New-CMFDVPassPhrasePolicy
Create a policy to specify whether a password is required to unlock BitLocker-protected fixed data drives.
Syntax
Default (Default)
New-CMFDVPassPhrasePolicy
[-PolicyState <State>]
[-RequirePassword]
[-PasswordComplexity <Dispensation>]
[-MinimumLength <UInt64>]
[-DisableWildcardHandling]
[-ForceWildcardHandling]
[<CommonParameters>]
Description
Create a policy to specify whether a password is required to unlock BitLocker-protected fixed data drives. For these complexity requirement settings to be effective, also enable the group policy setting Password must meet complexity requirements in Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy.
Note
Windows enforces these settings when you enable BitLocker, not when it unlocks a volume. BitLocker allows a user to unlock a drive with any of the available protectors.
You can't use passwords if you also enable Windows to use FIPS-compliant algorithms for encryption, hashing, and signing.
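The conditions in the description and note above can be checked on a client before the policy is deployed. The following is an added example, not part of the original cmdlet documentation; the function names are hypothetical, and it assumes an elevated session on a Windows client with the BitLocker module available.

```powershell
# Added example: check the preconditions this page describes before relying on
# a fixed-data-drive password policy. Function names are hypothetical.

function Test-FipsPolicyEnabled {
    # When the FIPS-compliant algorithm policy is on, BitLocker passwords can't be used.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $value = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
    return ($null -ne $value -and $value.Enabled -eq 1)
}

function Test-PasswordComplexityPolicy {
    # Export the effective security policy and look for "PasswordComplexity = 1",
    # the setting the complexity options on this page depend on.
    $cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        secedit.exe /export /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
        $line = Select-String -Path $cfg -Pattern '^\s*PasswordComplexity\s*=\s*(\d)' |
            Select-Object -First 1
        return ($null -ne $line -and $line.Matches[0].Groups[1].Value -eq '1')
    }
    finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

function Get-DataVolumeProtector {
    # The policy is enforced when BitLocker is enabled, not at unlock, so list
    # the protectors that already exist on non-OS volumes.
    Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'Data' } | ForEach-Object {
        [pscustomobject]@{
            MountPoint  = $_.MountPoint
            Protection  = $_.ProtectionStatus
            Protectors  = ($_.KeyProtector.KeyProtectorType -join ', ')
            HasPassword = ($_.KeyProtector.KeyProtectorType -contains 'Password')
        }
    }
}

[pscustomobject]@{
    FipsEnabled            = Test-FipsPolicyEnabled
    ComplexityPolicyActive = Test-PasswordComplexityPolicy
} | Format-List

Get-DataVolumeProtector | Format-Table -AutoSize
```

A volume that already has a password protector keeps it after the policy changes, because the settings apply only when BitLocker is enabled on the drive.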
Examples
Example 1: New enabled policy that sets complexity and minimum length
This example creates a new policy that's enabled and requires a complex password that's at least 10 characters long.
New-CMFDVPassPhrasePolicy -PolicyState Enabled -PasswordComplexity Require -MinimumLength 10
Example 2: New policy that requires a password
This example creates a policy that's enabled with the following properties:
- Allows but doesn't require a complex password
- At least 12 characters long
- Requires a password
New-CMFDVPassPhrasePolicy -PolicyState Enabled -PasswordComplexity Allow -MinimumLength 12 -RequirePassword
Parameters
-DisableWildcardHandling
This parameter treats wildcard characters as literal character values. You can't combine it with ForceWildcardHandling.
Parameter properties
Type: | SwitchParameter |
Default value: | None |
Supports wildcards: | False |
DontShow: | False |
Parameter sets
(All)
Position: | Named |
Mandatory: | False |
Value from pipeline: | False |
Value from pipeline by property name: | False |
Value from remaining arguments: | False |
-ForceWildcardHandling
This parameter processes wildcard characters and may lead to unexpected behavior (not recommended). You can't combine it with DisableWildcardHandling.
Parameter properties
Type: | SwitchParameter |
Default value: | None |
Supports wildcards: | False |
DontShow: | False |
Parameter sets
(All)
Position: | Named |
Mandatory: | False |
Value from pipeline: | False |
Value from pipeline by property name: | False |
Value from remaining arguments: | False |
-MinimumLength
Passwords must be at least 8 characters. To configure a greater minimum length for the password, use this parameter.
Parameter properties
Type: | UInt64 |
Default value: | None |
Supports wildcards: | False |
DontShow: | False |
Parameter sets
(All)
Position: | Named |
Mandatory: | False |
Value from pipeline: | False |
Value from pipeline by property name: | False |
Value from remaining arguments: | False |
-PasswordComplexity
Use this parameter to configure password complexity for fixed data drives. To enforce complexity requirements on the password, set the value to Require.
- Require: When you enable BitLocker, a connection to a domain controller is necessary to validate the complexity of the password.
- Allow: The device tries to connect to a domain controller to validate the complexity. If it can't communicate with a domain controller, it still accepts the password whatever the actual complexity. BitLocker encrypts the drive using that password as a protector.
- Prohibit: The client doesn't connect to a domain controller to validate the password complexity.
Parameter properties
Type: | Dispensation |
Default value: | None |
Accepted values: | Allow, Require, Prohibit |
Supports wildcards: | False |
DontShow: | False |
Parameter sets
(All)
Position: | Named |
Mandatory: | False |
Value from pipeline: | False |
Value from pipeline by property name: | False |
Value from remaining arguments: | False |
-PolicyState
Use this parameter to configure the policy.
- Enabled: If you enable this policy, users can configure a password that meets the requirements you define. To enforce complexity requirements on the password, use -PasswordComplexity Require.
- Disabled: If you disable this policy, the user can't use a password.
- NotConfigured: If you don't configure this policy, BitLocker supports passwords for fixed data drives with the default settings. The default settings don't include password complexity requirements and require only eight characters.
Parameter properties
Type: | State |
Default value: | None |
Accepted values: | Enabled, Disabled, NotConfigured |
Supports wildcards: | False |
DontShow: | False |
Parameter sets
(All)
Position: | Named |
Mandatory: | False |
Value from pipeline: | False |
Value from pipeline by property name: | False |
Value from remaining arguments: | False |
-RequirePassword
Add this parameter to require a password to unlock a BitLocker-protected fixed data drive.
Parameter properties
Type: | SwitchParameter |
Default value: | None |
Supports wildcards: | False |
DontShow: | False |
Parameter sets
(All)
Position: | Named |
Mandatory: | False |
Value from pipeline: | False |
Value from pipeline by property name: | False |
Value from remaining arguments: | False |
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.