CCE

CCE-96673-9

Platform: cpe:/o:microsoft:windows_11
Date: (C)2022-05-07   (M)2023-07-04



This policy setting allows you to configure whether or not enhanced startup PINs are used with BitLocker. Enhanced startup PINs permit the use of characters including uppercase and lowercase letters, symbols, numbers, and spaces. This policy setting is applied when you turn on BitLocker.

If you enable this policy setting, all new BitLocker startup PINs set will be enhanced PINs. Note: Not all computers may support enhanced PINs in the pre-boot environment. It is strongly recommended that users perform a system check during BitLocker setup.

If you disable or do not configure this policy setting, enhanced PINs will not be used.

Countermeasure: Numeric-only PINs provide much less entropy than an alphanumeric PIN. Increasing the number of characters from 10 digits derived from the function keys to include at least 26 alpha characters from a typical US-ENG keyboard significantly increases the entropy for a PIN and dramatically increases the number of attempts required by an attacker to brute force the system.

Potential Impact: Not all computers enable full keyboard support in the PreOS environment. Some keys may not be available. It is recommended that this functionality be tested on the computers in your environment before it is deployed.


Parameter:

[enabled/disabled]


Technical Mechanism:

(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\Allow enhanced PINs for startup
(2) REG: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE!UseEnhancedPin

CCSS Severity:
CCSS Score: 8.1
Exploit Score: 2.2
Impact Score: 5.9
Severity: HIGH
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CCSS Metrics:
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: HIGH
Integrity: HIGH
Availability: HIGH

References:
Resource Id: SCAP Repo OVAL Definition
Reference: oval:org.secpod.oval:def:79467


OVAL (1): oval:org.secpod.oval:def:79467
XCCDF (1): xccdf_org.secpod_benchmark_general_Windows_11

© SecPod Technologies