Onboard Windows 10 devices using Mobile Device Management tools

You can use mobile device management (MDM) solutions to configure devices. Defender for Endpoint supports MDMs by providing OMA-URIs to create policies to manage devices.

For more information on using the Defender for Endpoint CSP, see WindowsAdvancedThreatProtection CSP and WindowsAdvancedThreatProtection DDF file.

Before you begin

If you're using Microsoft Intune, the device must be MDM enrolled. Otherwise, settings will not be applied successfully.

For more information on enabling MDM with Microsoft Intune, see Device enrollment (Microsoft Intune).

Onboard devices using Microsoft Intune

Image of the PDF showing onboarding devices to Defender for Endpoint using Microsoft Intune

Check out the PDF or Visio to see the various paths in deploying Defender for Endpoint.

Follow the instructions from Intune.

Note

  • The Health Status for onboarded devices policy uses read-only properties and can't be remediated.
  • Configuration of diagnostic data reporting frequency is only available for devices on Windows 10, version 1703.

Tip

After onboarding the device, you can choose to run a detection test to verify that a device is properly onboarded to the service. For more information, see Run a detection test on a newly onboarded Microsoft Defender for Endpoint device.

Check out the PDF or Visio to see the various paths in deploying Microsoft Defender for Endpoint.

Offboard and monitor devices using Mobile Device Management tools

For security reasons, the package used to offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a device will be rejected. When downloading an offboarding package, you will be notified of the package's expiry date, and it will also be included in the package name.

Note

Onboarding and offboarding policies must not be deployed on the same device at the same time; otherwise this will cause unpredictable collisions.

  1. Get the offboarding package from Microsoft Defender Security Center:

    1. In the navigation pane, select Settings > Offboarding.

    2. Select Windows 10 as the operating system.

    3. In the Deployment method field, select Mobile Device Management / Microsoft Intune.

    4. Click Download package, and save the .zip file.

  2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named WindowsDefenderATP_valid_until_YYYY-MM-DD.offboarding.

  3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings.

    OMA-URI: ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Offboarding
    Data type: String
    Value: [Copy and paste the value from the content of the WindowsDefenderATP_valid_until_YYYY-MM-DD.offboarding file]

For more information on Microsoft Intune policy settings, see Windows 10 policy settings in Microsoft Intune.
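An added pre-deployment check for steps 2 and 3 above (example code, not Microsoft's): it reads the expiry date from the package file name, refuses a package that is expired or about to expire, and returns the OMA-URI setting to paste into the custom policy. The function name, the `MinDaysRemaining` margin, and treating the date in the name as the last valid day are assumptions.

```powershell
function Get-OffboardingSetting {
    [CmdletBinding()]
    param(
        # Folder the .zip was extracted to (path supplied by the caller)
        [Parameter(Mandatory)] [string] $PackageFolder,
        # Assumption: keep a margin so the policy reaches devices before expiry
        [int] $MinDaysRemaining = 2,
        [datetime] $Today = (Get-Date).Date
    )
    $inv = [System.Globalization.CultureInfo]::InvariantCulture
    $files = @(Get-ChildItem -LiteralPath $PackageFolder -Filter '*.offboarding' -File)
    if ($files.Count -ne 1) {
        throw "Expected exactly one .offboarding file in '$PackageFolder', found $($files.Count)."
    }
    $file = $files[0]

    # The expiry date is carried in the package file name
    $pattern = '^WindowsDefenderATP_valid_until_(\d{4}-\d{2}-\d{2})\.offboarding$'
    if ($file.Name -notmatch $pattern) {
        throw "Unexpected package name '$($file.Name)'; cannot determine the expiry date."
    }
    $expiry = $Matches[1]
    $validUntil = [datetime]::ParseExact($expiry, 'yyyy-MM-dd', $inv)

    # Expired packages are rejected by the device, so stop before deploying one
    $daysLeft = ($validUntil - $Today.Date).Days
    if ($daysLeft -lt $MinDaysRemaining) {
        throw "Package valid until $expiry has $daysLeft day(s) left; download a fresh one."
    }

    # The file content is the policy value; pass it through unmodified
    $value = Get-Content -LiteralPath $file.FullName -Raw
    if ([string]::IsNullOrWhiteSpace($value)) { throw "Package '$($file.Name)' is empty." }

    [pscustomobject]@{
        OmaUri     = './Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Offboarding'
        DataType   = 'String'
        Value      = $value
        ValidUntil = $validUntil
        DaysLeft   = $daysLeft
    }
}

# Constructed demo: a temporary folder holding a placeholder file, not a real package
$demo = Join-Path ([System.IO.Path]::GetTempPath()) ([guid]::NewGuid().ToString())
New-Item -ItemType Directory -Path $demo | Out-Null
$date = (Get-Date).AddDays(10).ToString('yyyy-MM-dd', [cultureinfo]::InvariantCulture)
Set-Content -LiteralPath (Join-Path $demo "WindowsDefenderATP_valid_until_$date.offboarding") -Value 'constructed-placeholder'
Get-OffboardingSetting -PackageFolder $demo | Format-List OmaUri, DataType, ValidUntil, DaysLeft
Remove-Item -LiteralPath $demo -Recurse -Force
```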

Note

The Health Status for offboarded devices policy uses read-only properties and can't be remediated.

Important

Offboarding causes the device to stop sending sensor data to the portal, but data from the device, including reference to any alerts it has had, will be retained for up to 6 months.