Policy
Configure use of passwords for operating system drives
Microsoft Windows
Policy overview
Key metadata and intent for this policy.
Supported OS tags: Windows8, WindowsServer2012
This policy setting specifies the constraints for passwords used to unlock BitLocker-protected operating system drives. If non-TPM protectors are allowed on operating system drives, you can provision a password, enforce complexity requirements on the password, and configure a minimum length for the password. For the complexity requirement setting to be effective the Group Policy setting "Password must meet complexity requirements" located in Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\ must be also enabled. Note: These settings are enforced when turning on BitLocker, not when unlocking a volume. BitLocker will allow unlocking a drive with any of the protectors available on the drive. If you enable this policy setting, users can configure a password that meets the requirements you define. To enforce complexity requirements on the password, select "Require complexity". When set to "Require complexity" a connection to a domain controller is necessary when BitLocker is enabled to validate the complexity the password. When set to "Allow complexity" a connection to a domain controller will be attempted to validate the complexity adheres to the rules set by the policy, but if no domain controllers are found the password will still be accepted regardless of actual password complexity and the drive will be encrypted using that password as a protector. When set to "Do not allow complexity", no password complexity validation will be done. Passwords must be at least 8 characters. To configure a greater minimum length for the password, enter the desired number of characters in the "Minimum password length" box. If you disable or do not configure this policy setting, the default length constraint of 8 characters will apply to operating system drive passwords and no complexity checks will occur. Note: Passwords cannot be used if FIPS-compliance is enabled. The "System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing" policy setting in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options specifies whether FIPS-compliance is enabled.
Registry values
How enabled and disabled states update the registry.
| Scope | Registry location | Type | Enabled value | Disabled value | Copy |
|---|---|---|---|---|---|
| Computer | Path Software\Policies\Microsoft\FVE Value name OSPassphrase | REG_DWORD | HKLM 1 | HKLM 0 |
Policy elements
Inputs and configuration options exposed by this policy.
| Scope | Element | Type | Registry mapping | Constraints & behavior | Copy |
|---|---|---|---|---|---|
| Computer | Minimum password length for operating system drive: ID OSPassphraseLength_Name | decimal | Path Software\Policies\Microsoft\FVE Value name OSPassphraseLength Type REG_DWORD | Range: 8 to 255 | |
| Computer | Configure password complexity for operating system drives: ID OSPassphraseComplexity_Name | enum | Path Software\Policies\Microsoft\FVE Value name OSPassphraseComplexity Type REG_DWORD | Options: Allow password complexity (2), Do not allow password complexity (0), Require password complexity (1) | |
| Computer | Require ASCII-only passwords for removable OS drives ID OSPassphraseASCIIOnly_Name | boolean | Path Software\Policies\Microsoft\FVE Value name OSPassphraseASCIIOnly Type REG_DWORD | Options: true (1), false (0) True: Set value = 1 · False: Set value = 0 |