Disallow Simple BitLocker Startup PINs

jaybird283 561 Reputation points
2023-03-23T03:57:30.2066667+00:00

Is it possible to prevent users from changing their BitLocker PIN to a simple or sequential PIN? We are already setting the PIN length, but is there a way to prevent users from setting it to something like 1234567 or 1111111, for example? I just tried changing my PIN to 1234567 and was shocked that it let me.

ChatGPT says there is a GPO called "Disallow Simple Pins", but I am unable to find that policy and there seems to be no reference to it on the web.

It's really surprising, the lack of Intune support around setting PINs and controlling them. I get that most organizations don't use PINs, but it's a requirement on our systems. It's insane that we have to use third-party tools to prompt a user to set a PIN in the first place. But I digress. My question here is about preventing the user from using Control Panel to set a simple (easy to guess) PIN.


Accepted answer
  1. MTG 1,191 Reputation points
    2023-03-31T11:50:26.78+00:00

    Jaybird, I just took the opportunity to torture ChatGPT myself and again that wrong info came up: "Disallow Simple Pins".

    I made ChatGPT aware of its error and it returned: 'The "Disallow easy PINs" field is not available in the Group Policy Editor for BitLocker. I must have misspoken in my previous response.'

    Cool system (not).

    I offered a script to the users which would set a PIN only after looking at complexity. There's nothing else you can do.

    But remember: even when someone has the PIN, he cannot decrypt the drive.

    1 person found this answer helpful.
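
The accepted answer mentions a script that sets a PIN only after checking its complexity but does not show it. The following is an added example of that approach, not the answerer's script: the function names, the `MinLength` and `MinDistinct` defaults, and the rule set are assumptions, and it assumes numeric PINs, an elevated session and a volume with no existing TPM+PIN protector.

```powershell
# Added example: complexity check before setting a BitLocker startup PIN.
# Function names and thresholds are hypothetical, not built-in policy settings.
function Test-StartupPinComplexity {
    param(
        [Parameter(Mandatory)][string]$Pin,
        [int]$MinLength   = 7,   # assumed; match your configured minimum PIN length
        [int]$MinDistinct = 4    # assumed threshold, not a Microsoft setting
    )
    if ($Pin -notmatch '^\d+$')     { return $false }   # digits only
    if ($Pin.Length -lt $MinLength) { return $false }

    $digits = @($Pin.ToCharArray() | ForEach-Object { [int][string]$_ })

    # Step between neighbouring digits, modulo 10. A single constant step means
    # repeated (0), ascending (1), descending (9) or another fixed stride.
    $steps = @(for ($i = 1; $i -lt $digits.Count; $i++) {
        ($digits[$i] - $digits[$i - 1] + 10) % 10
    })
    if (@($steps | Sort-Object -Unique).Count -le 1) { return $false }

    # Catch patterns such as 1212121 that use very few distinct digits.
    if (@($digits | Sort-Object -Unique).Count -lt $MinDistinct) { return $false }
    return $true
}

function Set-CheckedStartupPin {
    param([string]$MountPoint = $env:SystemDrive)
    $secure = Read-Host -Prompt 'New BitLocker startup PIN' -AsSecureString
    # Plain text is needed only for the pattern checks and is cleared afterwards.
    $plain  = [System.Net.NetworkCredential]::new('', $secure).Password
    try {
        if (-not (Test-StartupPinComplexity -Pin $plain)) {
            Write-Warning 'PIN rejected: repeated, sequential or too few distinct digits.'
            return $false
        }
        $params = @{
            MountPoint         = $MountPoint
            Pin                = $secure
            TpmAndPinProtector = $true
            ErrorAction        = 'Stop'
        }
        Add-BitLockerKeyProtector @params | Out-Null
        return $true
    }
    finally { $plain = $null }
}
```

The check applies only to PINs set through this script; it does not change what Control Panel or `manage-bde` accept.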

1 additional answer

  1. Limitless Technology 43,996 Reputation points
    2023-03-23T16:08:40.3866667+00:00

    Hello there,

    DisallowStandardUserPINReset will help you to achieve your requirements.

    This policy setting allows you to configure whether or not standard users are allowed to change BitLocker volume PINs, provided they are able to provide the existing PIN first.

    This policy setting is applied when you turn on BitLocker.

    If you enable this policy setting, standard users will not be allowed to change BitLocker PINs or passwords.

    If you disable or do not configure this policy setting, standard users will be permitted to change BitLocker PINs and passwords.

    Hope this resolves your query!

    --If the reply is helpful, please Upvote and Accept it as an answer--

    1 person found this answer helpful.