Deny Write to Fixed Drives not Protected by BitLocker


For extra protection, Windows 10 allows enabling a special policy that prevents write operations to fixed drives that are not protected by BitLocker. Non-protected drives will be mounted as read-only to ensure that all your sensitive data is written to an encrypted storage device.

BitLocker was first introduced in Windows Vista and still exists in Windows 10. It was implemented exclusively for Windows and has no official support in alternative operating systems. BitLocker can utilize your PC's Trusted Platform Module (TPM) to store its encryption key secrets. In modern versions of Windows such as Windows 8.1 and Windows 10, BitLocker supports hardware-accelerated encryption if certain requirements are met (the drive has to support it, Secure Boot must be on and many other requirements). Without hardware encryption, BitLocker switches to software-based encryption so there is a dip in your drive's performance.

Note: In Windows 10, BitLocker Drive Encryption is only available in the Pro, Enterprise, and Education editions.

To deny write to fixed drives not protected by BitLocker, do the following.

  1. Press Win + R keys together on your keyboard and type:
    gpedit.msc

    Press Enter.

  2. Group Policy Editor will open. Go to Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives.
  3. On the right, double-click the policy Deny write access to fixed drives not protected by BitLocker.
  4. Set it to Enabled.
  5. Restart Windows 10 to apply the restriction, and you are done.

Note: Local Group Policy Editor (gpedit.msc) is only available in Windows 10 Pro, Enterprise, and Education editions.

Alternatively, you can enable or disable the policy with a Registry tweak.

Registry Tweak to Deny Write to Fixed Drives not Protected by BitLocker

  1. Open Registry Editor.
  2. Go to the following Registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE

    Tip: See how to jump to the desired Registry key with one click.

    If you do not have such a key, then just create it.

  3. Here, create a new 32-bit DWORD value FDVDenyWriteAccess. Note: Even if you are running 64-bit Windows, you still need to use a 32-bit DWORD as the value type.
  4. Set it to 1 to activate the policy.
  5. To make the changes done by the Registry tweak take effect, you need to restart Windows 10.
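
The registry steps above can also be scripted. The following PowerShell is an added example, not part of the original article: it first lists the fixed data drives that would become read-only because BitLocker protection is off, and writes the value only when run with `-Apply` (a switch name chosen for this example). It assumes an elevated session on an edition that includes the BitLocker cmdlets.

```powershell
#Requires -RunAsAdministrator
param([switch]$Apply)   # -Apply is a name chosen for this example

# Key and value name are the ones given in the registry steps above.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE'
$name = 'FDVDenyWriteAccess'

# Fixed drives that have a drive letter, as reported by the Storage module.
$fixedLetters = Get-Volume |
    Where-Object { $_.DriveType -eq 'Fixed' -and $_.DriveLetter } |
    ForEach-Object { "$($_.DriveLetter):" }

# Fixed data volumes (not the OS volume) whose BitLocker protection is off.
$unprotected = Get-BitLockerVolume |
    Where-Object {
        $_.VolumeType -eq 'Data' -and
        $_.MountPoint -in $fixedLetters -and
        $_.ProtectionStatus -ne 'On'
    }

if ($unprotected) {
    Write-Warning 'These fixed drives become read-only once the policy is active:'
    $unprotected | Format-Table MountPoint, VolumeStatus, ProtectionStatus -AutoSize
} else {
    Write-Output 'All fixed data drives are protected by BitLocker.'
}

if ($Apply) {
    # Create the key if it is missing, then write the 32-bit DWORD value.
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
}

# Report what is currently configured; a restart is needed for it to take effect.
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
'{0} = {1}' -f $name, $(if ($null -eq $current) { '(not set)' } else { $current })
```

Running it without `-Apply` changes nothing and only reports which drives are affected and the current value.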

To save your time, I made ready-to-use Registry files. You can download them here:

Download Registry Files

The undo tweak is included.

That's it.


Author: Sergey Tkachenko
