Add endpoint protection settings in Intune

With Intune, you can use device configuration profiles to manage common endpoint protection security features on devices, including:

  • Firewall
  • BitLocker
  • Allowing and blocking apps
  • Microsoft Defender and encryption

For example, you can create an endpoint protection profile that only allows macOS users to install apps from the Mac App Store. Or, enable Windows SmartScreen when running apps on Windows 10 devices.

Before you create a profile, review the following articles that detail the endpoint protection settings Intune can manage for each supported platform:

Create a device profile containing endpoint protection settings

  1. Sign in to the Microsoft Endpoint Manager admin center.

  2. Select Devices > Configuration profiles > Create profile.

  3. Enter the following properties:

    • Platform: Choose the platform of your devices. Your options:

      • macOS
      • Windows 10 and later
    • Profile: Select Endpoint protection.

  4. Select Create.

  5. In Basics, enter the following properties:

    • Name: Enter a descriptive name for the policy. Name your policies so you can easily identify them later. For example, a good policy name might include the profile type and platform.

    • Description: Enter a description for the policy. This setting is optional, but recommended.

  6. Select Next.

  7. In Configuration settings, the settings you can configure differ depending on the platform you chose. Choose your platform for detailed settings:

  8. Select Next.

  9. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such as US-NC IT Team or JohnGlenn_ITDepartment. For more information about scope tags, see Use RBAC and scope tags for distributed IT.

    Select Next.

  10. In Assignments, select the users or groups that will receive your profile. For more information on assigning profiles, see Assign user and device profiles.

    Select Next.

  11. In Review + create, review your settings. When you select Create, your changes are saved, and the profile is assigned. The policy is also shown in the profiles list.

Add custom Firewall rules for Windows 10 devices

When you configure the Microsoft Defender Firewall as part of a profile that includes endpoint protection rules for Windows 10, you can configure custom rules for the Firewall. Custom rules let you expand on the pre-defined set of Firewall rules supported for Windows 10.

When you plan for profiles with custom Firewall rules, consider the following information, which could affect how you choose to group firewall rules in your profiles:

  • Each profile supports up to 150 firewall rules. When you use more than 150 rules, create additional profiles, each limited to 150 rules.

  • For each profile, if a single rule fails to apply, all rules in that profile are failed and none of the rules are applied to the device.

  • When a rule fails to apply, all rules in the profile are reported as failed. Intune cannot identify which individual rule failed.

The Firewall rules that Intune can manage are detailed in the Windows Firewall configuration service provider (CSP). To review the list of custom firewall settings for Windows 10 devices that Intune supports, see Custom Firewall rules.
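Because a profile is applied all-or-nothing and capped at 150 rules, it is worth planning the split before you start clicking through the admin center. The following added example (not from the original page or from Microsoft) takes a constructed rule inventory, keeps rules for the same app together where possible, and packs them into profile-sized batches so that one bad rule only takes down the profile for that app. The `app` field, the rule names and the helper names are assumptions for the illustration.

```python
from collections import defaultdict
from typing import Dict, Iterable, List

# Limit stated on the page: an Endpoint protection profile holds at most 150 firewall rules.
MAX_RULES_PER_PROFILE = 150


def plan_profiles(rules: Iterable[Dict[str, str]], group_key: str = "app",
                  cap: int = MAX_RULES_PER_PROFILE) -> List[List[Dict[str, str]]]:
    """Pack rules into profiles of at most `cap` rules.

    Rules sharing `group_key` are kept together so a single failing rule
    (which fails the whole profile) affects only that app's rules. Groups
    larger than `cap` are split into cap-sized chunks first; chunks are
    then placed first-fit, largest first, to keep the profile count low.
    """
    groups: Dict[str, List[Dict[str, str]]] = defaultdict(list)
    for rule in rules:
        groups[rule.get(group_key, "")].append(rule)

    chunks: List[List[Dict[str, str]]] = []
    for key in sorted(groups):  # deterministic order for reproducible plans
        grp = groups[key]
        chunks.extend(grp[i:i + cap] for i in range(0, len(grp), cap))

    chunks.sort(key=len, reverse=True)  # first-fit decreasing bin packing
    profiles: List[List[Dict[str, str]]] = []
    for chunk in chunks:
        for profile in profiles:
            if len(profile) + len(chunk) <= cap:
                profile.extend(chunk)
                break
        else:
            profiles.append(list(chunk))
    return profiles


def validate_plan(profiles: List[List[Dict[str, str]]], cap: int = MAX_RULES_PER_PROFILE) -> List[str]:
    """Return a list of problems: oversized profiles or duplicate rule names across profiles."""
    problems, seen = [], set()
    for idx, profile in enumerate(profiles, start=1):
        if len(profile) > cap:
            problems.append(f"profile {idx} has {len(profile)} rules (cap {cap})")
        for rule in profile:
            if rule["name"] in seen:
                problems.append(f"duplicate rule name {rule['name']!r}")
            seen.add(rule["name"])
    return problems


def make_sample_rules() -> List[Dict[str, str]]:
    """Constructed inventory: 160 rules for app A, 40 for app B, 30 for app C (230 total)."""
    counts = {"LOB-App-A": 160, "LOB-App-B": 40, "LOB-App-C": 30}
    return [{"name": f"{app}-rule-{n:03d}", "app": app, "direction": "in"}
            for app, total in counts.items() for n in range(total)]
```

With the sample inventory the planner yields two profiles (150 and 80 rules), the second holding the remaining 10 App-A rules alongside App-B and App-C.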

To add custom firewall rules to an Endpoint protection profile

  1. Sign in to the Microsoft Endpoint Manager admin center.

  2. Select Devices > Configuration profiles > Create Profile.

  3. For Platform, select Windows 10 and later, and then for Profile select Endpoint protection.

    Select Create.

  4. Enter a Name for your profile > Next.

  5. In Configuration settings, select Microsoft Defender Firewall. For Firewall rules, select Add to open the Create Rule page.

  6. Specify settings for the Firewall rule, and then select OK to save it. To review the available custom firewall rule options in documentation, see Custom Firewall rules.

    • The rule appears on the Microsoft Defender Firewall page in the list of rules.
    • To modify a rule, select the rule from the list to open the Edit Rule page.
    • To delete a rule from a profile, select the ellipsis (…) for the rule, and then select Delete.
    • To change the order in which rules display, select the up arrow or down arrow icon at the top of the rule list.
  7. Select Next until you get to Review + create. When you select Create, your changes are saved and the profile is assigned. The policy is also shown in the profiles list.

Next steps

The profile is created, but it may not be doing anything yet. Next, assign the profile and monitor its status.