BitLocker and How To Change the User PIN

Posted on December 9, 2009 by Dominik Zemp

As you probably know, a user needs admin rights to change the PIN used together with the TPM (TPM + PIN as the authentication option). Therefore, a standard user isn’t able to change the PIN.

So you have two different options to allow an user to change the PIN:

  1. Assign the user local admin rights (yeah I know, that’s not what most enterprises wants for their standard users)
  2. Develop and install a privileged process/service which uses manage-bde.exe –ChangePIN.

 

Unfortunately, there is no easy and sexy out-of-the-box solution to allow a standard user to change their PIN. :-(

BTW: you can find more information about possible deployments (samples and documentation) at http://code.msdn.microsoft.com/bdedeploy/Release/ProjectReleases.aspx?ReleaseId=3206.

This entry was posted in Windows BitLocker. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>