Policy
Configure minimum PIN length for startup
Windows 11 25H2
Policy overview
Key metadata and intent for this policy.
Supported OS tags: Windows10, Windows10RT, Windows11, Windows7, Windows8, Windows81, WindowsRT, WindowsRT81, WindowsServer2008, WindowsServer2012, WindowsServer2012R2, WindowsServer2016
This policy setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits. If you enable this policy setting, you can require a minimum number of digits to be used when setting the startup PIN. If you disable or do not configure this policy setting, users can configure a startup PIN of any length between 6 and 20 digits. NOTE: If minimum PIN length is set below 6 digits, Windows will attempt to update the TPM 2.0 lockout period to be greater than the default when a PIN is changed. If successful, Windows will only reset the TPM lockout period back to default if the TPM is reset.
Registry values
How enabled and disabled states update the registry.
No explicit registry values are set for enabled or disabled states.
Policy elements
Inputs and configuration options exposed by this policy.
| Element | Type | Registry mapping | Constraints & behavior |
|---|---|---|---|
Minimum characters: ID MinPINLength | decimal | HKLM\Software\Policies\Microsoft\FVE\MinimumPIN Type REG_DWORD | Range: 4 to 20 |
Other policies in this category
Explore related policies at the same level.
- ComputerAllow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN.At least Windows Server 2016, Windows 10 Version 1703
- ComputerAllow enhanced PINs for startupAt least Windows Server 2008 R2 or Windows 7
- ComputerAllow network unlock at startupAt least Windows Server 2012 or Windows 8
- ComputerAllow Secure Boot for integrity validationAt least Windows Server 2012, Windows 8 or Windows RT
- ComputerChoose how BitLocker-protected operating system drives can be recoveredAt least Windows Server 2008 R2 or Windows 7
- ComputerConfigure pre-boot recovery message and URLAt least Windows Server 2016 or Windows 10
- ComputerConfigure TPM platform validation profile (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2)Windows Server 2008, Windows 7, and Windows Vista
- ComputerConfigure TPM platform validation profile for BIOS-based firmware configurationsAt least Windows Server 2012 or Windows 8
- ComputerConfigure TPM platform validation profile for native UEFI firmware configurationsAt least Windows Server 2012, Windows 8 or Windows RT
- ComputerConfigure use of hardware-based encryption for operating system drivesAt least Windows Server 2012, Windows 8 or Windows RT
- ComputerConfigure use of passwords for operating system drivesAt least Windows Server 2012 or Windows 8
- ComputerDisallow standard users from changing the PIN or passwordAt least Windows Server 2012 or Windows 8