In Windows 8, administrative privileges are still required to configure BitLocker; however, standard users are allowed to change the BitLocker PIN or password for the operating system volume or the BitLocker password for fixed data volumes by default. This gives users the ability to choose PINs and passwords that correspond to a personal mnemonic instead of requiring the user to remember a randomly generated character set, and it allows IT professionals to use the same initial PIN or password setting for all computer images. It also presents the opportunity for users to choose passwords and PINs that are more susceptible to password guessing, dictionary attacks, and social engineering attacks, and it gives users the ability to unlock any computer that still uses the original PIN or password assignment.
Standard users are required to enter the current PIN or password for the drive to change the BitLocker PIN or BitLocker password. If a user enters an incorrect current PIN or password, the default tolerance for retry attempts is set to 5. Once the retry limit is reached, a standard user will not be able to change the BitLocker PIN or BitLocker password. The retry counter is set to zero when the computer is restarted or when an administrator resets the BitLocker PIN or BitLocker password.
For more information, see: What's New in BitLocker
This tutorial will show you how to allow or prevent standard users from being able to change the BitLocker PIN or password of an unlocked encrypted OS drive, fixed data drive, or removable data drive in Windows 8.
You must be signed in as an administrator to be able to do the steps in this tutorial.