Ensure 'Configure use of passwords for fixed data drives' is set to 'Disabled'


This policy setting specifies whether a password is required to unlock BitLocker-protected fixed data drives.

Note: This setting is enforced when turning on BitLocker, not when unlocking a volume. BitLocker will allow unlocking a drive with any of the protectors available on the drive.

The recommended state for this setting is: Disabled.


Using a dictionary-style attack, passwords can be guessed or discovered by repeatedly attempting to unlock a drive. Since this type of BitLocker password does not include anti-dictionary attack protections (such as those provided by a TPM, for example), there is no mechanism to slow down rapid brute-force attacks against it.


The password option will not be available when configuring BitLocker for fixed drives.


To establish the recommended configuration via GP, set the following UI path to Disabled:

Computer Configuration\Policies\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives\Configure use of passwords for fixed data drives

Note: This Group Policy path may not exist by default. It is provided by the Group Policy template VolumeEncryption.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).

Default Value:

Passwords are supported, without complexity requirements and with an 8 character minimum.
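The following PowerShell script is an added example for auditing and remediating this item on a single host; it is not part of the benchmark text or a Tenable plugin. It assumes that the VolumeEncryption.admx template stores this policy as the DWORD value FDVPassphrase under HKLM\SOFTWARE\Policies\Microsoft\FVE (0 = Disabled, 1 = Enabled); that registry location is stated from knowledge of the template, not from this page. Because the note above says the setting is enforced only when BitLocker is turned on, the script also lists any fixed data drives that already carry a Password key protector, since those remain unlockable by password after the policy is applied.

```powershell
# Added example (not from the benchmark or Tenable): audit and remediate
# 'Configure use of passwords for fixed data drives'.
# Assumption: the policy lives at HKLM\SOFTWARE\Policies\Microsoft\FVE\FDVPassphrase
# as a DWORD, 0 = Disabled, 1 = Enabled, absent = Not Configured (default:
# passwords supported). Run in an elevated PowerShell session on the host.

$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$valueName  = 'FDVPassphrase'

function Get-FdvPasswordPolicyState {
    $props = Get-ItemProperty -Path $policyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $props) { return 'NotConfigured' }
    switch ($props.$valueName) {
        0       { 'Disabled' }
        1       { 'Enabled' }
        default { "Unexpected($($props.$valueName))" }
    }
}

function Test-FdvPasswordPolicy {
    $state = Get-FdvPasswordPolicyState
    [pscustomobject]@{
        Setting   = 'Configure use of passwords for fixed data drives'
        State     = $state
        Compliant = ($state -eq 'Disabled')   # recommended state per the benchmark
    }
}

# Local remediation. On domain-joined hosts set the GPO path given above instead,
# otherwise Group Policy will overwrite this value at the next refresh.
function Set-FdvPasswordPolicyDisabled {
    if (-not (Test-Path $policyPath)) { New-Item -Path $policyPath -Force | Out-Null }
    New-ItemProperty -Path $policyPath -Name $valueName -PropertyType DWord -Value 0 -Force | Out-Null
}

# Complementary check: the policy is enforced when BitLocker is turned on, not when
# a volume is unlocked, so report fixed data drives that already have a Password
# protector; those can still be unlocked with that password until it is removed.
function Get-FixedDrivesWithPasswordProtector {
    Get-BitLockerVolume -ErrorAction SilentlyContinue |
        Where-Object { $_.VolumeType -eq 'Data' } |
        Where-Object { ($_.KeyProtector | Where-Object KeyProtectorType -eq 'Password') } |
        Select-Object MountPoint, VolumeStatus, ProtectionStatus
}

Test-FdvPasswordPolicy | Format-List
Get-FixedDrivesWithPasswordProtector | Format-Table -AutoSize
```

Test-FdvPasswordPolicy reports Compliant = $false both for Enabled and for Not Configured, matching the default value described above (passwords supported when nothing is configured). Set-FdvPasswordPolicyDisabled is deliberately not called automatically; invoke it only on hosts that are not managed by Group Policy.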

Item Details


References: 800-53|IA-5(1), CSCv7|13.6

Plugin: Windows

Control ID: ffb2b8d5d5ca54857ed7352066a8476376ad252caf256780d2a460f40dd17d29