is the default setting.


A) Click/tap on the Download button below to download the file below, and go to step 5 below.​

Allow_write_access_to_removable_drives_not_protected_by_BitLocker.reg


(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE]
"RDVDenyCrossOrg"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE]
"RDVDenyWriteAccess"=-

3 Deny Write Access to Removable Drives not Protected by BitLocker

A) Click/tap on the Download button below to download the file below, and go to step 5 below.​

Deny_write_access_to_removable_drives_not_protected_by_BitLocker.reg


(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE]
"RDVDenyCrossOrg"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE]
"RDVDenyWriteAccess"=dword:00000001

4 Deny Write Access to Removable Drives not Protected by BitLocker and from another Organization

This is for the Do not allow write access to devices configured in another organization option that only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive is accessed it will be checked for valid identification field and allowed identification fields. These fields are defined by the Provide the unique identifiers for your organization policy setting located at Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption in the Local Group Policy Editor.


A) Click/tap on the Download button below to download the file below, and go to step 5 below.​

Deny_write_access_to_removable_drives_not_protected_by_BitLocker_and_from_another_organization.reg


(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE]
"RDVDenyCrossOrg"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE]
"RDVDenyWriteAccess"=dword:00000001

5 Save the REG file to your desktop.

6 Double click/tap on the downloaded REG file to merge it.

7 When prompted, click/tap on Run, Yes (UAC), Yes, and OK to approve the merge.

8 You can now delete the downloaded REG file if you like.


That's it,
Shawn Brink


 

Attachments

  • Allow_write_access_to_removable_drives_not_protected_by_BitLocker.reg
    792 bytes · Views: 4
  • Deny_write_access_to_removable_drives_not_protected_by_BitLocker.reg
    844 bytes · Views: 3
  • Deny_write_access_to_removable_drives_not_protected_by_BitLocker_and_from_another_organization.reg
    844 bytes · Views: 2
Last edited:

Latest Support Threads

Back
Top Bottom