Password options
On the Password Options tab you have the following options:
Please note that this password setting applies to the end user only.
You specify a BitLocker password and select none of the other options in the top part of the dialog:
The encryption process starts when you activate it and/or assign the policy. The user of the client computer is allowed to change the password later or continues to use the password you specified.
Please note that you are responsible for communicating the password to the users over a secure channel.
You check the User cannot change password box:
- Please specify a fixed password which the user can never change. The initial encryption process starts automatically even without the user being logged on to the client computer, after you activate it and/or assign the policy.
As soon as the user starts the computer, the BitLocker password must be entered to unlock the encrypted hard disks.
Please provide users with the appropriate password information over a secure channel.
- The password is required independently of the encryption progress, i.e. as soon as encryption has started, the BitLocker password must be entered in the PBA (pre-boot authentication).
Check the User must specify the password for encryption option (see figure):
The user specifies the password; you do not enter a password here.
In order for encryption to start at all, users must enter the password.
- If required, you can define the requirements the user password must meet.
- The encryption process starts as soon as the user specifies the password.
- The password may be changed later.
- With the Maximum password age setting, you specify the number of days after which the end user must change the password again.
- Use the Reject the 'x' last used passwords setting to specify how many of the most recently used passwords may not be used again. In the example above, the last 2 passwords used are rejected.
Use the options below Password must meet the following requirements to specify the exact criteria that a password assigned by the user must meet. The option is selected by default.
You can select the Allow numbers only option if all client computers are equipped with a TPM; in that case passwords of 6 characters are allowed.
If there is no TPM on the client computers, or if non-system partitions need to be encrypted as well, the default minimum of 8 characters still applies (the Microsoft default for passwords on data partitions).
The Allow numbers and Latin based characters option restricts the usage of allowed characters. Special characters can no longer be used with this setting. Please note the information in the BitLocker pre-boot authentication chapter.
With the A valid password must contain at least... options you define the number of letters, numbers and special characters:
- The password must be between 8 and 20 characters long. A number below 8 or higher than 20 leads to an error message.
- Define the minimum requirements (number of letters, numbers, special characters, etc.).
- If you select the Treat numbers as special characters option, numbers count both as numbers and as special characters. Make sure that the required numbers of digits and special characters are consistent with each other.
The Dictionary file option allows you to select a dictionary in which you have set passwords that must not be used. The dictionary file must have been previously created in the file storage. When a password is assigned, this file gets checked and the password is allowed or rejected accordingly.
In the figure above, the *blacklist4.txt file is used as the dictionary file.
Note that passwords are also denied if there is any part of the password in the dictionary (for example: if the dictionary contains "it", passwords such as "hit", "kitten" or "favorite" are not allowed).
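A checker that applies the rules described on this page (length bounds, letter/number/special counts, "Treat numbers as special characters", "Allow numbers only", the last-used-passwords rule and the substring dictionary check), added here as an illustration and not the product's own code; the field names, the sample dictionary entries and the sample passwords are assumptions:

```python
import string
from dataclasses import dataclass

LATIN = string.ascii_letters + string.digits  # "Allow numbers and Latin based characters"

@dataclass
class PasswordPolicy:
    """Mirrors the options on the Password Options tab (field names assumed)."""
    min_length: int = 8              # 6 only with numbers_only on TPM-equipped clients
    max_length: int = 20
    min_letters: int = 1             # "A valid password must contain at least..."
    min_numbers: int = 1
    min_special: int = 1
    numbers_only: bool = False       # "Allow numbers only"
    latin_only: bool = False         # "Allow numbers and Latin based characters"
    numbers_as_special: bool = False # "Treat numbers as special characters"
    reject_last: int = 2             # "Reject the 'x' last used passwords"
    dictionary: tuple = ()           # entries of the dictionary file (substring match)

def check_password(pw: str, policy: PasswordPolicy, history=()) -> list:
    """Return the names of the violated rules; an empty list means accepted."""
    errors = []
    if not policy.min_length <= len(pw) <= policy.max_length:
        errors.append("length")
    letters = sum(c.isalpha() for c in pw)
    numbers = sum(c.isdigit() for c in pw)
    special = sum(not c.isalnum() for c in pw)
    if policy.numbers_only:
        if numbers != len(pw):
            errors.append("numbers_only")
    else:
        if policy.latin_only and any(c not in LATIN for c in pw):
            errors.append("latin_only")
        if letters < policy.min_letters:
            errors.append("letters")
        if numbers < policy.min_numbers:
            errors.append("numbers")
        if policy.numbers_as_special:   # a digit then satisfies both counts
            special += numbers
        if special < policy.min_special:
            errors.append("special")
    # a dictionary entry found anywhere inside the password rejects it
    lowered = pw.lower()
    if any(word.lower() in lowered for word in policy.dictionary):
        errors.append("dictionary")
    recent = list(history)[-policy.reject_last:] if policy.reject_last else []
    if pw in recent:
        errors.append("reused")
    return errors
```

With a dictionary containing "it", a password such as "Kitten#2024" is rejected even though it satisfies every other rule, which is the substring behaviour described above.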