In Windows 11/10, both administrators and standard users are allowed by default to change the BitLocker PIN or password for the operating system volume, or the BitLocker password for fixed data volumes. If you do not want standard users to be able to change the BitLocker PIN or password on a PC, this post shows you how to prevent standard users from changing the BitLocker PINs or passwords of encrypted drives in Windows 11/10.
Prevent Standard Users from Changing BitLocker PINs or Passwords
Standard users are required to enter the current PIN or password for the drive to change the BitLocker PIN or BitLocker password. If a user enters an incorrect current PIN or password, the default tolerance for retry attempts is set to 5. Once the retry limit is reached, a standard user will not be able to change the BitLocker PIN or BitLocker password. The retry counter is set to zero when the computer is restarted or when an administrator resets the BitLocker PIN or BitLocker password.
You must be signed in as an administrator to enable or disable this policy setting.
Open the Local Group Policy Editor and on the left pane of Local Group Policy Editor, navigate to the following location:
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives
On the right pane of Operating System Drives in Local Group Policy Editor, double-click the Disallow standard users from changing the PIN or password policy to edit it.
This policy setting allows you to configure whether or not standard users are allowed to change BitLocker volume PINs, provided they are able to provide the existing PIN first. This policy setting is applied when you turn on BitLocker. If you enable this policy setting, standard users will not be allowed to change BitLocker PINs or passwords. If you disable or do not configure this policy setting, standard users will be permitted to change BitLocker PINs and passwords.
As shown in the screenshot above, do the following:
To Allow Standard Users to Change BitLocker PINs or Passwords
- Select the radio button for Not Configured or Disabled, and click OK.
To Prevent Standard Users from Changing BitLocker PINs or Passwords
- Select the radio button for Enabled, and click OK.
You can now exit the Group Policy Editor and restart your computer for changes to take effect.
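The same policy can be audited and set from an elevated PowerShell session, which is useful when you need to check or enforce it on more than one PC. This is an added example and not part of the original post; it assumes that the Group Policy setting above is backed by the registry value DisallowStandardUserPINReset under HKLM\SOFTWARE\Policies\Microsoft\FVE (taken from the FVE.admx template), with 1 meaning Enabled and 0 meaning Disabled.

```powershell
# Added example: audit and set the registry value behind the
# "Disallow standard users from changing the PIN or password" policy.
# ASSUMPTION: the policy maps to DisallowStandardUserPINReset under
# HKLM\SOFTWARE\Policies\Microsoft\FVE (from FVE.admx). Run elevated;
# standard users cannot write to HKLM\SOFTWARE\Policies.

$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$PolicyName = 'DisallowStandardUserPINReset'

function Get-StandardUserPinChangePolicy {
    # Returns NotConfigured, Enabled (standard users blocked) or Disabled
    # (standard users allowed), mirroring the three radio buttons in the dialog.
    $item = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.$PolicyName -eq 1) { return 'Enabled' }
    return 'Disabled'
}

function Set-StandardUserPinChangePolicy {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('NotConfigured', 'Enabled', 'Disabled')]
        [string]$State
    )
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    switch ($State) {
        'NotConfigured' { Remove-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue }
        'Enabled'       { Set-ItemProperty -Path $PolicyKey -Name $PolicyName -Value 1 -Type DWord }
        'Disabled'      { Set-ItemProperty -Path $PolicyKey -Name $PolicyName -Value 0 -Type DWord }
    }
    # Read the value back so the caller sees what is actually stored.
    return Get-StandardUserPinChangePolicy
}

# Audit: list the OS volume protectors a standard user could otherwise change.
Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem' | ForEach-Object {
    $pinProtectors = $_.KeyProtector |
        Where-Object KeyProtectorType -in 'TpmPin', 'TpmPinStartupKey', 'Password'
    '{0}: protection {1}, PIN/password protectors: {2}' -f $_.MountPoint,
        $_.ProtectionStatus, ($pinProtectors.KeyProtectorType -join ', ')
}

'Current policy: {0}' -f (Get-StandardUserPinChangePolicy)
# Block standard users from changing the PIN or password, then confirm.
'Policy now: {0}' -f (Set-StandardUserPinChangePolicy -State 'Enabled')
```

As with the Group Policy Editor route, restart the computer afterwards so the change takes effect.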