系統管理員指南:Azure 資訊保護統一標籤用戶端的自訂設定Admin Guide: Custom configurations for the Azure Information Protection unified labeling client

*適用于Azure 資訊保護、Windows 10、Windows 8.1、Windows 8、Windows Server 2019、Windows Server 2016、windows Server 2012 R2、windows server 2012 **Applies to: Azure Information Protection, Windows 10, Windows 8.1, Windows 8, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012*

如果您有 Windows 7 或 Office 2010,請參閱 延伸支援中適用于 windows 和 office 版本的 AIPIf you have Windows 7 or Office 2010, see AIP for Windows and Office versions in extended support.

*適用于:適用于 Windows 的 Azure 資訊保護統一標籤用戶端*Relevant for: Azure Information Protection unified labeling client for Windows. 若為傳統用戶端,請參閱 傳統用戶端系統管理員指南。 *For the classic client, see the classic client admin guide.*

針對特定案例或使用者管理 AIP 統一標籤用戶端所需的 advanced 設定,請使用下列資訊。Use the following information for advanced configurations needed for specific scenarios or users when managing the AIP unified labeling client.

注意

這些設定需要編輯登錄或指定 [advanced settings]。These settings require editing the registry or specifying advanced settings. Advanced settings 使用 Office 365 Security & 合規性中心 PowerShellThe advanced settings use Office 365 Security & Compliance Center PowerShell.

透過 PowerShell 設定用戶端的 advanced settingsConfiguring advanced settings for the client via PowerShell

使用 Microsoft 365 安全性 & 合規性中心 PowerShell 來設定自訂標籤原則和標籤的 advanced 設定。Use the Microsoft 365 Security & Compliance Center PowerShell to configure advanced settings for customizing label policies and labels.

在這兩種情況下,當您連線 到 Office 365 Security & 合規性中心 PowerShell之後,請使用原則或標籤的身分識別 (名稱或 GUID) 指定 AdvancedSettings 參數,並在 雜湊表中指定索引鍵/值組。In both cases, after you connect to Office 365 Security & Compliance Center PowerShell, specify the AdvancedSettings parameter with the identity (name or GUID) of the policy or label, with key/value pairs in a hash table.

若要移除 advanced 設定,請使用相同的 AdvancedSettings 參數語法,但請指定 null 字串值。To remove an advanced setting, use the same AdvancedSettings parameter syntax, but specify a null string value.

重要

請勿在字串值中使用空格。Do not use white spaces in your string values. 這些字串值中的白色字串將導致無法套用您的標籤。White strings in these string values will prevent your labels from being applied.

如需詳細資訊,請參閱For more information, see:

標籤原則的 advanced settingsLabel policy advanced settings

標籤原則 advanced 設定的範例是在 Office 應用程式中顯示資訊保護列的設定。An example of a label policy advanced setting is the setting to display the Information Protection bar in Office apps.

為單一字串值,請使用下列語法:For a single string value, use the following syntax:

Set-LabelPolicy -Identity <PolicyName> -AdvancedSettings @{Key="value1,value2"}

針對相同索引鍵的多個字串值,請使用下列語法:For a multiple string value for the same key, use the following syntax:

Set-LabelPolicy -Identity <PolicyName> -AdvancedSettings @{Key=ConvertTo-Json("value1", "value2")}

標籤 advanced settingsLabel advanced settings

標籤 advanced 設定的範例為指定標籤色彩的設定。An example of a label advanced setting is the setting to specify a label color.

為單一字串值,請使用下列語法:For a single string value, use the following syntax:

Set-Label -Identity <LabelGUIDorName> -AdvancedSettings @{Key="value1,value2"}

針對相同索引鍵的多個字串值,請使用下列語法:For a multiple string value for the same key, use the following syntax:

Set-Label -Identity <LabelGUIDorName> -AdvancedSettings @{Key=ConvertTo-Json("value1", "value2")}

設定 advanced settings 的範例Examples for setting advanced settings

範例1: 針對單一字串值設定標籤原則的 advanced 設定:Example 1: Set a label policy advanced setting for a single string value:

Set-LabelPolicy -Identity Global -AdvancedSettings @{EnableCustomPermissions="False"}

範例2: 針對單一字串值設定標籤的 advanced 設定:Example 2: Set a label advanced setting for a single string value:

Set-Label -Identity Internal -AdvancedSettings @{smimesign="true"}

範例3: 針對多個字串值設定標籤的 advanced 設定:Example 3: Set a label advanced setting for multiple string values:

Set-Label -Identity Confidential -AdvancedSettings @{labelByCustomProperties=ConvertTo-Json("Migrate Confidential label,Classification,Confidential", "Migrate Secret label,Classification,Secret")}

範例4: 藉由指定 null 字串值來移除標籤原則的 advanced 設定:Example 4: Remove a label policy advanced setting by specifying a null string value:

Set-LabelPolicy -Identity Global -AdvancedSettings @{EnableCustomPermissions=""}

指定標籤原則或標籤身分識別Specifying the label policy or label identity

因為標籤系統管理中心只有一個原則名稱,所以尋找 PowerShell 身分 識別 參數的標籤原則名稱很簡單。Finding the label policy name for the PowerShell Identity parameter is simple because there is only one policy name in the labeling admin center.

不過,針對標籤,標籤系統管理中心會顯示 名稱顯示名稱 值。However, for labels, the labeling admin centers show both a Name and Display name value. 在某些情況下,這些值將會相同,但可能會不同。In some cases, these values will be the same, but they may be different. 若要設定標籤的 advanced 設定,請使用 [ 名稱 ] 值。To configure advanced settings for labels, use the Name value.

例如,若要識別下圖中的標籤,請在 PowerShell 命令中使用下列 -Identity "All Company" 語法:For example, to identify the label in the following picture, use the following syntax in your PowerShell command: -Identity "All Company":

使用 [名稱] 而非 [顯示名稱] 來識別敏感度標籤

如果您想要指定標籤 GUID,此值 會顯示在標籤系統管理中心中。If you prefer to specify the label GUID, this value is not shown in the labeling admin center. 使用 取得標籤 命令來尋找此值,如下所示:Use the Get-Label command to find this value, as follows:

Get-Label | Format-Table -Property DisplayName, Name, Guid

如需標記名稱和顯示名稱的詳細資訊:For more information about labeling names and display names:

  • Name 是標籤的原始名稱,而且在所有標籤中都是唯一的。Name is the original name of the label and it is unique across all your labels.

    即使您稍後已變更標籤名稱,這個值仍會維持不變。This value remains the same even if you've changed your label name later on. 針對從 Azure 資訊保護遷移的敏感度標籤,您可能會看到來自 Azure 入口網站的原始標籤識別碼。For sensitivity labels that were migrated from Azure Information Protection, you might see original label ID from the Azure portal.

  • 顯示名稱 是目前針對標籤顯示給使用者的名稱,在所有標籤中不需要是唯一的。Display name is the name currently displayed to users for the label, and does not need to be unique across all your labels.

    例如,您可能會有 [機密] 標籤下子標籤之 所有員工 的顯示名稱,以及 [高度機密] 標籤下子標籤之 所有員工 的另一個顯示名稱。For example, you might have a display name of All Employees for a sublabel under the Confidential label, and another display name of All Employees for a sublabel under the Highly Confidential label. 這些子標籤都會顯示相同的名稱,但不是相同的標籤,而且具有不同的設定。These sublabels both display the same name, but are not the same label and have different settings.

優先順序-如何解決衝突的設定Order of precedence - how conflicting settings are resolved

您可以使用系統管理中心來設定下列標籤原則設定:You can use the admin centers to configure the following label policy settings:

  • 依預設將此標籤套用至檔和電子郵件Apply this label by default to documents and emails

  • 使用者必須提供理由,才能移除標籤或較低的分類標籤Users must provide justification to remove a label or lower classification label

  • 要求使用者將標籤套用到其電子郵件或檔Require users to apply a label to their email or document

  • 為使用者提供自訂說明頁面的連結Provide users with a link to a custom help page

為使用者設定一個以上的標籤原則時,每個標籤原則都有可能不同的原則設定,則會根據系統管理中心內的原則順序套用最後一個原則設定。When more than one label policy is configured for a user, each with potentially different policy settings, the last policy setting is applied according to the order of the policies in the admin center. 如需詳細資訊,請參閱 標籤原則優先順序 (順序重要) For more information, see Label policy priority (order matters)

使用最後一個原則設定,即可使用相同的邏輯來套用標籤原則的 advanced 設定。Label policy advanced settings are applied using the same logic, using the last policy setting.

Advanced 設定參考Advanced setting references

下列章節適用于標籤原則和標籤的可用 advanced 設定:The following sections the available advanced settings for label policies and labels:

依功能的 Advanced 設定參考Advanced setting reference by feature

下列各節依產品和功能整合列出本頁所述的 advanced 設定:The following sections list the advanced settings described on this page by product and feature integration:

功能Feature 進階設定Advanced settings
Outlook 和電子郵件設定Outlook and email settings - 在 Outlook 中設定標籤以套用 S/MIME 保護- Configure a label to apply S/MIME protection in Outlook
- 自訂 Outlook 快顯視窗訊息- Customize Outlook popup messages
- 在 Outlook 中啟用建議分類- Enable recommended classification in Outlook
- 從強制標記豁免 Outlook 訊息- Exempt Outlook messages from mandatory labeling
- 針對具有附件的電子郵件,套用符合這些附件最高分類的標籤- For emails with attachments, apply a label that matches the highest classification of those attachments
- 搜尋電子郵件收件者時展開 Outlook 通訊群組清單- Expand Outlook distribution lists when searching for email recipients
- 在 Outlook 中執行快顯訊息,以警告、證明或封鎖傳送的電子郵件- Implement pop-up messages in Outlook that warn, justify, or block emails being sent
- 使用 S/MIME 電子郵件防止 Outlook 效能問題- Prevent Outlook performance issues with S/MIME emails
- 為 Outlook 設定不同的預設標籤- Set a different default label for Outlook
PowerPoint 設定PowerPoint settings - 避免從包含指定文字的 PowerPoint 移除圖形,而且不是頁首/頁尾- Avoid removing shapes from PowerPoint that contain specified text, and are not headers / footers
- 從您的 PowerPoint 自訂版面配置中明確移除外部內容標記- Explicitly remove external content markings from inside your PowerPoint custom layouts
- 從標題和頁尾中移除特定圖形名稱的所有圖形,而不是在圖形內依文字移除圖形。- Remove all shapes of a specific shape name from your headers and footers, instead of removing shapes by text inside the shape
檔案總管設定File Explorer settings - 一律在檔案總管中顯示使用者的自訂許可權- Always display custom permissions to users in File Explorer
- 停用檔案總管中的自訂許可權- Disable custom permissions in File Explorer
效能改進設定Performance improvements settings - 限制 CPU 耗用量- Limit CPU consumption
- 限制掃描器所使用的執行緒數目- Limit the number of threads used by the scanner
- 使用 S/MIME 電子郵件防止 Outlook 效能問題- Prevent Outlook performance issues with S/MIME emails
與其他標籤解決方案整合的設定Settings for integrations with other labeling solutions - 從安全孤島和其他標籤解決方案遷移標籤- Migrate labels from Secure Islands and other labeling solutions
- 移除其他標籤解決方案的頁首和頁尾- Remove headers and footers from other labeling solutions
AIP 分析設定AIP analytics settings - 停用將審核資料傳送至 Azure 資訊保護分析- Disable sending audit data to Azure Information Protection analytics
- 將資訊類型相符專案傳送給 Azure 資訊保護分析- Send information type matches to Azure Information Protection analytics
一般設定General settings - 為使用者新增 [回報問題]- Add "Report an Issue" for users
- 套用標籤時套用自訂屬性- Apply a custom property when a label is applied
- 變更本機記錄層級- Change the local logging level
- 變更要保護的檔案類型- Change which file types to protect
- 設定 SharePoint 超時- Configure SharePoint timeouts
- 自訂修改標籤的對齊提示文字- Customize justification prompt texts for modified labels
- 在 Office 應用程式中顯示資訊保護列- Display the Information Protection bar in Office apps
- 啟用從壓縮檔案移除保護- Enable removal of protection from compressed files
- 在標記 (公開預覽期間,保留 NTFS 擁有者) - Preserve NTFS owners during labeling (public preview)
- 當您使用強制標記時,請移除檔的 "Not now"- Remove "Not now" for documents when you use mandatory labeling
- 根據檔案屬性在掃描期間略過或忽略檔案- Skip or ignore files during scans depending on file attributes
- 指定標籤的色彩- Specify a color for the label
- 指定父標籤的預設子標籤- Specify a default sublabel for a parent label
- 支援變更 <EXT> 。.PFILE 至 P<EXT>- Support for changing <EXT>.PFILE to P<EXT>
- 支援已中斷連線的電腦- Support for disconnected computers
- 開啟分類在背景中持續執行- Turn on classification to run continuously in the background
- 關閉檔追蹤功能 (公開預覽) - Turn off document tracking features (public preview)

標籤原則的 advanced 設定參考Label policy advanced setting reference

使用 AdvancedSettings 參數搭配 LabelPolicyLabelPolicy 來定義下列設定:Use the AdvancedSettings parameter with New-LabelPolicy and Set-LabelPolicy to define the following settings:

設定Setting 案例和指示Scenario and instructions
AdditionalPPrefixExtensionsAdditionalPPrefixExtensions 支援變更 <EXT> 。<EXT> 使用這個 advanced 屬性 .pfile 至 PSupport for changing <EXT>.PFILE to P<EXT> by using this advanced property
AttachmentActionAttachmentAction 對於有附件的電子郵件訊息,請套用符合這些附件最高分類的標籤For email messages with attachments, apply a label that matches the highest classification of those attachments
AttachmentActionTipAttachmentActionTip 對於有附件的電子郵件訊息,請套用符合這些附件最高分類的標籤For email messages with attachments, apply a label that matches the highest classification of those attachments
DisableMandatoryInOutlookDisableMandatoryInOutlook 從強制標記豁免 Outlook 訊息Exempt Outlook messages from mandatory labeling
EnableAuditEnableAudit 停用將審核資料傳送至 Azure 資訊保護分析Disable sending audit data to Azure Information Protection analytics
EnableContainerSupportEnableContainerSupport 啟用從 PST、rar、7zip 和 MSG 檔案移除保護Enable removal of protection from PST, rar, 7zip, and MSG files
EnableCustomPermissionsEnableCustomPermissions 停用檔案總管中的自訂許可權Disable custom permissions in File Explorer
EnableCustomPermissionsForCustomProtectedFilesEnableCustomPermissionsForCustomProtectedFiles 對於使用自訂權限保護的檔案,一律在檔案總管中向使用者顯示自訂權限For files protected with custom permissions, always display custom permissions to users in File Explorer
EnableLabelByMailHeaderEnableLabelByMailHeader 從 Secure Islands 和其他標籤解決方案移轉標籤Migrate labels from Secure Islands and other labeling solutions
EnableLabelBySharePointPropertiesEnableLabelBySharePointProperties 從 Secure Islands 和其他標籤解決方案移轉標籤Migrate labels from Secure Islands and other labeling solutions
EnableOutlookDistributionListExpansionEnableOutlookDistributionListExpansion 搜尋電子郵件收件者時展開 Outlook 通訊群組清單Expand Outlook distribution lists when searching for email recipients
EnableTrackAndRevokeEnableTrackAndRevoke 關閉檔追蹤功能 (公開預覽) Turn off document tracking features (public preview)
HideBarByDefaultHideBarByDefault 在 Office 應用程式中顯示資訊保護列Display the Information Protection bar in Office apps
JustificationTextForUserTextJustificationTextForUserText 自訂修改標籤的對齊提示文字Customize justification prompt texts for modified labels
LogMatchedContentLogMatchedContent 將資訊類型相符專案傳送給 Azure 資訊保護分析Send information type matches to Azure Information Protection analytics
>outlookblocktrusteddomainsOutlookBlockTrustedDomains 在 Outlook 中實作快顯訊息,以警告、封鎖傳送的電子郵件,或證實其正當性Implement pop-up messages in Outlook that warn, justify, or block emails being sent
OutlookBlockUntrustedCollaborationLabelOutlookBlockUntrustedCollaborationLabel 在 Outlook 中實作快顯訊息,以警告、封鎖傳送的電子郵件,或證實其正當性Implement pop-up messages in Outlook that warn, justify, or block emails being sent
OutlookCollaborationRuleOutlookCollaborationRule 自訂 Outlook 快顯視窗訊息Customize Outlook popup messages
OutlookDefaultLabelOutlookDefaultLabel 為 Outlook 設定不同的預設標籤Set a different default label for Outlook
OutlookGetEmailAddressesTimeOutMSPropertyOutlookGetEmailAddressesTimeOutMSProperty 修改在通訊群組清單中為收件者執行封鎖訊息時,在 Outlook 中展開通訊群組清單的超時) Modify the timeout for expanding a distribution list in Outlook when implementing block messages for recipients in distribution lists )
>outlookjustifytrusteddomainsOutlookJustifyTrustedDomains 在 Outlook 中實作快顯訊息,以警告、封鎖傳送的電子郵件,或證實其正當性Implement pop-up messages in Outlook that warn, justify, or block emails being sent
OutlookJustifyUntrustedCollaborationLabelOutlookJustifyUntrustedCollaborationLabel 在 Outlook 中實作快顯訊息,以警告、封鎖傳送的電子郵件,或證實其正當性Implement pop-up messages in Outlook that warn, justify, or block emails being sent
OutlookRecommendationEnabledOutlookRecommendationEnabled 在 Outlook 中啟用建議分類Enable recommended classification in Outlook
OutlookOverrideUnlabeledCollaborationExtensionsOutlookOverrideUnlabeledCollaborationExtensions 在 Outlook 中實作快顯訊息,以警告、封鎖傳送的電子郵件,或證實其正當性Implement pop-up messages in Outlook that warn, justify, or block emails being sent
OutlookSkipSmimeOnReadingPaneEnabledOutlookSkipSmimeOnReadingPaneEnabled 使用 S/MIME 電子郵件防止 Outlook 效能問題Prevent Outlook performance issues with S/MIME emails
OutlookUnlabeledCollaborationActionOverrideMailBodyBehaviorOutlookUnlabeledCollaborationActionOverrideMailBodyBehavior 在 Outlook 中實作快顯訊息,以警告、封鎖傳送的電子郵件,或證實其正當性Implement pop-up messages in Outlook that warn, justify, or block emails being sent
>outlookwarntrusteddomainsOutlookWarnTrustedDomains 在 Outlook 中實作快顯訊息,以警告、封鎖傳送的電子郵件,或證實其正當性Implement pop-up messages in Outlook that warn, justify, or block emails being sent
OutlookWarnUntrustedCollaborationLabelOutlookWarnUntrustedCollaborationLabel 在 Outlook 中實作快顯訊息,以警告、封鎖傳送的電子郵件,或證實其正當性Implement pop-up messages in Outlook that warn, justify, or block emails being sent
PFileSupportedExtensionsPFileSupportedExtensions 變更要保護的檔案類型Change which file types to protect
PostponeMandatoryBeforeSavePostponeMandatoryBeforeSave 當您使用強制標示時針對文件移除「現在不要」Remove "Not now" for documents when you use mandatory labeling
PowerPointRemoveAllShapesByShapeNamePowerPointRemoveAllShapesByShapeName 從標題和頁尾中移除特定圖形名稱的所有圖形,而不是在圖形內依文字移除圖形。Remove all shapes of a specific shape name from your headers and footers, instead of removing shapes by text inside the shape
PowerPointShapeNameToRemovePowerPointShapeNameToRemove 避免從包含指定文字的 PowerPoint 移除圖形,而且不是頁首/頁尾Avoid removing shapes from PowerPoint that contain specified text, and are not headers / footers
RemoveExternalContentMarkingInAppRemoveExternalContentMarkingInApp 移除來自其他標籤解決方案的頁首和頁尾Remove headers and footers from other labeling solutions
RemoveExternalMarkingFromCustomLayoutsRemoveExternalMarkingFromCustomLayouts 從您的 PowerPoint 自訂版面配置中明確移除外部內容標記Explicitly remove external content markings from inside your PowerPoint custom layouts
ReportAnIssueLinkReportAnIssueLink 為使用者新增 [回報問題]Add "Report an Issue" for users
RunPolicyInBackgroundRunPolicyInBackground 開啟分類以持續在背景執行Turn on classification to run continuously in the background
ScannerMaxCPUScannerMaxCPU 限制 CPU 耗用量Limit CPU consumption
ScannerMinCPUScannerMinCPU 限制 CPU 耗用量Limit CPU consumption
ScannerConcurrencyLevelScannerConcurrencyLevel 限制掃描器所使用的執行緒數目Limit the number of threads used by the scanner
ScannerFSAttributesToSkipScannerFSAttributesToSkip 根據檔案屬性在掃描期間略過或忽略檔案Skip or ignore files during scans depending on file attributes
SharepointWebRequestTimeoutSharepointWebRequestTimeout 設定 SharePoint 超時Configure SharePoint timeouts
SharepointFileWebRequestTimeoutSharepointFileWebRequestTimeout 設定 SharePoint 超時Configure SharePoint timeouts
UseCopyAndPreserveNTFSOwnerUseCopyAndPreserveNTFSOwner 在標記期間保留 NTFS 擁有者Preserve NTFS owners during labeling

檢查標籤原則設定Check label policy settings

針對名為 "Global" 的標籤原則,檢查您的標籤原則設定是否有效的 PowerShell 命令範例:Example PowerShell command to check your label policy settings in effect for a label policy named "Global":

(Get-LabelPolicy -Identity Global).settings

標籤 advanced 設定參考Label advanced setting reference

使用 AdvancedSettings 參數搭配 新標籤設定標籤Use the AdvancedSettings parameter with New-Label and Set-Label.

