BitLocker CSP

Warning

Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

The BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices. This CSP was added in Windows 10, version 1703. Starting in Windows 10, version 1809, it is also supported in Windows 10 Pro.

Note

Settings are enforced only at the time encryption is started. Encryption is not restarted when settings change.
You must send all the settings together in a single SyncML for them to take effect.

A Get operation on any of the settings, except RequireDeviceEncryption and RequireStorageCardEncryption, returns the setting configured by the admin.

For RequireDeviceEncryption and RequireStorageCardEncryption, the Get operation returns the actual enforcement status to the admin, such as whether TPM protection is required and whether encryption is required. If the device has BitLocker enabled but with a password protector, the status reported is 0, so a Get of 0 means the required protector configuration is not in place, not that the drive is unencrypted. A Get operation on RequireDeviceEncryption does not verify that a minimum PIN length is enforced (SystemDrivesMinimumPINLength).

The following diagram shows the BitLocker configuration service provider in tree format.

(diagram: BitLocker CSP tree)

./Device/Vendor/MSFT/BitLocker

Defines the root node for the BitLocker configuration service provider.

RequireStorageCardEncryption

Allows the administrator to require storage card encryption on the device. This policy is valid only for a mobile SKU.

Edition support: Home no, Pro no, Business no, Enterprise no, Education no, Mobile yes, Mobile Enterprise yes.

Data type is integer. Sample value for this node to enable this policy: 1. Disabling this policy will not turn off the encryption on the storage card, but the user will no longer be prompted to turn it on.

  • 0 (default) – Storage cards do not need to be encrypted.
  • 1 – Require storage cards to be encrypted.

If you want to disable this policy, use the following SyncML:

<SyncML>
    <SyncBody>
        <Replace>
            <CmdID>$CmdID$</CmdID>
            <Item>
                <Target>
                    <LocURI>./Device/Vendor/MSFT/BitLocker/RequireStorageCardEncryption</LocURI>
                </Target>
                <Meta>
                    <Format xmlns="syncml:metinf">int</Format>
                </Meta>
                <Data>0</Data>
            </Item>
        </Replace>
    </SyncBody>
</SyncML>

Data type is integer. Supported operations are Add, Get, Replace, and Delete.

RequireDeviceEncryption

Allows the administrator to require encryption to be turned on by using BitLocker\Device Encryption.

Edition support: Home no, Pro yes, Business yes, Enterprise yes, Education yes, Mobile yes, Mobile Enterprise yes.

Data type is integer. Sample value for this node to enable this policy: 1. Disabling this policy will not turn off encryption on the system drive, but the user will no longer be prompted to turn it on.

If you want to disable this policy, use the following SyncML:

<SyncML>
    <SyncBody>
        <Replace>
            <CmdID>$CmdID$</CmdID>
            <Item>
                <Target>
                    <LocURI>./Device/Vendor/MSFT/BitLocker/RequireDeviceEncryption</LocURI>
                </Target>
                <Meta>
                    <Format xmlns="syncml:metinf">int</Format>
                </Meta>
                <Data>0</Data>
            </Item>
        </Replace>
    </SyncBody>
</SyncML>        

Data type is integer. Supported operations are Add, Get, Replace, and Delete.

EncryptionMethodByDriveType

Allows you to set the default encryption method for each of the different drive types: operating system drives, fixed data drives, and removable data drives. Hidden, system and recovery partitions are skipped from encryption. This setting is a direct mapping to the BitLocker Group Policy "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)".

Edition support: Home no, Pro yes, Business yes, Enterprise yes, Education yes, Mobile no, Mobile Enterprise no.

ADMX Info:

  • GP English name: Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)
  • GP name: EncryptionMethodWithXts_Name
  • GP path: Windows Components/Bitlocker Drive Encryption
  • GP ADMX file name: VolumeEncryption.admx

Tip

For a step-by-step guide to enabling ADMX-backed policies, see Enable ADMX-backed policies in MDM. For additional information, see Understanding ADMX-backed policies.

This setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted or if encryption is in progress.

If you enable this setting, you will be able to configure an encryption algorithm and key cipher strength for fixed data drives, operating system drives, and removable data drives individually. For fixed and operating system drives, we recommend that you use the XTS-AES algorithm. For removable drives, you should use AES-CBC 128-bit or AES-CBC 256-bit if the drive will be used in other devices that are not running Windows 10, version 1511 or later, since earlier versions cannot unlock XTS-AES volumes.

If you disable or do not configure this policy setting, BitLocker will use the default encryption method of XTS-AES 128-bit or the encryption method specified by any setup script.

Sample value for this node to enable this policy and set the encryption methods is:

<enabled/><data id="EncryptionMethodWithXtsOsDropDown_Name" value="xx"/><data id="EncryptionMethodWithXtsFdvDropDown_Name" value="xx"/><data id="EncryptionMethodWithXtsRdvDropDown_Name" value="xx"/>

EncryptionMethodWithXtsOsDropDown_Name = Select the encryption method for operating system drives.

EncryptionMethodWithXtsFdvDropDown_Name = Select the encryption method for fixed data drives.

EncryptionMethodWithXtsRdvDropDown_Name = Select the encryption method for removable data drives.

The possible values for 'xx' are:

  • 3 = AES-CBC 128
  • 4 = AES-CBC 256
  • 6 = XTS-AES 128
  • 7 = XTS-AES 256

Note

When you enable EncryptionMethodByDriveType, you must specify values for all three drive types (operating system, fixed data, and removable data), otherwise the request fails with a 500 return status. For example, if you only set the encryption method for the OS and removable drives, you will get a 500 return status.

If you want to disable this policy, use the following SyncML:

<Replace>
    <CmdID>$CmdID$</CmdID>
    <Item>
        <Target>
            <LocURI>./Device/Vendor/MSFT/BitLocker/EncryptionMethodByDriveType</LocURI>
        </Target>
        <Meta>
            <Format xmlns="syncml:metinf">chr</Format>
        </Meta>
        <Data>&lt;disabled/&gt;</Data>
    </Item>
</Replace>

Data type is string. Supported operations are Add, Get, Replace, and Delete.

SystemDrivesRequireStartupAuthentication

This setting is a direct mapping to the BitLocker Group Policy "Require additional authentication at startup".

Edition support: Home no, Pro yes, Business yes, Enterprise yes, Education yes, Mobile no, Mobile Enterprise no.

ADMX Info:

  • GP English name: Require additional authentication at startup
  • GP name: ConfigureAdvancedStartup_Name
  • GP path: Windows Components/Bitlocker Drive Encryption/Operating System Drives
  • GP ADMX file name: VolumeEncryption.admx

Tip

For a step-by-step guide to enabling ADMX-backed policies, see Enable ADMX-backed policies in MDM. For additional information, see Understanding ADMX-backed policies.

This setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This setting is applied when you turn on BitLocker.

Note

Only one of the additional authentication options can be required at startup, otherwise an error occurs.

If you want to use BitLocker on a computer without a TPM, set the "ConfigureNonTPMStartupKeyUsage_Name" data. In this mode either a password or a USB drive is required for start-up. When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted, access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable, or if you have forgotten the password, you will need to use one of the BitLocker recovery options to access the drive.

On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 6-digit to 20-digit personal identification number (PIN), or both.

Note

In Windows 10, version 1703 release B, you can use a minimum PIN of 4 digits. The SystemDrivesMinimumPINLength policy must be set to allow PINs shorter than 6 digits.

If you enable this policy setting, users can configure advanced startup options in the BitLocker setup wizard.

If you disable or do not configure this setting, users can configure only basic options on computers with a TPM.

Note

If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool manage-bde instead of the BitLocker Drive Encryption setup wizard.

Sample value for this node to enable this policy is:

<enabled/><data id="ConfigureNonTPMStartupKeyUsage_Name" value="xx"/><data id="ConfigureTPMStartupKeyUsageDropDown_Name" value="yy"/><data id="ConfigurePINUsageDropDown_Name" value="yy"/><data id="ConfigureTPMPINKeyUsageDropDown_Name" value="yy"/><data id="ConfigureTPMUsageDropDown_Name" value="yy"/>

Data id:

  • ConfigureNonTPMStartupKeyUsage_Name = Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive).
  • ConfigureTPMStartupKeyUsageDropDown_Name = (for computers with a TPM) Configure TPM startup key.
  • ConfigurePINUsageDropDown_Name = (for computers with a TPM) Configure TPM startup PIN.
  • ConfigureTPMPINKeyUsageDropDown_Name = (for computers with a TPM) Configure TPM startup key and PIN.
  • ConfigureTPMUsageDropDown_Name = (for computers with a TPM) Configure TPM startup.

The possible values for 'xx' are:

  • true = Explicitly allow
  • false = Policy not set

The possible values for 'yy' are:

  • 2 = Optional
  • 1 = Required
  • 0 = Disallowed

Disabling the policy will let the system choose the default behaviors. If you want to disable this policy, use the following SyncML:

<Replace>
    <CmdID>$CmdID$</CmdID>
    <Item>
        <Target>
            <LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesRequireStartupAuthentication</LocURI>
        </Target>
        <Meta>
            <Format xmlns="syncml:metinf">chr</Format>
        </Meta>
        <Data>&lt;disabled/&gt;</Data>
    </Item>
</Replace>

Data type is string. Supported operations are Add, Get, Replace, and Delete.

SystemDrivesMinimumPINLength

This setting is a direct mapping to the BitLocker Group Policy "Configure minimum PIN length for startup".

Edition support: Home no, Pro yes, Business yes, Enterprise yes, Education yes, Mobile no, Mobile Enterprise no.

ADMX Info:

  • GP English name: Configure minimum PIN length for startup
  • GP name: MinimumPINLength_Name
  • GP path: Windows Components/Bitlocker Drive Encryption/Operating System Drives
  • GP ADMX file name: VolumeEncryption.admx

Tip

For a step-by-step guide to enabling ADMX-backed policies, see Enable ADMX-backed policies in MDM. For additional information, see Understanding ADMX-backed policies.

This setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 6 digits and can have a maximum length of 20 digits.

Note

In Windows 10, version 1703 release B, you can use a minimum PIN length of 4 digits.

With TPM 2.0, if the minimum PIN length is set below 6 digits, Windows will attempt to update the TPM lockout period to be greater than the default when a PIN is changed. If successful, Windows will only reset the TPM lockout period back to the default if the TPM is reset. This does not apply to TPM 1.2. The longer lockout is what compensates for the smaller PIN space, so TPM 1.2 devices get no such compensation when the minimum is lowered.

If you enable this setting, you can require a minimum number of digits to be used when setting the startup PIN.

If you disable or do not configure this setting, users can configure a startup PIN of any length between 6 and 20 digits.

Sample value for this node to enable this policy is:

<enabled/><data id="MinPINLength" value="xx"/>

Disabling the policy will let the system choose the default behaviors. If you want to disable this policy, use the following SyncML:

<Replace>
    <CmdID>$CmdID$</CmdID>
    <Item>
        <Target>
            <LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesMinimumPINLength</LocURI>
        </Target>
        <Meta>
            <Format xmlns="syncml:metinf">chr</Format>
        </Meta>
        <Data>&lt;disabled/&gt;</Data>
    </Item>
</Replace>

Data type is string. Supported operations are Add, Get, Replace, and Delete.

SystemDrivesRecoveryMessage

This setting is a direct mapping to the BitLocker Group Policy "Configure pre-boot recovery message and URL" (PrebootRecoveryInfo_Name).

Edition support: Home no, Pro yes, Business yes, Enterprise yes, Education yes, Mobile no, Mobile Enterprise no.

ADMX Info:

  • GP English name: Configure pre-boot recovery message and URL
  • GP name: PrebootRecoveryInfo_Name
  • GP path: Windows Components/Bitlocker Drive Encryption/Operating System Drives
  • GP ADMX file name: VolumeEncryption.admx

Tip

For a step-by-step guide to enabling ADMX-backed policies, see Enable ADMX-backed policies in MDM. For additional information, see Understanding ADMX-backed policies.

This setting lets you configure the entire recovery message, or replace the existing URL, that is displayed on the pre-boot key recovery screen when the OS drive is locked.

If you set the value to "1" (Use default recovery message and URL), the default BitLocker recovery message and URL will be displayed on the pre-boot key recovery screen. If you have previously configured a custom recovery message or URL and want to revert to the default message, you must keep the policy enabled and set the value to "1" (Use default recovery message and URL).

If you set the value to "2" (Use custom recovery message), the message you set in the "RecoveryMessage_Input" data field will be displayed on the pre-boot key recovery screen. If a recovery URL is available, include it in the message.

If you set the value to "3" (Use custom recovery URL), the URL you type in the "RecoveryUrl_Input" data field will replace the default URL in the default recovery message, which will be displayed on the pre-boot key recovery screen.

Sample value for this node to enable this policy is:

<enabled/><data id="PrebootRecoveryInfoDropDown_Name" value="xx"/><data id="RecoveryMessage_Input" value="yy"/><data id="RecoveryUrl_Input" value="zz"/>

The possible values for 'xx' are:

  • 0 = Empty
  • 1 = Use default recovery message and URL (in this case you don't need to specify a value for "RecoveryMessage_Input" or "RecoveryUrl_Input").
  • 2 = Custom recovery message is set.
  • 3 = Custom recovery URL is set.
  • 'yy' = string of max length 900.
  • 'zz' = string of max length 500.

Note

When you enable SystemDrivesRecoveryMessage, you must specify values for all three settings (pre-boot recovery screen, recovery message, and recovery URL), otherwise the request fails with a 500 return status. For example, if you only specify values for the message and URL, you will get a 500 return status.

Disabling the policy will let the system choose the default behaviors. If you want to disable this policy, use the following SyncML:

<Replace>
    <CmdID>$CmdID$</CmdID>
    <Item>
        <Target>
            <LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage</LocURI>
        </Target>
        <Meta>
            <Format xmlns="syncml:metinf">chr</Format>
        </Meta>
        <Data>&lt;disabled/&gt;</Data>
    </Item>
</Replace>

Note

Not all characters and languages are supported in pre-boot. It is strongly recommended that you test that the characters you use for the custom message or URL appear correctly on the pre-boot recovery screen.

Data type is string. Supported operations are Add, Get, Replace, and Delete.
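The constraints spelled out above for EncryptionMethodByDriveType (all three drive types or a 500), SystemDrivesRequireStartupAuthentication (only one option may be Required) and SystemDrivesRecoveryMessage (all three data ids, 900- and 500-character limits), together with the note at the top of the page that every setting must travel in one SyncML and that the ADMX-backed markup has to be XML-escaped inside Data, can be checked before anything is sent. The following Python is an added example, not Microsoft's code or any part of the CSP. It assumes an MDM server that accepts the SyncML it produces, numbers CmdIDs sequentially in place of the $CmdID$ placeholder used on the page, and treats an empty string as acceptable for a recovery field the selected mode does not use, which the page does not state.

```python
"""Build BitLocker CSP payloads and enforce the page's constraints client-side.
Added example, not Microsoft's code; see the assumptions in the lead-in and comments."""
from __future__ import annotations

import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

BITLOCKER_ROOT = "./Device/Vendor/MSFT/BitLocker"
ENCRYPTION_METHODS = {3: "AES-CBC 128", 4: "AES-CBC 256", 6: "XTS-AES 128", 7: "XTS-AES 256"}
OPTIONAL, REQUIRED, DISALLOWED = 2, 1, 0  # the 'yy' values of the startup dropdowns


def admx_payload(data: dict[str, object] | None) -> str:
    """ADMX-backed string: <disabled/>, or <enabled/> followed by one <data/> per id.
    Booleans become 'true'/'false', matching the 'xx' values on the page."""
    if data is None:
        return "<disabled/>"
    parts = []
    for key, value in data.items():
        text = str(value).lower() if isinstance(value, bool) else str(value)
        parts.append(f"<data id={quoteattr(key)} value={quoteattr(text)}/>")
    return "<enabled/>" + "".join(parts)


def encryption_method_by_drive_type(os_drive: int, fixed: int, removable: int) -> str:
    """All three drive types are mandatory; leaving one out makes the CSP return 500."""
    for name, code in (("OS", os_drive), ("FDV", fixed), ("RDV", removable)):
        if code not in ENCRYPTION_METHODS:
            raise ValueError(f"{name}: {code!r} is not one of {sorted(ENCRYPTION_METHODS)}")
    return admx_payload({
        "EncryptionMethodWithXtsOsDropDown_Name": os_drive,
        "EncryptionMethodWithXtsFdvDropDown_Name": fixed,
        "EncryptionMethodWithXtsRdvDropDown_Name": removable,
    })


def startup_authentication(allow_non_tpm: bool, tpm_key: int, pin: int,
                           tpm_key_and_pin: int, tpm_only: int) -> str:
    """At most one of the four TPM options may be Required (1); more than one is an error."""
    options = {
        "ConfigureTPMStartupKeyUsageDropDown_Name": tpm_key,
        "ConfigurePINUsageDropDown_Name": pin,
        "ConfigureTPMPINKeyUsageDropDown_Name": tpm_key_and_pin,
        "ConfigureTPMUsageDropDown_Name": tpm_only,
    }
    bad = [k for k, v in options.items() if v not in (OPTIONAL, REQUIRED, DISALLOWED)]
    if bad:
        raise ValueError(f"values must be 0, 1 or 2: {bad}")
    required = [k for k, v in options.items() if v == REQUIRED]
    if len(required) > 1:
        raise ValueError(f"only one startup option may be Required, got {required}")
    return admx_payload({"ConfigureNonTPMStartupKeyUsage_Name": allow_non_tpm, **options})


def recovery_message(mode: int, message: str = "", url: str = "") -> str:
    """mode 1 = default text, 2 = custom message (max 900), 3 = custom URL (max 500).
    All three ids are always emitted because omitting one yields 500; an empty string for
    an unused field is this example's assumption, not something the page states."""
    if mode not in (0, 1, 2, 3):
        raise ValueError("PrebootRecoveryInfoDropDown_Name must be 0, 1, 2 or 3")
    if len(message) > 900 or len(url) > 500:
        raise ValueError("RecoveryMessage_Input max 900 chars, RecoveryUrl_Input max 500 chars")
    if (mode == 2 and not message) or (mode == 3 and not url):
        raise ValueError("custom mode selected but the custom text is empty")
    return admx_payload({"PrebootRecoveryInfoDropDown_Name": mode,
                         "RecoveryMessage_Input": message, "RecoveryUrl_Input": url})


def syncml(items: list[tuple[str, int | str]]) -> str:
    """One SyncML carrying every setting, as the page requires. Integer nodes use Format int;
    ADMX-backed strings use Format chr and are XML-escaped, which is why the page shows
    &lt;disabled/&gt; inside <Data>."""
    commands = []
    for cmd_id, (node, value) in enumerate(items, start=1):
        fmt = "int" if isinstance(value, int) else "chr"
        commands.append(
            f"<Replace><CmdID>{cmd_id}</CmdID><Item><Target><LocURI>{BITLOCKER_ROOT}/{node}</LocURI>"
            f'</Target><Meta><Format xmlns="syncml:metinf">{fmt}</Format></Meta>'
            f"<Data>{escape(str(value))}</Data></Item></Replace>")
    return "<SyncML><SyncBody>" + "".join(commands) + "</SyncBody></SyncML>"


def parse_admx_payload(payload: str) -> dict[str, str] | None:
    """Inverse of admx_payload, for comparing what a Get returns with what was intended."""
    root = ET.fromstring(f"<root>{payload}</root>")
    if root.find("disabled") is not None:
        return None
    return {d.get("id"): d.get("value") for d in root.findall("data")}


def decode_syncml(xml_text: str) -> dict[str, int | str]:
    """Read node name -> value back out of a message built by syncml()."""
    result: dict[str, int | str] = {}
    for item in ET.fromstring(xml_text).iter("Item"):
        node = item.findtext("Target/LocURI").rsplit("/", 1)[1]
        fmt = item.find("Meta")[0].text  # the namespaced Format element
        data = item.findtext("Data")
        result[node] = int(data) if fmt == "int" else data
    return result


if __name__ == "__main__":
    # Constructed profile: XTS-AES 256 on OS and fixed drives, AES-CBC 256 on removable
    # drives for older readers, TPM+PIN required, custom recovery URL (sample URL, not real).
    print(syncml([
        ("RequireDeviceEncryption", 1),
        ("EncryptionMethodByDriveType", encryption_method_by_drive_type(7, 7, 4)),
        ("SystemDrivesRequireStartupAuthentication",
         startup_authentication(False, DISALLOWED, REQUIRED, DISALLOWED, DISALLOWED)),
        ("SystemDrivesRecoveryMessage", recovery_message(3, url="https://example.invalid/bitlocker")),
    ]))
```

Running the script prints one SyncML with four Replace commands; feeding that text to decode_syncml() and then parse_admx_payload() on each string node gives back the intended ids and values, which is the same check you would run against the strings a Get returns from a managed device.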

SystemDrivesRecoveryOptions

This setting is a direct mapping to the BitLocker Group Policy "Choose how BitLocker-protected operating system drives can be recovered" (OSRecoveryUsage_Name).

Edition support: Home no, Pro yes, Business yes, Enterprise yes, Education yes, Mobile no, Mobile Enterprise no.

ADMX Info:

  • GP English name: Choose how BitLocker-protected operating system drives can be recovered
  • GP name: OSRecoveryUsage_Name
  • GP path: Windows Components/Bitlocker Drive Encryption/Operating System Drives
  • GP ADMX file name: VolumeEncryption.admx

Tip

For a step-by-step guide to enabling ADMX-backed policies, see Enable ADMX-backed policies in MDM. For additional information, see Understanding ADMX-backed policies.

This setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This setting is applied when you turn on BitLocker.

The "OSAllowDRA_Name" (Allow certificate-based data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.

In "OSRecoveryPasswordUsageDropDown_Name" and "OSRecoveryKeyUsageDropDown_Name" (Configure user storage of BitLocker recovery information), set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.

Set "OSHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker; instead, BitLocker recovery options for the drive are determined by the policy setting.

Set "OSActiveDirectoryBackup_Name" (Save BitLocker recovery information to Active Directory Domain Services) to choose which BitLocker recovery information to store in AD DS for operating system drives (OSActiveDirectoryBackupDropDown_Name). If you set "1" (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you set "2" (Backup recovery password only), only the recovery password is stored in AD DS.

Set the "OSRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.

Note

If the "OSRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field is set, a recovery password is automatically generated.

If you enable this setting, you can control the methods available to users to recover data from BitLocker-protected operating system drives.

If this setting is disabled or not configured, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS. With these defaults nothing escrows the recovery password centrally, so a lost key means a lost drive unless the user kept a copy.

Sample value for this node to enable this policy is:

<enabled/><data id="OSAllowDRA_Name" value="xx"/><data id="OSRecoveryPasswordUsageDropDown_Name" value="yy"/><data id="OSRecoveryKeyUsageDropDown_Name" value="yy"/><data id="OSHideRecoveryPage_Name" value="xx"/><data id="OSActiveDirectoryBackup_Name" value="xx"/><data id="OSActiveDirectoryBackupDropDown_Name" value="zz"/><data id="OSRequireActiveDirectoryBackup_Name" value="xx"/>

The possible values for 'xx' are:

  • true = Explicitly allow
  • false = Policy not set

The possible values for 'yy' are:

  • 2 = Allowed
  • 1 = Required
  • 0 = Disallowed

The possible values for 'zz' are:

  • 2 = Store recovery passwords only
  • 1 = Store recovery passwords and key packages

Disabling the policy will let the system choose the default behaviors. If you want to disable this policy, use the following SyncML:

<Replace>
    <CmdID>$CmdID$</CmdID>
    <Item>
        <Target>
            <LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryOptions</LocURI>
        </Target>
        <Meta>
            <Format xmlns="syncml:metinf">chr</Format>
        </Meta>
        <Data>&lt;disabled/&gt;</Data>
    </Item>
</Replace>

数据类型为字符串。Data type is string. 支持的操作包括 "添加"、"获取"、"替换" 和 "删除"。Supported operations are Add, Get, Replace, and Delete.

FixedDrivesRecoveryOptionsFixedDrivesRecoveryOptions

此设置是到 Bitlocker 组策略"的直接映射, 可选择如何恢复"受 Bitlocker 保护的固定驱动器 ()。This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected fixed drives can be recovered" ().

家庭版Home 专业版Pro 商务Business 企业版Enterprise 教育版Education 移动版Mobile 移动企业版Mobile Enterprise
cross mark check mark check mark check mark check mark cross mark cross mark

ADMX 信息:ADMX Info:

  • GP 英语名称: 选择如何恢复受 BitLocker 保护的固定驱动器GP English name: Choose how BitLocker-protected fixed drives can be recovered
  • GP 名称: FDVRecoveryUsage_NameGP name: FDVRecoveryUsage_Name
  • GP 路径: Windows 组件/Bitlocker 驱动器加密/固定驱动器GP path: Windows Components/Bitlocker Drive Encryption/Fixed Drives
  • GP ADMX 文件名: VolumeEncryptionGP ADMX file name: VolumeEncryption.admx

提示

有关启用支持 ADMX 的策略的分步指南, 请参阅在 MDM 中启用支持 admx 的策略For a step-by-step guide to enable ADMX-backed policies, see Enable ADMX-backed policies in MDM. 有关其他信息, 请参阅了解 ADMX 支持的策略For additional information, see Understanding ADMX-backed policies.

This setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This setting is applied when you turn on BitLocker.

The "FDVAllowDRA_Name" (Allow data recovery agent) data field specifies whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used, it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.

In "FDVRecoveryPasswordUsageDropDown_Name" (Configure user storage of BitLocker recovery information), set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.

Set "FDVHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker; instead, the BitLocker recovery options for the drive are determined by the policy setting.

Set "FDVActiveDirectoryBackup_Name" (Save BitLocker recovery information to Active Directory Domain Services) to enable saving the recovery key to AD.

Set the "FDVRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.

Set "FDVActiveDirectoryBackupDropDown_Name" (Configure storage of BitLocker recovery information to AD DS) to choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select "1" (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you select "2" (Backup recovery password only), only the recovery password is stored in AD DS.

> [!Note]
> If the "FDVRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field is set, a recovery password is automatically generated.

If you enable this setting, you can control the methods available to users to recover data from BitLocker-protected fixed data drives.

If this setting is not configured or disabled, the default recovery options are supported for BitLocker recovery. By default, a DRA is allowed, the recovery options can be specified by the user (including the recovery password and recovery key), and recovery information is not backed up to AD DS.

Sample value for this node to enable this policy is:

<enabled/><data id="FDVAllowDRA_Name" value="xx"/><data id="FDVRecoveryPasswordUsageDropDown_Name" value="yy"/><data id="FDVRecoveryKeyUsageDropDown_Name" value="yy"/><data id="FDVHideRecoveryPage_Name" value="xx"/><data id="FDVActiveDirectoryBackup_Name" value="xx"/><data id="FDVActiveDirectoryBackupDropDown_Name" value="zz"/><data id="FDVRequireActiveDirectoryBackup_Name" value="xx"/>

The possible values for 'xx' are:

  • true = Explicitly allow
  • false = Policy not set

The possible values for 'yy' are:

  • 2 = Allowed
  • 1 = Required
  • 0 = Disallowed

The possible values for 'zz' are:

  • 2 = Store recovery passwords only
  • 1 = Store recovery passwords and key packages

Disabling the policy will let the system choose the default behaviors. If you want to disable this policy, use the following SyncML:

    <Replace>
        <CmdID>$CmdID$</CmdID>
        <Item>
            <Target>
                <LocURI>./Device/Vendor/MSFT/BitLocker/FixedDrivesRecoveryOptions</LocURI>
            </Target>
            <Meta>
                <Format xmlns="syncml:metinf">chr</Format>
            </Meta>
            <Data>&lt;disabled/&gt;</Data>
        </Item>
    </Replace>

Data type is string. Supported operations are Add, Get, Replace, and Delete.

FixedDrivesRequireEncryption

This setting is a direct mapping to the BitLocker Group Policy "Deny write access to fixed drives not protected by BitLocker" (FDVDenyWriteAccess_Name).

| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|------|-----|----------|------------|-----------|--------|-------------------|
| cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark |

ADMX Info:

  • GP English name: Deny write access to fixed drives not protected by BitLocker
  • GP name: FDVDenyWriteAccess_Name
  • GP path: Windows Components/Bitlocker Drive Encryption/Fixed Drives
  • GP ADMX file name: VolumeEncryption.admx

Tip

For a step-by-step guide to enable ADMX-backed policies, see Enable ADMX-backed policies in MDM. For additional information, see Understanding ADMX-backed policies.

This setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer.

If you enable this setting, all fixed data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.

Sample value for this node to enable this policy is:

<enabled/>

If you disable or do not configure this setting, all fixed data drives on the computer will be mounted with read and write access. If you want to disable this policy, use the following SyncML:

    <Replace>
        <CmdID>$CmdID$</CmdID>
        <Item>
            <Target>
                <LocURI>./Device/Vendor/MSFT/BitLocker/FixedDrivesRequireEncryption</LocURI>
            </Target>
            <Meta>
                <Format xmlns="syncml:metinf">chr</Format>
            </Meta>
            <Data>&lt;disabled/&gt;</Data>
        </Item>
    </Replace>

Data type is string. Supported operations are Add, Get, Replace, and Delete.

RemovableDrivesRequireEncryption

This setting is a direct mapping to the BitLocker Group Policy "Deny write access to removable drives not protected by BitLocker" (RDVDenyWriteAccess_Name).

| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|------|-----|----------|------------|-----------|--------|-------------------|
| cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark |

ADMX Info:

  • GP English name: Deny write access to removable drives not protected by BitLocker
  • GP name: RDVDenyWriteAccess_Name
  • GP path: Windows Components/Bitlocker Drive Encryption/Removable Drives
  • GP ADMX file name: VolumeEncryption.admx

Tip

For a step-by-step guide to enable ADMX-backed policies, see Enable ADMX-backed policies in MDM. For additional information, see Understanding ADMX-backed policies.

This setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive.

If you enable this setting, all removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.

If the "RDVCrossOrg" (Deny write access to devices configured in another organization) option is set, only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive is accessed, it is checked for a valid identification field and allowed identification fields. These fields are defined by the "Provide the unique identifiers for your organization" group policy setting.

If you disable or do not configure this policy setting, all removable data drives on the computer will be mounted with read and write access.

> [!Note]
> This policy setting can be overridden by the group policy settings under User Configuration\Administrative Templates\System\Removable Storage Access. If the "Removable Disks: Deny write access" group policy setting is enabled, this policy setting will be ignored.

Sample value for this node to enable this policy is:

<enabled/><data id="RDVCrossOrg" value="xx"/>

The possible values for 'xx' are:

  • true = Explicitly allow
  • false = Policy not set

Disabling the policy will let the system choose the default behaviors. If you want to disable this policy, use the following SyncML:

    <Replace>
        <CmdID>$CmdID$</CmdID>
        <Item>
            <Target>
                <LocURI>./Device/Vendor/MSFT/BitLocker/RemovableDrivesRequireEncryption</LocURI>
            </Target>
            <Meta>
                <Format xmlns="syncml:metinf">chr</Format>
            </Meta>
            <Data>&lt;disabled/&gt;</Data>
        </Item>
    </Replace>

AllowWarningForOtherDiskEncryption

Allows the admin to disable the warning prompt for other disk encryption on the user machines that are targeted when the RequireDeviceEncryption policy is also set to 1.

Important

Starting in Windows 10, version 1803, the value 0 can only be set for Azure Active Directory joined devices. When RequireDeviceEncryption is set to 1 and AllowWarningForOtherDiskEncryption is set to 0, Windows will attempt to silently enable BitLocker.

Warning

When you enable BitLocker on a device with third-party encryption, it may render the device unusable and require you to reinstall Windows.

| Home | Pro | Business | Enterprise | Education | Mobile | Mobile Enterprise |
|------|-----|----------|------------|-----------|--------|-------------------|
| cross mark | check mark | check mark | check mark | check mark | cross mark | cross mark |

The following list shows the supported values:

  • 0 – Disables the warning prompt. Starting in Windows 10, version 1803, the value 0 can only be set for Azure Active Directory joined devices. Windows will attempt to silently enable BitLocker for value 0.
  • 1 (default) – Warning prompt allowed.

    <Replace>
        <CmdID>110</CmdID>
        <Item>
            <Target>
                <LocURI>./Device/Vendor/MSFT/BitLocker/AllowWarningForOtherDiskEncryption</LocURI>
            </Target>
            <Meta>
                <Format xmlns="syncml:metinf">int</Format>
            </Meta>
            <Data>0</Data>
        </Item>
    </Replace>

Note

When you disable the warning prompt, the OS drive's recovery key will be backed up to the user's Azure Active Directory account. When you allow the warning prompt, the user who receives the prompt can select where to back up the OS drive's recovery key.

The endpoint for a fixed data drive's backup is chosen in the following order:

  1. The user's Windows Server Active Directory Domain Services account.
  2. The user's Azure Active Directory account.
  3. The user's personal OneDrive (MDM/MAM only).

Encryption will wait until one of these three locations backs up successfully.

AllowStandardUserEncryption

Allows the admin to enforce the "RequireDeviceEncryption" policy for scenarios where the policy is pushed while the currently logged-on user is a non-admin/standard user Azure AD account.

Note

This policy is only supported in Azure AD accounts.

The "AllowStandardUserEncryption" policy is tied to the "AllowWarningForOtherDiskEncryption" policy being set to "0", i.e., silent encryption is enforced.

If "AllowWarningForOtherDiskEncryption" is not set, or is set to "1", the "RequireDeviceEncryption" policy will not try to encrypt drive(s) if a standard user is the currently logged-on user in the system.

The expected values for this policy are:

  • 1 = The "RequireDeviceEncryption" policy will try to enable encryption on all fixed drives even if the currently logged-in user is a standard user.
  • 0 = This is the default, when the policy is not set. If the currently logged-on user is a standard user, the "RequireDeviceEncryption" policy will not try to enable encryption on any drive.

If you want to disable this policy, use the following SyncML:

    <Replace>
        <CmdID>111</CmdID>
        <Item>
            <Target>
                <LocURI>./Device/Vendor/MSFT/BitLocker/AllowStandardUserEncryption</LocURI>
            </Target>
            <Meta>
                <Format xmlns="syncml:metinf">int</Format>
            </Meta>
            <Data>0</Data>
        </Item>
    </Replace>

SyncML example

The following example is provided to show proper format and should not be taken as a recommendation.

<SyncML xmlns="SYNCML:SYNCML1.2">
    <SyncBody>

      <!-- Phone only policy -->
      <Replace>
        <CmdID>$CmdID$</CmdID>
        <Item>
          <Target>
            <LocURI>./Device/Vendor/MSFT/BitLocker/RequireStorageCardEncryption</LocURI>
          </Target>
          <Meta>
            <Format xmlns="syncml:metinf">int</Format>
          </Meta>
          <Data>1</Data>
        </Item>
      </Replace>

      <Replace>
        <CmdID>$CmdID$</CmdID>
        <Item>
          <Target>
            <LocURI>./Device/Vendor/MSFT/BitLocker/RequireDeviceEncryption</LocURI>
          </Target>
          <Meta>
            <Format xmlns="syncml:metinf">int</Format>
          </Meta>
          <Data>1</Data>
        </Item>
      </Replace>

      <!-- All of the following policies are only supported on desktop SKU -->    
      <Replace>
        <CmdID>$CmdID$</CmdID>
        <Item>
          <Target>
            <LocURI>./Device/Vendor/MSFT/BitLocker/EncryptionMethodByDriveType</LocURI>
          </Target>
          <Data>
            &lt;enabled/&gt;
            &lt;data id=&quot;EncryptionMethodWithXtsOsDropDown_Name&quot; value=&quot;4&quot;/&gt;
            &lt;data id=&quot;EncryptionMethodWithXtsFdvDropDown_Name&quot; value=&quot;7&quot;/&gt;
            &lt;data id=&quot;EncryptionMethodWithXtsRdvDropDown_Name&quot; value=&quot;4&quot;/&gt;
          </Data>
        </Item>
      </Replace>

      <Replace>
        <CmdID>$CmdID$</CmdID>
        <Item>
          <Target>
            <LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesRequireStartupAuthentication</LocURI>
          </Target>
          <Data>
            &lt;enabled/&gt;
            &lt;data id=&quot;ConfigureNonTPMStartupKeyUsage_Name&quot; value=&quot;true&quot;/&gt;
            &lt;data id=&quot;ConfigureTPMStartupKeyUsageDropDown_Name&quot; value=&quot;2&quot;/&gt;
            &lt;data id=&quot;ConfigurePINUsageDropDown_Name&quot; value=&quot;2&quot;/&gt;
            &lt;data id=&quot;ConfigureTPMPINKeyUsageDropDown_Name&quot; value=&quot;2&quot;/&gt;
            &lt;data id=&quot;ConfigureTPMUsageDropDown_Name&quot; value=&quot;2&quot;/&gt;
          </Data>
        </Item>
      </Replace>

      <Replace>
        <CmdID>$CmdID$</CmdID>
        <Item>
          <Target>
            <LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesMinimumPINLength</LocURI>
          </Target>
          <Data>
            &lt;enabled/&gt;
            &lt;data id=&quot;MinPINLength&quot; value=&quot;6&quot;/&gt;
          </Data>
        </Item>
      </Replace>

      <Replace>
        <CmdID>$CmdID$</CmdID>
        <Item>
          <Target>
            <LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage</LocURI>
          </Target>
          <Data>
            &lt;enabled/&gt;
            &lt;data id=&quot;RecoveryMessage_Input&quot; value=&quot;blablablabla&quot;/&gt;
            &lt;data id=&quot;PrebootRecoveryInfoDropDown_Name&quot; value=&quot;2&quot;/&gt;
            &lt;data id=&quot;RecoveryUrl_Input&quot; value=&quot;blablabla&quot;/&gt;
          </Data>
        </Item>
      </Replace>

      <Replace>
        <CmdID>$CmdID$</CmdID>
        <Item>
          <Target>
            <LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryOptions</LocURI>
          </Target>
          <Data>
            &lt;enabled/&gt;
            &lt;data id=&quot;OSAllowDRA_Name&quot; value=&quot;true&quot;/&gt;
            &lt;data id=&quot;OSRecoveryPasswordUsageDropDown_Name&quot; value=&quot;2&quot;/&gt;
            &lt;data id=&quot;OSRecoveryKeyUsageDropDown_Name&quot; value=&quot;2&quot;/&gt;
            &lt;data id=&quot;OSHideRecoveryPage_Name&quot; value=&quot;true&quot;/&gt;
            &lt;data id=&quot;OSActiveDirectoryBackup_Name&quot; value=&quot;true&quot;/&gt;
            &lt;data id=&quot;OSActiveDirectoryBackupDropDown_Name&quot; value=&quot;2&quot;/&gt;
            &lt;data id=&quot;OSRequireActiveDirectoryBackup_Name&quot; value=&quot;true&quot;/&gt;
          </Data>
        </Item>
      </Replace>

      <Replace>
        <CmdID>$CmdID$</CmdID>
        <Item>
          <Target>
            <LocURI>./Device/Vendor/MSFT/BitLocker/FixedDrivesRecoveryOptions</LocURI>
          </Target>
          <Data>
            &lt;enabled/&gt;
            &lt;data id=&quot;FDVAllowDRA_Name&quot; value=&quot;true&quot;/&gt;
            &lt;data id=&quot;FDVRecoveryPasswordUsageDropDown_Name&quot; value=&quot;2&quot;/&gt;
            &lt;data id=&quot;FDVRecoveryKeyUsageDropDown_Name&quot; value=&quot;2&quot;/&gt;
            &lt;data id=&quot;FDVHideRecoveryPage_Name&quot; value=&quot;true&quot;/&gt;
            &lt;data id=&quot;FDVActiveDirectoryBackup_Name&quot; value=&quot;true&quot;/&gt;
            &lt;data id=&quot;FDVActiveDirectoryBackupDropDown_Name&quot; value=&quot;2&quot;/&gt;
            &lt;data id=&quot;FDVRequireActiveDirectoryBackup_Name&quot; value=&quot;true&quot;/&gt;
          </Data>
        </Item>
      </Replace>

      <Replace>
        <CmdID>$CmdID$</CmdID>
        <Item>
          <Target>
            <LocURI>./Device/Vendor/MSFT/BitLocker/FixedDrivesRequireEncryption</LocURI>
          </Target>
          <Data>
            &lt;enabled/&gt;
          </Data>
        </Item>
      </Replace>

      <Replace>
        <CmdID>$CmdID$</CmdID>
        <Item>
          <Target>
            <LocURI>./Device/Vendor/MSFT/BitLocker/RemovableDrivesRequireEncryption</LocURI>
          </Target>
          <Data>
            &lt;enabled/&gt;
            &lt;data id=&quot;RDVCrossOrg&quot; value=&quot;true&quot;/&gt;
          </Data>
        </Item>
      </Replace>

      <Final/>
    </SyncBody>
</SyncML>
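As an added example (not Microsoft's code or any CSP tooling) covering the FixedDrivesRecoveryOptions data fields and the full SyncML example above, the following Python builds the escaped Data value from the page's 'xx', 'yy' and 'zz' tables, wraps each node in a Replace so that all settings travel in one SyncML, and parses a payload back to check what was sent; the sequential CmdID numbering and the lint rules are assumptions of mine.

```python
# Added example, not Microsoft's code: build, lint and read back a BitLocker CSP SyncML
# payload.  Assumes this page's FixedDrivesRecoveryOptions value tables and <Replace>
# layout; sequential CmdIDs and the lint rules are my own.
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

CSP_ROOT = "./Device/Vendor/MSFT/BitLocker"
NS = {"s": "SYNCML:SYNCML1.2"}

# Allowed values per data field, from the 'xx', 'yy' and 'zz' tables on this page.
_XX = {"true", "false"}   # explicitly allow / policy not set
_YY = {"0", "1", "2"}     # disallowed / required / allowed
_ZZ = {"1", "2"}          # password and key package / password only
FDV_FIELDS = {
    "FDVAllowDRA_Name": _XX,
    "FDVRecoveryPasswordUsageDropDown_Name": _YY,
    "FDVRecoveryKeyUsageDropDown_Name": _YY,
    "FDVHideRecoveryPage_Name": _XX,
    "FDVActiveDirectoryBackup_Name": _XX,
    "FDVActiveDirectoryBackupDropDown_Name": _ZZ,
    "FDVRequireActiveDirectoryBackup_Name": _XX,
}
# Constructed input mirroring the values in the page's full SyncML example.
SAMPLE = dict(zip(FDV_FIELDS, ["true", "2", "2", "true", "true", "2", "true"]))


def fixed_drives_recovery_data(values):
    """Return the <enabled/><data .../> string; reject values outside the page's tables."""
    parts = ["<enabled/>"]
    for name, allowed in FDV_FIELDS.items():
        if values[name] not in allowed:
            raise ValueError("%s=%r not in %s" % (name, values[name], sorted(allowed)))
        parts.append('<data id="%s" value="%s"/>' % (name, values[name]))
    return "".join(parts)


def lint_recovery_options(v):
    """My own check (not part of the CSP): flag combinations with no usable recovery path."""
    findings = []
    if v["FDVRequireActiveDirectoryBackup_Name"] == "true" and v["FDVActiveDirectoryBackup_Name"] != "true":
        findings.append("AD DS backup required but not enabled")
    if (v["FDVRecoveryPasswordUsageDropDown_Name"] == "0" and v["FDVRecoveryKeyUsageDropDown_Name"] == "0"
            and v["FDVActiveDirectoryBackup_Name"] != "true" and v["FDVAllowDRA_Name"] != "true"):
        findings.append("no recovery password, recovery key, DRA or AD DS backup")
    return findings


def replace_item(cmd_id, node, data, fmt):
    """One <Replace> for a CSP node; chr data is XML-escaped into &lt;enabled/&gt; form."""
    return ("<Replace><CmdID>%d</CmdID><Item><Target><LocURI>%s/%s</LocURI></Target>"
            '<Meta><Format xmlns="syncml:metinf">%s</Format></Meta><Data>%s</Data>'
            "</Item></Replace>" % (cmd_id, CSP_ROOT, node, fmt, escape(data)))


def build_syncml(items):
    """All settings in one SyncML body (as the page requires); items are (node, data, fmt)."""
    body = "".join(replace_item(i, n, d, f) for i, (n, d, f) in enumerate(items, 1))
    return '<SyncML xmlns="SYNCML:SYNCML1.2"><SyncBody>%s<Final/></SyncBody></SyncML>' % body


def parse_node_data(syncml, node):
    """Unescape a node's <Data>: dict of data ids for an enabled chr policy, 'disabled'
    for <disabled/>, the raw string for int nodes, None if the node is absent."""
    for item in ET.fromstring(syncml).iterfind(".//s:Item", NS):
        if item.findtext("s:Target/s:LocURI", namespaces=NS) != "%s/%s" % (CSP_ROOT, node):
            continue
        data = item.findtext("s:Data", default="", namespaces=NS)  # ET unescapes &lt; &gt;
        if not data.startswith("<"):
            return data
        inner = ET.fromstring("<root>%s</root>" % data)
        if inner.find("disabled") is not None:
            return "disabled"
        return {d.get("id"): d.get("value") for d in inner.iter("data")}
    return None
```

Running the lint before sending a payload catches the case where FDVHideRecoveryPage_Name removes the user's choice while the policy itself supplies no recovery method, which would otherwise only surface at recovery time.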