Denial-of-service concern

Oct 12, 2010 at 9:59 PM

From the screenshot, it looks like any of the standard users on a system can change the OS volume PIN without any additional authorization. Given the denial-of-service potential of this action, shouldn't the standard user have to present a valid current PIN in order to authorize prior to setting the new OS volume PIN?

Jan 27, 2012 at 10:27 AM

You are wrong.

A standard user can start the tool and is asked to provide admin credentials.
If the tool is started using SCCM it is possible to start the tool automatically without providing admin credentials.

If the tool is started, you can set the PIN for Bitlocker startup. So it is some kind of preboot password.

Your suggestion of providing the current PIN is a nice idea, but we are not able to retriev the current pin.

Perhaps we can ask the user for its password to authorize...