deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-16 19:03:46 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Configure use of passwords policies

Browse Source
This commit is contained in:
Paolo Matarazzo
2023-09-28 06:34:17 -04:00
parent 668a2198bd
commit d8811e116e
4 changed files with 46 additions and 73 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
windows/security/operating-system-security/data-protection/bitlocker/_bitlocker-group-policy-settings.md
View File

@ -12,8 +12,6 @@ ms.date: 11/08/2022
### Configure minimum PIN length for startup
This policy setting is applied when BitLocker is turned on. The startup PIN must have a minimum length of four digits and can have a maximum length of 20 digits.
Originally, BitLocker allowed a length from 4 to 20 characters for a PIN. Windows Hello has its own PIN for sign-in, length of which can be 4 to 127 characters. Both BitLocker and Windows Hello use the TPM to prevent PIN brute-force attacks.
@ -62,39 +60,7 @@ This policy setting is used to require, allow, or deny the use of smart cards wi
> [!NOTE]
> These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive with any of the protectors that are available on the drive.
### Configure use of passwords on removable data drives
This policy setting is used to require, allow, or deny the use of passwords with removable data drives.
| Item | Info |
|:---|:---|
|**Policy description**|With this policy setting, it can be specified whether a password is required to unlock BitLocker-protected removable data drives.|
|**Drive type**|Removable data drives|
|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Removable Data Drives*|
|**Conflicts**|To use password complexity, the **Password must meet complexity requirements** policy setting, which is located at **Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy** must also be enabled.|
|**When enabled**|Users can configure a password that meets the defined requirements. To require the use of a password, select **Require password for removable data drive**. To enforce complexity requirements on the password, select **Require complexity**.|
|**When disabled**|The user isn't allowed to use a password.|
|**When not configured**|Passwords are supported with the default settings, which don't include password complexity requirements and require only eight characters.|
#### Reference: Configure use of passwords on removable data drives
If use of passwords is allowed, requiring a password to be used, enforcement of password complexity requirements, and password minimum length can all be configured. For the complexity requirement setting to be effective, the group policy setting **Password must meet complexity requirements**, which is located at *Computer Configuration* > *Windows Settings* > *Security Settings* > *Account Policies* > *Password Policy*, must also be enabled.
> [!NOTE]
> These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive with any of the protectors that are available on the drive.
Passwords must be at least eight characters. To configure a greater minimum length for the password, enter the wanted number of characters in the **Minimum password length** box.
When set to **Require complexity**, a connection to a domain controller is necessary when BitLocker is enabled to validate the complexity of the password.
When set to **Allow complexity**, a connection to a domain controller is attempted to validate that the complexity adheres to the rules set by the policy. However, if no domain controllers are found, the password is still be accepted regardless of actual password complexity and the drive is encrypted by using that password as a protector.
When set to **Do not allow complexity**, no password complexity validation is done.
> [!NOTE]
> Passwords can't be used if FIPS compliance is enabled. The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting in **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** > **Security Options** specifies whether FIPS compliance is enabled.
For information about this setting, see [System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing](../../../threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md).
### Enable use of BitLocker authentication requiring preboot keyboard input on slates

43
windows/security/operating-system-security/data-protection/bitlocker/includes/configure-use-of-passwords-for-fixed-data-drives.md
View File

