Windows 10 systems must use a BitLocker PIN with a minimum length of six digits for pre-boot authentication. (Cat II impact)
If data at rest is unencrypted, it is vulnerable to disclosure. Even if the operating system enforces permissions on data access, an adversary can remove non-volatile memory and read it directly, thereby circumventing operating system controls. Encrypting the data ensures that confidentiality is protected even when the operating system is not running. Pre-boot authentication prevents unauthorized users from accessing encrypted drives. Increasing the PIN length requires a greater number of guesses for an attacker.
If the following registry value does not exist or is not configured as specified, this is a finding. For virtual desktop implementations (VDIs) in which the virtual desktop instance is deleted or refreshed upon logoff, this is NA. For Azure Virtual Desktop (AVD) implementations with no data at rest, this is NA. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\FVE\ Value Name: MinimumPIN Type: REG_DWORD Value: 0x00000006 (6) or greater
Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> BitLocker Drive Encryption >> Operating System Drives "Configure minimum PIN length for startup" to "Enabled" with "Minimum characters:" set to "6" or greater.
Rule ID: SV-220704r859297_rule
Vulnerability ID: V-220704
Group Title: SRG-OS-000185-GPOS-00079
The information system protects the confidentiality and/or integrity of organization-defined information at rest.
The organization distributes symmetric cryptographic keys using NIST FIPS-compliant or NSA-approved key management technology and processes.
The organization produces asymmetric cryptographic keys using: NSA-approved key management technology and processes; approved PKI Class 3 certificates or prepositioned keying material; or approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user^s private key.
The information system implements cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest on organization-defined information system components.
The information system implements cryptographic mechanisms to prevent unauthorized disclosure of organization-defined information at rest on organization-defined information system components.