This tutorial will show you how to designate a Dev Drive as trusted or untrusted in Windows 11.
Microsoft introduced Dev Drive starting with Windows 11 build 22621.2338.
Dev Drive is a new form of storage volume available to improve performance for key developer workloads. Dev Drive is built upon Resilient File System (ReFS) technology and includes file system optimizations and features that provide more control over storage volume settings and security, including trust designation, antivirus configuration, and administrative control over what filters are attached. It has been designed to meet a developer’s needs to host project source code, working folders, and package caches. It is not designed for general consumer workloads such as document libraries, installing packaged applications or non-developer tools.
By default, to give the best possible performance, creating a Dev Drive automatically grants trust in the new volume. A trusted Dev Drive volume causes real-time protection to run in a special asynchronous “performance mode” for that volume. Running performance mode provides a balance between threat protection and performance. The balance is achieved by deferring security scans until after the open file operation has completed, instead of performing the security scan synchronously while the file operation is being processed. This mode of performing security scans inherently provides faster performance, but with less protection. However, enabling performance mode provides significantly better protection than other performance tuning methods such as using folder exclusions, which block security scans altogether.
The following table summarizes performance mode synchronous and asynchronous scan behavior.
Performance mode state | Scan type | Description | Summary |
---|---|---|---|
Not enabled (Off) | Synchronous (Real-time protection) | Opening a file initiates a Real-time protection scan. | Open now, scan now. |
Enabled (On) - default | Asynchronous | File open operations are scanned asynchronously. | Open now, scan later. |
An untrusted Dev Drive doesn't have the same benefits as a trusted Dev Drive. Security runs in synchronous, Real-time protection mode when a Dev Drive is untrusted. Real-time protection scans may impact performance.
For performance mode to be enabled, the Dev Drive must be designated as trusted and Microsoft Defender Real-time protection must be set to "On".
Starting with Windows 11 build 25931 (Canary), you can now enable or disable performance mode for Dev Drive protection in Windows Security.
While a Dev Drive is trusted by default, you can designate a Dev Drive as untrusted if you want better security at a possible performance cost.
References:
- Set up a Dev Drive on Windows 11 (learn.microsoft.com): Learn about the new Dev Drive storage available to improve file system performance for development scenarios using the ReFS volume format, including how to set it up, designate trust to use performance mode for Microsoft Defender Antivirus, customized filters, and FAQs.
- fsutil devdrv (learn.microsoft.com): Reference article for the fsutil devdrv command, which groups dev drive related functionality.
You must be signed in as an administrator to designate a Dev Drive as trusted or untrusted.
Contents
- Option One: See if a Dev Drive is Currently Trusted or Untrusted
- Option Two: Designate a Dev Drive as Trusted
- Option Three: Designate a Dev Drive as Untrusted
Option One: See if a Dev Drive is Currently Trusted or Untrusted
1 Open Windows Terminal (Admin), and select either Windows PowerShell or Command Prompt.
2 Type the command below into Windows Terminal (Admin), and press Enter.
fsutil devdrv query <drive letter>:
Substitute <drive letter> in the command above with the actual drive letter (ex: "F") of the Dev Drive you want to check.
For example: fsutil devdrv query F:
3 You will now see if this Dev Drive is currently trusted or untrusted.
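The check in Option One can be combined with the Real-time protection requirement described earlier. The following is an added example, not part of the original tutorial: the function name Get-DevDriveTrustReport and its output fields are hypothetical, and it assumes the query output contains the word "trusted" or "untrusted", so the raw output is kept for review.

```powershell
#Requires -RunAsAdministrator
# Added example: report Dev Drive trust and whether the two conditions
# for performance mode (trusted volume + Real-time protection on) are met.

function Get-DevDriveTrustReport {
    param(
        # Drive letters to check; default is every ReFS volume with a letter.
        # Not every ReFS volume is a Dev Drive, so non-Dev Drives may show
        # up as QueryFailed or Unknown.
        [char[]]$DriveLetter = (Get-Volume |
            Where-Object { $_.FileSystemType -eq 'ReFS' -and $_.DriveLetter } |
            Select-Object -ExpandProperty DriveLetter)
    )

    # Performance mode also needs Defender Real-time protection to be on.
    $rtpOn = (Get-MpComputerStatus).RealTimeProtectionEnabled

    foreach ($letter in $DriveLetter) {
        # Same query command as Option One; keep the raw text for review.
        $raw = (& fsutil.exe devdrv query "${letter}:" 2>&1 | Out-String).Trim()

        # Assumption: the output states "trusted" or "untrusted" in words.
        # Test "untrusted" first so it is not mistaken for "trusted".
        $trust = if ($LASTEXITCODE -ne 0)             { 'QueryFailed' }
                 elseif ($raw -match '\buntrusted\b') { 'Untrusted' }
                 elseif ($raw -match '\btrusted\b')   { 'Trusted' }
                 else                                 { 'Unknown' }

        [pscustomobject]@{
            Drive                     = "${letter}:"
            Trust                     = $trust
            RealTimeProtection        = $rtpOn
            PerformanceModePrereqsMet = ($trust -eq 'Trusted' -and $rtpOn)
            RawOutput                 = $raw
        }
    }
}

Get-DevDriveTrustReport | Format-List
```

A drive reported as Trusted is scanned asynchronously, so review the list and untrust any volume that does not need the performance benefit.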
Option Two: Designate a Dev Drive as Trusted
1 Open Windows Terminal (Admin), and select either Windows PowerShell or Command Prompt.
2 Type the command below into Windows Terminal (Admin), and press Enter.
fsutil devdrv trust <drive letter>:
Substitute <drive letter> in the command above with the actual drive letter (ex: "F") of the Dev Drive you want to designate as trusted.
For example: fsutil devdrv trust F:
Option Three: Designate a Dev Drive as Untrusted
1 Open Windows Terminal (Admin), and select either Windows PowerShell or Command Prompt.
2 Type the command below into Windows Terminal (Admin), and press Enter.
fsutil devdrv untrust <drive letter>:
Substitute <drive letter> in the command above with the actual drive letter (ex: "F") of the Dev Drive you want to designate as untrusted.
For example: fsutil devdrv untrust F:
That's it,
Shawn Brink