@ -7,34 +7,25 @@ ms.topic: include
### Configure use of passwords for fixed data drives
This policy setting specifies whether a password is required to unlock BitLocker-protected fixed data drives. If you choose to permit the use of a password, you can require that a password be used, enforce complexity requirements on the password, and configure a minimum length for the password. For the complexity requirement setting to be effective the Group Policy setting "Password must meet complexity requirements" located in Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\ must be also enabled. Note: These settings are enforced when turning on BitLocker, not when unlocking a volume. BitLocker will allow unlocking a drive with any of the protectors available on the drive. If you enable this policy setting, users can configure a password that meets the requirements you define. To require the use of a password, select "Require password for fixed data drive". To enforce complexity requirements on the password, select "Require complexity". When set to "Require complexity" a connection to a domain controller is necessary when BitLocker is enabled to validate the complexity the password. When set to "Allow complexity" a connection to a domain controller will be attempted to validate the complexity adheres to the rules set by the policy, but if no domain controllers are found the password will still be accepted regardless of actual password complexity and the drive will be encrypted using that password as a protector. When set to "Do not allow complexity", no password complexity validation will be done. Passwords must be at least 8 characters. To configure a greater minimum length for the password, enter the desired number of characters in the "Minimum password length" box. If you disable this policy setting, the user is not allowed to use a password. If you do not configure this policy setting, passwords will be supported with the default settings, which do not include password complexity requirements and require only 8 characters. Note: Passwords cannot be used if FIPS-compliance is enabled. The "System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing" policy setting in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options specifies whether FIPS-compliance is enabled.
This policy setting is used to require, allow, or deny the use of passwords with fixed data drives.
To use password complexity, the **Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Password must meet complexity requirements** policy setting must also be enabled.
Users can configure a password that meets the defined requirements. To require the use of a password, select **Require password for fixed data drive**. To enforce complexity requirements on the password, select **Require complexity**.
**When disabled** The user isn't allowed to use a password.
**When not configured** Passwords are supported with the default settings, which don't include password complexity requirements and require only eight characters.
When set to **Require complexity**, a connection to a domain controller is necessary to validate the complexity of the password when BitLocker is enabled.
When set to **Allow complexity**, a connection to a domain controller is attempted to validate that the complexity adheres to the rules set by the policy. However, if no domain controllers are found, the password is accepted regardless of the actual password complexity, and the drive is encrypted by using that password as a protector.
When set to **Do not allow complexity**, no password complexity validation is performed.
Passwords must be at least eight characters. To configure a greater minimum length for the password, enter the desired number of characters in the **Minimum password length** box.
> [!NOTE]
> These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive with any of the protectors that are available on the drive.
For the complexity requirement setting to be effective, the Group Policy setting **Computer Configuration** > **Windows Settings** > **Security Settings** > **Account Policies** > **Password Policy** > **Password must meet complexity requirements** must also be enabled. This policy setting is configured on a per-computer basis. The policy setting also applies to both local user accounts and domain user accounts. Because the password filter that's used to validate password complexity is located on the domain controllers, local user accounts can't access the password filter because they're not authenticated for domain access. When this policy setting is enabled, if a local user account signs in, and a drive is attempted to be encrypted or a password changed on an existing BitLocker-protected drive, an **Access denied** error message is displayed. In this situation, the password key protector can't be added to the drive.
Enabling this policy setting requires that a device is connected to a domain before adding a password key protector to a BitLocker-protected drive. Users who work remotely and have periods of time in which they can't connect to the domain should be made aware of this requirement so that they can schedule a time when they'll be connected to the domain to turn on BitLocker or to change a password on a BitLocker-protected data drive.
This policy setting specifies whether a password is required to unlock BitLocker-protected fixed data drives. If you choose to allow the use of a password, you can require that a password be used, enforce complexity requirements, and configure a minimum length.
> [!IMPORTANT]
> Passwords can't be used if FIPS compliance is enabled. The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting in *Computer Configuration* > *Windows Settings* > *Security Settings* > *Local Policies* > *Security Options* specifies whether FIPS compliance is enabled.
> For the complexity requirement setting to be effective, the group policy setting **Password must meet complexity requirements*** located in **Computer Configuration** > **Windows Settings** > **Security Settings** > **Account Policies** > **Password Policy**, must be also enabled.
If you enable this policy setting, users can configure a password that meets the requirements you define. To enforce complexity requirements on the password, select **Require complexity**:
- When set to **Require complexity** a connection to a domain controller is necessary when BitLocker is enabled to validate the complexity the password
- When set to **Allow complexity** connection to a domain controller will be attempted to validate the complexity adheres to the rules set by the policy, but if no domain controllers are found the password will still be accepted regardless of actual password complexity and the drive will be encrypted using that password as a protector
- When set to **Do not allow complexity**, password complexity isn't validated
Passwords must be at least 8 characters. To configure a greater minimum length for the password, specify the desired number of characters under **Minimum password length**
If you disable or do not configure this policy setting, the default length constraint of 8 characters applies to operating system drive passwords and no complexity checks occur.
> [!IMPORTANT]
> Passwords can't be used if FIPS-compliance is enabled.
>
> The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting, which is located at **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** > **Security Options** specifies whether FIPS-compliance is enabled.
| | Path |
|--|--|

20
windows/security/operating-system-security/data-protection/bitlocker/includes/configure-use-of-passwords-for-operating-system-drives.md
View File

