Windows 10: Enable or Disable Standard Users Changing BitLocker PIN or Password

How to: Enable or Disable Standard Users Changing BitLocker PIN or Password

How to Enable or Disable Standard Users from Changing BitLocker PIN or Password in Windows 10


Information BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.

When you Administrative privileges are required to configure BitLocker for operating system drives.

When you turn on BitLocker for a removable data drive, you can configure it to require a password to unlock the drive.

By default in Windows 8 and Windows 10, both password for the operating system volume or the BitLocker password for fixed data volumes by default. This gives users the ability to choose PINs and passwords that correspond to a personal mnemonic instead of requiring the user remember a randomly generated character set and allows IT professionals to use the same initial PIN or password setting for all computer images. This also presents the opportunity for users to choose passwords and PINs that are more susceptible to password guessing, dictionary attacks, and social engineering attacks and gives users the ability unlock any computer that still uses the original PIN or password assignment. Requiring password complexity and PIN complexity by Group Policy is recommended to help ensure that users take appropriate care when setting passwords and PINs.

Standard users are required to enter the current PIN or password for the drive to change the BitLocker PIN or BitLocker password. If a user enters an incorrect current PIN or password, the default tolerance for retry attempts is set to 5. Once the retry limit is reached, a standard user will not be able to change the BitLocker PIN or BitLocker password. The retry counter is set to zero when the computer is restarted or when an administrator resets the BitLocker PIN or BitLocker password.

However, you may not want standard users to be able to change the Bitlocker PIN or password on a home PC.

This tutorial will show you how to enable or disable allowing standard users from being able to change BitLocker PINs or passwords of encrypted drives in Windows 10.

You must be signed in as an administrator to enable or disable enhanced PINs for BitLocker startup.


Note editions.

CONTENTS:

• Option One: Enable or Disable Standard Users from Changing BitLocker PINs or Passwords in Local Group Policy Editor
• Option Two: Enable or Disable Standard Users from Changing BitLocker PINs or Passwords using a REG file

OPTION ONE [/i] Enable or Disable Standard Users from Changing BitLocker PINs or Passwords in Local Group Policy Editor
1. Open the Local Group Policy Editor.

2. In the left pane of Local Group Policy Editor, navigate to the location below. (see screenshot below)
*Arrow Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives




3. In the right pane of Operating System Drives in Local Group Policy Editor, double click/tap on the Disallow standard users from changing the PIN or password policy to edit it. (see screenshot above)

4. Do step 5 (enable) or step 6 (disable) below for what you would like to do.


5. To Enable Standard Users from Changing BitLocker PINs or Passwords
A) Select (dot) Not Configured or Disabled, click/tap on OK, and go to step 7 below. (see screenshot below)

NOTE: Not Configured is the default setting.

6. To Disable Standard Users from Changing BitLocker PINs or Passwords
A) Select (dot) Enabled, click/tap on OK, and go to step 7 below. (see screenshot below)




7. When finished, you can close the Local Group Policy Editor if you like.





OPTION TWO [/i] Enable or Disable Standard Users from Changing BitLocker PINs or Passwords using a REG file


Note The .reg files below will add and modify the DWORD value in the registry key below.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE

DisallowStandardUserPINReset DWORD

(delete) = Enable
1 = Disable

1. Do step 2 (enable) or step 3 (disable) below for what you would like to do.


2. To Enable Standard Users from Changing BitLocker PINs or Passwords
A) Click/tap on the Download button below to download the file below, and go to step 4 below.

Enable_Standard_user_from_changing_BitLocker_PIN_or_Password.reg

Download

3. To Disable Standard Users from Changing BitLocker PINs or Passwords
NOTE: This is the default setting.
A) Click/tap on the Download button below to download the file below, and go to step 4 below.

Disable_Standard_user_from_changing_BitLocker_PIN_or_Password.reg

Download
4. Save the .reg file to your desktop.

5. Double click/tap on the downloaded .reg file to merge it.

6. When prompted, click/tap on Run, Yes (UAC), Yes, and OK to approve the merge.

7. You can now delete the downloaded .reg file if you like.

That's it,
Shawn


Related Tutorials

• How to Turn On or Off BitLocker for Fixed Data Drives in Windows 10
• How to Turn On or Off BitLocker for Removable Data Drives in Windows 10
• How to Turn On or Off BitLocker for Operating System Drive in Windows 10
• How to Change BitLocker Startup PIN in Windows 10
• How to Change BitLocker Password in Windows 10
• How to Add or Remove Change BitLocker Password Context Menu in Windows 10
• How to Enable or Disable Enhanced PINs for BitLocker Startup in Windows 10
• How to Specify Minimum PIN Length for BitLocker Startup in Windows 10
• How to Add or Remove Change BitLocker PIN Context Menu in Windows 10

:)

 

Disabling User Passwords Disables PIN and Hello?

