2

How do I increase the maximum number of characters allowed in the BitLocker password? The current maximum is 20. I know that it's possible, because I have a second machine where the length is 8-256 characters.

  • The group policy option "Allow enhanced PINs for startup" does not seem to have an effect
  • The PowerShell command Add-BitLockerKeyProtector is limited by the same restrictions.
  • On my second machine, no other BitLocker group policies are enabled.
  • I have Windows 10 Pro, 21H2, 19044.1288.

Any suggestions?

JBSnorro
  • 257
  • 2
    What protection mode have you enabled? There's a difference between TPM+password and just password. Get-BitLockerVolume in PowerShell will give you the KeyProtectors in use. – vidarlo Mar 28 '22 at 11:07
  • @vidarlo It says RecoveryPassword+TpmPin. (On my second machine it states Password+RecoveryPassword). Maybe that's the source of the difference. However, I can't find (in e.g. Group Policy) how to change that. Do you know? – JBSnorro Mar 28 '22 at 11:46
  • Why do you want a longer password? The TPM includes brute force protection, so you'll not gain a lot by having a longer password. – vidarlo Mar 28 '22 at 14:24

1 Answer

3

I think you are confusing different concepts:

  • The BitLocker PIN has a maximum length of 20. Only its minimum length is modifiable in the Group Policy Editor.

  • The BitLocker Password has a maximum length of 256 characters.

  • The BitLocker Recovery Password has a maximum length of 48 digits.

For a password, you need to use Add-BitLockerKeyProtector with the -PasswordProtector and -Password parameters, like this:

# Wrap the password in a SecureString, then add it as a Password key protector on C:
$encpass = ConvertTo-SecureString -AsPlainText -String "yourpassword" -Force
Add-BitLockerKeyProtector -MountPoint C:\ -Password $encpass -PasswordProtector

You may also do this the traditional way:

manage-bde -protectors -add c: -password "yourpassword"
harrymc
  • 480,290
  • I only got around to trying it now, but unfortunately it doesn't work, the error being: A password key protector cannot be added because a TPM protector exists on the drive. And if I disable BitLocker, then your command runs fine but there's no effect: no password is required at startup. – JBSnorro May 09 '22 at 12:09
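As an added example (not code from the question, the answer or the comments), the following PowerShell function inspects the key protectors on a volume with Get-BitLockerVolume, as suggested in the comments, and reports whether a TPM-based protector is present, which is the condition behind the error quoted in the last comment. It assumes the built-in BitLocker module in an elevated session; the KeyProtectorType names (Tpm, TpmPin, Password, RecoveryPassword) are the module's standard enum values, and the length limits are the ones stated in the answer and the question.

```powershell
# Added example: report a volume's BitLocker key protectors and whether adding a
# Password protector is possible. Assumes the built-in BitLocker module and an
# elevated PowerShell session. Read-only: it changes nothing on the volume.
function Test-BitLockerPasswordProtectorReadiness {
    [CmdletBinding()]
    param(
        [string]$MountPoint = 'C:',
        # Length of the password you intend to use; checked against the 8-256 range
        # from the question and the 256 maximum from the answer.
        [int]$ProposedPasswordLength = 0
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

    # KeyProtectorType is an enum; collect the names as strings (empty if unencrypted).
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    # Every TPM-based protector name starts with "Tpm" (Tpm, TpmPin, TpmStartupKey,
    # TpmPinStartupKey). If any is present, Add-BitLockerKeyProtector -PasswordProtector
    # fails with "A password key protector cannot be added because a TPM protector
    # exists on the drive", as reported in the comments above.
    $tpmBased = @($types | Where-Object { $_ -like 'Tpm*' })

    [pscustomobject]@{
        MountPoint           = $MountPoint
        ProtectionStatus     = $vol.ProtectionStatus
        KeyProtectorTypes    = ($types -join ', ')
        TpmProtectorPresent  = ($tpmBased.Count -gt 0)
        PasswordPresent      = ($types -contains 'Password')
        RecoveryPasswordSet  = ($types -contains 'RecoveryPassword')
        # The only conflict this check knows about is the TPM one quoted on this page.
        CanAddPassword       = ($tpmBased.Count -eq 0)
        # Limits as stated in the answer: PIN 20, password 256, recovery password 48 digits.
        PinMaxLength         = 20
        PasswordMaxLength    = 256
        ProposedLengthOk     = ($ProposedPasswordLength -ge 8 -and $ProposedPasswordLength -le 256)
    }
}

# Example call: a TpmPin-protected C: (as in the question) reports CanAddPassword = False.
Test-BitLockerPasswordProtectorReadiness -MountPoint 'C:' -ProposedPasswordLength 64 | Format-List
```

Running this on both machines from the question shows the difference directly: the TpmPin volume reports TpmProtectorPresent = True (so only the 20-character PIN applies), while the Password+RecoveryPassword volume reports it False.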