設定Setting 案例和指示Scenario and instructions
colorcolor 為標籤指定色彩Specify a color for the label
customPropertiesByLabelcustomPropertiesByLabel 套用標籤時套用自訂屬性Apply a custom property when a label is applied
DefaultSubLabelIdDefaultSubLabelId 為父標籤指定預設子標籤Specify a default sublabel for a parent label
labelByCustomPropertieslabelByCustomProperties 從 Secure Islands 和其他標籤解決方案移轉標籤Migrate labels from Secure Islands and other labeling solutions
SMimeEncryptSMimeEncrypt 在 Outlook 中設定標籤以套用 S/MIME 保護Configure a label to apply S/MIME protection in Outlook
SMimeSignSMimeSign 在 Outlook 中設定標籤以套用 S/MIME 保護Configure a label to apply S/MIME protection in Outlook

檢查標籤設定Check label settings

針對名為 "Public" 的標籤,檢查標籤設定是否有效的 PowerShell 命令範例:Example PowerShell command to check your label settings in effect for a label named "Public":

(Get-Label -Identity Public).settings

在 Office 應用程式中顯示資訊保護列Display the Information Protection bar in Office apps

這項設定會使用您必須使用 Office 365 Security & 合規性中心 PowerShell 進行設定的原則 advanced 設定This configuration uses a policy advanced setting that you must configure by using Office 365 Security & Compliance Center PowerShell.

根據預設,使用者必須從 [敏感度] 按鈕選取 [顯示 列] 選項,以在 Office 應用程式中顯示資訊保護列。By default, users must select the Show Bar option from the Sensitivity button to display the Information Protection bar in Office apps. 使用 HideBarByDefault 索引鍵,並將值設定為 False ,以自動為使用者顯示此列,讓使用者可以從列或按鈕選取標籤。Use the HideBarByDefault key and set the value to False to automatically display this bar for users so that they can select labels from either the bar or the button.

針對選取的標籤原則,指定下列字串:For the selected label policy, specify the following strings:

  • 機碼: HideBarByDefaultKey: HideBarByDefault

  • 值:FalseValue: False

範例 PowerShell 命令,其中的標籤原則命名為 "Global":Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{HideBarByDefault="False"}

從強制標記豁免 Outlook 訊息Exempt Outlook messages from mandatory labeling

這項設定會使用您必須使用 Office 365 Security & 合規性中心 PowerShell 進行設定的原則 advanced 設定This configuration uses a policy advanced setting that you must configure by using Office 365 Security & Compliance Center PowerShell.

依預設,當您啟用 所有檔和電子郵件 的標籤原則設定時,必須要有標籤,所有儲存的檔和傳送的電子郵件都必須套用標籤。By default, when you enable the label policy setting of All documents and emails must have a label, all saved documents and sent emails must have a label applied. 當您設定下列 advanced 設定時,原則設定只會套用至 Office 檔,而不會套用至 Outlook 訊息。When you configure the following advanced setting, the policy setting applies only to Office documents and not to Outlook messages.

針對選取的標籤原則,指定下列字串:For the selected label policy, specify the following strings:

  • 機碼: DisableMandatoryInOutlookKey: DisableMandatoryInOutlook

  • 值: TrueValue: True

範例 PowerShell 命令,其中的標籤原則命名為 "Global":Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{DisableMandatoryInOutlook="True"}

這項設定會使用您必須使用 Office 365 Security & 合規性中心 PowerShell 進行設定的原則 advanced 設定This configuration uses a policy advanced setting that you must configure by using Office 365 Security & Compliance Center PowerShell.

當您設定建議分類的標籤時,系統會提示使用者接受或關閉 Word、Excel 和 PowerPoint 中的建議標籤。When you configure a label for recommended classification, users are prompted to accept or dismiss the recommended label in Word, Excel, and PowerPoint. 此設定可延伸為在 Outlook 中也顯示此標籤建議。This setting extends this label recommendation to also display in Outlook.

針對選取的標籤原則,指定下列字串:For the selected label policy, specify the following strings:

  • 機碼:OutlookRecommendationEnabledKey: OutlookRecommendationEnabled

  • 值: TrueValue: True

範例 PowerShell 命令,其中的標籤原則命名為 "Global":Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{OutlookRecommendationEnabled="True"}

啟用從壓縮檔案移除保護Enable removal of protection from compressed files

這項設定會使用您必須使用 Office 365 Security & 合規性中心 PowerShell 進行設定的原則 advanced 設定This configuration uses a policy advanced setting that you must configure by using Office 365 Security & Compliance Center PowerShell.

當您設定此設定時,會啟用 PowerShell Cmdlet 設定->set-aipfilelabel ,以允許從 PST、RAR、7zip 和 MSG 檔案移除保護。When you configure this setting, the PowerShell cmdlet Set-AIPFileLabel is enabled to allow removal of protection from PST, rar, 7zip, and MSG files.

  • 機碼: EnableContainerSupportKey: EnableContainerSupport

  • 值: TrueValue: True

啟用原則的範例 PowerShell 命令:Example PowerShell command where your policy is enabled:

Set-LabelPolicy -Identity Global -AdvancedSettings @{EnableContainerSupport="True"}

為 Outlook 設定不同的預設標籤Set a different default label for Outlook

這項設定會使用您必須使用 Office 365 Security & 合規性中心 PowerShell 進行設定的原則 advanced 設定This configuration uses a policy advanced setting that you must configure by using Office 365 Security & Compliance Center PowerShell.

當您設定此設定時,Outlook 不會套用預設標籤,此標籤設定為 [ 將此標籤預設套用至檔和電子郵件] 選項的原則設定。When you configure this setting, Outlook doesn't apply the default label that is configured as a policy setting for the option Apply this label by default to documents and emails. 相反地,Outlook 可以套用不同的預設標籤或是沒有標籤。Instead, Outlook can apply a different default label, or no label.

針對選取的標籤原則,指定下列字串:For the selected label policy, specify the following strings:

  • 機碼:OutlookDefaultLabelKey: OutlookDefaultLabel

  • 值: <label GUID> 或 Value: <label GUID> or None

範例 PowerShell 命令,其中的標籤原則命名為 "Global":Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{OutlookDefaultLabel="None"}

變更要保護的檔案類型Change which file types to protect

這些設定會使用您必須使用 Office 365 Security & 合規性中心 PowerShell 進行設定的原則 advanced 設定These configurations use a policy advanced setting that you must configure by using Office 365 Security & Compliance Center PowerShell.

根據預設,Azure 資訊保護統一標籤用戶端會保護所有檔案類型,而來自用戶端的掃描器只會保護 Office 檔案類型和 PDF 檔案。By default, the Azure Information Protection unified labeling client protects all file types, and the scanner from the client protects only Office file types and PDF files.

您可以藉由指定下列其中一項,來變更所選標籤原則的預設行為:You can change this default behavior for a selected label policy, by specifying one of the following:

PFileSupportedExtensionPFileSupportedExtension

  • 機碼: PFileSupportedExtensionsKey: PFileSupportedExtensions

  • 價值: <string value>Value: <string value>

使用下表來識別要指定的字串值:Use the following table to identify the string value to specify:

字串值String value 用戶端Client 掃描器Scanner
* 預設值:將保護套用至所有檔案類型Default value: Apply protection to all file types 將保護套用至所有檔案類型Apply protection to all file types
ConvertTo-Json ( ".jpg"、".png" ) ConvertTo-Json(".jpg", ".png") 除了 Office 檔案類型和 PDF 檔案,請將保護套用至指定的副檔名In addition to Office file types and PDF files, apply protection to the specified file name extensions 除了 Office 檔案類型和 PDF 檔案,請將保護套用至指定的副檔名In addition to Office file types and PDF files, apply protection to the specified file name extensions

範例1: 掃描器的 PowerShell 命令,用來保護所有檔案類型,其中的標籤原則命名為「掃描器」:Example 1: PowerShell command for the scanner to protect all file types, where your label policy is named "Scanner":

Set-LabelPolicy -Identity Scanner -AdvancedSettings @{PFileSupportedExtensions="*"}

範例2: 適用于掃描器的 PowerShell 命令,除了 Office 檔案和 PDF 檔案之外,還會保護 .txt 檔案和 .csv 檔案,其中的標籤原則會命名為「掃描器」:Example 2: PowerShell command for the scanner to protect .txt files and .csv files in addition to Office files and PDF files, where your label policy is named "Scanner":

Set-LabelPolicy -Identity Scanner -AdvancedSettings @{PFileSupportedExtensions=ConvertTo-Json(".txt", ".csv")}

您可以使用此設定來變更受保護的檔案類型,但無法將預設保護層級從原生變更為一般。With this setting, you can change which file types are protected but you cannot change the default protection level from native to generic. 例如,針對執行統一標籤用戶端的使用者,您可以變更預設設定,只保護 Office 檔案和 PDF 檔案,而不是所有檔案類型。For example, for users running the unified labeling client, you can change the default setting so that only Office files and PDF files are protected instead of all file types. 但是,您無法將這些檔案類型變更為以 .pfile 副檔名進行一般保護。But you cannot change these file types to be generically protected with a .pfile file name extension.

AdditionalPPrefixExtensionsAdditionalPPrefixExtensions

統一標籤用戶端支援變更 <EXT> 。.PFILE 至 P <EXT> ,方法是使用 advanced 屬性 AdditionalPPrefixExtensionsThe unified labeling client supports changing <EXT>.PFILE to P<EXT> by using the advanced property, AdditionalPPrefixExtensions. 檔案總管、PowerShell 和掃描器都支援這個 advanced 屬性。This advanced property is supported from the File Explorer, PowerShell, and by the scanner. 所有應用程式具有類似的行為。All apps have similar behavior.

  • 機碼: AdditionalPPrefixExtensionsKey: AdditionalPPrefixExtensions

  • 價值: <string value>Value: <string value>

使用下表來識別要指定的字串值:Use the following table to identify the string value to specify:

字串值String value 用戶端和掃描器Client and Scanner
* 所有 .Pfile 延伸模組都會變成 P<EXT>All PFile extensions become P<EXT>
<null value> 預設值的行為就像預設的保護值一樣。Default value behaves like the default protection value.
ConvertTo-Json ( "",".zip" ) ConvertTo-Json(".dwg", ".zip") 除了前一個清單之外,". dwg" 和 ".zip" 變成 P<EXT>In addition to the previous list, ".dwg" and ".zip" become P<EXT>

使用此設定時,下列延伸模組一律會變成 P <EXT> : ".txt"、".xml"、".bmp"、". jt"、".jpg"、".bmp"、". jpe"、". jif"、"jfif"、".jfi"、".png"、".tif"、"tiff"、".gif" ) 。With this setting, the following extensions always become P<EXT>: ".txt", ".xml", ".bmp", ".jt", ".jpg", ".jpeg", ".jpe", ".jif", ".jfif", ".jfi", ".png", ".tif", ".tiff", ".gif") . 值得注意的是,"sample.ptxt" 不會變成 "txt. .pfile"。Notable exclusion is that "ptxt" does not become "txt.pfile".

AdditionalPPrefixExtensions 僅適用于已啟用 advanced 屬性- PFileSupportedExtension 的 PFiles 保護。AdditionalPPrefixExtensions only works if protection of PFiles with the advanced property - PFileSupportedExtension is enabled.

範例1: PowerShell 命令的行為類似于預設行為,其中保護 ". dwg" 會變成 ".pfile":Example 1: PowerShell command to behave like the default behavior where Protect ".dwg" becomes ".dwg.pfile":

Set-LabelPolicy -AdvancedSettings @{ AdditionalPPrefixExtensions =""}

範例2: PowerShell 命令可將一般保護的所有 .Pfile 延伸 (dwg. .pfile) 變更為原生保護 (。當檔案受到保護時,pdwg) :Example 2: PowerShell command to change all PFile extensions from generic protection (dwg.pfile) to native protection (.pdwg) when the files are protected:

Set-LabelPolicy -AdvancedSettings @{ AdditionalPPrefixExtensions ="*"}

範例3: 使用此服務保護此檔案時,用來將 "dwg" 變更為 ". pdwg" 的 PowerShell 命令:Example 3: PowerShell command to change ".dwg" to ".pdwg" when using this service protect this file:

Set-LabelPolicy -AdvancedSettings @{ AdditionalPPrefixExtensions =ConvertTo-Json(".dwg")}

當您使用強制標示時針對文件移除「現在不要」Remove "Not now" for documents when you use mandatory labeling

這項設定會使用您必須使用 Office 365 Security & 合規性中心 PowerShell 進行設定的原則 advanced 設定This configuration uses a policy advanced setting that you must configure by using Office 365 Security & Compliance Center PowerShell.

當您使用 所有檔和電子郵件 的標籤原則設定必須有標籤時,系統會在使用者第一次儲存 Office 檔,以及從 Outlook 傳送電子郵件時,提示他們選取標籤。When you use the label policy setting of All documents and emails must have a label, users are prompted to select a label when they first save an Office document and when they send an email from Outlook.

針對文件,使用者可以選取 [現在不要],暫時關閉選取標籤的提示並返回文件。For documents, users can select Not now to temporarily dismiss the prompt to select a label and return to the document. 不過,使用者無法在不為文件加上標籤的情況下,關閉已儲存的文件。However, they cannot close the saved document without labeling it.

當您設定 >postponemandatorybeforesave 設定時,將會移除 [ 非立即 ] 選項,讓使用者必須在第一次儲存檔時選取標籤。When you configure the PostponeMandatoryBeforeSave setting, the Not now option is removed, so that users must select a label when the document is first saved.

提示

>postponemandatorybeforesave 設定也可確保共用檔會在透過電子郵件傳送之前標示。The PostponeMandatoryBeforeSave setting also ensures that shared documents are labeled before they're sent by email.

根據預設,即使您有 所有檔和電子郵件都必須 在您的原則中啟用標籤,還是只會將使用者升級為從 Outlook 內附加至電子郵件的標籤檔案。By default, even if you have All documents and emails must have a label enabled in your policy, users are only promoted to label files attached to emails from within Outlook.

針對選取的標籤原則,指定下列字串:For the selected label policy, specify the following strings:

  • 機碼:PostponeMandatoryBeforeSaveKey: PostponeMandatoryBeforeSave

  • 值:FalseValue: False

範例 PowerShell 命令,其中的標籤原則命名為 "Global":Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{PostponeMandatoryBeforeSave="False"}

移除來自其他標籤解決方案的頁首和頁尾Remove headers and footers from other labeling solutions

這項設定會使用您必須使用 Office 365 Security & 合規性中心 PowerShell 設定的原則 advanced 設定This configuration uses policy advanced settings that you must configure by using Office 365 Security & Compliance Center PowerShell.

有兩種方法可以移除其他標籤解決方案的分類:There are two methods to remove classifications from other labeling solutions:

設定Setting 描述Description
WordShapeNameToRemoveWordShapeNameToRemove 從 Word 檔中移除圖形名稱與 WordShapeNameToRemove advanced 屬性中定義的名稱相符的任何圖形。Removes any shape from Word documents where the shape name matches the name as defined in the WordShapeNameToRemove advanced property.

如需詳細資訊,請參閱 使用 WordShapeNameToRemove advanced 屬性For more information, see Use the WordShapeNameToRemove advanced property.
RemoveExternalContentMarkingInAppRemoveExternalContentMarkingInApp

ExternalContentMarkingToRemoveExternalContentMarkingToRemove
讓您從 Word、Excel 和 PowerPoint 檔移除或取代以文字為基礎的標頭或頁尾。Lets you remove or replace text-based headers or footers from Word, Excel, and PowerPoint documents.

如需詳細資訊,請參閱For more information, see:
- 使用 >removeexternalcontentmarkinginapp advanced 屬性- Use the RemoveExternalContentMarkingInApp advanced property
- 如何設定 >externalcontentmarkingtoremove- How to configure ExternalContentMarkingToRemove.

使用 WordShapeNameToRemove advanced 屬性Use the WordShapeNameToRemove advanced property

2.6.101.0 和更新版本支援 WordShapeNameToRemove advanced 屬性The WordShapeNameToRemove advanced property is supported from version 2.6.101.0 and above

這項設定可讓您在其他標籤解決方案套用那些視覺標記時,移除或取代 Word 檔中的形狀型標籤。This setting lets you remove or replace shape-based labels from Word documents when those visual markings have been applied by another labeling solution. 例如,此圖形包含舊標籤的名稱,您現在已將其遷移至敏感度標籤,以使用新的標籤名稱及其本身的圖形。For example, the shape contains the name of an old label that you have now migrated to sensitivity labels to use a new label name and its own shape.

若要使用這個 advanced 屬性,您必須在 Word 檔中尋找圖形名稱,然後在圖形的 [ WordShapeNameToRemove advanced] 屬性清單中加以定義。To use this advanced property, you'll need to find the shape name in the Word document and then define them in the WordShapeNameToRemove advanced property list of shapes. 服務將會移除在 Word 中,以這個 advanced 屬性之圖形清單中定義的名稱開頭的任何圖形。The service will remove any shape in Word that starts with a name defined in list of shapes in this advanced property.

藉由定義要移除的所有圖形名稱,並避免檢查所有圖形中的文字(這是需要大量資源的進程),避免移除包含您想要忽略之文字的圖形。Avoid removing shapes that contain the text that you wish to ignore, by defining the name of all shapes to remove and avoid checking the text in all shapes, which is a resource-intensive process.

