Prevent Changing BitLocker PIN within Shell
Apologies if this is not the right forum (also cross-posting to the Win7 User Interface forum).

Is there any way to prevent or block users from changing their BitLocker PIN through the shell? There are essentially two ways that a user can change their BitLocker PIN (provided they have admin rights):

a) from the command line using the "manage-bde.exe" tool
b) from a dialog box if the user selects "Manage BitLocker" in Explorer or Control Panel

The dialog asks the user if they want to "Save or Print Recovery Key Again" or "Reset the PIN". We want to block the execution of the process that resets the PIN. (Ideally it would be nice not to have the dialog display at all.)

I've tested AppLocker but it does not block the shell process. However, we do limit what manage-bde.exe can do with BeyondTrust's Privilege Manager.

[FYI, we want to do this because we want to enforce password complexity and a password change every 90 days -- something that we are doing via a script.]

Thanks,
Roland Thomas
Life Motto #1: "Live your life like you give a damn."
September 15th, 2010 2:26pm

See my blog which talks about how to prevent BitLocker from Shell.
http://blogs.technet.com/b/askcore/archive/2010/08/13/how-to-prevent-local-administrator-from-turning-off-bitlocker.aspx

Manoj Sehgal
May 30th, 2011 9:47pm

Hi Manoj,

Good to hear from you again (you helped me with some BitLocker issues during our initial Windows 7 deployment last year for my firm). We will try this and let you know.

Right now we have solved the problem by using Beyond Trust Privilege Manager to block the BitLocker process from executing if a user tries to suspend or decrypt BitLocker -- but they get a very unhelpful and meaningless error message. If your solution is easier and more user-friendly we will use it.

Thanks,
Roland Thomas
Life Motto #1: "Live your life like you give a damn."
May 31st, 2011 8:20am

This topic is archived. No further replies will be accepted.
