deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity
windows-itpro-docs/windows/security/operating-system-security/data-protection/bitlocker/includes/deny-write-access-to-removable-drives-not-protected-by-bitlocker.md
Paolo Matarazzo 7135a27212 updates
2023-10-30 18:30:20 -04:00

1.7 KiB
Raw Blame History

author, ms.author, ms.date, ms.topic
author ms.author ms.date ms.topic
paolomatarazzo paoloma 10/30/2023 include

Deny write access to removable drives not protected by BitLocker

This policy setting configures whether BitLocker protection is required for a device to be able to write data to a removable data drive.

If you enable this policy setting:

  • all removable data drives that are not BitLocker-protected are mounted as read-only
  • if the drive is protected by BitLocker, it's mounted with read and write access
  • if the Deny write access to devices configured in another organization option is selected, only drives with identification fields matching the computer's identification fields are given write access
    • When a removable data drive is accessed, it's checked for valid identification field and allowed identification fields. These fields are defined by the (Provide the unique identifiers for your organization)[] policy setting

If you disable or do not configure this policy setting, all removable data drives on the computer are mounted with read and write access.

Note

This policy setting is ignored if the policy settings Removable Disks: Deny write access is enabled.

Important

If you enable this policy:

  • Use of BitLocker with the TPM startup key or TPM key and PIN must be disallowed
  • Use of recovery keys must be disallowed
Path
CSP ./Device/Vendor/MSFT/BitLocker/RemovableDrivesRequireEncryption
GPO Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Removable Data Drives