BitLocker PIN vs. Enhanced PIN vs. Password

Felix Reichmann 121 Reputation points
2020-08-02T19:15:35.313+00:00

Hello,
BitLocker provides three different types of character-based key protectors for operating system drives. I have assumed that these differ as follows:

  • PIN: Only numeric characters; no minimum length
    GP Element: "Require additional authentication at startup"
  • Enhanced PIN: Numeric characters, letters, symbols; no minimum length
    GP Element: "Allow enhanced PINs for startup"
  • Password: Numeric characters, letters, symbols; introduces a configurable minimum length of at least 8 characters
    GP Element: "Configure use of passwords for operating system drives"

Unfortunately, I have now discovered that the length set for the password is not enforced when PIN+Enhanced PIN+Password is enabled.

Can someone please explain what the difference between the three protectors is and what influence the two Group Policy elements "Configure use of passwords for operating system drives" and "Configure minimum PIN length for startup" have?

Regards
Felix


Accepted answer
  1. Dale Kudusi 3,211 Reputation points
    2020-08-03T03:38:08.643+00:00

    Hi

    PIN: A user-entered numeric key protector that can only be used in addition to the TPM.
    Enhanced PIN: A user-entered alphanumeric key protector that can only be used in addition to the TPM.
    Recovery password: A 48-digit number used to unlock a volume when it is in recovery mode. The numbers can usually be typed on a regular keyboard; if the number keys on the normal keyboard are not responding, you can always use the function keys (F1-F10) to input the numbers.
    Recovery key: An encryption key stored on removable media that can be used for recovering data encrypted on a BitLocker volume.
    For more detail, see BitLocker key protectors and BitLocker authentication methods.

    Configure use of passwords for operating system drives:
    This policy controls how non-TPM based systems utilize the password protector. Used in conjunction with the Password must meet complexity requirements policy, this policy allows administrators to require password length and complexity for using the password protector. By default, passwords must be eight characters in length. Complexity configuration options determine how important domain connectivity is for the client. For the strongest password security, administrators should choose Require password complexity because it requires domain connectivity, and it requires that the BitLocker password meets the same password complexity requirements as domain sign-in passwords.
    More on: Configure use of passwords for operating system drives

    Configure minimum PIN length for startup:
    This policy setting is used to set a minimum PIN length when you use an unlock method that includes a PIN.
    More on: Configure minimum PIN length for startup

    See also the BitLocker Key Management FAQ and BitLocker Group Policy settings.

    I hope the information above helps you.

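To check which of these protectors an OS drive actually uses and which of the two Group Policy elements is in force, the following PowerShell script (an added example, not code from the thread or from Microsoft) reads the OS volume's key protectors and the startup-authentication values under the FVE policy registry key. It assumes the BitLocker PowerShell module, an elevated session, and the registry value names UseTPMPIN, MinimumPIN, UseEnhancedPin, OSPassphrase and OSPassphraseLength as defined in VolumeEncryption.admx; verify those names against the ADMX version in your environment.

```powershell
# Added example: report OS-drive key protectors and BitLocker startup policy values.
# Assumed registry value names (from VolumeEncryption.admx): UseTPMPIN, MinimumPIN,
# UseEnhancedPin, OSPassphrase, OSPassphraseLength. Requires an elevated session.

$fvePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-FvePolicyValue {
    param([string]$Name)
    # Returns $null when the policy is "Not configured" (value absent from the key)
    (Get-ItemProperty -Path $fvePolicyKey -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-StartupAuthReport {
    $os = Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem'
    $protectorTypes = @($os.KeyProtector | Select-Object -ExpandProperty KeyProtectorType)

    [pscustomobject]@{
        MountPoint         = $os.MountPoint
        ProtectionStatus   = $os.ProtectionStatus
        Protectors         = ($protectorTypes -join ', ')
        # TpmPin / TpmPinStartupKey protectors are governed by the PIN policies
        HasTpmPin          = [bool]($protectorTypes -match 'TpmPin')
        # The Password protector is the only one the password-length policy covers
        HasPassword        = [bool]($protectorTypes -contains 'Password')
        # "Require additional authentication at startup" (TPM+PIN element)
        UseTPMPIN          = Get-FvePolicyValue 'UseTPMPIN'
        # "Configure minimum PIN length for startup"
        MinimumPIN         = Get-FvePolicyValue 'MinimumPIN'
        # "Allow enhanced PINs for startup"
        UseEnhancedPin     = Get-FvePolicyValue 'UseEnhancedPin'
        # "Configure use of passwords for operating system drives" and its length element
        OSPassphrase       = Get-FvePolicyValue 'OSPassphrase'
        OSPassphraseLength = Get-FvePolicyValue 'OSPassphraseLength'
    }
}

$report = Get-StartupAuthReport
$report | Format-List

# The situation from the question: a password length is configured, but the OS drive
# uses a TPM+PIN protector, so only the minimum PIN length policy bounds the PIN.
if ($report.HasTpmPin -and $report.OSPassphraseLength -and -not $report.MinimumPIN) {
    Write-Warning ("OS drive uses TPM+PIN; the password length policy ({0}) does not " +
                   "apply to it. Configure 'minimum PIN length for startup' instead." -f
                   $report.OSPassphraseLength)
}
```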

2 additional answers

  1. Felix Reichmann 121 Reputation points
    2020-08-03T21:17:50.877+00:00

    @Dale Kudusi Thank you for the fast answer.


  2. Anonymous
    2020-08-07T08:02:39.687+00:00

    @MariaA :
    You write "Unfortunately, I have now discovered that the length set for the password is not enforced when PIN+Enhanced PIN+Password is enabled."
    We cannot enable PIN+Enhanced PIN+Password. That is not possible, since you will only have the choice of PIN or password.
    PINs/enhanced PINs are not allowed to be longer than 20 characters, by the way.
