Change BitLocker PIN requires elevation

JG 396 Reputation points
2022-10-27T14:44:42.977+00:00

We are migrating from MBAM to ConfigMgr-managed BitLocker, but I have noticed that users cannot change their PIN as it requires elevation and they are not admins.
How do we allow standard users to be able to change their PIN without elevation? Is this normal?

I can see any settings for this in the policy. I have found this:
https://www.tenforums.com/tutorials/96939-enable-disable-standard-users-changing-bitlocker-pin-password.html

Should we use a GPO/regkey locally? How will this impact the ConfigMgr policy?

Thanks

Windows for business | Windows Client for IT Pros | Devices and deployment | Configure application groups
Microsoft Security | Intune | Configuration Manager | Other

Answer accepted by question author

  1. Jason Sandys 31,421 Reputation points Microsoft Employee Moderator
    2022-10-27T18:10:40.113+00:00

    > How do we allow standard users to be able to change their PIN without elevation? Is this normal?

    Yes, this is a current Windows constraint and not related to MBAM or ConfigMgr. The default for this policy is to not allow, so not explicitly disabling it means standard users can't change the PIN.

    > should we use a GPO/regkey locally

    What you should do is based on your requirements and security posture. I generally recommend against using a BitLocker PIN at all.

    > how will this impact the ConfigMgr policy?

    ConfigMgr doesn't care or know about this.

    1 person found this answer helpful.
