配置 MBAM 服务
注意: 如果将 MBAM 配置为通过 Microsoft Configuration Manager 运行,则禁用"MBAM 状态报告服务",并将"MBAM 状态报告服务终结点"留空。此信息将在 Microsoft Configuration Manager 中进行管理。
使用此策略设置,可以管理 BitLocker 驱动器加密恢复信息的密钥恢复服务备份。它提供一种恢复 BitLocker 加密数据的管理方法,防止因缺少密钥信息而发生数据丢失。
MBAM 恢复服务终结点的 URL 为
http(s)://<服务器名称>:<端口>/MBAMRecoveryAndHardwareService/CoreService.svc
MBAM 状态报告服务终结点的 URL 为
http(s)://<服务器名称>:<端口>/MBAMComplianceStatusService/StatusReportingService.svc
根据 MBAM 的安装情况替换以上 URL 的服务器名称和端口号。
BitLocker 恢复信息包括恢复密码和一些唯一标识符数据。你也可以选择纳入一个数据包,其中包含 BitLocker 所保护的驱动器的加密密钥。此密钥数据包由一个或多个恢复密码来保护,当磁盘损坏时,它可以帮助执行特定的恢复操作。
此策略设置管理客户端检查客户端计算机上 BitLocker 保护策略和状态的频率。
使用此策略设置,可以管理要保存在报表服务器位置的相容性和状态信息。它提供一种生成相容性和状态报告的管理方法。
使用此策略设置,可以管理向报表服务报告相容性和状态信息的频率。
频率为每 1 到 2880 分钟(48 小时)一次。客户端检查状态的默认值是 90 分钟,状态报告的默认值是 720 分钟。频率值小于默认值将增加网络和服务器的利用率,并且可能会限制 MBAM 可以处理的客户端数量。
如果启用此策略设置,密钥恢复信息将在无提示的情况下自动备份到所配置的密钥恢复服务器位置,状态报告将在无提示的情况下自动发送到所配置的报表服务器位置。
如果禁用或未配置此策略设置,则不会保存密钥恢复和状态报告信息。
Supported on: 至少为 Windows 7
| Registry Hive | HKEY_LOCAL_MACHINE |
| Registry Path | SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement |
| Value Name | UseMBAMServices |
| Value Type | REG_DWORD |
| Enabled Value | 1 |
| Disabled Value | 0 |
| Registry Hive | HKEY_LOCAL_MACHINE |
| Registry Path | Software\Policies\Microsoft\FVE\MDOPBitLockerManagement |
| Value Name | UseKeyRecoveryService |
| Value Type | REG_DWORD |
| Value | 1 |
MBAM 恢复服务终结点:
| Registry Hive | HKEY_LOCAL_MACHINE |
| Registry Path | SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement |
| Value Name | KeyRecoveryServiceEndPoint |
| Value Type | REG_EXPAND_SZ |
| Default Value |
选择要存储的 BitLocker 恢复信息:
- 仅恢复密码
Registry Hive HKEY_LOCAL_MACHINE Registry Path SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement Value Name KeyRecoveryOptions Value Type REG_DWORD Value 0 - 恢复密码和密钥数据包
Registry Hive HKEY_LOCAL_MACHINE Registry Path SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement Value Name KeyRecoveryOptions Value Type REG_DWORD Value 1
输入客户端检查状态频率(以分钟为单位):
| Registry Hive | HKEY_LOCAL_MACHINE |
| Registry Path | SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement |
| Value Name | ClientWakeupFrequency |
| Value Type | REG_DWORD |
| Default Value | 90 |
| Min Value | 1 |
| Max Value | 2880 |
配置 MBAM 状态报告服务:
- 已禁用
Registry Hive HKEY_LOCAL_MACHINE Registry Path SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement Value Name UseStatusReportingService Value Type REG_DWORD Value 0 - 已启用
Registry Hive HKEY_LOCAL_MACHINE Registry Path SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement Value Name UseStatusReportingService Value Type REG_DWORD Value 1
MBAM 状态报告服务终结点:
| Registry Hive | HKEY_LOCAL_MACHINE |
| Registry Path | SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement |
| Value Name | StatusReportingServiceEndpoint |
| Value Type | REG_EXPAND_SZ |
| Default Value |
输入状态报告频率(以分钟为单位):
| Registry Hive | HKEY_LOCAL_MACHINE |
| Registry Path | Software\Policies\Microsoft\FVE\MDOPBitLockerManagement |
| Value Name | StatusReportingFrequency |
| Value Type | REG_DWORD |
| Default Value | 720 |
| Min Value | 1 |
| Max Value | 2880 |
bitlockermanagement.admx
- System
- App-V
- CEIP
- Client Coexistence
- Integration
- Publishing
- Reporting
- Scripting
- Streaming
- Allow First Time Application Launches if on a High Cost Windows 8 Metered Connection
- Certificate Filter For Client SSL
- Enable Support for BranchCache
- Location Provider
- Package Installation Root
- Package Source Root
- Reestablishment Interval
- Reestablishment Retries
- Require Publish As Admin
- Specify what to load in background (aka AutoLoad)
- Verify certificate revocation list
- Virtualization
- App-V
- Windows Components
- MDOP MBAM (BitLocker 管理)
- Microsoft User Experience Virtualization
- Applications
- Access 2013 backup only
- Calculator
- Common 2013 backup only
- Excel 2013 backup only
- InfoPath 2013 backup only
- Internet Explorer 8
- Internet Explorer 9
- Internet Explorer 10
- Internet Explorer 11
- Internet Explorer Common Settings
- Lync 2013 backup only
