added change to min PIN length

This commit is contained in:
Justin Hall
2017-08-16 11:03:38 -07:00
parent 193077453d
commit 4dfc9e2311
3 changed files with 52 additions and 11 deletions


@ -237,7 +237,7 @@ On a computer with a compatible TPM, four types of authentication methods can be
- only the TPM for authentication
- insertion of a USB flash drive containing the startup key
- the entry of a 6-digit to 20-digit personal identification number (PIN)
- the entry of a 4-digit to 20-digit personal identification number (PIN)
- a combination of the PIN and the USB flash drive
There are four options for TPM-enabled computers or devices:
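Review bot: the rewritten bullet ("4-digit to 20-digit") states the 4-digit floor unconditionally, but the Reference text added later in this same commit says the minimum is 6 by default and can only be reduced to 4 on Windows 10, version 1709 or version 1703 with the October 2017 cumulative update. A reader of the overview alone will come away thinking 4 digits is always available; suggest qualifying the bullet, for example "the entry of a 4-digit to 20-digit personal identification number (PIN); the minimum is 6 digits by default", or pointing to the Minimum PIN length policy section for the version requirements.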
@ -323,7 +323,7 @@ This policy setting is used to set a minimum PIN length when you use an unlock m
<tbody>
<tr class="odd">
<td align="left"><p><strong>Policy description</strong></p></td>
<td align="left"><p>With this policy setting, you can configure a minimum length for a TPM startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 6 digits, and it can have a maximum length of 20 digits.</p></td>
<td align="left"><p>With this policy setting, you can configure a minimum length for a TPM startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits, and it can have a maximum length of 20 digits. By default, the minimum PIN length is 6.</p></td>
</tr>
<tr class="even">
<td align="left"><p><strong>Introduced</strong></p></td>
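Review bot: the new policy description gives the 4-digit floor and the 6-digit default but omits the version gate and the security consequence that the Reference section spells out: the lower floor applies only on version 1709 or 1703 with the October 2017 update, and lowering the minimum below 6 extends the TPM 2.0 lockout period. Since the policy description is what most administrators read when setting the value, suggest carrying one sentence for each into this cell, e.g. "Reducing the minimum below 6 digits increases the TPM lockout duration between failed attempts."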
@ -347,14 +347,34 @@ This policy setting is used to set a minimum PIN length when you use an unlock m
</tr>
<tr class="odd">
<td align="left"><p><strong>When disabled or not configured</strong></p></td>
<td align="left"><p>Users can configure a startup PIN of any length between 6 and 20 digits.</p></td>
<td align="left"><p>Users can configure a startup PIN of any length between 4 and 20 digits.</p></td>
</tr>
</tbody>
</table>
 
**Reference**
This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 6 digits and can have a maximum length of 20 digits.
This policy setting is applied when you turn on BitLocker.
The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits.
Originally, BitLocker allowed from 4 to 20 characters for a PIN.
Windows Hello has its own PIN for logon, which can be 4 to 127 characters.
Both BitLocker and Windows Hello use the TPM to prevent PIN brute-force attacks.
The TPM can be configured to use Dictionary Attack Prevention parameters ([lockout threshold and lockout duration](/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings)) to control how many failed authorizations attempts are allowed before the TPM is locked out, and how much time must elapse before another attempt can be made.
The Dictionary Attack Prevention Parameters provide a way to balance security needs with usability.
For example, when BitLocker is used with a TPM + PIN configuration, the number of PIN guesses is limited over time.
A TPM 2.0 in this example could be configured to allow only 32 PIN guesses immediately, and then only one more guess every two hours.
This totals a maximum of about 4415 guesses per year.
If the PIN is 4 digits, all 9999 possible PIN combinations could be attempted in a little over two years.
Increasing the PIN length requires a greater number of guesses for an attacker.
In that case, the lockout duration between each guess can be shortened to allow legitimate users to retry a failed attempt sooner, while maintaining a similar level of protection.
Beginning with Windows 10, version 1703, the minimum length for the BitLocker PIN was increased to 6 characters to better align with other Windows features that leverage TPM 2.0, including Windows Hello.
To help organizations with the transition, beginning with Windows 10, version 1709 and Windows 10, version 1703 with the October 2017 [cumulative update](https://support.microsoft.com/help/4018124) installed, the BitLocker PIN length is 6 characters by default, but it can be reduced to 4 characters.
If the minimum PIN length is reduced from the default of six characters, then the TPM 2.0 lockout period will be extended.
### Disable new DMA devices when this computer is locked
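Review bot: the arithmetic in "If the PIN is 4 digits, all 9999 possible PIN combinations could be attempted" is off by one: four decimal digits give 10,000 combinations (0000 through 9999), so the line should read "all 10,000 possible PIN combinations" (the "little over two years" conclusion still holds against the 4415 guesses per year stated just above). Two smaller points in the same block: the new text switches between "digits" ("minimum length of 4 digits") and "characters" ("4 to 20 characters", "6 characters by default", "default of six characters") when describing the BitLocker startup PIN, so pick one term for BitLocker and keep "characters" only for the Windows Hello PIN where it is accurate; and the closing sentence "the TPM 2.0 lockout period will be extended" does not say whether Windows adjusts the TPM's Dictionary Attack Prevention parameters automatically or whether the administrator is expected to configure them, which matters because the earlier sentence says the TPM "can be configured" with a lockout threshold and duration. Suggest stating explicitly who makes the change and linking to the same TPM group policy page referenced above.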