Configuring and installing the Azure Information Protection classic scanner

Applies to: Azure Information Protection, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2

Note

To provide a unified and streamlined customer experience, Azure Information Protection client (classic) and Label Management in the Azure Portal are being deprecated as of March 31, 2021. This time-frame allows all current Azure Information Protection customers to transition to our unified labeling solution using the Microsoft Information Protection Unified Labeling platform. Learn more in the official deprecation notice.

If you're using the unified labeling scanner, see Installing and configuring the Azure Information Protection unified labeling scanner.

Before you start configuring and installing the Azure Information Protection scanner, verify that your system complies with the required prerequisites.

When you're ready, continue with the following steps:

  1. Configure the scanner in the Azure portal

  2. Install the scanner

  3. Get an Azure AD token for the scanner

  4. Configure the scanner to apply classification and protection

Perform the following additional configuration procedures as needed for your system:

  • Change which file types to protect: You may want to scan, classify, or protect different file types than the default. For more information, see AIP scanning process.
  • Upgrading your scanner: Upgrade your scanner to take advantage of the latest features and improvements.
  • Editing data repository settings in bulk: Use the import and export options to make changes in bulk for multiple data repositories.
  • Use the scanner with alternative configurations: Use the scanner without configuring labels with any conditions.
  • Optimize performance: Guidance to optimize your scanner performance.

For more information, see also List of cmdlets for the scanner.

Configure the scanner in the Azure portal

Before you install the scanner, or upgrade it from an older general availability version of the scanner, create a cluster and content scan job for the scanner in the Azure portal.

Then, configure the cluster and content scan job with scanner settings and the data repositories to scan.

To configure your scanner:

  1. Sign in to the Azure portal, and navigate to the Azure Information Protection pane.

    For example, in the search box for resources, services, and docs: start typing Information and select Azure Information Protection.

  2. Locate the Scanner menu options, and select Clusters.

  3. On the Azure Information Protection - Clusters pane, select Add:

    Screenshot: Add a content scan job for the Azure Information Protection scanner

  4. On the Add a new cluster pane:

    1. Specify a meaningful name for the scanner. This name is used to identify the scanner's configuration settings and the data repositories to scan.

      For example, you might specify Europe to identify the geographical location of the data repositories that your scanner will cover. When you later install or upgrade the scanner, you will need to specify the same cluster name.

    2. Optionally, specify a description for administrative purposes, to help you identify the scanner's cluster name.

    3. Select Save.

  5. Locate the Scanner menu options, and select Content scan jobs.

  6. On the Azure Information Protection - Content scan jobs pane, select Add.

  7. For this initial configuration, configure the following settings, and then select Save but do not close the pane:

    Content scan job settings:
    - Schedule: Keep the default of Manual
    - Info types to be discovered: Change to Policy only
    - Configure repositories: Do not configure at this time, because the content scan job must first be saved.

    Policy enforcement:
    - Enforce: Select Off
    - Label files based on content: Keep the default of On
    - Default label: Keep the default of Policy default
    - Relabel files: Keep the default of Off

    Configure file settings:
    - Preserve "Date modified", "Last modified" and "Modified by": Keep the default of On
    - File types to scan: Keep the default file types for Exclude
    - Default owner: Keep the default of Scanner Account
  8. Now that the content scan job is created and saved, you're ready to return to the Configure repositories option to specify the data stores to be scanned.

    Specify UNC paths, and SharePoint Server URLs for SharePoint on-premises document libraries and folders.

    Note

    SharePoint Server 2019, SharePoint Server 2016, and SharePoint Server 2013 are supported for SharePoint. SharePoint Server 2010 is also supported when you have extended support for this version of SharePoint.

    To add your first data store, while on the Add a new content scan job pane, select Configure repositories to open the Repositories pane:

    Screenshot: Configure data repositories for the Azure Information Protection scanner

  9. On the Repositories pane, select Add:

    Screenshot: Add a data repository for the Azure Information Protection scanner

  10. On the Repository pane, specify the path for the data repository, and then select Save.

    For example:

    • For a network share, use \\Server\Folder.
    • For a SharePoint library, use http://sharepoint.contoso.com/Shared%20Documents/Folder.

    Note

    Wildcards are not supported, and WebDav locations are not supported.

    Use the following syntax when adding SharePoint paths:

    • Root path: http://<SharePoint server name>

      Scans all sites, including any site collections allowed for the scanner user.
      Requires additional permissions to automatically discover root content.

    • Specific SharePoint subsite or collection, one of the following:
      - http://<SharePoint server name>/<subsite name>
      - http://<SharePoint server name>/<site collection name>/<site name>

      Requires additional permissions to automatically discover site collection content.

    • Specific SharePoint library, one of the following:
      - http://<SharePoint server name>/<library name>
      - http://<SharePoint server name>/.../<library name>

    • Specific SharePoint folder: http://<SharePoint server name>/.../<folder name>

    For the remaining settings on this pane, do not change them for this initial configuration, but keep them as Content scan job default. The default setting means that the data repository inherits the settings from the content scan job.

  11. If you want to add another data repository, repeat steps 8 and 9.

  12. Close the Repositories pane and the content scan job pane.

Back on the Azure Information Protection - Content scan job pane, your content scan name is displayed, together with the SCHEDULE column showing Manual and the ENFORCE column blank.

You're now ready to install the scanner with the content scan job that you've created. Continue with Install the scanner.

Install the scanner

After you've configured the Azure Information Protection scanner in the Azure portal, perform the steps below to install the scanner:

  1. Sign in to the Windows Server computer that will run the scanner. Use an account that has local administrator rights and that has permissions to write to the SQL Server master database.

  2. Open a Windows PowerShell session with the Run as administrator option.

  3. Run the Install-AIPScanner cmdlet, specifying your SQL Server instance on which to create a database for the Azure Information Protection scanner, and the scanner cluster name that you specified in the preceding section:

    Install-AIPScanner -SqlServerInstance <name> -Profile <cluster name>
    

    Examples, using the profile name of Europe:

    • For a default instance: Install-AIPScanner -SqlServerInstance SQLSERVER1 -Profile Europe

    • For a named instance: Install-AIPScanner -SqlServerInstance SQLSERVER1\AIPSCANNER -Profile Europe

    • For SQL Server Express: Install-AIPScanner -SqlServerInstance SQLSERVER1\SQLEXPRESS -Profile Europe

    When you are prompted, provide the credentials for the scanner service account (<domain\user name>) and password.

  4. Verify that the service is now installed by using Administrative Tools > Services.

    The installed service is named Azure Information Protection Scanner and is configured to run by using the scanner service account that you created.

Now that you have installed the scanner, you need to get an Azure AD token for the scanner service account to authenticate, so that the scanner can run unattended.

Get an Azure AD token for the scanner

An Azure AD token allows the scanner to authenticate to the Azure Information Protection service.

To get an Azure AD token:

  1. Return to the Azure portal to create two Azure AD applications to specify an access token for authentication. This token lets the scanner run non-interactively.

    For more information, see How to label files non-interactively for Azure Information Protection.

  2. From the Windows Server computer, if your scanner service account has been granted the Log on locally right for the installation, sign in with this account and start a PowerShell session.

    Run Set-AIPAuthentication, specifying the values that you copied from the previous step:

    Set-AIPAuthentication -webAppId <ID of the "Web app / API" application> -webAppKey <key value generated in the "Web app / API" application> -nativeAppId <ID of the "Native" application>
    

    When prompted, specify the password for your service account credentials for Azure AD, and then click Accept.

    For example:

    Set-AIPAuthentication -WebAppId "57c3c1c3-abf9-404e-8b2b-4652836c8c66" -WebAppKey "+LBkMvddz?WrlNCK5v0e6_=meM59sSAn" -NativeAppId "8ef1c873-9869-4bb1-9c11-8313f9d7f76f"
    Acquired application access token on behalf of the user
    

Tip

If your scanner service account cannot be granted the Log on locally right, specify and use the Token parameter for Set-AIPAuthentication.

The scanner now has a token to authenticate to Azure AD, which is valid for one year, two years, or never expires, according to your configuration of the Web app / API in Azure AD.

When the token expires, you must repeat steps 1 and 2.

You're now ready to run your first scan in discovery mode. For more information, see Run a discovery cycle and view reports for the scanner.

If you've already run a discovery scan, continue with Configure the scanner to apply classification and protection.

Configure the scanner to apply classification and protection

The default settings configure the scanner to run once, and in reporting-only mode.

To change these settings, edit the content scan job:

  1. In the Azure portal, on the Azure Information Protection - Content scan jobs pane, select the cluster and content scan job to edit it.

  2. On the Content scan job pane, change the following, and then select Save:

    • From the Content scan job section: Change the Schedule to Always
    • From the Policy enforcement section: Change Enforce to On

    Tip

    You may want to change other settings on this pane, such as whether file attributes are changed and whether the scanner can relabel files. Use the information popup help to learn more about each configuration setting.

  3. Make a note of the current time and start the scanner again from the Azure Information Protection - Content scan jobs pane:

    Screenshot: Start a scan for the Azure Information Protection scanner

    Alternatively, run the following command in your PowerShell session:

    Start-AIPScan
    
  4. To view reports of files labeled, what classification was applied, and whether protection was applied, monitor the event log for the informational event type 911 and the most recent time stamp.

    Check reports for details, or use the Azure portal to find this information.

The scanner is now scheduled to run continuously. When the scanner works its way through all configured files, it automatically starts a new cycle so that any new and changed files are discovered.
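The following is an added example, not code from the page or from the product: it scripts steps 3 and 4 above by recording the start time, running Start-AIPScan, and waiting for the next informational event 911. It assumes the AIP client PowerShell module is installed on the scanner server and that the scanner reports land in a Windows event log named "Azure Information Protection" (an assumption; adjust the log name to what your server shows). The function name is hypothetical.

```powershell
# Added example (not from the page): start a scan cycle and wait for the
# informational report event (ID 911) that the page says to monitor.
# Assumptions: AIP client module installed; log name 'Azure Information
# Protection' is assumed and may need adjusting on your server.

function Wait-AipScanReport {
    param(
        [int]    $TimeoutMinutes = 60,
        [string] $LogName        = 'Azure Information Protection',
        [int]    $EventId        = 911   # report event named on the page
    )
    # Record the time before starting, so older 911 events from earlier
    # cycles are not mistaken for this run (step 3: "make a note of the time")
    $startedAt = Get-Date
    Start-AIPScan
    $deadline  = $startedAt.AddMinutes($TimeoutMinutes)
    $report    = $null
    do {
        Start-Sleep -Seconds 30
        # Get-WinEvent returns newest first; StartTime limits it to this cycle
        $report = Get-WinEvent -FilterHashtable @{
            LogName = $LogName; Id = $EventId; StartTime = $startedAt
        } -MaxEvents 1 -ErrorAction SilentlyContinue
    } until ($report -or (Get-Date) -gt $deadline)

    if (-not $report) {
        Write-Warning "No event $EventId within $TimeoutMinutes minutes; the cycle may still be running."
        return $null
    }
    # Return the report so it can be reviewed or archived with the scan record
    [pscustomobject]@{
        TimeCreated = $report.TimeCreated
        Message     = $report.Message
    }
}

Wait-AipScanReport -TimeoutMinutes 120
```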

Change which file types to protect

By default, the AIP scanner protects Office file types and PDF files only. To change this behavior, such as to configure the scanner to protect all file types, just as the client does, or to protect specific additional file types, edit the registry as follows:

  • Specify the additional file types that you want to be protected
  • Specify the type of protection you want to apply (native or generic)

For more information, see File API configuration from the developer guidance. In this documentation for developers, generic protection is referred to as "PFile".

To align the supported file types with the client, where all files are automatically protected with native or generic protection:

  1. Specify:

    • The * wildcard as a registry key
    • Encryption as the value (REG_SZ)
    • Default as the value data
  2. Verify whether the MSIPC and FileProtection keys exist. Create them manually if they don't, and then create a subkey for each file name extension.

    For example, for the scanner to protect TIFF images in addition to Office files and PDFs, the registry will look similar to the following after you've edited it:

    Screenshot: Editing the registry for the scanner to apply protection

    Note

    As an image file, TIFF files support native protection and the resulting file name extension is .ptiff.

    For files that don't support native protection, specify the file name extension as a new key, and PFile for generic protection. The resulting file name extension for the protected file is .pfile.

For a list of text and image file types that similarly support native protection but must be specified in the registry, see Supported file types for classification and protection.
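The following is an added example, not from the page or from the product's own tooling: it scripts the registry edit described in the procedure above so the change is repeatable and reviewable. It assumes, from the MSIPC developer "File API configuration" guidance the page references, that the keys live under HKLM:\SOFTWARE\Microsoft\MSIPC\FileProtection and that the Encryption value accepts Default (native), Pfile (generic) or Off; the function names and the 'log' extension are hypothetical.

```powershell
# Added example (not from the page): per-extension FileProtection registry
# configuration for the classic scanner. Assumed key path and accepted
# Encryption values come from the MSIPC File API configuration guidance.
# Run elevated on the scanner computer; export the key first as a backup.

$MsipcKey          = 'HKLM:\SOFTWARE\Microsoft\MSIPC'
$FileProtectionKey = "$MsipcKey\FileProtection"

function Set-AipFileProtectionType {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # File name extension without the dot, or '*' for every file type
        [Parameter(Mandatory)] [string] $Extension,
        # Default = native protection (e.g. .ptiff), Pfile = generic (.pfile)
        [Parameter(Mandatory)] [ValidateSet('Default', 'Pfile', 'Off')]
        [string] $Encryption
    )
    # Step 2: create MSIPC and FileProtection if they are missing
    foreach ($key in $MsipcKey, $FileProtectionKey) {
        if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key | Out-Null }
    }
    # -LiteralPath throughout, because '*' must be a key name, not a wildcard
    $subKey = "$FileProtectionKey\$Extension"
    if ($PSCmdlet.ShouldProcess($subKey, "Set Encryption = $Encryption")) {
        if (-not (Test-Path -LiteralPath $subKey)) {
            New-Item -Path $FileProtectionKey -Name $Extension | Out-Null
        }
        # Step 1: a REG_SZ value named Encryption holding the protection type
        New-ItemProperty -LiteralPath $subKey -Name 'Encryption' `
            -PropertyType String -Value $Encryption -Force | Out-Null
    }
}

function Get-AipFileProtectionTypes {
    # Report the current per-extension configuration for review or audit
    if (-not (Test-Path -LiteralPath $FileProtectionKey)) { return @() }
    Get-ChildItem -LiteralPath $FileProtectionKey | ForEach-Object {
        $value = Get-ItemProperty -LiteralPath $_.PSPath -Name Encryption -ErrorAction SilentlyContinue
        [pscustomobject]@{ Extension = $_.PSChildName; Encryption = $value.Encryption }
    }
}

# Protect TIFF images natively, in addition to Office files and PDFs (.ptiff)
Set-AipFileProtectionType -Extension 'tiff' -Encryption 'Default'
# A type without native support gets generic protection (.pfile); 'log' is a constructed example
Set-AipFileProtectionType -Extension 'log' -Encryption 'Pfile'
# To match the client and protect every file type, use the * wildcard instead:
# Set-AipFileProtectionType -Extension '*' -Encryption 'Default'

Get-AipFileProtectionTypes | Format-Table -AutoSize
```

Use -WhatIf on Set-AipFileProtectionType to preview the keys it would create before changing a production scanner.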

Upgrading your scanner

If you have previously installed the scanner and want to upgrade, see Upgrading the Azure Information Protection scanner.

Then, configure and use your scanner as usual, skipping the steps to install your scanner.

Note

If you have a version of the scanner that is older than 1.48.204.0 and you're not ready to upgrade it, see Deploying previous versions of the Azure Information Protection scanner to automatically classify and protect files.

Editing data repository settings in bulk

Use the Export and Import buttons to make changes for your scanner across several repositories.

This way, you don't need to make the same changes several times, manually, in the Azure portal.

For example, if you have a new file type on several SharePoint data repositories, you may want to update the settings for those repositories in bulk.

To make changes in bulk across repositories:

  1. In the Azure portal, on the Repositories pane, select the Export option. For example:

    Screenshot: Export data repository settings for the scanner

  2. Manually edit the exported file to make your change.

  3. Use the Import option on the same page to import the updates back across your repositories.

Using the scanner with alternative configurations

The Azure Information Protection scanner usually looks for conditions specified for your labels in order to classify and protect your content as needed.

In the following scenarios, the Azure Information Protection scanner is also able to scan your content and manage labels, without any conditions configured:

Apply a default label to all files in a data repository

In this configuration, all unlabeled files in the repository are labeled with the default label specified for the repository or the content scan job. Files are labeled without inspection.

Configure the following settings:

  • Label files based on content: Set to Off
  • Default label: Set to Custom, and then select the label to use

Identify all custom conditions and known sensitive information types

This configuration enables you to find sensitive information that you might not realize you had, at the expense of scanning rates for the scanner.

Set the Info types to be discovered to All.

To identify conditions and information types for labeling, the scanner uses custom conditions specified for labels, and the list of information types available to specify for labels, as listed in the Azure Information Protection policy.

For more information, see Quickstart: Find what sensitive information you have.

Optimizing scanner performance

Note

If you are looking to improve the responsiveness of the scanner computer rather than the scanner performance, use an advanced client setting to limit the number of threads used by the scanner.

Use the following options and guidance to help you optimize scanner performance:

  • Have a high speed and reliable network connection between the scanner computer and the scanned data store: For example, place the scanner computer in the same LAN, or preferably, in the same network segment as the scanned data store.

    The quality of the network connection affects the scanner performance because, to inspect the files, the scanner transfers the contents of the files to the computer running the scanner service.

    Reducing or eliminating the network hops required for the data to travel also reduces the load on your network.

  • Make sure the scanner computer has available processor resources: Inspecting the file contents and encrypting and decrypting files are processor-intensive actions.

    Monitor the typical scanning cycles for your specified data stores to identify whether a lack of processor resources is negatively affecting the scanner performance.

  • Install multiple instances of the scanner: The Azure Information Protection scanner supports multiple configuration databases on the same SQL server instance when you specify a custom cluster (profile) name for the scanner.

  • Grant specific rights and disable low integrity level: Confirm that the service account that runs the scanner has only the rights documented in Service account requirements.

    Then, configure the advanced client setting to disable the low integrity level for the scanner.

  • Check your alternative configuration usage: The scanner runs more quickly when you use the alternative configuration to apply a default label to all files, because the scanner does not inspect the file contents.

    The scanner runs more slowly when you use the alternative configuration to identify all custom conditions and known sensitive information types.

  • Decrease scanner timeouts: Decrease the scanner timeouts with advanced client settings. Decreased scanner timeouts provide better scanning rates and lower memory consumption.

    Note: Decreasing scanner timeouts means that some files may be skipped.

Additional factors that affect performance

Additional factors that affect the scanner performance include:

  • Load/response times: The current load and response times of the data stores that contain the files to scan will also affect scanner performance.

  • Scanner mode (Discovery / Enforce): Discovery mode typically has a higher scanning rate than enforce mode.

    Discovery requires a single file read action, whereas enforce mode requires read and write actions.

  • Policy changes: Your scanner performance may be affected if you've made changes to the conditions in the Azure Information Protection policy.

    Your first scan cycle, when the scanner must inspect every file, will take longer than subsequent scan cycles, which by default inspect only new and changed files.

    If you change the conditions, all files are scanned again. For more information, see Rescanning files.

  • Regex constructions: Scanner performance is affected by how your regex expressions for custom conditions are constructed.

    To avoid heavy memory consumption and the risk of timeouts (15 minutes per file), review your regex expressions for efficient pattern matching.

    For example:
    - Avoid greedy quantifiers
    - Use non-capturing groups such as (?:expression) instead of (expression)

  • Log level: Log level options include Debug, Info, Error and Off for the scanner reports.

    - Off results in the best performance
    - Debug considerably slows down the scanner and should be used only for troubleshooting.

    For more information, see the ReportLevel parameter for the Set-AIPScannerConfiguration cmdlet.

  • Files being scanned:
    - With the exception of Excel files, Office files are scanned more quickly than PDF files.
    - Unprotected files are quicker to scan than protected files.
    - Large files take longer to scan than small files.
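The following is an added example, not from the page: it vets a custom-condition regex for the backtracking problem the "Regex constructions" item above warns about, by running it over constructed sample text under a .NET per-match timeout and reporting elapsed time, so a pattern that would hog memory or hit the 15-minute per-file timeout is caught on a workstation rather than in the scanner. It goes one step beyond the page's advice in that the fixed pattern uses an atomic group (?>...), which also forbids backtracking; the function name is hypothetical.

```powershell
# Added example (not from the page): time a custom-condition regex against
# sample text with a match timeout, to catch catastrophic backtracking before
# the pattern is used in a label condition.

function Test-AipConditionRegex {
    param(
        [Parameter(Mandatory)] [string] $Pattern,
        [Parameter(Mandatory)] [string] $Sample,
        [int] $TimeoutSeconds = 5
    )
    # Multiline so ^ and $ anchor per line, as in line-oriented document text
    $regex = [regex]::new($Pattern,
        [System.Text.RegularExpressions.RegexOptions]::Multiline,
        [TimeSpan]::FromSeconds($TimeoutSeconds))
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        # MatchCollection is lazy; .Count forces the engine to run (and to time out)
        $count  = $regex.Matches($Sample).Count
        $result = "$count match(es)"
    } catch [System.Text.RegularExpressions.RegexMatchTimeoutException] {
        $result = "TIMED OUT after $TimeoutSeconds s (catastrophic backtracking)"
    }
    $sw.Stop()
    [pscustomobject]@{ Pattern = $Pattern; Result = $result; Milliseconds = $sw.ElapsedMilliseconds }
}

# Constructed sample: one valid code, one line that almost matches, and filler
$sample = @(
    'PROJ-alpha'
    'PROJ-' + ('a' * 30) + '!'
    'x' * 2000
) -join "`n"

# Nested greedy quantifiers in capturing groups: exponential backtracking on the second line
$bad  = '^PROJ-(([a-z]+)*)$'
# One quantifier inside an atomic, non-capturing group: fails fast on the second line
$good = '^PROJ-(?>[a-z]+)$'

$bad, $good | ForEach-Object { Test-AipConditionRegex -Pattern $_ -Sample $sample }
```

The first pattern is reported as timed out, the second as one match in a few milliseconds.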

List of cmdlets for the scanner

This section lists PowerShell cmdlets supported for the Azure Information Protection scanner.

Note

The Azure Information Protection scanner is configured from the Azure portal. Therefore, cmdlets used in previous versions to configure data repositories and the scanned file types list are now deprecated.

Supported cmdlets for the scanner include:

Next steps

Once you've installed and configured your scanner, start scanning your files.

See also: Deploying the Azure Information Protection scanner to automatically classify and protect files.

More information:

Interested in how the Core Services Engineering and Operations team in Microsoft implemented this scanner? Read the technical case study: Automating data protection with Azure Information Protection scanner.

You might be wondering: What's the difference between Windows Server FCI and the Azure Information Protection scanner?

You can also use PowerShell to interactively classify and protect files from your desktop computer. For more information about this and other scenarios that use PowerShell, see Using PowerShell with the Azure Information Protection client.