Windows 10: Deny Write Access to Removable Drives not Protected by BitLocker

How to: Deny Write Access to Removable Drives not Protected by BitLocker

Allow or Deny Write Access to Removable Drives not Protected by BitLocker in Windows


You can use BitLocker Drive Encryption to help protect your files on an entire drive. BitLocker can help block hackers from accessing the system files they rely on to discover your password, or from accessing your drive by physically removing it from your PC and installing it in a different one. You can still sign in to Windows and use your files as you normally would.

If you like, you can set a policy that configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive (ex: USB flash drive). All removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.

This tutorial will show you how to allow or deny write access to removable drives not protected by BitLocker for all users in Windows 7, Windows 8, and Windows 10.

*Warning You must be signed in as an administrator to allow or deny write access to removable drives not protected by BitLocker.

*note For Windows 7, BitLocker Drive Encryption is only available in the Windows 7 Professional and Windows 7 Enterprise editions.

For Windows 8/8.1, BitLocker Drive Encryption is only available in the Windows 8 Pro and Windows 8 Enterprise editions.

For Windows 10, editions.


CONTENTS:

• Option One: Allow or Deny Write Access to Removable Drives not Protected by BitLocker in Local Group Policy Editor
• Option Two: Allow or Deny Write Access to Removable Drives not Protected by BitLocker using a REG file

EXAMPLE: Deny write access to removable drives not protected by BitLocker











OPTION ONE [/i] Allow or Deny Write Access to Removable Drives not Protected by BitLocker in Local Group Policy Editor
1. Open the Local Group Policy Editor.

2. Navigate to the policy location below in the left pane of Local Group Policy Editor. (see screenshot below)
*Arrow Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives




3. In the right pane of Removable Data Drives in Local Group Policy Editor, double click/tap on the Deny write access to removable drives not protected by BitLocker policy to edit it. (see screenshot above)

4. Do step 5 (allow) or step 6 (deny) below for what you would like to do.


5. To Allow Write Access to Removable Drives not Protected by BitLocker
A) Select (dot) Not Configured or Disabled, click/tap on OK, and go to step 7 below. (see screenshot below)

*note Not Configured is the default setting.

6. To Deny Write Access to Removable Drives not Protected by BitLocker
A) Select (dot) Enabled, click/tap on OK, and go to step 7 below. (see screenshot below)

*note If the Deny write access to devices configured in another organization option is checked, only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive is accessed it will be checked for valid identification field and allowed identification fields. These fields are defined by the Provide the unique identifiers for your organization policy setting located at Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption in the Local Group Policy Editor.




7. When finished, you can close the Local Group Policy Editor if you like.





OPTION TWO [/i] Allow or Deny Write Access to Removable Drives not Protected by BitLocker using a REG file
*note The downloadable .reg files below will add and modify the DWORD values in the registry keys below.

(Deny write access to removable drives not protected by BitLocker)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE

RDVDenyWriteAccess DWORD

(delete) = Allow (default)
1 = Deny

(Deny write access to devices configured in another organization)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE

RDVDenyCrossOrg DWORD

(delete) = default
0 = Allow
1 = Deny


1. Do step 2 (allow), step 3 (deny), step 4 (deny also from another organization) below for what you would like to do.


2. To Allow Write Access to Removable Drives not Protected by BitLocker
*note This is the default setting.
A) Click/tap on the Download button below to download the file below, and go to step 5 below.

Allow_write_access_to_removable_drives_not_protected_by_BitLocker.reg

Download

3. To Deny Write Access to Removable Drives not Protected by BitLocker
A) Click/tap on the Download button below to download the file below, and go to step 5 below.

Deny_write_access_to_removable_drives_not_protected_by_BitLocker.reg

Download

4. To Deny Write Access to Removable Drives not Protected by BitLocker and from another Organization
*note This is for the Deny write access to devices configured in another organization option that only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive is accessed it will be checked for valid identification field and allowed identification fields. These fields are defined by the Provide the unique identifiers for your organization policy setting located at Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption in the Local Group Policy Editor.
A) Click/tap on the Download button below to download the file below, and go to step 5 below.

Deny_write_access_to_removable_drives_not_protected_by_BitLocker_and_from_another_organization.reg

Download
5. Save the .reg file to your desktop.

