18.9.11.2.11 (BL) Ensure 'Configure minimum PIN length for startup' is set to 'Enabled: 7 or more characters'

Information

This policy setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits.
The recommended state for this setting is: Enabled: 7 or more characters.

Rationale:
BitLocker requires the use of the function keys [F1-F10] for PIN entry since the PIN is entered in the pre-OS environment before localization support is available. This limits each PIN digit to one of ten possibilities. The TPM has an anti-hammering feature that includes a mechanism to exponentially increase the delay for PIN retry attempts; however, using a PIN that is short in length improves an attacker's chances of guessing the correct PIN.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled: 7 or more characters:
Computer Configuration\Policies\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\Configure minimum PIN length for startup
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template VolumeEncryption.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).

Impact:
The minimum length of the startup PIN will be 7 or more digits (up to a maximum of 20 digits), as specified.

Default Value:
Disabled. (Users can configure a startup PIN of any length between 4 and 20 digits.)

References:
1. CCE-33073-8

See Also

https://workbench.cisecurity.org/benchmarks/14249

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, CSCv6|2, CSCv7|5.1

Plugin: Windows

Control ID: 8467ed50beda36ff287d202b08c9c74ca0d4b05f4bf7d33d2e3c59505e0f4752