Requirements for installing and deploying the Azure Information Protection unified labeling scanner

*Applies to: Azure Information Protection, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2*

*Relevant for: AIP unified labeling client only. For the classic client, see Classic client scanner prerequisites*

Before installing the Azure Information Protection on-premises scanner, make sure that your system complies with the basic Azure Information Protection requirements.

Additionally, the following requirements are specific to the scanner:

If you can't meet all the requirements listed for the scanner because they are prohibited by your organization's policies, see the alternative configurations section.

When deploying the scanner in production or testing the performance of multiple scanners, see Storage requirements and capacity planning for SQL Server.

When you're ready to start installing and deploying your scanner, continue with Deploying the Azure Information Protection scanner to automatically classify and protect files.

Windows Server requirements

You must have a Windows Server computer to run the scanner, with the following system specifications:

Processor
    4 core processors

RAM
    8 GB

Disk space
    10 GB of free space (average) for temporary files.

    The scanner requires sufficient disk space to create temporary files for each file that it scans, four files per core.

    The recommended disk space of 10 GB allows 4 core processors to scan 16 files that each have a file size of 625 MB.

Operating system
    - Windows Server 2019
    - Windows Server 2016
    - Windows Server 2012 R2

    Note: For testing or evaluation purposes in a non-production environment, you can also use any Windows operating system that is supported by the Azure Information Protection client.

Network connectivity
    Your scanner computer can be a physical or virtual computer with a fast and reliable network connection to the data stores to be scanned.

    If internet connectivity is not possible because of your organization's policies, see Deploying the scanner with alternative configurations.

    Otherwise, make sure that this computer has internet connectivity that allows the following URLs over HTTPS (port 443):

    - *.aadrm.com
    - *.azurerms.com
    - *.informationprotection.azure.com
    - informationprotection.hosting.portal.azure.net
    - *.aria.microsoft.com
    - *.protection.outlook.com

NFS shares
    To support scans on NFS shares, Services for NFS must be deployed on the scanner machine.

    On your machine, navigate to the Windows Features (Turn Windows features on or off) settings dialog, and select the following items: Services for NFS > Administrative Tools and Client for NFS.

Service account requirements

You must have a service account to run the scanner service on the Windows Server computer, as well as to authenticate to Azure AD and download the Azure Information Protection policy.

Your service account must be an Active Directory account that is synchronized to Azure AD.

If you cannot synchronize this account because of your organization's policies, see Deploying the scanner with alternative configurations.

This service account has the following requirements:

Log on locally user right assignment
    Required to install and configure the scanner, but not required to run scans.

    Once you've confirmed that the scanner can discover, classify, and protect files, you can remove this right from the service account.

    If granting this right even for a short period of time is not possible because of your organization's policies, see Deploying the scanner with alternative configurations.

Log on as a service user right assignment
    This right is automatically granted to the service account during the scanner installation, and is required for the installation, configuration, and operation of the scanner.

Permissions to the data repositories
    - File shares or local files: Grant Read, Write, and Modify permissions for scanning the files and then applying classification and protection as configured.

    - SharePoint: You must grant Full Control permissions for scanning the files and then applying classification and protection to the files that meet the conditions in the Azure Information Protection policy.

    - Discovery mode: To run the scanner in discovery mode only, Read permission is sufficient.

For labels that reprotect or remove protection
    To ensure that the scanner always has access to protected files, make this account a super user for Azure Information Protection, and ensure that the super user feature is enabled.

    Additionally, if you've implemented onboarding controls for a phased deployment, make sure that the service account is included in the onboarding controls you've configured.

Specific URL level scanning
    To scan and discover sites and subsites under a specific URL, grant Site Collection Auditor rights to the scanner account at the farm level.

SQL server requirements

To store the scanner configuration data, use a SQL server with the following requirements:

  • A local or remote instance.

    We recommend hosting the SQL server and the scanner service on different machines, unless you're working with a small deployment. Additionally, we recommend having a dedicated SQL instance that serves the scanner database only, and that is not shared with other applications.

    If you're working on a shared server, make sure that the recommended number of cores is free for the scanner database to work.

    SQL Server 2016 is the minimum version for the following editions:

    • SQL Server Enterprise

    • SQL Server Standard

    • SQL Server Express (recommended for test environments only)

  • An account with the Sysadmin role to install the scanner.

    The Sysadmin role enables the installation process to automatically create the scanner configuration database and grant the required db_owner role to the service account that runs the scanner.

    If you cannot be granted the Sysadmin role, or your organization's policies require databases to be created and configured manually, see Deploying the scanner with alternative configurations.

  • Capacity. For capacity guidance, see Storage requirements and capacity planning for SQL Server.

  • Case insensitive collation.

Note

Multiple configuration databases on the same SQL server are supported when you specify a custom cluster name for the scanner, or when you use the preview version of the scanner.

Storage requirements and capacity planning for SQL Server

The amount of disk space required for the scanner's configuration database and the specification of the computer running SQL Server can vary for each environment, so we encourage you to do your own testing. Use the following guidance as a starting point.

For more information, see Optimizing the performance of the scanner.

The disk size for the scanner configuration database will vary for each deployment. Use the following equation as guidance:

100 KB + <file count> * (1000 + 4 * <average file name length>)

For example, to scan 1 million files that have an average file name length of 250 bytes, allocate 2 GB of disk space (1,000,000 * (1000 + 4 * 250) = 2,000,000,000 bytes, plus the 100 KB base).

For multiple scanners:

  • Up to 10 scanners, use:

    • 4 core processors
    • 8 GB RAM recommended
  • More than 10 scanners (maximum 40), use:

    • 8 core processors
    • 16 GB RAM recommended

Azure Information Protection client requirements

You must have the current general availability version of the Azure Information Protection client installed on the Windows Server computer.

For more information, see the Unified labeling client admin guide.

Important

You must install the full client for the scanner. Do not install the client with just the PowerShell module.

Label configuration requirements

You must have at least one sensitivity label configured in one of the Microsoft 365 labeling admin centers for the scanner account, to apply classification and, optionally, protection.

Microsoft 365 labeling admin centers include the Microsoft 365 Security Center, the Microsoft 365 Compliance Center, and the Microsoft 365 Security and Compliance Center.

The scanner account is the account that you'll specify in the DelegatedUser parameter of the Set-AIPAuthentication cmdlet, which you run when configuring your scanner.

If your labels don't have auto-labeling conditions, see the instructions for alternative configurations below.

For more information, see:

SharePoint requirements

To scan SharePoint document libraries and folders, ensure that your SharePoint server complies with the following requirements:

Supported versions
    Supported versions include SharePoint 2019, SharePoint 2016, and SharePoint 2013.
    Other versions of SharePoint are not supported for the scanner.

Versioning
    When you use versioning, the scanner inspects and labels the last published version.

    If the scanner labels a file and content approval is required, that labeled file must be approved to be available for users.

Large SharePoint farms
    For large SharePoint farms, check whether you need to increase the list view threshold (by default, 5,000) for the scanner to access all files.

    For more information, see Manage large lists and libraries in SharePoint.

Long file paths
    If you have long file paths in SharePoint, ensure that your SharePoint server's httpRuntime.maxUrlLength value is larger than the default 260 characters.

    For more information, see Avoid scanner timeouts in SharePoint.

Microsoft Office requirements

To scan Office documents, your documents must be in one of the following formats:

  • Microsoft Office 97-2003
  • Office Open XML formats for Word, Excel, and PowerPoint

For more information, see File types supported by the Azure Information Protection unified labeling client.

File path requirements

By default, to scan files, your file paths must have a maximum of 260 characters.

To scan files with file paths of more than 260 characters, install the scanner on a computer with one of the following Windows versions, and configure the computer as needed:

Windows 2016 or later
    Configure the computer to support long paths.

Windows 10 or Windows Server 2016
    Define the following group policy setting: Local Computer Policy > Computer Configuration > Administrative Templates > All Settings > Enable Win32 long paths.

    For more information about long file path support in these versions, see the Maximum Path Length Limitation section of the Windows 10 developer documentation.

Windows 10, version 1607 or later
    Opt in to the updated MAX_PATH functionality. For more information, see Enable Long Paths in Windows 10, versions 1607 and later.

Usage statistics requirements

Disable usage statistics using one of the following methods:

  • Set the AllowTelemetry parameter to 0

  • Ensure that the Help improve Azure Information Protection by sending usage statistics to Microsoft option remains unselected during the scanner installation process.

Deploying the scanner with alternative configurations

The prerequisites listed above are the default requirements for the scanner deployment, and are recommended because they support the simplest scanner configuration.

The default requirements should be suitable for initial testing, so that you can check the capabilities of the scanner.

However, in a production environment, your organization's policies may differ from the default requirements. The scanner can accommodate the following changes with additional configuration:

Discover and scan all SharePoint sites and subsites under a specific URL

The scanner can discover and scan all SharePoint sites and subsites under a specific URL with the following configuration:

  1. Start SharePoint Central Administration.

  2. On the SharePoint Central Administration website, in the Application Management section, click Manage web applications.

  3. Click to highlight the web application whose permission policy level you want to manage.

  4. Choose the relevant farm and then select Manage Permissions Policy Levels.

  5. Select Site Collection Auditor in the Site Collection Permissions options, then grant View Application Pages in the Permissions list, and finally, name the new policy level AIP scanner site collection auditor and viewer.

  6. Add your scanner user to the new policy and grant Site collection in the Permissions list.

  7. Add the URL of the SharePoint site that hosts the sites or subsites that need to be scanned. For more information, see Configure the scanner in the Azure portal.

To learn more about how to manage your SharePoint policy levels, see Manage permission policies for a web application.

Restriction: The scanner server cannot have internet connectivity

While the unified labeling client cannot apply protection without an internet connection, the scanner can still apply labels based on imported policies.

To support a disconnected computer, use one of the following methods:

Use the Azure portal with a disconnected computer

To support a disconnected computer from the Azure portal, perform the following steps:

  1. Configure labels in your policy, and then use the procedure to support disconnected computers to enable offline classification and labeling.

  2. Enable offline management for content and network scan jobs as follows:

    Enable offline management for content scan jobs:

    1. Set the scanner to function in offline mode, using the Set-AIPScannerConfiguration cmdlet.

    2. Configure the scanner in the Azure portal by creating a scanner cluster. For more information, see Configure the scanner in the Azure portal.

    3. Export your content scan job from the Azure Information Protection - Content scan jobs pane using the Export option.

    4. Import the policy using the Import-AIPScannerConfiguration cmdlet.

    Results for offline content scan jobs are located at: %localappdata%\Microsoft\MSIP\Scanner\Reports

    Enable offline management of network scan jobs:

    1. Set the Network Discovery service to function in offline mode using the Set-MIPNetworkDiscoveryConfiguration cmdlet.

    2. Configure the network scan job in the Azure portal. For more information, see Creating a network scan job.

    3. Export your network scan job from the Azure Information Protection - Network scan jobs (Preview) pane using the Export option.

    4. Import the network scan job using the file that matches your cluster name, with the Import-MIPNetworkDiscoveryConfiguration cmdlet.

    Results for offline network scan jobs are located at: %localappdata%\Microsoft\MSIP\Scanner\Reports

Use PowerShell with a disconnected computer

Perform the following procedure to support a disconnected computer using PowerShell only.

Important

Admins of Azure China 21Vianet scanner servers must use this procedure in order to manage their content scan jobs.

Manage your content scan jobs using PowerShell only:

  1. Set the scanner to function in offline mode, using the Set-AIPScannerConfiguration cmdlet.

  2. Create a new content scan job using the Set-AIPScannerContentScanJob cmdlet, making sure to use the mandatory -Enforce On parameter.

  3. Add your repositories using the Add-AIPScannerRepository cmdlet, with the path to the repository you want to add.

    Tip

    To prevent the repository from inheriting settings from your content scan job, add the OverrideContentScanJob On parameter, as well as values for the additional settings.

    To edit details for an existing repository, use the Set-AIPScannerRepository command.

  4. Use the Get-AIPScannerContentScanJob and Get-AIPScannerRepository cmdlets to return information about your content scan job's current settings.

  5. Use the Set-AIPScannerRepository command to update details for an existing repository.

  6. Run your content scan job immediately if needed, using the Start-AIPScan cmdlet.

    Results for offline content scan jobs are located at: %localappdata%\Microsoft\MSIP\Scanner\Reports

  7. If you need to remove a repository or an entire content scan job, use the following cmdlets:
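Steps 1 through 6 of the PowerShell-only procedure, assembled into one script as an added example; this is not code from the original page or from the AIP client itself. Assumptions: the share paths are placeholders, and the -OnlineConfiguration, -Schedule, -DiscoverInformationTypes, -RecommendedAsAutomatic and per-repository -Enforce parameters are taken from the cmdlets' own help rather than from this page, so confirm them with Get-Help <cmdlet> -Full on your client version before running the script under the scanner's service account.

```powershell
# Added example: manage a content scan job on a disconnected scanner with
# PowerShell only (not the page's or the product's own code).
# Run in an elevated PowerShell session on the scanner server.

# Step 1: switch the scanner to offline mode so it stops trying to pull its
# configuration from the Azure portal. Parameter name assumed: -OnlineConfiguration.
Set-AIPScannerConfiguration -OnlineConfiguration Off

# Step 2: create the content scan job. -Enforce On is the mandatory parameter
# from the page; the other three are assumptions for this example and mirror the
# "Info types to be discovered = All" and "Treat recommended labeling as
# automatic = On" options from the alternative configurations section.
Set-AIPScannerContentScanJob -Enforce On `
                             -Schedule Manual `
                             -DiscoverInformationTypes All `
                             -RecommendedAsAutomatic On

# Step 3: add the repositories to scan. Share paths are placeholders.
Add-AIPScannerRepository -Path '\\fileserver01\finance'

# This repository overrides the job settings: OverrideContentScanJob On plus a
# per-repository -Enforce Off (assumed parameter) keeps it in discovery mode,
# so its files are inventoried in the reports but never relabeled.
Add-AIPScannerRepository -Path '\\fileserver01\archive' `
                         -OverrideContentScanJob On `
                         -Enforce Off

# Step 4: review the effective settings before anything is scanned.
Get-AIPScannerContentScanJob | Format-List
Get-AIPScannerRepository     | Format-List

# Step 5: later, tighten the archive repository so labels are enforced there too.
Set-AIPScannerRepository -Path '\\fileserver01\archive' -Enforce On

# Step 6: run the job now instead of waiting for the schedule.
Start-AIPScan

# Offline results are written to the local Reports folder named on the page;
# list the newest report files to confirm the cycle completed.
Get-ChildItem -Path "$env:LOCALAPPDATA\Microsoft\MSIP\Scanner\Reports" |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 5 Name, LastWriteTime
```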

Restriction: You cannot be granted Sysadmin, or databases must be created and configured manually

Use the following procedures to manually create databases and grant the db_owner role, as needed.

If you can be granted the Sysadmin role temporarily to install the scanner, you can remove this role when the scanner installation is complete.

Do one of the following, depending on your organization's requirements:

You can have the Sysadmin role temporarily
    If you temporarily have the Sysadmin role, the database is automatically created for you and the service account for the scanner is automatically granted the required permissions.

    However, the user account that configures the scanner still requires the db_owner role for the scanner configuration database. If you only have the Sysadmin role until the scanner installation is complete, grant the db_owner role to the user account manually.

You cannot have the Sysadmin role at all
    If you cannot be granted the Sysadmin role even temporarily, you must ask a user with Sysadmin rights to manually create a database before you install the scanner.

    For this configuration, the db_owner role must be assigned to the following accounts:
    - Service account for the scanner
    - User account for the scanner installation
    - User account for scanner configuration

    Typically, you will use the same user account to install and configure the scanner. If you use different accounts, they both require the db_owner role for the scanner configuration database. Create this user and rights as needed. If you specify your own cluster name, the configuration database is named AIPScannerUL_<cluster_name>.

Additionally:

  • You must be a local administrator on the server that will run the scanner

  • The service account that will run the scanner must be granted Full Control permissions to the following registry keys:

    • HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\MSIPC\Server
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSIPC\Server

If, after configuring these permissions, you see an error when you install the scanner, the error can be ignored and you can manually start the scanner service.
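One way to grant and then verify those two registry permissions, as an added example that is not code from the original page or from the scanner installer. Assumptions: CONTOSO\svc-aipscanner is a placeholder for your scanner service account, and the keys already exist (they are created by the AIP client installation); run it in an elevated session.

```powershell
# Added example: give the scanner service account Full Control on the two
# MSIPC registry keys listed above, then show the resulting access entries.
$ServiceAccount = 'CONTOSO\svc-aipscanner'   # placeholder, replace with your account

$MsipcKeys = @(
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\MSIPC\Server',
    'HKLM:\SOFTWARE\Microsoft\MSIPC\Server'
)

foreach ($key in $MsipcKeys) {
    if (-not (Test-Path -Path $key)) {
        # The keys come from the AIP client installation; do not create them
        # here, just make the gap visible before the scanner is installed.
        Write-Warning "Registry key not found, skipping: $key"
        continue
    }

    $acl = Get-Acl -Path $key

    # Full Control for the service account only, inherited by subkeys and
    # values; existing entries on the key are left untouched.
    $rule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule `
        -ArgumentList $ServiceAccount, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $acl.SetAccessRule($rule)
    Set-Acl -Path $key -AclObject $acl
}

# Verify: list every access entry that applies to the service account on each key.
foreach ($key in $MsipcKeys) {
    if (Test-Path -Path $key) {
        (Get-Acl -Path $key).Access |
            Where-Object { $_.IdentityReference.Value -eq $ServiceAccount } |
            Select-Object @{ Name = 'Key'; Expression = { $key } },
                          IdentityReference, RegistryRights, InheritanceFlags, AccessControlType
    }
}
```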

Manually create a database and user for the scanner, and grant db_owner rights

If you need to manually create your scanner database and/or create a user and grant db_owner rights on the database, ask your Sysadmin to perform the following steps:

  1. Create a database for the scanner:

    **CREATE DATABASE AIPScannerUL_[clustername]**
    
    **ALTER DATABASE AIPScannerUL_[clustername] SET TRUSTWORTHY ON**
    
  2. Grant rights to the user that runs the installation command and is used to run scanner management commands. Use the following script, replacing domain\user with that account and DBName with the database created in step 1:

    -- Create a server login for the account if it does not exist yet
    IF NOT EXISTS (SELECT * FROM master.sys.server_principals WHERE sid = SUSER_SID('domain\user'))
    BEGIN
        DECLARE @T nvarchar(500);
        SET @T = 'CREATE LOGIN ' + QUOTENAME('domain\user') + ' FROM WINDOWS';
        EXEC(@T);
    END

    -- Map the login to a user in the scanner database and make it db_owner.
    -- The user must exist before sp_addrolemember is called, so EXEC(@X) runs first.
    USE DBName
    IF NOT EXISTS (SELECT * FROM sys.database_principals WHERE sid = SUSER_SID('domain\user'))
    BEGIN
        DECLARE @X nvarchar(500);
        SET @X = 'CREATE USER ' + QUOTENAME('domain\user') + ' FROM LOGIN ' + QUOTENAME('domain\user');
        EXEC(@X);
        EXEC sp_addrolemember 'db_owner', 'domain\user';
    END
    
  3. Grant rights to the scanner service account. Use the following script, with domain\user replaced by the service account:

    -- Create a server login for the service account if it does not exist yet
    IF NOT EXISTS (SELECT * FROM master.sys.server_principals WHERE sid = SUSER_SID('domain\user'))
    BEGIN
        DECLARE @T nvarchar(500);
        SET @T = 'CREATE LOGIN ' + QUOTENAME('domain\user') + ' FROM WINDOWS';
        EXEC(@T);
    END

    -- The service account also needs db_owner on the scanner database (see the
    -- account list above): map the login to a database user and add it to the role.
    USE DBName
    IF NOT EXISTS (SELECT * FROM sys.database_principals WHERE sid = SUSER_SID('domain\user'))
    BEGIN
        DECLARE @X nvarchar(500);
        SET @X = 'CREATE USER ' + QUOTENAME('domain\user') + ' FROM LOGIN ' + QUOTENAME('domain\user');
        EXEC(@X);
        EXEC sp_addrolemember 'db_owner', 'domain\user';
    END
    

Manually create a database and user for the Network Discovery service, and grant db_owner rights

If you need to manually create your Network Discovery database and/or create a user and grant db_owner rights on the database, ask your Sysadmin to perform the following steps:

  1. Create a database for the Network Discovery service:

    **CREATE DATABASE AIPNetworkDiscovery_[clustername]**
    
    **ALTER DATABASE AIPNetworkDiscovery_[clustername] SET TRUSTWORTHY ON**
    
  2. Grant rights to the user that runs the installation command and is used to run scanner management commands. Use the following script, replacing domain\user with that account and DBName with the database created in step 1:

    -- Create a server login for the account if it does not exist yet
    IF NOT EXISTS (SELECT * FROM master.sys.server_principals WHERE sid = SUSER_SID('domain\user'))
    BEGIN
        DECLARE @T nvarchar(500);
        SET @T = 'CREATE LOGIN ' + QUOTENAME('domain\user') + ' FROM WINDOWS';
        EXEC(@T);
    END

    -- Map the login to a user in the Network Discovery database and make it db_owner.
    -- The user must exist before sp_addrolemember is called, so EXEC(@X) runs first.
    USE DBName
    IF NOT EXISTS (SELECT * FROM sys.database_principals WHERE sid = SUSER_SID('domain\user'))
    BEGIN
        DECLARE @X nvarchar(500);
        SET @X = 'CREATE USER ' + QUOTENAME('domain\user') + ' FROM LOGIN ' + QUOTENAME('domain\user');
        EXEC(@X);
        EXEC sp_addrolemember 'db_owner', 'domain\user';
    END
    
  3. Grant rights to the scanner service account. Use the following script, with domain\user replaced by the service account:

    -- Create a server login for the service account if it does not exist yet
    IF NOT EXISTS (SELECT * FROM master.sys.server_principals WHERE sid = SUSER_SID('domain\user'))
    BEGIN
        DECLARE @T nvarchar(500);
        SET @T = 'CREATE LOGIN ' + QUOTENAME('domain\user') + ' FROM WINDOWS';
        EXEC(@T);
    END

    -- The service account also needs db_owner on the Network Discovery database:
    -- map the login to a database user and add it to the role.
    USE DBName
    IF NOT EXISTS (SELECT * FROM sys.database_principals WHERE sid = SUSER_SID('domain\user'))
    BEGIN
        DECLARE @X nvarchar(500);
        SET @X = 'CREATE USER ' + QUOTENAME('domain\user') + ' FROM LOGIN ' + QUOTENAME('domain\user');
        EXEC(@X);
        EXEC sp_addrolemember 'db_owner', 'domain\user';
    END
    

Restriction: The service account for the scanner cannot be granted the Log on locally right

If your organization's policies prohibit the Log on locally right for service accounts, use the OnBehalfOf parameter with Set-AIPAuthentication.

For more information, see How to label files non-interactively for Azure Information Protection.

Restriction: The scanner service account cannot be synchronized to Azure Active Directory but the server has internet connectivity

You can have one account to run the scanner service and use another account to authenticate to Azure Active Directory:

Restriction: Your labels do not have auto-labeling conditions

If your labels do not have any auto-labeling conditions, plan to use one of the following options when configuring your scanner:

Discover all info types
    In your content scan job, set the Info types to be discovered option to All.

    This option sets the content scan job to scan your content for all sensitive information types.

Use recommended labeling
    In your content scan job, set the Treat recommended labeling as automatic option to On.

    This setting configures the scanner to automatically apply all recommended labels on your content.

Define a default label
    Define a default label in your policy, content scan job, or repository.

    In this case, the scanner applies the default label to all files found.

Next steps

Once you've confirmed that your system complies with the scanner prerequisites, continue with Deploying the Azure Information Protection scanner to automatically classify and protect files.

For an overview of the scanner, see Deploying the Azure Information Protection scanner to automatically classify and protect files.

More information: