Help protect Windows PCs using Windows Firewall policies in Microsoft Intune

Applies to: Intune in the classic console
Looking for documentation about Intune on Azure? Go here.

Microsoft Intune can help you secure Windows PCs that you manage with the Intune client in a number of ways. One of them is a policy type that lets you configure Windows Firewall settings on those PCs.

If you have not yet installed the Intune Windows PC client on your computers, see Install the Windows PC client with Microsoft Intune.

Use the information in the following sections to configure, deploy, and monitor Windows Firewall policies on Windows PCs.

Use Intune policies to manage Windows Firewall

The Windows Firewall policy lets you create and deploy settings that control Windows Firewall on managed PCs. You cannot manage custom exceptions (rules for arbitrary programs or ports) with this policy; only the predefined exceptions listed later in this article are available. These settings do not affect third-party firewalls.

Note

If Microsoft Intune policy and Group Policy are configured to manage the same setting on a PC, the Group Policy setting overrides the Microsoft Intune policy. For information about how to avoid conflicts between Intune policy and Group Policy, see Resolve GPO and Microsoft Intune policy conflicts.

If you want to deploy Windows Firewall settings to computers that run Windows Vista, you must first install Hotfix KB971800 on those computers.

Important

To manage Windows Firewall by using Intune, ensure that the following two services are enabled on the computers that you manage:

  • Windows Firewall
  • IPsec Policy Agent
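The following PowerShell snippet is an added example for checking this prerequisite on a managed PC before you deploy the policy; it is not part of the original article. It assumes the standard service short names, MpsSvc for Windows Firewall and PolicyAgent for IPsec Policy Agent, and their default start modes (Automatic and Manual respectively). Run it from an elevated prompt so the repair step can change service configuration.

```powershell
# Added example (not from the original article): verify that the two services
# Intune needs for Windows Firewall policy are present, not disabled, and running.
# Assumed service short names and default start modes:
$required = @(
    @{ Name = 'MpsSvc';      Display = 'Windows Firewall';   DefaultStart = 'Automatic' }
    @{ Name = 'PolicyAgent'; Display = 'IPsec Policy Agent'; DefaultStart = 'Manual' }
)

$problems = foreach ($r in $required) {
    $svc = Get-Service -Name $r.Name -ErrorAction SilentlyContinue
    if (-not $svc) {
        "$($r.Display) ($($r.Name)): service not found on this PC"
        continue
    }
    # Get-Service does not expose the start mode on older Windows PowerShell,
    # so read it from WMI/CIM (available on Windows 7 with WMF 3 or later).
    $startMode = (Get-CimInstance -ClassName Win32_Service -Filter "Name='$($r.Name)'").StartMode
    if ($startMode -eq 'Disabled' -or $svc.Status -ne 'Running') {
        "$($r.Display) ($($r.Name)): status $($svc.Status), start mode $startMode"
    }
}

if (-not $problems) {
    Write-Output 'Both services are enabled and running; the PC can accept the Intune Windows Firewall policy.'
    return
}

$problems | ForEach-Object { Write-Warning $_ }

# Repair: restore the default start mode for anything that was disabled, then start it.
foreach ($r in $required) {
    $svc = Get-Service -Name $r.Name -ErrorAction SilentlyContinue
    if (-not $svc) { continue }
    $startMode = (Get-CimInstance -ClassName Win32_Service -Filter "Name='$($r.Name)'").StartMode
    if ($startMode -eq 'Disabled') {
        Set-Service -Name $r.Name -StartupType $r.DefaultStart
    }
    if ($svc.Status -ne 'Running') {
        Start-Service -Name $r.Name
    }
    Write-Output "$($r.Display): now $((Get-Service -Name $r.Name).Status)"
}
```

If either service is missing or cannot be started, the Intune policy will report an error for that PC rather than silently leaving the firewall unconfigured, so it is worth running this check on a sample of machines before a wide deployment.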

Configure a Windows Firewall policy

  1. In the Microsoft Intune administration console, choose Policy > Add Policy.

  2. Configure and deploy a Windows Firewall Settings policy. You can use the recommended settings or customize them. If you need more information about how to create and deploy policies, see Common Windows PC management tasks with the Microsoft Intune computer client.

    The following section lists the values that you can configure in the policy, together with the default values that are used if you do not customize the policy.

After you deploy a Windows Firewall policy, you can view its status on the All Policies page of the Policy workspace.

Specify policy settings for Windows Firewall

Turn on Windows Firewall

These policy settings enable Windows Firewall on managed computers that are:

  • Connected to a domain (for example, at the workplace)
  • Connected to a private (trusted) network (such as a home network)
  • Connected to an untrusted public network (such as a coffee shop)

The default value for each of these settings is Yes, which is the most secure value.

Block all incoming connections, including those in the list of allowed programs

These policy settings configure Windows Firewall to block all incoming network traffic on managed computers that are:

  • Connected to a domain (for example, at the workplace)
  • Connected to a private (trusted) network (such as a home network)
  • Connected to an untrusted public network (such as a coffee shop)

The default value for each of these settings is Yes, which is the most secure value. Because this setting overrides the allowed-programs list, the predefined exceptions described later in this article have no effect on a profile where it is set to Yes; inbound Remote Desktop, remote management and similar traffic is blocked there even if you enable its exception. Leave it at Yes for the public profile, and set it to No only on the profiles where you actually need inbound exceptions.

Important

If your environment includes managed computers that are running Windows Vista with no service pack installed, you must either install the update associated with article 971800 in the Microsoft Knowledge Base or disable the Block all incoming connections policy settings in policies that are deployed to those computers.

Notify the user when Windows Firewall blocks a new program

These policy settings determine whether Windows Firewall notifies the PC user when it blocks incoming network traffic for a new program while the managed computer is:

  • Connected to a domain (for example, at the workplace)
  • Connected to a private (trusted) network (such as a home network)
  • Connected to an untrusted public network (such as a coffee shop)

The default value for each of these settings is Yes.

Configure predefined exceptions

You can configure exceptions that allow specific types of inbound network traffic through the firewall regardless of the values that you configured earlier (other than Block all incoming connections, which takes precedence over the allowed-programs list). None of these exceptions are configured by default. Each exception you enable widens the attack surface of the PC on every profile it applies to, so enable only the ones a workload actually needs; the protocols listed for each entry tell you which ports and services become reachable.

Setting name / Details

BranchCache - Content Retrieval (Windows 7 or later)
    Lets BranchCache clients use HTTP to retrieve content from other BranchCache clients while in distributed mode, and from the hosted cache while in hosted cache mode. This setting uses HTTP.

BranchCache - Hosted Cache Client (Windows 7 or later)
    Lets BranchCache clients use a hosted cache. This setting uses HTTPS.

BranchCache - Hosted Cache Server
    Lets BranchCache clients use a hosted cache to communicate with other clients. This setting uses HTTPS.

BranchCache - Peer Discovery (Windows 7 or later)
    Lets BranchCache clients use the Web Services Dynamic Discovery (WS-Discovery) protocol to look up content availability on the local subnet.

BITS Peercaching
    Lets clients use Background Intelligent Transfer Service (BITS) to find and share files that are stored in the BITS cache on clients in the same subnet. This setting uses Web Services on Devices (WSDAPI) and Remote Procedure Call (RPC).

Connect to a Network Projector
    Lets users connect to projectors over wired or wireless networks to project presentations. This setting uses WSDAPI.

Core Networking
    Lets clients use IPv4 and IPv6 to connect to network resources.

Distributed Transaction Coordinator
    Enables managed computers to coordinate transactions that update transaction-protected resources, such as databases, message queues, and file systems.

File and Printer Sharing
    Enables users to share local files and printers with other users on the network. This setting uses NetBIOS, Link-Local Multicast Name Resolution (LLMNR), the Server Message Block (SMB) protocol, and RPC.

HomeGroup (Windows 7 or later)
    Enables managed computers to participate in a HomeGroup network.

iSCSI Service
    Enables managed computers to connect to iSCSI servers and devices.

Key Management Service
    Lets computers be counted for license compliance in enterprise environments.

Media Center Extenders
    Enables Media Center Extenders to communicate with computers that are running Windows Media Center. This setting uses Simple Service Discovery Protocol (SSDP) and qWave.

Netlogon Service
    Configures a secure channel between domain clients and a domain controller for authenticating users and services. This setting uses RPC.

Network Discovery
    Lets computers discover other devices, and be discovered by other devices, on the network. This setting uses the Function Discovery Host and Publication services and the SSDP, NetBIOS, LLMNR, and UPnP network protocols.

Performance Logs and Alerts
    Enables the Performance Logs and Alerts service to be managed remotely. This setting uses RPC.

Remote Administration
    Enables remote administration of the computer.

Remote Assistance
    Lets users of managed computers request remote assistance from other users on the network. This setting uses the SSDP, Peer Name Resolution Protocol (PNRP), Teredo, and UPnP network protocols.

Remote Desktop
    Lets other computers connect to this computer by using Remote Desktop. This is an inbound exception; outbound Remote Desktop connections from the managed computer do not require it.

Remote Event Log Management
    Lets client event logs be viewed and managed remotely. This setting uses Named Pipes and RPC.

Remote Scheduled Tasks Management
    Enables remote management of the Task Scheduler service. This setting uses RPC.

Remote Service Management
    Enables remote management of local services on clients. This setting uses Named Pipes and RPC.

Remote Volume Management
    Enables remote software and hardware disk volume management. This setting uses RPC.

Routing and Remote Access
    Enables incoming VPN and remote access connections to the computer.

Secure Socket Tunneling Protocol
    Enables incoming VPN connections to managed computers that use Secure Socket Tunneling Protocol (SSTP). This setting uses HTTPS.

SNMP Trap
    Lets managed computers receive Simple Network Management Protocol (SNMP) Trap service traffic.

UPnP Framework
    Configures the UPnP Framework service on computers to let them discover and use UPnP-certified devices.

Windows Collaboration Computer Name Registration Service
    Lets computers find and communicate with other computers by using SSDP and PNRP.

Windows Media Player
    Lets users receive streaming media over User Datagram Protocol (UDP).

Windows Media Player Network Sharing Service
    Lets users share media over a network. This setting uses the SSDP, qWave, and UPnP network protocols.

Windows Media Player Network Sharing Service (Internet) (Windows 7 or later)
    Lets users share home media over the Internet.

Windows Meeting Space
    Lets users collaborate over a network to share documents, programs, and their desktops. This setting uses Distributed File System Replication (DFSR) and P2P.

Windows Peer to Peer Collaboration Foundation
    Configures various peer-to-peer programs and technologies so that they can connect. This setting uses SSDP and PNRP.

Windows Remote Management (Compatibility)
    Enables remote management of managed computers with WS-Management, a Web services-based protocol for remote management of operating systems and devices.

Windows Remote Management (Windows 8 or later)
    Enables remote management of managed computers with WS-Management, a Web services-based protocol for remote management of operating systems and devices.

Windows Virtual PC (Windows 7 or later)
    Lets virtual machines communicate with other computers.

Wireless Portable Devices
    Enables the transfer of media from a network-enabled camera or media device to managed computers with Media Transfer Protocol (MTP). This setting uses the SSDP and UPnP network protocols.
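Intune reports only whether the policy was applied; it does not show you the firewall state that resulted. The following PowerShell audit is an added example, not part of the original article, for confirming on a managed PC that the three per-profile settings and the predefined exceptions above took effect, and for spotting the Group Policy override described in the note at the top of this article. It assumes the NetSecurity module (Windows 8 / Windows Server 2012 or later); on Windows 7 use `netsh advfirewall show allprofiles` and `netsh advfirewall firewall show rule name=all` instead. The DisplayGroup names and the policy registry value names used below are the standard Windows ones and are assumptions of this example, not values documented on this page.

```powershell
# Added example (not from the original article): audit the Windows Firewall state
# that an Intune Windows Firewall policy produced on a managed PC.
# Requires the NetSecurity module (Windows 8 / Server 2012 or later).

# 1. Per-profile state. The three columns map to the policy settings above:
#    Enabled            -> Turn on Windows Firewall
#    BlockAllIncoming   -> Block all incoming connections (shielded mode; allow rules ignored)
#    NotifyOnListen     -> Notify the user when Windows Firewall blocks a new program
Get-NetFirewallProfile -Name Domain, Private, Public |
    Select-Object Name,
        Enabled,
        DefaultInboundAction,
        @{ Name = 'BlockAllIncoming'; Expression = { $_.AllowInboundRules -eq 'False' } },
        NotifyOnListen |
    Format-Table -AutoSize

# 2. Which predefined exceptions are enabled, and on which profiles. The DisplayGroup
#    of the built-in rules matches the "Setting name" column (assumed names below);
#    add any other group you configured in the policy.
$groups = 'File and Printer Sharing', 'Remote Desktop', 'Network Discovery',
          'Windows Remote Management', 'Remote Administration', 'Remote Assistance'
foreach ($g in $groups) {
    $rules = @(Get-NetFirewallRule -DisplayGroup $g -Direction Inbound -ErrorAction SilentlyContinue)
    if ($rules.Count -eq 0) {
        '{0,-28} no inbound rules with this DisplayGroup on this OS' -f $g
        continue
    }
    $enabled  = @($rules | Where-Object { $_.Enabled -eq 'True' })
    $profiles = ($enabled | ForEach-Object { $_.Profile.ToString() } | Sort-Object -Unique) -join ', '
    '{0,-28} {1,2}/{2,-2} inbound rules enabled  profiles: {3}' -f $g, $enabled.Count, $rules.Count, $profiles
}

# 3. Group Policy wins over Intune for any setting both configure. Firewall settings
#    delivered by a GPO land under HKLM\SOFTWARE\Policies; if a profile key exists here,
#    the Intune value for that profile is being overridden. The value names are the
#    standard policy values (EnableFirewall, DoNotAllowExceptions, DisableNotifications).
$gpoRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
if (Test-Path $gpoRoot) {
    Get-ChildItem -Path $gpoRoot | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        'Group Policy manages {0}: EnableFirewall={1} DoNotAllowExceptions={2} DisableNotifications={3}' -f `
            $_.PSChildName, $p.EnableFirewall, $p.DoNotAllowExceptions, $p.DisableNotifications
    }
} else {
    'No Group Policy firewall settings found; the Intune policy values apply.'
}
```

A profile that shows Enabled True but BlockAllIncoming True will block every exception you enabled in step 2, which is the expected result of leaving Block all incoming connections at its default of Yes; if that is not what you intended for the domain or private profile, change the policy rather than editing the local firewall, since the Intune client will reapply the policy on its next check-in.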

See also

Policies to protect Windows PCs

To submit product feedback, visit Intune Feedback.