Prevent Standard Users from Changing BitLocker PINs or Passwords
Standard users are required to enter the current PIN or password for the drive to change the BitLocker PIN or BitLocker password. If a user enters an incorrect current PIN or password, the default tolerance for retry attempts is set to 5. Once the retry limit is reached, a standard user will not be able to change the BitLocker PIN or BitLocker password. The retry counter is set to zero when the computer is restarted or when an administrator resets the BitLocker PIN or BitLocker password. You must be signed in as an administrator to enable or disable enhanced PINs for BitLocker startup. Open the Local Group Policy Editor and on the left pane of Local Group Policy Editor, navigate to the following location:
On the right pane of Operating System Drives in Local Group Policy Editor, double-click Disallow standard users from changing the PIN or password policy to edit it.
As shown in the screenshot above, do the following; To Enable Standard Users from Changing BitLocker PINs or Passwords
Select the radio button for Not Configured or Disabled, and click OK.
To Disable Standard Users from Changing BitLocker PINs or Passwords
Select the radio button for Enabled, and click OK.
You can now exit the Group Policy Editor and restart your computer for changes to take effect.
