Information
This policy setting allows you to specify whether a password is required to unlock BitLocker-protected removable data drives.
Note: This setting is enforced when turning on BitLocker, not when unlocking a drive. BitLocker will allow unlocking a drive with any of the protectors available on the drive.
The recommended state for this setting is: Disabled.
Using a dictionary-style attack, passwords can be guessed or discovered by repeatedly attempting to unlock a drive. Since this type of BitLocker password does not include the anti-dictionary attack protections provided by a TPM, for example, there is no mechanism to slow down rapid brute-force attacks against it.
The password option will not be available when configuring BitLocker for removable drives.
Solution
To establish the recommended configuration via GP, set the following UI path to Disabled:
Computer Configuration\Policies\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\Configure use of passwords for removable data drives
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template VolumeEncryption.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
Passwords are supported, without complexity requirements and with an 8 character minimum.
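Because the setting is enforced only when BitLocker is turned on, removable drives encrypted before the policy applied can still carry a password protector. The PowerShell below is an added example, not part of the original benchmark text, that lists such drives; it assumes an elevated session, the BitLocker and Storage modules, and that removable drives are those Get-Volume reports with DriveType 'Removable'. The function name is hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: report removable BitLocker volumes that still have a
# Password key protector, since the policy does not affect existing drives.
# Assumption: a drive is "removable" when Get-Volume reports DriveType
# 'Removable'. Some USB hard disks report as 'Fixed' and are not covered.

function Get-RemovablePasswordProtector {
    [CmdletBinding()]
    param()

    # Only volumes that are removable and currently have a drive letter.
    $removable = Get-Volume |
        Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter }

    foreach ($vol in $removable) {
        $mount = "$($vol.DriveLetter):"
        try {
            $blv = Get-BitLockerVolume -MountPoint $mount -ErrorAction Stop
        } catch {
            Write-Warning "Could not query BitLocker state for ${mount}: $_"
            continue
        }

        # Collect protector type names; empty for unencrypted volumes.
        $types = @($blv.KeyProtector |
            Where-Object { $_ } |
            ForEach-Object { [string]$_.KeyProtectorType })

        [pscustomobject]@{
            MountPoint        = $mount
            VolumeStatus      = $blv.VolumeStatus
            KeyProtectorTypes = $types -join ', '
            HasPassword       = $types -contains 'Password'
        }
    }
}

# Show only the drives that need a different protector.
Get-RemovablePasswordProtector |
    Where-Object HasPassword |
    Format-Table -AutoSize
```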