@ -7,22 +7,20 @@ ms.topic: include
### Configure use of passwords for operating system drives
This policy controls how non-TPM based systems utilize the password protector. Used with the **Password must meet complexity requirements** policy, this policy allows administrators to require password length and complexity for using the password protector. By default, passwords must be eight characters in length. Complexity configuration options determine how important domain connectivity is for the client. For the strongest password security, administrators should choose **Require password complexity** because it requires domain connectivity, and it requires that the BitLocker password meets the same password complexity requirements as domain sign-in passwords.
This policy setting specifies the constraints for passwords used to unlock BitLocker-protected operating system drives. If non-TPM protectors are allowed on operating system drives, you can provision a password, enforce complexity requirements, and configure a minimum length.
For the complexity requirement setting to be effective, the policy *Password must meet complexity requirements*, which is located at **Computer Configuration** > **Windows Settings** > **Security Settings** > **Account Policies** > **Password Policy**, must be also enabled.
> [!IMPORTANT]
> For the complexity requirement setting to be effective, the group policy setting **Password must meet complexity requirements*** located in **Computer Configuration** > **Windows Settings** > **Security Settings** > **Account Policies** > **Password Policy**, must be also enabled.
> [!NOTE]
> These settings are enforced when turning on BitLocker, not when unlocking a volume. BitLocker allows unlocking a drive with any of the protectors that are available on the drive.
If you enable this policy setting, users can configure a password that meets the requirements you define. To enforce complexity requirements on the password, select **Require complexity**:
When set to **Require complexity**, a connection to a domain controller is necessary when BitLocker is enabled to validate the complexity the password. When set to **Allow complexity**, a connection to a domain controller is attempted to validate that the complexity adheres to the rules set by the policy. If no domain controllers are found, the password will be accepted regardless of actual password complexity, and the drive will be encrypted by using that password as a protector. When set to **Do not allow complexity**, there's no password complexity validation.
- When set to **Require complexity** a connection to a domain controller is necessary when BitLocker is enabled to validate the complexity the password
- When set to **Allow complexity** connection to a domain controller will be attempted to validate the complexity adheres to the rules set by the policy, but if no domain controllers are found the password will still be accepted regardless of actual password complexity and the drive will be encrypted using that password as a protector
- When set to **Do not allow complexity**, password complexity isn't validated
Passwords must be at least eight characters. To configure a greater minimum length for the password, enter the desired number of characters in the **Minimum password length** box.
Passwords must be at least 8 characters. To configure a greater minimum length for the password, specify the desired number of characters under **Minimum password length**
When this policy setting is enabled, the option **Configure password complexity for operating system drives** can be set to:
- Allow password complexity
- Deny password complexity
- Require password complexity
If you disable or do not configure this policy setting, the default length constraint of 8 characters applies to operating system drive passwords and no complexity checks occur.
> [!IMPORTANT]
> Passwords can't be used if FIPS-compliance is enabled.

20
windows/security/operating-system-security/data-protection/bitlocker/includes/configure-use-of-passwords-for-removable-data-drives.md
View File

@ -7,7 +7,25 @@ ms.topic: include
### Configure use of passwords for removable data drives
This policy setting specifies whether a password is required to unlock BitLocker-protected removable data drives. If you choose to allow use of a password, you can require a password to be used, enforce complexity requirements, and configure a minimum length. For the complexity requirement setting to be effective the Group Policy setting "Password must meet complexity requirements" located in Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\ must be also enabled. Note: These settings are enforced when turning on BitLocker, not when unlocking a volume. BitLocker will allow unlocking a drive with any of the protectors available on the drive. If you enable this policy setting, users can configure a password that meets the requirements that you define. To require the use of a password, select "Require password for removable data drive". To enforce complexity requirements on the password, select "Require complexity". When set to "Require complexity" a connection to a domain controller is necessary when BitLocker is enabled to validate the complexity the password. When set to "Allow complexity" a connection to a domain controller will be attempted to validate the complexity adheres to the rules set by the policy, but if no domain controllers are found the password will still be accepted regardless of actual password complexity and the drive will be encrypted using that password as a protector. When set to "Do not allow complexity", no password complexity validation will be done. Passwords must be at least 8 characters. To configure a greater minimum length for the password, enter the desired number of characters in the "Minimum password length" box. If you disable this policy setting, the user is not allowed to use a password. If you do not configure this policy setting, passwords will be supported with the default settings, which do not include password complexity requirements and require only 8 characters. Note: Passwords cannot be used if FIPS-compliance is enabled. The "System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing" policy setting in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options specifies whether FIPS-compliance is enabled.
This policy setting specifies whether a password is required to unlock BitLocker-protected removable data drives. If you choose to allow the use of a password, you can require that a password be used, enforce complexity requirements, and configure a minimum length.
> [!IMPORTANT]
> For the complexity requirement setting to be effective, the group policy setting **Password must meet complexity requirements*** located in **Computer Configuration** > **Windows Settings** > **Security Settings** > **Account Policies** > **Password Policy**, must be also enabled.
If you enable this policy setting, users can configure a password that meets the requirements you define. To enforce complexity requirements on the password, select **Require complexity**:
- When set to **Require complexity** a connection to a domain controller is necessary when BitLocker is enabled to validate the complexity the password
- When set to **Allow complexity** connection to a domain controller will be attempted to validate the complexity adheres to the rules set by the policy, but if no domain controllers are found the password will still be accepted regardless of actual password complexity and the drive will be encrypted using that password as a protector
- When set to **Do not allow complexity**, password complexity isn't validated
Passwords must be at least 8 characters. To configure a greater minimum length for the password, specify the desired number of characters under **Minimum password length**
If you disable or do not configure this policy setting, the default length constraint of 8 characters applies to operating system drive passwords and no complexity checks occur.
> [!IMPORTANT]
> Passwords can't be used if FIPS-compliance is enabled.
>
> The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting, which is located at **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** > **Security Options** specifies whether FIPS-compliance is enabled.
| | Path |
|--|--|