BitLocker GPO settings


We posted an article earlier about configuration settings in BitLocker. We covered most of the tabs from the GPO configuration settings. If you investigated the BitLocker Administrative Template, you may have noticed a final configuration you can adjust.


This is the “Configure TPM Platform validation profiles” setting.




This GPO configures a specific aspect of the BitLocker configuration. Let's first review what happens when you enable BitLocker.



Once you initiate BitLocker, a key is generated. This key is saved to the TPM, AD, and/or a USB drive or other external source. This is the key that the computer uses to encrypt the hard drive. This key needs to be available whenever we want to read or write data on the hard drive. There are several ways we can do this.


1) Store the key in a TPM chip. This is the most secure way to store the key. When you put a key in the TPM chip, Windows surveys several configuration settings on the computer to generate a second key. (Yes, we now have 2 keys.) This second key is generated by reading values from several components during Windows startup, for example the BIOS configuration, the boot configuration, the master boot record, and several others. When the computer boots, the boot process needs to get the BitLocker key out of the TPM chip. To do this, it must first recreate the 2nd key that “guards” the 1st key. If any part of the boot environment has changed, as it would if you moved the hard drive to a new computer, the BitLocker boot program will ask you to either provide the key using a USB key or type it in manually.


2) Store the key on a USB drive. This allows people who don’t have a TPM to use BitLocker. However, if someone steals your USB key along with your laptop, they would still be able to access your laptop. It is recommended that you store a backup copy of the BitLocker key on a USB key, but that you keep it in a separate location away from your computer. (Even if you have a TPM chip, this should be the standard practice.)


3) Store the key on paper, and type it in on every boot. This is by far the most inconvenient way to store a BitLocker key. The keys are quite long, and it would be annoying to type in a 128-bit or 256-bit key every time you booted up.


This really leaves option 1 as your best option. As mentioned in option 1, we generate a second key that “seals” the first BitLocker key in the TPM chip. Now, which startup components do you use?



This GPO policy lists the available options.



The PCRs, or Platform Configuration Registers, are the startup areas that BitLocker checks when you boot up. The more PCRs you choose to use, the more secure your BitLocker key will be. The caveat is that the more PCRs you use, the less flexible your configuration will be. If you modify any of the listed elements on a regular basis, you may have to reset your BitLocker encryption when they change. This can be a lengthy process.
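The trade-off described above can be seen in a small model of PCR sealing. This is an added example, not code from the original article and not the TPM or BitLocker API: the policy digest is a simplified stand-in for the TPM's composite hash, and the PCR indices, component contents and function names are constructed for illustration.

```python
import hashlib

PCR_SIZE = 20  # SHA-1 digest length, as used by TPM 1.2 PCRs

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR extend: new value = SHA1(old value || SHA1(measured data))."""
    return hashlib.sha1(pcr + hashlib.sha1(measurement).digest()).digest()

def measure_boot(components: dict) -> dict:
    """Replay a boot: each PCR starts at zero and is extended per measurement."""
    pcrs = {}
    for index, blobs in components.items():
        value = bytes(PCR_SIZE)
        for blob in blobs:
            value = extend(value, blob)
        pcrs[index] = value
    return pcrs

def policy_digest(pcrs: dict, profile: list) -> bytes:
    """Digest over the selected PCRs only; PCRs outside the profile are ignored."""
    h = hashlib.sha1()
    for index in sorted(profile):
        h.update(index.to_bytes(1, "big") + pcrs[index])
    return h.digest()

def seal(pcrs: dict, profile: list) -> dict:
    """Record which PCRs guard the key and what they held at seal time."""
    return {"profile": list(profile), "digest": policy_digest(pcrs, profile)}

def unseal_ok(sealed: dict, pcrs_now: dict) -> bool:
    """The key is released only if the selected PCRs match the sealed values."""
    return policy_digest(pcrs_now, sealed["profile"]) == sealed["digest"]

# Constructed sample measurements; the index-to-component mapping is illustrative.
BASELINE = {0: [b"bios-code-v1"], 1: [b"bios-settings: boot-order=hdd"],
            4: [b"mbr-code-v1"]}
SETTINGS_CHANGED = {**BASELINE, 1: [b"bios-settings: boot-order=usb,hdd"]}
MBR_REPLACED = {**BASELINE, 4: [b"mbr-code-replaced"]}

def compare_profiles() -> dict:
    """Seal against the baseline with a narrow and a wide profile, then reboot."""
    results = {}
    for name, profile in {"narrow": [0, 4], "wide": [0, 1, 4]}.items():
        sealed = seal(measure_boot(BASELINE), profile)
        results[name] = {
            "same": unseal_ok(sealed, measure_boot(BASELINE)),
            "settings_changed": unseal_ok(sealed, measure_boot(SETTINGS_CHANGED)),
            "mbr_replaced": unseal_ok(sealed, measure_boot(MBR_REPLACED)),
        }
    return results

if __name__ == "__main__":
    for name, outcome in compare_profiles().items():
        print(name, outcome)
```

The wide profile refuses to release the key after a routine settings change that the narrow profile tolerates, while both refuse after the MBR is replaced.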


The best way to find out which settings are best for you is to set the option you want, then set your drive to encrypt itself using BitLocker. IMPORTANT: Back up your encryption key to USB. As soon as the encrypting drive window appears, click pause. Restart your computer. If the computer restarts without asking for the BitLocker encryption key, you are good to go. As added tests, try your most common applications, or consider running some of your standard tasks/maintenance on your PC. After each test, reboot the computer to make sure that the BitLocker startup environment hasn’t been changed.



Written by daniel.nerenberg.