Information
This policy setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits.
The recommended state for this setting is: Enabled: 7 or more characters.
Rationale:
BitLocker requires the use of the function keys [F1-F10] for PIN entry since the PIN is entered in the pre-OS environment before localization support is available. This limits each PIN digit to one of ten possibilities. The TPM has an anti-hammering feature that includes a mechanism to exponentially increase the delay for PIN retry attempts; however, using a PIN that is short in length improves an attacker's chances of guessing the correct PIN.
Solution
To establish the recommended configuration via GP, set the following UI path to Enabled: 7 or more characters:
Computer Configuration\Policies\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\Configure minimum PIN length for startup
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template VolumeEncryption.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
Impact:
The minimum length of the startup PIN will be 7 or more digits (up to a maximum of 20 digits), as specified.
Default Value:
Disabled. (Users can configure a startup PIN of any length between 4 and 20 digits.)
References:
1. CCE-33073-8