注意

如果您未在此 [其他] [advanced] 屬性設定中指定單字圖形,而且 [ >removeexternalcontentmarkinginapp ] 索引鍵值中包含 [word],將會檢查所有圖形是否有您在 >externalcontentmarkingtoremove 值中指定的文字。If you do not specify Word shapes in this additional advanced property setting, and Word is included in the RemoveExternalContentMarkingInApp key value, all shapes will be checked for the text that you specify in the ExternalContentMarkingToRemove value.

若要尋找您所使用且想要排除的圖形名稱:To find the name of the shape that you're using and wish to exclude:

  1. 在 Word 中,顯示 [選取範圍] 窗格: [ 資料夾] 索引標籤 >編輯 群組 >選取[選項] > 選取 窗格In Word, display the Selection pane: Home tab > Editing group > Select option > Selection Pane.

  2. 在頁面上選取您要標示為移除的圖形。Select the shape on the page that you wish to mark for removal. 您標示的圖形名稱現在會在 [ 選取範圍 ] 窗格中反白顯示。The name of the shape you mark is now highlighted in the Selection pane.

您可以使用圖形的名稱,為 * * * * WordShapeNameToRemove * * * * * * * * * * 索引鍵指定字串值。Use the name of the shape to specify a string value for the ****WordShapeNameToRemove**** key.

範例:圖形名稱為 dcExample: The shape name is dc. 若要移除具有此名稱的圖形,您需要指定值:dcTo remove the shape with this name, you specify the value: dc.

  • 機碼: WordShapeNameToRemoveKey: WordShapeNameToRemove

  • 值:<Word shape name>Value: <Word shape name>

範例 PowerShell 命令,其中的標籤原則命名為 "Global":Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{WordShapeNameToRemove="dc"}

當您要移除一個以上的單字圖形時,請指定要移除的圖形數目。When you have more than one Word shape to remove, specify as many values as you have shapes to remove.

使用 >removeexternalcontentmarkinginapp advanced 屬性Use the RemoveExternalContentMarkingInApp advanced property

這項設定可讓您在其他標籤解決方案套用那些視覺標記時,移除或取代檔中以文字為基礎的頁首或頁尾。This setting lets you remove or replace text-based headers or footers from documents when those visual markings have been applied by another labeling solution. 例如,舊頁尾包含您現在已遷移至敏感度標籤的舊標籤名稱,以使用新的標籤名稱及其本身的頁尾。For example, the old footer contains the name of an old label that you have now migrated to sensitivity labels to use a new label name and its own footer.

當統一標籤用戶端在其原則中取得這項設定時,在 Office 應用程式中開啟檔時,會移除或取代舊的標頭和頁尾,並將任何敏感度標籤套用至檔。When the unified labeling client gets this configuration in its policy, the old headers and footers are removed or replaced when the document is opened in the Office app and any sensitivity label is applied to the document.

Outlook 不支援此設定,並請注意當您搭配 Word、Excel 及 PowerPoint 使用此項目時,可能會在使用者使用這些應用程式時產生負面效能影響。This configuration is not supported for Outlook, and be aware that when you use it with Word, Excel, and PowerPoint, it can negatively affect the performance of these apps for users. 設定可讓您針對每個應用程式定義設定。例如:在 Word 文件的頁首和頁尾中搜尋文字,而不在 Excel 試算表或 PowerPoint 簡報中搜尋。The configuration lets you define settings per application, for example, search for text in the headers and footers of Word documents but not Excel spreadsheets or PowerPoint presentations.

由於模式比對會影響使用者的效能,因此建議您將 Office 應用程式類型限制 (W Ord、E X 資料格、 P owerPoint) 只是需要搜尋的應用程式類型。Because the pattern matching affects the performance for users, we recommend that you limit the Office application types (W ord, E X cel, P owerPoint) to just those that need to be searched. 針對選取的標籤原則,指定下列字串:For the selected label policy, specify the following strings:

  • 機碼:RemoveExternalContentMarkingInAppKey: RemoveExternalContentMarkingInApp

  • 值:<Office application types WXP>Value: <Office application types WXP>

範例:Examples:

  • 若只要搜尋 Word 文件,請指定 WTo search Word documents only, specify W.

  • 若要搜尋 Word 文件和 PowerPoint 簡報,請指定 WPTo search Word documents and PowerPoint presentations, specify WP.

範例 PowerShell 命令,其中的標籤原則命名為 "Global":Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{RemoveExternalContentMarkingInApp="WX"}

然後,您還需要至少一項進階用戶端設定 (ExternalContentMarkingToRemove) 來指定頁首或頁尾的內容,以及移除或取代它們的方式。You then need at least one more advanced client setting, ExternalContentMarkingToRemove, to specify the contents of the header or footer, and how to remove or replace them.

如何設定 ExternalContentMarkingToRemoveHow to configure ExternalContentMarkingToRemove

當您指定 >externalcontentmarkingtoremove 索引鍵的字串值時,您有三個使用正則運算式的選項。When you specify the string value for the ExternalContentMarkingToRemove key, you have three options that use regular expressions. 針對上述每個案例,使用下表中 [ 範例值 ] 資料行所顯示的語法:For each of these scenarios, use the syntax shown in the Example value column in the following table:

選項Option 範例描述Example description 範例值Example value
部分相符以移除頁首或頁尾中的所有專案Partial match to remove everything in the header or footer 標頭或頁尾包含 要移除 的字串文字,而您想要完全移除這些頁首或頁尾。Your headers or footers contain the string TEXT TO REMOVE, and you want to completely remove these headers or footers. *TEXT*
完全相符,只移除頁首或頁尾中的特定單字Complete match to remove just specific words in the header or footer 頁首或頁尾包含 要移除 的字串文字,而您只想要移除文字 文字 ,請將頁首或頁尾字串保留為 移除Your headers or footers contain the string TEXT TO REMOVE, and you want to remove the word TEXT only, leaving the header or footer string as TO REMOVE. TEXT
完全相符,以移除頁首或頁尾中的所有專案Complete match to remove everything in the header or footer 頁首或頁尾具有 要移除 的字串文字。Your headers or footers have the string TEXT TO REMOVE. 您若想要移除完整包含此字串的頁首或頁尾,You want to remove headers or footers that have exactly this string. ^TEXT TO REMOVE$

您指定字串的模式比對不會區分大小寫。The pattern matching for the string that you specify is case-insensitive. 字串長度上限為255個字元,且不能包含空白字元。The maximum string length is 255 characters, and cannot include white spaces.

因為部分文件可能包含不可見的字元,或是不同種類的空格或定位字元,所以可能無法偵測您為片語或句子指定的字串。Because some documents might include invisible characters or different kinds of spaces or tabs, the string that you specify for a phrase or sentence might not be detected. 可能的話,請為值指定單一區分字組,並務必在於生產中部署前測試結果。Whenever possible, specify a single distinguishing word for the value and be sure to test the results before you deploy in production.

針對相同的標籤原則,請指定下列字串:For the same label policy, specify the following strings:

  • 機碼:ExternalContentMarkingToRemoveKey: ExternalContentMarkingToRemove

  • 值:<string to match, defined as regular expression>Value: <string to match, defined as regular expression>

範例 PowerShell 命令,其中的標籤原則命名為 "Global":Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{ExternalContentMarkingToRemove="*TEXT*"}

如需詳細資訊,請參閱For more information, see:

多行頁首或頁尾Multiline headers or footers

若頁首或頁尾文字超過一行,請為每一行都建立機碼與值。If a header or footer text is more than a single line, create a key and value for each line. 例如,如果您的下列頁尾有兩行:For example, if you have the following footer with two lines:

The file is classified as ConfidentialThe file is classified as Confidential

Label applied manuallyLabel applied manually

若要移除此多行頁尾,您可以為相同的標籤原則建立下列兩個專案:To remove this multiline footer, you create the following two entries for the same label policy:

  • 機碼:ExternalContentMarkingToRemoveKey: ExternalContentMarkingToRemove

  • 機碼值1: * 機密*Key Value 1: *Confidential*

  • 機碼值2:套用的 * 標籤*Key Value 2: *Label applied*

範例 PowerShell 命令,其中的標籤原則命名為 "Global":Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{ExternalContentMarkingToRemove="*Confidential*,*Label applied*"}

針對 PowerPoint 最佳化Optimization for PowerPoint

PowerPoint 中的頁首和頁尾會實作為圖形。Headers and footers in PowerPoint are implemented as shapes. 針對 msoTextBoxmsoTextEffectmsoPlaceholdermsoAutoShape 圖形類型,下列 advanced 設定會提供額外的優化:For the msoTextBox, msoTextEffect, msoPlaceholder, and msoAutoShape shape types, the following advanced settings provide additional optimizations:

此外, PowerPointRemoveAllShapesByShapeName 可以根據圖形名稱來移除任何圖形類型。Additionally, the PowerPointRemoveAllShapesByShapeName can remove any shape type, based on the shape name.

如需詳細資訊,請參閱 尋找您要用來作為頁首或頁尾的圖形名稱For more information, see Find the name of the shape that you're using as a header or footer.

避免從包含指定文字的 PowerPoint 移除圖形,而且不是頁首/頁尾Avoid removing shapes from PowerPoint that contain specified text, and are not headers / footers

若要避免移除包含您指定之文字(但不是頁首或頁尾)的圖形,請使用名為 >powerpointshapenametoremove 的其他 advanced 用戶端設定。To avoid removing shapes that contain the text that you have specified, but are not headers or footers, use an additional advanced client setting named PowerPointShapeNameToRemove.

我們也建議使用此設定來避免檢查所有圖形中的文字,因為檢查過程會耗費大量的資源。We also recommend using this setting to avoid checking the text in all shapes, which is a resource-intensive process.

例如:For example:

Set-LabelPolicy -Identity Global -AdvancedSettings @{PowerPointShapeNameToRemove="fc"}
將外部標示移除延伸至自訂版面配置Extend external marking removal to custom layouts

這項設定會使用您必須使用 Office 365 Security & 合規性中心 PowerShell 進行設定的原則 advanced 設定This configuration uses a policy advanced setting that you must configure by using Office 365 Security & Compliance Center PowerShell.

根據預設,用來移除外部內容標記的邏輯會忽略 PowerPoint 中設定的自訂版面配置。By default, the logic used to remove external content markings ignores custom layouts configured in PowerPoint. 若要將此邏輯延伸至自訂版面配置,請將 RemoveExternalMarkingFromCustomLayouts advanced 屬性設定為 TrueTo extend this logic to custom layouts, set the RemoveExternalMarkingFromCustomLayouts advanced property to True.

  • 機碼: RemoveExternalMarkingFromCustomLayoutsKey: RemoveExternalMarkingFromCustomLayouts

  • 值: TrueValue: True

範例 PowerShell 命令,其中的標籤原則命名為 "Global":Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{RemoveExternalMarkingFromCustomLayouts="True"}
移除特定圖形名稱的所有圖形Remove all shapes of a specific shape name

如果您使用 PowerPoint 自訂版面配置,並且想要從頁首和頁尾中移除特定圖形名稱的所有圖形,請使用 PowerPointRemoveAllShapesByShapeName advanced 設定,並以您想要移除的圖形名稱。If you are using PowerPoint custom layouts, and want to remove all shapes of a specific shape name from your headers and footers, use the PowerPointRemoveAllShapesByShapeName advanced setting, with the name of the shape you want to remove.

使用 PowerPointRemoveAllShapesByShapeName 設定會忽略您圖形內的文字,而是使用圖形名稱來識別您想要移除的圖形。Using the PowerPointRemoveAllShapesByShapeName setting ignores the text inside your shapes, and instead uses the shape name identify the shapes you want to remove.

例如:For example:

Set-LabelPolicy -Identity Global -AdvancedSettings @{PowerPointRemoveAllShapesByShapeName="Arrow: Right"}

注意

若要定義 PowerPointRemoveAllShapesByShapeName 設定,您目前還必須定義 >externalcontentmarkingtoremove 設定,即使您不需要 >externalcontentmarkingtoremove 所提供的功能。To define the PowerPointRemoveAllShapesByShapeName setting, you must currently also define the ExternalContentMarkingToRemove setting, even if you do not need the functionality provided by ExternalContentMarkingToRemove.

如果您想要定義 PowerPointRemoveAllShapesByShapeName,建議您同時定義 >externalcontentmarkingtoremove>powerpointshapenametoremove ,以避免移除比您預期更多的圖形。We recommend that if you want to define PowerPointRemoveAllShapesByShapeName, define both ExternalContentMarkingToRemove and PowerPointShapeNameToRemove to avoid removing more shapes than you intend.

如需詳細資訊,請參閱For more information, see:

  1. 在 PowerPoint 中,顯示 [選取項目] 窗格:[格式] 索引標籤 > [排列] 群組 > [選取項目窗格]。In PowerPoint, display the Selection pane: Format tab > Arrange group > Selection Pane.

  2. 選取投影片上包含您頁首或頁尾的圖形。Select the shape on the slide that contains your header or footer. 選取的圖形名稱現在會在 [選取項目] 窗格中以醒目提示呈現。The name of the selected shape is now highlighted in the Selection pane.

使用圖形名稱來指定 PowerPointShapeNameToRemove 機碼的字串值。Use the name of the shape to specify a string value for the PowerPointShapeNameToRemove key.

範例:圖形名稱為 fcExample: The shape name is fc. 若要移除具有此名稱的圖形,您需要指定值:fcTo remove the shape with this name, you specify the value: fc.

  • 機碼:PowerPointShapeNameToRemoveKey: PowerPointShapeNameToRemove

  • 值:<PowerPoint shape name>Value: <PowerPoint shape name>

範例 PowerShell 命令,其中的標籤原則命名為 "Global":Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{PowerPointShapeNameToRemove="fc"}

當您要移除一個以上的 PowerPoint 圖形時,請指定要移除的圖形數目。When you have more than one PowerPoint shape to remove, specify as many values as you have shapes to remove.

根據預設,只會針對母片投影片檢查頁首和頁尾。By default, only the Master slides are checked for headers and footers. 若要將此搜尋範圍延伸至所有投影片 (更耗費資源的程序),請使用名為 RemoveExternalContentMarkingInAllSlides 的額外進階用戶端設定:To extend this search to all slides, which is a much more resource-intensive process, use an additional advanced client setting named RemoveExternalContentMarkingInAllSlides:

  • 索引鍵:RemoveExternalContentMarkingInAllSlidesKey: RemoveExternalContentMarkingInAllSlides

  • 值: TrueValue: True

範例 PowerShell 命令,其中的標籤原則命名為 "Global":Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{RemoveExternalContentMarkingInAllSlides="True"}
從 PowerPoint 的自訂版面配置中移除外部內容標示Remove external content marking from custom layouts in PowerPoint

這項設定會使用您必須使用 Office 365 Security & 合規性中心 PowerShell 進行設定的原則 advanced 設定This configuration uses a policy advanced setting that you must configure by using Office 365 Security & Compliance Center PowerShell.

根據預設,用來移除外部內容標記的邏輯會忽略 PowerPoint 中設定的自訂版面配置。By default, the logic used to remove external content markings ignores custom layouts configured in PowerPoint. 若要將此邏輯延伸至自訂版面配置,請將 RemoveExternalMarkingFromCustomLayouts advanced 屬性設定為 TrueTo extend this logic to custom layouts, set the RemoveExternalMarkingFromCustomLayouts advanced property to True.

  • 機碼: RemoveExternalMarkingFromCustomLayoutsKey: RemoveExternalMarkingFromCustomLayouts

  • 值: TrueValue: True

範例 PowerShell 命令,其中的標籤原則命名為 "Global":Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{RemoveExternalMarkingFromCustomLayouts="True"}

停用檔案總管中的自訂許可權Disable custom permissions in File Explorer

這項設定會使用您必須使用 Office 365 Security & 合規性中心 PowerShell 進行設定的原則 advanced 設定This configuration uses a policy advanced setting that you must configure by using Office 365 Security & Compliance Center PowerShell.

依預設,當使用者以滑鼠右鍵按一下檔案總管並選擇 [分類並保護] 時,使用者會看到名為 [使用自訂許可權保護] 的選項。By default, users see an option named Protect with custom permissions when they right-click in File Explorer and choose Classify and protect. 此選項可讓他們設定自己的保護設定,以覆寫您可能已包含在標籤設定中的任何保護設定。This option lets them set their own protection settings that can override any protection settings that you might have included with a label configuration. 使用者也可以看到移除保護的選項。Users can also see an option to remove protection. 當您設定此設定時,使用者看不到這些選項。When you configure this setting, users do not see these options.

若要設定此 advanced 設定,請針對選取的標籤原則輸入下列字串:To configure this advanced setting, enter the following strings for the selected label policy:

  • 索引鍵:EnableCustomPermissionsKey: EnableCustomPermissions

  • 值:FalseValue: False

範例 PowerShell 命令,其中的標籤原則命名為 "Global":Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{EnableCustomPermissions="False"}

對於使用自訂權限保護的檔案,一律在檔案總管中向使用者顯示自訂權限For files protected with custom permissions, always display custom permissions to users in File Explorer

這項設定會使用您必須使用 Office 365 Security & 合規性中心 PowerShell 進行設定的原則 advanced 設定This configuration uses a policy advanced setting that you must configure by using Office 365 Security & Compliance Center PowerShell.

當您將 [advanced client] 設定為 停用檔案總管中的自訂許可權時,使用者預設無法看到或變更已在受保護檔中設定的自訂許可權。When you configure the advanced client setting to disable custom permissions in File Explorer, by default, users are not able to see or change custom permissions that are already set in a protected document.

不過,還有另一個您可以指定的 advanced client 設定,在此案例中,使用者可以在使用檔案總管並以滑鼠右鍵按一下檔案時,查看並變更受保護檔的自訂許可權。However, there's another advanced client setting that you can specify so that in this scenario, users can see and change custom permissions for a protected document when they use File Explorer and right-click the file.

若要設定此 advanced 設定,請針對選取的標籤原則輸入下列字串:To configure this advanced setting, enter the following strings for the selected label policy:

  • 機碼: EnableCustomPermissionsForCustomProtectedFilesKey: EnableCustomPermissionsForCustomProtectedFiles

  • 值: TrueValue: True

PowerShell 命令範例:Example PowerShell command:

Set-LabelPolicy -Identity Global -AdvancedSettings @{EnableCustomPermissionsForCustomProtectedFiles="True"}

針對具有附件的電子郵件訊息,套用符合這些附件之最高分類的標籤For email messages with attachments, apply a label that matches the highest classification of those attachments

這項設定會使用您必須使用 Office 365 Security & 合規性中心 PowerShell 設定的原則 advanced 設定This configuration uses policy advanced settings that you must configure by using Office 365 Security & Compliance Center PowerShell.

這項設定適用于使用者將加上標籤的檔附加至電子郵件,且未標示電子郵件訊息本身時。This setting is for when users attach labeled documents to an email, and do not label the email message itself. 在此案例中,系統會根據套用至附件的分類標籤,自動選取標籤。In this scenario, a label is automatically selected for them, based on the classification labels that are applied to the attachments. 已選取最高分類標籤。The highest classification label is selected.

附件必須是實體檔案,且不能是檔案的連結 (例如,在 Microsoft SharePoint 或 OneDrive) 上的檔案連結。The attachment must be a physical file, and cannot be a link to a file (for example, a link to a file on Microsoft SharePoint or OneDrive).

