I use PIN to unlock a windows 10 machine with bitlocker-protected OS drive. Currently, only 0-9 characters are allowed in PIN. Following a documentation, I enabled "Allow enhanced PINs for startup" in gpedit.msc. However, still only 0-9 characters are allowed. Why is it so and what else can be done?
Windows – Allow enhanced PINs for startup with Bitlocker
bitlockergroup-policywindows 10
Related Solutions
I purchased a refurbished PC for the office that came with a 446GB SSD as the primary disk. I faced the same situation as the OP...the encryption stage would always get to 99.9% completion and go no further. chkdsk
turned up no disk errors. Resetting the TPM didn't help. Telling BitLocker to use the older encryption algorithm versus the newer didn't help. Encrypting only the used space versus the entire disk made no difference either.
What finally worked was to use the Disk Management tool to shrink the primary partition by some random number of Gigabytes (I chose to shrink off 40GB). I then enabled BitLocker again and this time it ran until the disk was 100% encrypted and it completed successfully. I was then able to go back into the Disk Management tool and enlarge the primary partition to reclaim the 40GB of space I had shrunk off earlier. In the end I had access to the full amount of original disk space and BitLocker was fully enabled.
To bring up the Disk Management tool, press Win+R then enter
diskmgmt.msc
:Right-click on the drive you are trying to enable BitLocker on (in my case it was "C:") and choose "Shrink Volume...":
Tell it how much you want to shrink the volume by (screen not shown here). When finished, the shrunk space will appear as unallocated space to the right of the drive:
Now return to the BitLocker management window and enable BitLocker again. For me, the encryption now ran to 100% and successfully completed:
You can now return to the Disk Management tool and reclaim the shrunk space. To do this, right-click on the drive you previously shrunk and select "Extend Volume...":
Tell it to reclaim all the unallocated space (screen not shown here). When finished, the drive should be back to its original full size, and the entire drive should still be BitLocker protected:
Here's the steps I used, note this was for a cluster shared volume but presumably will work just as well for a local volume.
$BLV = Get-BitLockerVolume -MountPoint "C:\clusterstorage\volume3"
Remove-BitlockerKeyProtector -MountPoint "C:\clusterstorage\volume3" -KeyProtectorId $BLV.KeyProtector[0].KeyProtectorId
Note that in the MS documentation it uses index 1, but if you only have one protector then it should actually be index 0! You can check this by comparing the output from $BLV.KeyProtector[0] to the (probably zero) output from $BLV.KeyProtector[1].
Also, until I added the final .KeyProtectorID I kept getting "invalid class string".
Best Answer
However, still only 0-9 characters are allowed. Why is it so?
The setting you changed only applies to new BitLocker startup pins.
...
Source BitLocker Group Policy Settings
What else can be done?
You can decrypt the drive and then encrypt it again, which will require you to set up another password.
Source What is the difference between disabling BitLocker Drive Encryption and decrypting the volume?
BitLocker Group Policy Settings
...
Source BitLocker Group Policy Settings