Designate Dev Drive as Trusted or Untrusted in Windows 11



This tutorial will show you how to designate a Dev Drive as trusted or untrusted in Windows 11.

Microsoft introduced Dev Drive starting with Windows 11 build 22621.2338.

Dev Drive is a new form of storage volume available to improve performance for key developer workloads. Dev Drive is built upon Resilient File System (ReFS) technology and includes file system optimizations and features that provide more control over storage volume settings and security, including trust designation, antivirus configuration, and administrative control over what filters are attached. It has been designed to meet a developer’s needs to host project source code, working folders, and package caches. It is not designed for general consumer workloads such as document libraries, installing packaged applications or non-developer tools.

By default, to give the best possible performance, creating a Dev Drive automatically grants trust in the new volume. A trusted Dev Drive volume causes real-time protection to run in a special asynchronous "performance mode" for that volume. Performance mode provides a balance between threat protection and performance. The balance is achieved by deferring security scans until after the open file operation has completed, instead of performing the security scan synchronously while the file operation is being processed. This mode of performing security scans inherently provides faster performance, but with less protection. However, enabling performance mode provides significantly better protection than other performance tuning methods such as using folder exclusions, which block security scans altogether.

The following table summarizes performance mode synchronous and asynchronous scan behavior.

| Performance mode state | Scan type | Description | Summary |
| --- | --- | --- | --- |
| Not enabled (Off) | Synchronous (Real-time protection) | Opening a file initiates a Real-time protection scan. | Open now, scan now. |
| Enabled (On) - default | Asynchronous | File open operations are scanned asynchronously. | Open now, scan later. |

An untrusted Dev Drive doesn't have the same benefits as a trusted Dev Drive. Security runs in synchronous, Real-time protection mode when a Dev Drive is untrusted. Real-time protection scans may impact performance.

For performance mode to be enabled, the Dev Drive must be designated as trusted and Microsoft Defender Real-time protection must be set to "On".

Starting with Windows 11 build 25931 (Canary), you can now enable or disable performance mode for Dev Drive protection in Windows Security.

While a Dev Drive is trusted by default, you can designate it as untrusted if you want better security at a possible performance cost.



You must be signed in as an administrator to designate a Dev Drive as trusted or untrusted.








Option One

See if a Dev Drive is Currently Trusted or Untrusted


1 Open Windows Terminal (Admin), and select either Windows PowerShell or Command Prompt.

2 Type the command below into Windows Terminal (Admin), and press Enter.

fsutil devdrv query <drive letter>:

Substitute <drive letter> in the command above with the actual drive letter (ex: "F") of the Dev Drive you want to check.

For example: fsutil devdrv query F:


3 You will now see if this Dev Drive is currently trusted or untrusted.
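
To check every Dev Drive at once instead of one drive letter at a time, the PowerShell script below (an added example, not part of the original tutorial) runs the Option One query against each ReFS volume and reports whether performance mode can apply. The function names are hypothetical, and the text matching assumes the English fsutil output contains the word "trusted" or "untrusted", which this page does not show.

```powershell
#Requires -RunAsAdministrator
# Added example: audit the trust designation of every lettered ReFS volume.

function Get-DevDriveTrustState {
    param([Parameter(Mandatory)][string]$QueryOutput)
    # ASSUMPTION: the English output of "fsutil devdrv query" contains
    # "untrusted" / "not trusted" or "trusted"; exact wording is not on this page.
    # Negative forms are tested first because "untrusted" contains "trusted".
    if ($QueryOutput -match '(?i)\b(untrusted|not[\s-]+trusted)\b') { return 'Untrusted' }
    if ($QueryOutput -match '(?i)\btrusted\b') { return 'Trusted' }
    # Anything else (for example a ReFS volume that is not a Dev Drive,
    # or localized output) is reported as Unknown for manual review.
    return 'Unknown'
}

function Get-DevDriveTrustReport {
    # Performance mode needs Defender Real-time protection to be On.
    $rtp = [bool](Get-MpComputerStatus).RealTimeProtectionEnabled

    # Dev Drive is built on ReFS, so only ReFS volumes are queried.
    Get-Volume |
        Where-Object { $_.DriveLetter -and $_.FileSystemType -eq 'ReFS' } |
        ForEach-Object {
            $drive = "$($_.DriveLetter):"
            # Same command as Option One, with stderr folded into the text.
            $out   = (& fsutil.exe devdrv query $drive 2>&1 | Out-String)
            $state = Get-DevDriveTrustState -QueryOutput $out

            [pscustomobject]@{
                Drive                   = $drive
                TrustState              = $state
                RealTimeProtection      = $rtp
                # Per the tutorial: asynchronous scanning requires a trusted
                # Dev Drive AND Real-time protection set to On.
                PerformanceModeEligible = ($state -eq 'Trusted') -and $rtp
            }
        }
}

Get-DevDriveTrustReport | Format-Table -AutoSize
```

A drive listed as Trusted with Real-time protection on is the one where file opens are scanned after the fact, so those rows are the ones to review if you expect synchronous scanning on a given volume.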






Option Two

Designate a Dev Drive as Trusted


1 Open Windows Terminal (Admin), and select either Windows PowerShell or Command Prompt.

2 Type the command below into Windows Terminal (Admin), and press Enter.

fsutil devdrv trust <drive letter>:

Substitute <drive letter> in the command above with the actual drive letter (ex: "F") of the Dev Drive you want to designate as trusted.

For example: fsutil devdrv trust F:







Option Three

Designate a Dev Drive as Untrusted


1 Open Windows Terminal (Admin), and select either Windows PowerShell or Command Prompt.

2 Type the command below into Windows Terminal (Admin), and press Enter.

fsutil devdrv untrust <drive letter>:

Substitute <drive letter> in the command above with the actual drive letter (ex: "F") of the Dev Drive you want to designate as untrusted.

For example: fsutil devdrv untrust F:





That's it,
Shawn Brink


 