Add a device compliance policy for Windows devices in Intune

An Intune device compliance policy for Windows specifies the rules and settings that Windows devices must meet to be considered compliant. You can use these policies with conditional access to allow or block access to company resources. You can also get device reports and take actions for non-compliance. You create device compliance policies for each platform in the Intune Azure portal. To learn more about compliance policies, and any prerequisites, see Get started with device compliance.

The following table describes how noncompliant settings are managed when a compliance policy is used with a conditional access policy.


Policy setting                | Windows 8.1 and later                         | Windows Phone 8.1 and later
------------------------------|-----------------------------------------------|----------------------------
PIN or password configuration | Remediated                                    | Remediated
Device encryption             | Not applicable                                | Remediated
Jailbroken or rooted device   | Not applicable                                | Not applicable
Email profile                 | Not applicable                                | Not applicable
Minimum OS version            | Quarantined                                   | Quarantined
Maximum OS version            | Quarantined                                   | Quarantined
Windows health attestation    | Quarantined: Windows 10 and Windows 10 Mobile | Not applicable: Windows 8.1

Remediated = The device operating system enforces compliance. (For example, the user is forced to set a PIN.)

Quarantined = The device operating system does not enforce compliance. (For example, Android devices do not force the user to encrypt the device.) When the device is not compliant, the following actions take place:

  • The device is blocked if a conditional access policy applies to the user.
  • The company portal notifies the user about any compliance problems.

Create a device compliance policy

  1. Sign in to the Azure portal.
  2. Select All services, filter on Intune, and select Microsoft Intune.
  3. Select Device compliance > Policies > Create Policy.
  4. Enter a Name and Description.
  5. For Platform, select Windows Phone 8.1, Windows 8.1 and later, or Windows 10 and later.
  6. Choose Configure settings, and enter the Device Health, Device Properties, and System Security settings. When you're done, select OK, and Create.

Windows 8.1 devices policy settings

These policy settings apply to devices running the following platforms:

  • Windows Phone 8.1
  • Windows 8.1 and later

Device properties

  • Minimum OS required: When a device doesn't meet the minimum OS version requirement, it's reported as noncompliant. A link with information on how to upgrade is displayed. The end user can choose to upgrade their device, and then get access to company resources.
  • Maximum OS version allowed: When a device is using an OS version later than the version specified in the rule, access to company resources is blocked. The user is asked to contact their IT admin. Until there is a rule change to allow the OS version, this device can't access company resources.

Windows 8.1 PCs return a version of 3. If the OS version rule is set to Windows 8.1 for Windows, then the device is reported as noncompliant even if the device has Windows 8.1.

System security

Password

  • Require a password to unlock mobile devices: Require users to enter a password before they can access their device.

  • Simple passwords: Set to Block so users can't create simple passwords, such as 1234 or 1111. Set to Not configured to let users create passwords like 1234 or 1111.

  • Minimum password length: Enter the minimum number of digits or characters that the password must have.

    For devices that run Windows and are accessed with a Microsoft account, the compliance policy fails to evaluate correctly:

    • If minimum password length is greater than eight characters
    • Or, if minimum number of character sets is more than two
  • Password type: Choose if a password should have only Numeric characters, or if there should be a mix of numbers and other characters (Alphanumeric).

    • Number of non-alphanumeric characters in password: If Required password type is set to Alphanumeric, this setting specifies the minimum number of character sets that the password must contain. The four character sets are:

      • Lowercase letters
      • Uppercase letters
      • Symbols
      • Numbers

      Setting a higher number requires the user to create a password that is more complex. For devices that run Windows, and are accessed with a Microsoft account, the compliance policy fails to evaluate correctly if minimum password length is greater than eight characters, or if minimum number of character sets is more than two.

  • Maximum minutes of inactivity before password is required: Enter the idle time before the user must reenter their password.

  • Password expiration (days): Select the number of days before the password expires, and they must create a new one.

  • Number of previous passwords to prevent reuse: Enter the number of previously used passwords that cannot be used.

Encryption

  • Require encryption on mobile device: Require the device to be encrypted to connect to data storage resources.

Windows 10 and later policy settings

Device health

  • Require BitLocker: When BitLocker is on, the device can protect data stored on the drive from unauthorized access when the system is turned off, or goes to hibernation. Windows BitLocker Drive Encryption encrypts all data stored on the Windows operating system volume. BitLocker uses the TPM to help protect the Windows operating system and user data. It also helps to ensure that a computer is not tampered with, even if it's left unattended, lost, or stolen. If the computer is equipped with a compatible TPM, BitLocker uses the TPM to lock the encryption keys that protect the data. As a result, the keys cannot be accessed until the TPM has verified the state of the computer.
  • Require Secure Boot to be enabled on the device: When Secure Boot is enabled, the system is forced to boot to a factory trusted state. Also, when Secure Boot is enabled, the core components used to boot the machine must have correct cryptographic signatures that are trusted by the organization that manufactured the device. The UEFI firmware verifies the signature before it lets the machine start. If any files have been tampered with, breaking their signature, the system will not boot.
  • Require code integrity: Code integrity is a feature that validates the integrity of a driver or system file each time it's loaded into memory. Code integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software run by a user account with administrator privileges.

See Health Attestation CSP for details about how the HAS service works.

To set up Windows Defender ATP (Advanced Threat Protection) as your defense threat service, see Enable Windows Defender ATP with conditional access.

Device properties

  • Minimum OS version: Enter the minimum allowed version in the major.minor.build.CU number format. To get the correct value, open a command prompt, and type ver. The ver command returns the version in the following format:

    Microsoft Windows [Version 10.0.17134.1]

    When a device has an earlier version than the specified OS version, it is reported as noncompliant. A link with information on how to upgrade is displayed. The end user can choose to upgrade their device, after which they can access company resources.

  • Maximum OS version: Enter the maximum allowed version, in the major.minor.build.revision number format. To get the correct value, open a command prompt, and type ver. The ver command returns the version in the following format:

    Microsoft Windows [Version 10.0.17134.1]

    When a device is using an OS version later than the one specified in the rule, access to company resources is blocked and the user is asked to contact their IT admin. Until there is a change in the rule to allow the OS version, this device cannot be used to access company resources.

  • Minimum OS required for mobile devices: Enter the minimum allowed version, in the major.minor.build number format.

    When a device has an earlier version than the specified OS version, it is reported as noncompliant. A link with information on how to upgrade is displayed. The end user can choose to upgrade their device, after which they can access company resources.

  • Maximum OS required for mobile devices: Enter the maximum allowed version, in the major.minor.build number format.

    When a device is using an OS version later than the one specified in the rule, access to company resources is blocked and the user is asked to contact their IT admin. Until there is a change in the rule to allow the OS version, this device cannot be used to access company resources.

  • Valid operating system builds: Enter a range for the acceptable operating system versions, including a minimum and maximum. You can also Export a comma-separated values (CSV) file list of these acceptable OS build numbers.
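The following script is an added illustration, not part of the original article or of Intune itself: it parses the `ver` output shown above and applies the three OS-version rules described in this section (minimum, maximum, and valid build ranges) so you can see which rule a device trips and what the user would be told. The function names, the zero-padding of shorter version strings, and the action labels are assumptions made for this example.

```python
import re
from typing import Optional, Sequence, Tuple

Version = Tuple[int, ...]
# Matches the bracketed version in e.g. "Microsoft Windows [Version 10.0.17134.1]"
VER_RE = re.compile(r"\[Version (\d+(?:\.\d+)+)\]")


def parse_version(s: str) -> Version:
    """Parse a rule value such as '10.0.17134.1' (major.minor.build.revision)."""
    return tuple(int(part) for part in s.strip().split("."))


def parse_ver_output(text: str) -> Version:
    """Pull the version tuple out of what the Windows `ver` command prints."""
    m = VER_RE.search(text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return parse_version(m.group(1))


def _cmp(a: Version, b: Version) -> int:
    """Compare versions of different lengths by zero-padding the shorter one
    (assumption for this example), so '10.0.17134' equals '10.0.17134.0'."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def evaluate_os_version(device: Version, minimum: Optional[str] = None,
                        maximum: Optional[str] = None,
                        valid_builds: Sequence[Tuple[str, str]] = ()) -> Tuple[bool, str]:
    """Apply the page's OS-version rules and return (compliant, action).

    action mirrors what the page says happens: 'upgrade' when the device is
    older than the minimum (upgrade link shown), 'contact_admin' when it is
    newer than the maximum, 'outside_valid_builds' when no range matches.
    """
    if minimum is not None and _cmp(device, parse_version(minimum)) < 0:
        return False, "upgrade"
    if maximum is not None and _cmp(device, parse_version(maximum)) > 0:
        return False, "contact_admin"
    if valid_builds:
        in_range = any(_cmp(device, parse_version(lo)) >= 0
                       and _cmp(device, parse_version(hi)) <= 0
                       for lo, hi in valid_builds)
        if not in_range:
            return False, "outside_valid_builds"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample in the format the page shows for `ver`.
    device = parse_ver_output("Microsoft Windows [Version 10.0.17134.1]")
    print(evaluate_os_version(device, minimum="10.0.16299.0", maximum="10.0.17763.1"))
```

Note that a Windows 8.1 PC reports a version of 3 (see the Windows 8.1 section above), so a rule written against the 8.1 version string would classify such a device the way the page describes, not the way the number suggests.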

System security settings

Password

  • Require a password to unlock mobile devices: Require users to enter a password before they can access their device.

  • Simple passwords: Set to Block so users can't create simple passwords, such as 1234 or 1111. Set to Not configured to let users create passwords like 1234 or 1111.

  • Password type: Choose if a password should have only Numeric characters, or if there should be a mix of numbers and other characters (Alphanumeric).

    • Number of non-alphanumeric characters in password: If Required password type is set to Alphanumeric, this setting specifies the minimum number of character sets that the password must contain. The four character sets are:

      • Lowercase letters
      • Uppercase letters
      • Symbols
      • Numbers

      Setting a higher number requires the user to create a password that is more complex.

  • Minimum password length: Enter the minimum number of digits or characters that the password must have.

  • Maximum minutes of inactivity before password is required: Enter the idle time before the user must reenter their password.

  • Password expiration (days): Select the number of days before the password expires, and they must create a new one.

  • Number of previous passwords to prevent reuse: Enter the number of previously used passwords that cannot be used.

  • Require password when device returns from idle state (Mobile and Holographic): Force users to enter the password every time the device returns from an idle state.
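The following is an added example, not code from the article or from Intune: it models the password settings listed in both the Windows 8.1 and the Windows 10 sections (required password, simple-password block, minimum length, numeric vs. alphanumeric type, required number of the four character sets) and flags the Microsoft-account caveat the 8.1 section calls out. The PasswordPolicy fields and the "simple password" heuristic (all characters identical, or a digit run such as 1234) are assumptions for this example; the page only gives 1234 and 1111 as examples.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class PasswordPolicy:
    # Field names are assumed for this example; they mirror the page's settings.
    require_password: bool = True
    block_simple: bool = True
    minimum_length: int = 6
    password_type: str = "alphanumeric"   # "numeric" or "alphanumeric"
    required_char_sets: int = 2           # 1..4, used only for alphanumeric


def is_simple(pw: str) -> bool:
    """Assumed heuristic covering the page's examples 1111 (one repeated
    character) and 1234 (digits stepping by +1 or -1)."""
    if len(set(pw)) == 1:
        return True
    if pw.isdigit():
        digits = [int(c) for c in pw]
        steps = {b - a for a, b in zip(digits, digits[1:])}
        if steps in ({1}, {-1}):
            return True
    return False


def char_sets_present(pw: str) -> int:
    """Count how many of the four sets (lowercase, uppercase, symbols, numbers) appear."""
    count = sum(1 for test in (str.islower, str.isupper, str.isdigit)
                if any(test(c) for c in pw))
    if any(not c.isalnum() for c in pw):
        count += 1  # symbols
    return count


def evaluate_password(pw: str, policy: PasswordPolicy) -> List[str]:
    """Return the rules the password violates; an empty list means it satisfies the policy."""
    problems: List[str] = []
    if policy.require_password and not pw:
        return ["password required"]
    if len(pw) < policy.minimum_length:
        problems.append(f"shorter than minimum length {policy.minimum_length}")
    if policy.block_simple and is_simple(pw):
        problems.append("simple password blocked")
    if policy.password_type == "numeric":
        if not pw.isdigit():
            problems.append("numeric password required")
    else:
        n = char_sets_present(pw)
        if n < policy.required_char_sets:
            problems.append(f"only {n} of {policy.required_char_sets} required character sets")
    return problems


def microsoft_account_caveat(policy: PasswordPolicy) -> bool:
    """True when the page says evaluation fails on Windows devices signed in with a
    Microsoft account: minimum length above 8, or more than two required character sets."""
    return policy.minimum_length > 8 or policy.required_char_sets > 2
```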

Encryption

  • Encryption of data storage on a device: Choose Require to encrypt data storage on your devices.

Device Security

  • Antivirus: When set to Require, you can check compliance using antivirus solutions that are registered with Windows Security Center, such as Symantec and Windows Defender. When Not configured, Intune doesn't check for any AV solutions installed on the device.
  • AntiSpyware: When set to Require, you can check compliance using antispyware solutions that are registered with Windows Security Center, such as Symantec and Windows Defender. When Not configured, Intune doesn't check for any antispyware solutions installed on the device.

Windows Defender ATP

  • Require the device to be at or under the machine risk score: Use this setting to take the risk assessment from your defense threat services as a condition for compliance. Choose the maximum allowed threat level:
    • Clear: This option is the most secure, as the device can't have any threats. If the device is detected as having any level of threats, it is evaluated as noncompliant.
    • Low: The device is evaluated as compliant if only low-level threats are present. Anything higher puts the device in a noncompliant status.
    • Medium: The device is evaluated as compliant if existing threats on the device are low or medium level. If the device is detected to have high-level threats, it is determined to be noncompliant.
    • High: This option is the least secure, and allows all threat levels. It may be useful if you're using this solution only for reporting purposes.

Windows Holographic for Business

Windows Holographic for Business uses the Windows 10 and later platform. Windows Holographic for Business supports the following setting:

  • System Security > Encryption > Encryption of data storage on device.

To verify device encryption on the Microsoft HoloLens, see Verify device encryption.

Surface Hub

Surface Hub uses the Windows 10 and later platform. Surface Hubs are supported for both compliance and conditional access. To enable these features on Surface Hubs, we recommend you enable Windows 10 automatic enrollment in Intune (also requires Azure Active Directory (AAD)) and target the Surface Hub devices as device groups. Surface Hubs are required to be Azure Active Directory joined for compliance and conditional access to function.

See Set up enrollment for Windows devices for guidance.

Assign user or device groups

  1. Choose a policy that you've configured. Existing policies are in Device compliance > Policies.
  2. Choose the policy, and choose Assignments. You can include or exclude Azure AD security groups.
  3. Choose Selected groups to see your Azure AD security groups. Select the user or device groups you want this policy to apply to, and choose Save to deploy the policy.

You have applied the policy. The devices used by the users who are targeted by the policy are evaluated for compliance.

Next steps

Automate email and add actions for noncompliant devices
Monitor Intune device compliance policies