操作系统驱动器加密设置
使用此策略设置,可以管理是否必须加密操作系统驱动器。
为了更高的安全性,当启用 TPM + PIN 保护程序时,可能考虑在系统/电源管理/睡眠设置中,禁用以下策略:
睡眠时允许待机状态 (S1-S3)(接通电源)
睡眠时允许待机状态 (S1-S3)(使用电池)
如果想要在没有 TPM 的计算机上使用 BitLocker,请选择"在没有兼容的 TPM 情况下允许 BitLocker"复选框(受 Windows 8 或更高版本支持)。在此模式中,启动需要密码。如果忘记密码,则需要使用一个 BitLocker 恢复选项来访问驱动器。
在具有兼容的 TPM 的计算机上,启动时刻使用两种类型的身份验证方法来为加密的数据提供额外保护。当计算机启动时,仅可为身份验证使用 TPM,或者可能还需要输入 4 - 20 位数的个人标识号(PIN)。
如果启用此策略设置,则用户将操作系统驱动器置于 BitLocker 保护中,且驱动器将被加密。
如果禁用此策略,则用户将不能将操作系统驱动器置于 BitLocker 保护中。请注意,加密操作系统驱动器之后应用此策略将导致其解密。
如果未配置此策略,则不需要将操作系统驱动器置于 BitLocker 保护中。
Supported on: 至少为 Windows 7
| Registry Hive | HKEY_LOCAL_MACHINE |
| Registry Path | SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement |
| Value Name | ShouldEncryptOSDrive |
| Value Type | REG_DWORD |
| Enabled Value | 1 |
| Disabled Value | 0 |
允许无兼容的 TPM 的 BitLocker (需要密码)| Registry Hive | HKEY_LOCAL_MACHINE |
| Registry Path | SOFTWARE\Policies\Microsoft\FVE |
| Value Name | EnableBDEWithNoTPM |
| Value Type | REG_DWORD |
| Default Value | 1 |
| True Value | 1 |
| False Value | 0 |
为操作系统驱动器选择保护程序:
- 仅 TPM
Registry Hive HKEY_LOCAL_MACHINE Registry Path SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement Value Name OSDriveProtector Value Type REG_DWORD Value 1 Registry Hive Registry Path: Value Name Value Type Value HKEY_LOCAL_MACHINE SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement DisallowStandardUserPINReset REG_DWORD 1 HKEY_LOCAL_MACHINE SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement UsePartialEncryptionKey REG_DWORD 2 HKEY_LOCAL_MACHINE SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement UsePIN REG_DWORD 2 HKEY_LOCAL_MACHINE SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement UseAdvancedStartup REG_DWORD 1 HKEY_LOCAL_MACHINE SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement UseTPM REG_DWORD 2 HKEY_LOCAL_MACHINE SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement UseTPMKey REG_DWORD 2 HKEY_LOCAL_MACHINE SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement UseTPMPIN REG_DWORD 2 HKEY_LOCAL_MACHINE SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement UseTPMKeyPIN REG_DWORD 2 - TPM 和 PIN
Registry Hive HKEY_LOCAL_MACHINE Registry Path SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement Value Name OSDriveProtector Value Type REG_DWORD Value 4 Registry Hive Registry Path: Value Name Value Type Value HKEY_LOCAL_MACHINE SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement DisallowStandardUserPINReset REG_DWORD 1 HKEY_LOCAL_MACHINE SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement UsePartialEncryptionKey REG_DWORD 2 HKEY_LOCAL_MACHINE SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement UsePIN REG_DWORD 2 HKEY_LOCAL_MACHINE SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement UseAdvancedStartup REG_DWORD 1 HKEY_LOCAL_MACHINE SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement UseTPM REG_DWORD 2 HKEY_LOCAL_MACHINE SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement UseTPMKey REG_DWORD 2 HKEY_LOCAL_MACHINE SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement UseTPMPIN REG_DWORD 2 HKEY_LOCAL_MACHINE SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement UseTPMKeyPIN REG_DWORD 2
用于具有 TPM 的计算机的设置:
为启动配置最小的 PIN 长度
| Registry Hive | HKEY_LOCAL_MACHINE |
| Registry Path | Software\Policies\Microsoft\FVE |
| Value Name | MinimumPIN |
| Value Type | REG_DWORD |
| Default Value | 4 |
| Min Value | 4 |
| Max Value | 20 |
bitlockermanagement.admx
- System
- App-V
- CEIP
- Client Coexistence
- Integration
- Publishing
- Reporting
- Scripting
- Streaming
- Allow First Time Application Launches if on a High Cost Windows 8 Metered Connection
- Certificate Filter For Client SSL
- Enable Support for BranchCache
- Location Provider
- Package Installation Root
- Package Source Root
- Reestablishment Interval
- Reestablishment Retries
- Require Publish As Admin
- Specify what to load in background (aka AutoLoad)
- Verify certificate revocation list
- Virtualization
- App-V
- Windows Components
- MDOP MBAM (BitLocker 管理)
- Microsoft User Experience Virtualization
- Applications
- Access 2013 backup only
- Calculator
- Common 2013 backup only
- Excel 2013 backup only
