Published by Brink (Administrator)



Allow or Deny Write Access to Removable Drives not Protected by BitLocker in Windows

Information
You can use BitLocker Drive Encryption to help protect your files on an entire drive. BitLocker can help block hackers from accessing the system files they rely on to discover your password, or from accessing your drive by physically removing it from your PC and installing it in a different one. You can still sign in to Windows and use your files as you normally would.

If you like, you can set a policy that configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive (e.g., a USB flash drive). When the policy is enabled, all removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.

This tutorial will show you how to allow or deny write access to removable drives not protected by BitLocker in Windows 7, Windows 8, and Windows 10.

You must be signed in as an administrator to allow or deny write access to removable drives not protected by BitLocker.
Note
For Windows 7, BitLocker Drive Encryption is only available in the Windows 7 Professional and Windows 7 Enterprise editions.

For Windows 8/8.1, BitLocker Drive Encryption is only available in the Windows 8 Pro and Windows 8 Enterprise editions.

For Windows 10, BitLocker Drive Encryption is only available in the Windows 10 Pro, Enterprise, and Education editions.

CONTENTS:
  • Option One: Allow or Deny Write Access to Removable Drives not Protected by BitLocker in Local Group Policy Editor
  • Option Two: Allow or Deny Write Access to Removable Drives not Protected by BitLocker using a REG file


EXAMPLE: Deny write access to removable drives not protected by BitLocker






OPTION ONE
Allow or Deny Write Access to Removable Drives not Protected by BitLocker in Local Group Policy Editor

1. Open the Local Group Policy Editor.

2. In the left pane of Local Group Policy Editor, navigate to the location below. (see screenshot below)

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives


3. In the right pane of Removable Data Drives in Local Group Policy Editor, double click/tap on the Deny write access to removable drives not protected by BitLocker policy to edit it. (see screenshot above)

4. Do step 5 (allow) or step 6 (deny) below for what you would like to do.


 5. To Allow Write Access to Removable Drives not Protected by BitLocker

A) Select (dot) Not Configured or Disabled, click/tap on OK, and go to step 7 below. (see screenshot below)

NOTE: Not Configured is the default setting.


 6. To Deny Write Access to Removable Drives not Protected by BitLocker

A) Select (dot) Enabled, click/tap on OK, and go to step 7 below. (see screenshot below)
Note
If the Deny write access to devices configured in another organization option is checked, only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive is accessed, it will be checked for a valid identification field and allowed identification fields. These fields are defined by the Provide the unique identifiers for your organization policy setting located at Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption in the Local Group Policy Editor.

7. When finished, you can close the Local Group Policy Editor if you like.






OPTION TWO
Allow or Deny Write Access to Removable Drives not Protected by BitLocker using a REG file

Note
The .reg files below will add and modify the DWORD values in the registry keys below.

(Deny write access to removable drives not protected by BitLocker)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE

RDVDenyWriteAccess DWORD

(delete) = Allow (default)
1 = Deny

(Deny write access to devices configured in another organization)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE

RDVDenyCrossOrg DWORD

(delete) = default
0 = Allow
1 = Deny

1. Do step 2 (allow), step 3 (deny), or step 4 (deny also from another organization) below for what you would like to do.


 2. To Allow Write Access to Removable Drives not Protected by BitLocker

NOTE: This is the default setting.

A) Click/tap on the Download button below to download the file below, and go to step 5 below.

Allow_write_access_to_removable_drives_not_protected_by_BitLocker.reg

download


 3. To Deny Write Access to Removable Drives not Protected by BitLocker

A) Click/tap on the Download button below to download the file below, and go to step 5 below.

Deny_write_access_to_removable_drives_not_protected_by_BitLocker.reg

download


 4. To Deny Write Access to Removable Drives not Protected by BitLocker and from another Organization

Note
This is for the Deny write access to devices configured in another organization option, under which only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive is accessed, it will be checked for a valid identification field and allowed identification fields. These fields are defined by the Provide the unique identifiers for your organization policy setting located at Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption in the Local Group Policy Editor.

A) Click/tap on the Download button below to download the file below, and go to step 5 below.

Deny_write_access_to_removable_drives_not_protected_by_BitLocker_and_from_another_organization.reg

download

5. Save the .reg file to your desktop.

6. Double click/tap on the downloaded .reg file to merge it.

7. When prompted, click/tap on Run, Yes (UAC), Yes, and OK to approve the merge.

8. You can now delete the downloaded .reg file if you like.


That's it,
Shawn
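
The following PowerShell is an added example, not part of the original tutorial and not the contents of the downloadable .reg files. It reads the two registry values listed in the Option Two note so you can verify which state a machine is in, and it can write the allow/deny states. The function names are hypothetical, and setting RDVDenyCrossOrg to 0 in the plain Deny mode is an assumption. Run it from an elevated PowerShell session.

```powershell
# Added example. Key paths and value names come from the Option Two note above;
# the function names and the $RdvPolicy table are hypothetical. Needs PowerShell 3.0+.
$RdvPolicy = @{
    DenyWrite    = @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE'; Name = 'RDVDenyWriteAccess' }
    DenyCrossOrg = @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'; Name = 'RDVDenyCrossOrg' }
}

function Get-RdvValue($Entry) {
    # Returns the DWORD, or $null when the key or the value is absent (default state).
    $item = Get-ItemProperty -Path $Entry.Path -Name $Entry.Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.($Entry.Name) } else { $null }
}

function Get-RdvWritePolicy {
    # Interprets each value exactly as the tutorial's table does.
    $deny  = Get-RdvValue $RdvPolicy.DenyWrite
    $cross = Get-RdvValue $RdvPolicy.DenyCrossOrg
    [pscustomobject]@{
        RDVDenyWriteAccess = if ($null -eq $deny) { '(not set)' } else { $deny }
        WriteToUnprotected = if ($deny -eq 1) { 'Deny' } else { 'Allow (default)' }
        RDVDenyCrossOrg    = if ($null -eq $cross) { '(not set)' } else { $cross }
        OtherOrganization  = if ($cross -eq 1) { 'Deny' } elseif ($cross -eq 0) { 'Allow' } else { 'Default' }
    }
}

function Set-RdvWritePolicy {
    param([Parameter(Mandatory)][ValidateSet('Allow', 'Deny', 'DenyCrossOrg')][string]$Mode)
    if ($Mode -eq 'Allow') {
        # "(delete) = Allow (default)": remove both values instead of writing 0.
        foreach ($e in $RdvPolicy.Values) {
            Remove-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue
        }
    } else {
        foreach ($e in $RdvPolicy.Values) {
            # The FVE policy key may not exist yet on a machine that never had the policy set.
            if (-not (Test-Path $e.Path)) { New-Item -Path $e.Path -Force | Out-Null }
        }
        $crossOrg = if ($Mode -eq 'DenyCrossOrg') { 1 } else { 0 }   # 0 for plain Deny is an assumption
        New-ItemProperty -Path $RdvPolicy.DenyWrite.Path -Name $RdvPolicy.DenyWrite.Name `
            -PropertyType DWord -Value 1 -Force | Out-Null
        New-ItemProperty -Path $RdvPolicy.DenyCrossOrg.Path -Name $RdvPolicy.DenyCrossOrg.Name `
            -PropertyType DWord -Value $crossOrg -Force | Out-Null
    }
    Get-RdvWritePolicy   # echo the resulting state so the change can be confirmed
}

Get-RdvWritePolicy       # read-only check; call Set-RdvWritePolicy -Mode Deny to change it
```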