Get started with Endpoint data loss prevention

Microsoft Endpoint data loss prevention (Endpoint DLP) is part of the Microsoft 365 data loss prevention (DLP) suite of features you can use to discover and protect sensitive items across Microsoft 365 services. For more information about all of Microsoft's DLP offerings, see Learn about data loss prevention. To learn more about Endpoint DLP, see Learn about Endpoint data loss prevention.

Microsoft Endpoint DLP allows you to monitor Windows 10 devices and detect when sensitive items are used and shared. This gives you the visibility and control you need to ensure that they are used and protected properly, and to help prevent risky behavior that might compromise them.

Before you begin

SKU/subscriptions licensing

Before you get started with Endpoint DLP, you should confirm your Microsoft 365 subscription and any add-ons. To access and use Endpoint DLP functionality, you must have one of these subscriptions or add-ons.

  • Microsoft 365 E5
  • Microsoft 365 A5 (EDU)
  • Microsoft 365 E5 compliance
  • Microsoft 365 A5 compliance
  • Microsoft 365 E5 information protection and governance
  • Microsoft 365 A5 information protection and governance

Permissions

To enable device management, the account you use must be a member of any one of these roles:

  • Global admin
  • Security admin
  • Compliance admin

If you want to use a custom account to view the device management settings, it must be in one of these roles:

  • Global admin
  • Compliance admin
  • Compliance data admin
  • Global reader

If you want to use a custom account to access the onboarding/offboarding page, it must be in one of these roles:

  • Global admin
  • Compliance admin

If you want to use a custom account to turn on/off device monitoring, it must be in one of these roles:

  • Global admin
  • Compliance admin

Data from Endpoint DLP can be viewed in Activity explorer. There are four roles that grant permission to Activity explorer; the account you use for accessing the data must be a member of any one of them.

  • Global admin
  • Compliance admin
  • Security admin
  • Compliance data admin
  • Global reader
  • Security reader
  • Reports reader

Prepare your endpoints

Make sure that the Windows 10 devices that you plan on deploying Endpoint DLP to meet these requirements.

  1. Must be running Windows 10 x64 build 1809 or later.

  2. Antimalware Client Version is 4.18.2009.7 or newer. To check your current version, open the Windows Security app, select the Settings icon, and then select About. The version number is listed under Antimalware Client Version. Update to the latest Antimalware Client Version by installing Windows Update KB4052623.

    Note

    None of the Windows Security components need to be active; you can run Endpoint DLP independent of Windows Security status, but Real-time protection and Behavior monitor must be enabled.

  3. The following Windows Updates are installed.

    Note

    These updates are not a prerequisite to onboard a device to Endpoint DLP, but they contain fixes for important issues and so must be installed before using the product.

    • For Windows 10 1809 - KB4559003, KB4577069, KB4580390
    • For Windows 10 1903 or 1909 - KB4559004, KB4577062, KB4580386
    • For Windows 10 2004 - KB4568831, KB4577063
    • For devices running Office 2016 (and not any other Office version) - KB4577063
  4. All devices must be Azure Active Directory (Azure AD) joined, AD joined, Hybrid Azure AD joined, or AAD registered.

  5. Install the Microsoft Chromium Edge browser on the endpoint device to enforce policy actions for the upload-to-cloud activity. See Download the new Microsoft Edge based on Chromium.

  6. If you are on the Monthly Enterprise Channel of Microsoft 365 Apps, versions 2004-2008, there is a known issue with Endpoint DLP classifying Office content, and you need to update to version 2009 or later. See Update history for Microsoft 365 Apps (listed by date) for current versions. To learn more about this issue, see the Office Suite section of Release notes for Current Channel releases in 2020.

  7. If you have endpoints that use a device proxy to connect to the internet, follow the procedures in Configure device proxy and internet connection settings for Endpoint DLP.
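
The following read-only readiness check, added here as an example and not part of the Microsoft documentation, runs items 1 through 5 of the list above on a Windows 10 device from an elevated PowerShell session. It assumes the usual OS build numbers for each Windows 10 release (1809 = 17763, 1903 = 18362, 1909 = 18363, 2004 = 19041), the default Edge install path, and the `dsregcmd /status` output format; the Office channel check (item 6) and proxy settings (item 7) are not covered.

```powershell
# Added example: Endpoint DLP prerequisite check (read-only, no changes made).
$results = [ordered]@{}

# 1. Windows 10 x64, release 1809 or later (assumed OS build 17763 or higher).
$build = [System.Environment]::OSVersion.Version.Build
$results['Windows 10 x64 1809+'] = [Environment]::Is64BitOperatingSystem -and $build -ge 17763

# 2. Antimalware Client Version 4.18.2009.7 or newer, with real-time protection
#    and behavior monitoring enabled. Get-MpComputerStatus exposes these values;
#    AMProductVersion corresponds to the "Antimalware Client Version" shown in Windows Security.
$mp = Get-MpComputerStatus
$results['AM client >= 4.18.2009.7'] = [version]$mp.AMProductVersion -ge [version]'4.18.2009.7'
$results['Real-time protection on']  = $mp.RealTimeProtectionEnabled
$results['Behavior monitoring on']   = $mp.BehaviorMonitorEnabled

# 3. Fix KBs per release, taken from the list above, keyed by assumed OS build number.
$kbByBuild = @{
    17763 = 'KB4559003', 'KB4577069', 'KB4580390'   # 1809
    18362 = 'KB4559004', 'KB4577062', 'KB4580386'   # 1903
    18363 = 'KB4559004', 'KB4577062', 'KB4580386'   # 1909
    19041 = 'KB4568831', 'KB4577063'                # 2004
}
if ($kbByBuild.ContainsKey($build)) {
    $installed = (Get-HotFix).HotFixID
    foreach ($kb in $kbByBuild[$build]) {
        $results["Update $kb installed"] = $installed -contains $kb
    }
} else {
    $results["Known KB list for build $build"] = $false   # release not in the table above
}

# 4. Azure AD joined, AD joined, hybrid joined, or AAD registered, read from dsregcmd output.
$ds = dsregcmd /status
$joined = $ds -match 'AzureAdJoined\s*:\s*YES|DomainJoined\s*:\s*YES|WorkplaceJoined\s*:\s*YES'
$results['AAD/AD joined or registered'] = @($joined).Count -gt 0

# 5. Chromium-based Edge present (assumed default install path).
$edge = Join-Path ${env:ProgramFiles(x86)} 'Microsoft\Edge\Application\msedge.exe'
$results['Chromium Edge installed'] = Test-Path $edge

# Print one line per check so the device can be fixed before onboarding.
$results.GetEnumerator() | ForEach-Object {
    '{0,-34} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'CHECK' })
}
```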

Onboarding devices into device management

You must enable device monitoring and onboard your endpoints before you can monitor and protect sensitive items on a device. Both of these actions are done in the Microsoft 365 Compliance portal.

When you want to onboard devices that haven't been onboarded yet, you'll download the appropriate script and deploy it to those devices. Follow the Onboarding devices procedure.

If you already have devices onboarded into Microsoft Defender for Endpoint, they will already appear in the managed devices list. Follow the With devices onboarded into Microsoft Defender for Endpoint procedure.

Onboarding devices

In this deployment scenario, you'll onboard devices that have not been onboarded yet, and you just want to monitor and protect sensitive items from unintentional sharing on Windows 10 devices.

  1. Open the Microsoft compliance center.

  2. Open the Compliance Center settings page and choose Onboard devices.

    enable device management

    Note

    While it usually takes about 60 seconds for device onboarding to be enabled, please allow up to 30 minutes before engaging with Microsoft support.

  3. Choose Device management to open the Devices list. The list will be empty until you onboard devices.

  4. Choose Onboarding to begin the onboarding process.

  5. Choose the way you want to deploy to these additional devices from the Deployment method list and then Download package.

    deployment method

  6. Follow the appropriate procedures in Onboarding tools and methods for Windows 10 machines. This link takes you to a landing page where you can access the Microsoft Defender for Endpoint procedures that match the deployment package you selected in step 5:

    • Onboard Windows 10 machines using Group Policy
    • Onboard Windows 10 machines using Microsoft Endpoint Configuration Manager
    • Onboard Windows 10 machines using Mobile Device Management tools
    • Onboard Windows 10 machines using a local script
    • Onboard non-persistent virtual desktop infrastructure (VDI) machines

Once done and the endpoint is onboarded, it should be visible in the devices list and should also start reporting audit activity logs to Activity explorer.

Note

This experience is under license enforcement. Without the required license, data will not be visible or accessible.

With devices onboarded into Microsoft Defender for Endpoint

In this scenario, Microsoft Defender for Endpoint is already deployed and there are endpoints reporting in. All these endpoints will appear in the managed devices list. You can continue to onboard new devices into Endpoint DLP to expand coverage by using the Onboarding devices procedure.

  1. Open the Microsoft compliance center.

  2. Open the Compliance Center settings page and choose Enable device monitoring.

  3. Choose Device management to open the Devices list. You should see the list of devices that are already reporting in to Microsoft Defender for Endpoint.

    device management

  4. Choose Onboarding if you need to onboard additional devices.

  5. Choose the way you want to deploy to these additional devices from the Deployment method list and then Download package.

  6. Follow the appropriate procedures in Onboarding tools and methods for Windows 10 machines. This link takes you to a landing page where you can access the Microsoft Defender for Endpoint procedures that match the deployment package you selected in step 5:

    • Onboard Windows 10 machines using Group Policy
    • Onboard Windows 10 machines using Microsoft Endpoint Configuration Manager
    • Onboard Windows 10 machines using Mobile Device Management tools
    • Onboard Windows 10 machines using a local script
    • Onboard non-persistent virtual desktop infrastructure (VDI) machines

Once done and the endpoint is onboarded, it should be visible under the Devices table and should also start reporting audit logs to Activity explorer.

Note

This experience is under license enforcement. Without the required license, data will not be visible or accessible.

Viewing Endpoint DLP alerts in the DLP Alerts Management dashboard

  1. Open the Data loss prevention page in the Microsoft 365 Compliance center and choose Alerts.

  2. Refer to the procedures in How to configure and view alerts for your DLP policies to view alerts for your Endpoint DLP policies.

Viewing Endpoint DLP data in Activity explorer

  1. Open the Data classification page for your domain in the Microsoft 365 Compliance center and choose Activity explorer.

  2. Refer to the procedures in Get started with Activity explorer to access and filter all the data for your Endpoint devices.

    activity explorer filter for endpoint devices

Next steps

Now that you have onboarded devices and can view the activity data in Activity explorer, you are ready to move on to your next step, where you create DLP policies that protect your sensitive items.

See also