Bitlocker Minimum PIN Length change in Creator / RS2

  • Question

  • Can anyone explain why the Bitlocker Minimum PIN Length was changed to 6 digits in RS2?

    Going back to Windows 7, the policy has allowed a 4 digit PIN. In Creator the policy clearly changed the Minimum PIN length to 6. Seems like a small deal, but when you support an enterprise of 100,000 users there will be an associated cost from the ticket volume of users having problems.

    Friday, May 5, 2017 2:43 PM

All replies

  • Dear John,

    From this Microsoft documentation, we can see the minimum PIN length is still 4 digits.

    BitLocker Group Policy settings

    https://docs.microsoft.com/en-us/windows/device-security/bitlocker/bitlocker-group-policy-settings#bkmk-unlockpol3

    But as you said, when I open group policy editor on a 1703 machine, I notice the minimum length has been changed to 6 digits.

    However, there is an interesting thing: we can still configure the value as 4, then click Apply. You could give it a try to see if it takes effect.

    Regards



    Monday, May 8, 2017 3:08 AM
    Moderator
  • We have 4 configured in our domain policy but manage-bde and MBAM both say minimum is 6. 

    Friday, May 12, 2017 5:08 PM
  • Hi! We just discovered the same change. Even if you configure 4 numbers, it wants 6 numbers to be entered as a minimum to be compliant. Even the MBAM server change log does not mention that, nor does the official TechNet documentation.
    Wednesday, May 24, 2017 1:00 PM
  • Has anyone ever found a work-around for this? My environment uses 4 digit PINs. Having a small subset of users required to use a 6 digit PIN is a PITA.
    Friday, July 28, 2017 4:17 PM
  • No. When you go with a clean install on that build number, it will require 6 numbers. But it is a little bit hard to tell this to users.
    Sunday, August 6, 2017 7:37 AM
  • I've heard a rumor through TAP that this will be fixed in RS3 and possibly RS2. The fix will allow a minimum PIN length of 4 digits.

    Can anyone provide details or confirm this? This bug has the potential to be expensive. Users changing their PIN via MBAM (per company policy) receive a non-specific error. MBAM instructions still say 4 digits are allowed. Help desk calls could total in the millions.


    Wednesday, September 6, 2017 12:31 PM
  • Hi John,

    I'm on the same trail and have also posted a follow up to your question/experiences here (https://social.technet.microsoft.com/Forums/windows/en-US/028a68ed-ca76-4702-8667-67ddd8b25291/bitlocker-on-rs2-1703-15063-will-not-accept-4-digit-pin).

    I have a machine with Win10 RS2 installed (currently being updated to RS3) and I can confirm that a 4 digit PIN can be set (I used the manage-bde command).

    Gav.

    Thursday, September 28, 2017 10:05 AM
  • Just to confirm, by RS2/RS3 I meant the Windows Insider programme.

    All Insider builds up to and including Win10 1703 16299.15 will accept a 4 digit PIN.

    Gav.

    Tuesday, October 3, 2017 11:41 AM
  • Build 17017.1000 accepts a 4 digit PIN...

    Gav.

    Monday, October 16, 2017 12:32 PM