This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
We need to configure BitLocker to prompt the user to change their password every 60 days. I've searched online but only found a couple of articles that say it cannot be done. Is that true? Thanks in Advance. Sandy
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 77%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
There's no built-in mechanism for this, no. All you could do to enforce this is to use a script to notify the user to use the GUI to change it and, if he doesn't, delete the PIN and set a random PIN which would be set by a scheduled task. All doable, but not really comfortable.
May I ask why you see the need to change the PIN that often? 60 days is very often.
Hi Sandydenigris-5440,
This is the official guidance for Bitlocker settings. There is no mention of prompting the user to change their password periodically. Therefore, I would conclude that it is indeed not possible:
https://learn.microsoft.com/en-us/mem/configmgr/protect/tech-ref/bitlocker/settings
I hope this answers your question.
--------------------------------------------------------------------------------------------------------------------------------------------------------
--If the reply is helpful, please Upvote and Accept as answer--
Yes, thank you for the confirmation.
So it coincides with our security policy. All passwords need to be changed every 60 days. I opened a ticket with Microsoft yesterday and the tech confirmed BitLocker doesn't have this option. He did provide an alternative.
From MS:
Forcing users to change their BitLocker PIN/Password every 60 days similarly as Windows password- No, we don't have such option available in Bitlocker.
The closest option available is "Recovery Key Rotation" using MECM/Intune (If Intune is there in your environment)
Windows 10, version 1909 introduced new BitLocker CSP settings to configure Recovery password rotation.
Refer Link: Using BitLocker recovery keys with Microsoft Endpoint Manager - Microsoft Intune - Microsoft Tech Community
https://techcommunity.microsoft.com/t5/intune-customer-success/using-bitlocker-recovery-keys-with-microsoft-endpoint-manager/ba-p/2255517
"All passwords need to be changed every 60 days" - but that is not a password. Passwords can be brute forced, bitlocker PINs cannot! They have a lockout mechanism, the TPM closes its gates after 32 wrong attempts already, closes them for good! There is no need to change the PIN that often.
If you insist on it, use a script that deletes the PIN in regular intervals by means of a scheduled task and sets a new random PIN and displays it to the user.