Last update: 2022-02-15


The TPM+PIN mode uses the computer's TPM security hardware together with a user-entered PIN for pre-boot authentication.

Users have to enter this PIN in the Windows pre-boot environment every time the computer starts.

TPM+PIN requires a prepared (provisioned) TPM, and the system's GPO settings must allow the TPM+PIN mode.

If all conditions are met, the TPM+PIN setting dialog is displayed and the user is prompted to define a PIN. The user can click Restart and Encrypt to reboot the computer immediately and start encryption.

If the GPO setting Allow enhanced PINs for startup is enabled, the PIN may include numbers, letters, and special characters. Otherwise, only numbers are allowed.

PINs for BitLocker are between four and twenty characters in length. You can define a higher minimum length through a group policy. The Sophos Central agent software sets the group policy to allow enhanced PINs. The dialog tells the user which characters may be entered and which minimum and maximum lengths apply.
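As an added example (not Sophos code), the following PowerShell audits the prerequisites described above on a Windows computer, reading the BitLocker policy values under HKLM\SOFTWARE\Policies\Microsoft\FVE that the GPO settings write, and checks a proposed PIN against the effective enhanced-PIN and minimum-length policy. The function names are my own; it assumes an elevated session because Get-Tpm and Get-BitLockerVolume require it.

```powershell
# Added example, not part of the Sophos documentation or agent.
# Registry value names are the real BitLocker (FVE) policy values; a missing
# value means the corresponding GPO setting is "Not configured".
$FvePolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-FvePolicyValue {
    param([string]$Name)
    # Returns $null when the policy has never written this value.
    (Get-ItemProperty -Path $FvePolicyPath -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Test-TpmPinPrerequisites {
    $tpm      = Get-Tpm                                   # TpmReady = TPM is prepared for use
    $advanced = Get-FvePolicyValue 'UseAdvancedStartup'   # 1 = "Require additional authentication at startup"
    $tpmPin   = Get-FvePolicyValue 'UseTPMPIN'            # 0 = do not allow, 1 = require, 2 = allow
    $enhanced = Get-FvePolicyValue 'UseEnhancedPin'       # 1 = "Allow enhanced PINs for startup"
    $minLen   = Get-FvePolicyValue 'MinimumPIN'           # 4..20, "Configure minimum PIN length for startup"
    $vol      = Get-BitLockerVolume -MountPoint $env:SystemDrive
    [pscustomobject]@{
        TpmReady         = [bool]$tpm.TpmReady
        TpmPinAllowed    = ($advanced -eq 1) -and ($tpmPin -in 1, 2)
        EnhancedPins     = ($enhanced -eq 1)
        # When no minimum is configured, fall back to the four-character lower bound stated above.
        MinimumPinLength = if ($minLen) { [int]$minLen } else { 4 }
        TpmPinProtector  = [bool]($vol.KeyProtector | Where-Object KeyProtectorType -eq 'TpmPin')
        ProtectionStatus = $vol.ProtectionStatus
    }
}

function Test-BitLockerPin {
    param([string]$Pin, [bool]$EnhancedAllowed, [int]$MinimumLength = 4)
    # Length bounds: policy may raise the minimum; the maximum is twenty characters.
    if ($Pin.Length -lt $MinimumLength -or $Pin.Length -gt 20) { return $false }
    # Without enhanced PINs only digits are accepted; with them, printable characters are accepted.
    if (-not $EnhancedAllowed) { return $Pin -match '^[0-9]+$' }
    return $Pin -match '^[\x20-\x7E]+$'
}

$prereq = Test-TpmPinPrerequisites
$prereq | Format-List
# Example: a numeric PIN is rejected if the configured minimum length is higher than four.
Test-BitLockerPin -Pin '1234' -EnhancedAllowed $prereq.EnhancedPins -MinimumLength $prereq.MinimumPinLength
```

A computer where TpmReady and TpmPinAllowed are both true but TpmPinProtector is false has the prerequisites in place but no TPM+PIN protector yet; that is the state in which the setting dialog should appear.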


All users of a specific Windows computer need to use the same PIN to unlock the system disk. After that, they log on to the operating system with their individual credentials. Single sign-on is not supported for Windows computers.
