How to Prevent Standard Users from Changing BitLocker Password

Posted on Matthew By Matthew No Comments on How to Prevent Standard Users from Changing BitLocker Password
Prevent Standard Users from Changing BitLocker Password
Prevent Standard Users from Changing BitLocker Password

If you need to configure BitLocker in Windows 11/10, it typically requires administrator privileges. However, by default, standard users have the ability to change the BitLocker password. This vulnerability poses a significant threat to data integrity and confidentiality. In this guide, we’ll walk you through two methods to prevent standard users from changing the BitLocker password in Windows 11/10. If you are looking to enable pre-boot BitLocker PIN read, How to Enable a Pre-Boot BitLocker PIN on Windows.

By implementing the right measures, you can fortify your data against potential breaches and maintain a robust security posture. Also read, How to correctly disable BitLocker on Windows Server and Install BitLocker on Windows Server via the Server Manager.

Method 1: Using Group Policy to Prevent Standard Users from Changing BitLocker

Press the WIN + R keys to open the Run box. Type gpedit.msc, then hold down the CTRL + Shift keys and press Enter to run as administrator.

Run utility for Group Policy
Run the Group Policy Editor

In the Local Group Policy Editor, navigate to:

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

Double-click on “Disallow standard users from changing the PIN or password policy” in the right pane.

Select disallow standard users from changing the PIN or password policy
Select disallow standard users from changing the PIN or password policy

Select the “Enabled” option, click Apply, and then OK.

Select enabled to disallow standard users
Enable to disallow standard users

When standard users attempt to change the BitLocker password on a fixed drive, the UAC will prompt them to enter an administrator’s password first.

Here are other related guides: How to Change BitLocker Password in Windows, and how to create a Shortcut That enables Standard Users to run Applications as Administrator.

Method 2: Using Registry Editor

Press the WIN + R keys to open the Run box. Type regedit, then hold down the CTRL + Shift keys and press Enter to run as administrator.

Open run utility
Run the Registry Editor

In the Registry Editor, navigate to the key: 

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE

If the FVE key doesn’t exist, right-click the Microsoft key, and create a subkey named FVE.

Create a DWORD value
Create a DWORD value

While the FVE key is selected, right-click on a blank area in the right pane and create a DWORD (32-bit) value named DisallowStandardUserPINReset.

Open the created DWORD
Open the created DWORD

Double-click on the created DWORD and set its value data to 1.

Enter 1 to disable standard user access
Enter 1 to disable standard user access

Close the Registry Editor. Please see how to Change User Account Type in Windows 10, and how to Disable BitLocker on Windows 10.

If you want to allow standard users to change the BitLocker password, change the value data of DisallowStandardUserPINReset to 0.

Enter 0 to enable standard user access
Enter 0 to enable standard user access

These methods provide effective ways to restrict standard users from changing the BitLocker password.

Note: Keep in mind that altering the Windows Registry should be done with caution, and it’s recommended to create backups before making any changes.

Also, see Force BitLocker Recovery mode: How to unlock BitLocker Protected Drive, how To Turn On Or Off Auto-Unlock For BitLocker Drive In Windows 10/11, and Reasons for BitLocker Recovery Prompt: Query the number of BitLocker recovery request.

FAQs

What does the Group Policy method do to prevent standard users from changing the BitLocker password?

The Group Policy method, when enabled, disallows standard users from changing the PIN or password policy for BitLocker on operating system drives. It ensures that only users with administrator credentials can modify BitLocker settings.

Is it safe to modify the Windows Registry to prevent standard users from changing BitLocker password?

While modifying the Windows Registry can be done safely, it should be approached with caution. It's recommended to create backups before making any changes to the Registry.

Incorrect modifications may lead to system instability, and only users with a good understanding of the Registry should attempt these changes.

Should I enable Secure Boot?

UEFI Secure Boot should be enabled and configured to audit firmware modules, expansion devices, and bootable OS images. You cannot run windows 11 if Secureboot is not enabled. You don’t need to enable UEFI to run Windows 10. It is entirely compatible with both BIOS and UEFI However, it’s the storage device that might require UEFI.

Secure Boot must be enabled before an operating system is installed. If an operating system was installed while Secure Boot was disabled, it will not support Secure Boot and a new installation is required.

I hope you found the post on how to Prevent Standard Users from Changing BitLocker Password useful.

Rate this post
Windows Tags:, , , , ,

Related Posts

More Related Articles

Feature image OCS inventory Install and use OCS inventory on Windows Windows
sandbox How to Configure Windows Sandbox Virtualization
Remote Desktop 2 1 How to install RDS via Quick Start Deployment: Install, Publish, Update, and Uninstall Remote Desktop Web Client Web Server
fghj Windows Profile: How to determine your windows username Windows
print driver How to update Printer Drivers on your Windows device Windows
Windows Storage Sense Enable Storage Sense: Manage Storage Drives on Windows Storage

Leave a Reply