您可以將此設定設為 [ 建議],讓使用者使用可自訂的工具提示,將選取的標籤套用到其電子郵件訊息。You can configure this setting to Recommended, so that users are prompted to apply the selected label to their email message, with a customizable tooltip. 使用者可以接受建議,或予以關閉。Users can accept the recommendation or dismiss it. 或者,您可以將這項設定設定為 [ 自動],其中會自動套用選取的標籤,但使用者可以在傳送電子郵件之前移除標籤或選取不同的標籤。Or, you can configure this setting to Automatic, where the selected label is automatically applied but users can remove the label or select a different label before sending the email.

注意

當具有最高分類標籤的附件設定為使用使用者定義許可權的設定進行保護時:When the attachment with the highest classification label is configured for protection with the setting of user-defined permissions:

  • 當標籤的使用者定義許可權包含 Outlook ([無法轉寄) ] 時,就會選取該標籤,並將 [不可轉寄] 保護套用至電子郵件。When the label's user-defined permissions include Outlook (Do Not Forward), that label is selected and Do Not Forward protection is applied to the email.
  • 當標籤的使用者定義許可權僅適用于 Word、Excel、PowerPoint 及檔案總管時,該標籤不會套用至電子郵件訊息,也不會受到保護。When the label's user-defined permissions are just for Word, Excel, PowerPoint, and File Explorer, that label is not applied to the email message, and neither is protection.

若要設定此 advanced 設定,請針對選取的標籤原則輸入下列字串:To configure this advanced setting, enter the following strings for the selected label policy:

  • 金鑰1: AttachmentActionKey 1: AttachmentAction

  • 機碼值1: 建議自動Key Value 1: Recommended or Automatic

  • 機碼2: AttachmentActionTipKey 2: AttachmentActionTip

  • 機碼值2: " <customized tooltip> "Key Value 2: "<customized tooltip>"

自訂工具提示僅支援單一語言。The customized tooltip supports a single language only.

範例 PowerShell 命令,其中的標籤原則命名為 "Global":Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{AttachmentAction="Automatic"}

為使用者新增 [回報問題]Add "Report an Issue" for users

這項設定會使用您必須使用 Office 365 Security & 合規性中心 PowerShell 進行設定的原則 advanced 設定This configuration uses a policy advanced setting that you must configure by using Office 365 Security & Compliance Center PowerShell.

當您指定下列進階用戶端設定時,使用者會看到 [回報問題] 選項,可從 [說明與意見反應] 用戶端對話方塊來選取。When you specify the following advanced client setting, users see a Report an Issue option that they can select from the Help and Feedback client dialog box. 指定連結的 HTTP 字串。Specify an HTTP string for the link. 例如,您可以讓使用者回報問題的自訂網頁,或可連至您技術支援中心的電子郵件地址。For example, a customized web page that you have for users to report issues, or an email address that goes to your help desk.

若要設定此 advanced 設定,請針對選取的標籤原則輸入下列字串:To configure this advanced setting, enter the following strings for the selected label policy:

  • 機碼:ReportAnIssueLinkKey: ReportAnIssueLink

  • 價值: <HTTP string>Value: <HTTP string>

網站的範例值:https://support.contoso.comExample value for a website: https://support.contoso.com

電子郵件地址的範例值:mailto:helpdesk@contoso.comExample value for an email address: mailto:helpdesk@contoso.com

範例 PowerShell 命令,其中的標籤原則命名為 "Global":Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{ReportAnIssueLink="mailto:helpdesk@contoso.com"}

在 Outlook 中實作快顯訊息,以警告、封鎖傳送的電子郵件,或證實其正當性Implement pop-up messages in Outlook that warn, justify, or block emails being sent

這項設定會使用您必須使用 Office 365 Security & 合規性中心 PowerShell 設定的原則 advanced 設定This configuration uses policy advanced settings that you must configure by using Office 365 Security & Compliance Center PowerShell.

當您建立及進行下列進階用戶端設定時,使用者可在 Outlook 中查看快顯訊息,這些訊息可在傳送電子郵件前警告他們、要求他們提供傳送此電子郵件的正當理由,或防止他們在下列其中一個情況下傳送電子郵件:When you create and configure the following advanced client settings, users see pop-up messages in Outlook that can warn them before sending an email, or ask them to provide justification why they are sending an email, or prevent them from sending an email for either of the following scenarios:

  • 他們的電子郵件或其附件具有特定標籤Their email or attachment for the email has a specific label:

    • 附件可為任意檔案類型The attachment can be any file type
  • 他們的電子郵件或其附件沒有標籤Their email or attachment for the email doesn't have a label:

    • 附件可為 Office 文件或 PDF 文件The attachment can be an Office document or PDF document

當符合這些條件時,使用者會看到具有下列其中一個動作的快顯視窗訊息:When these conditions are met, the user sees a pop-up message with one of the following actions:

類型Type 描述Description
警告Warn 使用者可確認並傳送,或取消。The user can confirm and send, or cancel.
證明Justify 系統會提示使用者提供理由 (預先定義的選項或自由格式的) ,然後使用者可以傳送或取消電子郵件。The user is prompted for justification (predefined options or free-form), and the user can then send or cancel the email.
對齊文字會寫入電子郵件 x 標頭,以便其他系統可以讀取,例如資料遺失防止 (DLP) 服務。The justification text is written to the email x-header, so that it can be read by other systems, such as data loss prevention (DLP) services.
封鎖Block 在情況持續存在時,防止使用者傳送電子郵件。The user is prevented from sending the email while the condition remains.
訊息包含封鎖電子郵件的原因,以便使用者可以解決問題。The message includes the reason for blocking the email, so the user can address the problem.
例如,移除特定收件者,或標記電子郵件。For example, remove specific recipients, or label the email.

當快顯訊息適用于特定標籤時,您可以設定依功能變數名稱的收件者例外狀況。When the popup-messages are for a specific label, you can configure exceptions for recipients by domain name.

如需如何進行這些設定的逐步解說範例,請參閱影片 Azure 資訊保護 Outlook 快顯視窗 設定。See the video Azure Information Protection Outlook Popup Configuration for a walkthrough example of how to configure these settings.

提示

為了確保即使檔從外部 Outlook 共用時,也會顯示快顯視窗 (檔案 > 共用 > 附加複本),也請設定 >postponemandatorybeforesave advanced 設定。To ensure that popups are displayed even when documents are shared from outside Outlook (File > Share > Attach a copy), also configure the PostponeMandatoryBeforeSave advanced setting.

如需詳細資訊,請參閱For more information, see:

若要針對特定標籤執行警告、論證或封鎖快顯視窗訊息To implement the warn, justify, or block pop-up messages for specific labels

針對選取的原則,請使用下列索引鍵來建立下列一或多個 advanced 設定。For the selected policy, create one or more of the following advanced settings with the following keys. 針對這些值,請依 Guid 指定一或多個標籤,並以逗號分隔每一個標籤。For the values, specify one or more labels by their GUIDs, each one separated by a comma.

多個標籤 Guid 作為逗點分隔字串的範例值:Example value for multiple label GUIDs as a comma-separated string:

dcf781ba-727f-4860-b3c1-73479e31912b,1ace2cc3-14bc-4142-9125-bf946a70542c,3e9df74d-3168-48af-8b11-037e3021813f
訊息類型Message type 索引鍵/值Key/Value
警告Warn 機碼: >outlookwarnuntrustedcollaborationlabelKey: OutlookWarnUntrustedCollaborationLabel

值:<label GUIDs, comma-separated>Value: <label GUIDs, comma-separated>
證明Justify 機碼: OutlookJustifyUntrustedCollaborationLabelKey: OutlookJustifyUntrustedCollaborationLabel

值:<label GUIDs, comma-separated>Value: <label GUIDs, comma-separated>
封鎖Block 機碼: >outlookblockuntrustedcollaborationlabelKey: OutlookBlockUntrustedCollaborationLabel

值:<label GUIDs, comma-separated>Value: <label GUIDs, comma-separated>

範例 PowerShell 命令,其中的標籤原則命名為 "Global":Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{OutlookWarnUntrustedCollaborationLabel="8faca7b8-8d20-48a3-8ea2-0f96310a848e,b6d21387-5d34-4dc8-90ae-049453cec5cf,bb48a6cb-44a8-49c3-9102-2d2b017dcead,74591a94-1e0e-4b5d-b947-62b70fc0f53a,6c375a97-2b9b-4ccd-9c5b-e24e4fd67f73"}

Set-LabelPolicy -Identity Global -AdvancedSettings @{OutlookJustifyUntrustedCollaborationLabel="dc284177-b2ac-4c96-8d78-e3e1e960318f,d8bb73c3-399d-41c2-a08a-6f0642766e31,750e87d4-0e91-4367-be44-c9c24c9103b4,32133e19-ccbd-4ff1-9254-3a6464bf89fd,74348570-5f32-4df9-8a6b-e6259b74085b,3e8d34df-e004-45b5-ae3d-efdc4731df24"}

Set-LabelPolicy -Identity Global -AdvancedSettings @{OutlookBlockUntrustedCollaborationLabel="0eb351a6-0c2d-4c1d-a5f6-caa80c9bdeec,40e82af6-5dad-45ea-9c6a-6fe6d4f1626b"}

若要進一步自訂,您也可以 豁免針對特定標籤設定之快顯訊息的功能變數名稱For further customization, you can also exempt domain names for pop-up messages configured for specific labels.

注意

本節中的 advanced 設定 (>outlookwarnuntrustedcollaborationlabelOutlookJustifyUntrustedCollaborationLabel>outlookblockuntrustedcollaborationlabel) 適用於何時使用 特定 標籤。The advanced settings in this section (OutlookWarnUntrustedCollaborationLabel, OutlookJustifyUntrustedCollaborationLabel, and OutlookBlockUntrustedCollaborationLabel) are for when a specific label is in use.

若要執行 unlabled 內容的預設快顯視窗訊息,請使用 OutlookUnlabeledCollaborationAction advanced 設定。To implement default popup messages for unlabled content, use the OutlookUnlabeledCollaborationAction advanced setting. 若要自訂未標記內容的快顯視窗訊息,請使用 json 檔案來定義您的 advanced 設定。To customize your popup messages for unlabeled content, use a .json file to define your advanced settings.

如需詳細資訊,請參閱 自訂 Outlook 快顯視窗訊息For more information, see Customize Outlook popup messages.

提示

為了確保您可以視需要顯示封鎖訊息,即使是位於 Outlook 通訊群組清單內的收件者,也請務必新增 EnableOutlookDistributionListExpansion advanced 設定。To ensure that your block messages are displayed as needed, even for a recipient located inside an Outlook distribution list, make sure to add the EnableOutlookDistributionListExpansion advanced setting.

免除針對特定標籤設定之快顯訊息的功能變數名稱To exempt domain names for pop-up messages configured for specific labels

針對您使用這些快顯訊息指定的標籤,您可以豁免特定的功能變數名稱,讓使用者看不到其電子郵件地址中包含該功能變數名稱的收件者訊息。For the labels that you've specified with these pop-up messages, you can exempt specific domain names so that users do not see the messages for recipients who have that domain name included in their email address. 在此情況下,便可傳送電子郵件而不中斷。In this case, the emails are sent without interruption. 若要指定多個網域,請以單一字串的形式來新增,並以逗點分隔。To specify multiple domains, add them as a single string, separated by commas.

一般設定僅用來對您組織外部或非組織授權夥伴的收件者顯示快顯訊息。A typical configuration is to display the pop-up messages only for recipients who are external to your organization or who aren't authorized partners for your organization. 在此情況下,您可指定您組織及夥伴使用的所有電子郵件網域。In this case, you specify all the email domains that are used by your organization and by your partners.

針對相同的標籤原則,請建立下列 advanced client 設定,並為值指定一或多個網域,並以逗號分隔。For the same label policy, create the following advanced client settings and for the value, specify one or more domains, each one separated by a comma.

以逗點分隔字串表示多個網域的範例值如下:contoso.com,fabrikam.com,litware.comExample value for multiple domains as a comma-separated string: contoso.com,fabrikam.com,litware.com

訊息類型Message type 索引鍵/值Key/Value
警告Warn 機碼: >outlookwarntrusteddomainsKey: OutlookWarnTrustedDomains

價值: <domain names, comma separated>Value: <domain names, comma separated>
證明Justify 機碼: >outlookjustifytrusteddomainsKey: OutlookJustifyTrustedDomains

價值: <domain names, comma separated>Value: <domain names, comma separated>
封鎖Block 機碼: >outlookblocktrusteddomainsKey: OutlookBlockTrustedDomains

價值: <domain names, comma separated>Value: <domain names, comma separated>

例如,假設您已針對 [機密 \ 所有員工] 標籤指定 >outlookblockuntrustedcollaborationlabel advanced client 設定。For example, let's say you have specified the OutlookBlockUntrustedCollaborationLabel advanced client setting for the Confidential \ All Employees label.

您現在可以使用 contoso.com 來指定 >outlookblocktrusteddomains 的其他 advanced 用戶端設定。You now specify the additional advanced client setting of OutlookBlockTrustedDomains with contoso.com. 如此一來,當使用者將電子郵件標示為 [機密] \ [所有員工] 時,就可以傳送電子郵件給該電子郵件, john@sales.contoso.com 但會被封鎖而無法將具有相同標籤的電子郵件傳送給 Gmail 帳戶。 As a result, a user can send an email to john@sales.contoso.com when it is labeled Confidential \ All Employees, but will be blocked from sending an email with the same label to a Gmail account.

範例 PowerShell 命令,其中的標籤原則命名為 "Global":Example PowerShell commands, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{OutlookBlockTrustedDomains="contoso.com"}

Set-LabelPolicy -Identity Global -AdvancedSettings @{OutlookJustifyTrustedDomains="contoso.com,fabrikam.com,litware.com"}

注意

為了確保您可以視需要顯示封鎖訊息,即使是位於 Outlook 通訊群組清單內的收件者,也請務必新增 EnableOutlookDistributionListExpansion advanced 設定。To ensure that your block messages are displayed as needed, even for a recipient located inside an Outlook distribution list, make sure to add the EnableOutlookDistributionListExpansion advanced setting.

針對沒有標籤的電子郵件或附件,執行警告、論證或封鎖快顯訊息To implement the warn, justify, or block pop-up messages for emails or attachments that don't have a label

針對相同的標籤原則,請使用下列其中一個值來建立下列 advanced client 設定:For the same label policy, create the following advanced client setting with one of the following values:

訊息類型Message type 索引鍵/值Key/Value
警告Warn 機碼: OutlookUnlabeledCollaborationActionKey: OutlookUnlabeledCollaborationAction

值: 警告Value: Warn
證明Justify 機碼: OutlookUnlabeledCollaborationActionKey: OutlookUnlabeledCollaborationAction

值: 論證Value: Justify
封鎖Block 機碼: OutlookUnlabeledCollaborationActionKey: OutlookUnlabeledCollaborationAction

值: BlockValue: Block
關閉這些訊息Turn off these messages 機碼: OutlookUnlabeledCollaborationActionKey: OutlookUnlabeledCollaborationAction

值: OffValue: Off

範例 PowerShell 命令,其中的標籤原則命名為 "Global":Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{OutlookUnlabeledCollaborationAction="Warn"}

如需進一步的自訂,請參閱:For futher customization, see:

針對沒有標籤的電子郵件附件,定義警告、論證或封鎖快顯訊息的特定副檔名To define specific file name extensions for the warn, justify, or block pop-up messages for email attachments that don't have a label

根據預設,警告、理由或封鎖快顯訊息會套用至所有 Office 檔和 PDF 檔。By default, the warn, justify, or block pop-up messages apply to all Office documents and PDF documents. 您可以藉由指定要使用額外的 advanced 設定來顯示警告、調整或封鎖訊息的副檔名,以及逗點分隔的副檔名清單,來精簡這份清單。You can refine this list by specifying which file name extensions should display the warn, justify, or block messages with an additional advanced setting and a comma-separated list of file name extensions.

用來定義為逗點分隔字串之多個副檔名的範例值: .XLSX,.XLSM,.XLS,.XLTX,.XLTM,.DOCX,.DOCM,.DOC,.DOCX,.DOCM,.PPTX,.PPTM,.PPT,.PPTX,.PPTMExample value for multiple file name extensions to define as a comma-separated string: .XLSX,.XLSM,.XLS,.XLTX,.XLTM,.DOCX,.DOCM,.DOC,.DOCX,.DOCM,.PPTX,.PPTM,.PPT,.PPTX,.PPTM

在此範例中,未標記的 PDF 檔將不會產生警告、對齊或封鎖快顯訊息。In this example, an unlabeled PDF document will not result in warn, justify, or block pop-up messages.

針對相同的標籤原則,請輸入下列字串:For the same label policy, enter the following strings:

  • 機碼: OutlookOverrideUnlabeledCollaborationExtensionsKey: OutlookOverrideUnlabeledCollaborationExtensions

  • 價值: <file name extensions to display messages, comma separated>Value: <file name extensions to display messages, comma separated>

範例 PowerShell 命令,其中的標籤原則命名為 "Global":Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{OutlookOverrideUnlabeledCollaborationExtensions=".PPTX,.PPTM,.PPT,.PPTX,.PPTM"}

為沒有附件的電子郵件訊息指定不同的動作To specify a different action for email messages without attachments

根據預設,您為 OutlookUnlabeledCollaborationAction 指定的值會套用到警告、論證或封鎖快顯訊息,適用于沒有標籤的電子郵件或附件。By default, the value that you specify for OutlookUnlabeledCollaborationAction to warn, justify, or block pop-up messages applies to emails or attachments that don't have a label.

您可以藉由為沒有附件的電子郵件訊息指定另一個 advanced 設定,來調整此設定。You can refine this configuration by specifying another advanced setting for email messages that don't have attachments.

使用下列其中一個值建立下列進階用戶端設定:Create the following advanced client setting with one of the following values:

訊息類型Message type 索引鍵/值Key/Value
警告Warn 機碼: OutlookUnlabeledCollaborationActionOverrideMailBodyBehaviorKey: OutlookUnlabeledCollaborationActionOverrideMailBodyBehavior

值: 警告Value: Warn
證明Justify 機碼: OutlookUnlabeledCollaborationActionOverrideMailBodyBehaviorKey: OutlookUnlabeledCollaborationActionOverrideMailBodyBehavior

值: 論證Value: Justify
封鎖Block 機碼: OutlookUnlabeledCollaborationActionOverrideMailBodyBehaviorKey: OutlookUnlabeledCollaborationActionOverrideMailBodyBehavior

值: BlockValue: Block
關閉這些訊息Turn off these messages 機碼: OutlookUnlabeledCollaborationActionOverrideMailBodyBehaviorKey: OutlookUnlabeledCollaborationActionOverrideMailBodyBehavior

值: OffValue: Off

如果您未指定此用戶端設定,您針對 OutlookUnlabeledCollaborationAction 指定的值會用於沒有附件的未標記電子郵件訊息,以及具有附件的未標記電子郵件訊息。If you don't specify this client setting, the value that you specify for OutlookUnlabeledCollaborationAction is used for unlabeled email messages without attachments as well as unlabeled email messages with attachments.

範例 PowerShell 命令,其中的標籤原則命名為 "Global":Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{OutlookUnlabeledCollaborationActionOverrideMailBodyBehavior="Warn"}

搜尋電子郵件收件者時展開 Outlook 通訊群組清單Expand Outlook distribution lists when searching for email recipients

這項設定會使用您必須使用 Office 365 Security & 合規性中心 PowerShell 進行設定的原則 advanced 設定This configuration uses a policy advanced setting that you must configure by using Office 365 Security & Compliance Center PowerShell.

