
BitLocker Password or Pin - Prevent Users from Changing


This tutorial will show you how to allow or prevent standard users from being able to change the BitLocker PIN or password of an unlocked encrypted OS drive, fixed data drive, or removable data drive in Windows 8.
Published by Brink
How to Allow or Prevent Standard Users from Changing BitLocker Password or Pin in Windows 8

Information
In Windows 8, administrative privileges are still required to configure BitLocker; however, by default standard users are allowed to change the BitLocker PIN or password for the operating system volume, or the BitLocker password for fixed and removable data volumes. This lets users choose PINs and passwords that correspond to a personal mnemonic instead of having to remember a randomly generated character set, and it allows IT professionals to use the same initial PIN or password setting for all computer images. It also presents the opportunity for users to choose passwords and PINs that are more susceptible to password guessing, dictionary attacks, and social engineering attacks, and it gives users the ability to unlock any computer that still uses the original PIN or password assignment.

Standard users are required to enter the current PIN or password for the drive to change the BitLocker PIN or BitLocker password. If a user enters an incorrect current PIN or password, the default tolerance for retry attempts is set to 5. Once the retry limit is reached, a standard user will not be able to change the BitLocker PIN or BitLocker password. The retry counter is set to zero when the computer is restarted or when an administrator resets the BitLocker PIN or BitLocker password.

For more information, see: What's New in BitLocker

This tutorial will show you how to allow or prevent standard users from being able to change the BitLocker PIN or password of an unlocked encrypted OS drive, fixed data drive, or removable data drive in Windows 8.

You must be signed in as an administrator to be able to do the steps in this tutorial.

Note
When standard users are prevented from being able to change a BitLocker PIN or password, they will be prompted by UAC to enter an administrator's password before being allowed to change it.


EXAMPLE: Standard Users Enabled and Disabled to Change BitLocker PIN or Password
[Screenshots: Enabled.jpg, Disabled.jpg]






OPTION ONE
Allow or Prevent Standard Users to Change BitLocker PIN or Password in Group Policy

1. Press the Windows + R keys to open the Run dialog, type gpedit.msc, and press Enter.
2. If prompted by UAC, then click/tap on Yes.
3. In the left pane of Group Policy, expand Computer Configuration, Administrative Templates, Windows Components, BitLocker Drive Encryption, and open Operating System Drives. (see screenshot below)
[Screenshot: BitLocker_Password_GPEDIT-1.jpg]
4. In the right pane of Operating System Drives, double click/tap on Disallow standard users from changing the PIN or password to edit it. (see screenshot above)
5. Do step 6 or 7 below for what you would like to do.
6. To Allow Standard Users to Change BitLocker PIN or Password
   A) Select (dot) either Not Configured or Disabled, and go to step 8 below. (see screenshot below step 8)
   NOTE: Not Configured is the default setting.
7. To Prevent Standard Users from Changing BitLocker PIN or Password
   A) Select (dot) Enabled, and go to step 8 below. (see screenshot below step 8)
8. Click/tap on OK. You can now close Group Policy if you like. (see screenshot below)
[Screenshot: BitLocker_Password_GPEDIT-2.jpg]






OPTION TWO
Allow or Prevent Standard Users to Change BitLocker PIN or Password with REG File

1. Do step 2, 3, or 4 below for what you would like to do.
2. To Allow Standard Users to Change BitLocker PIN or Password
   NOTE: This is the default setting.
   A) Click/tap on the Download button below to download the file below, and go to step 4 below.
   Enable_Standard_Users_Change_BitLocker_PIN_Password.reg
3. To Prevent Standard Users from Changing BitLocker PIN or Password
   A) Click/tap on the Download button below to download the file below, and go to step 4 below.
   Disable_Standard_Users_Change_BitLocker_PIN_Password.reg
4. Save the .reg file to your desktop.
5. Double click/tap on the downloaded .reg file to merge it.
6. If prompted, click/tap on Run, Yes (UAC), Yes, and OK.
7. Sign out and sign in, or restart the PC to apply.
8. When finished, you can delete the downloaded .reg file if you like.

That's it,
Shawn
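
The following is an added example, not part of the original tutorial or its .reg downloads: a PowerShell way to check or set the same policy from an elevated prompt, useful for confirming which state a PC is actually in. It uses the registry value that the "Disallow standard users from changing the PIN or password" policy writes (DisallowStandardUserPINReset under HKLM\SOFTWARE\Policies\Microsoft\FVE); the function names are hypothetical.

```powershell
# Added example. Function names are hypothetical, not a built-in module.
$FvePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$ValueName    = 'DisallowStandardUserPINReset'

function Get-BitLockerPinChangePolicy {
    # A missing key or value means the policy is Not Configured (the default),
    # which behaves the same as Disabled: standard users may change the PIN.
    $item = Get-ItemProperty -Path $FvePolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    $raw  = if ($null -ne $item) { $item.$ValueName } else { $null }

    if     ($null -eq $raw) { $state = 'NotConfigured'; $allowed = $true  }
    elseif ($raw -eq 0)     { $state = 'Disabled';      $allowed = $true  }
    elseif ($raw -eq 1)     { $state = 'Enabled';       $allowed = $false }
    else                    { $state = "Unexpected($raw)"; $allowed = $null }  # review by hand

    New-Object psobject -Property @{
        Computer               = $env:COMPUTERNAME
        PolicyState            = $state
        StandardUsersCanChange = $allowed
    }
}

function Set-BitLockerPinChangePolicy {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('Allow', 'Prevent')]
        [string]$Mode
    )
    # Writing under HKLM\SOFTWARE\Policies requires an elevated session.
    $me = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated (administrator) PowerShell session.'
    }
    if ($PSCmdlet.ShouldProcess($FvePolicyKey, "$Mode standard-user PIN/password change")) {
        if (-not (Test-Path $FvePolicyKey)) { New-Item -Path $FvePolicyKey -Force | Out-Null }
        if ($Mode -eq 'Prevent') {
            New-ItemProperty -Path $FvePolicyKey -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
        } else {
            # 'Allow' removes the value, returning the policy to Not Configured.
            Remove-ItemProperty -Path $FvePolicyKey -Name $ValueName -ErrorAction SilentlyContinue
        }
    }
    Get-BitLockerPinChangePolicy   # report the resulting state
}
```

Run `Set-BitLockerPinChangePolicy -Mode Prevent -WhatIf` to preview the change. On a domain-joined PC, a domain Group Policy that configures this setting will overwrite the local value at the next policy refresh.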

