Deny Write Access to Fixed Data Drives not Protected by BitLocker in Windows 11



This tutorial will show you how to allow or deny write access to fixed data drives not protected by BitLocker for all users in Windows 10 and Windows 11.

BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned drives and computers. You can turn on BitLocker protection for operating system drives, fixed data drives, and removable data drives.

You can use the Deny write access to fixed drives not protected by BitLocker policy setting to require encryption of fixed drives prior to granting write access.

If you enable this policy setting, all fixed data drives that are not BitLocker-protected will be mounted as read-only with a "This disk is write-protected" message. If the drive is protected by BitLocker, it will be mounted with read and write access.

If you disable or don't configure this policy setting, all fixed data drives on the computer will be mounted with read and write access.

You must be signed in as an administrator to be able to allow or deny write access to fixed data drives not protected by BitLocker.




Contents

  • Option One: Allow or Deny Write Access to Fixed Data Drives not Protected by BitLocker in Local Group Policy Editor
  • Option Two: Allow or Deny Write Access to Fixed Data Drives not Protected by BitLocker using REG file


EXAMPLE: Deny write access to fixed data drives not protected by BitLocker (screenshot of the "This disk is write-protected" message)





Option One

Allow or Deny Write Access to Fixed Data Drives not Protected by BitLocker in Local Group Policy Editor


The Local Group Policy Editor is only available in the Windows 10/11 Pro, Enterprise, and Education editions.

All editions can use Option Two to configure the same policy.


1 Open the Local Group Policy Editor for all users, for specific users or groups, or for all users except administrators, depending on how you want this policy applied.

2 Navigate to the policy location below in the left pane of the Local Group Policy Editor.

Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Fixed Data Drives

3 In the right pane of Fixed Data Drives in the Local Group Policy Editor, double click/tap on the Deny write access to fixed drives not protected by BitLocker policy to edit it.

4 Do step 5 (allow) or step 6 (deny) below for what you want.

5 Allow Write Access to Fixed Data Drives not Protected by BitLocker

This is the default setting.


A) Select (dot) Not Configured.

B) Click/tap on OK, and go to step 7.

6 Deny Write Access to Fixed Data Drives not Protected by BitLocker

A) Select (dot) Enabled.

B) Click/tap on OK, and go to step 7.

7 Close the Local Group Policy Editor.

8 Restart the computer to apply.




Option Two

Allow or Deny Write Access to Fixed Data Drives not Protected by BitLocker using REG file


1 Do step 2 (allow) or step 3 (deny) below for what you want.

2 Allow Write Access to Fixed Data Drives not Protected by BitLocker

This is the default setting.


A) Click/tap on the Download button below to download the REG file, and go to step 4.

Allow_write_access_to_fixed_data_drives_not_protected_by_BitLocker.reg


(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE]
"FDVDenyWriteAccess"=-

3 Deny Write Access to Fixed Data Drives not Protected by BitLocker

A) Click/tap on the Download button below to download the REG file, and go to step 4.

Deny_write_access_to_fixed_data_drives_not_protected_by_BitLocker.reg


(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE]
"FDVDenyWriteAccess"=dword:00000001

4 Save the REG file to your desktop.

5 Double click/tap on the downloaded REG file to merge it.

6 When prompted, click/tap on Run, Yes (UAC), Yes, and OK to approve the merge.

7 Restart the computer to apply.

8 You can now delete the downloaded REG file if you like.


That's it,
Shawn Brink
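
The following PowerShell check is an added example, not part of the original tutorial: it reads the FDVDenyWriteAccess value that Option Two sets and lists each fixed data drive with the access the policy should give it. It assumes an elevated session with the Get-BitLockerVolume and Get-Volume cmdlets available, and it treats a ProtectionStatus of "On" as "protected by BitLocker", which is an assumption of this example.

```powershell
# Added example: audit the FDVDenyWriteAccess policy and the fixed data drives it affects.
# Run in an elevated PowerShell session; Get-BitLockerVolume requires administrator rights.

$fveKey    = 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE'
$valueName = 'FDVDenyWriteAccess'

# A missing key or value corresponds to "Not Configured" (write access allowed).
$policy      = Get-ItemProperty -Path $fveKey -Name $valueName -ErrorAction SilentlyContinue
$denyEnabled = ($null -ne $policy) -and ($policy.$valueName -eq 1)

if ($denyEnabled) {
    Write-Output "$valueName = 1: fixed data drives not protected by BitLocker mount read-only."
} else {
    Write-Output "$valueName is not set to 1: all fixed data drives mount read/write."
}

# Drive letters of fixed (non-removable) volumes, formatted like BitLocker mount points ("D:").
$fixedLetters = Get-Volume |
    Where-Object { $_.DriveType -eq 'Fixed' -and $_.DriveLetter -match '[A-Z]' } |
    ForEach-Object { "$($_.DriveLetter):" }

# Fixed data drives only: the operating system volume is not covered by this policy.
Get-BitLockerVolume |
    Where-Object { $_.VolumeType -eq 'Data' -and $fixedLetters -contains $_.MountPoint } |
    ForEach-Object {
        # Assumption: ProtectionStatus 'On' is what counts as "protected by BitLocker".
        $protected = $_.ProtectionStatus -eq 'On'
        [pscustomobject]@{
            Drive            = $_.MountPoint
            VolumeStatus     = $_.VolumeStatus
            ProtectionStatus = $_.ProtectionStatus
            ExpectedAccess   = if ($denyEnabled -and -not $protected) { 'Read-only' } else { 'Read/write' }
        }
    } | Format-Table -AutoSize
```

ExpectedAccess is derived from the configured registry value; because the tutorial requires a restart to apply the setting, the drives' current state can differ until the computer has been restarted.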


 
