BitLocker Password or Pin - Prevent Users from Changing

How to Allow or Prevent Standard Users from Changing BitLocker Password or Pin in Windows 8

Information
In Windows 8, administrative privileges are still required to configure BitLocker; however, by default standard users are allowed to change the BitLocker PIN or password for the operating system volume, and the BitLocker password for fixed and removable data volumes. This lets users choose PINs and passwords that correspond to a personal mnemonic instead of requiring them to remember a randomly generated character set, and it allows IT professionals to use the same initial PIN or password setting for all computer images. It also gives users the opportunity to choose passwords and PINs that are more susceptible to password guessing, dictionary attacks, and social engineering, and it lets anyone who knows the original PIN or password unlock any computer that still uses that original assignment.

Standard users are required to enter the current PIN or password for the drive in order to change it. If a user enters an incorrect current PIN or password, the default tolerance is 5 retry attempts. Once the retry limit is reached, a standard user will not be able to change the BitLocker PIN or password. The retry counter is reset to zero when the computer is restarted or when an administrator resets the BitLocker PIN or password.

For more information, see: What's New in BitLocker

This tutorial will show you how to allow or prevent standard users from being able to change the BitLocker PIN or password of an unlocked encrypted OS drive, fixed data drive, or removable data drive in Windows 8.

You must be signed in as an administrator to be able to do the steps in this tutorial.

Note
When standard users are prevented from changing a BitLocker PIN or password, UAC will prompt them for an administrator's password before the change is allowed.


EXAMPLE: Standard Users Enabled and Disabled to Change BitLocker PIN or Password
Enabled.jpg
Disabled.jpg






OPTION ONE

Allow or Prevent Standard Users to Change BitLocker PIN or Password in Group Policy


1. Press the Windows + R keys to open the Run dialog, type gpedit.msc, and press Enter.
2. If prompted by UAC, then click/tap on Yes.
3. In the left pane of Group Policy, click/tap to expand Computer Configuration, Administrative Templates, Windows Components, BitLocker Drive Encryption, and open Operating System Drives. (see screenshot below)
BitLocker_Password_GPEDIT-1.jpg
4. In the right pane of Operating System Drives, double click/tap on Disallow standard users from changing the PIN or password to edit it. (see screenshot above)
5. Do step 6 or 7 below for what you would like to do.
6. To Allow Standard Users to Change BitLocker PIN or Password
A) Select (dot) either Not Configured or Disabled, and go to step 8 below. (see screenshot below step 8)
NOTE: Not Configured is the default setting.
7. To Prevent Standard Users from Changing BitLocker PIN or Password
A) Select (dot) Enabled, and go to step 8 below. (see screenshot below step 8)
8. Click/tap on OK. You can now close Group Policy if you like. (see screenshot below)
BitLocker_Password_GPEDIT-2.jpg






OPTION TWO

Allow or Prevent Standard Users to Change BitLocker PIN or Password with REG File


1. Do step 2 or 3 below for what you would like to do.
2. To Allow Standard Users to Change BitLocker PIN or Password
NOTE: This is the default setting.
A) Click/tap on the Download button below to download the file below, and go to step 4 below.
Enable_Standard_Users_Change_BitLocker_PIN_Password.reg
3. To Prevent Standard Users from Changing BitLocker PIN or Password
A) Click/tap on the Download button below to download the file below, and go to step 4 below.
Disable_Standard_Users_Change_BitLocker_PIN_Password.reg
4. Save the .reg file to your desktop.
5. Double click/tap on the downloaded .reg file to merge it.
6. If prompted, click/tap on Run, Yes (UAC), Yes, and OK.
7. Sign out and sign in, or restart the PC to apply.
8. When finished, you can delete the downloaded .reg file if you like.
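The same setting can also be applied, reverted and verified from an elevated PowerShell prompt, which is handy for scripting it across several PCs or for confirming what a merged .reg file actually changed. The block below is an added example and is not one of the tutorial's .reg files. It assumes the Group Policy setting in OPTION ONE is backed by the DWORD value DisallowStandardUserPINReset under HKLM\SOFTWARE\Policies\Microsoft\FVE (1 = prevent, 0 or absent = allow, i.e. Not Configured); the function names are our own. One caveat for domain-joined PCs: a domain Group Policy that configures this setting will overwrite a local registry change at the next policy refresh, so set it in the domain GPO there instead.

```powershell
# Added example (not the tutorial's own .reg files). Assumption: the policy
# "Disallow standard users from changing the PIN or password" is stored as the
# DWORD value DisallowStandardUserPINReset under
# HKLM:\SOFTWARE\Policies\Microsoft\FVE (1 = prevent; 0 or absent = allow).
# Run from an elevated PowerShell prompt.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$ValueName = 'DisallowStandardUserPINReset'

function Test-IsElevated {
    # HKLM\SOFTWARE\Policies is only writable by administrators, so fail early
    # with a clear message instead of a permissions error half way through.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $id
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Set-StandardUserPinChange {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Allow', 'Prevent')]
        [string]$Mode
    )
    if (-not (Test-IsElevated)) {
        throw 'Run this from an elevated (administrator) PowerShell prompt.'
    }

    if ($Mode -eq 'Prevent') {
        # Equivalent of setting the policy to Enabled: create the key if it is
        # missing and write the DWORD value 1.
        if (-not (Test-Path $PolicyKey)) {
            New-Item -Path $PolicyKey -Force | Out-Null
        }
        New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    }
    else {
        # Equivalent of Not Configured (the default): remove the value entirely.
        # Setting it to 0 (policy Disabled) would also allow the change.
        if (Test-Path $PolicyKey) {
            Remove-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
        }
    }
}

function Get-StandardUserPinChange {
    # Reports the effective local setting. A missing key or value means the
    # policy is Not Configured, so standard users may change the PIN/password.
    $value = $null
    if (Test-Path $PolicyKey) {
        $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
        if ($item) { $value = $item.$ValueName }
    }
    if ($value -eq 1) { return 'Prevent' }
    return 'Allow'
}

# Usage: prevent, verify, then restore the default and verify again.
Set-StandardUserPinChange -Mode Prevent
Get-StandardUserPinChange
Set-StandardUserPinChange -Mode Allow
Get-StandardUserPinChange
```

After changing the value, have a standard user try to change the PIN or password from the BitLocker control panel: with the value set to 1 they should get the UAC prompt for an administrator's password described in the Note above, and with it removed they should be able to change it after entering the current PIN or password.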

That's it,
Shawn