Hello Eric,

Thank you for posting your concern in Microsoft community and welcome to the windows 10 Family.

From the description provided, I understand that the sign in option is not working after you disabled the option for PIN input for password.

At this point, I would suggest you to deploy the
System Restore option in Windows.

This option takes your PC back to an earlier point in time, called a system restore point. Restore points are generated when you install a new app, driver, or Windows update, and when you

create a restore point manually. Restoring won’t affect your personal files, but it will remove apps, drivers, and updates installed after the restore point was made.

• 
  Right-click (or press and hold) the Start button, and then select Control Panel.
  
• 
  Search Control Panel for Recovery.
  
• 
  Select Recovery > Open System Restore > Next.
  
• 
  Choose the restore point related to the problematic app, driver, or update, and then select
  Next > Finish.
  

In order to disable the PIN sign in option in Windows 10, refer to the below steps.

Step 1: Access PC settings and open
Users and accounts.

Step 2: Select Sign-in options and tap the
Remove button under PIN.

Note: you can navigate to the same path in order to re-enable the PIN.

Hope the above information is helpful. If you need further assistance, we would be happy to help you.

Thank you.

 

BitLocker Setup- How Do I Disable the TPM and Use a Password Instead?


I would like to enable BitLocker on my laptop, which has a TPM. However, I want to use a password instead of the TPM to decrypt the drive during pre-boot.

I've tried disabling the TPM (using 'tpm.msc') and then enabling "Require additional authentication at startup" within the Group Policy Editor, but those steps didn't work.

How can I disable the TPM and use a password instead? Alternatively, how can I keep the TPM enabled but also require a password (not a PIN) during pre-boot?

Thanks!

 

Disabling User Passwords Disables PIN and Hello?

Sayan:

Thanks for your reply, but that's not really my issue. Let me try again:

At home I want to completely bypass any password or login steps. When I take my Surface on the road I want to require a PIN at login. Windows Phone makes this very easy, for example.

On Windows 10 it appears to enable a PIN, I have to get back into User Accounts and re-enable 'Require passwords." First, I'd like to know if this is correct; if not, is there an easy way to do what I want?

Thanks.

 

changing bitlocker password, Windows 10

Hello Keith,

We suggest to change it from Control Panel. You may follow the steps below:

• Press Windows key + X.
• Select Control Panel.
• Click BitLocker Drive Encryption.
• Click Unlock drive.
• Type your present password and click Unlock.
• The drive will be unlocked and you will notice more links on the right of that particular unlocked drive, click
  Change password.
• Now, you may type your Old password, New password and Confirm new password.
• Click Change password.

Let us know how it goes.

Regards.

 

Windows 10 Change password to pin

Hi Ana,

Thank you for posting your query in Microsoft Community. I regret the inconvenience caused to you. Let me help you.



Please share the details.

• 
  Are you able to log in to your desktop?
  
• 
  Do you see any error code along with the error message?
  

I suggest you to go through the below steps and check if it helps.

Follow these steps to set up a PIN on your Windows User Account:

• 
  Press the Windows +S key combination to display the Search box.
  
• 
  Type the word pin into the Search box, then click
  Set up PIN sign-in.
  
• 
  Find the “PIN” section and click the Add button.
  
• 
  Type in the password for your User Account, then click the
  Ok button.
  
• 
  Select and enter a 4 digit numeric pin, then enter it again for confirmation.
  
• 
  Exit the PIN setup utility.
  

From now on you’ll be able to log in to your Windows account by entering your 4 digit PIN instead of your password.



You can change your PIN at any time by following the steps below:

• 
  Press the Windows +S key combination to display the Search box.
  
• 
  Type the word pin into the Search box, then click Set up PIN sign-in.
  
• 
  Find the “PIN” section and click the Change button.
  
• 
  Enter your Windows password, then click the
  Ok button.
  
• 
  Select and enter a new 4 digit numeric pin, then enter it again for confirmation.
  
• 
  Click the Finish button.
  
• 
  Exit the PIN setup utility.
  

Check if it helps.



I hope the information helps. Please keep us posted on the issue. We will be happy to assist you accordingly.

Thank you.