Windows 10 and later settings to mark devices as compliant or not compliant using Intune

This article lists and describes the different compliance settings you can configure on Windows 10 and later devices in Intune. As part of your mobile device management (MDM) solution, use these settings to require BitLocker, set a minimum and maximum operating system, set a risk level using Microsoft Defender for Endpoint, and more.

This feature applies to:

  • Windows 10 and later
  • Windows Holographic for Business
  • Surface Hub

As an Intune administrator, use these compliance settings to help protect your organizational resources. To learn more about compliance policies, and what they do, see get started with device compliance.

Before you begin

Create a compliance policy. For Platform, select Windows 10 and later.

Device Health

Windows Health Attestation Service evaluation rules

  • Require BitLocker:
    Windows BitLocker Drive Encryption encrypts all data stored on the Windows operating system volume. BitLocker uses the Trusted Platform Module (TPM) to help protect the Windows operating system and user data. It also helps confirm that a computer isn't tampered with, even if it's left unattended, lost, or stolen. If the computer is equipped with a compatible TPM, BitLocker uses the TPM to lock the encryption keys that protect the data. As a result, the keys can't be accessed until the TPM verifies the state of the computer.

    • Not configured (default) - This setting isn't evaluated for compliance or non-compliance.
    • Require - The device can protect data that's stored on the drive from unauthorized access when the system is off, or hibernates.

    Device HealthAttestation CSP - BitLockerStatus

  • Require Secure Boot to be enabled on the device:

    • Not configured (default) - This setting isn't evaluated for compliance or non-compliance.
    • Require - The system is forced to boot to a factory trusted state. The core components that are used to boot the machine must have correct cryptographic signatures that are trusted by the organization that manufactured the device. The UEFI firmware verifies the signature before it lets the machine start. If any files are tampered with, which breaks their signature, the system doesn't boot.

    Note

    The Require Secure Boot to be enabled on the device setting is supported on some TPM 1.2 and 2.0 devices. For devices that don't support TPM 2.0 or later, the policy status in Intune shows as Not Compliant. For more information on supported versions, see Device Health Attestation.

  • Require code integrity:
    Code integrity is a feature that validates the integrity of a driver or system file each time it's loaded into memory.

    • Not configured (default) - This setting isn't evaluated for compliance or non-compliance.
    • Require - Require code integrity, which detects if an unsigned driver or system file is being loaded into the kernel. It also detects if a system file is changed by malicious software or run by a user account with administrator privileges.

More resources:

Device Properties

Operating System Version

To discover build versions for all Windows 10 Feature Updates and Cumulative Updates (to be used in some of the fields below), see Windows 10 release information. Be sure to include the 10.0. prefix before the build numbers, as the following examples illustrate.

  • Minimum OS version:
    Enter the minimum allowed version in the major.minor.build.revision number format. To get the correct value, open a command prompt, and type ver. The ver command returns the version in the following format:

    Microsoft Windows [Version 10.0.17134.1]

    When a device has an earlier version than the OS version you enter, it's reported as noncompliant. A link with information on how to upgrade is shown. The end user can choose to upgrade their device. After they upgrade, they can access company resources.

  • Maximum OS version:
    Enter the maximum allowed version, in the major.minor.build.revision number format. To get the correct value, open a command prompt, and type ver. The ver command returns the version in the following format:

    Microsoft Windows [Version 10.0.17134.1]

    When a device is using an OS version later than the version entered, access to organization resources is blocked. The end user is asked to contact their IT administrator. The device can't access organization resources until the rule is changed to allow the OS version.

  • Minimum OS required for mobile devices:
    Enter the minimum allowed version, in the major.minor.build number format.

    When a device has an earlier version than the OS version you enter, it's reported as noncompliant. A link with information on how to upgrade is shown. The end user can choose to upgrade their device. After they upgrade, they can access company resources.

  • Maximum OS required for mobile devices:
    Enter the maximum allowed version, in the major.minor.build number format.

    When a device is using an OS version later than the version entered, access to organization resources is blocked. The end user is asked to contact their IT administrator. The device can't access organization resources until the rule is changed to allow the OS version.

  • Valid operating system builds:
    Specify a list of minimum and maximum operating system builds. Valid operating system builds provide additional flexibility when compared against minimum and maximum OS versions. Consider a scenario where minimum OS version is set to 10.0.18362.xxx (Windows 10 1903) and maximum OS version is set to 10.0.18363.xxx (Windows 10 1909). This configuration can allow a Windows 10 1903 device that doesn't have recent cumulative updates installed to be identified as compliant. Minimum and maximum OS versions might be suitable if you have standardized on a single Windows 10 release, but might not address your requirements if you need to use multiple builds, each with specific patch levels. In such a case, consider using valid operating system builds instead, which allows multiple builds to be specified as per the following example.

    Example:
    The following table is an example of a range for the acceptable operating system versions for different Windows 10 releases. In this example, three different Feature Updates have been allowed (1809, 1909 and 2004). Specifically, only those versions of Windows that have applied cumulative updates from June to September 2020 are considered compliant. This is sample data only. The table includes a first column that includes any text you want to describe the entry, followed by the minimum and maximum OS version for that entry. The second and third columns must adhere to valid OS build versions in the major.minor.build.revision number format. After you define one or more entries, you can Export the list as a comma-separated values (CSV) file.

    Description                    Minimum OS version    Maximum OS version
    Win 10 2004 (Jun-Sept 2020)    10.0.19041.329        10.0.19041.508
    Win 10 1909 (Jun-Sept 2020)    10.0.18363.900        10.0.18363.1110
    Win 10 1809 (Jun-Sept 2020)    10.0.17763.1282       10.0.17763.1490
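
The following sketch is an added example, not Microsoft's code or Intune's implementation. It models the rule as this article describes it (inclusive bounds, numeric major.minor.build.revision comparison) to show why a single minimum/maximum pair admits a device that the per-release list rejects. The function names and the device versions 10.0.18363.418 and 10.0.19041.450 are constructed for illustration.

```python
import re

# Ranges copied from the sample table above: (description, minimum, maximum).
VALID_BUILDS = [
    ("Win 10 2004 (Jun-Sept 2020)", "10.0.19041.329", "10.0.19041.508"),
    ("Win 10 1909 (Jun-Sept 2020)", "10.0.18363.900", "10.0.18363.1110"),
    ("Win 10 1809 (Jun-Sept 2020)", "10.0.17763.1282", "10.0.17763.1490"),
]

# Matches the bracketed part of `ver` output, e.g. "[Version 10.0.17134.1]".
VER_RE = re.compile(r"\[Version (\d+(?:\.\d+){3})\]")


def parse_version(text):
    """Return (major, minor, build, revision) from a dotted string or `ver` output."""
    match = VER_RE.search(text)
    dotted = match.group(1) if match else text.strip()
    if not re.fullmatch(r"\d+(?:\.\d+){3}", dotted):
        raise ValueError(f"not major.minor.build.revision: {text!r}")
    return tuple(int(part) for part in dotted.split("."))


def in_range(device, minimum, maximum):
    """Inclusive check on integer tuples. Compared as plain strings,
    "10.0.18363.900" sorts after "10.0.18363.1110" and the 1909 row breaks."""
    return parse_version(minimum) <= parse_version(device) <= parse_version(maximum)


def matching_entry(device, entries=VALID_BUILDS):
    """Return the description of the first range that admits the device, else None."""
    for description, minimum, maximum in entries:
        if in_range(device, minimum, maximum):
            return description
    return None


def compare_policies(device, entries=VALID_BUILDS):
    """Evaluate one device against a single min/max span and the per-release list."""
    lowest = min((entry[1] for entry in entries), key=parse_version)
    highest = max((entry[2] for entry in entries), key=parse_version)
    return {
        "single_min_max": in_range(device, lowest, highest),
        "valid_builds": matching_entry(device, entries) is not None,
    }


if __name__ == "__main__":
    # The first value is the article's `ver` sample; the other two are constructed.
    for device in ("Microsoft Windows [Version 10.0.17134.1]",
                   "10.0.18363.418", "10.0.19041.450"):
        print(device, compare_policies(device))
```

The constructed 1909 device at revision 418 falls inside the single span from 10.0.17763.1282 to 10.0.19041.508 but matches no row of the list, which is the patch-level gap the article describes.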

Configuration Manager Compliance

Applies only to co-managed devices running Windows 10 and later. Intune-only devices return a not available status.

  • Require device compliance from Configuration Manager:
    • Not configured (default) - Intune doesn't check for any of the Configuration Manager settings for compliance.
    • Require - Require all settings (configuration items) in Configuration Manager to be compliant.

System Security

Password

  • Require a password to unlock mobile devices:

    • Not configured (default) - This setting isn't evaluated for compliance or non-compliance.
    • Require - Users must enter a password before they can access their device.
  • Simple passwords:

    • Not configured (default) - Users can create simple passwords, such as 1234 or 1111.
    • Block - Users can't create simple passwords, such as 1234 or 1111.
  • Password type:
    Choose the type of password or PIN required. Your options:

    • Device default (default) - Require a password, numeric PIN, or alphanumeric PIN.
    • Numeric - Require a password or numeric PIN.
    • Alphanumeric - Require a password, or alphanumeric PIN.

    When set to Alphanumeric, the following settings are available:

  • Minimum password length:
    Enter the minimum number of digits or characters that the password must have.

  • Maximum minutes of inactivity before password is required:
    Enter the idle time before the user must reenter their password.

  • Password expiration (days):
    Enter the number of days before the password expires, and they must create a new one, from 1-730.

  • Number of previous passwords to prevent reuse:
    Enter the number of previously used passwords that can't be used.

  • Require password when device returns from idle state (Mobile and Holographic):

    • Not configured (default)
    • Require - Require device users to enter the password every time the device returns from an idle state.

    Important

    When the password requirement is changed on a Windows desktop, users are impacted the next time they sign in, as that's when the device goes from idle to active. Users with passwords that meet the requirement are still prompted to change their passwords.

Encryption

  • Encryption of data storage on a device:
    This setting applies to all drives on a device.

    • Not configured (default)
    • Require - Use Require to encrypt data storage on your devices.

    DeviceStatus CSP - DeviceStatus/Compliance/EncryptionCompliance

    Note

    The Encryption of data storage on a device setting generically checks for the presence of encryption on the device, more specifically at the OS drive level. Currently, Intune supports only the encryption check with BitLocker. For a more robust encryption setting, consider using Require BitLocker, which leverages Windows Device Health Attestation to validate BitLocker status at the TPM level.

Device Security

  • Firewall:

    • Not configured (default) - Intune doesn't control the Microsoft Defender Firewall, nor change existing settings.
    • Require - Turn on the Microsoft Defender Firewall, and prevent users from turning it off.

    Firewall CSP

    Note

    If the device immediately syncs after a reboot, or immediately syncs waking from sleep, then this setting may report as an Error. This scenario might not affect the overall device compliance status. To re-evaluate the compliance status, manually sync the device.

  • Trusted Platform Module (TPM):

    • Not configured (default) - Intune doesn't check the device for a TPM chip version.
    • Require - Intune checks the TPM chip version for compliance. The device is compliant if the TPM chip version is greater than 0 (zero). The device isn't compliant if there isn't a TPM version on the device.

    DeviceStatus CSP - DeviceStatus/TPM/SpecificationVersion

  • Antivirus:

    • Not configured (default) - Intune doesn't check for any antivirus solutions installed on the device.
    • Require - Check compliance using antivirus solutions that are registered with Windows Security Center, such as Symantec and Microsoft Defender.

    DeviceStatus CSP - DeviceStatus/Antivirus/Status

  • Antispyware:

    • Not configured (default) - Intune doesn't check for any antispyware solutions installed on the device.
    • Require - Check compliance using antispyware solutions that are registered with Windows Security Center, such as Symantec and Microsoft Defender.

    DeviceStatus CSP - DeviceStatus/Antispyware/Status

Defender

The following compliance settings are supported with Windows 10 Desktop.

  • Microsoft Defender Antimalware:

    • Not configured (default) - Intune doesn't control the service, nor change existing settings.
    • Require - Turn on the Microsoft Defender anti-malware service, and prevent users from turning it off.
  • Microsoft Defender Antimalware minimum version:
    Enter the minimum allowed version of Microsoft Defender anti-malware service. For example, enter 4.11.0.0. When left blank, any version of the Microsoft Defender anti-malware service can be used.

    By default, no version is configured.

  • Microsoft Defender Antimalware security intelligence up-to-date:
    Controls the Windows Security virus and threat protection updates on the devices.

    • Not configured (default) - Intune doesn't enforce any requirements.
    • Require - Force the Microsoft Defender security intelligence to be up-to-date.

    Defender CSP - Defender/Health/SignatureOutOfDate CSP

    For more information, see Security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware.

  • Real-time protection:

    • Not configured (default) - Intune doesn't control this feature, nor change existing settings.
    • Require - Turn on real-time protection, which scans for malware, spyware, and other unwanted software.

    Policy CSP - Defender/AllowRealtimeMonitoring CSP

Microsoft Defender for Endpoint

Microsoft Defender for Endpoint rules

  • Require the device to be at or under the machine risk score:
    Use this setting to take the risk assessment from your defense threat services as a condition for compliance. Choose the maximum allowed threat level:

    • Not configured (default)
    • Clear - This option is the most secure, as the device can't have any threats. If the device is detected as having any level of threats, it's evaluated as non-compliant.
    • Low - The device is evaluated as compliant if only low-level threats are present. Anything higher puts the device in a non-compliant status.
    • Medium - The device is evaluated as compliant if existing threats on the device are low or medium level. If the device is detected to have high-level threats, it's determined to be non-compliant.
    • High - This option is the least secure, and allows all threat levels. It may be useful if you're using this solution only for reporting purposes.

    To set up Microsoft Defender for Endpoint as your defense threat service, see Enable Microsoft Defender for Endpoint with Conditional Access.

Windows Holographic for Business

Windows Holographic for Business uses the Windows 10 and later platform. Windows Holographic for Business supports the following setting:

  • System Security > Encryption > Encryption of data storage on device.

To verify device encryption on the Microsoft HoloLens, see Verify device encryption.

Surface Hub

Surface Hub uses the Windows 10 and later platform. Surface Hubs are supported for both compliance and Conditional Access. To enable these features on Surface Hubs, we recommend you enable Windows 10 automatic enrollment in Intune (requires Azure Active Directory (Azure AD)), and target the Surface Hub devices as device groups. Surface Hubs are required to be Azure AD joined for compliance and Conditional Access to work.

For guidance, see set up enrollment for Windows devices.

Special consideration for Surface Hubs running Windows 10 Team OS:
Surface Hubs that run Windows 10 Team OS do not support the Microsoft Defender for Endpoint and Password compliance policies at this time. Therefore, for Surface Hubs that run Windows 10 Team OS, set the following two settings to their default of Not configured:

  • In the category Password, set Require a password to unlock mobile devices to the default of Not configured.

  • In the category Microsoft Defender for Endpoint, set Require the device to be at or under the machine risk score to the default of Not configured.

Next steps