Common identity and device access policies

This article describes the common recommended policies for securing access to Microsoft 365 cloud services, including on-premises applications published with Azure Active Directory (Azure AD) Application Proxy.

This guidance discusses how to deploy the recommended policies in a newly provisioned environment. Setting up these policies in a separate lab environment allows you to understand and evaluate them before staging the rollout to your preproduction and production environments. The newly provisioned environment can be cloud-only or hybrid, to reflect your evaluation needs.

Policy set

The following diagram illustrates the recommended set of policies. It shows which tier of protection each policy applies to, whether a policy applies to PCs, to phones and tablets, or to both categories of devices, and where you configure it.

Diagram: Common policies for configuring identity and device access

A one-page PDF summary with links to the individual policies, "Identity and device protection for Microsoft 365", is available as a handout.

The rest of this article describes how to configure these policies.

Note

Requiring the use of multi-factor authentication (MFA) before enrolling devices in Intune is recommended, to ensure that the device is in the possession of the intended user. You must enroll devices in Intune before you can enforce device compliance policies.

To give you time to accomplish these tasks, we recommend implementing the baseline policies in the order listed in this table. However, the MFA policies for the sensitive and highly regulated levels of protection can be implemented at any time.

Protection level | Policy | More information | Licensing
Baseline | Require MFA when sign-in risk is medium or high | | Microsoft 365 E5, or Microsoft 365 E3 with the E5 Security add-on
Baseline | Block clients that don't support modern authentication | Clients that do not use modern authentication can bypass Conditional Access policies, so it is important to block them. | Microsoft 365 E3 or E5
Baseline | High-risk users must change password | Forces users to change their password when signing in if high-risk activity is detected for their account. | Microsoft 365 E5, or Microsoft 365 E3 with the E5 Security add-on
Baseline | Apply Application Protection Policies (APP) data protection | One Intune app protection policy per platform (Windows, iOS/iPadOS, Android). | Microsoft 365 E3 or E5
Baseline | Require approved apps and app protection | Enforces mobile app protection for phones and tablets using iOS, iPadOS, or Android. | Microsoft 365 E3 or E5
Baseline | Define device compliance policies | One policy for each platform. | Microsoft 365 E3 or E5
Baseline | Require compliant PCs | Enforces Intune management of PCs using Windows or macOS. | Microsoft 365 E3 or E5
Sensitive | Require MFA when sign-in risk is low, medium, or high | | Microsoft 365 E5, or Microsoft 365 E3 with the E5 Security add-on
Sensitive | Require compliant PCs and mobile devices | Enforces Intune management for both PCs (Windows or macOS) and phones or tablets (iOS, iPadOS, or Android). | Microsoft 365 E3 or E5
Highly regulated | Always require MFA | | Microsoft 365 E3 or E5

Assigning policies to groups and users

Before configuring policies, identify the Azure AD groups you are using for each tier of protection. Typically, baseline protection applies to everybody in the organization. A user who is included for both baseline and sensitive protection will have all the baseline policies applied plus the sensitive policies. Protection is cumulative, and the most restrictive policy is enforced.

A recommended practice is to create an Azure AD group for Conditional Access exclusion. Add this group to all of your Conditional Access policies, in the Exclude value of the Users and groups setting in the Assignments section. This gives you a way to restore access for a user while you troubleshoot access issues, and is recommended as a temporary solution only. Monitor this group for changes and make sure that the exclusion group is used only as intended; membership changes to the group are recorded in the Azure AD audit log.

Here's an example of group assignment and exclusions for requiring MFA.

Screenshot: example of group assignment and exclusions for MFA policies

Here are the results:

  • All users are required to use MFA when the sign-in risk is medium or high.

  • Members of the Executive Staff group are required to use MFA when the sign-in risk is low, medium, or high.

    In this case, members of the Executive Staff group match both the baseline and the sensitive Conditional Access policies. The access controls for both policies are combined, which in this case is equivalent to the sensitive Conditional Access policy.

  • Members of the Top Secret Project X group are always required to use MFA.

    In this case, members of the Top Secret Project X group match both the baseline and the highly regulated Conditional Access policies. The access controls for both policies are combined. Because the access control for the highly regulated Conditional Access policy is more restrictive, it is the one that takes effect.

Be careful when applying higher levels of protection to groups and users. For example, members of the Top Secret Project X group will be required to use MFA every time they sign in, even when they are not working on the highly regulated content for Project X.
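The combination rule described above (every matching policy must be satisfied, so controls accumulate and a block wins) is easy to get wrong when several tiers overlap. The following script is an added example, not part of the original article: it models the three MFA policies from the example with plain group names and evaluates which controls a sign-in ends up with. Group names, the exclusion group name, and the sample sign-ins are constructed; real policies are keyed on group object IDs.

```python
"""Model how Azure AD Conditional Access combines the policies that match one sign-in.

Added example, not part of the original article. Group and policy names are
constructed for illustration; real policies reference group object IDs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    include_groups: frozenset                     # {"All"} means every user
    exclude_groups: frozenset = frozenset()
    sign_in_risk: frozenset = frozenset()         # empty = risk condition not configured
    grant: frozenset = frozenset()                # e.g. {"mfa"} or {"block"}


def applies(policy: Policy, user_groups: set, risk: str) -> bool:
    """A policy applies when the user is in scope and every configured condition matches."""
    if user_groups & policy.exclude_groups:
        return False                              # exclusions always win over inclusions
    in_scope = "All" in policy.include_groups or bool(user_groups & policy.include_groups)
    if not in_scope:
        return False
    if policy.sign_in_risk and risk not in policy.sign_in_risk:
        return False                              # risk condition configured but not met
    return True


def evaluate(policies, user_groups, risk):
    """Return the combined grant controls for this sign-in.

    Conditional Access requires every matching policy to be satisfied, so the
    required controls are the union over matching policies, and a single
    matching policy that blocks denies the sign-in outright.
    """
    required = set()
    for p in policies:
        if applies(p, set(user_groups), risk):
            required |= p.grant
    if "block" in required:
        return {"block"}
    return required


# The three MFA policies from the article's example, all excluding the exclusion group.
EXCLUSION = "CA-Exclusion"
POLICY_SET = [
    Policy("Baseline: MFA at medium/high risk", frozenset({"All"}), frozenset({EXCLUSION}),
           frozenset({"medium", "high"}), frozenset({"mfa"})),
    Policy("Sensitive: MFA at low/medium/high risk", frozenset({"Executive Staff"}),
           frozenset({EXCLUSION}), frozenset({"low", "medium", "high"}), frozenset({"mfa"})),
    Policy("Highly regulated: always MFA", frozenset({"Top Secret Project X"}),
           frozenset({EXCLUSION}), frozenset(), frozenset({"mfa"})),
]

if __name__ == "__main__":
    # Constructed sign-ins: (groups the user belongs to, sign-in risk reported by Identity Protection)
    for groups, risk in [({"Staff"}, "none"), ({"Staff"}, "high"),
                         ({"Executive Staff"}, "low"), ({"Top Secret Project X"}, "none"),
                         ({"Executive Staff", EXCLUSION}, "high")]:
        print(sorted(groups), risk, "->", sorted(evaluate(POLICY_SET, groups, risk)) or "no controls")
```

The last sample sign-in shows why the exclusion group must be watched: a member of it bypasses every policy, including the sensitive tier, regardless of risk.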

All Azure AD groups created as part of these recommendations must be created as Microsoft 365 groups. This is important for the deployment of sensitivity labels when securing documents in Microsoft Teams and SharePoint.

Screenshot: example of creating a Microsoft 365 group

Require MFA based on sign-in risk

You should have your users register for MFA before requiring its use. If you have Microsoft 365 E5, Microsoft 365 E3 with the E5 Security add-on, Office 365 with EMS E5, or individual Azure AD Premium P2 licenses, you can use the MFA registration policy in Azure AD Identity Protection to require that users register for MFA. The prerequisite work includes registering all users for MFA.

After your users are registered, you can require MFA for sign-in with a new Conditional Access policy.

  1. Go to the Azure portal, and sign in with your credentials.
  2. In the list of Azure services, choose Azure Active Directory.
  3. In the Manage list, choose Security, and then choose Conditional Access.
  4. Choose New policy and type the new policy's name.

The following tables describe the Conditional Access policy settings that require MFA based on sign-in risk.

In the Assignments section:

Setting | Properties | Values | Notes
Users and groups | Include | Select users and groups > Users and groups: select the specific groups containing the targeted user accounts. | Start with the group that includes the pilot user accounts.
Users and groups | Exclude | Users and groups: select your Conditional Access exception group and your service accounts (app identities). | Membership should be modified on an as-needed, temporary basis.
Cloud apps or actions | Cloud apps > Include | Select apps: select the apps you want this policy to apply to. For example, select Exchange Online. |
Conditions | | Configure conditions that are specific to your environment and needs. |
Conditions | Sign-in risk | See the guidance in the following table. |

Sign-in risk condition settings

Apply the risk level settings based on the protection level you are targeting.

Level of protection | Risk level values needed | Action
Baseline | High, medium | Check both.
Sensitive | High, medium, low | Check all three.
Highly regulated | (none) | Leave all options unchecked, so that the risk condition is not configured and MFA is always enforced.

In the Access controls section:

Setting | Properties | Values | Action
Grant | Grant access | | Select
Grant | Require multi-factor authentication | | Check
Grant | Require all the selected controls | | Select

Choose Select to save the Grant settings.

Finally, select On for Enable policy, and then choose Create. If you want to see the policy's effect in the sign-in logs before enforcing it, select Report-only instead of On for the first rollout.

Also consider using the What If tool to test the policy.

Block clients that don't support multi-factor authentication

Use the settings in these tables for a Conditional Access policy that blocks clients that don't support multi-factor authentication.

For the list of Microsoft 365 clients that do support multi-factor authentication, see the Microsoft 365 documentation.

In the Assignments section:

Setting | Properties | Values | Notes
Users and groups | Include | Select users and groups > Users and groups: select the specific groups containing the targeted user accounts. | Start with the group that includes the pilot user accounts.
Users and groups | Exclude | Users and groups: select your Conditional Access exception group and your service accounts (app identities). | Membership should be modified on an as-needed, temporary basis.
Cloud apps or actions | Cloud apps > Include | Select apps: select the apps corresponding to the clients that do not support modern authentication. |
Conditions | Client apps | Choose Yes for Configure. Clear the check marks for Browser and for Mobile apps and desktop clients, leaving Exchange ActiveSync clients and Other clients selected. | Only sign-ins from legacy-authentication clients then match the policy.

In the Access controls section:

Setting | Properties | Values | Action
Grant | Block access | | Select
Grant | Require all the selected controls | | Select

Choose Select to save the Grant settings.

Finally, select On for Enable policy, and then choose Create.

Consider using the What If tool to test the policy. Before enforcing the block, review the Azure AD sign-in logs, filtering on the Client app column, to find which users and service accounts still authenticate with legacy protocols such as IMAP, POP, authenticated SMTP, or Exchange ActiveSync with basic authentication.

For Exchange Online, you can use authentication policies to disable Basic authentication, which forces all client access requests to use modern authentication. Authentication policies are managed in Exchange Online PowerShell and can be assigned to individual users or set as the organization default.
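The sign-in log review recommended above is the step most likely to be skipped, and it is what prevents a block policy from breaking a scanner or a line-of-business mailbox on day one. The script below is an added example, not part of the original article: it takes sign-in records in the shape returned by the Microsoft Graph signIn resource (GET /auditLogs/signIns) and lists, per user, the legacy protocols they still use successfully. The field names (clientAppUsed, userPrincipalName, appDisplayName, createdDateTime, status.errorCode) are the real Graph names; the users, timestamps, and records themselves are constructed.

```python
"""Triage legacy-authentication sign-ins before enabling the block policy.

Added example, not part of the original article. The records are constructed to
look like Microsoft Graph signIn objects and carry only the fields used here.
"""
import json
from collections import defaultdict

# clientAppUsed values that Conditional Access treats as modern authentication. Every
# other value (IMAP4, POP3, Authenticated SMTP, Exchange ActiveSync, ...) is a legacy
# protocol that falls under the "Exchange ActiveSync clients" or "Other clients" client
# app types and cannot satisfy an MFA grant control, so it will be blocked.
MODERN_CLIENT_APPS = {"Browser", "Mobile Apps and Desktop clients"}

# Constructed sample export; not real sign-in data.
SAMPLE_SIGNINS = json.loads("""[
  {"createdDateTime": "2021-06-01T08:02:11Z", "userPrincipalName": "alice@contoso.example",
   "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Browser",
   "status": {"errorCode": 0}},
  {"createdDateTime": "2021-06-01T08:05:42Z", "userPrincipalName": "scanner@contoso.example",
   "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Authenticated SMTP",
   "status": {"errorCode": 0}},
  {"createdDateTime": "2021-06-01T09:17:03Z", "userPrincipalName": "bob@contoso.example",
   "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Exchange ActiveSync",
   "status": {"errorCode": 0}},
  {"createdDateTime": "2021-06-01T09:20:55Z", "userPrincipalName": "bob@contoso.example",
   "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Mobile Apps and Desktop clients",
   "status": {"errorCode": 0}},
  {"createdDateTime": "2021-06-02T02:41:19Z", "userPrincipalName": "alice@contoso.example",
   "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "IMAP4",
   "status": {"errorCode": 50126}}
]""")


def legacy_auth_report(signins, successful_only=True):
    """Map each user to the sorted (app, protocol) pairs they still reach over legacy auth.

    Failed sign-ins (non-zero errorCode) are skipped by default: a password guess over
    IMAP4 against an account is a reason to block sooner, not a dependency to preserve.
    """
    report = defaultdict(set)
    for s in signins:
        client = s.get("clientAppUsed", "")
        if not client or client in MODERN_CLIENT_APPS:
            continue
        if successful_only and s.get("status", {}).get("errorCode", 0) != 0:
            continue
        report[s["userPrincipalName"]].add((s["appDisplayName"], client))
    return {user: sorted(pairs) for user, pairs in report.items()}


if __name__ == "__main__":
    for user, pairs in legacy_auth_report(SAMPLE_SIGNINS).items():
        for app, protocol in pairs:
            print(f"{user:28} {protocol:24} -> {app}")
```

Bob appears once, for the basic-auth ActiveSync client, not for his Outlook mobile sign-in that the log reports as "Mobile Apps and Desktop clients"; the scanner account is the kind of dependency that needs an alternative (or a temporary exclusion) before the block goes live. Alice's failed IMAP4 attempt is not a dependency and is only listed when successful_only is False.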

High-risk users must change password

To ensure that the accounts of all high-risk users, which may be compromised, are forced to change their password when signing in, apply the following policy.

Sign in to the Microsoft Azure portal (https://portal.azure.com) with your administrator credentials, and then navigate to Azure AD Identity Protection > User risk policy.

In the Assignments section:

Type | Properties | Values | Action
Users | Include | All users | Select
User risk | | High | Select

In the second Assignments section (Access):

Type | Properties | Values | Action
Access | Allow access | | Select
Access | Require password change | | Check

Choose Done to save the Access settings.

Finally, select On for Enforce policy, and then choose Save.

Consider using the What If tool to test the policy. Note that a user can only self-remediate with a password change after completing MFA, so this policy depends on the MFA registration described earlier; users who are not registered are blocked until an administrator intervenes.

Use this policy in conjunction with Azure AD password protection, which detects and blocks known weak passwords, their variants, and additional weak terms that are specific to your organization. Using Azure AD password protection ensures that the changed passwords are strong ones.

Apply APP data protection policies

App protection policies (APP) define which apps are allowed and the actions they can take with your organization's data. The choices available in APP enable organizations to tailor the protection to their specific needs. For some, it may not be obvious which policy settings are required to implement a complete scenario. To help organizations prioritize mobile client endpoint hardening, Microsoft has introduced a taxonomy for its APP data protection framework for iOS and Android mobile app management.

The APP data protection framework is organized into three distinct configuration levels, each building on the previous level:

  • Enterprise basic data protection (Level 1) ensures that apps are protected with a PIN and encrypted, and performs selective wipe operations. For Android devices, this level validates Android device attestation. This is an entry-level configuration that provides data protection controls similar to those in Exchange Online mailbox policies and introduces IT and the user population to APP.
  • Enterprise enhanced data protection (Level 2) introduces APP data leakage prevention mechanisms and minimum OS requirements. This is the configuration applicable to most mobile users accessing work or school data.
  • Enterprise high data protection (Level 3) introduces advanced data protection mechanisms, enhanced PIN configuration, and APP Mobile Threat Defense. This configuration is desirable for users accessing high-risk data.

To see the specific recommendations for each configuration level and the minimum set of apps that must be protected, review Data protection framework using app protection policies.

Using the principles outlined in Identity and device access configurations, the Baseline and Sensitive protection tiers map closely to the Level 2 enterprise enhanced data protection settings, and the Highly regulated protection tier maps closely to the Level 3 enterprise high data protection settings.

Protection level | App protection policy | More information
Baseline | Level 2 enhanced data protection | The policy settings enforced in level 2 include all the policy settings recommended for level 1, and add to or update them to implement more controls and a more sophisticated configuration than level 1.
Sensitive | Level 2 enhanced data protection | The policy settings enforced in level 2 include all the policy settings recommended for level 1, and add to or update them to implement more controls and a more sophisticated configuration than level 1.
Highly regulated | Level 3 enterprise high data protection | The policy settings enforced in level 3 include all the policy settings recommended for levels 1 and 2, and add to or update them to implement more controls and a more sophisticated configuration than level 2.

To create a new app protection policy for each platform (iOS and Android) in Microsoft Endpoint Manager using the data protection framework settings, you can:

  1. Manually create the policies by following the steps in How to create and deploy app protection policies with Microsoft Intune.
  2. Import the sample Intune App Protection Policy Configuration Framework JSON templates with Intune's PowerShell scripts.

Require approved apps and APP protection

To enforce the app protection policies you applied in Intune, you must create a Conditional Access policy that requires approved client apps and the conditions set in the app protection policies.

Enforcing app protection policies requires the set of policies described in Require app protection policy for cloud app access with Conditional Access. These policies are each included in this recommended set of identity and access configuration policies.

To create the Conditional Access policy that requires approved apps and APP protection, follow "Step 1: Configure an Azure AD Conditional Access policy for Microsoft 365" in Scenario 1: Microsoft 365 apps require approved apps with app protection policies, which allows Outlook for iOS and Android but blocks OAuth-capable Exchange ActiveSync clients from connecting to Exchange Online.

Note

This policy ensures that mobile users can access all Office endpoints using the applicable apps.

If you are enabling mobile access to Exchange Online, implement Block ActiveSync clients, which prevents Exchange ActiveSync clients using basic authentication from connecting to Exchange Online. This policy is not pictured in the illustration at the top of this article. It is described and pictured in Policy recommendations for securing email.

To create the Conditional Access policy that requires Edge for iOS and Android, follow "Step 2: Configure an Azure AD Conditional Access policy for Microsoft 365" in Scenario 2: Browser apps require approved apps with app protection policies, which allows Edge for iOS and Android but blocks other mobile web browsers from connecting to Microsoft 365 endpoints.

These policies use the grant controls Require approved client app and Require app protection policy.

Finally, blocking legacy authentication for other client apps on iOS and Android devices ensures that those clients cannot bypass Conditional Access policies. If you are following the guidance in this article, you have already configured Block clients that don't support modern authentication.

Define device compliance policies

Device compliance policies define the requirements that devices must meet to be determined as compliant. You create Intune device compliance policies from within the Microsoft Endpoint Manager admin center.

You must create a policy for each PC, phone, or tablet platform:

  • Android device administrator
  • Android Enterprise
  • iOS/iPadOS
  • macOS
  • Windows 8.1 and later
  • Windows 10 and later

To create device compliance policies, sign in to the Microsoft Endpoint Manager admin center with your administrator credentials, and then navigate to Devices > Compliance policies > Policies. Select Create Policy.

For device compliance policies to be deployed, they must be assigned to user groups. You assign a policy after you create and save it. In the admin center, select the policy and then select Assignments. After selecting the groups that you want to receive the policy, select Save to save that group assignment and deploy the policy.

For step-by-step guidance on creating compliance policies in Intune, see Create a compliance policy in Microsoft Intune in the Intune documentation.

The following settings are recommended for PCs running Windows 10 and later, as configured in Step 2: Compliance settings of the policy creation process.

For Device health > Windows Health Attestation Service evaluation rules, see this table.

Properties | Value | Action
Require BitLocker | Require | Select
Require Secure Boot to be enabled on the device | Require | Select
Require code integrity | Require | Select

For Device properties, specify appropriate values for operating system versions based on your IT and security policies.

For Configuration Manager Compliance, select Require. This setting is only meaningful for devices that are co-managed with Configuration Manager; leave it Not configured for Intune-only devices.

For System security, see this table.

Type | Properties | Value | Action
Password | Require a password to unlock mobile devices | Require | Select
Password | Simple passwords | Block | Select
Password | Password type | Device default | Select
Password | Minimum password length | 6 | Type
Password | Maximum minutes of inactivity before password is required | 15 | Type (see note 1)
Password | Password expiration (days) | 41 | Type
Password | Number of previous passwords to prevent reuse | 5 | Type
Password | Require password when device returns from idle state (Mobile and Holographic) | Require | Available for Windows 10 and later
Encryption | Encryption of data storage on device | Require | Select
Device Security | Firewall | Require | Select
Device Security | Antivirus | Require | Select
Device Security | Antispyware | Require | Select (see note 2)
Defender | Microsoft Defender Antimalware | Require | Select
Defender | Microsoft Defender Antimalware minimum version | (your minimum version) | Type (see note 3)
Defender | Microsoft Defender Antimalware signature up to date | Require | Select
Defender | Real-time protection | Require | Select (see note 4)

Note 1: This setting is supported for Android 4.0 and above or KNOX 4.0 and above. For iOS devices, it is supported for iOS 8.0 and above.

Note 2: This setting requires an anti-spyware solution registered with Windows Security Center.

Note 3: Only supported for Windows 10 desktop. Microsoft recommends versions no more than five behind the most recent version.

Note 4: Only supported for Windows 10 desktop.

Microsoft Defender for Endpoint

Type | Properties | Value | Action
Microsoft Defender for Endpoint rules in the Microsoft Endpoint Manager admin center | Require the device to be at or under the machine risk score | Medium | Select
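The tables above describe the settings as portal clicks; the same policy can be created or audited through the Microsoft Graph deviceCompliancePolicies endpoint, which is also the easiest way to diff what is deployed against what was intended. The script below is an added example, not part of the original article: it expresses the recommended Windows 10 settings as a windows10CompliancePolicy request body (POST /deviceManagement/deviceCompliancePolicies) and then checks a constructed device report against it to show which rule a device would fail. The OS and Defender minimum versions are placeholders to set from your own baseline; the device-report field names and the report itself are this example's own, not an Intune API.

```python
"""The recommended Windows 10 compliance settings as a Graph request body, plus a local
check of which rules a given device would fail.

Added example, not part of the original article. Versions are placeholders; the device
report is constructed and its field names are this example's own.
"""


def windows10_compliance_policy(os_minimum_version, defender_minimum_version, grace_period_hours=0):
    """Return the compliance policy body for Windows 10 and later PCs."""
    return {
        "@odata.type": "#microsoft.graph.windows10CompliancePolicy",
        "displayName": "Baseline - Windows 10 and later",
        # Device health: Windows Health Attestation Service evaluation rules
        "bitLockerEnabled": True,
        "secureBootEnabled": True,
        "codeIntegrityEnabled": True,
        # Device properties
        "osMinimumVersion": os_minimum_version,
        # Configuration Manager compliance (only meaningful for co-managed devices)
        "configurationManagerComplianceRequired": True,
        # System security: password
        "passwordRequired": True,
        "passwordBlockSimple": True,
        "passwordRequiredType": "deviceDefault",
        "passwordMinimumLength": 6,
        "passwordMinutesOfInactivityBeforeLock": 15,
        "passwordExpirationDays": 41,
        "passwordPreviousPasswordBlockCount": 5,
        "passwordRequiredToUnlockFromIdle": True,
        # System security: encryption and device security
        "storageRequireEncryption": True,
        "activeFirewallRequired": True,
        "antivirusRequired": True,
        "antiSpywareRequired": True,
        # Microsoft Defender Antimalware
        "defenderEnabled": True,
        "defenderVersion": defender_minimum_version,
        "signatureOutOfDate": True,     # True = require signatures to be up to date
        "rtpEnabled": True,
        # Microsoft Defender for Endpoint: machine risk score at or under Medium
        "deviceThreatProtectionEnabled": True,
        "deviceThreatProtectionRequiredSecurityLevel": "medium",
        # Action for non-compliance. A 0-hour grace period marks the device non-compliant
        # immediately, so a "require compliant device" Conditional Access policy bites at once.
        "scheduledActionsForRule": [{
            "ruleName": "PasswordRequired",
            "scheduledActionConfigurations": [{
                "actionType": "block",
                "gracePeriodHours": grace_period_hours,
                "notificationTemplateId": "",
                "notificationMessageCCList": [],
            }],
        }],
    }


# (policy property that must be satisfied, field of the constructed device report it is checked against)
BOOLEAN_RULES = [
    ("bitLockerEnabled", "bitlocker"), ("secureBootEnabled", "secure_boot"),
    ("codeIntegrityEnabled", "code_integrity"), ("storageRequireEncryption", "encrypted"),
    ("activeFirewallRequired", "firewall"), ("antivirusRequired", "antivirus"),
    ("antiSpywareRequired", "antispyware"), ("defenderEnabled", "defender"),
    ("rtpEnabled", "realtime_protection"),
]
RISK_ORDER = ["secured", "low", "medium", "high"]   # Defender for Endpoint machine risk, ascending


def version_tuple(v):
    return tuple(int(x) for x in v.split("."))


def noncompliance_reasons(policy, device):
    """Return the policy rules the device report fails; an empty list means compliant."""
    reasons = [rule for rule, field in BOOLEAN_RULES if policy[rule] and not device.get(field, False)]
    if version_tuple(device["os_version"]) < version_tuple(policy["osMinimumVersion"]):
        reasons.append("osMinimumVersion")
    if version_tuple(device["defender_version"]) < version_tuple(policy["defenderVersion"]):
        reasons.append("defenderVersion")
    if policy["signatureOutOfDate"] and not device.get("signatures_current", False):
        reasons.append("signatureOutOfDate")
    if RISK_ORDER.index(device["machine_risk"]) > RISK_ORDER.index(
            policy["deviceThreatProtectionRequiredSecurityLevel"]):
        reasons.append("deviceThreatProtectionRequiredSecurityLevel")
    return reasons


if __name__ == "__main__":
    policy = windows10_compliance_policy("10.0.19041.0", "4.18.2104.14")   # placeholder versions
    device = {"bitlocker": True, "secure_boot": True, "code_integrity": True, "encrypted": True,
              "firewall": True, "antivirus": True, "antispyware": True, "defender": True,
              "realtime_protection": True, "signatures_current": True, "os_version": "10.0.19043.1052",
              "defender_version": "4.18.2105.5", "machine_risk": "high"}   # constructed report
    print(noncompliance_reasons(policy, device) or "compliant")
```

A device with everything else in order but a Defender for Endpoint machine risk of High fails only the risk-score rule, which is exactly the signal the compliant-device Conditional Access policies later in this article act on.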

Require compliant PCs (but not compliant phones and tablets)

Before adding a policy to require compliant PCs, be sure to enroll your devices for management in Intune. Using multi-factor authentication before enrolling devices into Intune is recommended, for assurance that the device is in the possession of the intended user.

To require compliant PCs:

  1. Go to the Azure portal, and sign in with your credentials.

  2. In the list of Azure services, choose Azure Active Directory.

  3. In the Manage list, choose Security, and then choose Conditional Access.

  4. Choose New policy and type the new policy's name.

  5. Under Assignments, choose Users and groups and include who you want the policy to apply to. Also exclude your Conditional Access exclusion group.

  6. Under Assignments, choose Cloud apps or actions.

  7. For Include, choose Select apps > Select, and then select the desired apps from the Cloud apps list. For example, select Exchange Online. Choose Select when done.

  8. To require compliant PCs (but not compliant phones and tablets), under Assignments, choose Conditions > Device platforms. Select Yes for Configure. Choose Select device platforms, select Windows and macOS, and then choose Done.

  9. Under Access controls, choose Grant.

  10. Choose Grant access and then check Require device to be marked as compliant. For multiple controls, select Require all the selected controls. When complete, choose Select.

  11. Select On for Enable policy, and then choose Create.

Note

Make sure that your own device is compliant before enabling this policy. Otherwise, you could be locked out and unable to change this policy until your user account has been added to the Conditional Access exclusion group.

Require compliant PCs and mobile devices

To require compliance for all devices:

  1. Go to the Azure portal, and sign in with your credentials.

  2. In the list of Azure services, choose Azure Active Directory.

  3. In the Manage list, choose Security, and then choose Conditional Access.

  4. Choose New policy and type the new policy's name.

  5. Under Assignments, choose Users and groups and include who you want the policy to apply to. Also exclude your Conditional Access exclusion group.

  6. Under Assignments, choose Cloud apps or actions.

  7. For Include, choose Select apps > Select, and then select the desired apps from the Cloud apps list. For example, select Exchange Online. Choose Select when done.

  8. Under Access controls, choose Grant.

  9. Choose Grant access and then check Require device to be marked as compliant. For multiple controls, select Require all the selected controls. When complete, choose Select.

  10. Select On for Enable policy, and then choose Create.

Note

Make sure that your own device is compliant before enabling this policy. Otherwise, you could be locked out and unable to change this policy until your user account has been added to the Conditional Access exclusion group. The only difference from the previous policy is the absence of the Device platforms condition: without it, phones and tablets are in scope as well as PCs.
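The portal procedures in this article (Require MFA based on sign-in risk, Block clients that don't support multi-factor authentication, Require compliant PCs, and Require compliant PCs and mobile devices) all produce the same kind of object, and teams that manage more than one tenant usually define them as code. The script below is an added example, not part of the original article: it builds that policy set as Microsoft Graph conditionalAccessPolicy request bodies (the schema accepted by POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies) and runs the checks a reviewer should make before switching any of them from report-only to enabled. The group object IDs are placeholders, and the policy names and lint rules are this example's own.

```python
"""The recommended Conditional Access policy set as Microsoft Graph request bodies.

Added example, not part of the original article. Group object IDs are placeholders;
policy names and lint rules are this example's own.
"""
import json

EXCHANGE_ONLINE = "00000002-0000-0ff1-ce00-000000000000"   # well-known app ID of Exchange Online


def ca_policy(name, include_groups, exclusion_group, grant, apps=(EXCHANGE_ONLINE,),
              sign_in_risk=(), client_app_types=(), platforms=(), enforce=False):
    """Assemble one policy body. A condition left empty is not configured and matches everything."""
    conditions = {
        "users": {"includeGroups": list(include_groups), "excludeGroups": [exclusion_group]},
        "applications": {"includeApplications": list(apps)},
        "signInRiskLevels": list(sign_in_risk),           # [] = no sign-in risk condition
    }
    if client_app_types:
        conditions["clientAppTypes"] = list(client_app_types)
    if platforms:
        conditions["platforms"] = {"includePlatforms": list(platforms), "excludePlatforms": []}
    return {
        "displayName": name,
        # Report-only first: the sign-in log then records what the policy would have done.
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": conditions,
        "grantControls": {"operator": "AND", "builtInControls": list(grant)},  # "Require all the selected controls"
    }


def recommended_policy_set(baseline_group, sensitive_group, regulated_group, exclusion_group):
    """The policies from the article's tables, keyed by display name."""
    policies = [
        ca_policy("Baseline - MFA when sign-in risk is medium or high", [baseline_group],
                  exclusion_group, ["mfa"], sign_in_risk=["medium", "high"]),
        ca_policy("Sensitive - MFA when sign-in risk is low, medium or high", [sensitive_group],
                  exclusion_group, ["mfa"], sign_in_risk=["low", "medium", "high"]),
        ca_policy("Highly regulated - always require MFA", [regulated_group], exclusion_group, ["mfa"]),
        # Legacy clients cannot complete MFA, so the only useful grant control is a block,
        # scoped to the two legacy client app types (Exchange ActiveSync clients, Other clients).
        ca_policy("Baseline - block clients that don't support modern authentication", [baseline_group],
                  exclusion_group, ["block"], client_app_types=["exchangeActiveSync", "other"]),
        ca_policy("Baseline - require compliant PCs", [baseline_group], exclusion_group,
                  ["compliantDevice"], platforms=["windows", "macOS"]),
        # No platform condition: phones and tablets must be compliant too.
        ca_policy("Sensitive - require compliant PCs and mobile devices", [sensitive_group],
                  exclusion_group, ["compliantDevice"]),
    ]
    return {p["displayName"]: p for p in policies}


def lint(policy, exclusion_group):
    """Problems to fix before switching a policy from report-only to enabled."""
    problems = []
    conditions, controls = policy["conditions"], policy["grantControls"]["builtInControls"]
    if exclusion_group not in conditions["users"]["excludeGroups"]:
        problems.append("exclusion group not excluded: no way back in if the policy misfires")
    if "block" in controls and len(controls) > 1:
        problems.append("block cannot be combined with other grant controls")
    if "block" in controls and not conditions.get("clientAppTypes"):
        problems.append("block without a client app condition denies every sign-in in scope")
    return problems


if __name__ == "__main__":
    policies = recommended_policy_set("<all-staff-group-id>", "<executive-staff-group-id>",
                                      "<top-secret-project-x-group-id>", "<ca-exclusion-group-id>")
    for name, body in policies.items():
        print(name, "->", lint(body, "<ca-exclusion-group-id>") or "ok")
    print(json.dumps(policies["Baseline - block clients that don't support modern authentication"], indent=2))
```

Every policy starts in enabledForReportingButNotEnforced; after reviewing the report-only results in the sign-in logs, rebuild the body with enforce=True for the policies you are ready to turn on. The first lint rule is the one that prevents the lockout the notes above warn about.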

Next step

Step 3: Policies for guest and external users

Learn about policy recommendations for guest and external users.