How to create a device compliance policy for Windows devices in Intune

Applies to: Intune on Azure
Looking for documentation about Intune in the classic console? Go here.

Compliance policies are created for each platform. You can create a compliance policy in the Azure portal. To learn more about what a compliance policy is, see the What is device compliance topic. To learn about the prerequisites that you must address before creating a compliance policy, see the Get started with device compliance topic.

The following table describes how noncompliant settings are managed when a compliance policy is used with a conditional access policy.

Policy setting                 | Windows 8.1 and later                         | Windows Phone 8.1 and later
PIN or password configuration  | Remediated                                    | Remediated
Device encryption              | Not applicable                                | Remediated
Jailbroken or rooted device    | Not applicable                                | Not applicable
Email profile                  | Not applicable                                | Not applicable
Minimum OS version             | Quarantined                                   | Quarantined
Maximum OS version             | Quarantined                                   | Quarantined
Windows health attestation     | Quarantined: Windows 10 and Windows 10 Mobile | Not applicable: Windows 8.1

Remediated = The device operating system enforces compliance. (For example, the user is forced to set a PIN.)

Quarantined = The device operating system does not enforce compliance. (For example, Android devices do not force the user to encrypt the device.) When the device is not compliant, the following actions take place:

  • The device is blocked if a conditional access policy applies to the user.
  • The company portal notifies the user about any compliance problems.

Create a compliance policy in the Azure portal

  1. From the Intune blade, choose Set Device compliance. Under Manage, choose All device compliance policies, and then choose Create.
  2. Type a name and a description, and choose the platform that you want this policy to apply to.
  3. Choose Compliance requirements to open the Compliance requirements blade. You can specify the Security, Device health, and Device property settings here. When you are done, choose OK.

Assign user groups

To assign a compliance policy to users, choose a policy that you have configured. Existing policies can be found in the Compliance - Policies blade.

  1. Choose the policy you want to assign to users, and then choose Assignments. This opens the blade where you can select Azure Active Directory security groups and assign them to the policy.
  2. Choose Select groups to open the blade that displays the Azure AD security groups. Choosing Select deploys the policy to users.

You have applied the policy to users. The devices used by the users who are targeted by the policy will be evaluated for compliance.

System security settings

Password

  • Require a password to unlock mobile devices: Set this to Yes to require users to enter a password before they can access their device.
  • Allow simple passwords: Set this to Yes to let users create simple passwords such as '1234' or '1111'.
  • Minimum password length: Specify the minimum number of digits or characters that the user's password must contain.
  • Required password type: Specify whether users must create an Alphanumeric or a Numeric password.

For devices that run Windows and are accessed with a Microsoft account, the compliance policy will fail to evaluate correctly if the minimum password length is greater than eight characters or if the minimum number of character sets is more than two.

  • Minimum number of character sets: If Required password type is set to Alphanumeric, this setting specifies the minimum number of character sets that the password must contain. The four character sets are:
    • Lowercase letters
    • Uppercase letters
    • Symbols
    • Numbers

Setting a higher number for this setting requires users to create passwords that are more complex. For devices that run Windows and are accessed with a Microsoft account, the compliance policy will fail to evaluate correctly if the minimum password length is greater than eight characters or if the minimum number of character sets is more than two.

  • Minutes of inactivity before password is required: Specifies the idle time before the user must re-enter their password.
  • Password expiration (days): Select the number of days before the user's password expires and they must create a new one.
  • Remember password history: Use this setting in conjunction with Prevent reuse of previous passwords to restrict the user from creating previously used passwords.
  • Prevent reuse of previous passwords: If Remember password history is selected, specify the number of previously used passwords that cannot be reused.
  • Require a password when the device returns from an idle state: This setting should be used together with the Minutes of inactivity before password is required setting. End users are prompted to enter a password to access a device that has been inactive for the time specified in the Minutes of inactivity before password is required setting.

This setting only applies to Windows 10 Mobile devices.
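The password settings above interact: the character-set minimum only matters when the required type is Alphanumeric, the reuse count only matters when password history is remembered, and the Microsoft-account caveat limits what can be evaluated at all. The following script models that evaluation so the interactions are visible. It is an added example, not Intune or Windows code: the device OS enforces these rules locally and reports the outcome, and Intune never sees the password itself. The PasswordPolicy field names mirror the settings on this page; the is_simple heuristic and the sample passwords are constructed for illustration.

```python
"""Model of how the Windows password compliance settings combine when a device
evaluates a candidate password. Added illustration, not Intune or Windows code."""
from dataclasses import dataclass
from typing import List, Sequence, Set


@dataclass(frozen=True)
class PasswordPolicy:
    # Field names follow the settings on this page (assumed mapping).
    require_password: bool = True
    allow_simple_passwords: bool = False
    minimum_length: int = 6
    required_type: str = "Alphanumeric"      # "Alphanumeric" or "Numeric"
    minimum_character_sets: int = 2          # only applies when Alphanumeric
    prevent_reuse_count: int = 0             # 0 = Remember password history is off


def character_sets(password: str) -> Set[str]:
    """Return which of the four sets (lowercase, uppercase, numbers, symbols) occur."""
    found = set()
    for ch in password:
        if ch.islower():
            found.add("lowercase")
        elif ch.isupper():
            found.add("uppercase")
        elif ch.isdigit():
            found.add("numbers")
        else:
            found.add("symbols")
    return found


def is_simple(password: str) -> bool:
    """Constructed heuristic for 'simple' passwords like '1111' or '1234':
    a single repeated character, or an all-digit run stepping by exactly 1."""
    if len(set(password)) == 1:
        return True
    if password.isdigit() and len(password) >= 2:
        steps = {ord(b) - ord(a) for a, b in zip(password, password[1:])}
        return steps in ({1}, {-1})
    return False


def evaluate(policy: PasswordPolicy, password: str, history: Sequence[str] = ()) -> List[str]:
    """Return the names of the settings the password fails; empty means compliant."""
    if not policy.require_password:
        return []
    failures = []
    if len(password) < policy.minimum_length:
        failures.append("Minimum password length")
    if policy.required_type == "Numeric":
        if not password.isdigit():
            failures.append("Required password type")
    elif len(character_sets(password)) < policy.minimum_character_sets:
        failures.append("Minimum number of character sets")
    if not policy.allow_simple_passwords and is_simple(password):
        failures.append("Allow simple passwords")
    # Prevent reuse only has effect when password history is being remembered.
    if policy.prevent_reuse_count > 0 and password in history[-policy.prevent_reuse_count:]:
        failures.append("Prevent reuse of previous passwords")
    return failures


def evaluable_with_microsoft_account(policy: PasswordPolicy) -> bool:
    """The page's caveat: on Windows devices accessed with a Microsoft account the
    policy fails to evaluate correctly if minimum length exceeds 8 or the minimum
    number of character sets exceeds 2."""
    return policy.minimum_length <= 8 and policy.minimum_character_sets <= 2


if __name__ == "__main__":
    strict = PasswordPolicy(minimum_length=8, minimum_character_sets=3)
    for candidate in ("1234", "Passw0rd", "passw0rd", "aaaaaaaa"):   # constructed samples
        print(candidate, evaluate(strict, candidate) or "compliant")
    print("evaluable with Microsoft account:", evaluable_with_microsoft_account(strict))
```

Running the script prints each constructed candidate with the settings it fails, and then shows that the strict policy (three character sets) would not evaluate correctly on a Microsoft-account device, which is the check worth making before assigning such a policy.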

Encryption

  • Require encryption on mobile device: Set this to Yes to require the device to be encrypted in order to connect to resources.

Device health settings

  • Require devices to be reported as healthy: You can set a rule to require that Windows 10 Mobile devices must be reported as healthy in new or existing compliance policies. If this setting is enabled, Windows 10 devices are evaluated via the Health Attestation Service (HAS) for the following data points:
    • BitLocker is enabled: When BitLocker is on, the device is able to protect data that is stored on the drive from unauthorized access when the system is turned off or goes into hibernation. Windows BitLocker Drive Encryption encrypts all data stored on the Windows operating system volume. BitLocker uses the TPM to help protect the Windows operating system and user data, and helps to ensure that a computer is not tampered with, even if it is left unattended, lost, or stolen. If the computer is equipped with a compatible TPM, BitLocker uses the TPM to lock the encryption keys that protect the data. As a result, the keys cannot be accessed until the TPM has verified the state of the computer.
    • Code integrity is enabled: Code integrity is a feature that validates the integrity of a driver or system file each time it is loaded into memory. Code integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrator privileges.
    • Secure Boot is enabled: When Secure Boot is enabled, the system is forced to boot to a factory trusted state. Also, when Secure Boot is enabled, the core components used to boot the machine must have correct cryptographic signatures that are trusted by the organization that manufactured the device. The UEFI firmware verifies this before it lets the machine start. If any files have been tampered with, breaking their signature, the system will not boot.

For information on how the HAS service works, see Health Attestation CSP.

Device property settings

  • Minimum OS required: When a device does not meet the minimum OS version requirement, it is reported as noncompliant. A link with information on how to upgrade is displayed. The end user can choose to upgrade their device, after which they can access company resources.
  • Maximum OS version allowed: When a device is using an OS version later than the one specified in the rule, access to company resources is blocked and the user is asked to contact their IT admin. Until there is a change in the rule to allow the OS version, this device cannot be used to access company resources.

System security settings

Password

  • Minimum password length: Supported on Windows 8.1.

Specify the minimum number of digits or characters that the user's password must contain.

For devices that are accessed with a Microsoft account, the compliance policy will fail to evaluate correctly if Minimum password length is greater than 8 characters or if Minimum number of character sets is more than two.

  • Required password type: Supported on Windows RT, Windows RT 8.1, and Windows 8.1.

Specify whether users must create an Alphanumeric or a Numeric password.

  • Minimum number of character sets: Supported on Windows RT, Windows RT 8.1, and Windows 8.1. If Required password type is set to Alphanumeric, this setting specifies the minimum number of character sets that the password must contain. The four character sets are:
    • Lowercase letters
    • Uppercase letters
    • Symbols
    • Numbers

Setting a higher number for this setting requires users to create passwords that are more complex.

For devices that are accessed with a Microsoft account, the compliance policy will fail to evaluate correctly if Minimum password length is greater than 8 characters or if Minimum number of character sets is more than 2.

  • Minutes of inactivity before password is required: Supported on Windows RT, Windows RT 8.1, and Windows 8.1.

Specify the idle time before the user must re-enter their password.

  • Password expiration (days): Supported on Windows RT, Windows RT 8.1, and Windows 8.1.

Select the number of days before the user's password expires and they must create a new one.

  • Remember password history: Supported on Windows RT, Windows RT 8.1, and Windows 8.1.

Use this setting in conjunction with Prevent reuse of previous passwords to restrict the user from creating previously used passwords.

  • Prevent reuse of previous passwords: Supported on Windows RT, Windows RT 8.1, and Windows 8.1.

If Remember password history is selected, specify the number of previously used passwords that cannot be reused.

Device health settings

  • Require devices to be reported as healthy: Supported on Windows 10 devices. You can set a rule to require that Windows 10 devices must be reported as healthy in new or existing compliance policies. If this setting is enabled, Windows 10 devices are evaluated via the Health Attestation Service (HAS) for the following data points:
    • BitLocker is enabled: When BitLocker is on, the device is able to protect data that is stored on the drive from unauthorized access when the system is turned off or goes into hibernation. Windows BitLocker Drive Encryption encrypts all data stored on the Windows operating system volume. BitLocker uses the TPM to help protect the Windows operating system and user data, and helps to ensure that a computer is not tampered with, even if it is left unattended, lost, or stolen. If the computer is equipped with a compatible TPM, BitLocker uses the TPM to lock the encryption keys that protect the data. As a result, the keys cannot be accessed until the TPM has verified the state of the computer.
    • Code integrity is enabled: Code integrity is a feature that validates the integrity of a driver or system file each time it is loaded into memory. Code integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrator privileges.
    • Secure Boot is enabled: When Secure Boot is enabled, the system is forced to boot to a factory trusted state. Also, when Secure Boot is enabled, the core components used to boot the machine must have correct cryptographic signatures that are trusted by the organization that manufactured the device. The UEFI firmware verifies this before it lets the machine start. If any files have been tampered with, breaking their signature, the system will not boot.
    • Early-launch antimalware is enabled: Early launch anti-malware (ELAM) provides protection for the computers in your network when they start up and before third-party drivers initialize.

For information on how the HAS service works, see Health Attestation CSP.

Device property settings

  • Minimum OS required: Supported on Windows 8.1 and Windows 10.

Specify the major.minor.build number here. The version number must correspond to the version returned by the winver command.

When a device has an earlier version than the specified OS version, it is reported as noncompliant. A link with information on how to upgrade is displayed. The end user can choose to upgrade their device, after which they can access company resources.

  • Maximum OS version allowed: Supported on Windows 8.1 and Windows 10.

When a device is using an OS version later than the one specified in the rule, access to company resources is blocked and the user is asked to contact their IT admin. Until there is a change in the rule to allow the OS version, this device cannot be used to access company resources.

To find the OS version to use for the Minimum OS required and Maximum OS version allowed settings, run the winver command from the command prompt. The winver command returns the reported version of the OS.

  • Windows 8.1 PCs return a version of 3. If the OS version rule is set to Windows 8.1 for Windows, the device is reported as noncompliant even if the device has Windows 8.1.
  • For PCs running Windows 10, the version should be set as "10.0" + the OS build number returned by the winver command.
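The Minimum OS required and Maximum OS version allowed rules compare dotted major.minor.build values, and the two quirks above (Windows 8.1 reporting "3", Windows 10 needing "10.0" + build) both come down to how that comparison is done. The following script, an added example and not Intune code, implements the comparison numerically and shows why a lexical string comparison of version strings gives the wrong answer once build numbers have different digit counts. The rule semantics (below minimum shows an upgrade link, above maximum asks the user to contact their IT admin) follow the text above; the sample version strings are constructed.

```python
"""Numeric evaluation of a reported OS version against the Minimum OS required and
Maximum OS version allowed rules. Added illustration, not Intune code."""
from typing import Optional, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse 'major.minor.build[.revision]' into integers; missing parts count as 0.
    Padding to four components keeps '10.0' and '10.0.0.0' equal under comparison."""
    parts = text.strip().split(".")
    if not parts or len(parts) > 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def evaluate_os_version(reported: str, minimum: Optional[str] = None,
                        maximum: Optional[str] = None) -> Tuple[bool, str]:
    """Apply both device property rules and return (compliant, resulting action)."""
    version = parse_version(reported)
    if minimum is not None and version < parse_version(minimum):
        return False, "noncompliant: below Minimum OS required, upgrade link shown"
    if maximum is not None and version > parse_version(maximum):
        return False, "noncompliant: above Maximum OS version allowed, contact IT admin"
    return True, "compliant"


def string_says_older(a: str, b: str) -> bool:
    """The pitfall: a lexical comparison of version strings. '10.0.9999' < '10.0.15063'
    is False as text because '9' sorts after '1', although build 9999 is the older one."""
    return a < b


if __name__ == "__main__":
    # Constructed samples: a Windows 10 build window and the Windows 8.1 quirk noted above.
    print(evaluate_os_version("10.0.15063", minimum="10.0.14393", maximum="10.0.16299"))
    print(evaluate_os_version("10.0.10240", minimum="10.0.14393"))
    print(evaluate_os_version("10.0.17134", maximum="10.0.16299"))
    print(evaluate_os_version("3", minimum="8.1"))   # Windows 8.1 PCs report version 3
    print("lexical:", string_says_older("10.0.9999", "10.0.15063"),
          "numeric:", parse_version("10.0.9999") < parse_version("10.0.15063"))
```

The last line of output is the one to remember when building compliance reports outside the portal: only the numeric comparison orders builds correctly, so any script that sorts or filters winver output as plain strings will misclassify devices.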