Windows 11 must be configured to require a minimum PIN length of six characters or greater.

STIG ID: WN11-CC-000260  |  SRG: SRG-OS-000480-GPOS-00227 |  Severity: medium (CAT II)  |  CCI: CCI-000366 |  Vulnerability Id: V-253401

Vulnerability Discussion

Windows allows the use of PINs and biometrics for authentication without sending a password to a network or website where it could be compromised. Longer minimum PIN lengths increase the available combinations an attacker would have to attempt. Shorter minimum length significantly reduces the strength.

Note: A different registry location is needed when systems are managed by Intune versus GPO.

Check

If the following registry value does not exist or is not configured as specified, this is a finding:

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity\ (For GPO-managed systems)
Or
Registry Path: \SOFTWARE\Microsoft\Policies\PassportForWork\[guid]\device\policies\PINComplexity (For Intune-managed systems)

Value Name: MinimumPINLength

Type: REG_DWORD
Value: 6 (or greater)

Fix

For GPO-managed systems:

Configure the policy value for Computer Configuration >> Administrative Templates >> System >> PIN Complexity >> "Minimum PIN length" to "6" or greater.

For Intune-managed systems:

Revise the Intune policy to set the minimum PIN length to "6" or greater.