Details
This policy setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits.
The recommended state for this setting is: Enabled: 7 or more characters.
Rationale:
BitLocker requires the use of the function keys [F1-F10] for PIN entry since the PIN is entered in the pre-OS environment before localization support is available. This limits each PIN digit to one of ten possibilities. The TPM has an anti-hammering feature that includes a mechanism to exponentially increase the delay for PIN retry attempts; however, using a PIN that is short in length improves an attacker’s chances of guessing the correct PIN.
Solution
To establish the recommended configuration via GP, set the following UI path to Enabled: 7 or more characters:
Computer Configuration\Policies\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\Configure minimum PIN length for startup
Impact:
The minimum length of the startup PIN will be 7 or more digits (up to a maximum of 20 digits), as specified.
Default Value:
Disabled. (Users can configure a startup PIN of any length between 4 and 20 digits.)
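The following PowerShell audit check is an added example and is not part of the benchmark text. It reads the registry value the policy writes when enabled (the DWORD MinimumPIN under HKLM:\SOFTWARE\Policies\Microsoft\FVE), reports whether the configured floor meets the recommended 7 digits, and optionally confirms that the operating system drive actually uses a TPM+PIN key protector, since the setting is only meaningful for volumes protected that way. The function names and the default threshold parameter are this example's own choices; the registry location is assumed to be where the Group Policy engine stores this setting.

```powershell
# Added audit check (example code, not from the benchmark). Assumes the
# "Configure minimum PIN length for startup" policy is stored as the DWORD
# value MinimumPIN under HKLM:\SOFTWARE\Policies\Microsoft\FVE.
function Test-BitLockerMinimumPin {
    [CmdletBinding()]
    param(
        [int]$RequiredLength = 7,   # benchmark recommends "7 or more characters"
        [string]$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    )

    $result = [pscustomobject]@{
        PolicyConfigured = $false
        MinimumPIN       = $null
        Compliant        = $false
        Finding          = ''
    }

    # Missing key or value means the policy is Not Configured or Disabled:
    # Windows then falls back to its built-in 4-digit floor.
    $item = Get-ItemProperty -Path $PolicyPath -Name 'MinimumPIN' -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $result.Finding = 'Policy not configured; users may set a startup PIN as short as 4 digits.'
        return $result
    }

    $result.PolicyConfigured = $true
    $result.MinimumPIN = [int]$item.MinimumPIN

    # Valid range for the policy is 4..20; compliant when at or above the required floor.
    if ($result.MinimumPIN -ge $RequiredLength -and $result.MinimumPIN -le 20) {
        $result.Compliant = $true
        $result.Finding = "Minimum startup PIN length is $($result.MinimumPIN)."
    } else {
        $result.Finding = "Minimum startup PIN length is $($result.MinimumPIN); expected $RequiredLength or more."
    }
    return $result
}

# Optional companion check: does the OS volume actually use a TPM+PIN protector?
# The minimum-length policy has no effect on drives protected by TPM-only or
# password protectors. Requires the built-in BitLocker PowerShell module.
function Get-OsDrivePinProtector {
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    $os.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'TpmPin' }
}

# Run from an elevated prompt on the host being audited.
Test-BitLockerMinimumPin | Format-List
if (-not (Get-OsDrivePinProtector)) {
    Write-Warning "OS drive has no TpmPin key protector; the startup PIN policy is not enforced on it."
}
```

The check reports a finding rather than throwing, so it can be folded into a larger compliance script; a PolicyConfigured of $false with Compliant $false is the state described under Default Value above.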
Supportive Information
This security hardening control applies to the following categories of controls within NIST 800-53: System and Communications Protection, System and Information Integrity. This control applies to the following type of system: Windows.