- InfoPath 2013 backup only
- Internet Explorer 8
- Internet Explorer 9
- Internet Explorer 10
- Internet Explorer 11
- Internet Explorer Common Settings
- Lync 2013 backup only
- Microsoft Access 2010
- Microsoft Access 2013
- Microsoft Excel 2010
- Microsoft Excel 2013
- Microsoft InfoPath 2010
- Microsoft InfoPath 2013
- Microsoft Lync 2010
- Microsoft Lync 2013
- Microsoft Office 365 Access 2013
- Microsoft Office 365 Common 2013
- Microsoft Office 365 Excel 2013
- Microsoft Office 365 InfoPath 2013
- Microsoft Office 365 Lync 2013
- Microsoft Office 365 OneNote 2013
- Microsoft Office 365 Outlook 2013
- Microsoft Office 365 PowerPoint 2013
- Microsoft Office 365 Project 2013
- Microsoft Office 365 Publisher 2013
- Microsoft Office 365 Visio 2013
- Microsoft Office 365 Word 2013
- Microsoft Office 2010 Common Settings
- Microsoft Office 2013 Common Settings
- Microsoft Office 2013 Upload Center
- Microsoft OneDrive for Business 2013
- Microsoft OneNote 2010
- Microsoft OneNote 2013
- Microsoft Outlook 2010
- Microsoft Outlook 2013
- Microsoft PowerPoint 2010
- Microsoft PowerPoint 2013
- Microsoft Project 2010
- Microsoft Project 2013
- Microsoft Publisher 2010
- Microsoft Publisher 2013
- Microsoft Visio 2010
- Microsoft Visio 2013
- Microsoft Word 2010
- Microsoft Word 2013
- Notepad
- OneNote 2013 backup only
- Outlook 2013 backup only
- PowerPoint 2013 backup only
- Project 2013 backup only
- Publisher 2013 backup only
- Visio 2013 backup only
- Word 2013 backup only
- WordPad
- Windows Apps
- Configure Sync Method
- Contact IT Link Text
- Contact IT URL
- Do not synchronize Windows Apps
- First Use Notification
- Ping the settings storage location before sync
- Settings package size warning threshold
- Settings storage path
- Settings template catalog path
- Synchronization timeout
- Synchronize Windows settings
- Sync settings over metered connections even when roaming
- Sync settings over metered connections
- Sync Unlisted Windows Apps
- Tray Icon
- Use User Experience Virtualization (UE-V)
- VDI Configuration
- Applications
- Windows Components
- MDOP MBAM (BitLocker 管理)
- Microsoft User Experience Virtualization
- Applications
- Access 2013 backup only
- Calculator
- Common 2013 backup only
- Excel 2013 backup only
- InfoPath 2013 backup only
- Internet Explorer 8
- Internet Explorer 9
- Internet Explorer 10
- Internet Explorer 11
- Internet Explorer Common Settings
- Lync 2013 backup only
- Microsoft Access 2010
- Microsoft Access 2013
- Microsoft Excel 2010
- Microsoft Excel 2013
- Microsoft InfoPath 2010
- Microsoft InfoPath 2013
- Microsoft Lync 2010
- Microsoft Lync 2013
- Microsoft Office 365 Access 2013
- Microsoft Office 365 Common 2013
- Microsoft Office 365 Excel 2013
- Microsoft Office 365 InfoPath 2013
- Microsoft Office 365 Lync 2013
- Microsoft Office 365 OneNote 2013
- Microsoft Office 365 Outlook 2013
- Microsoft Office 365 PowerPoint 2013
- Microsoft Office 365 Project 2013
- Microsoft Office 365 Publisher 2013
- Microsoft Office 365 Visio 2013
- Microsoft Office 365 Word 2013
- Microsoft Office 2010 Common Settings
- Microsoft Office 2013 Common Settings
- Microsoft Office 2013 Upload Center
- Microsoft OneDrive for Business 2013
- Microsoft OneNote 2010
- Microsoft OneNote 2013
- Microsoft Outlook 2010
- Microsoft Outlook 2013
- Microsoft PowerPoint 2010
- Microsoft PowerPoint 2013
- Microsoft Project 2010
- Microsoft Project 2013
- Microsoft Publisher 2010
- Microsoft Publisher 2013
- Microsoft Visio 2010
- Microsoft Visio 2013
- Microsoft Word 2010
- Microsoft Word 2013
- Notepad
- OneNote 2013 backup only
- Outlook 2013 backup only
- PowerPoint 2013 backup only
- Project 2013 backup only
- Publisher 2013 backup only
- Visio 2013 backup only
- Word 2013 backup only
- WordPad
- Windows Apps
- Configure Sync Method
- Do not synchronize Windows Apps
- Ping the settings storage location before sync
- Settings package size warning threshold
- Settings storage path
- Synchronization timeout
- Synchronize Windows settings
- Sync settings over metered connections even when roaming
- Sync settings over metered connections
- Use User Experience Virtualization (UE-V)
- VDI Configuration
- Applications