Monitor security baselines and profiles in Microsoft Intune

Intune provides several options to monitor your security baselines. You can:

  • Monitor a security baseline, and any devices that match (or don't match) the recommended values.
  • Monitor the security baselines profile that applies to your users and devices.
  • View how the settings from a selected profile are set on a selected device.

You can also view the Endpoint security configurations that apply to individual devices, which include security baselines.

This article walks you through these monitoring options.

Security baselines in Intune provides more details on the security baselines feature in Microsoft Intune.

Monitor the baseline and your devices

When you monitor a baseline, you get insight into the security state of your devices based on Microsoft's recommendations. To view these insights, sign in to the Microsoft Endpoint Manager admin center, go to Endpoint security > Security baselines and select a security baseline type like the MDM Security Baseline. Then, from the Profile pane, select the profile instance for which you want to view details. This opens the profile's Properties pane, where you can select any of the profile reports from the Monitor section.

It takes up to 24 hours for data to appear after you first assign a baseline. Later changes take up to six hours to appear.

As you drill in to reports and devices, various details are available.

Monitor the profile

Monitoring the profile gives insight into the deployment state of your devices, but not the security state based on the baseline recommendations.

  1. In Intune, select Security Baselines > select a baseline to open its Profiles pane.
  2. Under Manage > Properties, a list of all the settings in the baseline is shown. You can also change any of these settings:

    View and update settings in a security baseline profile

  3. In Monitor, you can see the deployment status of the profile on individual devices, the status for each user, and the status for each setting in the baseline:

    View additional monitoring options for a security baseline profile

View settings from profiles that apply to a device

You can select a profile for a Security Baseline, and drill in to view a list of settings from that profile as they apply to an individual device. To view that list, drill into Endpoint security > Security baselines > select the security baseline type > select the Profile you want to view > Device status. You can also view the list by going to Endpoint Security > All devices > select a device > Endpoint security configuration > select a baseline version.

After you select a device, the Microsoft Endpoint Manager admin center displays a list of the settings from that profile, including the category the setting is from, and the configuration state on the device. Configuration states include the following values:

  • Success – The setting on the device matches the value as configured in the profile. This is either the baseline's default and recommended value, or a custom value specified by an administrator when the profile was configured.
  • Conflict – The setting is in conflict with another policy, has an error, or is pending an update.
  • Not applicable – The setting is not applied by the profile.

Note

The status values for settings will update in a future release to provide more granular details.

View Endpoint security configurations per device

View details about the security configurations that apply to an individual device, which can help you isolate settings that are misconfigured.

  1. Sign in to the Microsoft Endpoint Manager admin center.

  2. Go to Devices > All devices and select the device you want to view.

  3. In the Monitor category, select Endpoint security configuration to view the list of security configurations that apply to that device.

  4. You can select an Endpoint security configuration to drill in and view additional details about the evaluation of that security configuration on the device.

Troubleshoot using per-setting status

You deployed a security baseline, but the deployment status shows an error. The following steps give you some guidance on troubleshooting the error.

  1. In Intune, select Security Baselines > select a baseline > Profiles.

  2. Select a profile > Under Monitor > Per-setting status.

  3. The table shows all the settings, and the status of each setting. Select the Error column or the Conflict column to see the setting causing the error.

MDM diagnostic information

Now you know the problematic setting. The next step is to find out why this setting is causing an error or conflict.

On Windows 10 devices, there's a built-in MDM diagnostic information report. This report includes default values and current values, lists the policy, shows whether it's deployed to the device or the user, and more. Use this report to help determine why the setting is causing a conflict or error.

  1. On the device, go to Settings > Accounts > Access work or school.

  2. Select the account > Info > Advanced Diagnostic Report > Create report.

  3. Choose Export, and open the generated file.

  4. In the report, look for the error or conflict setting in the different sections of the report.

For example, look in the Enrolled configuration sources and target resources section or the Unmanaged policies section. You may get an idea of why it's causing an error or conflict.

Diagnose MDM failures in Windows 10 provides more information on this built-in report.

Tip

  • Some settings also list the GUID. You can search for this GUID in the local registry (regedit) for any set values.
  • The Event Viewer logs may also include some error information on the problematic setting (Event viewer > Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin).
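The two tips above can also be carried out from PowerShell on the device. The script below is an added example, not part of the original article: it reads errors and warnings from the DeviceManagement-Enterprise-Diagnostics-Provider Admin log and searches the registry for a setting's GUID. The GUID default is a placeholder, and the registry root searched (`HKLM:\SOFTWARE\Microsoft\PolicyManager`) is an assumption, since the article does not name a location.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell
# session on the affected Windows 10 device.
param(
    # Placeholder: replace with the GUID listed for the problematic setting.
    [string]$SettingGuid = '00000000-0000-0000-0000-000000000000',
    # Assumption: registry roots to search; the article does not name any.
    [string[]]$SearchRoots = @('HKLM:\SOFTWARE\Microsoft\PolicyManager'),
    # How many days of event history to review.
    [int]$Days = 2
)

# The Event Viewer path from the tip, expressed as a log name.
$logName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'

# Level 2 = Error, Level 3 = Warning.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = $logName
    Level     = 2, 3
    StartTime = (Get-Date).AddDays(-$Days)
} -ErrorAction SilentlyContinue

$events | Sort-Object TimeCreated -Descending |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-List

# Search key names, value names and value data for the GUID.
$hits = foreach ($root in $SearchRoots) {
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        if ($key.Name -like "*$SettingGuid*") {
            [pscustomobject]@{ Key = $key.Name; Value = '(key name)'; Data = '' }
        }
        foreach ($name in $key.GetValueNames()) {
            # Multi-string and binary data are flattened to one string for matching.
            $data = [string]$key.GetValue($name)
            if ($name -like "*$SettingGuid*" -or $data -like "*$SettingGuid*") {
                [pscustomobject]@{ Key = $key.Name; Value = $name; Data = $data }
            }
        }
    }
}
$hits | Format-Table -AutoSize -Wrap
```

Event messages that name the conflicting setting can then be compared with the registry values found for the same GUID.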

Next steps