BitLocker - How do I Force Password/PIN change in BitLocker?

asked 2022-06-08T12:58:37.907+00:00
SandyPro447 21 Reputation points

We need to configure BitLocker to prompt the user to change their password every 60 days. I've searched online but only found a couple of articles that say it cannot be done. Is that true? Thanks in Advance. Sandy


Accepted answer
  1. answered 2022-06-09T07:53:13.143+00:00
    Limitless Technology 37,301 Reputation points

    Hi Sandydenigris-5440,

    This is the official guidance for BitLocker settings. There is no mention of prompting the user to change their password periodically. Therefore, I would conclude that it is indeed not possible:

    https://learn.microsoft.com/en-us/mem/configmgr/protect/tech-ref/bitlocker/settings

    I hope this answers your question.

    --------------------------------------------------------------------------------------------------------------------------------------------------------

    --If the reply is helpful, please Upvote and Accept as answer--


3 additional answers

  1. answered 2022-06-09T13:24:43.677+00:00
    SandyPro447 21 Reputation points

    Yes, thank you for the confirmation.


  2. answered 2022-06-09T14:11:10.147+00:00
    SandyPro447 21 Reputation points

    So it coincides with our security policy. All passwords need to be changed every 60 days. I opened a ticket with Microsoft yesterday and the tech confirmed BitLocker doesn't have this option. He did provide an alternative.

    From MS:
    Forcing users to change their BitLocker PIN/password every 60 days, similarly to the Windows password: No, we don't have such an option available in BitLocker.

    The closest option available is "Recovery Key Rotation" using MECM/Intune (If Intune is there in your environment)

    Windows 10, version 1909 introduced new BitLocker CSP settings to configure Recovery password rotation.

    Reference link: Using BitLocker recovery keys with Microsoft Endpoint Manager - Microsoft Intune - Microsoft Tech Community
    https://techcommunity.microsoft.com/t5/intune-customer-success/using-bitlocker-recovery-keys-with-microsoft-endpoint-manager/ba-p/2255517


  3. answered 2022-06-10T07:08:01.733+00:00
    MTG 911 Reputation points

    "All passwords need to be changed every 60 days" - but that is not a password. Passwords can be brute forced, BitLocker PINs cannot! They have a lockout mechanism: the TPM closes its gates after as few as 32 wrong attempts, and closes them for good! There is no need to change the PIN that often.
    If you insist on it, use a script that deletes the PIN at regular intervals by means of a scheduled task, sets a new random PIN and displays it to the user.

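The rotation script that the last answer sketches, written out as an added example (not code from any participant in the thread or from Microsoft). It assumes the BitLocker PowerShell module, an elevated context, the OS volume on C:, and a policy that accepts an 8-digit numeric PIN; it refuses to touch the volume unless a recovery password protector exists, so a failed rotation can always be recovered.

```powershell
# Assumptions (not from the thread): volume C:, 8-digit numeric PIN, run elevated.

function New-RandomPin {
    param([int]$Length = 8)
    # CSPRNG with rejection sampling so every digit is equally likely.
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    $sb  = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        # 250 = 25 * 10: bytes 0..249 map to 0..9 without bias; 250..255 are discarded.
        if ($buf[0] -lt 250) { [void]$sb.Append($buf[0] % 10) }
    }
    $rng.Dispose()
    return $sb.ToString()
}

function Set-RotatedBitLockerPin {
    param([string]$MountPoint = 'C:', [int]$PinLength = 8)
    $vol    = Get-BitLockerVolume -MountPoint $MountPoint
    $oldPin = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'TpmPin' }
    if (-not $oldPin) { throw "No TPM+PIN protector on $MountPoint; nothing to rotate." }

    # Safety net: if Add-BitLockerKeyProtector fails after the old protector is gone,
    # the recovery password is the only way back into the volume.
    $recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $recovery) { throw "No recovery password protector on $MountPoint; refusing to rotate." }

    $pin       = New-RandomPin -Length $PinLength
    $securePin = ConvertTo-SecureString -String $pin -AsPlainText -Force

    # Only one TPM-based protector may exist per volume, so remove the old one
    # first and add the new TPM+PIN protector immediately afterwards.
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $oldPin.KeyProtectorId | Out-Null
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $securePin | Out-Null

    # Verify the new protector is really in place before handing the PIN out.
    $check = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
             Where-Object { $_.KeyProtectorType -eq 'TpmPin' }
    if (-not $check) { throw "Rotation failed on $MountPoint; unlock with the recovery password." }
    return $pin
}

# Called from the scheduled task; how the PIN reaches the user (logon message,
# ticketing system, etc.) is a deployment decision and is not shown here.
$newPin = Set-RotatedBitLockerPin -MountPoint 'C:' -PinLength 8
Write-Output "New BitLocker PIN for C: is $newPin"
```

The length check against the enhanced-PIN and minimum-length group policies is left to the policy itself: Add-BitLockerKeyProtector will reject a PIN that does not satisfy it, and the script then throws before the recovery password is needed.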