Ensure 'Configure use of passwords for operating system drives' is set to 'Disabled'


This policy setting specifies the constraints for passwords used to unlock BitLocker-protected operating system drives.

Note: This setting is enforced when turning on BitLocker, not when unlocking a volume. BitLocker will allow unlocking a drive with any of the protectors available on the drive.

The recommended state for this setting is: Disabled.

Rationale:
Using a dictionary-style attack, passwords can be guessed or discovered by repeatedly attempting to unlock a drive. Since this type of BitLocker password does not include the anti-dictionary-attack protections that a TPM provides, for example, there is no mechanism to slow down rapid brute-force attempts against it.

Impact:
The password option will not be available when configuring BitLocker for the operating system drive.

Solution:
To establish the recommended configuration via GP, set the following UI path to Disabled:

Computer Configuration\Policies\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\Configure use of passwords for operating system drives

Note: This Group Policy path may not exist by default. It is provided by the Group Policy template VolumeEncryption.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
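As an added example, not part of the benchmark text, the following PowerShell audits this setting on a host and also lists operating system volumes that already carry a password protector, which matters because the note above says the policy is enforced only when BitLocker is turned on, not when a volume is unlocked. The HKLM\SOFTWARE\Policies\Microsoft\FVE key is where VolumeEncryption.admx writes BitLocker policy; the value name OSPassphrase used here is an assumption and should be confirmed against the ADMX before relying on it.

```powershell
# Added example (not from the benchmark): audit "Configure use of passwords for
# operating system drives" and report OS volumes already protected by a password.
# Run in an elevated PowerShell session on the host being checked.

# BitLocker policy key written by VolumeEncryption.admx.
$FveKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
# ASSUMPTION: value name the ADMX uses for this policy; 0 = Disabled, 1 = Enabled.
$ValueName = 'OSPassphrase'

function Get-OsPasswordPolicyState {
    $item = Get-ItemProperty -Path $FveKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    switch ($item.$ValueName) {
        0       { 'Disabled' }
        1       { 'Enabled' }
        default { "Unexpected($($item.$ValueName))" }
    }
}

function Get-OsVolumesWithPasswordProtector {
    # Get-BitLockerVolume is part of the BitLocker module (Windows 8 / Server 2012 and later).
    Get-BitLockerVolume |
        Where-Object { $_.VolumeType -eq 'OperatingSystem' } |
        Where-Object { $_.KeyProtector | Where-Object KeyProtectorType -eq 'Password' } |
        Select-Object MountPoint, VolumeStatus, ProtectionStatus
}

$state = Get-OsPasswordPolicyState
if ($state -eq 'Disabled') {
    Write-Output 'PASS: policy is Disabled (recommended state)'
} else {
    Write-Output "FAIL: policy state is $state; expected Disabled"
}

# Volumes encrypted before the policy took effect keep their password protector,
# so list them separately: the policy alone does not remove an existing protector.
$offenders = @(Get-OsVolumesWithPasswordProtector)
if ($offenders.Count -gt 0) {
    Write-Output 'OS volumes that still have a password protector:'
    $offenders | Format-Table -AutoSize
}

# Local remediation mirroring what Group Policy writes (domain GPO is the preferred route):
# New-Item -Path $FveKey -Force | Out-Null
# Set-ItemProperty -Path $FveKey -Name $ValueName -Value 0 -Type DWord
```

The two checks answer different questions: the registry read tells you whether the policy is in place for future encryptions, while the protector listing tells you whether any OS volume on the host can still be unlocked with a password today.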

Default Value:

Passwords are supported, without complexity requirements and with an 8-character minimum.

Item Details


References: 800-53|IA-5(1), CSCv7|13.6

Plugin: Windows

Control ID: 266767c5206d85aa917bd8a284eaac0555503faee9f36e26bb772a38f48f2669