This policy setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits. If you enable this policy setting, you can require a minimum number of digits to be used when setting the startup PIN. If you disable or do not configure this policy setting, users can configure a startup PIN of any length between 4 and 20 digits. Countermeasure: Increasing the PIN length increases the entropy and as such increases the number of tries required for an attacker to guess the correct PIN when attempting to brute force the system. The recommended minimum PIN length is 7 digits. Of course, an even longer PIN will provide additional protection. Potential Impact: None

[minimum_pin_length]

(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\Configure minimum PIN length for startup (2) REG: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE!MinimumPIN