Prevent Changing BitLocker PIN within Shell RRS feed

  • Question

  • Apologies if this is not the right forum (also cross-posting to the Win7 Security forum).

    Is there any way to prevent or block users from changing their BitLocker PIN through the shell? 

    There are essentially two ways that a user change their BitLocker PIN (provided they have admin rights):

       a) from command line using the "manage-bde.exe" tool
       b) from dialog box if user selects "Manage BitLocker" in Explorer or Control Panel

    The dialog asks the user if they want to "Save or Print Recovery Key Again" or "Reset the PIN".

    We want to block the execution of the process that resets the PIN.   (Ideally it would be nice not to have the dialog display at all.)

    I've tested AppLocker but it does not block the shell process.  However, we do limit what manage-bde.exe can do with BeyondTrust's Privilege Manager.

    [FYI, we want to do this because we want enforce password complexity and a password change every 90 days -- something that we are doing via a script.]

    Roland Thomas

    Life Motto #1: "Live your life like you give a damn."
    Wednesday, September 15, 2010 6:22 PM


  • Hi,

    I noticed that you posted a duplicated question in Windows 7 Security forums. Generally, we answer one question per post in the thread. As your problem is mainly related to Windows 7 Security, in order to concentrate fully on this issue, we will close this thread and focus on the following one.


    Thanks for your understanding and cooperation.

    Best Regards

    Dale Qiao

    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. ”
    • Marked as answer by Dale Qiao Thursday, September 23, 2010 8:32 AM
    Friday, September 17, 2010 3:03 AM