Q. How can I force Windows 7 clients to use BitLocker To Go before writing to USB devices?

A. Windows 7 includes the BitLocker To Go functionality, which allows removable devices to be encrypted. Many organizations mandate the use of BitLocker on laptops to protect the content in case the laptop is stolen. Removable devices can be an even bigger risk, with users copying large amounts of data to small devices. If these devices are lost, they can pose a huge risk.

You can now use a Group Policy that restricts a user from writing to a USB device unless the device is encrypted with BitLocker To Go.

  1. Open the Group Policy Management Editor and edit a Group Policy Object that's linked to an organizational unit or domain that contains the Windows clients.
  2. Navigate to Computer Configuration, Policies, Administrative Templates, Windows Components, BitLocker Drive Encryption, Removable Data Drives.
  3. Double-click Deny write access to removable drives not protected by BitLocker.
  4. Set this policy to Enabled. You can also configure whether users can write to devices that aren't from the local organization.

  5. Click OK.
  6. Close the Group Policy Management Editor.

This updates the registry value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Policies\Microsoft\FVE\RDVDenyWriteAccess.
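To confirm that clients have actually received the setting, you can read that registry value on each machine. The following script is an added example, not part of the original FAQ: the function name Get-RdvDenyWriteState and the sample computer name are hypothetical, it assumes the Enabled state is stored as the value 1, and remote checks assume the Remote Registry service is reachable on the target.

```powershell
# Added example: audit the registry value written by the policy above.
# Written for PowerShell 2.0, the version that ships with Windows 7.
$SubKey    = 'System\CurrentControlSet\Policies\Microsoft\FVE'
$ValueName = 'RDVDenyWriteAccess'

function Get-RdvDenyWriteState {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    foreach ($computer in $ComputerName) {
        $state = 'Unknown'; $raw = $null; $detail = ''
        # An empty machine name opens the local hive without Remote Registry.
        $target = if ($computer -eq $env:COMPUTERNAME) { '' } else { $computer }
        try {
            $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                        [Microsoft.Win32.RegistryHive]::LocalMachine, $target)
            $key = $hive.OpenSubKey($SubKey)
            if ($key -eq $null) {
                $state = 'NotConfigured'; $detail = 'FVE policy key is absent'
            } else {
                $raw = $key.GetValue($ValueName, $null)
                if ($raw -eq $null) {
                    $state = 'NotConfigured'; $detail = "$ValueName is absent"
                } elseif ($raw -eq 1) {
                    # Assumption: Enabled is stored as 1.
                    $state = 'Enforced'
                } else {
                    $state = 'NotEnforced'; $detail = 'Policy present but not enabled'
                }
                $key.Close()
            }
            $hive.Close()
        } catch {
            # Offline host, firewall, access denied, or Remote Registry stopped.
            $state = 'Unreachable'; $detail = $_.Exception.Message
        }
        New-Object PSObject -Property @{
            Computer = $computer; State = $state; Value = $raw; Detail = $detail
        }
    }
}

# Local check, then a constructed (hypothetical) remote client name.
Get-RdvDenyWriteState | Format-Table Computer, State, Value, Detail -AutoSize
Get-RdvDenyWriteState -ComputerName 'WIN7-CLIENT01' |
    Where-Object { $_.State -ne 'Enforced' } |
    Format-Table Computer, State, Detail -AutoSize
```

Any machine reported as NotConfigured or NotEnforced has not applied the Group Policy Object and will still allow writes to unencrypted removable drives.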

Related Reading:

Check out hundreds more useful Q&As like this in John Savill's FAQ for Windows. Also, watch instructional videos made by John at ITTV.net.