Compliance policy settings for Windows devices in Microsoft Intune

Applies to: Intune in the classic console
Looking for documentation about Intune on Azure? Go here.

The policy settings described in this topic apply to devices running the Windows operating system. The following sections describe the supported Windows versions.

If you are looking for information about other platforms, select one of these:

Compliance policy settings for Windows Phone devices

The settings listed in this section are supported on Windows Phone 8.1 and later.

System security settings

Password

  • Require a password to unlock mobile devices: Set this to Yes to require the user to enter a password before they can access their device.

  • Allow simple passwords: Set this to Yes to let the user create a simple password like 1234 or 1111.

  • Minimum password length: Specify the minimum number of digits or characters that the user's password must have.

  • Required password type: Specify whether the user must create an Alphanumeric password or a Numeric password.

    For devices that run Windows and are accessed with a Microsoft account, the compliance policy will fail to evaluate correctly if the minimum password length is greater than eight characters or if the minimum number of character sets is more than two.

  • Minimum number of character sets: If Required password type is set to Alphanumeric, this setting specifies the minimum number of character sets that the password must have. The four character sets are:

    • Lowercase letters
    • Uppercase letters
    • Symbols
    • Numbers

    Setting a higher number for this setting will require the user to create a password that is more complex. For devices that run Windows and are accessed with a Microsoft account, the compliance policy will fail to evaluate correctly if the minimum password length is greater than eight characters or if the minimum number of character sets is more than two.

  • Minutes of inactivity before password is required: This setting specifies the idle time before the user must reenter their password.

  • Password expiration (days): Choose the number of days before the user's password expires and they must create a new one.

  • Remember password history: Use this setting in conjunction with Prevent reuse of previous passwords to restrict the user from creating previously used passwords.

  • Prevent reuse of previous passwords: If Remember password history is selected, specify the number of previously used passwords that cannot be reused.

  • Require a password when the device returns from an idle state: Use this setting together with the Minutes of inactivity before password is required setting. The user is prompted to enter a password to access a device that has been inactive for the time specified in the Minutes of inactivity before password is required setting.

    Note

    This setting applies only to Windows 10 Mobile devices.

Encryption

  • Require encryption on mobile device: Set this to Yes to require the device to be encrypted in order to connect to resources.

Device health settings

  • Require devices to be reported as healthy: You can set a rule to require that Windows 10 Mobile devices must be reported as healthy in new or existing compliance policies. If this setting is enabled, Windows 10 devices are evaluated via the Health Attestation Service (HAS) for these data points:

    • BitLocker is enabled: When BitLocker is on, the device can help protect data that is stored on the drive from unauthorized access when the system is turned off or goes into hibernation. Windows BitLocker Drive Encryption encrypts all data stored on the Windows operating system volume. BitLocker uses the TPM to help protect the Windows operating system and user data. BitLocker also helps ensure that a computer is not tampered with, even if it is left unattended, lost, or stolen. If the computer is equipped with a compatible TPM, BitLocker uses the TPM to lock the encryption keys that help protect the data. As a result, the keys cannot be accessed until the TPM has verified the state of the computer.
    • Code integrity is enabled: Code integrity is a feature that validates the integrity of a driver or system file each time it is loaded into memory. Code integrity detects whether an unsigned driver or system file is being loaded into the kernel. It also detects whether a system file has been modified by malicious software that is being run by a user account with administrator privileges.
    • Secure Boot is enabled: When Secure Boot is enabled, the system is forced to boot to a factory trusted state. Also, when Secure Boot is enabled, the core components used to boot the machine must have correct cryptographic signatures that are trusted by the organization that manufactured the device. The UEFI firmware verifies this before it lets the machine start. If any files have been tampered with, breaking their signature, the system will not boot.

    Important

    Windows devices do not support third-party Early Launch Anti-Malware (ELAM) software installed as part of the device health attestation.

    For information on how the HAS service works, see Health Attestation CSP.

Device property settings

  • Minimum OS required: When a device does not meet the minimum OS version requirement, it is reported as noncompliant. A link with information on how to upgrade is displayed. The user can choose to upgrade their device, and then they can access company resources.

  • Maximum OS version allowed: When a device is using an OS version later than the one specified in the rule, access to company resources is blocked and the user is asked to contact their IT admin. Until the rule is changed to allow that OS version, the device cannot be used to access company resources.

Compliance policy settings for Windows PCs

The settings listed in this section are supported on Windows PCs.

System security settings

Password

  • Minimum password length: Supported on Windows 8.1.

    Specify the minimum number of digits or characters that the user's password must have.

    For devices that are accessed with a Microsoft account, the compliance policy will fail to evaluate correctly if Minimum password length is greater than eight characters or if Minimum number of character sets is more than two.

  • Required password type: Supported on Windows RT, Windows RT 8.1, and Windows 8.1.

    Specify whether the user must create an Alphanumeric password or a Numeric password.

  • Minimum number of character sets: Supported on Windows RT, Windows RT 8.1, and Windows 8.1.

    If Required password type is set to Alphanumeric, this setting specifies the minimum number of character sets that the password must have. The four character sets are:

    • Lowercase letters
    • Uppercase letters
    • Symbols
    • Numbers

    Setting a higher number for this setting will require the user to create a password that is more complex. For devices that are accessed with a Microsoft account, the compliance policy will fail to evaluate correctly if Minimum password length is greater than eight characters or if Minimum number of character sets is more than two.

  • Minutes of inactivity before password is required: Supported on Windows RT, Windows RT 8.1, and Windows 8.1.

    Specify the idle time before the user must reenter their password.

  • Password expiration (days): Supported on Windows RT, Windows RT 8.1, and Windows 8.1.

    Choose the number of days before the user's password expires and they must create a new one.

  • Remember password history: Supported on Windows RT, Windows RT 8.1, and Windows 8.1.

    Use this setting in conjunction with Prevent reuse of previous passwords to restrict the user from creating previously used passwords.

  • Prevent reuse of previous passwords: Supported on Windows RT, Windows RT 8.1, and Windows 8.1.

    If Remember password history is selected, specify the number of previously used passwords that cannot be reused.
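As an added example (not Microsoft's code), the following PowerShell evaluates a candidate password against the Password rule values described in the Windows Phone and Windows PC sections above, including the four-character-set count and the Microsoft-account evaluation caveat. The function names, the default rule values and the simple-password heuristic are assumptions made for this example.

```powershell
# Added example (not Microsoft's code): checks a candidate password against the Password
# rule values from the Windows Phone and Windows PC sections above.
function Get-PasswordCharacterSets {
    param([Parameter(Mandatory)][string]$Password)
    # The four character sets the policy counts: lowercase, uppercase, symbols, numbers.
    $found = @()
    if ($Password -cmatch '[a-z]')        { $found += 'Lowercase' }
    if ($Password -cmatch '[A-Z]')        { $found += 'Uppercase' }
    if ($Password -cmatch '[^A-Za-z0-9]') { $found += 'Symbols' }
    if ($Password -cmatch '[0-9]')        { $found += 'Numbers' }
    return ,$found
}

function Test-PasswordRule {
    param(
        [Parameter(Mandatory)][string]$Password,
        [int]$MinimumLength = 4,
        [ValidateSet('Numeric', 'Alphanumeric')][string]$RequiredType = 'Numeric',
        [int]$MinimumCharacterSets = 1,
        [switch]$AllowSimplePasswords,
        [switch]$MicrosoftAccount   # device is accessed with a Microsoft account
    )
    $reasons = @()
    # Caveat from the page: on Microsoft-account devices the policy does not evaluate
    # correctly when minimum length > 8 or minimum character sets > 2.
    if ($MicrosoftAccount -and ($MinimumLength -gt 8 -or $MinimumCharacterSets -gt 2)) {
        $reasons += 'Rule cannot be evaluated on a Microsoft-account device (length > 8 or sets > 2)'
    }
    if ($Password.Length -lt $MinimumLength) { $reasons += "Shorter than $MinimumLength characters" }
    $sets = Get-PasswordCharacterSets -Password $Password
    if ($RequiredType -eq 'Numeric' -and $Password -notmatch '^[0-9]+$') {
        $reasons += 'Numeric password required'
    }
    if ($RequiredType -eq 'Alphanumeric' -and $sets.Count -lt $MinimumCharacterSets) {
        $reasons += "Uses $($sets.Count) character set(s), $MinimumCharacterSets required"
    }
    # Simple passwords such as 1234 or 1111: this heuristic (one repeated character, or a
    # run of consecutive digits) is constructed here; the platform's own test is not documented.
    $simple = ($Password -match '^(.)\1+$') -or '0123456789'.Contains($Password) -or '9876543210'.Contains($Password)
    if (-not $AllowSimplePasswords -and $simple) { $reasons += 'Simple password not allowed' }
    [pscustomobject]@{
        Compliant     = ($reasons.Count -eq 0)
        CharacterSets = ($sets -join ', ')
        Reasons       = ($reasons -join '; ')
    }
}

# Constructed samples: an alphanumeric rule needing 8 characters from 3 sets, then a numeric rule.
Test-PasswordRule -Password 'Winter2017' -MinimumLength 8 -RequiredType Alphanumeric -MinimumCharacterSets 3
Test-PasswordRule -Password '1111' -RequiredType Numeric
```

The first sample is reported as compliant (three sets, ten characters); the second is rejected as a simple password.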

Device health settings

  • Require devices to be reported as healthy: Supported on Windows 10 devices. You can set a rule to require that Windows 10 devices must be reported as healthy in new or existing compliance policies. If this setting is enabled, Windows 10 devices are evaluated via the Health Attestation Service (HAS) for these data points:

    • BitLocker is enabled: When BitLocker is on, the device can help protect data that is stored on the drive from unauthorized access when the system is turned off or goes into hibernation. Windows BitLocker Drive Encryption encrypts all data stored on the Windows operating system volume. BitLocker uses the TPM to help protect the Windows operating system and user data. BitLocker also helps ensure that a computer is not tampered with, even if it is left unattended, lost, or stolen. If the computer is equipped with a compatible TPM, BitLocker uses the TPM to lock the encryption keys that help protect the data. As a result, the keys cannot be accessed until the TPM has verified the state of the computer.
    • Code integrity is enabled: Code integrity is a feature that validates the integrity of a driver or system file each time it is loaded into memory. Code integrity detects whether an unsigned driver or system file is being loaded into the kernel. It also detects whether a system file has been modified by malicious software that is being run by a user account with administrator privileges.
    • Secure Boot is enabled: When Secure Boot is enabled, the system is forced to boot to a factory trusted state. Also, when Secure Boot is enabled, the core components used to boot the machine must have correct cryptographic signatures that are trusted by the organization that manufactured the device. The UEFI firmware verifies this before it lets the machine start. If any files have been tampered with, breaking their signature, the system will not boot.
    • Early-launch antimalware is enabled: Early Launch Anti-Malware (ELAM) provides protection for the computers in your network when they start up and before third-party drivers are initialized.

    For information on how the HAS service works, see Health Attestation CSP.
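Added example (not Microsoft's code): a local pre-check of the same four data points, for triaging a Windows 10 PC that HAS has reported as unhealthy; it serves both device-health sections above. It assumes the BitLocker and SecureBoot PowerShell modules, an elevated prompt for bcdedit, and that Microsoft Defender's ELAM driver (WdBoot) is the ELAM in use; the service's own verdict comes from the TPM-backed boot measurements, not from these queries.

```powershell
# Added example (not Microsoft's code): local pre-check of the HAS data points on a Windows 10 PC.
function Get-LocalHealthPrecheck {
    $r = [ordered]@{}

    # BitLocker: protection must be on for the OS volume (BitLocker module).
    try {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        $r['BitLockerEnabled'] = ($vol.ProtectionStatus -eq 'On')
    } catch { $r['BitLockerEnabled'] = $false }

    # Secure Boot (SecureBoot module); the cmdlet throws on legacy BIOS firmware.
    try { $r['SecureBootEnabled'] = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $r['SecureBootEnabled'] = $false }

    # Code integrity: kernel-mode signature enforcement is off when the current boot entry
    # has testsigning or nointegritychecks set, so read those flags from bcdedit (needs elevation).
    $bcd = (& bcdedit /enum '{current}' 2>$null) -join "`n"
    $r['CodeIntegrityEnabled'] = -not ($bcd -match '(?im)^(testsigning|nointegritychecks)\s+Yes')

    # ELAM: assumption for this example is that Microsoft Defender's boot-start ELAM driver
    # (WdBoot) is the one in use; other vendors' ELAM drivers are not checked here.
    $elam = Get-CimInstance Win32_SystemDriver -Filter "Name='WdBoot'" -ErrorAction SilentlyContinue
    $r['EarlyLaunchAntimalwareEnabled'] = ($null -ne $elam -and $elam.StartMode -eq 'Boot')

    # Any failed data point is a likely cause of a "not healthy" attestation result.
    $r['LikelyHealthy'] = -not ($r.Values -contains $false)
    [pscustomobject]$r
}

Get-LocalHealthPrecheck | Format-List
```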

Device property settings

  • Minimum OS required: Supported on Windows 8.1 and Windows 10.

    Specify the major.minor.build number here. The version number must correspond to the version that the winver command returns.

    When a device has an earlier version than the specified OS version, it is reported as noncompliant. A link with information on how to upgrade is displayed. The user can choose to upgrade their device, and then they can access company resources.

  • Maximum OS version allowed: Supported on Windows 8.1 and Windows 10.

    When a device is using an OS version later than the one specified in the rule, access to company resources is blocked and the user is asked to contact their IT admin. Until the rule is changed to allow that OS version, the device cannot be used to access company resources.

To find the OS version to use for the Minimum OS required and Maximum OS version allowed settings, run the winver command from the command prompt. The winver command returns the reported version of the OS.

  • Windows 8.1 PCs return a version of 6.3. If the OS version rule is set to 8.1 for Windows, the device is reported as noncompliant even though it is running Windows 8.1.

  • For PCs running Windows 10, the version should be set as 10.0 plus the OS build number that the winver command returns. For example, it might be something like 10.0.10586.

    (Screenshot: the OS build number highlighted in the About Windows dialog)
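Added example (not Microsoft's code): reads the same major.minor.build value that winver reports and evaluates it against Minimum OS required / Maximum OS version allowed rules the way the text describes, including the Windows 8.1 "6.3 versus 8.1" pitfall. The function names are assumptions; the sample version numbers are constructed from the values on this page.

```powershell
# Added example (not Microsoft's code): derive the reported OS version and test it against a rule.
function Get-ReportedOSVersion {
    # Same major.minor.build that winver shows, e.g. "6.3.9600" on Windows 8.1, "10.0.10586" on Windows 10.
    return [version](Get-CimInstance Win32_OperatingSystem).Version
}

function Test-OSVersionRule {
    param(
        [Parameter(Mandatory)][version]$Reported,   # what the device reports, e.g. 6.3.9600
        [version]$MinimumRequired,                   # $null = no minimum rule
        [version]$MaximumAllowed                     # $null = no maximum rule
    )
    # Compare on major.minor.build only, as the rule values on the page are written; a
    # four-part version would otherwise sort above an equal three-part maximum.
    $dev = [version]"$($Reported.Major).$($Reported.Minor).$([math]::Max($Reported.Build, 0))"
    if ($MinimumRequired -and $dev -lt $MinimumRequired) {
        return [pscustomobject]@{ Result = 'Noncompliant'; Detail = "$dev is below minimum $MinimumRequired; upgrade link shown" }
    }
    if ($MaximumAllowed -and $dev -gt $MaximumAllowed) {
        return [pscustomobject]@{ Result = 'Blocked'; Detail = "$dev is above maximum $MaximumAllowed; user told to contact IT admin" }
    }
    [pscustomobject]@{ Result = 'Compliant'; Detail = "$dev is within the rule" }
}

# Constructed samples following the guidance above.
# A Windows 8.1 PC reports 6.3, so a rule written as "8.1" makes it noncompliant:
Test-OSVersionRule -Reported '6.3.9600' -MinimumRequired '8.1'
# Written as 6.3, the same PC is compliant:
Test-OSVersionRule -Reported '6.3.9600' -MinimumRequired '6.3'
# Windows 10 rules use 10.0 plus the build that winver returns:
Test-OSVersionRule -Reported '10.0.10586' -MinimumRequired '10.0.10240' -MaximumAllowed '10.0.10586'
# The running device against a Windows 10 minimum rule:
Test-OSVersionRule -Reported (Get-ReportedOSVersion) -MinimumRequired '10.0.10240'
```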