6. Double click/tap on the downloaded .reg file to merge it.

7. When prompted, click/tap on Run, Yes (UAC), Yes, and OK to approve the merge.

8. You can now delete the downloaded .reg file if you like.

That's it,
Shawn


Related Tutorials

• How to Check Status of BitLocker Drive Encryption for Drive in Windows 10
• Allow or Deny Write Access to Fixed Data Drives not Protected by BitLocker in Windows
• How to Turn On or Off BitLocker for Removable Data Drives in Windows 10
• How to Enable or Disable Write Protection for a Disk Drive in Windows
• How to Enable or Disable Installation of Removable Devices in Windows
• How to Enable or Disable Access to All Removable Storage Devices in Windows

:)

 

Bitlocker making removable media Write Protected

Check the status of the
Deny write access to removable drives not protected by BitLocker and
Deny write access to devices configured in another organization group policies. For removable drives accessed from older versions of Windows, also check the
Allow access to BitLocker-protected removable data drives from earlier versions of Windows policy.

 

Bitlocker making removable media Write Protected

Our status for Deny write access to removable drives not protected by Bitlocker is enabled. And it prompts a user to encrypt their device using bitlocker before they are permitted to write to it. It then encrypts it if the user chooses to do so, or only
allows read access. Once it is encrypted, the device is writable at that time, but once it is removed and plugged back in (To the same machine, or another machine in the same network/organization), it prompts for the password that was set. Once the password
is entered, it shows the device as being unlocked, but when you try to write to it, it says that "This disk is write protected."

 

Bitlocker making removable media Write Protected

I work for a company who handles secure data. We use bitlocker to encrypt the drives on all company machines, as well as all removable storage devices (USB Flash drives, External Hard Drives, ETC.). This works seamlessly for all built in storage, but for
removable media, it is forcing write protection on the drives after encryption, even after the drive is unlocked using the Bitlocker passcode. We still want to maintain the enforcement of encrypting anything that may contain private company data, including
all removable storage devices, but want to still be able to write to them after they are encrypted. Is this normal? Is there any way to have all removable storage devices encrypted but disable write protection once they are unlocked?

In Group Policy, our status for Deny write access to removable drives not protected by Bitlocker is enabled. When a user plugs in an external storage device, it prompts them to encrypt their device using bitlocker before they are permitted to write to it.
It then encrypts it if the user chooses to do so, or only allows read access if they refuse. Once it is encrypted, the device is writable at that time, but once it is removed and plugged back in (To the same machine, or another machine in the same network/organization),
it prompts for the password that was set. Once the password is entered, it shows the device as being unlocked, but when you try to write to it, it says that "This disk is write protected."

Additionally, if it helps, we do not push any other removable media GP bitlocker related options such as 'Deny write access to devices configured in another organization' or 'Allow access to BitLocker-protected removable data drives from earlier versions
of Windows', so it would most likely be whatever the default setting is. However, every removable media device we have tested with has been new, empty, and unencrypted until into we plug into one of our machines and encrypt with Bitlocker. Still, could adding
one of these policies (Or maybe another I am not familiar with) as 'Enabled' potentially resolve the issue?

Any help would be greatly appreciated, as I am running out of things to try, and can not find any threads where people have run into this issue.

Thanks!

 

Bitlocker making removable media Write Protected

I work for a company who handles secure data. We use bitlocker to encrypt the drives on all company machines, as well as all removable storage devices (USB Flash drives, External Hard Drives, ETC.). This works seamlessly for all built in storage, but for
removable media, it is forcing write protection on the drives after encryption, even after the drive is unlocked using the Bitlocker passcode. We still want to maintain the enforcement of encrypting anything that may contain private company data, including
all removable storage devices, but want to still be able to write to them after they are encrypted. Is this normal? Is there any way to have all removable storage devices encrypted but disable write protection once they are unlocked?

Thanks!

 

Bitlocker - Access Denied Error

Have a small home server/pc running windows 10 Pro 64 Bit. Recently added a tmp module so I could setup bitlocker. Installed the tmp module and setup bitlocker on my C drive - 250gb SSD - main drive. I have a D drive which is another 250gb SSD that stores
all my personal files. The C drive is setup with bitlocker now but when I try to turn on bitlocker on my I get "access is denied". Both drives are sata drives running in ahci mode. Can't figure out why I get access denied when trying to setup bitlocker,
I can access the drive all the files on it just fine.