- Microsoft Access 2010
- Microsoft Access 2013
- Microsoft Excel 2010
- Microsoft Excel 2013
- Microsoft InfoPath 2010
- Microsoft InfoPath 2013
- Microsoft Lync 2010
- Microsoft Lync 2013
- Microsoft Office 365 Access 2013
- Microsoft Office 365 Common 2013
- Microsoft Office 365 Excel 2013
- Microsoft Office 365 InfoPath 2013
- Microsoft Office 365 Lync 2013
- Microsoft Office 365 OneNote 2013
- Microsoft Office 365 Outlook 2013
- Microsoft Office 365 PowerPoint 2013
- Microsoft Office 365 Project 2013
- Microsoft Office 365 Publisher 2013
- Microsoft Office 365 Visio 2013
- Microsoft Office 365 Word 2013
- Microsoft Office 2010 Common Settings
- Microsoft Office 2013 Common Settings
- Microsoft Office 2013 Upload Center
- Microsoft OneDrive for Business 2013
- Microsoft OneNote 2010
- Microsoft OneNote 2013
- Microsoft Outlook 2010
- Microsoft Outlook 2013
- Microsoft PowerPoint 2010
- Microsoft PowerPoint 2013
- Microsoft Project 2010
- Microsoft Project 2013
- Microsoft Publisher 2010
- Microsoft Publisher 2013
- Microsoft Visio 2010
- Microsoft Visio 2013
- Microsoft Word 2010
- Microsoft Word 2013
- Notepad
- OneNote 2013 backup only
- Outlook 2013 backup only
- PowerPoint 2013 backup only
- Project 2013 backup only
- Publisher 2013 backup only
- Visio 2013 backup only
- Word 2013 backup only
- WordPad
- Windows Apps
- Configure Sync Method
- Contact IT Link Text
- Contact IT URL
- Do not synchronize Windows Apps
- First Use Notification
- Ping the settings storage location before sync
- Settings package size warning threshold
- Settings storage path
- Settings template catalog path
- Synchronization timeout
- Synchronize Windows settings
- Sync settings over metered connections even when roaming
- Sync settings over metered connections
- Sync Unlisted Windows Apps
- Tray Icon
- Use User Experience Virtualization (UE-V)
- VDI Configuration
- Applications
- Windows Components
- MDOP MBAM (BitLocker 管理)
- Microsoft User Experience Virtualization
- Applications
- Access 2013 backup only
- Calculator
- Common 2013 backup only
- Excel 2013 backup only
- InfoPath 2013 backup only
- Internet Explorer 8
- Internet Explorer 9
- Internet Explorer 10
- Internet Explorer 11
- Internet Explorer Common Settings
- Lync 2013 backup only
- Microsoft Access 2010
- Microsoft Access 2013
- Microsoft Excel 2010
- Microsoft Excel 2013
- Microsoft InfoPath 2010
- Microsoft InfoPath 2013
- Microsoft Lync 2010
- Microsoft Lync 2013
- Microsoft Office 365 Access 2013
- Microsoft Office 365 Common 2013
- Microsoft Office 365 Excel 2013
- Microsoft Office 365 InfoPath 2013
- Microsoft Office 365 Lync 2013
- Microsoft Office 365 OneNote 2013
- Microsoft Office 365 Outlook 2013
- Microsoft Office 365 PowerPoint 2013
- Microsoft Office 365 Project 2013
- Microsoft Office 365 Publisher 2013
- Microsoft Office 365 Visio 2013
- Microsoft Office 365 Word 2013
- Microsoft Office 2010 Common Settings
- Microsoft Office 2013 Common Settings
- Microsoft Office 2013 Upload Center
- Microsoft OneDrive for Business 2013
- Microsoft OneNote 2010
- Microsoft OneNote 2013
- Microsoft Outlook 2010
- Microsoft Outlook 2013
- Microsoft PowerPoint 2010
- Microsoft PowerPoint 2013
- Microsoft Project 2010
- Microsoft Project 2013
- Microsoft Publisher 2010
- Microsoft Publisher 2013
- Microsoft Visio 2010
- Microsoft Visio 2013
- Microsoft Word 2010
- Microsoft Word 2013
- Notepad
- OneNote 2013 backup only
- Outlook 2013 backup only
- PowerPoint 2013 backup only
- Project 2013 backup only
- Publisher 2013 backup only
- Visio 2013 backup only
- Word 2013 backup only
- WordPad
- Windows Apps
- Configure Sync Method
- Do not synchronize Windows Apps
- Ping the settings storage location before sync
- Settings package size warning threshold
- Settings storage path
- Synchronization timeout
- Synchronize Windows settings
- Sync settings over metered connections even when roaming
- Sync settings over metered connections
- Use User Experience Virtualization (UE-V)
- VDI Configuration
- Applications