Policy
Disallow standard users from changing the PIN or password
Windows 11 25H2
Policy overview
Key metadata and intent for this policy.
Supported OS tags: Windows8, WindowsServer2012
This policy setting allows you to configure whether or not standard users are allowed to change BitLocker volume PINs, provided they are able to provide the existing PIN first. This policy setting is applied when you turn on BitLocker. If you enable this policy setting, standard users will not be allowed to change BitLocker PINs or passwords. If you disable or do not configure this policy setting, standard users will be permitted to change BitLocker PINs and passwords.
Registry values
How enabled and disabled states update the registry.
| Registry location | Type | Enabled value | Disabled value |
|---|---|---|---|
| HKLM\Software\Policies\Microsoft\FVE\DisallowStandardUserPINReset | REG_DWORD | 1 | 0 |
Policy elements
Inputs and configuration options exposed by this policy.
This policy has no additional user input fields.
Other policies in this category
Explore related policies at the same level.
- ComputerAllow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN.At least Windows Server 2016, Windows 10 Version 1703
- ComputerAllow enhanced PINs for startupAt least Windows Server 2008 R2 or Windows 7
- ComputerAllow network unlock at startupAt least Windows Server 2012 or Windows 8
- ComputerAllow Secure Boot for integrity validationAt least Windows Server 2012, Windows 8 or Windows RT
- ComputerChoose how BitLocker-protected operating system drives can be recoveredAt least Windows Server 2008 R2 or Windows 7
- ComputerConfigure minimum PIN length for startupAt least Windows Server 2008 R2 or Windows 7
- ComputerConfigure pre-boot recovery message and URLAt least Windows Server 2016 or Windows 10
- ComputerConfigure TPM platform validation profile (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2)Windows Server 2008, Windows 7, and Windows Vista
- ComputerConfigure TPM platform validation profile for BIOS-based firmware configurationsAt least Windows Server 2012 or Windows 8
- ComputerConfigure TPM platform validation profile for native UEFI firmware configurationsAt least Windows Server 2012, Windows 8 or Windows RT
- ComputerConfigure use of hardware-based encryption for operating system drivesAt least Windows Server 2012, Windows 8 or Windows RT
- ComputerConfigure use of passwords for operating system drivesAt least Windows Server 2012 or Windows 8