
Ensure ‘Configure use of passwords for removable data drives’ is set to ‘Disabled’

Details

This policy setting allows you to specify whether a password is required to unlock BitLocker-protected removable data drives.

Note: This setting is enforced when turning on BitLocker, not when unlocking a drive. BitLocker will allow unlocking a drive with any of the protectors available on the drive.

The recommended state for this setting is: Disabled.

Rationale:

Using a dictionary-style attack, passwords can be guessed or discovered by repeatedly attempting to unlock a drive. Since this type of BitLocker password does not include anti-dictionary attack protections provided by a TPM, for example, there is no mechanism to slow down use of rapid brute-force attacks against them.

Impact:

The password option will not be available when configuring BitLocker for removable drives.

Solution

To establish the recommended configuration via GP, set the following UI path to Disabled:

Computer Configuration\Policies\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\Configure use of passwords for removable data drives

Note: This Group Policy path may not exist by default. It is provided by the Group Policy template VolumeEncryption.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).

Default Value:

Passwords are supported, without complexity requirements and with an 8 character minimum.
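As an added audit and remediation helper, not part of the CIS benchmark text or Microsoft's tooling: the script below reports whether this policy is Disabled and can write the value locally. It assumes the setting is backed by the DWORD value RDVPassphrase under HKLM:\SOFTWARE\Policies\Microsoft\FVE (0 = Disabled); confirm that mapping against VolumeEncryption.admx before relying on it.

```powershell
# Audit/remediation helper for the CIS control above (added example; not CIS or Microsoft code).
# Assumption: the policy is stored as DWORD RDVPassphrase under the FVE policy key,
# where 0 = Disabled. Verify against VolumeEncryption.admx.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$ValueName = 'RDVPassphrase'
$Expected  = 0

function Test-RemovableDrivePasswordPolicy {
    # Read the current value; $null means the policy is Not Configured.
    $current = $null
    if (Test-Path $PolicyKey) {
        $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
        if ($null -ne $item) { $current = [int]$item.$ValueName }
    }
    # Not Configured falls back to the default (passwords supported, 8-char minimum),
    # so it is reported as non-compliant rather than as Disabled.
    $currentText = if ($null -eq $current) { 'Not Configured' } else { "$current" }
    [pscustomobject]@{
        Control   = 'Configure use of passwords for removable data drives'
        Expected  = 'Disabled (RDVPassphrase = 0)'
        Current   = $currentText
        Compliant = ($current -eq $Expected)
    }
}

function Set-RemovableDrivePasswordPolicy {
    # Local remediation. On domain-joined hosts prefer the GPO path in the Solution
    # section: a domain GPO overwrites this local value at the next policy refresh.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name $ValueName -Value $Expected `
        -PropertyType DWord -Force | Out-Null
}

$result = Test-RemovableDrivePasswordPolicy
$result | Format-List
if (-not $result.Compliant) {
    Write-Warning 'Non-compliant: run Set-RemovableDrivePasswordPolicy from an elevated session.'
}
```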

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: Risk Assessment. This control applies to the following type of system: Windows.

Updated on July 16, 2022