若要將其他 advanced settings 的支援延伸到 Outlook 通訊群組清單內的收件者,請將 EnableOutlookDistributionListExpansion advanced 設定設為 trueTo extend support from other advanced settings to recipients inside Outlook distribution lists, set the EnableOutlookDistributionListExpansion advanced setting to true.

  • 機碼: EnableOutlookDistributionListExpansionKey: EnableOutlookDistributionListExpansion
  • 值: trueValue: true

例如,如果您已設定 [ >outlookblocktrusteddomains]、[ >outlookblockuntrustedcollaborationlabel advanced settings],然後設定 [ EnableOutlookDistributionListExpansion ] 設定,則會啟用 Outlook 來展開通訊群組清單,以確保封鎖訊息會視需要出現。For example, if you've configured the OutlookBlockTrustedDomains, OutlookBlockUntrustedCollaborationLabel advanced settings, and then also configure the EnableOutlookDistributionListExpansion setting, Outlook is enabled to expand the distribution list to ensuring that a block message appears as needed.

展開通訊群組清單的預設超時時間是 2000 毫秒。The default timeout for expanding the distribution list is 2000 milliseconds.

若要修改此超時,請針對選取的原則建立下列 advanced 設定:To modify this timeout, create the following advanced setting for the selected policy:

  • 機碼: OutlookGetEmailAddressesTimeOutMSPropertyKey: OutlookGetEmailAddressesTimeOutMSProperty
  • 值: 整數(以毫秒為單位)Value: Integer, in milliseconds

範例 PowerShell 命令,其中的標籤原則命名為 "Global":Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{EnableOutlookDistributionListExpansion="true"} @{OutlookGetEmailAddressesTimeOutMSProperty="3000"}

停用將審核資料傳送至 Azure 資訊保護分析Disable sending audit data to Azure Information Protection analytics

這項設定會使用您必須使用 Office 365 Security & 合規性中心 PowerShell 進行設定的原則 advanced 設定This configuration uses a policy advanced setting that you must configure by using Office 365 Security & Compliance Center PowerShell.

Azure 資訊保護統一標籤用戶端支援集中式報告,預設會將其審核資料傳送至 Azure 資訊保護分析The Azure Information Protection unified labeling client supports central reporting and by default, sends its audit data to Azure Information Protection analytics. 如需有關傳送和儲存哪些資訊的詳細資訊,請參閱中央報告檔中的 收集和傳送給 Microsoft 的資訊 一節。For more information about what information is sent and stored, see the Information collected and sent to Microsoft section from the central reporting documentation.

若要變更此行為,讓統一標籤用戶端不會傳送這項資訊,請為選取的標籤原則輸入下列字串:To change this behavior so that this information is not sent by the unified labeling client, enter the following strings for the selected label policy:

  • 機碼: EnableAuditKey: EnableAudit

  • 值:FalseValue: False

範例 PowerShell 命令,其中的標籤原則命名為 "Global":Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{EnableAudit="False"}

將資訊類型相符專案傳送給 Azure 資訊保護分析Send information type matches to Azure Information Protection analytics

這項設定會使用您必須使用 Office 365 Security & 合規性中心 PowerShell 進行設定的原則 advanced 設定This configuration uses a policy advanced setting that you must configure by using Office 365 Security & Compliance Center PowerShell.

根據預設,統一標籤用戶端不會將機密資訊類型的內容相符專案傳送給 Azure 資訊保護分析By default, the unified labeling client does not send content matches for sensitive info types to Azure Information Protection analytics. 如需有關可傳送之額外資訊的詳細資訊,請參閱中央報表檔中的 內容相符以深入分析 一節。For more information about this additional information that can be sent, see the Content matches for deeper analysis section from the central reporting documentation.

若要在傳送機密資訊類型時傳送內容相符專案,請在標籤原則中建立下列 advanced client 設定:To send content matches when sensitive information types are sent, create the following advanced client setting in a label policy:

  • 機碼: LogMatchedContentKey: LogMatchedContent

  • 值: TrueValue: True

範例 PowerShell 命令,其中的標籤原則命名為 "Global":Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{LogMatchedContent="True"}

限制 CPU 耗用量Limit CPU consumption

AIP 統一標籤掃描器會限制資源耗用量,以確保整體機器 CPU 絕對不會高於85%。The AIP unified labeling scanner limits resources consumption to ensure that the overall machine CPU is never higher than 85 percent.

從掃描器 2.7. x. x 版開始,建議使用下列 ScannerMaxCPUScannerMinCPU advanced SETTINGS 方法來限制 CPU 耗用量。Starting from scanner version 2.7.x.x, we recommend limiting CPU consumption using the following ScannerMaxCPU and ScannerMinCPU advanced settings method.

重要

使用下列執行緒限制原則時,會忽略 ScannerMaxCPUScannerMinCPU advanced 設定。When the following thread limiting policy is in use, ScannerMaxCPU and ScannerMinCPU advanced settings are ignored. 若要使用 ScannerMaxCPUScannerMinCPU ADVANCED settings 來限制 CPU 耗用量,請取消使用限制執行緒數目的原則。To limit CPU consumption using ScannerMaxCPU and ScannerMinCPU advanced settings, cancel the use of policies that limit the number of threads.

這項設定會使用您必須使用 Office 365 Security & 合規性中心 PowerShell 進行設定的原則 advanced 設定This configuration uses a policy advanced setting that you must configure by using Office 365 Security & Compliance Center PowerShell.

為了限制掃描器電腦上的 CPU 耗用量,您可以藉由建立兩個 advanced 設定來管理它:To limit CPU consumption on the scanner machine, it is manageable by creating two advanced settings:

  • ScannerMaxCPUScannerMaxCPU:

    預設設定為 100 ,這表示沒有最大 CPU 耗用量的限制。Set to 100 by default, which means there is no limit of maximum CPU consumption. 在此情況下,掃描器程式將會嘗試使用所有可用的 CPU 時間來最大化您的掃描速率。In this case, the scanner process will try to use all available CPU time to maximize your scan rates.

    如果您將 ScannerMaxCPU 設定為小於100,掃描器將會監視過去30分鐘內的 cpu 耗用量,如果最大 CPU 超過您設定的限制,就會開始減少配置給新檔案的執行緒數目。If you set ScannerMaxCPU to less than 100, scanner will monitor the CPU consumption over the past 30 minutes, and if the max CPU crossed the limit you set, it will start to reduce number of threads allocated for new files.

    只要 CPU 耗用量高於針對 ScannerMaxCPU 所設定的限制,執行緒數目的限制就會繼續。The limit on the number of threads will continue as long as CPU consumption is higher than the limit set for ScannerMaxCPU.

  • ScannerMinCPUScannerMinCPU:

    只有在 ScannerMaxCPU 不等於100時才檢查,而且不能設定為大於 ScannerMaxCPU 值的數位。Only checked if ScannerMaxCPU is not equal to 100, and cannot be set to a number that is higher than the ScannerMaxCPU value. 建議您將 ScannerMinCPU 設定為低於 ScannerMaxCPU 值的至少15個點。We recommend keeping ScannerMinCPU set at least 15 points lower than the value of ScannerMaxCPU.

    預設設定為 50 ,這表示如果過去30分鐘內的 CPU 耗用量低於此值,掃描器將會開始新增執行緒以平行掃描更多檔案,直到 cpu 耗用量達到您為 ScannerMaxCPU-15 設定的層級為止。Set to 50 by default, which means that if CPU consumption in the last 30 minutes when lower than this value, the scanner will start adding new threads to scan more files in parallel, until the CPU consumption reaches the level you have set for ScannerMaxCPU-15.

限制掃描器所使用的執行緒數目Limit the number of threads used by the scanner

重要

使用下列執行緒限制原則時,會忽略 ScannerMaxCPUScannerMinCPU advanced 設定。When the following thread limiting policy is in use, ScannerMaxCPU and ScannerMinCPU advanced settings are ignored. 若要使用 ScannerMaxCPUScannerMinCPU ADVANCED settings 來限制 CPU 耗用量,請取消使用限制執行緒數目的原則。To limit CPU consumption using ScannerMaxCPU and ScannerMinCPU advanced settings, cancel use of policies that limit the number of threads.

這項設定會使用您必須使用 Office 365 Security & 合規性中心 PowerShell 進行設定的原則 advanced 設定This configuration uses a policy advanced setting that you must configure by using Office 365 Security & Compliance Center PowerShell.

根據預設,掃描器會在電腦上使用所有可用的處理器資源執行掃描器服務。By default, the scanner uses all available processor resources on the computer running the scanner service. 如果您需要限制此服務掃描時的 CPU 耗用量,請在標籤原則中建立下列 advanced 設定。If you need to limit the CPU consumption while this service is scanning, create the following advanced setting in a label policy.

針對值,請指定掃描器可以平行執行的並行執行緒數目。For the value, specify the number of concurrent threads that the scanner can run in parallel. 掃描器會針對掃描的每個檔案使用個別執行緒,因此此節流設定也會定義可以平行掃描的檔案數目。The scanner uses a separate thread for each file that it scans, so this throttling configuration also defines the number of files that can be scanned in parallel.

第一次設定測試值,建議您針對每一核心指定 2,然後監視結果。When you first configure the value for testing, we recommend you specify 2 per core, and then monitor the results. 例如,如果您在配備 4 個核心的電腦上執行掃描器,請先將值設定為 8。For example, if you run the scanner on a computer that has 4 cores, first set the value to 8. 如有必要,可依據對掃描器電腦要求的效能和掃描速率來增加或減少該數字。If necessary, increase or decrease that number, according to the resulting performance you require for the scanner computer and your scanning rates.

  • 機碼: ScannerConcurrencyLevelKey: ScannerConcurrencyLevel

  • 價值: <number of concurrent threads>Value: <number of concurrent threads>

範例 PowerShell 命令,其中的標籤原則命名為 "掃描器":Example PowerShell command, where your label policy is named "Scanner":

Set-LabelPolicy -Identity Scanner -AdvancedSettings @{ScannerConcurrencyLevel="8"}

從 Secure Islands 和其他標籤解決方案移轉標籤Migrate labels from Secure Islands and other labeling solutions

這項設定會使用標籤 advanced 設定 ,您必須使用 Office 365 Security & 合規性中心 PowerShell 進行設定。This configuration uses a label advanced setting that you must configure by using Office 365 Security & Compliance Center PowerShell.

這項設定與副檔名為 .ppdf 的受保護 PDF 檔不相容。This configuration is not compatible with protected PDF files that have a .ppdf file name extension. 用戶端無法使用檔案總管或 PowerShell 來開啟這些檔案。These files cannot be opened by the client using File Explorer or PowerShell.

針對以安全孤島標記的 Office 檔,您可以使用您定義的對應,以敏感度標籤將這些檔重新標記為標籤。For Office documents that are labeled by Secure Islands, you can relabel these documents with a sensitivity label by using a mapping that you define. 當其他解決方案的標籤是在 Office 文件上時,您也可以使用此方法來重複使用來自其他解決方案的標籤。You also use this method to reuse labels from other solutions when their labels are on Office documents.

由於此設定選項的結果,Azure 資訊保護統一標籤用戶端會套用新的敏感度標籤,如下所示:As a result of this configuration option, the new sensitivity label is applied by the Azure Information Protection unified labeling client as follows:

  • 針對 Office 檔: 當檔在桌面應用程式中開啟時,新的敏感度標籤會顯示為已設定,並在儲存檔時套用。For Office documents: When the document is opened in the desktop app, the new sensitivity label is shown as set and is applied when the document is saved.

  • 針對 PowerShell: 設定->set-aipfilelabelAIPFileClassificiation 可以套用新的敏感度標籤。For PowerShell: Set-AIPFileLabel and Set-AIPFileClassificiation can apply the new sensitivity label.

  • 針對檔案總管: 在 [Azure 資訊保護] 對話方塊中,會顯示新的敏感度標籤,但未設定。For File Explorer: In the Azure Information Protection dialog box, the new sensitivity label is shown but isn't set.

這項設定會要求您針對每個要對應到舊標籤的敏感度標籤,指定一個名為 labelByCustomProperties 的 advanced 設定。This configuration requires you to specify an advanced setting named labelByCustomProperties for each sensitivity label that you want to map to the old label. 然後針對每個項目,使用以下語法來設定值:Then for each entry, set the value by using the following syntax:

[migration rule name],[Secure Islands custom property name],[Secure Islands metadata Regex value]

指定您選擇的移轉規則名稱。Specify your choice of a migration rule name. 使用描述性名稱,以協助您識別先前標籤解決方案中的一或多個標籤如何對應至敏感度標籤。Use a descriptive name that helps you to identify how one or more labels from your previous labeling solution should be mapped to sensitivity label.

請注意,此設定不會移除文件的原始標籤,或文件中原始標籤可能已套用的任何視覺標記。Note that this setting does not remove the original label from the document or any visual markings in the document that the original label might have applied. 若要移除頁首和頁尾,請參閱 移除其他標籤解決方案的頁首和頁尾。To remove headers and footers, see Remove headers and footers from other labeling solutions.

範例:Examples:

如需其他自訂,請參閱:For additional customization, see:

範例 1:相同標籤名稱的一對一對應Example 1: One-to-one mapping of the same label name

需求: Azure 資訊保護的 Secure Islands 標籤為「機密」的檔應重新標示為「機密」。Requirement: Documents that have a Secure Islands label of "Confidential" should be relabeled as "Confidential" by Azure Information Protection.

在此範例中:In this example:

  • Secure Islands 標籤名為 機密,且儲存在名為 分類 的自訂屬性中。The Secure Islands label is named Confidential and stored in the custom property named Classification.

Advanced 設定:The advanced setting:

  • 機碼: labelByCustomPropertiesKey: labelByCustomProperties

  • 值: Secure Islands 標籤為機密、分類、機密Value: Secure Islands label is Confidential,Classification,Confidential

範例 PowerShell 命令,其中的標籤名稱為「機密」:Example PowerShell command, where your label is named "Confidential":

Set-Label -Identity Confidential -AdvancedSettings @{labelByCustomProperties="Secure Islands label is Confidential,Classification,Confidential"}

範例 2:不同標籤名稱的一對一對應Example 2: One-to-one mapping for a different label name

需求:依安全孤島標記為「機密」的檔,應該 Azure 資訊保護重新標示為「高度機密」。Requirement: Documents labeled as "Sensitive" by Secure Islands should be relabeled as "Highly Confidential" by Azure Information Protection.

在此範例中:In this example:

  • Secure Islands 標籤名為 敏感,且儲存在名為 分類 的自訂屬性中。The Secure Islands label is named Sensitive and stored in the custom property named Classification.

Advanced 設定:The advanced setting:

  • 機碼: labelByCustomPropertiesKey: labelByCustomProperties

  • 值: 安全的 Islands 標籤為敏感、分類、機密Value: Secure Islands label is Sensitive,Classification,Sensitive

範例 PowerShell 命令,其中的標籤名稱為「高度機密」:Example PowerShell command, where your label is named "Highly Confidential":

Set-Label -Identity "Highly Confidential" -AdvancedSettings @{labelByCustomProperties="Secure Islands label is Sensitive,Classification,Sensitive"}

範例 3:標籤名稱的多對一對應Example 3: Many-to-one mapping of label names

需求:您有兩個安全孤島標籤,其中包含 "Internal" 這個字,而您想要讓具有這些安全孤島標籤的檔,Azure 資訊保護統一標籤用戶端重新標示為「一般」。Requirement: You have two Secure Islands labels that include the word "Internal" and you want documents that have either of these Secure Islands labels to be relabeled as "General" by the Azure Information Protection unified labeling client.

在此範例中:In this example:

  • Secure Islands 標籤包含 內部 一字,且儲存在名為 分類 的自訂屬性中。The Secure Islands labels include the word Internal and are stored in the custom property named Classification.

進階用戶端設定:The advanced client setting:

  • 機碼: labelByCustomPropertiesKey: labelByCustomProperties

  • 值: Secure Islands 標籤包含內部、分類。 *內部。 *Value: Secure Islands label contains Internal,Classification,.*Internal.*

範例 PowerShell 命令,其中的標籤名稱為「一般」:Example PowerShell command, where your label is named "General":

Set-Label -Identity General -AdvancedSettings @{labelByCustomProperties="Secure Islands label contains Internal,Classification,.*Internal.*"}

範例4:相同標籤的多個規則Example 4: Multiple rules for the same label

當您需要多個相同標籤的規則時,請為相同的索引鍵定義多個字串值。When you need multiple rules for the same label, define multiple string values for the same key.

在此範例中,名為「機密」和「秘密」的安全孤島標籤會儲存在名為「 分類」的自訂屬性中,而您希望 Azure 資訊保護統一標籤用戶端套用名為「機密」的敏感度標籤:In this example, the Secure Islands labels named "Confidential" and "Secret" are stored in the custom property named Classification, and you want the Azure Information Protection unified labeling client to apply the sensitivity label named "Confidential":

Set-Label -Identity Confidential -AdvancedSettings @{labelByCustomProperties=ConvertTo-Json("Migrate Confidential label,Classification,Confidential", "Migrate Secret label,Classification,Secret")}

將您的標籤遷移規則延伸至電子郵件Extend your label migration rules to emails

除了 Office 檔之外,您還可以透過指定額外的標籤原則 advanced 設定,使用您所定義的設定搭配 Outlook 電子郵件的 [ labelByCustomProperties advanced] 設定。You can use the configuration you've defined with the labelByCustomProperties advanced setting for Outlook emails, in addition to Office documents, by specifying an additional label policy advanced setting.

不過,這項設定對 Outlook 的效能有已知的負面影響,因此,只有當您對它有強大的商務需求,並記得將它設定為 null 字串值(當您完成從其他標籤解決方案進行遷移時)時,才設定此額外設定。However, this setting has a known negative impact on the performance of Outlook, so configure this additional setting only when you have a strong business requirement for it and remember to set it to a null string value when you have completed the migration from the other labeling solution.

若要設定此 advanced 設定,請針對選取的標籤原則輸入下列字串:To configure this advanced setting, enter the following strings for the selected label policy:

  • 機碼: EnableLabelByMailHeaderKey: EnableLabelByMailHeader

  • 值: TrueValue: True

範例 PowerShell 命令,其中的標籤原則命名為 "Global":Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{EnableLabelByMailHeader="True"}

將您的標籤遷移規則延伸至 SharePoint 屬性Extend your label migration rules to SharePoint properties

您可以藉由指定額外的標籤原則 advanced 設定,使用您針對 SharePoint 屬性所定義的設定,並以 labelByCustomProperties advanced 設定的方式,將其公開為使用者的資料行。You can use the configuration you've defined with the labelByCustomProperties advanced setting for SharePoint properties that you might expose as columns to users by specifying an additional label policy advanced setting.

當您使用 Word、Excel 和 PowerPoint 時,會支援此設定。This setting is supported when you use Word, Excel, and PowerPoint.

若要設定此 advanced 設定,請針對選取的標籤原則輸入下列字串:To configure this advanced setting, enter the following strings for the selected label policy:

  • 機碼: EnableLabelBySharePointPropertiesKey: EnableLabelBySharePointProperties

  • 值: TrueValue: True

範例 PowerShell 命令,其中的標籤原則命名為 "Global":Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{EnableLabelBySharePointProperties="True"}

套用標籤時套用自訂屬性Apply a custom property when a label is applied

這項設定會使用標籤 advanced 設定 ,您必須使用 Office 365 Security & 合規性中心 PowerShell 進行設定。This configuration uses a label advanced setting that you must configure by using Office 365 Security & Compliance Center PowerShell.

