Skip to main content

How to enable write protection for USB devices on Windows 10

Windows 10 is the most secure version of Windows yet, but even though Microsoft has spent countless hours building new features to make computers more secure, someone can still just walk in, insert a USB drive, and walk away with sensitive data.

Of course, you can always protect your computer with a password, or set up a very strong PIN, but it's possible for someone with physical access to your machine get a hold to your sensitive data.

Fortunately, Windows 10 includes a write protection feature, which is hidden for some mysterious reason, and it allows you prevent any users from inserting a USB drive and downloading any data from your computer.

In this Windows 10 guide, we'll walk you through the steps to edit the Registry or the Group Policy editor to enable the write protection feature in the operating system to block users from saving data to a USB drive.

How to enable USB write protection using the Registry

Important: This is a friendly reminder to let you know that editing the registry is risky, and it can cause irreversible damage to your installation if you don't do it correctly. It's recommended to make a full backup of your PC before proceeding.

  1. Use the Windows key + R keyboard shortcut to open the Run command.
  2. Type regedit, and click OK to open the registry.
  3. Browse the following path:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
  4. Right-click the Control (folder) key, select New, and click on Key.
  5. Name the new key StorageDevicePolicies and press Enter.

  1. Select the newly created key, and right-click on the right side, select New, and click on DWORD (32-bit) Value.

  1. Name the new DWORD WriteProtect and press Enter.
  2. Double-click the newly created DWORD and change its value from 0 to 1.
  3. Click OK.

  1. Close the Registry to complete the task.

Once you completed the steps, anyone who connects a USB drive to your computer will be denied copy privileges, and they'll get a "This disk is write-protected" message. As a result, no one will be able to edit, delete, create, or rename files in the external storage.

At any time you can revert the changes by following the steps mentioned above, but on step 8, make sure to change the DWORD value from 1 to 0.

How to enable USB write protection using the Group Policy

Alternatively, if you don't feel comfortable modifying the Registry, and you're running Windows 10 Pro, Enterprise, or Education, you can access the Group Policy editor to deny write permissions to removable storage devices.

To enable write protection using Group Policy, do the following:

  1. Use the Windows key + R keyboard shortcut to open the Run command.
  2. Type gpedit.msc and click OK to open the Local Group Policy Editor.
  3. Browse the following path:Computer Configuration > Administrative Templates > System > Removable Storage Access
  4. On the right side, double-click the Removable Disks: Deny write access policy.

  1. On the top-left, select the Enabled option to activate the policy.
  2. Click Apply.
  3. Click OK.

  1. Close the Group Policy editor.
  2. Restart your computer to complete the task.

Once your computer reboots, anyone who connects a USB drive will be denied access to save, edit, or delete any content from the removable storage. However, unlike the enabling write protection using the Registry, users will get the "You'll need to provide administrator permission to copy to this folder" message, but even with administrator privileges no one will be able to export data to the USB drive.

It's worth pointing out that inside of Removable Storage Access, you'll also get a number of other storage policies. For example, "All Removable Storage classes: Deny all access," which doesn't enable write protection, but it will prevent anyone from accessing any removable storage, which achieves the same result.

If you need to revert the changes, just follow the same steps, but on step 5 make sure to select the Not Configured option.

Wrapping things up

While you can enable the write protection feature on your computer to protect your data from falling on to the wrong hands, there a number of other scenarios where something like this will be useful.

For example, this feature can add an extra layer of security when implementing a kiosk machine, or when you work with sensitive data on your business, just to name a few.

Although we're focusing this guide on Windows 10, it's worth pointing out that the same concept should work on previous versions of the operating system, including Windows 8.1 and Windows 7.

Do you think Windows 10 should include this option in the Settings app? Tell us in the comments below.

Thanks @Jessicator for the alternative tip!

More Windows 10 resources

For more help articles, coverage, and answers on Windows 10, you can visit the following resources:

Mauro Huculak is technical writer for WindowsCentral.com. His primary focus is to write comprehensive how-tos to help users get the most out of Windows 10 and its many related technologies. He has an IT background with professional certifications from Microsoft, Cisco, and CompTIA, and he's a recognized member of the Microsoft MVP community.

