New-CMOSPassphrase
Create a policy to specify the constraints for passwords used to unlock BitLocker-protected OS drives.
Syntax
New-CMOSPassphrase
[-PolicyState <State>]
[-PasswordComplexity <Dispensation>]
[-MinimumLength <UInt64>]
[-RequireAsciiOnlyPassword]
[-DisableWildcardHandling]
[-ForceWildcardHandling]
[<CommonParameters>]Description
Create a policy to specify the constraints for passwords used to unlock BitLocker-protected OS drives. If you allow non-TPM protectors on OS drives, you can provision a password, enforce complexity requirements, and configure a minimum length. For these complexity requirement settings to be effective, also enable the group policy setting Password must meet complexity requirements in Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy.
Note
Windows enforces these settings when you enable BitLocker, not when it unlocks a volume. BitLocker allows a user to unlock a drive with any of the available protectors.
You can't use passwords if you also enable Windows to use FIPS-compliant algorithms for encryption, hashing, and signing.
Examples
Example 1: New enabled policy that sets complexity and minimum length
This example creates a new policy that's enabled, requires a complex password that's at least 10 characters in length.
New-CMOSPassphrase -PolicyState Enabled -PasswordComplexity Require -MinimumLength 10Example 2: New policy that requires ASCII
This example creates a policy that's enabled with the following properties:
- Allows but doesn't require a complex password
- At least 12 characters long
- Requires that the password only includes ASCII characters.
New-CMOSPassphrase -PolicyState Enabled -PasswordComplexity Allow -MinimumLength 12 -RequireAsciiOnlyPasswordParameters
-DisableWildcardHandling
This parameter treats wildcard characters as literal character values. You can't combine it with ForceWildcardHandling.
| Type: | SwitchParameter |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-ForceWildcardHandling
This parameter processes wildcard characters and may lead to unexpected behavior (not recommended). You can't combine it with DisableWildcardHandling.
| Type: | SwitchParameter |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-MinimumLength
Passwords must be at least 8 characters. To configure a greater minimum length for the password, use this parameter.
| Type: | UInt64 |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-PasswordComplexity
Use this parameter to configure password complexity for OS drives. To enforce complexity requirements on the password, set the value to Require.
Require: When you enable BitLocker, a connection to a domain controller is necessary to validate the complexity of the password.Allow: The device tries to connect to a domain controller to validate the complexity. If it can't communicate with a domain controller, it still accepts the password whatever the actual complexity. BitLocker encrypts the drive using that password as a protector.Prohibit: The client doesn't connect to a domain controller to validate the password complexity.
| Type: | Dispensation |
| Accepted values: | Allow, Require, Prohibit |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-PolicyState
Use this parameter to configure the policy.
Enabled: If you enable this policy, users can configure a password that meets the requirements you define. To enforce complexity requirements on the password, use-PasswordComplexity Require.DisabledorNotConfigured: If you disable or don't configure this policy, the default length constraint of eight characters applies to OS drive passwords, and it doesn't check the password complexity.
| Type: | State |
| Accepted values: | Enabled, Disabled, NotConfigured |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-RequireAsciiOnlyPassword
Add this parameter to require ASCII-only passwords for OS drives.
| Type: | SwitchParameter |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
Inputs
None
Outputs
Microsoft.ConfigurationManagement.AdminConsole.BitlockerManagement.PolicyObject
Related Links
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for