在某些情況下,您可能會想要將一或多個自訂屬性套用至檔或電子郵件訊息,以及敏感度標籤所套用的中繼資料。There might be some scenarios when you want to apply one or more custom properties to a document or email message in addition to the metadata that's applied by a sensitivity label.

例如:For example:

  • 您正在 從另一個標籤解決方案(例如安全孤島)進行遷移。You are in the process of migrating from another labeling solution, such as Secure Islands. 針對在遷移期間的互通性,您希望敏感度標籤也套用其他標籤解決方案所使用的自訂屬性。For interoperability during the migration, you want sensitivity labels to also apply a custom property that is used by the other labeling solution.

  • 針對您的內容管理系統 (例如 SharePoint 或其他廠商的檔管理解決方案) 您想要使用一致的自訂屬性名稱與標籤的不同值,並使用易記的名稱,而不是標籤 GUID。For your content management system (such as SharePoint or a document management solution from another vendor) you want to use a consistent custom property name with different values for the labels, and with user-friendly names instead of the label GUID.

針對使用者使用 Azure 資訊保護統一標籤用戶端標籤的 Office 檔和 Outlook 電子郵件,您可以新增一或多個您定義的自訂屬性。For Office documents and Outlook emails that users label by using the Azure Information Protection unified labeling client, you can add one or more custom properties that you define. 您也可以針對統一標籤用戶端使用此方法,將自訂屬性顯示為其他解決方案的標籤,而這些內容尚未由統一標籤用戶端標記。You can also use this method for the unified labeling client to display a custom property as a label from other solutions for content that isn't yet labeled by the unified labeling client.

由於此設定選項的結果,Azure 資訊保護統一標籤用戶端會套用任何額外的自訂屬性,如下所示:As a result of this configuration option, any additional custom properties are applied by the Azure Information Protection unified labeling client as follows:

環境Environment 描述Description
Office 檔Office documents 當檔在桌面應用程式中標記時,會在儲存檔時套用其他自訂屬性。When the document is labeled in the desktop app, the additional custom properties are applied when the document is saved.
Outlook 電子郵件Outlook emails Outlook 中的電子郵件訊息加上標籤時,會在傳送電子郵件時,將其他屬性套用至 x 標頭。When the email message is labeled in Outlook, the additional properties are applied to the x-header when the email is sent.
PowerShellPowerShell >set-aipfilelabelAIPFileClassificiation 會在標記並儲存檔時套用額外的自訂屬性。Set-AIPFileLabel and Set-AIPFileClassificiation applies the additional custom properties when the document is labeled and saved.

如果未套用敏感度標籤, >get-aipfilestatus會將自訂屬性顯示為對應的標籤。Get-AIPFileStatus displays custom properties as the mapped label if a sensitivity label isn't applied.
檔案總管File Explorer 當使用者以滑鼠右鍵按一下檔案並套用標籤時,就會套用自訂屬性。When the user right-clicks the file and applies the label, the custom properties are applied.

這項設定會要求您針對要套用其他自訂屬性的每個敏感度標籤,指定名為 customPropertiesByLabel 的 advanced 設定。This configuration requires you to specify an advanced setting named customPropertiesByLabel for each sensitivity label that you want to apply the additional custom properties. 然後針對每個項目,使用以下語法來設定值:Then for each entry, set the value by using the following syntax:

[custom property name],[custom property value]

重要

在字串中使用空白字元將會防止應用程式的標籤。Use of white spaces in the string will prevent application of the labels.

例如:For example:

範例1:新增標籤的單一自訂屬性Example 1: Add a single custom property for a label

需求: Azure 資訊保護統一標籤用戶端標記為「機密」的檔應該具有名為「分類」且值為 "Secret" 的其他自訂屬性。Requirement: Documents that are labeled as "Confidential" by the Azure Information Protection unified labeling client should have the additional custom property named "Classification" with the value of "Secret".

在此範例中:In this example:

  • 敏感度標籤的名稱為「機密」,並以 Secret 的值建立名為「分類」的自訂屬性。The sensitivity label is named Confidential and creates a custom property named Classification with the value of Secret.

Advanced 設定:The advanced setting:

  • 機碼: customPropertiesByLabelKey: customPropertiesByLabel

  • 值: 分類、秘密Value: Classification,Secret

範例 PowerShell 命令,其中的標籤名稱為「機密」:Example PowerShell command, where your label is named "Confidential":

    Set-Label -Identity Confidential -AdvancedSettings @{customPropertiesByLabel="Classification,Secret"}

範例2:新增標籤的多個自訂屬性Example 2: Add multiple custom properties for a label

若要為同一個標籤加入多個自訂屬性,您必須為相同的索引鍵定義多個字串值。To add more than one custom property for the same label, you need to define multiple string values for the same key.

範例 PowerShell 命令,其中您的標籤命名為「一般」,而您想要新增一個名為「分類」的自訂屬性,以及名為一般」和「內部」值的第二個自訂屬性:Example PowerShell command, where your label is named "General" and you want to add one custom property named Classification with the value of General and a second custom property named Sensitivity with the value of Internal:

Set-Label -Identity General -AdvancedSettings @{customPropertiesByLabel=ConvertTo-Json("Classification,General", "Sensitivity,Internal")}

在 Outlook 中設定標籤以套用 S/MIME 保護Configure a label to apply S/MIME protection in Outlook

這項設定會使用您必須使用 Office 365 Security & 合規性中心 PowerShell 設定的標籤 advanced settingsThis configuration uses label advanced settings that you must configure by using Office 365 Security & Compliance Center PowerShell.

只有當您有使用中的 S/MIME 部署 ,而且想要讓標籤自動將此保護方法套用至電子郵件,而不是從 Azure 資訊保護 Rights Management 保護時,才使用這些設定。Use these settings only when you have a working S/MIME deployment and want a label to automatically apply this protection method for emails rather than Rights Management protection from Azure Information Protection. 產生的保護與使用者從 Outlook 中手動選取 S/MIME 選項是相同的。The resulting protection is the same as when a user manually selects S/MIME options from Outlook.

設定Configuration 索引鍵/值Key/Value
S/MIME 數位簽章S/MIME digital signature 若要設定 S/MIME 數位簽章的 advanced 設定,請為選取的標籤輸入下列字串:To configure an advanced setting for an S/MIME digital signature, enter the following strings for the selected label:

-Key: SMimeSign- Key: SMimeSign

-Value: True- Value: True
S/MIME 加密S/MIME encryption 若要設定 S/MIME 加密的 advanced 設定,請為選取的標籤輸入下列字串:To configure an advanced setting for S/MIME encryption, enter the following strings for the selected label:

-Key: SMimeEncrypt- Key: SMimeEncrypt

-Value: True- Value: True

如果您指定的標籤設定為加密,Azure 資訊保護統一標籤用戶端,S/MIME 保護只會取代 Outlook 中的 Rights Management 保護。If the label you specify is configured for encryption, for the Azure Information Protection unified labeling client, S/MIME protection replaces the Rights Management protection only in Outlook. 用戶端會繼續使用系統管理中心內針對標籤所指定的加密設定。The client continues to use the encryption settings specified for the label in the admin center.

針對具有內建標籤的 Office 應用程式,這些不會套用 S/MIME 保護,而是套用 [ 不可轉寄 ] 保護。For Office apps with built-in labeling, these do not apply the S/MIME protection but instead, apply Do Not Forward protection.

如果您想讓標籤只顯示在 Outlook 中,請設定標籤以只將加密套用至 outlook 中的電子郵件訊息If you want the label to be visible in Outlook only, configure the label to apply encryption to Only email messages in Outlook.

範例 PowerShell 命令,其中的標籤名稱為「僅限收件者」:Example PowerShell commands, where your label is named "Recipients Only":

Set-Label -Identity "Recipients Only" -AdvancedSettings @{SMimeSign="True"}

Set-Label -Identity "Recipients Only" -AdvancedSettings @{SMimeEncrypt="True"}

為父標籤指定預設子標籤Specify a default sublabel for a parent label

這項設定會使用標籤 advanced 設定 ,您必須使用 Office 365 Security & 合規性中心 PowerShell 進行設定。This configuration uses a label advanced setting that you must configure by using Office 365 Security & Compliance Center PowerShell.

當您將子標籤新增至標籤時,使用者將無法再將父標籤套用至檔或電子郵件。When you add a sublabel to a label, users can no longer apply the parent label to a document or email. 依預設,使用者會選取父標籤以查看其可套用的子標籤,然後選取其中一個子標籤。By default, users select the parent label to see the sublabels that they can apply, and then select one of those sublabels. 如果您設定此 advanced 設定,當使用者選取父標籤時,系統會自動選取並套用子標籤:If you configure this advanced setting, when users select the parent label, a sublabel is automatically selected and applied for them:

  • 機碼: DefaultSubLabelIdKey: DefaultSubLabelId

  • 價值: <sublabel GUID>Value: <sublabel GUID>

範例 PowerShell 命令,其中您的父標籤名稱為「機密」,而「所有員工」子標籤有 GUID 8faca7b8-8d20-48a3-8ea2-0f96310a848e:Example PowerShell command, where your parent label is named "Confidential" and the "All Employees" sublabel has a GUID of 8faca7b8-8d20-48a3-8ea2-0f96310a848e:

Set-Label -Identity "Confidential" -AdvancedSettings @{DefaultSubLabelId="8faca7b8-8d20-48a3-8ea2-0f96310a848e"}

開啟分類以持續在背景執行Turn on classification to run continuously in the background

這項設定會使用標籤 advanced 設定 ,您必須使用 Office 365 Security & 合規性中心 PowerShell 進行設定。This configuration uses a label advanced setting that you must configure by using Office 365 Security & Compliance Center PowerShell.

當您設定此設定時,它會變更 Azure 資訊保護統一標籤用戶端如何將自動和建議標籤套用至檔的預設行為:When you configure this setting, it changes the default behavior of how the Azure Information Protection unified labeling client applies automatic and recommended labels to documents:

針對 Word、Excel 與 PowerPoint,自動分類會在背景持續執行。For Word, Excel, and PowerPoint, automatic classification runs continuously in the background.

針對 Outlook,此行為不會變更。The behavior does not change for Outlook.

當 Azure 資訊保護統一標籤用戶端定期檢查檔中是否有您指定的條件規則時,只要開啟自動儲存功能,此行為就能針對儲存在 SharePoint 或 OneDrive 中的 Office 檔啟用自動和建議的分類和保護。When the Azure Information Protection unified labeling client periodically checks documents for the condition rules that you specify, this behavior enables automatic and recommended classification and protection for Office documents that are stored in SharePoint or OneDrive, as long as auto-save is turned on. 大型檔案的儲存速度也會更快,因為條件規則已經執行。Large files also saved more quickly because the condition rules have already run.

條件規則不會即時執行為使用者類型。The condition rules do not run in real time as a user types. 相反地,如果修改過文件,則它們會定期執行為背景工作。Instead, they run periodically as a background task if the document is modified.

若要設定此進階設定,請輸入下列字串:To configure this advanced setting, enter the following strings:

  • 機碼:RunPolicyInBackgroundKey: RunPolicyInBackground
  • 值: TrueValue: True

PowerShell 命令範例:Example PowerShell command:

Set-LabelPolicy -Identity PolicyName -AdvancedSettings @{RunPolicyInBackground = "true"}

注意

這項功能目前為「預覽」狀態。This feature is currently in PREVIEW. Azure 預覽補充條款 包含適用於 Azure 功能 (搶鮮版 (Beta)、預覽版,或尚未發行的版本) 的其他法律條款。The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

為標籤指定色彩Specify a color for the label

這項設定會使用您必須使用 Office 365 Security & 合規性中心 PowerShell 設定的標籤 advanced settingsThis configuration uses label advanced settings that you must configure by using Office 365 Security & Compliance Center PowerShell.

使用這個 advanced 設定來設定標籤的色彩。Use this advanced setting to set a color for a label. 若要指定色彩,請輸入色彩之紅色、綠色和藍色 (RGB) 元件的十六進位三個程式碼。To specify the color, enter a hex triplet code for the red, green, and blue (RGB) components of the color. 例如,#40e0d0 是青的 RGB 十六進位值。For example, #40e0d0 is the RGB hex value for turquoise.

如果您需要這些代碼的參考,您可以從 MSDN web 檔的頁面找到實用的表格 <color> 。您也可以在許多可讓您編輯圖片的應用程式中找到這些程式碼。If you need a reference for these codes, you'll find a helpful table from the <color> page from the MSDN web docs. You also find these codes in many applications that let you edit pictures. 例如,[Microsoft 小畫家] 可讓您從調色盤選擇自訂色彩,並且會自動顯示 RGB 值,您可以加以複製。For example, Microsoft Paint lets you choose a custom color from a palette and the RGB values are automatically displayed, which you can then copy.

若要設定標籤色彩的 advanced 設定,請為選取的標籤輸入下列字串:To configure the advanced setting for a label's color, enter the following strings for the selected label:

  • 索引鍵: 色彩Key: color

  • 價值: <RGB hex value>Value: <RGB hex value>

範例 PowerShell 命令,其中的標籤命名為 "Public":Example PowerShell command, where your label is named "Public":

Set-Label -Identity Public -AdvancedSettings @{color="#40e0d0"}

以不同的使用者身分登入Sign in as a different user

在生產環境中,AIP 不支援使用多個使用者登入。Signing in with multiple users is not supported by AIP in production. 此程式描述如何以不同的使用者登入,以供測試之用。This procedure describes how to sign in as a different user for testing purposes only.

您可以使用 [ Microsoft Azure 資訊保護] 對話方塊來確認您目前登入的帳戶:開啟 Office 應用程式,然後在 [首頁] 索引標籤上,選取 [敏感度] 按鈕,然後選取 [說明 與意見****反應]。You can verify which account you're currently signed in as by using the Microsoft Azure Information Protection dialog box: Open an Office application and on the Home tab, select the Sensitivity button, and then select Help and feedback. 您的帳戶名稱會顯示在 [用戶端狀態] 區段中。Your account name is displayed in the Client status section.

請務必同時檢查所顯示已登入帳戶的網域名稱。Be sure to also check the domain name of the signed in account that's displayed. 使用者很容易在確認帳戶名稱為正確的同時,沒有注意到後方的網域是錯誤的。It can be easy to miss that you're signed in with the right account name but wrong domain. 使用錯誤帳戶的徵兆包括無法下載標籤,或是看不到您預期的標籤或行為。A symptom of using the wrong account includes failing to download the labels, or not seeing the labels or behavior that you expect.

若要以不同的使用者登入To sign in as a different user:

  1. 巡覽至 %localappdata%\Microsoft\MSIP,刪除 TokenCache 檔案。Navigate to %localappdata%\Microsoft\MSIP and delete the TokenCache file.

  2. 重新啟動任何已開啟的 Office 應用程式,然後以不同的使用者帳戶登入。Restart any open Office applications and sign in with your different user account. 如果您在 Office 應用程式中看不到用來登入 Azure 資訊保護服務的提示,請返回 [ Microsoft Azure 資訊保護] 對話方塊,然後從 [已更新的 用戶端狀態] 區段中選取 [登 ]。If you do not see a prompt in your Office application to sign in to the Azure Information Protection service, return to the Microsoft Azure Information Protection dialog box and select Sign in from the updated Client status section.

此外:Additionally:

案例Scenario 描述Description
仍登入舊帳戶Still signed in to the old account 如果在完成這些步驟之後,Azure 資訊保護統一標籤用戶端仍使用舊帳戶登入,請從 Internet Explorer 刪除所有 cookie,然後重複步驟1和2。If the Azure Information Protection unified labeling client is still signed in with the old account after completing these steps, delete all cookies from Internet Explorer, and then repeat steps 1 and 2.
使用單一登入Using single sign-on 如果您是使用單一登入,則必須在刪除權杖檔案之後登出 Windows,並使用不同的使用者帳戶登入。If you are using single sign-on, you must sign out from Windows and sign in with your different user account after deleting the token file.

Azure 資訊保護的統一標籤用戶端接著會使用您目前登入的使用者帳戶自動進行驗證。The Azure Information Protection unified labeling client then automatically authenticates by using your currently signed in user account.
不同的租使用者Different tenants 此解決方案支援以來自相同租用戶的其他使用者身分進行登入。This solution is supported for signing in as another user from the same tenant. 它不支援以來自不同租用戶的其他使用者身分進行登入。It is not supported for signing in as another user from a different tenant.

若要以多個租用戶測試 Azure 資訊保護,請使用不同的電腦。To test Azure Information Protection with multiple tenants, use different computers.
重設設定Reset settings 您可以使用 [說明 與意見 反應] 的 [重設設定] 選項,從 Office 365 安全性 & 合規性中心、Microsoft 365 資訊安全中心或 Microsoft 365 合規性中心,登出並刪除目前下載的標籤和原則設定。You can use the Reset settings option from Help and Feedback to sign out and delete the currently downloaded labels and policy settings from the Office 365 Security & Compliance Center, the Microsoft 365 Security center, or the Microsoft 365 Compliance center.

支援已中斷連線的電腦Support for disconnected computers

重要

下列標籤案例支援已中斷連線的電腦:檔案總管、PowerShell、Office 應用程式和掃描器。Disconnected computers are supported for the following labeling scenarios: File Explorer, PowerShell, your Office apps and the scanner.

根據預設,Azure 資訊保護統一標籤用戶端會自動嘗試連線到網際網路,以從您的標籤管理中心下載標籤和標籤原則設定 (Office 365 安全性 & 合規性中心、Microsoft 365 安全性中心或 Microsoft 365 合規性中心) 。By default, the Azure Information Protection unified labeling client automatically tries to connect to the internet to download the labels and label policy settings from your labeling management center (the Office 365 Security & Compliance Center, the Microsoft 365 security center, or the Microsoft 365 compliance center).

如果您有一段時間無法連線到網際網路的電腦,您可以匯出和複製檔案,以手動方式管理統一標籤用戶端的原則。If you have computers that cannot connect to the internet for a period of time, you can export and copy files that manually manages the policy for the unified labeling client.

若要支援從統一標籤用戶端中斷連線的電腦:To support disconnected computers from the unified labeling client:

  1. 在 Azure AD 中選擇或建立使用者帳戶,您將使用此帳戶來下載您想要在已中斷連線的電腦上使用的標籤和原則設定。Choose or create a user account in Azure AD that you will use to download labels and policy settings that you want to use on your disconnected computer.

  2. 作為此帳戶的其他標籤原則設定,請使用 EnableAudit advanced 設定,停用將 審核資料傳送至 Azure 資訊保護分析As an additional label policy setting for this account, disable sending audit data to Azure Information Protection analytics by using the EnableAudit advanced setting.

    我們建議您這麼做,因為如果已中斷連線的電腦確實具有網際網路連線能力,就會將記錄資訊傳送至包含步驟1中使用者名稱的 Azure 資訊保護分析。We recommend this step because if the disconnected computer does have periodic internet connectivity, it will send logging information to Azure Information Protection analytics that includes the user name from step 1. 該使用者帳戶可能與您在已中斷連線的電腦上使用的本機帳戶不同。That user account might be different from the local account you're using on the disconnected computer.

  3. 從具有已安裝統一標籤用戶端並使用步驟1的使用者帳戶登入之網際網路連線的電腦,下載標籤和原則設定。From a computer with internet connectivity that has the unified labeling client installed and signed in with the user account from step 1, download the labels and policy settings.

  4. 從這部電腦匯出記錄檔。From this computer, export the log files.