24 Comments
  • Features like this should be in the GUI and not hidden away as registry hacks.
  • Features like this *are* in the GUI, You *can* do this from the Group Policy Editor (local group policy too, not just domain policy)...
    Computer Configuration > Administrative Templates > System > Removable Storage Access > Removable Disks: Deny write access
  • Boom!
  • Still not actually in the GUI, as in a toggle switch in the security settings, and not everyone has group policy editor
  • Do you have any idea how many fine tuning settings there are? Please open the group policy editor (type group policy in the search bar/Cortana) and take a look at everything that's in there. Do you really want all of that in the average user's hands in the general settings app? And then there are even more things you can change via the registry (not hacking, by the way... The registry is just a unified configuration file of sorts). I think let's get Microsoft to first migrate everything from the control panel to settings and then see how big it is before asking even more.
  • Nope.. not in my windows 10 home
  • Isn't gpedit.msc snapin only Pro & up SKUs?
  • While that is true, this is not the kind of thing that most people wouldn't be looking to do on the average home computer (which is where Windows 10 Home is intended to be used). This is not even something that the average enterprise would even be likely to enable, due to the inconvenience factor. For Point of Sales systems and other systems where untrusted people have physical access to systems, this kind of security measure is critical. But then if you need this level of security and you're looking to tweak the OS to this degree, then that's what the Pro version is for (if not the Enterprise version). Bottom line: If you want Pro features to be readily available, then you should probably be running the Pro version.
  • Jessica. Group policy isn't exactly what I would call GUI.
    As the U suggests, users... Not administrator interface.
  • I guess you have to think of it this way though: Somebody managed to get onto your computer. They try to copy data, and it doesn't work. "oh let's check the settings" and suddenly they easily find it, disable it and still take data.
    At least with it being in the registry, the registry you need to edit, is hidden in thousands of other registry's. And only someone who knows what they're doing would even think of checking the registry. Even then they'd also need to know where to look.
    If you're gonna use this sort of security, you don't want it to be easily turned off by anyone, so the registry is a good place for this.
  • "Windows 10 is the most secure version of Windows yet"
    I don't think so....
  • Please, enlighten us
  • just log on with your ms account.. all is secure..
  • But still, you give no reason. Your comment was more just a waste of time to read :)
  • Though if your main account is an Administrator account someone can just as easily change this registry flag and get access. Which is yet another reason that your day-to-day account should not have Administrator privileges.
  • Indeed. First thing I do to a new machine is create a new admin-level account that is local only (not tied to a Microsoft Account) and then change the primary account to a standard user type. There are very few scenarios where your account needs admin-level permissions for longer than a few minutes.
  • What I like about this setup is that you basically have the Linux/OSX sudo password functionality on Windows.
  • Words! Just words!: "Windows 10 is the most secure version of Windows yet" This feature and others are enabled since Windows 7 era, I mean, I still don't find a valid reason to migrate from 7 to 10, just "support". You want to know about Vulnerabilities, just visit pages like TheHackerNews.com and you will find that everyday new exploits are found and the same applies to any technology.
  • the only "real" reason is direct x 12 and windows uwp. Directx 12 is mostly useless and the store ?? people dont want apps on windows. It's WINDOWS.. I'm taking my gaming to linux and vulcan..
  • That explains why apps are coming to the Windows store... And why people are using them. Because "people don't want apps" lol think about your logic before you comment :p
  • No sir, I will not touch the registry files. My system crashed last week it self and I don't want to go through all that all over again.
  • That's why there's a disclaimer at the start :p although I do believe if you are using W10 pro, you can use group policy (someone explained it near top of comments)
  • You showed how to add the extra layer of Security, but what if you want to extra the drive yourself and what if the person knows how to undo your registry edit? I've also seen where someone PC crash on them and they couldn't recover their files from another computer because of this same type of projection. So I wouldn't recommend this type of Security being in the settings app unless it can be remove with a simple code.
  • This is good, But What if I had to transfer music,pictures and documents from laptop to Pendrive, or from pendrive to laptop. It will deny to transfer data between them.