Hi Lalanc01. No. The options are extremely limited -- mostly by design and by the limitations of the platform at the time it was designed. This is one of the reasons many recommend not using a PIN at all. This is not a universal recommendation, but it is something to consider when choosing whether or not to enforce a PIN. If your organization feels that it needs a PIN, I'd first suggest revisiting this, as there's a lot of unfounded and outdated FUD floating around out there on this. If you still come to the conclusion that you need to enforce a PIN, then you should look at Personal Data Encryption (PDE) instead of, or on top of, BitLocker (without a PIN), as PDE implements a layer of file-system encryption that is gated by Windows Hello for Business, thus actually being more secure and easier to use for end users.
Yes, PDE will surely help once we move to 24H2, since it supports a broader scope of documents/places.
Could you elaborate a bit more on "a lot of unfounded and outdated FUD floating around"? This could help in our discussions with our security team for a new for the PIN.
Thanks
- Jason_Sandys, Dec 11, 2024
Microsoft
In general, most of the info you'll find on the web involves some level of attack on the hardware, and specifically on the bus between the TPM and the CPU. This can involve specialized knowledge and skills, but some attacks don't require an excessive amount of this, just someone willing to dedicate a small amount of time and money. Eliminating this attack, though, is as simple as eliminating the ability to physically access the bus, which nearly all (maybe even all) devices sold within the last few years do by using integrated TPMs instead of separate TPMs that require a physically exposed and accessible bus. The Pluton architecture does this, as do other modern motherboard and CPU architectures.
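As an added example that is not part of the thread above or of any Microsoft documentation: the reply distinguishes a discrete TPM (whose bus an attacker can probe) from an integrated or firmware TPM, and the earlier reply distinguishes TPM-only BitLocker from TPM+PIN. The following PowerShell, run elevated on a Windows 10/11 device, reports both facts for one machine so the question "does this device actually face the bus-sniffing scenario, and does it enforce a PIN today?" can be answered per device rather than from general FUD. The vendor-ID-to-TPM-type table is my own heuristic assumption (MSFT for Pluton, INTC for Intel PTT, AMD for AMD fTPM, anything else treated as probably discrete); the cmdlets and property names (`Get-Tpm`, `Get-BitLockerVolume`, `KeyProtectorType`) are the ones shipped in the TrustedPlatformModule and BitLocker modules.

```powershell
#Requires -RunAsAdministrator
# Added example (not the thread's or Microsoft's code): audit one device for the two
# facts discussed above -- TPM implementation type and BitLocker key-protector mix.
Import-Module TrustedPlatformModule
Import-Module BitLocker

# ASSUMPTION: heuristic mapping of TPM manufacturer ID to implementation type.
# Anything not listed here is treated as a probably-discrete TPM with an exposed bus.
$IntegratedTpmVendors = @{
    'MSFT' = 'Microsoft Pluton (integrated in SoC)'
    'INTC' = 'Intel PTT (firmware TPM)'
    'AMD'  = 'AMD fTPM (firmware TPM)'
}

function Get-TpmPosture {
    $tpm    = Get-Tpm
    $vendor = ($tpm.ManufacturerIdTxt -as [string]).Trim()
    $kind   = if ($IntegratedTpmVendors.ContainsKey($vendor)) {
        $IntegratedTpmVendors[$vendor]
    } else {
        "Unrecognized vendor '$vendor' - likely discrete TPM; bus may be physically accessible"
    }
    [PSCustomObject]@{
        TpmPresent        = $tpm.TpmPresent
        TpmReady          = $tpm.TpmReady
        ManufacturerId    = $vendor
        FirmwareVersion   = $tpm.ManufacturerVersion
        ImplementationType = $kind
        BusExposed        = -not $IntegratedTpmVendors.ContainsKey($vendor)
    }
}

function Get-BitLockerPosture {
    foreach ($vol in Get-BitLockerVolume) {
        # KeyProtectorType values include Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey,
        # RecoveryPassword, ExternalKey and Password.
        $types   = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        $pin     = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
        $tpmOnly = ($types -contains 'Tpm') -and -not $pin
        [PSCustomObject]@{
            MountPoint       = $vol.MountPoint
            VolumeStatus     = $vol.VolumeStatus
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ', ')
            TpmOnly          = $tpmOnly
            PinEnforced      = $pin
        }
    }
}

$tpmPosture = Get-TpmPosture
$tpmPosture | Format-List

$volumes = @(Get-BitLockerPosture)
$volumes | Format-Table -AutoSize

# Summarize the scenario the thread is about: TPM-only BitLocker on a TPM whose bus
# is physically reachable is the only combination where the sniffing attack applies.
$osVolume = $volumes | Where-Object { $_.MountPoint -eq $env:SystemDrive }
if ($osVolume -and $osVolume.TpmOnly -and $tpmPosture.BusExposed) {
    Write-Warning "OS volume is TPM-only and the TPM appears discrete: bus-sniffing scenario applies."
} elseif ($osVolume -and $osVolume.TpmOnly) {
    Write-Host "OS volume is TPM-only but the TPM is integrated/firmware: no exposed bus to probe."
} else {
    Write-Host "OS volume is not TPM-only (or not BitLocker-protected); see the table above."
}
```

Run it on a sample of each hardware model in the fleet rather than once: the vendor heuristic is a starting point, and a model with a recognized firmware-TPM vendor ID but a socketed discrete module would be misclassified, so confirm against the OEM's specification before using the output in a policy discussion.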