    例如,執行 AIPLogs 指令 程式,或從用戶端的 [說明 與意見反應] 對話方塊中使用 [匯出記錄] 選項。For example, run the Export-AIPLogs cmdlet, or use the Export Logs option from the client's Help and Feedback dialog box.

    記錄檔會匯出為單一壓縮檔案。The log files are exported as a single compressed file.

  5. 開啟壓縮的檔案,然後從 [>POLICY.MSIP] 資料夾複製副檔名為 .xml 的所有檔案。Open the compressed file, and from the MSIP folder, copy any files that have an .xml file name extension.

  6. 將這些檔案貼到中斷連線電腦上的 %localappdata%\Microsoft\MSIP 資料夾中。Paste these files into the %localappdata%\Microsoft\MSIP folder on the disconnected computer.

  7. 如果您選擇的使用者帳戶通常會連線到網際網路,請將 EnableAudit 值設為 True,以再次啟用傳送審核資料。If your chosen user account is one that usually connects to the internet, enable sending audit data again, by setting the EnableAudit value to True.

請注意,如果這部電腦上的使用者從 [說明 與意見反應] 選取 [重設設定] 選項,此動作會刪除原則檔案,並使用戶端無法運作,直到您手動取代檔案或用戶端連線到網際網路並下載檔案為止。Be aware that if a user on this computer selects the Reset Settings option from Help and feedback, this action deletes the policy files and renders the client inoperable until you manually replace the files or the client connects to the internet and downloads the files.

如果您已中斷連線的電腦正在執行 Azure 資訊保護掃描器,則必須採取額外的設定步驟。If your disconnected computer is running the Azure Information Protection scanner, there are additional configuration steps you must take. 如需詳細資訊,請參閱 限制:掃描器伺服器無法 從掃描器部署指示進行網際網路連線。For more information, see Restriction: The scanner server cannot have internet connectivity from the scanner deployment instructions.

變更本機記錄層級Change the local logging level

根據預設,Azure 資訊保護統一標籤用戶端會將用戶端記錄檔寫入 %localappdata%\Microsoft\MSIP 資料夾。By default, the Azure Information Protection unified labeling client writes client log files to the %localappdata%\Microsoft\MSIP folder. 這些檔案的目的是供 Microsoft 支援服務進行疑難排解。These files are intended for troubleshooting by Microsoft Support.

若要變更這些檔案的記錄層級,請在登錄中找出下列值名稱,並將值資料設定為所需的記錄層級:To change the logging level for these files, locate the following value name in the registry and set the value data to the required logging level:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\MSIP\LogLevelHKEY_CURRENT_USER\SOFTWARE\Microsoft\MSIP\LogLevel

將記錄層級設定為下列其中一個值:Set the logging level to one of the following values:

  • Off:沒有本機記錄。Off: No local logging.

  • 錯誤:只發生錯誤。Error: Errors only.

  • 警告:錯誤和警告。Warn: Errors and warnings.

  • 資訊:最低限度記錄,其中不包含任何事件識別碼 (掃描器) 的預設設定。Info: Minimum logging, which includes no event IDs (the default setting for the scanner).

  • Debug:完整資訊。Debug: Full information.

  • 追蹤:詳細記錄 (用戶端) 的預設設定。Trace: Detailed logging (the default setting for clients).

此登錄設定不會變更傳送給 中央報表Azure 資訊保護的資訊。This registry setting does not change the information that's sent to Azure Information Protection for central reporting.

根據檔案屬性在掃描期間略過或忽略檔案Skip or ignore files during scans depending on file attributes

這項設定會使用您必須使用 Office 365 Security & 合規性中心 PowerShell 進行設定的原則 advanced 設定This configuration uses a policy advanced setting that you must configure by using Office 365 Security & Compliance Center PowerShell.

根據預設,Azure 資訊保護統一標籤掃描器會掃描所有相關檔案。By default, the Azure Information Protection unified labeling scanner scans all relevant files. 不過,您可能會想要定義要略過的特定檔案,例如用於封存的檔案或已移動的檔案。However, you may want to define specific files to be skipped, such as for archived files or files that have been moved.

使用 ScannerFSAttributesToSkip advanced 設定,讓掃描器根據檔案的檔案屬性來略過特定檔案。Enable the scanner to skip specific files based on their file attributes by using the ScannerFSAttributesToSkip advanced setting. 在 [設定] 值中,列出將在全部都設為 true 時,將會略過該檔案的檔案屬性。In the setting value, list the file attributes that will enable the file to be skipped when they are all set to true. 這份檔案屬性清單會使用和邏輯。This list of file attributes uses the AND logic.

下列 PowerShell 命令範例說明如何搭配使用此 advanced 設定和名為 "Global" 的標籤。The following sample PowerShell commands illustrate how to use this advanced setting with a label named "Global".

略過唯讀和封存的檔案Skip files that are both read-only and archived

Set-LabelPolicy -Identity Global -AdvancedSettings @{ ScannerFSAttributesToSkip =" FILE_ATTRIBUTE_READONLY, FILE_ATTRIBUTE_ARCHIVE"}

略過唯讀或封存的檔案Skip files that are either read-only or archived

若要使用或邏輯,請多次執行相同的屬性。To use an OR logic, run the same property multiple times. 例如:For example:

Set-LabelPolicy -Identity Global -AdvancedSettings @{ ScannerFSAttributesToSkip =" FILE_ATTRIBUTE_READONLY"}
Set-LabelPolicy -Identity Global -AdvancedSettings @{ ScannerFSAttributesToSkip =" FILE_ATTRIBUTE_ARCHIVE"}

提示

建議您考慮啟用掃描器,以略過具有下列屬性的檔案:We recommend that you consider enabling the scanner to skip files with the following attributes:

  • FILE_ATTRIBUTE_SYSTEMFILE_ATTRIBUTE_SYSTEM
  • FILE_ATTRIBUTE_HIDDENFILE_ATTRIBUTE_HIDDEN
  • FILE_ATTRIBUTE_DEVICEFILE_ATTRIBUTE_DEVICE
  • FILE_ATTRIBUTE_OFFLINEFILE_ATTRIBUTE_OFFLINE
  • FILE_ATTRIBUTE_RECALL_ON_DATA_ACCESSFILE_ATTRIBUTE_RECALL_ON_DATA_ACCESS
  • FILE_ATTRIBUTE_RECALL_ON_OPENFILE_ATTRIBUTE_RECALL_ON_OPEN
  • FILE_ATTRIBUTE_TEMPORARYFILE_ATTRIBUTE_TEMPORARY

如需可在 ScannerFSAttributesToSkip advanced 設定中定義的所有檔案屬性清單,請參閱 Win32 檔案屬性常數For a list of all file attributes that can be defined in the ScannerFSAttributesToSkip advanced setting, see the Win32 File Attribute Constants

在標記 (公開預覽期間,保留 NTFS 擁有者) Preserve NTFS owners during labeling (public preview)

這項設定會使用您必須使用 Office 365 Security & 合規性中心 PowerShell 進行設定的原則 advanced 設定This configuration uses a policy advanced setting that you must configure by using Office 365 Security & Compliance Center PowerShell.

根據預設,掃描器、PowerShell 和檔案總管擴充標記不會保留標記之前定義的 NTFS 擁有者。By default, scanner, PowerShell, and File Explorer extension labeling do not preserve the NTFS owner that was defined before the labeling.

若要確保保留 NTFS 擁有者的值,請將所選標籤原則的 [ UseCopyAndPreserveNTFSOwner advanced] 設定設為 [ true ]。To ensure that the NTFS owner value is preserved, set the UseCopyAndPreserveNTFSOwner advanced setting to true for the selected label policy.

警告

只有當您可以確保掃描器與掃描的儲存機制之間有低延遲、可靠的網路連線時,才定義此 advanced 設定。Define this advanced setting only when you can ensure a low-latency, reliable network connection between the scanner and the scanned repository. 自動標記程式期間發生網路失敗,可能會導致檔案遺失。A network failure during the automatic labeling process can cause the file to be lost.

當您的標籤原則命名為 "Global" 時,範例 PowerShell 命令:Sample PowerShell command, when your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{ UseCopyAndPreserveNTFSOwner ="true"}

注意

這項功能目前為「預覽」狀態。This feature is currently in PREVIEW. Azure 預覽補充條款 包含適用於 Azure 功能 (搶鮮版 (Beta)、預覽版,或尚未發行的版本) 的其他法律條款。The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

自訂修改標籤的對齊提示文字Customize justification prompt texts for modified labels

自訂當使用者變更檔和電子郵件上的分類標籤時,在 Office 和 AIP 用戶端中顯示的理由提示。Customize the justification prompts that are displayed in both Office and the AIP client, when end users change classification labels on documents and emails.

例如,以系統管理員身分,您可能會想要提醒您的使用者不要將任何客戶識別資訊新增到此欄位:For example, as an administrator, you may want to remind your users not to add any customer identifying information into this field:

自訂的理由提示文字

若要修改所顯示的預設 其他 文字,請使用 JustificationTextForUserText advanced 屬性搭配 LabelPolicy Cmdlet。To modify the default Other text that's displayed, use the JustificationTextForUserText advanced property with the Set-LabelPolicy cmdlet. 將值設定為您想要使用的文字。Set the value to the text you want to use instead.

當您的標籤原則命名為 "Global" 時,範例 PowerShell 命令:Sample PowerShell command, when your label policy is named "Global":


[Set-LabelPolicy](/powershell/module/exchange/set-labelpolicy) -Identity Global -AdvancedSettings @{JustificationTextForUserText="Other (please explain) - Do not enter sensitive info"}

自訂 Outlook 快顯視窗訊息Customize Outlook popup messages

AIP 系統管理員可以自訂在 Outlook 中顯示給終端使用者的快顯視窗,例如:AIP administrators can customize the popup messages that appear to end users in Outlook, such as:

  • 已封鎖電子郵件的訊息Messages for blocked emails
  • 提示使用者確認正在傳送之內容的警告訊息Warning messages that prompt users to verify the content that they're sending
  • 要求使用者證明正在傳送之內容的理由訊息Justification messages that request users to justify the content that they're sending

重要

此程式將會覆寫您已經使用 OutlookUnlabeledCollaborationAction advanced 屬性定義的任何設定。This procedure will override any settings you've already defined using the OutlookUnlabeledCollaborationAction advanced property.

在生產環境中,我們建議您藉由使用 OutlookUnlabeledCollaborationAction advanced 屬性來定義您的規則, 使用如下定義的 json 檔案來定義複雜的規則,而 不是兩者 都能避免複雜。In production, we recommend that you avoid complications by either using the OutlookUnlabeledCollaborationAction advanced property to define your rules, or defining complex rules with a json file as defined below, but not both.

自訂 Outlook 快顯視窗訊息To customize your Outlook popup messages:

  1. 建立 json 檔案,每個檔案都有一項規則,可設定 Outlook 如何顯示快顯視窗訊息給您的使用者。Create .json files, each with a rule that configures how Outlook displays popup messages to your users. 如需詳細資訊,請參閱 規則值. json 語法 和範例快顯 自訂。 json 程式碼For more information, see Rule value .json syntax and Sample popup customization .json code.

  2. 使用 PowerShell 來定義控制您正在設定之快顯訊息的 advanced 設定。Use PowerShell to define advanced settings that control the popup messages you're configuring. 針對您想要設定的每個規則執行一組個別的命令。Run a separate set of commands for each rule you want to configure.

    每一組 PowerShell 命令都必須包含您要設定之原則的名稱,以及用來定義規則的金鑰和值。Each set of PowerShell commands must include the name of the policy you're configuring, as well as the key and value that defines your rule.

    使用下列語法:Use the following syntax:

    $filedata = Get-Content "<Path to json file>”
    Set-LabelPolicy -Identity <Policy name> -AdvancedSettings @{<Key> ="$filedata"}
    

    其中:Where:

    • <Path to json file> 是您所建立之 json 檔案的路徑。<Path to json file> is the path to the json file you created. 例如: C:\Users\msanchez\Desktop\ \dlp\OutlookCollaborationRule_1.jsonFor example: C:\Users\msanchez\Desktop\ \dlp\OutlookCollaborationRule_1.json.

    • <Policy name> 這是您想要設定的原則名稱。<Policy name> is the name of the policy you want to configure.

    • <Key> 是規則的名稱。<Key> is a name for your rule. 使用下列語法,其中 <#> 是您的規則序號:Use the following syntax, where <#> is the serial number for your rule:

      OutlookCollaborationRule_<x>

    如需詳細資訊,請參閱 排序 Outlook 自訂規則規則值 json 語法For more information, see Ordering your Outlook customization rules and Rule value json syntax.

提示

針對其他組織,請使用與 PowerShell 命令中使用的金鑰相同的字串來命名您的檔案。For additional organization, name your file with the same string as the key used in your PowerShell command. 例如,將您的檔案命名為 OutlookCollaborationRule_1.js,然後也使用 OutlookCollaborationRule_1 作為金鑰。For example, name your file OutlookCollaborationRule_1.json, and then also use OutlookCollaborationRule_1 as your key.

為了確保即使檔從外部 Outlook 共用時,也會顯示快顯視窗 (檔案 > 共用 > 附加複本),也請設定 >postponemandatorybeforesave advanced 設定。To ensure that popups are displayed even when documents are shared from outside Outlook (File > Share > Attach a copy), also configure the PostponeMandatoryBeforeSave advanced setting.

排序 Outlook 自訂規則Ordering your Outlook customization rules

AIP 會使用您輸入的索引鍵中的序號來決定處理規則的順序。AIP uses the serial number in the key you enter to determine the order in which the rules are processed. 在定義用於每個規則的金鑰時,請以較低的數位定義更嚴格的規則,然後以較高的數目限制較低的規則。When defining the keys used for each rule, define your more restrictive rules with lower numbers, followed by less restrictive rules with higher numbers.

一旦找到特定規則相符,AIP 就會停止處理規則,並執行與比對規則相關聯的動作。Once a specific rule match is found, AIP stops processing the rules, and performs the action associated with the matching rule. (第一個相符-> 結束邏輯) (First match - > Exit logic)

範例Example:

假設您想要使用特定的 警告 訊息來設定所有 內部 電子郵件,但通常不會想要封鎖它們。Say you want to configure all Internal emails with a specific Warning message, but you don't generally want to block them. 不過,您想要封鎖使用者傳送分類為 秘密 的附件,甚至是 內部 電子郵件。However, you do want to block users from sending attachments classified as Secret, even as Internal emails.

在此案例中,請先訂購您的 區塊秘密 規則金鑰,也就是更明確的規則,在內部規則索引鍵 上的一般警告 之前:In this scenario, order your Block Secret rule key, which is the more specific rule, before your more generic Warn on Internal rule key:

  • 針對 封鎖 訊息: OutlookCollaborationRule_1For the Block message: OutlookCollaborationRule_1
  • 警告 訊息: OutlookCollaborationRule_2For the Warn message: OutlookCollaborationRule_2

規則值. json 語法Rule value .json syntax

定義規則的 json 語法,如下所示:Define your rule's json syntax as follows:

"type" : "And",
"nodes" : []

您至少必須有兩個節點,第一個代表規則的條件,最後表示規則的動作。You must have at least two nodes, the first representing your rule's condition, and the last representing the rule's action. 如需詳細資訊,請參閱For more information, see:

規則條件語法Rule condition syntax

規則條件節點必須包含節點類型,然後是條件本身。Rule condition nodes must include the node type, and then the conditions themselves.

支援的節點類型包括:Supported node types include:

節點類型Node type 描述Description
And 在所有子節點上執行 Performs and on all child nodes
OrOr 在所有子節點上執行 Performs or on all child nodes
Not 不會 為其本身的子系執行Performs not for its own child
ExceptExcept 針對本身的子系傳回 not ,使其行為Returns not for its own child, causing it to behave as All
SentTo,後面接著 定義域: listOfDomainsSentTo, followed by Domains: listOfDomains 檢查下列其中一項:Checks one of the following:
-如果父系為 Except,則檢查 所有 收件者是否在其中一個網域- If the Parent is Except, checks whether All of the recipients are in one of the domains
-如果父系是其他任何其他,但 除外,則檢查 任何 收件者是否在其中一個網域中。- If the Parent is anything else but Except, checks whether Any of the recipients are in one of the domains.
EMailLabel,後面接著標籤EMailLabel, followed by label 下列其中之一:One of the following:
-標籤識別碼- The label ID
-null,如果未加上標籤- null, if not labeled
AttachmentLabel,後面接著 標籤 和支援的 延伸 模組AttachmentLabel, followed by Label and supported Extensions 下列其中之一:One of the following:

真:true:
-如果父系為 例外,則會檢查標籤中是否有一個支援的延伸模組的 所有 附件- If the Parent is Except, checks whether All of the attachments with one supported extension exists within the label
-如果父系是其他任何其他,但 除外,則會檢查標籤中是否有一個支援的 副檔名的附件- If the Parent is anything else but Except, checks whether Any of the attachments with one supported extension exists within the label
-如果未加上標籤,而且 標籤 = null- If not labeled, and label = null

false: 適用于所有其他案例false: For all other cases

注意:如果 延伸 模組屬性是空的或遺漏,則規則中包含所有支援的檔案類型 (延伸模組) 。Note: If the Extensions property is empty or missing, all supported file types (extensions) are included in the rule.

規則動作語法Rule action syntax

規則動作可以是下列其中一項:Rule actions can be one of the following:

動作Action 語法Syntax 範例訊息Sample message
封鎖Block Block (List<language, [title, body]>) *封鎖的電子郵件 _*Email Blocked _

_You 即將將分類為 秘密 的內容傳送給一或多個不受信任的收件者:
rsinclair@contoso.com

您的組織原則不允許此動作。
_You are about to send content classified as Secret to one or more untrusted recipients:
rsinclair@contoso.com

Your organization policy does not allow this action.
請考慮移除這些收件者或取代內容。 *Consider removing these recipients or replace the content.*
警告Warn Warn (List<language,[title,body]>) *需要確認 _*Confirmation Required _

_You 即將將分類為 一般 分類的內容傳送給一或多個不受信任的收件者:
rsinclair@contoso.com

您的組織原則需要確認才能傳送此內容。 *
_You are about to send content classified as General to one or more untrusted recipients:
rsinclair@contoso.com

Your organization policy requires confirmation for you to send this content.*
證明Justify Justify (numOfOptions, hasFreeTextOption, List<language, [Title, body, options1,options2….]> )

包含最多三個選項。Including up to three options.
*需要理由 _*Justification Required _

_Your 的組織原則需要理由,才能將分類為 一般 的內容傳送至不受信任的收件者。

-我確認收件者已核准共用此內容
-我的管理員已核准共用此內容
-其他,如所述 *
_Your organization policy requires justification for you to send content classified as General to untrusted recipients.

- I confirm the recipients are approved for sharing this content
- My manager approved sharing of this content
- Other, as explained*
動作參數Action parameters

如果未提供任何參數給某個動作,快顯視窗將會有預設文字。If no parameters are provided for an action, the pop-ups will have the default text.

所有文字都支援下列動態參數:All texts support the following dynamic parameters:

參數Parameter 描述Description
${MatchedRecipientsList} SentTo 條件的最後一個相符項The last match for the SentTo conditions
${MatchedLabelName} 郵件/附件 標籤,具有來自原則的當地語系化名稱The mail/attachment Label, with the localized name from the policy
${MatchedAttachmentName} AttachmentLabel 條件最後一個相符項的附件名稱The name of the attachment from the last match for the AttachmentLabel condition

注意

所有訊息都包含 [告訴我更多] 選項,以及 [說明與****意見 反應] 對話方塊。All messages include the Tell Me More option, as well as the Help and Feedback dialogs.

