Deny write access to removable drives not protected by BitLocker - RDVDenyCrossOrg

Information

This policy setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive.

If you enable this policy setting all removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker it will be mounted with read and write access.

If the 'Deny write access to devices configured in another organization' option is selected only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive is accessed it will be checked for valid identification field and allowed identification fields. These fields are defined by the 'Provide the unique identifiers for your organization' policy setting.

If you disable or do not configure this policy setting all removable data drives on the computer will be mounted with read and write access.

Note: This policy setting can be overridden by the policy settings under User Configuration\Administrative Templates\System\Removable Storage Access. If the 'Removable Disks: Deny write access' policy setting is enabled this policy setting will be ignored.

Solution

Policy Path: Windows Components\BitLocker Drive Encryption\Removable Data Drives
Policy Setting Name: Deny write access to removable drives not protected by BitLocker

See Also

https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-11-version-24h2-security-baseline/ba-p/4252801

Item Details

Category: MEDIA PROTECTION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|MP-4, 800-53|SC-28(1)

Plugin: Windows

Control ID: 69867adfd57a443d81a6f28a83601026cdc193f6d08ec2a44f4bb7c42c0f04dd