This policy setting allows you to configure whether or not standard users are allowed to change BitLocker volume PINs, provided they are able to provide the existing PIN first. This policy setting is applied when you turn on BitLocker. If you enable this policy setting, standard users will not be allowed to change BitLocker PINs or passwords. If you disable or do not configure this policy setting, standard users will be permitted to change BitLocker PINs and passwords. Countermeasure: Enabling this policy setting is a more secure configuration, however many organizations will find it much easier to support BitLocker if they allow standard users to create their own personalized PIN. Potential Impact: If you enable this policy setting, standard users will not be allowed to change BitLocker PINs or passwords. If you disable or do not configure this policy setting, standard users will be permitted to change BitLocker PINs and passwords."

[enabled/disabled]

(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\Disallow standard users from changing the PIN or password (2) REG: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE!DisallowStandardUserPINReset