New-CMRDVPassPhrasePolicy

Create a policy to specify whether a password is required to unlock BitLocker-protected removable data drives.

Syntax

New-CMRDVPassPhrasePolicy
   [-PolicyState <State>]
   [-RequirePassword]
   [-PasswordComplexity <Dispensation>]
   [-MinimumLength <UInt64>]
   [-DisableWildcardHandling]
   [-ForceWildcardHandling]
   [<CommonParameters>]

Description

Create a policy to specify whether a password is required to unlock BitLocker-protected removable data drives. If you allow a password, you can require it, enforce complexity requirements, and configure a minimum length. For these complexity requirement settings to be effective, also enable the group policy setting Password must meet complexity requirements in Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy.

Note

Windows enforces these settings when you enable BitLocker, not when it unlocks a volume. BitLocker allows a user to unlock a drive with any of the available protectors.

You can't use passwords if you also enable Windows to use FIPS-compliant algorithms for encryption, hashing, and signing.

Examples

Example 1: New enabled policy that sets complexity and minimum length

This example creates a new policy that's enabled and requires a complex password that's at least 10 characters in length.

New-CMRDVPassPhrasePolicy -PolicyState Enabled -PasswordComplexity Require -MinimumLength 10

Example 2: New policy that requires a password

This example creates a policy that's enabled with the following properties:

  • Allows but doesn't require a complex password
  • At least 12 characters long
  • Requires a password

New-CMRDVPassPhrasePolicy -PolicyState Enabled -PasswordComplexity Allow -MinimumLength 12 -RequirePassword
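
The following is an added example, not part of the Configuration Manager reference: a wrapper that checks the constraints described on this page (8-character floor, no passwords when FIPS algorithms are enforced) before calling New-CMRDVPassPhrasePolicy, then inspects the returned policy object. It assumes the console's ConfigurationManager module is installed and that $SiteCode holds your site code; the wrapper name and the local FIPS registry check are the example's own additions.

```powershell
# Added example: validate settings, then create the removable-drive password policy.
# Assumptions: ConfigurationManager module from the console, $SiteCode set by you.
Import-Module "$env:SMS_ADMIN_UI_PATH\..\ConfigurationManager.psd1"
Set-Location "${SiteCode}:"

function New-RemovableDrivePasswordPolicy {
    [CmdletBinding()]
    param(
        [ValidateSet('Enabled', 'Disabled', 'NotConfigured')]
        [string] $PolicyState = 'Enabled',
        [ValidateSet('Allow', 'Require', 'Prohibit')]
        [string] $PasswordComplexity = 'Require',
        [uint64] $MinimumLength = 8,
        [switch] $RequirePassword
    )

    # BitLocker passwords are never shorter than 8 characters, so a lower
    # value would be meaningless; fail early instead of creating a policy.
    if ($MinimumLength -lt 8) {
        throw "MinimumLength must be at least 8 (got $MinimumLength)."
    }

    # Password protectors are unavailable where the Windows FIPS algorithm
    # policy is enabled. This inspects the local machine only, as a hint; the
    # target clients' setting is what actually matters.
    $fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $fips = Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue
    if ($fips -and $fips.Enabled -eq 1) {
        Write-Warning 'FIPS algorithms are enforced here; BitLocker will not accept passwords on such devices.'
    }

    # Splat the validated values into the cmdlet; the switch is only added when set.
    $params = @{
        PolicyState        = $PolicyState
        PasswordComplexity = $PasswordComplexity
        MinimumLength      = $MinimumLength
    }
    if ($RequirePassword) { $params.RequirePassword = $true }
    New-CMRDVPassPhrasePolicy @params
}

# Same settings as Example 2 above, then show every property of the policy object.
$policy = New-RemovableDrivePasswordPolicy -PasswordComplexity Allow -MinimumLength 12 -RequirePassword
$policy | Format-List *
```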

Parameters

-DisableWildcardHandling

This parameter treats wildcard characters as literal character values. You can't combine it with ForceWildcardHandling.

Type: SwitchParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False

-ForceWildcardHandling

This parameter processes wildcard characters and may lead to unexpected behavior (not recommended). You can't combine it with DisableWildcardHandling.

Type: SwitchParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False

-MinimumLength

Passwords must be at least 8 characters. To configure a greater minimum length for the password, use this parameter.

Type: UInt64
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False

-PasswordComplexity

Use this parameter to configure password complexity for removable data drives. To enforce complexity requirements on the password, set the value to Require.

  • Require: When you enable BitLocker, a connection to a domain controller is necessary to validate the complexity of the password.

  • Allow: The device tries to connect to a domain controller to validate the complexity. If it can't communicate with a domain controller, it still accepts the password whatever the actual complexity. BitLocker encrypts the drive using that password as a protector.

  • Prohibit: The client doesn't connect to a domain controller to validate the password complexity.

Type: Dispensation
Accepted values: Allow, Require, Prohibit
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False

-PolicyState

Use this parameter to configure the policy.

  • Enabled: If you enable this policy, users can configure a password that meets the requirements you define. To enforce complexity requirements on the password, use -PasswordComplexity Require.

  • Disabled: If you disable this policy, the user can't use a password.

  • NotConfigured: If you don't configure this policy, BitLocker supports passwords for removable data drives with the default settings. The default settings don't include password complexity requirements and require only eight characters.

Type: State
Accepted values: Enabled, Disabled, NotConfigured
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False

-RequirePassword

Add this parameter to require a password to unlock a BitLocker-protected removable data drive.

Type: SwitchParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False

Inputs

None

Outputs

Microsoft.ConfigurationManagement.AdminConsole.BitlockerManagement.PolicyObject