How to Specify Minimum PIN Length for BitLocker Startup in Windows 10

Information
When you turn on BitLocker for the operating system drive with a compatible TPM, you can choose to unlock the OS drive at startup with a PIN.

Originally, BitLocker allowed from 4 to 20 characters for a PIN. Starting with Windows 10 version 1703, the minimum length for the BitLocker PIN was increased to 6 characters to better align with other Windows features that leverage TPM 2.0. To help organizations with the transition, beginning with Windows 10 version 1709 and Windows 10 version 1703 with the October 2017 Fall Cumulative Update installed, the BitLocker PIN length is 6 characters by default, but it can be reduced to 4 characters. If the minimum PIN length is set below 6 digits, Windows will attempt to update the TPM 2.0 lockout period to be greater than the default when a PIN is changed. If successful, Windows will only reset the TPM lockout period back to default if the TPM is reset.

The "Configure minimum PIN length for startup" policy sets a minimum PIN length when you use an unlock method that includes a PIN. This policy setting is applied when you turn on BitLocker for the OS drive. The startup PIN must have a minimum length of 4 digits, and it can have a maximum length of 20 digits. By default, the minimum PIN length is 6.

This tutorial will show you how to specify a minimum length for a TPM startup PIN used with BitLocker in Windows 10.

You must be signed in as an administrator to specify a minimum PIN length for BitLocker startup.
Note: BitLocker Drive Encryption is only available in Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education editions.

CONTENTS:
  • Option One: Specify Minimum PIN Length for BitLocker Startup in Local Group Policy Editor
  • Option Two: Specify Minimum PIN Length for BitLocker Startup in Registry Editor





OPTION ONE

Specify Minimum PIN Length for BitLocker Startup in Local Group Policy Editor


Note: Local Group Policy Editor is only available in the Windows 10 Pro, Enterprise, and Education editions.

1. Open the Local Group Policy Editor.

2. In the left pane of Local Group Policy Editor, navigate to the location below.

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

3. In the right pane of Operating System Drives in Local Group Policy Editor, double click/tap on the "Configure minimum PIN length for startup" policy to edit it.

4. Do step 5 (specify) or step 6 (default) below for what you would like to do.


 5. To Specify Minimum PIN Length for BitLocker Startup

A) Select (dot) Enabled, enter a number from 4 to 20 in Minimum characters for what you want, click/tap on OK, and go to step 7 below.

Note: If the minimum PIN length is set below 6 digits, Windows will attempt to update the TPM 2.0 lockout period to be greater than the default when a PIN is changed. If successful, Windows will only reset the TPM lockout period back to default if the TPM is reset.


 6. To Use Default Minimum PIN Length for BitLocker Startup

A) Select (dot) Not Configured or Disabled, click/tap on OK, and go to step 7 below.

NOTE: Not Configured is the default setting.

7. When finished, you can close the Local Group Policy Editor if you like.






OPTION TWO

Specify Minimum PIN Length for BitLocker Startup in Registry Editor


1. Press the Win+R keys to open Run, type regedit into Run, and click/tap on OK to open Registry Editor.

2. Navigate to the key below in the left pane of Registry Editor.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE

Note: If you do not have an FVE key, then right click on the Microsoft key, click/tap on New, click/tap on Key, type FVE for the name, and press Enter.

3. Do step 4 (specify) or step 5 (default) below for what you would like to do.


 4. To Specify Minimum PIN Length for BitLocker Startup

A) In the right pane of the FVE key, right click or press and hold on the MinimumPIN DWORD to modify it.

B) Select (dot) Decimal, enter a number from 4 to 20 for what you want, click/tap on OK, and go to step 6 below.

Note: If the minimum PIN length is set below 6 digits, Windows will attempt to update the TPM 2.0 lockout period to be greater than the default when a PIN is changed. If successful, Windows will only reset the TPM lockout period back to default if the TPM is reset.


 5. To Use Default Minimum PIN Length for BitLocker Startup

A) In the right pane of the FVE key, right click or press and hold on the MinimumPIN DWORD, and click/tap on Delete.

B) Click/tap on Yes to confirm, and go to step 6 below.

6. You can now close Registry Editor if you like.

That's it,
Shawn
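
The Option Two registry steps can also be scripted and audited from an elevated PowerShell session. The following is an added example, not part of the original tutorial; the function names are hypothetical, and it assumes MinimumPIN is stored as a DWORD under the FVE policy key shown in step 2.

```powershell
# Added example (not from the original tutorial). Function names are hypothetical.
# Run in an elevated PowerShell session.
$FvePath        = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$ValueName      = 'MinimumPIN'
$DefaultMinimum = 6   # default minimum length when the policy value is absent

# Report the minimum PIN length and whether it comes from policy.
function Get-BitLockerMinimumPin {
    $item = Get-ItemProperty -Path $FvePath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Configured = $false; MinimumPin = $DefaultMinimum }
    }
    [pscustomobject]@{ Configured = $true; MinimumPin = [int]$item.$ValueName }
}

# Equivalent of step 4: set the value, creating the FVE key if it is missing.
function Set-BitLockerMinimumPin {
    param(
        [Parameter(Mandatory)]
        [ValidateRange(4, 20)]   # the policy accepts 4 to 20 only
        [int]$Length
    )
    if (-not (Test-Path -Path $FvePath)) {
        New-Item -Path $FvePath -Force | Out-Null
    }
    New-ItemProperty -Path $FvePath -Name $ValueName -PropertyType DWord `
        -Value $Length -Force | Out-Null
    if ($Length -lt $DefaultMinimum) {
        Write-Warning ("Minimum PIN length is below {0}. Windows will attempt to raise " +
            "the TPM 2.0 lockout period when a PIN is changed." -f $DefaultMinimum)
    }
    Get-BitLockerMinimumPin
}

# Equivalent of step 5: delete the value so the default minimum applies again.
function Reset-BitLockerMinimumPin {
    Remove-ItemProperty -Path $FvePath -Name $ValueName -ErrorAction SilentlyContinue
    Get-BitLockerMinimumPin
}

# Read-only audit of the current setting; changes nothing.
Get-BitLockerMinimumPin
```

Call `Set-BitLockerMinimumPin -Length 8` to raise the minimum, or `Reset-BitLockerMinimumPin` to return to the default. Values outside 4 to 20 are rejected by the parameter validation before the registry is touched.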