manage-bde protectors

Applies to: Windows Server (Semi-Annual Channel), Windows Server 2019, Windows Server 2016

Manages the protection methods used for the BitLocker encryption key.

Syntax

manage-bde -protectors [{-get|-add|-delete|-disable|-enable|-adbackup|-aadbackup}] <drive> [-computername <name>] [{-?|/?}] [{-help|-h}]

Parameters

Parameter    Description
-get    Displays all the key protection methods enabled on the drive and provides their type and identifier (ID).
-add    Adds key protection methods as specified by using additional -add parameters.
-delete    Deletes key protection methods used by BitLocker. All key protectors will be removed from a drive unless the optional -delete parameters are used to specify which protectors to delete. When the last protector on a drive is deleted, BitLocker protection of the drive is disabled to ensure that access to data is not lost inadvertently.
-disable    Disables protection, which will allow anyone to access encrypted data by making the encryption key available unsecured on the drive. No key protectors are removed. Protection will be resumed the next time Windows is booted unless the optional -disable parameters are used to specify the reboot count.
-enable    Enables protection by removing the unsecured encryption key from the drive. All configured key protectors on the drive will be enforced.
-adbackup    Backs up all recovery information for the specified drive to Active Directory Domain Services (AD DS). To back up only a single recovery key to AD DS, append the -id parameter and specify the ID of the specific recovery key to back up.
-aadbackup    Backs up all recovery information for the specified drive to Azure Active Directory (Azure AD). To back up only a single recovery key to Azure AD, append the -id parameter and specify the ID of the specific recovery key to back up.
<drive>    Represents a drive letter followed by a colon.
-computername    Specifies that manage-bde.exe will be used to modify BitLocker protection on a different computer. You can also use -cn as an abbreviated version of this command.
<name>    Represents the name of the computer on which to modify BitLocker protection. Accepted values include the computer's NetBIOS name and the computer's IP address.
-? or /?    Displays brief help at the command prompt.
-help or -h    Displays complete help at the command prompt.

Additional -add parameters

The -add parameter can also use these valid additional parameters.

manage-bde -protectors -add [<drive>] [-forceupgrade] [-recoverypassword <numericalpassword>] [-recoverykey <pathtoexternalkeydirectory>]
[-startupkey <pathtoexternalkeydirectory>] [-certificate {-cf <pathtocertificatefile>|-ct <certificatethumbprint>}] [-tpm] [-tpmandpin]
[-tpmandstartupkey <pathtoexternalkeydirectory>] [-tpmandpinandstartupkey <pathtoexternalkeydirectory>] [-password] [-adaccountorgroup <securityidentifier>] [-computername <name>]
[{-?|/?}] [{-help|-h}]
Parameter    Description
<drive>    Represents a drive letter followed by a colon.
-recoverypassword    Adds a numerical password protector. You can also use -rp as an abbreviated version of this command.
<numericalpassword>    Represents the recovery password.
-recoverykey    Adds an external key protector for recovery. You can also use -rk as an abbreviated version of this command.
<pathtoexternalkeydirectory>    Represents the directory path to the recovery key.
-startupkey    Adds an external key protector for startup. You can also use -sk as an abbreviated version of this command.
<pathtoexternalkeydirectory>    Represents the directory path to the startup key.
-certificate    Adds a public key protector for a data drive. You can also use -cert as an abbreviated version of this command.
-cf    Specifies that a certificate file will be used to provide the public key certificate.
<pathtocertificatefile>    Represents the directory path to the certificate file.
-ct    Specifies that a certificate thumbprint will be used to identify the public key certificate.
<certificatethumbprint>    Specifies the value of the thumbprint property of the certificate you want to use. For example, a certificate thumbprint value of a9 09 50 2d d8 2a e4 14 33 e6 f8 38 86 b0 0d 42 77 a3 2a 7b should be specified as a909502dd82ae41433e6f83886b00d4277a32a7b.
-tpmandpin    Adds a Trusted Platform Module (TPM) and personal identification number (PIN) protector for the operating system drive. You can also use -tp as an abbreviated version of this command.
-tpmandstartupkey    Adds a TPM and startup key protector for the operating system drive. You can also use -tsk as an abbreviated version of this command.
-tpmandpinandstartupkey    Adds a TPM, PIN, and startup key protector for the operating system drive. You can also use -tpsk as an abbreviated version of this command.
-password    Adds a password key protector for the data drive. You can also use -pw as an abbreviated version of this command.
-adaccountorgroup    Adds a security identifier (SID)-based identity protector for the volume. You can also use -sid as an abbreviated version of this command. IMPORTANT: By default, you can't add an ADaccountorgroup protector remotely using either WMI or manage-bde. If your deployment requires the ability to add this protector remotely, you must enable constrained delegation.
-computername    Specifies that manage-bde is being used to modify BitLocker protection on a different computer. You can also use -cn as an abbreviated version of this command.
<name>    Represents the name of the computer on which to modify BitLocker protection. Accepted values include the computer's NetBIOS name and the computer's IP address.
-? or /?    Displays brief help at the command prompt.
-help or -h    Displays complete help at the command prompt.

Additional -delete parameters

manage-bde -protectors -delete <drive> [-type {recoverypassword|externalkey|certificate|tpm|tpmandstartupkey|tpmandpin|tpmandpinandstartupkey|Password|Identity}]
[-id <keyprotectorID>] [-computername <name>] [{-?|/?}] [{-help|-h}]
Parameter    Description
<drive>    Represents a drive letter followed by a colon.
-type    Identifies the key protector to delete. You can also use -t as an abbreviated version of this command.
recoverypassword    Specifies that any recovery password key protectors should be deleted.
externalkey    Specifies that any external key protectors associated with the drive should be deleted.
certificate    Specifies that any certificate key protectors associated with the drive should be deleted.
tpm    Specifies that any TPM-only key protectors associated with the drive should be deleted.
tpmandstartupkey    Specifies that any TPM and startup key based key protectors associated with the drive should be deleted.
tpmandpin    Specifies that any TPM and PIN based key protectors associated with the drive should be deleted.
tpmandpinandstartupkey    Specifies that any TPM, PIN, and startup key based key protectors associated with the drive should be deleted.
password    Specifies that any password key protectors associated with the drive should be deleted.
identity    Specifies that any identity key protectors associated with the drive should be deleted.
-id    Identifies the key protector to delete by using the key identifier. This parameter is an alternative option to the -type parameter.
<keyprotectorID>    Identifies an individual key protector on the drive to delete. Key protector IDs can be displayed by using the manage-bde -protectors -get command.
-computername    Specifies that manage-bde.exe will be used to modify BitLocker protection on a different computer. You can also use -cn as an abbreviated version of this command.
<name>    Represents the name of the computer on which to modify BitLocker protection. Accepted values include the computer's NetBIOS name and the computer's IP address.
-? or /?    Displays brief help at the command prompt.
-help or -h    Displays complete help at the command prompt.

Additional -disable parameters

manage-bde -protectors -disable <drive> [-rebootcount <integer 0 - 15>] [-computername <name>] [{-?|/?}] [{-help|-h}]
Parameter    Description
<drive>    Represents a drive letter followed by a colon.
-rebootcount    Specifies that protection of the operating system volume has been suspended and will resume after Windows has been restarted the number of times specified in the rebootcount parameter. Specify 0 to suspend protection indefinitely. If this parameter isn't specified, BitLocker protection automatically resumes after Windows is restarted. You can also use -rc as an abbreviated version of this command.
-computername    Specifies that manage-bde.exe will be used to modify BitLocker protection on a different computer. You can also use -cn as an abbreviated version of this command.
<name>    Represents the name of the computer on which to modify BitLocker protection. Accepted values include the computer's NetBIOS name and the computer's IP address.
-? or /?    Displays brief help at the command prompt.
-help or -h    Displays complete help at the command prompt.

Examples

To add a certificate key protector, identified by a certificate file, to drive E, type:

manage-bde -protectors -add E: -certificate -cf "c:\File Folder\Filename.cer"

To add an adaccountorgroup key protector, identified by domain and user name, to drive E, type:

manage-bde -protectors -add E: -sid DOMAIN\user

To disable protection until the computer has rebooted 3 times, type:

manage-bde -protectors -disable C: -rc 3

To delete all TPM and startup key-based key protectors on drive C, type:

manage-bde -protectors -delete C: -type tpmandstartupkey

To back up all recovery information for drive C to AD DS, type:

manage-bde -protectors -adbackup C:
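The -delete -id and -adbackup -id forms above need the protector IDs that -get prints, and -adbackup only has something to escrow when a numerical password protector exists. The following is an added audit example, not part of this reference: it parses the text that manage-bde -protectors -get prints, lists each drive's protector types and IDs, and flags drives that have no Numerical Password protector. The sample output is constructed and its indentation layout is an assumption modelled on the tool's listing; the GUIDs and password are placeholders.

```python
import re

# Constructed sample of `manage-bde -protectors -get` output (not captured from a
# real host; the layout is an assumption modelled on the tool's "All Key
# Protectors" listing). GUIDs and the recovery password are placeholders.
SAMPLE_OUTPUT = """\
Volume C: [OSDisk]
All Key Protectors

    TPM:
      ID: {11111111-1111-1111-1111-111111111111}

    Numerical Password:
      ID: {22222222-2222-2222-2222-222222222222}
      Password:
        000000-000000-000000-000000-000000-000000-000000-000000

Volume E: [Data]

    Password:
      ID: {33333333-3333-3333-3333-333333333333}
"""

VOLUME_RE = re.compile(r"^Volume ([A-Z]):")
TYPE_RE = re.compile(r"^ {4}(\S.*):$")                  # 4-space "Type:" header
ID_RE = re.compile(r"^ {6}ID: (\{[0-9A-Fa-f-]{36}\})$")  # 6-space "ID: {GUID}"

def parse_protectors(text):
    """Map each drive letter to its [(protector type, ID)] list; these IDs are
    what -delete -id and -adbackup -id take as their argument."""
    volumes, current, pending = {}, None, None
    for line in text.splitlines():
        if m := VOLUME_RE.match(line):
            current = volumes.setdefault(m.group(1), [])
        elif (m := TYPE_RE.match(line)) and current is not None:
            pending = m.group(1)  # wait for the ID line that follows the type
        elif (m := ID_RE.match(line)) and current is not None and pending:
            current.append((pending, m.group(1)))
            pending = None
    return volumes

def volumes_without_recovery_password(volumes):
    """Drives with no Numerical Password protector: nothing for -adbackup to escrow."""
    return [d for d, prots in volumes.items()
            if all(t != "Numerical Password" for t, _ in prots)]

def recovery_password_ids(volumes):
    """Drive letter -> ID of its Numerical Password protector."""
    return {d: pid for d, prots in volumes.items()
            for t, pid in prots if t == "Numerical Password"}
```

On a Windows host, feed parse_protectors the stdout of manage-bde -protectors -get <drive> instead of SAMPLE_OUTPUT; the returned IDs are the values to pass to -adbackup -id or -delete -id.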

Additional References