Even when Windows mounts them as read-only devices, the permissions on drives not protected by BitLocker can be changed. Doing so can improve accessibility, tighten security, or simplify workflows. This guide shows how to configure write access for removable drives not protected by BitLocker and offers recommendations for managing and securing them.
How to configure write access for non-BitLocker drives
Here are the different methods to configure access for your unencrypted drive.
Using the Group Policy Editor
Follow these steps to change write access to a removable drive not protected by BitLocker using the Group Policy Editor:
- Open the Local Group Policy Editor by pressing Win + R, typing “gpedit.msc,” and clicking OK.
- In the left section, navigate to the Removable Data Drives folder through the following route:
Computer Configuration → Administrative Templates → Windows Components → BitLocker Drive Encryption → Removable Data Drives
- In the right section, double-click on Deny write access to removable drives not protected by BitLocker.
- To enable write access, select Not Configured (the default setting) or Disabled and then click OK. To disable write access, select Enabled and then click OK.
If you wish to apply this policy to specific users or groups, create a custom Microsoft Management Console (MMC) that includes them. From this MMC, you can configure their write access to removable drives by following the steps above.
Using the Registry Editor (regedit)
These are the steps to allow or deny write access to USB drives and similar removable drives in Windows using the Registry Editor:
- Open Registry Editor by pressing Win + R, typing “regedit,” and pressing Enter.
- Navigate to a specific folder using this route:
HKEY_LOCAL_MACHINE → SOFTWARE → Policies → Microsoft → Windows → RemovableStorageDevices → {53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
- Create a new 32-bit DWORD value and name it Deny_Write.
- Assign one of the following values as the value data, then click OK:
  - 0 — Enable write access
  - 1 — Disable write access
- Close Registry Editor and restart your computer.
Although a DWORD is only four bytes, Windows reads each registry DWORD under a policy key as a specific setting, so both the value name and its data must be exact: Deny_Write is interpreted as a boolean, 1 (true, deny) or 0 (false, allow).
Using Local Security Policy
You can use the Local Security Policy to enable or disable write access for USB drives and other removable drives that are not protected by BitLocker.
- Open the Local Security Policy console by pressing the Windows key + R, typing “secpol.msc,” and pressing Enter.
- Head to the Removable Storage Access folder via this route:
Computer Configuration → Administrative Templates → System → Removable Storage Access
- Under the Policy column, double-click the Removable Disks: Deny write access policy to edit it.
- Under the Security Setting column, right-click and select Enabled to deny write access or Disabled to allow write access.
- Close the console and restart your computer.
Testing and verifying the configuration for write access to removable drives
How to check if the policy is applied correctly
After configuring your Windows removable drive security settings, you can confirm whether they have been applied correctly.
- Connect your removable drive (e.g., USB flash drive, SD card) to your computer.
- Open File Explorer. Right-click on the drive and choose Properties.
- Click on the Security tab. Under Group and user names, choose the user or group to whom this setting/policy applies.
- In the permissions window below, depending on the type of access you’ve set, there should (or should not) be a checkmark under the Allow column next to “Write.”
You can also use the Group and user names window to select different users or groups and cross-check their security settings; for instance, to confirm whether one group has write access to removable drives but another does not.
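The two policies described above are stored as registry DWORDs, so they can also be set and verified from PowerShell. The following is an added example, not code from the original article; it assumes an elevated PowerShell session and uses the FVE value name RDVDenyWriteAccess for the BitLocker policy alongside the Deny_Write value named in the registry steps.

```powershell
# Added example (not from the article): set and verify the registry values
# behind the two policies above. Assumes an elevated PowerShell session.

# "Deny write access to removable drives not protected by BitLocker"
# (gpedit: BitLocker Drive Encryption > Removable Data Drives) lives here:
$FvePath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$FveName = 'RDVDenyWriteAccess'

# "Removable Disks: Deny write access" (Removable Storage Access) lives under
# the removable-disk device class GUID named in the registry steps above:
$RsdPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
$RsdName = 'Deny_Write'

function Get-PolicyDword {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, i.e. the policy is "Not Configured".
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Set-PolicyDword {
    param([string]$Path, [string]$Name, [int]$Value)
    # Creates the key if needed and writes a 32-bit DWORD, overwriting any old value.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

function Get-RemovableWriteState {
    # Reports both policies; writes are blocked if either one is set to 1.
    $fve = Get-PolicyDword $FvePath $FveName
    $rsd = Get-PolicyDword $RsdPath $RsdName
    [pscustomobject]@{
        BitLockerDenyWrite     = $fve   # $null = Not Configured, 0 = Disabled, 1 = Enabled
        RemovableDiskDenyWrite = $rsd
        WriteAllowedOnUnencryptedDrives = -not (($fve -eq 1) -or ($rsd -eq 1))
    }
}

# Usage: allow writes on unencrypted removable drives (both policies Disabled = 0),
# then confirm. Set either value to 1 to deny writes instead.
Set-PolicyDword -Path $FvePath -Name $FveName -Value 0
Set-PolicyDword -Path $RsdPath -Name $RsdName -Value 0
Get-RemovableWriteState | Format-List
```

Reconnect the drive or restart after changing the values, as the article's steps describe, so the new setting is applied to the mounted volume.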
Common troubleshooting steps if the setting does not take effect
If a drive still shows as “read-only” after you configure write access to removable drives, try one of these actions:
- Check for a physical switch: USB flash drives and SD cards are usually equipped with slide switches to lock or unlock write access. If your drive has one, ensure it’s in the correct setting.
- Check your drive’s storage: When it runs out of free space, your drive is automatically set to “read-only” mode. If so, transfer and back up your drive’s files before configuring write access.
- Check for viruses: The presence of viruses or malware on your removable drive could disable write (and even read) access to that drive. To be safe, scan the drive with your computer’s antivirus program and promptly address or remove any existing threats.
Security and compliance considerations when configuring write access to removable drives
To mitigate the security risks of enabling write access for a non-BitLocker removable drive, observe the following security and compliance considerations and measures.
How to mitigate security threats (e.g., malware, unauthorized data transfer)
- Make full use of your device’s antivirus program. Enable real-time protection, set up a firewall, and regularly scan your device and drives for possible malware.
- Constantly update your devices. This applies not only to your computer’s software but also to the drivers of your removable storage.
- Be wary of unfamiliar and suspicious files on your drive. Refrain from clicking on these files directly. Instead, scan your drive and refer to the courses of action suggested by your antivirus tool.
Understanding BitLocker and removable drive policies
What is BitLocker?
BitLocker is a built-in Windows security feature that protects your drive from unauthorized access via data encryption. Without the right key and/or password to decrypt your drive, the data within it appears scrambled and is inaccessible to outside parties. BitLocker is particularly useful when your drive is lost, stolen, or decommissioned.
How BitLocker protects removable drives
BitLocker drive encryption also applies to removable storage through the BitLocker To Go feature. This is suitable for USB flash drives, SD cards, external hard disk drives, and other drives formatted with the NTFS, FAT16, FAT32, and exFAT file systems. As with fixed drives, BitLocker encrypts the data on your removable device and prompts you to either create a password or save a generated recovery key so you can reaccess the data.
Risks of allowing write access to unprotected drives
While configuring write access to an unencrypted drive lessens the steps you need to take to modify the data in it, this renders the drive vulnerable to numerous security risks, including but not limited to the following:
- Data theft: Sensitive data, such as personal and financial records, can be easily stolen or even changed without your notice by unauthorized users.
- Accidental deletion: Irresponsible use of write access can lead to you deleting crucial files or folders by mistake, with scarce options to recover them.
- Spread of malware: With unbarred write access, your drive can become a host for malware planted by suspicious parties, physically or digitally.
Group Policy and registry settings for managing removable storage
When multiple end users in an organization store sensitive work-related data on USB drives, properly configuring read and/or write access to these drives is vital to the organization’s cybersecurity. IT professionals manage this access through Group Policy and registry settings, which requires administrator privileges.
Best practices for organizations managing removable storage policies
For organizations and enterprise environments where individuals often handle external storage containing sensitive data, the best practices for managing removable drive permissions in Windows include the following:
- Ensure that the right policies apply to the right users and groups. Granting write access for unencrypted drives to unauthorized users, for example, can lead to the loss or mishandling of important work-related data contained in those drives.
- Set “read-only” access as the default and disable autorun. As much as possible, write access to removable drives should be reserved for those with administrator privileges. In addition, disabling autorun prevents malicious programs from being automatically executed when the drive is connected to a computer.
- Promote secure storage of removable drives. Remind end users to store their flash drives, SD cards, and external hard drives in cool and protected locations, such as safes and locked drawers.
Compliance implications (e.g., GDPR, HIPAA, NIST recommendations)
Compliance with certain authorities and policies regarding proper data handling is necessary, whether you’ve enabled or disabled write access to non-BitLocker removable drives. These regulations include the following:
- GDPR — According to Article 5(e) of the General Data Protection Regulation (GDPR) concerning storage limitation, personal data to be processed for archiving, research, or statistical purposes should not be kept in storage indefinitely but only as long as their usefulness allows. This is to safeguard the privacy and safety of the owners of this data.
- HIPAA — Part 164.310 of the Health Insurance Portability and Accountability Act’s (HIPAA’s) Security Rule stresses that entities handling electronic protected health information (ePHI) should establish measures to safeguard the transport, use, and management of devices and media containing ePHI. These measures include proper data backup and storage.
- NIST — Special Publication 800-88 of the National Institute of Standards and Technology (NIST) outlines comprehensive guidelines for the “sanitization” of different types of electronic media, including the “protection [of data] against . . . recovery techniques . . . through the standard Read and Write commands to the storage device.”
Alternative security measures for unencrypted removable drives
To secure removable drives, use the right programs and tools to lock and encrypt them. Here are some actions you can take to ensure that your (or other end users’) removable drives are kept safe from bad actors.
Enforcing BitLocker encryption for all removable drives
Perhaps the most reliable method is to use Windows’ native encryption feature, particularly BitLocker To Go, for removable storage. Drives protected by BitLocker can be read and written by users who have the password or recovery key needed to decrypt them. If BitLocker isn’t your preference, use third-party encryption tools to keep your removable drives under lock and key.
Implementing data loss prevention (DLP) policies
When enforced, DLP policies identify and protect sensitive data—from personal information to financial records—across several endpoints as an added layer of security. These policies can be customized depending on your organization’s goals and resources, and the kinds of data you aim to safeguard against unauthorized parties and attackers.
Auditing removable storage access through Windows Event Viewer
Lastly, you can use Windows Event Viewer to manually document access to removable drives through these steps:
- Open Windows Event Viewer by clicking the Start button, typing “event viewer,” and selecting Event Viewer.
- In the left pane, under the Windows Logs folder, click on Security.
- Use the following event IDs to track successful or failed read and write attempts on removable drives:
  - Event 4663 — Success
  - Event 4656 — Failure
Based on these logs, you can create or adjust policies on removable storage write access for endpoints as appropriate.
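The same 4663/4656 events can be pulled from the Security log and reduced to write attempts with PowerShell. This is an added example, not code from the original article; it assumes an elevated session, that the “Removable Storage” audit subcategory (under Object Access) is the source of these events, and the write-related access-mask bits chosen here are my own filter.

```powershell
# Added example (not from the article): enable removable-storage auditing and
# list recent write attempts recorded as event 4663 / 4656. Assumes elevation.

# Without this subcategory enabled, the Security log records no removable
# storage 4663/4656 events at all.
auditpol /set /subcategory:"Removable Storage" /success:enable /failure:enable | Out-Null

# Access-mask bits treated as a write (file access rights):
# 0x2 = FILE_WRITE_DATA, 0x4 = FILE_APPEND_DATA, 0x10000 = DELETE.
$WriteBits = 0x2 -bor 0x4 -bor 0x10000

function Get-RemovableWriteAttempt {
    param([int]$Hours = 24)
    # Note: other Object Access subcategories (e.g. File System) also emit 4663/4656,
    # so keep those disabled or scope the results by ObjectName if both are on.
    $filter = @{ LogName = 'Security'; Id = 4663, 4656; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Read named fields from the event XML rather than parsing the message text.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if (-not $d['AccessMask']) { return }                 # no mask, nothing to classify
        $mask = [Convert]::ToInt32($d['AccessMask'], 16)      # value is hex, e.g. "0x2"
        if (($mask -band $WriteBits) -eq 0) { return }        # read-only access, skip
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            # Audit keyword is authoritative for success vs. failure.
            Outcome = if ($_.KeywordsDisplayNames -contains 'Audit Failure') { 'Failure' } else { 'Success' }
            User    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Object  = $d['ObjectName']
            Process = $d['ProcessName']
            Mask    = ('0x{0:X}' -f $mask)
        }
    }
}

# Usage: show the last 24 hours of write attempts, newest first, then count per user.
$attempts = Get-RemovableWriteAttempt -Hours 24
$attempts | Sort-Object Time -Descending | Format-Table -AutoSize
$attempts | Group-Object User | Select-Object Name, Count
```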
When to allow or restrict write access to unprotected removable drives
Determining who can be permitted write access to removable drives may be dictated by an organization’s structure, goals, and workflow (which can be streamlined when such access is granted, even for unprotected storage). Always remember that this action comes with significant risks, including the increased vulnerability of sensitive data to theft and misuse.
Unless allowing write access to unprotected drives is absolutely necessary, we highly recommend safeguarding all kinds of removable storage with BitLocker or another third-party encryption tool and constantly updating storage policies for the appropriate users and groups.