Policy

Deny write access to removable drives not protected by BitLocker

Microsoft Windows

Back to Removable Data DrivesBack to main
Deny write access to removable drives not protected by BitLocker
Jump to overview

Policy overview

Key metadata and intent for this policy.

Computer
Category
Windows Components > BitLocker Drive Encryption > Removable Data Drives
Supported on
At least Windows Server 2008 R2 or Windows 7

Supported OS tags: Windows10, Windows10RT, Windows11, Windows7, Windows8, Windows81, WindowsRT, WindowsRT81, WindowsServer2008, WindowsServer2012, WindowsServer2012R2, WindowsServer2016

This policy setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive. If you enable this policy setting, all removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access. If the "Deny write access to devices configured in another organization" option is selected, only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive is accessed it will be checked for valid identification field and allowed identification fields. These fields are defined by the "Provide the unique identifiers for your organization" policy setting. If you disable or do not configure this policy setting, all removable data drives on the computer will be mounted with read and write access. Note: This policy setting can be overridden by the policy settings under User Configuration\Administrative Templates\System\Removable Storage Access. If the "Removable Disks: Deny write access" policy setting is enabled this policy setting will be ignored.

Internal name
RDVDenyWriteAccess_Name
Policy ID
cb21eda529ac
Elements
1

Registry values

How enabled and disabled states update the registry.

ScopeRegistry locationTypeEnabled valueDisabled valueCopy
Computer
Path
System\CurrentControlSet\Policies\Microsoft\FVE
Value name
RDVDenyWriteAccess
REG_DWORD
HKLM
1
HKLM
0
Registry location
Type REG_DWORD · Computer
Path
System\CurrentControlSet\Policies\Microsoft\FVE
Value name
RDVDenyWriteAccess
Hive
HKLM
Enabled value
1
Disabled value
0

Policy elements

Inputs and configuration options exposed by this policy.

ScopeElementTypeRegistry mappingConstraints & behaviorCopy
Computer
Do not allow write access to devices configured in another organization
ID RDVCrossOrg
boolean
Path
Software\Policies\Microsoft\FVE
Value name
RDVDenyCrossOrg
Type
REG_DWORD
Options: true (1), false (0)
True: Set value = 1 · False: Set value = 0
Do not allow write access to devices configured in another organization
Computer · Type boolean
Registry mapping
Path
Software\Policies\Microsoft\FVE
Value name
RDVDenyCrossOrg
Type
REG_DWORD
Details
Options: true (1), false (0)
True: Set value = 1 · False: Set value = 0