BitLocker recovery guide

Applies to:

  • Windows 10

This article for IT professionals describes how to recover BitLocker keys from AD DS.

Organizations can use BitLocker recovery information saved in Active Directory Domain Services (AD DS) to access BitLocker-protected data. Creating a recovery model for BitLocker while you are planning your BitLocker deployment is recommended.

This article assumes that you understand how to set up AD DS to back up BitLocker recovery information automatically, and what types of recovery information are saved to AD DS.

This article does not detail how to configure AD DS to store the BitLocker recovery information.

What is BitLocker recovery?

BitLocker recovery is the process by which you can restore access to a BitLocker-protected drive in the event that you cannot unlock the drive normally. In a recovery scenario, you have the following options to restore access to the drive:

  • The user can supply the recovery password. If your organization allows users to print or store recovery passwords, the user can type in the 48-digit recovery password that they printed or stored on a USB drive or with your Microsoft Account online. (Saving a recovery password with your Microsoft Account online is only allowed when BitLocker is used on a PC that is not a member of a domain.)
  • A data recovery agent can use their credentials to unlock the drive. If the drive is an operating system drive, the drive must be mounted as a data drive on another computer for the data recovery agent to unlock it.
  • A domain administrator can obtain the recovery password from AD DS and use it to unlock the drive. Storing recovery passwords in AD DS is recommended to provide a way for IT professionals to be able to obtain recovery passwords for drives in their organization if needed. This method requires that you have enabled this recovery method in the BitLocker Group Policy setting Choose how BitLocker-protected operating system drives can be recovered, located at Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives in the Local Group Policy Editor. For more information, see BitLocker Group Policy settings.

What causes BitLocker recovery?

The following list provides examples of specific events that will cause BitLocker to enter recovery mode when attempting to start the operating system drive:

  • On PCs that use BitLocker Drive Encryption, or on devices such as tablets or phones that use BitLocker Device Encryption only, when an attack is detected, the device will immediately reboot and enter into BitLocker recovery mode. To take advantage of this functionality, administrators can set the Interactive logon: Machine account lockout threshold Group Policy setting located in \Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options in the Local Group Policy Editor. Or they can use the MaxFailedPasswordAttempts policy of Exchange ActiveSync (also configurable through Microsoft Intune) to limit the number of failed password attempts before the device goes into Device Lockout.

  • On devices with TPM 1.2, changing the BIOS or firmware boot device order causes BitLocker recovery. However, devices with TPM 2.0 do not start BitLocker recovery in this case. TPM 2.0 does not consider a firmware change of boot device order as a security threat because the OS Boot Loader is not compromised.

  • Having the CD or DVD drive before the hard drive in the BIOS boot order and then inserting or removing a CD or DVD.

  • Failing to boot from a network drive before booting from the hard drive.

  • Docking or undocking a portable computer. In some instances (depending on the computer manufacturer and the BIOS), the docking condition of the portable computer is part of the system measurement and must be consistent to validate the system status and unlock BitLocker. So if a portable computer is connected to its docking station when BitLocker is turned on, then it might also need to be connected to the docking station when it is unlocked. Conversely, if a portable computer is not connected to its docking station when BitLocker is turned on, then it might need to be disconnected from the docking station when it is unlocked.

  • Changes to the NTFS partition table on the disk, including creating, deleting, or resizing a primary partition.

  • Entering the personal identification number (PIN) incorrectly too many times so that the anti-hammering logic of the TPM is activated. Anti-hammering logic consists of software or hardware methods that increase the difficulty and cost of a brute force attack on a PIN by not accepting PIN entries until after a certain amount of time has passed.

  • Turning off the support for reading the USB device in the pre-boot environment from the BIOS or UEFI firmware if you are using USB-based keys instead of a TPM.

  • Turning off, disabling, deactivating, or clearing the TPM.

  • Upgrading critical early startup components, such as a BIOS or UEFI firmware upgrade, causing the related boot measurements to change.

  • Forgetting the PIN when PIN authentication has been enabled.

  • Updating option ROM firmware.

  • Upgrading TPM firmware.

  • Adding or removing hardware; for example, inserting a new card in the computer, including some PCMCIA wireless cards.

  • Removing, inserting, or completely depleting the charge on a smart battery on a portable computer.

  • Changes to the master boot record on the disk.

  • Changes to the boot manager on the disk.

  • Hiding the TPM from the operating system. Some BIOS or UEFI settings can be used to prevent the enumeration of the TPM to the operating system. When implemented, this option can make the TPM hidden from the operating system. When the TPM is hidden, BIOS and UEFI secure startup are disabled, and the TPM does not respond to commands from any software.

  • Using a different keyboard that does not correctly enter the PIN or whose keyboard map does not match the keyboard map assumed by the pre-boot environment. This problem can prevent the entry of enhanced PINs.

  • Modifying the Platform Configuration Registers (PCRs) used by the TPM validation profile. For example, including PCR[1] would result in BitLocker measuring most changes to BIOS settings, causing BitLocker to enter recovery mode even when non-boot-critical BIOS settings change.

    Note

    Some computers have BIOS settings that skip measurements to certain PCRs, such as PCR[2]. Changing this setting in the BIOS would cause BitLocker to enter recovery mode because the PCR measurement will be different.

  • Moving the BitLocker-protected drive into a new computer.

  • Upgrading the motherboard to a new one with a new TPM.

  • Losing the USB flash drive containing the startup key when startup key authentication has been enabled.

  • Failing the TPM self-test.

  • Having a BIOS, UEFI firmware, or an option ROM component that is not compliant with the relevant Trusted Computing Group standards for a client computer. For example, a non-compliant implementation may record volatile data (such as time) in the TPM measurements, causing different measurements on each startup and causing BitLocker to start in recovery mode.

  • Changing the usage authorization for the storage root key of the TPM to a non-zero value.

    Note

    The BitLocker TPM initialization process sets the usage authorization value to zero, so another user or process must explicitly have changed this value.

  • Disabling the code integrity check or enabling test signing on Windows Boot Manager (Bootmgr).

  • Pressing the F8 or F10 key during the boot process.

  • Adding or removing add-in cards (such as video or network cards), or upgrading firmware on add-in cards.

  • Using a BIOS hot key during the boot process to change the boot order to something other than the hard drive.

Note

Before you begin recovery, we recommend that you determine what caused recovery. This might help prevent the problem from occurring again in the future. For instance, if you determine that an attacker has modified your computer by obtaining physical access, you can create new security policies for tracking who has physical presence. After the recovery password has been used to recover access to the PC, BitLocker will reseal the encryption key to the current values of the measured components.

For planned scenarios, such as a known hardware or firmware upgrade, you can avoid initiating recovery by temporarily suspending BitLocker protection. Because suspending BitLocker leaves the drive fully encrypted, the administrator can quickly resume BitLocker protection after the planned task has been completed. Using suspend and resume also reseals the encryption key without requiring the entry of the recovery key.

Note

If suspended, BitLocker will automatically resume protection when the PC is rebooted, unless a reboot count is specified using the manage-bde command line tool.
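The suspend-and-resume workflow above, as an added example that is not code from the original article: it escrows the recovery password in AD DS first, then suspends BitLocker for a single reboot around a firmware update so the new measurements are resealed on resume instead of triggering recovery. It assumes the Windows BitLocker PowerShell module (Get-BitLockerVolume, Backup-BitLockerKeyProtector, Suspend-BitLocker, Resume-BitLocker), a domain-joined PC and an elevated session; the function names are this example's own.

```powershell
# Added example, not code from the original article.
# Assumes: BitLocker PowerShell module, domain-joined PC with the AD DS backup policy applied,
# elevated session. Function names are this example's own.

function Invoke-PreFirmwareUpdateSuspend {
    param(
        [string]$MountPoint = $env:SystemDrive,          # normally "C:"
        [ValidateRange(1, 15)] [int]$RebootCount = 1     # protection resumes by itself after this many reboots
    )

    $volume = Get-BitLockerVolume -MountPoint $MountPoint
    if ($volume.ProtectionStatus -ne 'On') {
        throw "BitLocker protection on $MountPoint is '$($volume.ProtectionStatus)', not On; nothing to suspend."
    }

    # Before touching firmware, make sure a recovery password exists and is escrowed in AD DS.
    # If the update goes wrong anyway, the helpdesk must be able to look the password up.
    $recovery = @($volume.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    if ($recovery.Count -eq 0) {
        throw "No recovery password protector on $MountPoint; add one with Add-BitLockerKeyProtector -RecoveryPasswordProtector first."
    }
    foreach ($protector in $recovery) {
        # Writes this protector to the computer object in AD DS; fails if no domain controller is reachable.
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $protector.KeyProtectorId | Out-Null
    }

    # Suspend with a reboot count. The drive stays fully encrypted; only the TPM validation of the
    # boot measurements is skipped at the next start, so the post-update measurements are accepted
    # and resealed when protection resumes.
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount $RebootCount | Out-Null
    "Suspended BitLocker on $MountPoint for $RebootCount reboot(s); apply the firmware update and restart."
}

function Confirm-BitLockerResumed {
    # Run after the update and restart. If protection is still suspended (for example the
    # update needed more reboots than the count allowed for), resume it explicitly now.
    param([string]$MountPoint = $env:SystemDrive)

    $volume = Get-BitLockerVolume -MountPoint $MountPoint
    if ($volume.ProtectionStatus -ne 'On') {
        Resume-BitLocker -MountPoint $MountPoint | Out-Null
        $volume = Get-BitLockerVolume -MountPoint $MountPoint
    }
    $volume.ProtectionStatus   # expected: On
}

# Usage: Invoke-PreFirmwareUpdateSuspend ; reboot with the new firmware ; Confirm-BitLockerResumed
```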

If software maintenance requires the computer to be restarted and you are using two-factor authentication, you can enable BitLocker Network Unlock to provide the secondary authentication factor when the computers do not have an on-premises user to provide the additional authentication method.

Recovery has been described within the context of unplanned or undesired behavior, but you can also cause recovery as an intended production scenario, in order to manage access control. For example, when you redeploy desktop or laptop computers to other departments or employees in your enterprise, you can force BitLocker into recovery before the computer is given to a new user.

Testing recovery

Before you create a thorough BitLocker recovery process, we recommend that you test how the recovery process works for both end users (people who call your helpdesk for the recovery password) and administrators (people who help the end user get the recovery password). The -forcerecovery command of manage-bde is an easy way for you to step through the recovery process before your users encounter a recovery situation.

To force a recovery for the local computer:

  1. Select the Start button, type cmd in the Start Search box, right-click cmd.exe, and then select Run as administrator.
  2. At the command prompt, type the following command and then press Enter: manage-bde -forcerecovery <BitLockerVolume>

To force recovery for a remote computer:

  1. On the Start screen, type cmd.exe, and then select Run as administrator.

  2. At the command prompt, type the following command and then press Enter: manage-bde -ComputerName <RemoteComputerName> -forcerecovery <BitLockerVolume>

    Note

    Recovery triggered by -forcerecovery persists for multiple restarts until a TPM protector is added or protection is suspended by the user. When using Modern Standby devices (such as Surface devices), the -forcerecovery option is not recommended because BitLocker will have to be unlocked and disabled manually from the WinRE environment before the OS can boot up again. For more information, see BitLocker Troubleshooting: Continuous reboot loop with BitLocker recovery on a slate device.

Planning your recovery process

When planning the BitLocker recovery process, first consult your organization's current best practices for recovering sensitive information. For example: How does your enterprise handle lost Windows passwords? How does your organization perform smart card PIN resets? You can use these best practices and related resources (people and tools) to help formulate a BitLocker recovery model.

Organizations that rely on BitLocker Drive Encryption and BitLocker To Go to protect data on a large number of computers and removable drives running the Windows 10, Windows 8, or Windows 7 operating systems and Windows To Go should consider using the Microsoft BitLocker Administration and Monitoring (MBAM) Tool version 2.0, which is included in the Microsoft Desktop Optimization Pack (MDOP) for Microsoft Software Assurance. MBAM makes BitLocker implementations easier to deploy and manage and allows administrators to provision and monitor encryption for operating system and fixed drives. MBAM prompts the user before encrypting fixed drives. MBAM also manages recovery keys for fixed and removable drives, making recovery easier to manage. MBAM can be used as part of a Microsoft System Center deployment or as a stand-alone solution. For more info, see Microsoft BitLocker Administration and Monitoring.

After a BitLocker recovery has been initiated, users can use a recovery password to unlock access to encrypted data. Consider both self-recovery and recovery password retrieval methods for your organization.

When you determine your recovery process, you should:

Self-recovery

In some cases, users might have the recovery password in a printout or on a USB flash drive and can perform self-recovery. We recommend that your organization create a policy for self-recovery. If self-recovery includes using a password or recovery key stored on a USB flash drive, the users should be warned not to store the USB flash drive in the same place as the PC, especially during travel. For example, if both the PC and the recovery items are in the same bag, it is easy for an unauthorized user to access the PC. Another policy to consider is having users contact the Helpdesk before or after performing self-recovery so that the root cause can be identified.

Recovery password retrieval

If the user does not have a recovery password in a printout or on a USB flash drive, the user will need to be able to retrieve the recovery password from an online source. If the PC is a member of a domain, the recovery password can be backed up to AD DS. However, this does not happen by default. You must have configured the appropriate Group Policy settings before BitLocker was enabled on the PC. BitLocker Group Policy settings can be found in the Local Group Policy Editor or the Group Policy Management Console (GPMC) under Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption. The following policy settings define the recovery methods that can be used to restore access to a BitLocker-protected drive if an authentication method fails or is unable to be used.

  • Choose how BitLocker-protected operating system drives can be recovered
  • Choose how BitLocker-protected fixed drives can be recovered
  • Choose how BitLocker-protected removable drives can be recovered

In each of these policies, select Save BitLocker recovery information to Active Directory Domain Services and then choose which BitLocker recovery information to store in Active Directory Domain Services (AD DS). Select the Do not enable BitLocker until recovery information is stored in AD DS check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information for the drive to AD DS succeeds.

Note

If the PCs are part of a workgroup, users should be advised to save their BitLocker recovery password with their Microsoft Account online. Having an online copy of your BitLocker recovery password is recommended to help ensure that you do not lose access to your data in the event that recovery is required.

The BitLocker Recovery Password Viewer for Active Directory Users and Computers tool allows domain administrators to view BitLocker recovery passwords for specific computer objects in Active Directory.

You can use the following list as a template for creating your own recovery process for recovery password retrieval. This sample process uses the BitLocker Recovery Password Viewer for Active Directory Users and Computers tool.

Record the name of the user's computer

You can use the name of the user's computer to locate the recovery password in AD DS. If the user does not know the name of the computer, ask the user to read the first word of the Drive Label in the BitLocker Drive Encryption Password Entry user interface. This is the computer name when BitLocker was enabled and is probably the current name of the computer.

Verify the user's identity

Verify that the person who is asking for the recovery password is truly the authorized user of that computer. You might also want to verify that the computer with the name the user provided belongs to the user.

Locate the recovery password in AD DS

Locate the Computer object with the matching name in AD DS. Because Computer object names are listed in the AD DS global catalog, you should be able to locate the object even if you have a multi-domain forest.

Multiple recovery passwords

If multiple recovery passwords are stored under a computer object in AD DS, the name of the BitLocker recovery information object includes the date that the password was created.

If at any time you are unsure what password to provide, or if you think you might be providing the incorrect password, ask the user to read the eight-character password ID that is displayed in the recovery console.

Since the password ID is a unique value that is associated with each recovery password stored in AD DS, running a query using this ID will find the correct password to unlock the encrypted volume.
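The lookup described in the three steps above (computer name, then password ID), as an added example that is not code from the original article or the Recovery Password Viewer. It assumes the RSAT ActiveDirectory module, an account delegated read access to msFVE-RecoveryInformation objects, and that each object's name ends with the recovery GUID in braces (the first eight hex digits of that GUID being the password ID the user reads out); the function name and sample values are this example's own.

```powershell
# Added example, not code from the original article.
# Assumes: RSAT ActiveDirectory module; read access to msFVE-RecoveryInformation objects;
# object names of the form "<creation time>{<recovery GUID>}". Function name is this example's own.

function Get-BitLockerRecoveryPasswordFromAD {
    param(
        [Parameter(Mandatory)] [string]$ComputerName,
        [string]$PasswordId   # optional: the 8-character password ID shown on the recovery screen
    )

    Import-Module ActiveDirectory -ErrorAction Stop

    # Computer objects are in the global catalog, so this works across a multi-domain forest.
    $computer = Get-ADComputer -Identity $ComputerName -ErrorAction Stop

    # Recovery information objects are children of the computer object; one per recovery
    # password ever created for that PC, so several can coexist.
    $filter = 'objectClass -eq "msFVE-RecoveryInformation"'
    if ($PasswordId) {
        # The password ID is the first 8 hex digits of the recovery GUID embedded in the name,
        # so matching on the name prefix selects exactly the password the user's screen refers to.
        $filter += " -and Name -like '*{$($PasswordId.ToUpper())*'"
    }

    Get-ADObject -Filter $filter -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
                 -Properties 'msFVE-RecoveryPassword', 'whenCreated' |
        ForEach-Object {
            $guid = $null
            if ($_.Name -match '\{([0-9A-Fa-f-]{36})\}') { $guid = $Matches[1].ToUpper() }
            $shortId = $null
            if ($guid) { $shortId = $guid.Substring(0, 8) }
            [pscustomobject]@{
                ComputerName     = $computer.Name
                Created          = $_.whenCreated
                RecoveryKeyId    = $guid
                PasswordId       = $shortId
                RecoveryPassword = $_.'msFVE-RecoveryPassword'   # the 48-digit password; handle as a credential
            }
        } |
        Sort-Object Created -Descending   # newest password first when no ID was supplied
}

# Usage with constructed values:
# Get-BitLockerRecoveryPasswordFromAD -ComputerName 'LAPTOP-042' -PasswordId '1A2B3C4D'
```

Without -PasswordId the function returns every password stored for the computer, newest first, which is the situation the "Multiple recovery passwords" step warns about.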

Gather information to determine why recovery occurred

Before you give the user the recovery password, you should gather any information that will help determine why the recovery was needed, in order to analyze the root cause during the post-recovery analysis. For more info about post-recovery analysis, see Post-recovery analysis.

Give the user the recovery password

Because the recovery password is 48 digits long, the user might need to record the password by writing it down or typing it on a different computer. If you are using MBAM, the recovery password will be regenerated after it is recovered from the MBAM database to avoid the security risks associated with an uncontrolled password.

Note

Because the 48-digit recovery password is long and contains a combination of digits, the user might mishear or mistype the password. The boot-time recovery console uses built-in checksum numbers to detect input errors in each 6-digit block of the 48-digit recovery password, and offers the user the opportunity to correct such errors.
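The per-block check the note refers to, as an added example that is not code from the original article: a helpdesk can run it on a password the user has read back before the call ends, and name the block that was misheard. It relies on the documented rule for BitLocker recovery passwords, that each 6-digit block is a multiple of 11 and is less than 720896 (11 × 65536); the function name and the sample passwords are this example's own.

```powershell
# Added example, not code from the original article.
# Rule used: every 6-digit block of a BitLocker recovery password is a 16-bit value times 11,
# so it is divisible by 11 and below 720896. Function name and samples are this example's own.

function Test-BitLockerRecoveryPassword {
    param([Parameter(Mandatory)] [string]$Password)

    # Accept the password with or without dashes or spaces, as a user would read it out.
    $digits = $Password -replace '[^0-9]', ''
    if ($digits.Length -ne 48) {
        return [pscustomobject]@{ IsValid = $false; BadBlocks = @(); Reason = "expected 48 digits, got $($digits.Length)" }
    }

    $badBlocks = @()
    for ($i = 0; $i -lt 8; $i++) {
        $block = [int]$digits.Substring($i * 6, 6)
        # Changing one digit alters the block by d * 10^k, which is never a multiple of 11,
        # so every single-digit error is caught. Two compensating errors in one block may slip
        # through, which is why the recovery console still tries the password against the volume.
        if (($block % 11) -ne 0 -or $block -ge 720896) {
            $badBlocks += ($i + 1)       # 1-based block number to read back to the user
        }
    }

    $reason = 'all 8 blocks pass'
    if ($badBlocks.Count -gt 0) { $reason = "checksum failed in block(s) $($badBlocks -join ', ')" }

    # Return only validity and block numbers; never write the password itself to a log.
    [pscustomobject]@{
        IsValid   = ($badBlocks.Count -eq 0)
        BadBlocks = $badBlocks
        Reason    = $reason
    }
}

# Constructed sample, valid: every block is a multiple of 11 below 720896.
Test-BitLockerRecoveryPassword '000011-000022-000033-000044-000055-000066-000077-000088'
# Constructed sample with one misheard digit in block 3 (000034 is not a multiple of 11).
Test-BitLockerRecoveryPassword '000011-000022-000034-000044-000055-000066-000077-000088'
```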

Post-recovery analysis

When a volume is unlocked using a recovery password, an event is written to the event log and the platform validation measurements are reset in the TPM to match the current configuration. Unlocking the volume means that the encryption key has been released and is ready for on-the-fly encryption when data is written to the volume, and on-the-fly decryption when data is read from the volume. After the volume is unlocked, BitLocker behaves the same way, regardless of how the access was granted.

If you notice that a computer is having repeated recovery password unlocks, you might want to have an administrator perform post-recovery analysis to determine the root cause of the recovery and refresh BitLocker platform validation so that the user no longer needs to enter a recovery password each time that the computer starts up. See:

Determine the root cause of the recovery

If a user needed to recover the drive, it is important to determine the root cause that initiated the recovery as soon as possible. Properly analyzing the state of the computer and detecting tampering may reveal threats that have broader implications for enterprise security.

While an administrator can remotely investigate the cause of recovery in some cases, the end user might need to bring the computer that contains the recovered drive on site to analyze the root cause further.

Review and answer the following questions for your organization:

  1. What BitLocker protection mode is in effect (TPM, TPM + PIN, TPM + startup key, startup key only)? Which PCR profile is in use on the PC?
  2. Did the user merely forget the PIN or lose the startup key? If a token was lost, where might the token be?
  3. If TPM mode was in effect, was recovery caused by a boot file change?
  4. If recovery was caused by a boot file change, was the change an intended user action (for example, a BIOS upgrade), or was it caused by malicious software?
  5. When was the user last able to start the computer successfully, and what might have happened to the computer since then?
  6. Might the user have encountered malicious software or left the computer unattended since the last successful startup?

To help you answer these questions, use the BitLocker command-line tool to view the current configuration and protection mode (for example, manage-bde -status). Scan the event log to find events that help indicate why recovery was initiated (for example, if the boot file changed). Both of these capabilities can be performed remotely.
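The remote data gathering suggested above, as an added example that is not code from the original article: it pulls protection status, the protector types (from which the protection mode of question 1 follows), the manage-bde protector listing that shows the PCR validation profile, and the newest entries of the BitLocker management event channel. It assumes PowerShell remoting to the target, the BitLocker module and manage-bde on the target, and that the channel is named Microsoft-Windows-BitLocker/BitLocker Management as on Windows 10; the function name is this example's own.

```powershell
# Added example, not code from the original article.
# Assumes: PowerShell remoting enabled on the target; BitLocker module and manage-bde present there;
# event channel name 'Microsoft-Windows-BitLocker/BitLocker Management'. Function name is this example's own.

function Get-BitLockerRecoveryTriage {
    param(
        [Parameter(Mandatory)] [string]$ComputerName,
        [string]$MountPoint = 'C:',
        [int]$MaxEvents = 50
    )

    Invoke-Command -ComputerName $ComputerName -ArgumentList $MountPoint, $MaxEvents -ScriptBlock {
        param($MountPoint, $MaxEvents)

        $vol   = Get-BitLockerVolume -MountPoint $MountPoint
        $types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })

        # Map the protector set to the protection mode named in question 1.
        if     ($types -contains 'TpmPinStartupKey') { $mode = 'TPM + PIN + startup key' }
        elseif ($types -contains 'TpmPin')           { $mode = 'TPM + PIN' }
        elseif ($types -contains 'TpmStartupKey')    { $mode = 'TPM + startup key' }
        elseif ($types -contains 'Tpm')              { $mode = 'TPM only' }
        elseif ($types -contains 'ExternalKey')      { $mode = 'startup key only' }
        else                                         { $mode = 'no TPM or startup key protector' }

        # manage-bde lists each protector with its ID and, for TPM protectors, the PCR validation
        # profile in use; kept as raw text lines because the layout is meant for reading, not parsing.
        $protectorText = manage-bde -protectors -get $MountPoint 2>&1

        # Newest entries from the BitLocker management channel. The first line of each message is
        # enough to see whether the TPM refused to unseal because a boot file or firmware measurement
        # changed, which answers questions 3 and 4.
        $events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-BitLocker/BitLocker Management' } `
                               -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
                  Select-Object TimeCreated, Id, LevelDisplayName,
                                @{ n = 'Summary'; e = { ($_.Message -split "`n")[0].TrimEnd() } }

        [pscustomobject]@{
            ComputerName     = $env:COMPUTERNAME
            MountPoint       = $MountPoint
            ProtectionStatus = $vol.ProtectionStatus   # On, or Off while suspended
            VolumeStatus     = $vol.VolumeStatus       # for example FullyEncrypted
            ProtectionMode   = $mode
            KeyProtectors    = $types
            ProtectorDetails = $protectorText
            RecentEvents     = $events
        }
    }
}

# Usage with a constructed host name:
# $triage = Get-BitLockerRecoveryTriage -ComputerName 'LAPTOP-042'
# $triage.ProtectionMode ; $triage.RecentEvents | Format-Table -AutoSize
```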

Resolve the root cause

After you have identified what caused recovery, you can reset BitLocker protection and avoid recovery on every startup.

The details of this reset can vary according to the root cause of the recovery. If you cannot determine the root cause, or if malicious software or a rootkit might have infected the computer, Helpdesk should apply best-practice virus policies to react appropriately.

Note

You can perform a BitLocker validation profile reset by suspending and resuming BitLocker.

Unknown PIN

If a user has forgotten the PIN, you must reset the PIN while you are logged on to the computer in order to prevent BitLocker from initiating recovery each time the computer is restarted.

To prevent continued recovery due to an unknown PIN

  1. Unlock the computer using the recovery password.
  2. Reset the PIN:
    1. Right-click the drive and then select Change PIN.
    2. In the BitLocker Drive Encryption dialog, select Reset a forgotten PIN. If you are not logged in with an administrator account, provide administrative credentials at this time.
    3. In the PIN reset dialog, provide and confirm the new PIN to use and then select Finish.
  3. You will use the new PIN the next time you unlock the drive.

Lost startup key

If you have lost the USB flash drive that contains the startup key, then you must unlock the drive by using the recovery key and then create a new startup key.

To prevent continued recovery due to a lost startup key

  1. Log on as an administrator to the computer that has the lost startup key.
  2. Open Manage BitLocker.
  3. Select Duplicate start up key, insert the clean USB drive on which you are going to write the key, and then select Save.

Changes to boot files

This error might occur if you updated the firmware. As a best practice, you should suspend BitLocker before making changes to the firmware and then resume protection after the update has completed. This action prevents the computer from going into recovery mode. However, if changes were made when BitLocker protection was on, then log on to the computer using the recovery password, and the platform validation profile will be updated so that recovery will not occur the next time.

Windows RE BitLocker设备加密Windows RE and BitLocker Device Encryption

Windows恢复 (RE) 可用于恢复对受设备加密保护BitLocker的访问Windows Recovery Environment (RE) can be used to recover access to a drive protected by BitLocker Device Encryption. 如果电脑在两次失败后无法启动,则将自动启动修复。If a PC is unable to boot after two failures, Startup Repair will automatically start. 当由于启动失败而自动启动启动修复时,它仅执行操作系统和驱动程序文件修复,只要启动日志或任何可用的故障转储点指向特定损坏的文件。When Startup Repair is launched automatically due to boot failures, it will only execute operating system and driver file repairs, provided that the boot logs or any available crash dump point to a specific corrupted file. 在 Windows 8.1 及更高版本中,包括固件以支持 PCR 的特定 TPM 测量的设备[7] TPM 可以验证 Windows RE 是受信任的操作环境,如果 Windows RE 尚未修改,它将解锁受 BitLocker 保护的驱动器。In Windows 8.1 and later, devices that include firmware to support specific TPM measurements for PCR[7] the TPM can validate that Windows RE is a trusted operating environment and will unlock any BitLocker-protected drives if Windows RE has not been modified. 如果Windows RE已修改,例如 TPM 已禁用,则驱动器将保持锁定状态,直到BitLocker恢复密钥。If the Windows RE environment has been modified, for example the TPM has been disabled, the drives will stay locked until the BitLocker recovery key is provided. 如果启动修复无法从电脑自动运行,而是Windows RE从修复磁盘手动启动,则必须提供 BitLocker 恢复密钥以解锁受 BitLocker 保护的驱动器。If Startup Repair can't run automatically from the PC and instead Windows RE is manually started from a repair disk, then the BitLocker recovery key must be provided to unlock the BitLocker–protected drives.

BitLocker recovery screen

During BitLocker recovery, Windows can display a custom recovery message and hints that identify where a key can be retrieved from. These improvements can help a user during BitLocker recovery.

Custom recovery message

BitLocker Group Policy settings in Windows 10, version 1511, let you configure a custom recovery message and URL on the BitLocker recovery screen, which can include the address of the BitLocker self-service recovery portal, the IT internal website, or a phone number for support.

This policy can be configured using GPO under Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Configure pre-boot recovery message and URL.

It can also be configured using Intune mobile device management (MDM) in the BitLocker CSP: <LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage</LocURI>

[Image: Custom URL]

Example of a customized recovery screen:

[Image: customized BitLocker recovery screen]

BitLocker recovery key hints

BitLocker metadata has been enhanced in Windows 10, version 1903, to include information about when and where the BitLocker recovery key was backed up. This information is not exposed through the UI or any public API. It is used solely by the BitLocker recovery screen, in the form of hints that help a user locate a volume's recovery key. Hints are displayed on the recovery screen and refer to the location where the key has been saved. Hints are displayed on both the modern (blue) and legacy (black) recovery screens. This applies to both the boot manager recovery screen and the WinRE unlock screen.

[Image: customized BitLocker recovery screen]

Important

We don't recommend printing recovery keys or saving them to a file. Instead, use Active Directory backup or a cloud-based backup. Cloud-based backup includes Azure Active Directory (Azure AD) and Microsoft Account.

There are rules governing which hint is shown during recovery (in order of processing):

  1. Always display the custom recovery message if it has been configured (using GPO or MDM).
  2. Always display the generic hint: "For more information, go to https://aka.ms/recoverykeyfaq".
  3. If multiple recovery keys exist on the volume, prioritize the last created (and successfully backed up) recovery key.
  4. Prioritize keys with a successful backup over keys that have never been backed up.
  5. Prioritize backup hints in the following order for remote backup locations: Microsoft Account > Azure AD > Active Directory.
  6. If a key has been both printed and saved to a file, display a combined hint, "Look for a printout or a text file with the key," instead of two separate hints.
  7. If multiple backups of the same type (remote vs. local) have been performed for the same recovery key, prioritize the backup info with the latest backup date.
  8. There is no specific hint for keys saved to an on-premises Active Directory. In this case, a custom message (if configured) or a generic message, "Contact your organization's help desk," is displayed.
  9. If two recovery keys are present on the disk but only one has been successfully backed up, the system asks for the key that has been backed up, even if the other key is newer.
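The rules above amount to a small selection algorithm. The following PowerShell models it over constructed key metadata and reproduces examples 2, 4 and 5 below; it is an added illustration, not code from the page or from Windows. The data shape (New-RecoveryKey), the function name, the hint wording, the constructed timestamps and the placement of Active Directory ahead of local (printed/file) hints in the priority list are all assumptions; the page's examples do not specify how AD ranks against local backups. The real selection runs in the pre-boot environment over metadata that, as the text says, no public API exposes.

```powershell
# Added example, not from the original page: a model of the hint-selection
# rules. Priority order below is an assumption except for the remote part
# (Microsoft Account > Azure AD > Active Directory), which the page states.
$LocationPriority = @('MicrosoftAccount', 'AzureAD', 'ActiveDirectory', 'Local')

function New-RecoveryKey {
    # Constructed metadata record: one recovery password and its backup history.
    param(
        [string]$KeyId,
        [datetime]$Created,
        [hashtable[]]$Backups = @()   # each entry: @{ Location = '...'; Date = '...' }
    )
    [pscustomobject]@{
        KeyId   = $KeyId
        Created = $Created
        Backups = @($Backups | ForEach-Object { [pscustomobject]@{ Location = $_.Location; Date = [datetime]$_.Date } })
    }
}

function Select-RecoveryHints {
    param(
        [pscustomobject[]]$Keys,
        [string]$CustomMessage = ''   # empty = no custom message/URL configured
    )
    $hints = @()
    if ($CustomMessage) { $hints += $CustomMessage }                       # rule 1
    $hints += 'For more information, go to https://aka.ms/recoverykeyfaq'  # rule 2

    # Rules 3, 4 and 9: only keys with at least one successful backup are
    # candidates, and the most recently created candidate wins, even when a
    # newer key that was never backed up exists.
    $candidate = $Keys |
        Where-Object { $_.Backups.Count -gt 0 } |
        Sort-Object Created -Descending |
        Select-Object -First 1

    $selectedKeyId = $null
    $locationHint  = $null
    if ($candidate) {
        $selectedKeyId = $candidate.KeyId

        # Rule 7: when one location was backed up several times, keep the newest record.
        $latestPerLocation = $candidate.Backups |
            Group-Object Location |
            ForEach-Object { $_.Group | Sort-Object Date -Descending | Select-Object -First 1 }

        # Rule 6: printout and file share one combined hint, so fold both into 'Local'.
        $locations = @($latestPerLocation | ForEach-Object {
                if ($_.Location -in @('Printed', 'File')) { 'Local' } else { $_.Location }
            } | Select-Object -Unique)

        # Rule 5: the highest-priority location present supplies the single location hint.
        $best = $LocationPriority | Where-Object { $_ -in $locations } | Select-Object -First 1
        switch ($best) {
            'MicrosoftAccount' { $locationHint = 'Sign in to your Microsoft account to find the key' }   # assumed wording
            'AzureAD'          { $locationHint = 'Your organization saved the key in Azure AD' }         # assumed wording
            'ActiveDirectory'  {
                # Rule 8: no AD-specific hint; the help-desk message appears only
                # when no custom message was configured.
                if (-not $CustomMessage) { $locationHint = "Contact your organization's help desk" }
            }
            'Local'            { $locationHint = 'Look for a printout or a text file with the key' }
        }
    }
    if ($locationHint) { $hints += $locationHint }

    [pscustomobject]@{ SelectedKeyId = $selectedKeyId; Hints = $hints }
}

# Constructed inputs mirroring examples 2, 4 and 5 on the page (key IDs and
# clock times from the page; the date and the example-2 ID are made up).
$day = '2021-06-01'
$ex2 = @(New-RecoveryKey -KeyId 'ADDS0001' -Created "$day 13:00" -Backups @(@{ Location = 'ActiveDirectory'; Date = "$day 13:05" }))
$ex4 = @(
    (New-RecoveryKey -KeyId 'A564F193' -Created "$day 13:00" -Backups @(@{ Location = 'File'; Date = "$day 13:05" })),
    (New-RecoveryKey -KeyId 'T4521ER5' -Created "$day 15:00")
)
$ex5 = @(
    (New-RecoveryKey -KeyId '99631A34' -Created "$day 13:00" -Backups @(
        @{ Location = 'MicrosoftAccount'; Date = "$day 13:05" },
        @{ Location = 'AzureAD';          Date = "$day 13:06" })),
    (New-RecoveryKey -KeyId '9DF70931' -Created "$day 15:00" -Backups @(@{ Location = 'AzureAD'; Date = "$day 15:05" }))
)
foreach ($case in @(@{ Name = 'Example 2'; Keys = $ex2; Msg = 'https://recovery.contoso.example' },
                    @{ Name = 'Example 4'; Keys = $ex4; Msg = '' },
                    @{ Name = 'Example 5'; Keys = $ex5; Msg = '' })) {
    $r = Select-RecoveryHints -Keys $case.Keys -CustomMessage $case.Msg
    "{0}: key {1}; hints: {2}" -f $case.Name, $r.SelectedKeyId, ($r.Hints -join ' | ')
}
```

Example 4 is the interesting case for an administrator: a rotation script that adds a new password but fails to escrow it leaves the screen pointing at the older, backed-up key, which is exactly the behaviour rule 9 describes.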

Example 1 (single recovery key with single backup)

  Custom URL: Yes
  Saved to Microsoft Account: Yes
  Saved to Azure AD: No
  Saved to Active Directory: No
  Printed: No
  Saved to file: No

Result: The hint for the Microsoft Account and the custom URL are displayed.

[Image: customized BitLocker recovery screen, example 1]

Example 2 (single recovery key with single backup)

  Custom URL: Yes
  Saved to Microsoft Account: No
  Saved to Azure AD: No
  Saved to Active Directory: Yes
  Printed: No
  Saved to file: No

Result: Only the custom URL is displayed.

[Image: customized BitLocker recovery screen, example 2]

Example 3 (single recovery key with multiple backups)

  Custom URL: No
  Saved to Microsoft Account: Yes
  Saved to Azure AD: Yes
  Saved to Active Directory: No
  Printed: Yes
  Saved to file: Yes

Result: Only the Microsoft Account hint is displayed.

[Image: customized BitLocker recovery screen, example 3]

Example 4 (multiple recovery passwords)

  Key 1:
    Custom URL: No
    Saved to Microsoft Account: No
    Saved to Azure AD: No
    Saved to Active Directory: No
    Printed: No
    Saved to file: Yes
    Creation time: 1PM
    Key ID: A564F193

  Key 2:
    Custom URL: No
    Saved to Microsoft Account: No
    Saved to Azure AD: No
    Saved to Active Directory: No
    Printed: No
    Saved to file: No
    Creation time: 3PM
    Key ID: T4521ER5

Result: Only the hint for a successfully backed up key is displayed, even if it isn't the most recent key.

[Image: customized BitLocker recovery screen, example 4]

Example 5 (multiple recovery passwords)

  Key 1:
    Custom URL: No
    Saved to Microsoft Account: Yes
    Saved to Azure AD: Yes
    Saved to Active Directory: No
    Printed: No
    Saved to file: No
    Creation time: 1PM
    Key ID: 99631A34

  Key 2:
    Custom URL: No
    Saved to Microsoft Account: No
    Saved to Azure AD: Yes
    Saved to Active Directory: No
    Printed: No
    Saved to file: No
    Creation time: 3PM
    Key ID: 9DF70931

Result: The hint for the most recent key is displayed.

[Image: customized BitLocker recovery screen, example 5]

Using additional recovery information

Besides the 48-digit BitLocker recovery password, other types of recovery information are stored in Active Directory. This section describes how this additional information can be used.

BitLocker key package

If the recovery methods discussed earlier in this document do not unlock the volume, you can use the BitLocker Repair tool to decrypt the volume at the block level. The tool uses the BitLocker key package to help recover encrypted data from severely damaged drives. You can then use this recovered data to salvage encrypted data, even after the correct recovery password has failed to unlock the damaged volume. We recommend that you still save the recovery password: a key package cannot be used without the corresponding recovery password.

Note

You must use the BitLocker Repair tool, repair-bde, to use the BitLocker key package.

The BitLocker key package is not saved by default. To save the package along with the recovery password in AD DS, you must select the "Backup recovery password and key package" option in the Group Policy settings that control the recovery method. You can also export the key package from a working volume. For more details about how to export key packages, see Retrieving the BitLocker key package.

Resetting recovery passwords

Invalidate a recovery password after it has been provided and used. Do the same when you intentionally want to invalidate an existing recovery password for any other reason.

You can reset the recovery password in two ways:

  • Use manage-bde: You can use manage-bde to remove the old recovery password and add a new recovery password. The procedure identifies the command and the syntax for this method.
  • Run a script: You can run a script to reset the password without decrypting the volume. The sample script in the procedure illustrates this functionality. The sample script creates a new recovery password and invalidates all other passwords.

To reset a recovery password using manage-bde:

  1. Remove the previous recovery password

    manage-bde -protectors -delete C: -type RecoveryPassword

  2. Add the new recovery password

    manage-bde -protectors -add C: -RecoveryPassword

  3. Get the ID of the new recovery password. From the screen, copy the ID of the recovery password.

    manage-bde -protectors -get C: -Type RecoveryPassword

  4. Back up the new recovery password to AD DS.

    manage-bde -protectors -adbackup C: -id {EXAMPLE6-5507-4924-AA9E-AFB2EB003692}

    Warning

    You must include the braces in the ID string.

Between steps 1 and 2 the volume has no recovery password at all, and until step 4 completes the new one is not escrowed. If you need to avoid that window, add and back up the new password before deleting the old one, which is the order the sample script below uses.
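The same rotation in the safe order (add, escrow, then delete), as an added PowerShell example that is not part of the original page. It assumes the BitLocker PowerShell module, a domain-joined computer whose AD DS schema stores BitLocker recovery information, and an elevated prompt; the Azure AD backup is optional and the function name is the editor's.

```powershell
# Added example, not from the original page: rotate the recovery password on
# a volume without ever leaving it without an escrowed recovery password.
# Assumes the BitLocker module, AD DS configured for BitLocker recovery
# information, and an elevated prompt.
#Requires -RunAsAdministrator

function Reset-RecoveryPasswordSafely {
    param(
        [string]$MountPoint = 'C:',
        [switch]$AlsoBackupToAAD
    )

    $before = @((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword')

    # 1. Add a fresh 48-digit recovery password. The cmdlet returns the updated
    #    volume object, so the new protector is the one whose ID we did not
    #    have before.
    $after = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $new = $after.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' -and $_.KeyProtectorId -notin $before.KeyProtectorId }
    if (-not $new) { throw 'New recovery password protector not found after Add-BitLockerKeyProtector' }

    # 2. Escrow it before anything is deleted. -ErrorAction Stop turns a
    #    failed backup (e.g. no domain controller reachable) into an exception,
    #    so the rotation aborts with the old passwords still in place.
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $new.KeyProtectorId -ErrorAction Stop | Out-Null
    if ($AlsoBackupToAAD) {
        BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $new.KeyProtectorId -ErrorAction Stop | Out-Null
    }

    # 3. Invalidate every other recovery password, as the page's script does.
    foreach ($old in $before) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $old.KeyProtectorId | Out-Null
    }
    return $new.KeyProtectorId
}

$id = Reset-RecoveryPasswordSafely -MountPoint 'C:'
Write-Host "Active recovery password protector: $id"

# Verify from the volume, the way step 3 above does with manage-bde.
(Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Select-Object KeyProtectorId, KeyProtectorType
```

Removing a protector from the volume does not remove the old msFVE-RecoveryInformation objects from AD DS; those remain until they are cleaned up there.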

To run the sample recovery password script:

  1. Save the following sample script in a VBScript file. For example: ResetPassword.vbs.

  2. At the command prompt, type a command similar to the following:

    cscript ResetPassword.vbs

    Important

    This sample script is configured to work only for the C volume. You must customize the script to match the volume where you want to test password reset.

Note

To manage a remote computer, you can specify the remote computer name rather than the local computer name.

You can use the following sample script to create a VBScript file to reset the recovery passwords:

' Target drive letter
strDriveLetter = "c:"
' Target computer name
' Use "." to connect to the local computer
strComputerName = "."
' --------------------------------------------------------------------------------
' Connect to the BitLocker WMI provider class
' --------------------------------------------------------------------------------
strConnectionStr = "winmgmts:" _
                 & "{impersonationLevel=impersonate,authenticationLevel=pktPrivacy}!\\" _
                 & strComputerName _
                 & "\root\cimv2\Security\MicrosoftVolumeEncryption"


On Error Resume Next 'handle permission errors
Set objWMIService = GetObject(strConnectionStr)
If Err.Number <> 0 Then
     WScript.Echo "Failed to connect to the BitLocker interface (Error 0x" & Hex(Err.Number) & ")."
     Wscript.Echo "Ensure that you are running with administrative privileges."
     WScript.Quit -1
End If
On Error GoTo 0
strQuery = "Select * from Win32_EncryptableVolume where DriveLetter='" & strDriveLetter & "'"
Set colTargetVolumes = objWMIService.ExecQuery(strQuery)
If colTargetVolumes.Count = 0 Then
    WScript.Echo "FAILURE: Unable to find BitLocker-capable drive " &  strDriveLetter & " on computer " & strComputerName & "."
    WScript.Quit -1
End If
' there should only be one volume found
For Each objFoundVolume in colTargetVolumes
    set objVolume = objFoundVolume
Next
' objVolume is now our found BitLocker-capable disk volume
' --------------------------------------------------------------------------------
' Perform BitLocker WMI provider functionality
' --------------------------------------------------------------------------------
' Add a new recovery password, keeping the ID around so it doesn't get deleted later
' ----------------------------------------------------------------------------------
nRC = objVolume.ProtectKeyWithNumericalPassword("Recovery Password Refreshed By Script", , sNewKeyProtectorID)
If nRC <> 0 Then
    WScript.Echo "FAILURE: ProtectKeyWithNumericalPassword failed with return code 0x" & Hex(nRC)
    WScript.Quit -1
End If
' Removes the other, "stale", recovery passwords
' ----------------------------------------------------------------------------------
nKeyProtectorTypeIn = 3 ' type associated with "Numerical Password" protector
nRC = objVolume.GetKeyProtectors(nKeyProtectorTypeIn, aKeyProtectorIDs)
If nRC <> 0 Then
    WScript.Echo "FAILURE: GetKeyProtectors failed with return code 0x" & Hex(nRC)
    WScript.Quit -1
End If
' Delete those key protectors other than the one we just added.
For Each sKeyProtectorID In aKeyProtectorIDs
    If sKeyProtectorID <> sNewKeyProtectorID Then
        nRC = objVolume.DeleteKeyProtector(sKeyProtectorID)
        If nRC <> 0 Then
            WScript.Echo "FAILURE: DeleteKeyProtector on ID " & sKeyProtectorID & " failed with return code 0x" & Hex(nRC)
            WScript.Quit -1
        Else
            ' no output
            'WScript.Echo "SUCCESS: Key protector with ID " & sKeyProtectorID & " deleted"
        End If
    End If
Next
WScript.Echo "A new recovery password has been added. Old passwords have been removed."
' - some advanced output (hidden)
'WScript.Echo ""
'WScript.Echo "Type ""manage-bde -protectors -get " & strDriveLetter & " -type recoverypassword"" to view existing passwords."

Retrieving the BitLocker key package

You can use two methods to retrieve the key package, as described in Using additional recovery information:

  • Export a previously saved key package from AD DS. You must have Read access to the BitLocker recovery passwords that are stored in AD DS.
  • Export a new key package from an unlocked, BitLocker-protected volume. You must have local administrator access to the working volume, before any damage has occurred.

The following sample script exports all previously saved key packages from AD DS.

To run the sample key package retrieval script:

  1. Save the following sample script in a VBScript file. For example: GetBitLockerKeyPackageADDS.vbs.

  2. At the command prompt, type a command similar to the following:

    cscript GetBitLockerKeyPackageADDS.vbs -?

You can use the following sample script to create a VBScript file to retrieve the BitLocker key package from AD DS:

' --------------------------------------------------------------------------------
' Usage
' --------------------------------------------------------------------------------
Sub ShowUsage
   Wscript.Echo "USAGE: GetBitLockerKeyPackageADDS [Path To Save Key Package] [Optional Computer Name]"
   Wscript.Echo "If no computer name is specified, the local computer is assumed."
   Wscript.Echo
   Wscript.Echo "Example: GetBitLockerKeyPackageADDS E:\bitlocker-ad-key-package mycomputer"
   WScript.Quit
End Sub
' --------------------------------------------------------------------------------
' Parse Arguments
' --------------------------------------------------------------------------------
Set args = WScript.Arguments
Select Case args.Count
  Case 1
    If args(0) = "/?" Or args(0) = "-?" Then
    ShowUsage
    Else
      strFilePath = args(0)
      ' Get the name of the local computer
      Set objNetwork = CreateObject("WScript.Network")
      strComputerName = objNetwork.ComputerName
    End If

  Case 2
    If args(0) = "/?" Or args(0) = "-?" Then
      ShowUsage
    Else
      strFilePath = args(0)
      strComputerName = args(1)
    End If
  Case Else
    ShowUsage
End Select
' --------------------------------------------------------------------------------
' Get path to Active Directory computer object associated with the computer name
' --------------------------------------------------------------------------------
Function GetStrPathToComputer(strComputerName)
    ' Uses the global catalog to find the computer in the forest
    ' Search also includes deleted computers in the tombstone
    Set objRootLDAP = GetObject("LDAP://rootDSE")
    namingContext = objRootLDAP.Get("defaultNamingContext") ' e.g. string dc=fabrikam,dc=com
    strBase = "<GC://" & namingContext & ">"

    Set objConnection = CreateObject("ADODB.Connection")
    Set objCommand = CreateObject("ADODB.Command")
    objConnection.Provider = "ADsDSOOBject"
    objConnection.Open "Active Directory Provider"
    Set objCommand.ActiveConnection = objConnection
    strFilter = "(&(objectCategory=Computer)(cn=" &  strComputerName & "))"
    strQuery = strBase & ";" & strFilter  & ";distinguishedName;subtree"
    objCommand.CommandText = strQuery
    objCommand.Properties("Page Size") = 100
    objCommand.Properties("Timeout") = 100
    objCommand.Properties("Cache Results") = False
    ' Enumerate all objects found.
    Set objRecordSet = objCommand.Execute
    If objRecordSet.EOF Then
      WScript.echo "The computer name '" &  strComputerName & "' cannot be found."
      WScript.Quit 1
    End If
    ' Found object matching name
    Do Until objRecordSet.EOF
      dnFound = objRecordSet.Fields("distinguishedName")
      GetStrPathToComputer = "LDAP://" & dnFound
      objRecordSet.MoveNext
    Loop
    ' Clean up.
    Set objConnection = Nothing
    Set objCommand = Nothing
    Set objRecordSet = Nothing
End Function
' --------------------------------------------------------------------------------
' Securely access the Active Directory computer object using Kerberos
' --------------------------------------------------------------------------------
Set objDSO = GetObject("LDAP:")
strPathToComputer = GetStrPathToComputer(strComputerName)
WScript.Echo "Accessing object: " + strPathToComputer
Const ADS_SECURE_AUTHENTICATION = 1
Const ADS_USE_SEALING = 64 '0x40
Const ADS_USE_SIGNING = 128 '0x80
' --------------------------------------------------------------------------------
' Get all BitLocker recovery information from the Active Directory computer object
' --------------------------------------------------------------------------------
' Get all the recovery information child objects of the computer object
Set objFveInfos = objDSO.OpenDSObject(strPathToComputer, vbNullString, vbNullString, _
                                   ADS_SECURE_AUTHENTICATION + ADS_USE_SEALING + ADS_USE_SIGNING)
objFveInfos.Filter = Array("msFVE-RecoveryInformation")
' Iterate through each recovery information object and saves any existing key packages
nCount = 1
strFilePathCurrent = strFilePath & nCount
For Each objFveInfo in objFveInfos
   strName = objFveInfo.Get("name")
   strRecoveryPassword = objFveInfo.Get("msFVE-RecoveryPassword")
   strKeyPackage = objFveInfo.Get("msFVE-KeyPackage")
   WScript.echo
   WScript.echo "Recovery Object Name: " + strName
   WScript.echo "Recovery Password: " + strRecoveryPassword
   ' Validate file path
   Set fso = CreateObject("Scripting.FileSystemObject")
   If (fso.FileExists(strFilePathCurrent)) Then
      WScript.Echo "The file " & strFilePathCurrent & " already exists. Please use a different path."
      WScript.Quit -1
   End If
   ' Save binary data to the file
   SaveBinaryDataText strFilePathCurrent, strKeyPackage

   WScript.echo "Related key package successfully saved to " + strFilePathCurrent
   ' Update next file path using base name
   nCount = nCount + 1
   strFilePathCurrent = strFilePath & nCount
Next
'----------------------------------------------------------------------------------------
' Utility functions to save binary data
'----------------------------------------------------------------------------------------
Function SaveBinaryDataText(FileName, ByteArray)
  'Create FileSystemObject object
  Dim FS: Set FS = CreateObject("Scripting.FileSystemObject")

  'Create text stream object
  Dim TextStream
  Set TextStream = FS.CreateTextFile(FileName)

  'Convert binary data To text And write them To the file
  TextStream.Write BinaryToString(ByteArray)
End Function
Function BinaryToString(Binary)
  Dim I, S
  For I = 1 To LenB(Binary)
    S = S & Chr(AscB(MidB(Binary, I, 1)))
  Next
  BinaryToString = S
End Function
WScript.Quit
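The same export done with the ActiveDirectory PowerShell module, as an added example that is not part of the original page. It assumes RSAT's ActiveDirectory module, Read access to the msFVE-RecoveryInformation objects, and that the "Backup recovery password and key package" policy was in effect when the passwords were escrowed; the computer name, output folder and function name are placeholders.

```powershell
# Added example, not from the original page: export escrowed key packages
# from AD DS with the ActiveDirectory module. Each msFVE-RecoveryInformation
# object under the computer holds one recovery password and, when the key
# package policy is on, the matching msFVE-KeyPackage blob. Computer name and
# output folder are placeholders.
Import-Module ActiveDirectory

function Export-BitLockerKeyPackagesFromAD {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$OutputFolder
    )
    $computer = Get-ADComputer -Identity $ComputerName
    $infos = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -Properties 'msFVE-RecoveryPassword', 'msFVE-KeyPackage', 'whenCreated'

    New-Item -ItemType Directory -Path $OutputFolder -Force | Out-Null
    $exported = @()
    foreach ($info in $infos) {
        # The object name is "<timestamp>{<recovery GUID>}"; the GUID is the
        # protector ID shown by manage-bde -protectors -get. Fall back to the
        # object's own GUID if the name does not match that pattern.
        $guid = if ($info.Name -match '\{([0-9A-Fa-f-]{36})\}') { $Matches[1] } else { $info.ObjectGUID }
        $pkg  = [byte[]]$info.'msFVE-KeyPackage'
        if (-not $pkg) {
            Write-Warning "$($info.Name): recovery password only, no key package was escrowed"
            continue
        }
        $path = Join-Path $OutputFolder "$guid.kp"
        if (Test-Path $path) { throw "$path already exists; refusing to overwrite" }
        # Write the raw bytes. Routing the blob through a text stream, as the
        # VBScript's SaveBinaryDataText does, risks code-page translation of
        # bytes above 0x7F.
        [IO.File]::WriteAllBytes($path, $pkg)
        $exported += [pscustomobject]@{
            RecoveryGuid     = $guid
            Created          = $info.whenCreated
            RecoveryPassword = $info.'msFVE-RecoveryPassword'   # repair-bde needs this together with the package
            KeyPackageFile   = $path
        }
    }
    return $exported
}

Export-BitLockerKeyPackagesFromAD -ComputerName 'WORKSTATION01' -OutputFolder 'C:\Temp\bitlocker-kp' |
    Format-Table RecoveryGuid, Created, KeyPackageFile -AutoSize
```

The returned objects carry the recovery passwords in clear text, so treat the session transcript and any file you pipe them to as you would the passwords themselves. When you hand a package to repair-bde, pair it with the password recorded for the same GUID; a package with a different volume's password is useless.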

The following sample script exports a new key package from an unlocked, encrypted volume.

To run the sample key package retrieval script:

  1. Save the following sample script in a VBScript file. For example: GetBitLockerKeyPackage.vbs.

  2. Open an administrator command prompt, and then type a command similar to the following:

    cscript GetBitLockerKeyPackage.vbs -?

' --------------------------------------------------------------------------------
' Usage
' --------------------------------------------------------------------------------
Sub ShowUsage
   Wscript.Echo "USAGE: GetBitLockerKeyPackage [VolumeLetter/DriveLetter:] [Path To Save Key Package]"
   Wscript.Echo
   Wscript.Echo "Example: GetBitLockerKeyPackage C: E:\bitlocker-backup-key-package"
   WScript.Quit
End Sub
' --------------------------------------------------------------------------------
' Parse Arguments
' --------------------------------------------------------------------------------
Set args = WScript.Arguments
Select Case args.Count
  Case 2
    If args(0) = "/?" Or args(0) = "-?" Then
      ShowUsage
    Else
      strDriveLetter = args(0)
      strFilePath = args(1)
    End If
  Case Else
    ShowUsage
End Select
' --------------------------------------------------------------------------------
' Other Inputs
' --------------------------------------------------------------------------------
' Target computer name
' Use "." to connect to the local computer
strComputerName = "."
' Default key protector ID to use. Specify "" to let the script choose.
strDefaultKeyProtectorID = ""
' strDefaultKeyProtectorID = "{001298E0-870E-4BA0-A2FF-FC74758D5720}"  ' sample
' --------------------------------------------------------------------------------
' Connect to the BitLocker WMI provider class
' --------------------------------------------------------------------------------
strConnectionStr = "winmgmts:" _
                 & "{impersonationLevel=impersonate,authenticationLevel=pktPrivacy}!\\" _
                 & strComputerName _
                 & "\root\cimv2\Security\MicrosoftVolumeEncryption"


On Error Resume Next 'handle permission errors
Set objWMIService = GetObject(strConnectionStr)
If Err.Number <> 0 Then
     WScript.Echo "Failed to connect to the BitLocker interface (Error 0x" & Hex(Err.Number) & ")."
     Wscript.Echo "Ensure that you are running with administrative privileges."
     WScript.Quit -1
End If
On Error GoTo 0
strQuery = "Select * from Win32_EncryptableVolume where DriveLetter='" & strDriveLetter & "'"
Set colTargetVolumes = objWMIService.ExecQuery(strQuery)
If colTargetVolumes.Count = 0 Then
    WScript.Echo "FAILURE: Unable to find BitLocker-capable drive " &  strDriveLetter & " on computer " & strComputerName & "."
    WScript.Quit -1
End If
' there should only be one volume found
For Each objFoundVolume in colTargetVolumes
    set objVolume = objFoundVolume
Next
' objVolume is now our found BitLocker-capable disk volume
' --------------------------------------------------------------------------------
' Perform BitLocker WMI provider functionality
' --------------------------------------------------------------------------------
' Collect all possible valid key protector ID's that can be used to get the package
' ----------------------------------------------------------------------------------
nNumericalKeyProtectorType = 3 ' type associated with "Numerical Password" protector
nRC = objVolume.GetKeyProtectors(nNumericalKeyProtectorType, aNumericalKeyProtectorIDs)
If nRC <> 0 Then
    WScript.Echo "FAILURE: GetKeyProtectors failed with return code 0x" & Hex(nRC)
    WScript.Quit -1
End If
nExternalKeyProtectorType = 2 ' type associated with "External Key" protector
nRC = objVolume.GetKeyProtectors(nExternalKeyProtectorType, aExternalKeyProtectorIDs)
If nRC <> 0 Then
    WScript.Echo "FAILURE: GetKeyProtectors failed with return code 0x" & Hex(nRC)
    WScript.Quit -1
End If
' Get first key protector of the type "Numerical Password" or "External Key", if any
' ----------------------------------------------------------------------------------
If strDefaultKeyProtectorID = "" Then
    ' Save first numerical password, if exists
    If UBound(aNumericalKeyProtectorIDs) <> -1 Then
        strDefaultKeyProtectorID = aNumericalKeyProtectorIDs(0)
    End If
    ' No numerical passwords exist, save the first external key
    If strDefaultKeyProtectorID = "" And UBound(aExternalKeyProtectorIDs) <> -1 Then
        strDefaultKeyProtectorID = aExternalKeyProtectorIDs(0)
    End If
    ' Fail case: no recovery key protectors exist.
    If strDefaultKeyProtectorID = "" Then
        WScript.Echo "FAILURE: Cannot create backup key package because no recovery passwords or recovery keys exist. Check that BitLocker protection is on for this drive."
        WScript.Echo "For help adding recovery passwords or recovery keys, type ""manage-bde -protectors -add -?""."
        WScript.Quit -1
    End If
End If
' Get some information about the chosen key protector ID
' ----------------------------------------------------------------------------------
' is the type valid? Stop here on an invalid ID instead of falling through to GetKeyPackage with it.
nRC = objVolume.GetKeyProtectorType(strDefaultKeyProtectorID, nDefaultKeyProtectorType)
If Hex(nRC) = "80070057" Then
    WScript.Echo "The key protector ID " & strDefaultKeyProtectorID & " is not valid."
    WScript.Echo "This ID value may have been provided by the script writer."
    WScript.Quit -1
ElseIf nRC <> 0 Then
    WScript.Echo "FAILURE: GetKeyProtectorType failed with return code 0x" & Hex(nRC)
    WScript.Quit -1
End If
' what's a string that can be used to describe it?
strDefaultKeyProtectorType = ""
Select Case nDefaultKeyProtectorType
    Case nNumericalKeyProtectorType
        strDefaultKeyProtectorType = "recovery password"
    Case nExternalKeyProtectorType
        strDefaultKeyProtectorType = "recovery key"
    Case Else
        WScript.Echo "The key protector ID " & strDefaultKeyProtectorID & " does not refer to a valid recovery password or recovery key."
        WScript.Echo "This ID value may have been provided by the script writer."
        WScript.Quit -1
End Select
' Save the backup key package using the chosen key protector ID
' ----------------------------------------------------------------------------------
nRC = objVolume.GetKeyPackage(strDefaultKeyProtectorID, oKeyPackage)
If nRC <> 0 Then
    WScript.Echo "FAILURE: GetKeyPackage failed with return code 0x" & Hex(nRC)
    WScript.Quit -1
End If
' Validate file path
Set fso = CreateObject("Scripting.FileSystemObject")
If (fso.FileExists(strFilePath)) Then
    WScript.Echo "The file " & strFilePath & " already exists. Please use a different path."
    WScript.Quit -1
End If
' GetKeyPackage returns an array of byte values; pack them into a byte string for writing
Dim oKeyPackageByte, bKeyPackage
For Each oKeyPackageByte in oKeyPackage
    'WScript.echo "key package byte: " & oKeyPackageByte
    bKeyPackage = bKeyPackage & ChrB(oKeyPackageByte)
Next
' Save binary data to the file
SaveBinaryDataText strFilePath, bKeyPackage
' Display helpful information
' ----------------------------------------------------------------------------------
WScript.Echo "The backup key package has been saved to " & strFilePath & "."
WScript.Echo "IMPORTANT: To use this key package, the " & strDefaultKeyProtectorType & " must also be saved."
' Display the recovery password or a note about saving the recovery key file
If nDefaultKeyProtectorType = nNumericalKeyProtectorType Then
    nRC = objVolume.GetKeyProtectorNumericalPassword(strDefaultKeyProtectorID, sNumericalPassword)
    If nRC <> 0 Then
        WScript.Echo "FAILURE: GetKeyProtectorNumericalPassword failed with return code 0x" & Hex(nRC)
        WScript.Quit -1
    End If
    WScript.Echo "Save this recovery password: " & sNumericalPassword
ElseIf nDefaultKeyProtectorType = nExternalKeyProtectorType Then
    WScript.Echo "The saved key file is named " & strDefaultKeyProtectorID & ".BEK"
    WScript.Echo "For help re-saving this external key file, type ""manage-bde -protectors -get -?"""
End If
'----------------------------------------------------------------------------------------
' Utility functions to save binary data
'----------------------------------------------------------------------------------------
Function SaveBinaryDataText(FileName, ByteArray)
  'Create FileSystemObject object
  Dim FS: Set FS = CreateObject("Scripting.FileSystemObject")

  'Create text stream object
  Dim TextStream
  Set TextStream = FS.CreateTextFile(FileName)

  'Convert binary data To text And write them To the file
  TextStream.Write BinaryToString(ByteArray)
End Function
Function BinaryToString(Binary)
  Dim I, S
  For I = 1 To LenB(Binary)
    S = S & Chr(AscB(MidB(Binary, I, 1)))
  Next
  BinaryToString = S
End Function

See also