語言 是地區設定名稱的 CultureName ,例如:英文 = en-us ;西班牙 文 = es-esThe Language is the CultureName for the locale name, such as: English = en-us; Spanish = es-es

也支援僅限父系的語言名稱,例如 en 只有。Parent-only language names are also supported, such as en only.

範例快顯自訂。 json 程式碼Sample popup customization .json code

下列一組 json 程式碼示範如何定義各種不同的規則,以控制 Outlook 如何為您的使用者顯示快顯視窗訊息。The following sets of .json code show how you can define a variety of rules that control how Outlook displays popup messages for your users.

範例1:封鎖內部電子郵件或附件Example 1: Block Internal emails or attachments

下列 json 程式碼將會封鎖分類為 內部 的電子郵件或附件,使其無法設定為外部收件者。The following .json code will block emails or attachments that are classified as Internal from being set to external recipients.

在此範例中, 89a453df-5df4-4976-8191-259d0cf9560a內部 標籤的識別碼,而內部網域包括 contoso.commicrosoft.comIn this example, 89a453df-5df4-4976-8191-259d0cf9560a is the ID of the Internal label, and internal domains include contoso.com and microsoft.com.

由於未指定任何特定的擴充功能,因此會包含所有支援的檔案類型。Since no specific extensions are specified, all supported file types are included.

{   
    "type" : "And",     
    "nodes" : [         
        {           
            "type" : "Except" ,             
            "node" :{               
                "type" : "SentTo",                  
                "Domains" : [                   
                    "contoso.com",                  
              "microsoft.com"
                ]               
            }       
        },
        {           
            "type" : "Or",          
            "nodes" : [                 
                {           
                    "type" : "AttachmentLabel",             
                    "LabelId" : "89a453df-5df4-4976-8191-259d0cf9560a"      
                },{                     
                    "type" : "EmailLabel",                  
                    "LabelId" : "89a453df-5df4-4976-8191-259d0cf9560a"              
                }
            ]
        },      
        {           
            "type" : "Block",           
            "LocalizationData": {               
                "en-us": {                
                    "Title": "Email Blocked",                 
                    "Body": "The email or at least one of the attachments is classified as <Bold>${MatchedLabelName}</Bold>. Documents classified as <Bold> ${MatchedLabelName}</Bold> cannot be sent to external recipients (${MatchedRecipientsList}).<br><br>List of attachments classified as <Bold>${MatchedLabelName}</Bold>:<br><br>${MatchedAttachmentName}<br><br><br>This message will not be sent.<br>You are responsible for ensuring compliance with classification requirements as per Contoso’s policies."               
                },              
                "es-es": {                
                    "Title": "Correo electrónico bloqueado",                  
                    "Body": "El correo electrónico o al menos uno de los archivos adjuntos se clasifica como <Bold> ${MatchedLabelName}</Bold>."                
                }           
            },          
            "DefaultLanguage": "en-us"      
        }   
    ] 
}

範例2:封鎖非分類的 Office 附件Example 2: Block unclassified Office attachments

下列 json 程式碼會封鎖非分類的 Office 附件或電子郵件傳送給外部收件者。The following .json code blocks unclassified Office attachments or emails from being sent to external recipients.

在下列範例中,需要加上標籤的附件清單為: .doc、. docm、.docx、.dot、normal.dotm、。 dotx、. potm、potx、.pps、ppsm、. ppsx、.ppt、. pptm、.pptx、. vdw、.vsd、. .vsdm、.vsdx、.vss、.vssm、 .vstm、.xls、.vssx、.xlt、. .vstx、.xlsx、.xlsb、. xlsm、. xltm、. xltx、。In the following example, the attachment list that requires labeling is: .doc,.docm,.docx,.dot,.dotm,.dotx,.potm,.potx,.pps,.ppsm,.ppsx,.ppt,.pptm,.pptx,.vdw,.vsd,.vsdm,.vsdx,.vss,.vssm,.vst,.vstm,.vssx,.vstx,.xls,.xlsb,.xlt,.xlsm,.xlsx,.xltm,.xltx

{   
    "type" : "And",     
    "nodes" : [         
        {           
            "type" : "Except" ,             
            "node" :{               
                "type" : "SentTo",                  
                "Domains" : [                   
                    "contoso.com",                  
                    "microsoft.com"
                ]               
            }       
        },
        {           
            "type" : "Or",          
            "nodes" : [                 
                {           
                    "type" : "AttachmentLabel",
                     "LabelId" : null,
                    "Extensions": [
                                    ".doc",
                                    ".docm",
                                    ".docx",
                                    ".dot",
                                    ".dotm",
                                    ".dotx",
                                    ".potm",
                                    ".potx",
                                    ".pps",
                                    ".ppsm",
                                    ".ppsx",
                                    ".ppt",
                                    ".pptm",
                                    ".pptx",
                                    ".vdw",
                                    ".vsd",
                                    ".vsdm",
                                    ".vsdx",
                                    ".vss",
                                    ".vssm",
                                    ".vst",
                                    ".vstm",
                                    ".vssx",
                                    ".vstx",
                                    ".xls",
                                    ".xlsb",
                                    ".xlt",
                                    ".xlsm",
                                    ".xlsx",
                                    ".xltm",
                                    ".xltx"
                                 ]
                    
                },{                     
                    "type" : "EmailLabel",
                     "LabelId" : null
                }
            ]
        },      
        {           
            "type" : "Email Block",             
            "LocalizationData": {               
                "en-us": {                
                    "Title": "Emailed Blocked",                   
                    "Body": "Classification is necessary for attachments to be sent to external recipients.<br><br>List of attachments that are not classified:<br><br>${MatchedAttachmentName}<br><br><br>This message will not be sent.<br>You are responsible for ensuring compliance to classification requirement as per Contoso’s policies.<br><br>For MS Office documents, classify and send again.<br><br>For PDF files, classify the document or classify the email (using the most restrictive classification level of any single attachment or the email content) and send again."               
                },              
                "es-es": {                
                    "Title": "Correo electrónico bloqueado",                  
                    "Body": "La clasificación es necesaria para que los archivos adjuntos se envíen a destinatarios externos."              
                }           
            },          
            "DefaultLanguage": "en-us"      
        }   
    ] 
}

範例3:要求使用者接受傳送機密電子郵件或附件Example 3: Require the user to accept sending a Confidential email or attachment

下列範例會讓 Outlook 顯示一則訊息,警告使用者他們正在將 機密 電子郵件或附件傳送給外部收件者,也需要使用者選取 [ 我接受]。The following example causes Outlook to display a message that warns the user that they are sending a Confidential email or attachment to external recipients, and also requires that the user selects I accept.

這類的警告訊息在技術上是視為一個理由,因為使用者必須選取 [ 我接受]。This sort of warning message is technically considered to be a justification, as the user must select I accept.

由於未指定任何特定的擴充功能,因此會包含所有支援的檔案類型。Since no specific extensions are specified, all supported file types are included.

{   
    "type" : "And",     
    "nodes" : [         
        {           
            "type" : "Except" ,             
            "node" :{               
                "type" : "SentTo",                  
                "Domains" : [                   
                    "contoso.com",                  
                    "microsoft.com"
                ]               
            }       
        },
        {           
            "type" : "Or",          
            "nodes" : [                 
                {           
                    "type" : "AttachmentLabel",             
                    "LabelId" : "3acd2acc-2072-48b1-80c8-4da23e245613"      
                },{                     
                    "type" : "EmailLabel",                  
                    "LabelId" : "3acd2acc-2072-48b1-80c8-4da23e245613"              
                }
            ]
        },      
        {           
            "type" : "Justify",             
            "LocalizationData": {               
                "en-us": {                
                    "Title": "Warning",                   
                    "Body": "You are sending a document that is classified as <Bold>${MatchedLabelName}</Bold> to at least one external recipient. Please make sure that the content is correctly classified and that the recipients are entitled to receive this document.<br><br>List of attachments classified as <Bold>${MatchedLabelName}</Bold>:<br><br>${MatchedAttachmentName}<br><br><Bold>List of external email addresses:</Bold><br>${MatchedRecipientsList})<br><br>You are responsible for ensuring compliance to classification requirement as per Contoso’s policies.<br><br><Bold>Acknowledgement</Bold><br>By clicking <Bold>I accept<\Bold> below, you confirm that the recipient is entitled to receive the content and the communication complies with CS Policies and Standards",
                    "Options": [                        
                        "I accept"              
                    ] 
                },              
                "es-es": {                
                    "Title": "Advertencia",                   
                    "Body": "Está enviando un documento clasificado como <Bold>${MatchedLabelName}</Bold> a al menos un destinatario externo. Asegúrese de que el contenido esté correctamente clasificado y que los destinatarios tengan derecho a recibir este documento.",
                    "Options": [                        
                        "Acepto"                    
                    ]                   
                }           
            },          
            "HasFreeTextOption":"false",            
            "DefaultLanguage": "en-us"      
        }   
    ] 
}

範例4:在沒有標籤的郵件上發出警告,並使用特定標籤的附件發出警告Example 4: Warn on mail with no label, and an attachment with a specific label

下列程式 代碼 會讓 Outlook 在傳送內部電子郵件沒有標籤時警告使用者,其中包含具有特定標籤的附件。The following .json code causes Outlook to warn the user when they are sending an internal email has no label, with an attachment that has a specific label.

在此範例中, bcbef25a-c4db-446b-9496-1b558d9edd0e 是附件標籤的識別碼,而規則會套用至 .docx、.xlsx 和 .pptx 檔案。In this example, bcbef25a-c4db-446b-9496-1b558d9edd0e is the ID of the attachment's label, and the rule applies to .docx, .xlsx, and .pptx files.

依預設,已加上標籤之附件的電子郵件不會自動收到相同的標籤。By default, emails that have labeled attachments do not automatically receive the same label.

{   
    "type" : "And",     
    "nodes" : [         
        {           
            "type" : "EmailLabel",
                     "LabelId" : null           
        },
        {
          "type": "AttachmentLabel",
          "LabelId": "bcbef25a-c4db-446b-9496-1b558d9edd0e",
          "Extensions": [
                ".docx",
                ".xlsx",
                ".pptx"
             ]
        },
    {           
            "type" : "SentTo",              
            "Domains" : [               
                "contoso.com",              
            ]           
        },      
        {           
            "type" : "Warn" 
        }   
    ] 
}

範例5:提示輸入理由,有兩個預先定義的選項,以及一個額外的自由文字選項Example 5: Prompt for a justification, with two predefined options, and an extra free-text option

下列程式碼會讓 Outlook 提示使用者輸入其動作的 理由。The following .json code causes Outlook to prompt the user for a justification for their action. 理由文字包含兩個預先定義的選項,以及第三個自由文字選項。The justification text includes two predefined options, as well as a third, free-text option.

由於未指定任何特定的擴充功能,因此會包含所有支援的檔案類型。Since no specific extensions are specified, all supported file types are included.

{   
    "type" : "And",     
    "nodes" : [         
        {           
            "type" : "Except" ,             
            "node" :{               
                "type" : "SentTo",                  
                "Domains" : [                   
                    "contoso.com",                                  
                ]               
            }       
        },      
        {           
            "type" : "EmailLabel",          
            "LabelId" : "34b8beec-40df-4219-9dd4-553e1c8904c1"      
        },      
        {           
            "type" : "Justify",             
            "LocalizationData": {               
                "en-us": {                  
                    "Title": "Justification Required",                  
                    "Body": "Your organization policy requires justification for you to send content classified as <Bold> ${MatchedLabelName}</Bold>,to untrusted recipients:<br>Recipients are: ${MatchedRecipientsList}",                     
                    "Options": [                        
                        "I confirm the recipients are approved for sharing this content",                   
                        "My manager approved sharing of this content",                      
                        "Other, as explained"                   
                    ]               
                },              
                "es-es": {                  
                    "Title": "Justificación necesaria",                     
                    "Body": "La política de su organización requiere una justificación para que envíe contenido clasificado como <Bold> ${MatchedLabelName}</Bold> a destinatarios que no sean de confianza.",                  
                    "Options": [                        
                        "Confirmo que los destinatarios están aprobados para compartir este contenido.",
                        "Mi gerente aprobó compartir este contenido",
                        "Otro, como se explicó"                     
                    ]               
                }           
            },          
            "HasFreeTextOption":"true",             
            "DefaultLanguage": "en-us"      
        }   
    ] 
}

設定 SharePoint 超時Configure SharePoint timeouts

根據預設,SharePoint 互動的超時時間是兩分鐘,在這之後,嘗試的 AIP 作業就會失敗。By default, the timeout for SharePoint interactions is two minutes, after which the attempted AIP operation fails.

版本 2.8.85.0開始,AIP 系統管理員可以使用下列 advanced 屬性來控制此超時時間,使用 hh: mm: ss 語法來定義超時:Starting in version 2.8.85.0, AIP administrators can control this timeout using the following advanced properties, using an hh:mm:ss syntax to define the timeouts:

  • SharepointWebRequestTimeoutSharepointWebRequestTimeout. 決定對 SharePoint 的所有 AIP web 要求的超時時間。Determines the timeout for all AIP web requests to SharePoint. 預設值 = 2 分鐘。Default = 2 minutes.

    例如,如果您的原則命名為 Global,則下列範例 PowerShell 命令會將 web 要求超時更新為5分鐘。For example, if your policy is named Global, the following sample PowerShell command updates the web request timeout to 5 minutes.

    Set-LabelPolicy -Identity Global -AdvancedSettings @{SharepointWebRequestTimeout="00:05:00"}
    
  • SharepointFileWebRequestTimeoutSharepointFileWebRequestTimeout. 透過 AIP web 要求,明確判斷 SharePoint 檔案的超時時間。Determines the timeout specifically for SharePoint files via AIP web requests. 預設值 = 15 分鐘Default = 15 minutes

    例如,如果您的原則命名為 Global,則下列範例 PowerShell 命令會將檔案 web 要求的超時時間更新為10分鐘。For example, if your policy is named Global, the following sample PowerShell command updates the file web request timeout to 10 minutes.

    Set-LabelPolicy -Identity Global -AdvancedSettings @{SharepointFileWebRequestTimeout="00:10:00"}
    

避免 SharePoint 中的掃描器超時Avoid scanner timeouts in SharePoint

如果您在 SharePoint 2013 版或更高版本中有較長的檔案路徑,請確定您的 SharePoint 伺服器 HTTPRuntime. maxUrlLength 值超過預設的260個字元。If you have long file paths in SharePoint version 2013 or higher, ensure that your SharePoint server's httpRuntime.maxUrlLength value is larger than the default 260 characters.

此值定義于設定的 HttpRuntimeSection 類別中 ASP.NETThis value is defined in the HttpRuntimeSection class of the ASP.NET configuration.

若要更新 HttpRuntimeSection 類別: * *To update the HttpRuntimeSection class:**

  1. 備份您的 web.config 設定。Back up your web.config configuration.

  2. 視需要更新 maxUrlLength 值。Update the maxUrlLength value as needed. 例如:For example:

    <httpRuntime maxRequestLength="51200" requestValidationMode="2.0" maxUrlLength="5000"  />
    
  3. 重新開機您的 SharePoint web 伺服器,並確認它是否正確載入。Restart your SharePoint web server and verify that it loads correctly.

    例如,在 Windows Internet Information Server (IIS) 管理員] 中,選取您的網站,然後在 [ 管理網站] 下,選取 [ 重新開機]。For example, in Windows Internet Information Servers (IIS) Manager, select your site, and then under Manage Website, select Restart.

使用 S/MIME 電子郵件防止 Outlook 效能問題Prevent Outlook performance issues with S/MIME emails

在讀取窗格中開啟 S/MIME 電子郵件時,Outlook 可能會發生效能問題。Performance issues may occur in Outlook when the S/MIME emails are opened in Reading Pane. 若要避免這些問題,請啟用 OutlookSkipSmimeOnReadingPaneEnabled advanced 屬性。To prevent these issues, enable the OutlookSkipSmimeOnReadingPaneEnabled advanced property.

啟用此屬性可防止在 [閱讀] 窗格中顯示 AIP 列和電子郵件分類。Enabling this property prevents the AIP bar and the email classifications from being shown in the Reading Pane.

例如,如果您的原則命名為 Global,則下列範例 PowerShell 命令會啟用 OutlookSkipSmimeOnReadingPaneEnabled 屬性:For example, if your policy is named Global, the following sample PowerShell command enables the OutlookSkipSmimeOnReadingPaneEnabled property:

Set-LabelPolicy -Identity Global -AdvancedSettings @{OutlookSkipSmimeOnReadingPaneEnabled="true"}

關閉檔追蹤功能 (公開預覽) Turn off document tracking features (public preview)

根據預設,您的租使用者會開啟檔追蹤功能。By default, document tracking features are turned on for your tenant. 若要關閉這些功能(例如組織或區域中的隱私權需求),請將 EnableTrackAndRevoke 值設定為 FalseTo turn them off, such as for privacy requirements in your orgnization or region, set the EnableTrackAndRevoke value to False.

關閉之後,您的組織將無法再使用檔追蹤資料,使用者將不會再于其 Office 應用程式中看到 [撤銷] 功能表選項。Once turned off, document tracking data will not longer be available in your organization, and users will no longer see the Revoke menu option in their Office apps.

針對選取的標籤原則,指定下列字串:For the selected label policy, specify the following strings:

  • 機碼: EnableTrackAndRevokeKey: EnableTrackAndRevoke

  • 值:FalseValue: False

範例 PowerShell 命令,其中的標籤原則命名為 "Global":Example PowerShell command, where your label policy is named "Global":

Set-LabelPolicy -Identity Global -AdvancedSettings @{EnableTrackAndRevoke="False"}

將此值設定為 False 之後,會關閉追蹤和撤銷,如下所示:After setting this value to False, track and revoke is turned off as follows:

  • 使用 AIP 統一標籤用戶端開啟受保護的檔時,不會再註冊檔以進行追蹤和撤銷。Opening protected documents with the AIP unified labeling client no longer registers the documents for track and revoke.
  • 使用者將不會再于其 Office 應用程式中看到 [撤銷] 功能表選項。End-users will no longer see the Revoke menu option in their Office apps.

不過,已註冊進行追蹤的受保護檔將繼續進行追蹤,而且系統管理員仍可從 PowerShell 撤銷存取權。However, protected documents that are already registered for tracking will continue to be track, and administrators can still revoke access from PowerShell. 若要完整關閉追蹤和撤銷功能,也請執行 AipServiceDocumentTrackingFeature Cmdlet。To full turn off track and revoke features, also run the Disable-AipServiceDocumentTrackingFeature cmdlet.

這項設定會使用您必須使用 Office 365 Security & 合規性中心 PowerShell 進行設定的原則 advanced 設定This configuration uses a policy advanced setting that you must configure by using Office 365 Security & Compliance Center PowerShell.

注意

若要開啟追蹤和撤銷,請將 EnableTrackAndRevoke 設定為 true,並同時執行 AipServiceDocumentTrackingFeature Cmdlet。To turn track and revoke back on, set the EnableTrackAndRevoke to true, and also run the Enable-AipServiceDocumentTrackingFeature cmdlet.

後續步驟Next steps

既然您已經自訂 Azure 資訊保護的統一標籤用戶端,請參閱下列資源,以取得支援此用戶端可能需要的其他資訊:Now that you've customized the Azure Information Protection unified labeling client, see the following resources for additional information that you might need to support this client: