How to Enable or Disable Standard Users from Changing BitLocker PIN or Password in Windows 10

Information
BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.

When you turn on BitLocker for the operating system drive, you can configure it to require a PIN (with TPM) or password to unlock the drive. Administrative privileges are required to configure BitLocker for operating system drives.

When you turn on BitLocker for a fixed or removable data drive, you can configure it to require a password to unlock the drive.

By default in Windows 8 and Windows 10, both administrators and standard users are allowed to change the BitLocker PIN or password for the operating system volume or the BitLocker password for fixed data volumes. This gives users the ability to choose PINs and passwords that correspond to a personal mnemonic instead of requiring the user to remember a randomly generated character set, and allows IT professionals to use the same initial PIN or password setting for all computer images. It also presents the opportunity for users to choose passwords and PINs that are more susceptible to password guessing, dictionary attacks, and social engineering attacks, and gives users the ability to unlock any computer that still uses the original PIN or password assignment. Requiring password complexity and PIN complexity by Group Policy is recommended to help ensure that users take appropriate care when setting passwords and PINs.

Standard users are required to enter the current PIN or password for the drive to change the BitLocker PIN or BitLocker password. If a user enters an incorrect current PIN or password, the default tolerance for retry attempts is set to 5. Once the retry limit is reached, a standard user will not be able to change the BitLocker PIN or BitLocker password. The retry counter is set to zero when the computer is restarted or when an administrator resets the BitLocker PIN or BitLocker password.

However, you may not want standard users to be able to change the BitLocker PIN or password on a home PC.

This tutorial will show you how to allow or prevent standard users from changing the BitLocker PINs or passwords of encrypted drives in Windows 10.

You must be signed in as an administrator to allow or prevent standard users from changing BitLocker PINs or passwords.
Note
BitLocker Drive Encryption is only available in the Windows 10 Pro, Enterprise, and Education editions.

CONTENTS:
  • Option One: Enable or Disable Standard Users from Changing BitLocker PINs or Passwords in Local Group Policy Editor
  • Option Two: Enable or Disable Standard Users from Changing BitLocker PINs or Passwords using a REG file





OPTION ONE

Enable or Disable Standard Users from Changing BitLocker PINs or Passwords in Local Group Policy Editor


1. Open the Local Group Policy Editor.

2. In the left pane of Local Group Policy Editor, navigate to the location below. (see screenshot below)

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

(Screenshot: Operating System Drives in Local Group Policy Editor)

3. In the right pane of Operating System Drives in Local Group Policy Editor, double click/tap on the Disallow standard users from changing the PIN or password policy to edit it. (see screenshot above)

4. Do step 5 (enable) or step 6 (disable) below for what you would like to do.


 5. To Enable Standard Users from Changing BitLocker PINs or Passwords

A) Select (dot) Not Configured or Disabled, click/tap on OK, and go to step 7 below. (see screenshot below)

NOTE: Not Configured is the default setting.


 6. To Disable Standard Users from Changing BitLocker PINs or Passwords

A) Select (dot) Enabled, click/tap on OK, and go to step 7 below. (see screenshot below)

(Screenshot: Disallow standard users from changing the PIN or password policy dialog)

7. When finished, you can close the Local Group Policy Editor if you like.






OPTION TWO

Enable or Disable Standard Users from Changing BitLocker PINs or Passwords using a REG file


Note
The .reg files below will add and modify the DWORD value in the registry key below.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE

DisallowStandardUserPINReset DWORD

(delete) = Enable
1 = Disable

1. Do step 2 (enable) or step 3 (disable) below for what you would like to do.


2. To Enable Standard Users from Changing BitLocker PINs or Passwords

NOTE: This is the default setting (the DisallowStandardUserPINReset value is not present).

A) Click/tap on the Download button below to download the file below, and go to step 4 below.

Enable_Standard_user_from_changing_BitLocker_PIN_or_Password.reg

Download


 3. To Disable Standard Users from Changing BitLocker PINs or Passwords

A) Click/tap on the Download button below to download the file below, and go to step 4 below.

Disable_Standard_user_from_changing_BitLocker_PIN_or_Password.reg

Download

4. Save the .reg file to your desktop.

5. Double click/tap on the downloaded .reg file to merge it.

6. When prompted, click/tap on Run, Yes (UAC), Yes, and OK to approve the merge.

7. You can now delete the downloaded .reg file if you like.
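For admins who would rather script the change than merge a .reg file, the following PowerShell does the same thing as Option Two: it reads the DisallowStandardUserPINReset value under HKLM\SOFTWARE\Policies\Microsoft\FVE, sets it to 1 to block standard users, or deletes it to restore the default. This is an added example, not part of Shawn's tutorial; the function names are my own, and it must be run from an elevated PowerShell prompt.

```powershell
# Added example (not from the tutorial): manage the same policy value that the
# Option Two .reg files write. Requires an elevated (administrator) prompt.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$ValueName = 'DisallowStandardUserPINReset'

function Get-StandardUserPinChangeState {
    # 'Blocked' when the DWORD is 1 (page: "1 = Disable");
    # 'Allowed' when the value is absent (page: "(delete) = Enable") or any other value.
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.$ValueName -eq 1) { return 'Blocked' }
    return 'Allowed'
}

function Set-StandardUserPinChange {
    # $State is 'Blocked' (Option Two step 3) or 'Allowed' (Option Two step 2).
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Allowed', 'Blocked')]
        [string]$State
    )

    if ($State -eq 'Blocked') {
        # Policy keys under HKLM\SOFTWARE\Policies do not exist until a policy is set.
        if (-not (Test-Path $PolicyKey)) {
            New-Item -Path $PolicyKey -Force | Out-Null
        }
        New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType DWord `
                         -Value 1 -Force | Out-Null
    }
    else {
        # Deleting the value is exactly what the "Enable" .reg file does; it restores
        # the Windows default in which standard users may change the PIN or password.
        Remove-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    }

    # Return the state as read back from the registry so the caller can verify it.
    Get-StandardUserPinChangeState
}

# Usage: show the current setting, then block standard users and confirm.
"Before: $(Get-StandardUserPinChangeState)"
"After:  $(Set-StandardUserPinChange -State Blocked)"
```

As with the .reg file, the value is a machine-wide policy: it takes effect for BitLocker's PIN/password change dialog on the next use and is independent of which user is signed in.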


That's it,
Shawn