Endpoint protection settings for Windows 10 (and later) in Intune

The endpoint protection profile lets you control security features on Windows 10 devices, such as BitLocker and Windows Defender.

Use the information in this article to create endpoint protection profiles. To configure Windows Defender Antivirus, see Windows 10 device restrictions.

Windows Defender Application Guard

Supported on the following Windows 10 editions:

  • Enterprise
  • Professional

While using Microsoft Edge, Windows Defender Application Guard protects your environment from sites that your organization doesn't trust. When users visit sites that aren't listed in your isolated network boundary, the sites open in a Hyper-V virtual browsing session. Trusted sites are defined by a network boundary, which you configure in Device Configuration.

Application Guard is only available on 64-bit Windows 10 devices. Using this profile installs a Win32 component that activates Application Guard.

  • Application Guard: Enable turns on this feature, which opens unapproved sites in a Hyper-V virtualized browsing container. Not configured (default) means that any site (approved and unapproved) opens directly on the device.
  • Clipboard behavior: Choose which copy/paste actions are allowed between the local PC and the Application Guard virtual browser.
  • External content on enterprise sites: Block stops content from unapproved websites from loading on enterprise sites. Not configured (default) means that non-enterprise content can load on the device.
  • Print from virtual browser: Allow lets users print content from the virtual browser to PDF, XPS, local, and/or network printers. Not configured (default) disables all print features.
  • Collect logs: Allow collects logs for events that occur within an Application Guard browsing session. Not configured (default) doesn't collect any logs from the browsing session.
  • Retain user-generated browser data: Allow saves user data (such as passwords, favorites, and cookies) created during an Application Guard virtual browsing session. Not configured (default) discards user-downloaded files and data when the device restarts or the user signs out.
  • Graphics acceleration: Enable loads graphics-intensive websites and video faster by giving the container access to a virtual graphics processing unit. Not configured (default) uses the device's CPU for graphics; it doesn't use the virtual GPU.
  • Download files to host file system: Enable lets users download files from the virtualized browser onto the host operating system. Not configured (default) keeps downloaded files inside the container and doesn't copy them to the host file system.

Windows Defender Firewall

Supported on the following Windows 10 editions:

  • Home
  • Professional
  • Business
  • Enterprise
  • Education
  • Mobile
  • Mobile Enterprise

Global settings

These settings apply to all network types.

  • File Transfer Protocol: Block disables stateful FTP. When Not configured (default), the firewall does stateful FTP filtering to allow secondary connections.
  • Security association idle time before deletion: Security associations are deleted after no network traffic is detected for n seconds. Enter the idle time in seconds.
  • Pre-shared key encoding: Enable encodes pre-shared keys using UTF-8. Not configured (default) uses the local store value.
  • IPsec exemptions: Configure specific traffic to be exempt from IPsec, including:
    • Neighbor discovery IPv6 ICMP type-codes
    • ICMP
    • Router discovery IPv6 ICMP type-codes
    • Both IPv4 and IPv6 DHCP network traffic
  • Certificate revocation list verification: Determine how certificate revocation list (CRL) verification is enforced. Choose from Disable CRL verification, Fail CRL verification on revoked certificate only, and Fail CRL verification on any error encountered.
  • Opportunistically match authentication set per keying module: Enable so that keying modules ignore only the authentication suites they don't support. When Not configured, a keying module ignores the entire authentication set if it doesn't support every authentication suite specified in that set.
  • Packet queuing: Specify how receive-side software scaling is enabled for encrypted receive and clear-text forward in the IPsec tunnel gateway scenario. This setting ensures that packet order is preserved.

Network settings

These settings apply to specific network types: Domain (workplace) network, Private (discoverable) network, and Public (non-discoverable) network.

General settings

  • Windows Defender Firewall: Enable turns on the firewall and advanced security. Not configured (default) allows all network traffic, regardless of any other policy settings.
  • Stealth mode: Block stops the firewall from operating in stealth mode. Blocking stealth mode also lets you block the IPsec secured packet exemption. Not configured (default) runs the firewall in stealth mode, which helps prevent responses to probing requests.
  • Shielded: Block turns this feature off. Not configured (default) enables it. When this setting and the Windows Defender Firewall are both on, all incoming traffic is blocked, regardless of any other policy settings.
  • Unicast responses to multicast broadcasts: Block disables unicast responses to multicast and broadcast messages. Typically, you don't want to receive such unicast responses: they can indicate a denial of service (DoS) attack, or an attacker probing a known live computer. Not configured (default) enables this setting.
  • Inbound notifications: Block hides the notification shown to users when an app is blocked from listening on a port. Not configured (default) enables this setting, and a notification may be shown to users when an app is blocked from listening on a port.
  • Default action for inbound connections: Block makes the firewall block inbound connections that don't match an allow rule. Not configured (default) leaves the firewall's default inbound action unchanged.

Rule merging

  • Authorized application Windows Defender Firewall rules from the local store: Enable applies the authorized-application firewall rules in the local store, so they are recognized and enforced. When Not configured (default), the authorized-application firewall rules in the local store are ignored and not enforced.
  • Global port Windows Defender Firewall rules from the local store: Enable applies the global port firewall rules in the local store, so they are recognized and enforced. When Not configured (default), the global port firewall rules in the local store are ignored and not enforced.
  • Windows Defender Firewall rules from the local store: Enable applies the firewall rules in the local store, so they are recognized and enforced. When Not configured (default), the firewall rules in the local store are ignored and not enforced.
  • IPsec rules from the local store: Enable applies the connection security rules from the local store, regardless of schema or connection security rule version. When Not configured (default), the connection security rules from the local store are ignored and not enforced, regardless of schema version and connection security rule version.
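The network settings and rule-merging options above map onto per-profile properties that you can read back on the endpoint. The following PowerShell, an added example that is not from the original page or from Intune, uses the built-in NetSecurity module (Get-NetFirewallProfile) to compare each profile against a hardened baseline; the expected values in the table are this example's own assumptions about a sensible baseline, not defaults stated by the page.

```powershell
# Added example: audit the per-profile firewall settings that the Intune
# "Network settings" and "Rule merging" options control, using the built-in
# NetSecurity module. Run in an elevated PowerShell session on the endpoint.
# The "expected" values below are this example's assumed hardened baseline,
# not values taken from the Intune page.

$expected = @{
    Enabled                         = 'True'    # Windows Defender Firewall: Enable
    DefaultInboundAction            = 'Block'   # Default action for inbound connections: Block
    AllowUnicastResponseToMulticast = 'False'   # Unicast responses to multicast broadcasts: Block
    NotifyOnListen                  = 'False'   # Inbound notifications: Block
    AllowLocalFirewallRules         = 'False'   # Firewall rules from the local store: ignored
    AllowLocalIPsecRules            = 'False'   # IPsec rules from the local store: ignored
    EnableStealthModeForIPsec       = 'True'    # Stealth mode: Not configured (stealth stays on)
}

function Test-FirewallProfileBaseline {
    param([string[]]$Profiles = @('Domain', 'Private', 'Public'))

    foreach ($p in Get-NetFirewallProfile -Name $Profiles) {
        foreach ($setting in $expected.GetEnumerator()) {
            # Property values are enums (GpoBoolean / Action); compare as strings.
            $actual = [string]$p.($setting.Key)
            [pscustomobject]@{
                Profile  = $p.Name
                Setting  = $setting.Key
                Expected = $setting.Value
                Actual   = $actual
                Match    = ($actual -eq $setting.Value)
            }
        }
    }
}

# Show only the deviations from the baseline.
Test-FirewallProfileBaseline | Where-Object { -not $_.Match } | Format-Table -AutoSize
```

A value of NotConfigured in the Actual column means no policy has set that property and the profile is using its built-in default, which is exactly the state the Intune "Not configured" options leave the device in.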

Windows Defender SmartScreen settings

Supported on the following Windows 10 editions with Edge installed:

  • Home
  • Professional
  • Business
  • Enterprise
  • Education
  • Mobile
  • Mobile Enterprise

Settings:

  • SmartScreen for apps and files: Enable turns on Windows SmartScreen for file execution and for running apps. SmartScreen is a cloud-based anti-phishing and anti-malware component. Not configured (default) disables SmartScreen.
  • Unverified files execution: Block prevents end users from running files that Windows SmartScreen hasn't verified. Not configured (default) disables this feature and lets end users run unverified files.

Windows Encryption

Windows Settings

Supported on the following Windows 10 editions:

  • Professional
  • Business
  • Enterprise
  • Education
  • Mobile
  • Mobile Enterprise

Settings:

  • Encrypt devices: Require prompts users to enable device encryption. Depending on the Windows edition and system configuration, users may be asked:
    • To confirm that encryption from another provider isn't enabled

    • To turn off BitLocker Drive Encryption, and then turn BitLocker back on

      If Windows encryption is turned on while another encryption method is active, the device might become unstable.

  • Encrypt storage card (mobile only): Require encrypts any removable storage cards used by the device. Not configured (default) doesn't require storage card encryption and doesn't prompt the user to turn it on. This setting applies only to Windows 10 Mobile devices.

BitLocker base settings

Supported on the following Windows 10 editions:

  • Enterprise
  • Education
  • Mobile
  • Mobile Enterprise

Base settings are universal BitLocker settings that apply to all types of data drives. They manage which drive-encryption tasks or configuration options the end user can modify across all drive types.

  • Warning for other disk encryption: Block disables the warning prompt shown when another disk encryption service is on the device. Not configured (default) allows the warning to be shown.
  • Configure encryption methods: Enable this setting to choose the encryption algorithms for operating system, fixed data, and removable drives. When Not configured (default), BitLocker uses XTS-AES 128-bit as the default encryption method, or the method specified by any setup script.
    • Encryption for operating system drives: Choose the encryption method for operating system drives. We recommend the XTS-AES algorithm.
    • Encryption for fixed data-drives: Choose the encryption method for fixed (built-in) data drives. We recommend the XTS-AES algorithm.
    • Encryption for removable data-drives: Choose the encryption method for removable data drives. If the removable drive will be used with devices that aren't running Windows 10, we recommend the AES-CBC algorithm, because older Windows versions can't read XTS-AES volumes.

BitLocker OS drive settings

Supported on the following Windows 10 editions:

  • Enterprise
  • Education
  • Mobile
  • Mobile Enterprise

These settings apply specifically to operating system drives.

  • Additional authentication at startup: Require configures the authentication requirements for computer startup, including use of the Trusted Platform Module (TPM). Not configured (default) configures only the basic options on devices with a TPM.
    • BitLocker with non-compatible TPM chip: Block disables BitLocker on devices that don't have a compatible TPM chip. When Not configured, users can use BitLocker without a compatible TPM chip; BitLocker may then require a password or a startup key.
    • Compatible TPM startup: Choose to allow, not allow, or require the TPM chip.
    • Compatible TPM startup PIN: Choose to allow, not allow, or require a startup PIN with the TPM chip. A startup PIN requires interaction from the end user at every boot.
    • Compatible TPM startup key: Choose to allow, not allow, or require a startup key with the TPM chip. A startup key requires interaction from the end user at every boot.
    • Compatible TPM startup key and PIN: Choose to allow, not allow, or require a startup key and PIN with the TPM chip. A startup key and PIN require interaction from the end user at every boot.
  • Minimum PIN length: Enable this setting to set a minimum length for the TPM startup PIN. When Not configured (default), users can set a startup PIN of any length between 6 and 20 digits.
    • Minimum characters: Enter the number of characters required for the startup PIN (4-20).
  • OS drive recovery: Enable this setting to control how BitLocker-protected operating system drives are recovered when the required startup information isn't available. When Not configured (default), the default recovery options apply: a data recovery agent (DRA) is allowed, the user chooses the recovery options (including the recovery password and recovery key), and recovery information isn't backed up to AD DS.
    • Certificate-based data recovery agent: Block prevents a data recovery agent from being used with BitLocker-protected OS drives. Not configured (default) enables this setting, which allows data recovery agents to be used with BitLocker-protected operating system drives.
    • User creation of recovery password: Choose whether users are allowed, required, or not allowed to generate a 48-digit recovery password.
    • User creation of recovery key: Choose whether users are allowed, required, or not allowed to generate a 256-bit recovery key.
    • Recovery options in the BitLocker setup wizard: Block hides the recovery options so users can't see or change them. When Not configured (default), users can see and change the recovery options when they turn on BitLocker.
    • Save BitLocker recovery information to AD DS: Enable stores the BitLocker recovery information in Azure Active Directory (Azure AD). When Not configured (default), the recovery information isn't stored in Azure AD.
    • BitLocker recovery information stored to AD DS: Configure which parts of the BitLocker recovery information are stored in Azure AD. Choose from:
      • Backup recovery passwords and key packages
      • Backup recovery passwords only
    • Store recovery information in AD DS before enabling BitLocker: Require stops users from turning on BitLocker unless the BitLocker recovery information is successfully stored in Azure Active Directory. Not configured (default) lets users turn on BitLocker even if the recovery information isn't successfully stored in Azure Active Directory.
  • Pre-boot recovery message and URL: Enable this setting to configure the message and URL displayed on the pre-boot key recovery screen. Not configured (default) disables this feature.
    • Pre-boot recovery message: Configure how the pre-boot recovery message is displayed to users. Choose from:
      • Use default recovery message and URL
      • Use empty recovery message and URL
      • Use custom recovery message
      • Use custom recovery URL
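Once the encryption-method and OS-drive policies above have applied, the state they produce is visible through the built-in BitLocker module. The following PowerShell, an added example that is not from the original page or from Intune, reports whether the OS drive uses XTS-AES, has a TPM+PIN protector and a recovery password, and escrows the recovery password to Azure AD with BackupToAAD-BitLockerKeyProtector (the cmdlet behind "Save BitLocker recovery information to AD DS"). The baseline it checks against is this example's own assumption; the device must be Azure AD joined or hybrid joined for the escrow step to succeed.

```powershell
# Added example: verify that the OS drive matches a BitLocker baseline
# (XTS-AES, TPM+PIN protector, a recovery password) and escrow the recovery
# password to Azure AD, using the built-in BitLocker module. Run elevated.
# The baseline values are this example's assumptions, not Intune defaults.

function Get-OsDriveBitLockerReport {
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $protectorTypes = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })

    [pscustomobject]@{
        MountPoint          = $vol.MountPoint
        ProtectionStatus    = $vol.ProtectionStatus            # On / Off
        EncryptionMethod    = $vol.EncryptionMethod            # e.g. XtsAes128, XtsAes256, Aes256 (CBC)
        HasTpmPin           = ($protectorTypes -contains 'TpmPin')
        HasRecoveryPassword = ($protectorTypes -contains 'RecoveryPassword')
        UsesXts             = ([string]$vol.EncryptionMethod -like 'XtsAes*')
    }
}

function Backup-OsDriveRecoveryPasswordToAzureAd {
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $rp  = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($rp.Count -eq 0) {
        # Equivalent of "User creation of recovery password: Require": add one if missing.
        Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector | Out-Null
        $rp = @((Get-BitLockerVolume -MountPoint $env:SystemDrive).KeyProtector |
                Where-Object KeyProtectorType -eq 'RecoveryPassword')
    }
    foreach ($protector in $rp) {
        # Escrow to Azure AD; requires an Azure AD joined or hybrid joined device.
        BackupToAAD-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $protector.KeyProtectorId
    }
}

$report = Get-OsDriveBitLockerReport
$report | Format-List

if ($report.ProtectionStatus -eq 'On') {
    if (-not $report.UsesXts)   { Write-Warning 'OS drive is not using XTS-AES; re-encryption is needed to change the method.' }
    if (-not $report.HasTpmPin) { Write-Warning 'OS drive has no TPM+PIN protector; pre-boot authentication is TPM-only.' }
    Backup-OsDriveRecoveryPasswordToAzureAd
}
```

Changing the encryption method on an already encrypted drive requires decrypting and re-encrypting it, which is why the "Configure encryption methods" policy only affects drives encrypted after it applies; the report above makes that gap visible.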

BitLocker fixed data-drive settings

Supported on the following Windows 10 editions:

  • Enterprise
  • Education
  • Mobile
  • Mobile Enterprise

Settings:

  • Write access to fixed data-drive not protected by BitLocker: Block gives read-only access to fixed data drives that aren't BitLocker-protected. When Not configured (default), users have read and write access to fixed data drives that aren't BitLocker-protected.
  • Fixed drive recovery: Enable this setting to control how BitLocker-protected fixed drives are recovered when the required startup information isn't available. Not configured (default) disables this feature.
    • Data recovery agent: Block prevents a data recovery agent from being used with BitLocker-protected fixed drives. Not configured (default) allows data recovery agents to be used with BitLocker-protected fixed drives.
    • User creation of recovery password: Configure whether users are allowed, required, or not allowed to generate a 48-digit recovery password.
    • User creation of recovery key: Configure whether users are allowed, required, or not allowed to generate a 256-bit recovery key.
    • Recovery options in the BitLocker setup wizard: Block hides the recovery options so users can't see or change them. When Not configured (default), users can see and change the recovery options when they turn on BitLocker.
    • Save BitLocker recovery information to AD DS: Enable stores the BitLocker recovery information in Azure Active Directory (Azure AD). When Not configured (default), the recovery information isn't stored in Azure AD.
    • BitLocker recovery information to AD DS: Configure which parts of the BitLocker recovery information are stored in Azure Active Directory. Choose from:
      • Backup recovery passwords and key packages
      • Backup recovery passwords only
    • Store recovery information in AD DS before enabling BitLocker: Require stops users from turning on BitLocker unless the BitLocker recovery information is successfully stored in Azure Active Directory. Not configured (default) lets users turn on BitLocker even if the recovery information isn't successfully stored in Azure Active Directory.

BitLocker removable data-drive settings

Supported on the following Windows 10 editions:

  • Enterprise
  • Education
  • Mobile
  • Mobile Enterprise

Settings:

  • Write access to removable data-drive not protected by BitLocker: Block gives read-only access to removable data drives that aren't BitLocker-protected. When Not configured (default), users have read and write access to removable data drives that aren't BitLocker-protected.
    • Write access to devices configured in another organization: Block denies write access to BitLocker-protected removable drives whose identification fields don't match this organization's. Not configured (default) allows write access to them.

Windows Defender Exploit Guard

Supported on the following Windows 10 editions:

  • Home
  • Professional
  • Business
  • Enterprise
  • Education
  • Mobile
  • Mobile Enterprise

Use Windows Defender Exploit Guard to manage and reduce the attack surface of the apps your employees use.

Attack Surface Reduction

Rules to prevent Office macro threats

Block Office apps from taking the following actions:

  • Office apps injecting into other processes (no exceptions)
  • Office apps/macros creating executable content
  • Office apps launching child processes
  • Win32 imports from Office macro code

Rules to prevent script threats

Block the following to help prevent script threats:

  • Obfuscated js/vbs/ps/macro code
  • js/vbs executing payload downloaded from the Internet (no exceptions)
  • Process creation from PSExec and WMI commands
  • Untrusted and unsigned processes that run from USB
  • Executables that don't meet a prevalence, age, or trusted-list criterion

Rules to prevent email threats

Block the following to help prevent email threats:

  • Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions)

Rules to protect against ransomware

  • Advanced ransomware protection

Tip

Reduce attack surfaces with Windows Defender Exploit Guard provides more details on these rules.

Attack Surface Reduction exceptions

  • Files and folders to exclude from attack surface reduction rules: Import or add a list of locations to exclude from the configured rules.

Controlled folder access

Help protect valuable data from malicious apps and threats, such as ransomware.

  • Folder protection: Protect files and folders from unwanted changes by malicious apps. You can import a list of apps that have access to protected folders, or add them manually. You can also add a list of additional folders that need to be protected, by uploading a list or adding them manually.

Network filtering

Block outbound connections from any app to low-reputation IP addresses and domains.
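The attack surface reduction rules, exclusions, controlled folder access, and network filtering settings above can be applied and read back locally with the Defender module, which is useful for piloting a baseline in audit mode before assigning the Intune profile. The following PowerShell is an added example, not from the original page or from Intune; the rule GUIDs are the documented Windows Defender ASR rule identifiers for the rules the page lists, while the exclusion, folder and application paths are this example's assumptions.

```powershell
# Added example: apply the Exploit Guard settings on this page locally with the
# Defender module, then read back the effective state. Run elevated. The rule
# GUIDs are the documented Windows Defender ASR rule IDs; the folder and app
# paths are this example's assumptions.

$asrRules = @{
    # Rules to prevent Office macro threats
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Office apps injecting into other processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Office apps/macros creating executable content'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Office apps launching child processes'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Win32 imports from Office macro code'
    # Rules to prevent script threats
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Obfuscated js/vbs/ps/macro code'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'js/vbs executing payload downloaded from Internet'
    'D1E49AAC-8F56-4280-B9BA-993A6D77406C' = 'Process creation from PSExec and WMI commands'
    'B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4' = 'Untrusted and unsigned processes that run from USB'
    '01443614-CD74-433A-B99E-2ECDC07BFC25' = 'Executables failing prevalence, age, or trusted-list criteria'
    # Rules to prevent email threats
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Executable content dropped from email'
    # Rules to protect against ransomware
    'C1DB55AB-C21A-4637-BB3F-A12568109D35' = 'Advanced ransomware protection'
}

function Set-ExploitGuardBaseline {
    param([ValidateSet('Enabled', 'AuditMode')] [string]$Mode = 'AuditMode')

    # Start in AuditMode, review the Defender operational log, then switch to Enabled.
    foreach ($id in $asrRules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Mode
    }

    # Attack Surface Reduction exceptions (assumed path).
    Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Tools\LegacyMacros\'

    # Controlled folder access, plus an extra protected folder and an allowed app (assumed paths).
    Set-MpPreference -EnableControlledFolderAccess $Mode
    Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance'
    Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\Contoso\Ledger.exe'

    # Network filtering: block outbound connections to low-reputation hosts.
    Set-MpPreference -EnableNetworkProtection $Mode
}

function Get-ExploitGuardState {
    $pref  = Get-MpPreference
    $rules = for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id = $pref.AttackSurfaceReductionRules_Ids[$i]
        [pscustomobject]@{
            RuleId = $id
            Name   = $asrRules[$id]          # hashtable keys are case-insensitive
            Action = switch ([int]$pref.AttackSurfaceReductionRules_Actions[$i]) {
                         0 { 'Disabled' } 1 { 'Enabled' } 2 { 'AuditMode' } default { 'Unknown' }
                     }
        }
    }
    [pscustomobject]@{
        AsrRules               = $rules
        ControlledFolderAccess = $pref.EnableControlledFolderAccess   # 0 Disabled, 1 Enabled, 2 AuditMode
        NetworkProtection      = $pref.EnableNetworkProtection        # 0 Disabled, 1 Enabled, 2 AuditMode
    }
}

Set-ExploitGuardBaseline -Mode AuditMode
(Get-ExploitGuardState).AsrRules | Format-Table -AutoSize
```

Audit-mode hits are written to the Microsoft-Windows-Windows Defender/Operational event log (event ID 1122 for ASR, 1124 for controlled folder access), which is where you look for line-of-business apps that would break before switching the mode to Enabled.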

Exploit protection

To enable exploit protection, create an XML file that includes the system and application mitigation settings you want. There are two methods:

  1. PowerShell: Use one or more of the Get-ProcessMitigation, Set-ProcessMitigation, and ConvertTo-ProcessMitigationPolicy PowerShell cmdlets. The cmdlets configure mitigation settings and export an XML representation of them.

  2. Windows Defender Security Center UI: In Windows Defender Security Center, select App & browser control, then scroll to the bottom of the resulting screen to find Exploit protection. First, use the System settings and Program settings tabs to configure the mitigations. Then use the Export settings link at the bottom of the screen to export an XML representation of them.
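The PowerShell method above, worked through end to end as an added example that is not from the original page or from Intune: it sets system-wide and per-process mitigations with Set-ProcessMitigation, exports the resulting configuration as XML with Get-ProcessMitigation -RegistryConfigFilePath, and parses the file so you can review exactly what Intune will push before uploading it. The process names, mitigation choices and output path are this example's assumptions; the mitigation names are the cmdlet's documented values.

```powershell
# Added example: build an exploit protection XML with the ProcessMitigations
# cmdlets and inspect it before uploading to Intune. Run elevated. The process
# names, mitigation choices and output path are this example's assumptions.

$xmlPath = Join-Path $env:TEMP 'ExploitProtection.xml'

# 1. System-wide defaults (apply to any process without its own entry).
Set-ProcessMitigation -System -Enable DEP, BottomUp, HighEntropy, CFG

# 2. Per-process mitigations for commonly abused binaries.
Set-ProcessMitigation -Name winword.exe   -Enable DEP, CFG, DisableWin32kSystemCalls
Set-ProcessMitigation -Name powershell.exe -Enable DEP, CFG

# 3. Export the effective registry configuration as the XML Intune expects.
Get-ProcessMitigation -RegistryConfigFilePath $xmlPath

# 4. Read the XML back so the upload can be reviewed, not trusted blindly.
function Get-MitigationSummary {
    param([string]$Path)
    [xml]$doc = Get-Content -Path $Path -Raw
    foreach ($app in $doc.MitigationPolicy.AppConfig) {
        $names = $app.ChildNodes |
                 Where-Object { $_.NodeType -eq 'Element' } |
                 ForEach-Object { $_.Name }
        [pscustomobject]@{
            Executable  = $app.Executable
            Mitigations = ($names -join ', ')
        }
    }
}
Get-MitigationSummary -Path $xmlPath | Format-Table -AutoSize

# To apply a reviewed XML directly on another device (what the Intune profile does for you):
# Set-ProcessMitigation -PolicyFilePath $xmlPath
```

Reviewing the exported file matters because Get-ProcessMitigation -RegistryConfigFilePath captures every per-process entry already present in the registry, including ones set earlier by other tools, not just the ones you configured in this session.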

  • Upload XML: Upload an XML file that configures the memory, control-flow, and policy restrictions. The settings in the XML file are used to protect applications from exploits. Not configured (default) doesn't push out a custom configuration.
  • User editing of the exploit protection interface: Block prevents users from changing the exploit protection settings in the Windows Defender Security Center interface.

Windows Defender Application Control

Supported on the following Windows 10 editions:

Mobile Device Management (MDM):

  • Professional
  • Business
  • Enterprise
  • Education
  • Mobile
  • Mobile Enterprise

Group policy management:

  • Enterprise

Use Application Control code integrity policies to choose additional apps that are audited, or trusted to run, by Windows Defender Application Control. Windows components and all apps from the Windows Store are automatically trusted to run.

Applications aren't blocked when running in audit-only mode. Audit-only mode logs all events in the local client logs.

Once enabled, Application Control can only be disabled by changing the mode from Enforce to Audit only. Changing the mode from Enforce to Not configured results in Application Control continuing to be enforced on the assigned devices.

Windows Defender Credential Guard

Supported on the following Windows 10 editions:

  • Enterprise

Windows Defender Credential Guard protects against credential theft attacks. It isolates secrets so that only privileged system software can access them.

The Credential Guard settings include:

  • Disable: Turns off Credential Guard remotely, if it was previously turned on with the Enable without UEFI lock option.

  • Enable with UEFI lock: Credential Guard can't be disabled remotely by using a registry key or Group Policy.

    Note

    If you use this setting and later want to disable Credential Guard, you must set the Group Policy to Disabled and physically clear the UEFI configuration information from each computer. As long as the UEFI configuration persists, Credential Guard stays enabled.

  • Enable without UEFI lock: Allows Credential Guard to be disabled remotely by using Group Policy. Devices that use this setting must be running Windows 10 version 1511 or newer.

When you enable Credential Guard, the following required features are also enabled:

  • Virtualization-based Security (VBS): Turns on during the next reboot. Virtualization-based security uses the Windows Hypervisor to provide support for security services.
  • Secure Boot with Direct Memory Access: Turns on VBS with Secure Boot and direct memory access (DMA) protections. DMA protections require hardware support and are only enabled on correctly configured devices.
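Because Credential Guard only becomes active after a reboot and only when the VBS prerequisites are met, "configured" and "running" can differ for a long time. The following PowerShell, an added example that is not from the original page or from Intune, reads the Win32_DeviceGuard WMI class to report both states along with the VBS status and required platform properties, and reads the LsaCfgFlags registry value that records whether Credential Guard was enabled with or without the UEFI lock. The numeric codes are the documented values for that class and value; no device names or policy values are assumed.

```powershell
# Added example: check from an endpoint whether VBS and Credential Guard are
# configured and actually running, and whether the UEFI lock is set.
# The numeric codes are the documented values for Win32_DeviceGuard and for
# the Lsa\LsaCfgFlags registry value; nothing else is assumed.

function Get-CredentialGuardStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'

    # SecurityServicesConfigured / SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI.
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = configured, 2 = running.
    # RequiredSecurityProperties: 1 = base VBS, 2 = Secure Boot, 3 = DMA protection,
    #   4 = Secure MOR, 5 = HVCI, 6 = mode-based execution control.
    # LsaCfgFlags: 0 = disabled, 1 = enabled with UEFI lock, 2 = enabled without UEFI lock.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'LsaCfgFlags' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        VbsStatus                 = switch ([int]$dg.VirtualizationBasedSecurityStatus) { 0 { 'Off' } 1 { 'Configured' } 2 { 'Running' } default { 'Unknown' } }
        CredentialGuardConfigured = ($dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning    = ($dg.SecurityServicesRunning -contains 1)
        UefiLockMode              = switch ([int]$lsa.LsaCfgFlags) { 1 { 'Enabled with UEFI lock' } 2 { 'Enabled without UEFI lock' } default { 'Disabled or not set' } }
        SecureBootRequired        = ($dg.RequiredSecurityProperties -contains 2)
        DmaProtectionRequired     = ($dg.RequiredSecurityProperties -contains 3)
        AvailableProperties       = ($dg.AvailableSecurityProperties -join ',')
    }
}

$status = Get-CredentialGuardStatus
$status | Format-List

if ($status.CredentialGuardConfigured -and -not $status.CredentialGuardRunning) {
    Write-Warning 'Credential Guard is configured but not running: a pending reboot or a missing prerequisite (Secure Boot, IOMMU/DMA protection) is the usual cause.'
}
if ($status.UefiLockMode -eq 'Enabled with UEFI lock') {
    Write-Warning 'UEFI lock is set: changing the policy alone will not disable Credential Guard; the UEFI variable must be cleared on the device.'
}
```

When AvailableProperties lacks a code that appears in RequiredSecurityProperties, the hardware can't satisfy the policy and VBS will stay at Configured rather than Running.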

Windows Defender 資訊安全中心Windows Defender Security Center

支援下列 Windows 10 版本:Supported on the following Windows 10 editions:

  • 首頁Home
  • ProfessionalProfessional
  • 商務Business
  • 企業Enterprise
  • 教育Education
  • 行動電話Mobile
  • 行動裝置企業版Mobile Enterprise

Windows Defender 資訊安全中心是以個別的應用程式或各個功能的處理序運行。Windows Defender Security Center operates as a separate app or process from each of the individual features. 它會透過重要訊息中心顯示通知。It displays notifications through the Action Center. 它充當收集器,或查看狀態及執行每項功能一些設定的單一位置。It acts as a collector or single place to see the status and perform some configuration for each of the features. 詳細資訊請參閱 Windows Defender 文件。Find out more in the Windows Defender docs.

Windows Defender Security Center app and notifications

Block end-user access to the various areas of the Windows Defender Security Center app. Hiding a section also blocks related notifications.

  • Virus and threat protection
  • Device performance and health
  • Firewall and network protection
  • App and browser control
  • Family options
  • Notifications from the displayed areas of the app: Choose which notifications to display to end users. Non-critical notifications include summaries of Windows Defender Antivirus activity, including notifications when scans have completed. All other notifications are considered critical.

IT contact information

Provide IT contact information to appear in the Windows Defender Security Center app and the app notifications. You can choose to Display in app and in notifications, Display only in app, Display only in notifications, or Don't display. Enter the IT organization name, and at least one of the following contact options:

  • IT department phone number or Skype ID
  • IT department email address
  • IT support website URL

Local device security options

Supported on the following Windows 10 editions:

  • Home
  • Professional
  • Business
  • Enterprise
  • Education

Use these options to configure the local security settings on Windows 10 devices.

Accounts

  • Add new Microsoft accounts: Set to Block to prevent users from adding new Microsoft accounts to the device. When set to Not configured (default), users can use Microsoft accounts on the device.
  • Remote log on without password: Enable allows local accounts with blank passwords to sign in using the device's keyboard. Not configured (default) allows local accounts with blank passwords to sign in from locations other than the physical device.

Admin

  • Local admin account: Set to Enabled to allow the local administrator account. Set to Not configured (default) to disable the local administrator account.
  • Rename admin account: Define a different account name to be associated with the security identifier (SID) for the Administrator account.

Guest

  • Guest account: Set to Enabled to allow the local guest account. Set to Not configured (default) to disable the local guest account.
  • Rename guest account: Define a different account name to be associated with the security identifier (SID) for the Guest account.

Devices

  • Undock device without logon: Set to Block so users can press a docked portable device's physical eject button to safely undock the device. Not configured (default) requires the user to sign in to the device and receive permission to undock the device.
  • Install printer drivers for shared printers: When Enabled, any user can install a printer driver as part of connecting to a shared printer. When Not configured (default), only Administrators can install a printer driver as part of connecting to a shared printer.
  • Restrict CD-ROM access to local active user: When Enabled, only the interactively logged-on user can use the CD-ROM media. If this policy is enabled and no one is logged on interactively, the CD-ROM can be accessed over the network. When Not configured (default), anyone has access to the CD-ROM.
  • Format and eject removable media: Define who is allowed to format and eject removable NTFS media:
    • Not configured
    • Administrators
    • Administrators and Power Users
    • Administrators and Interactive Users

Interactive Logon

  • Minutes of lock screen inactivity until screen saver activates: Enter the maximum minutes of inactivity on the interactive desktop's login screen until the screen saver runs.

  • Require CTRL+ALT+DEL to log on: Set to Enable so pressing CTRL+ALT+DEL isn't required for users to sign in. Set to Not configured (default) to require users to press CTRL+ALT+DEL before logging on to Windows.

  • Smart card removal behavior: Determines what happens when the smart card for a logged-on user is removed from the smart card reader. Your options:

    • Lock Workstation: The workstation is locked when the smart card is removed. This option allows users to leave the area, take their smart card with them, and still maintain a protected session.

    • Force Logoff: The user is automatically logged off when the smart card is removed.

    • Disconnect if a Remote Desktop Services session: Removal of the smart card disconnects the session without logging off the user. This option allows the user to insert the smart card and resume the session later, or at another smart card reader-equipped computer, without having to sign in again. If the session is local, this policy functions identically to Lock Workstation.

      LocalPoliciesSecurity options provides more details.

Display

  • User information on lock screen: Configure the user information that is displayed when the session is locked. If not configured, the user display name, domain, and username are shown.
    • Not configured
    • User display name, domain, and user name
    • User display name only
    • Do not display user information
  • Hide last signed-in user: Enable hides the username. Not configured (default) shows the username.
  • Hide username at sign-in: Enable hides the username. Not configured (default) shows the username.
  • Logon message title: Set the message title for users signing in.
  • Logon message text: Set the message text for users signing in.

Network access and security

  • Anonymous access to Named Pipes and Shares: Not configured (default) restricts anonymous access to share and Named Pipe settings. Applies to the settings that can be accessed anonymously.
  • Anonymous enumeration of SAM accounts: Allow anonymous users to enumerate the SAM accounts. Windows allows anonymous users to enumerate the names of domain accounts and network shares.
  • Anonymous enumeration of SAM accounts and shares: Not configured (default) means anonymous users can enumerate the names of domain accounts and network shares. To prevent anonymous enumeration of SAM accounts and shares, set to Block.
  • LAN Manager hash value stored on password change: At the next password change, choose to Allow the LAN Manager (LM) to store the hash value for the new password. When set to Not configured (default), the hash value isn't stored.
  • PKU2U authentication requests: Block PKU2U authentication requests to the device to use online identities. Not configured (default) allows these requests.
  • Restrict remote RPC connections to SAM: Allow the default Security Descriptor Definition Language string to deny users and groups from making remote calls to the SAM. Not configured (default) uses the default Security Descriptor Definition Language string, which allows users and groups to make remote calls to the SAM.
    • Security descriptor

Recovery console and shutdown

  • Clear virtual memory pagefile when shutting down: Set to Enable to clear the virtual memory pagefile when the device is powered down. Not configured doesn't clear the virtual memory.
  • Shut down without log on: Block hides the shutdown option on the Windows logon screen. Users must sign in to the device, and then shut down. Not configured (default) allows users to shut down the device from the Windows logon screen.

User account control

  • UIA integrity without secure location: When set to Enable, apps in a secure location in the file system run only with UIAccess integrity. Not configured (default) enables apps to run with UIAccess integrity, even if the apps aren't in a secure location in the file system.
  • Virtualize file and registry write failures to per-user locations: When set to Block, application write failures are redirected at run time to defined user locations for the file system and registry. When set to Not configured (default), applications that write data to protected locations fail.
  • Only elevate executable files that are signed and validated: Set to Enabled to enforce PKI certification path validation for an executable file before it can run. Set to Not configured (default) to not enforce PKI certification path validation before an executable file can run.

UIA elevation prompt behavior settings

  • Elevation prompt for admins: Define the behavior of the elevation prompt for admins in Admin Approval Mode:
    • Elevate without prompting
    • Prompt for credentials on the secure desktop
    • Prompt for consent on the secure desktop
    • Prompt for credentials
    • Prompt for consent
    • Not configured: Prompt for consent for non-Windows binaries
  • Elevation prompt for standard users: Define the behavior of the elevation prompt for standard users:
    • Automatically deny elevation requests
    • Prompt for credentials on the secure desktop
    • Not configured: Prompt for credentials
  • Route elevation prompts to user's interactive desktop: Enable so all elevation requests go to the interactive user's desktop, not the secure desktop. Any prompt behavior policy settings for administrators and standard users are used. Not configured (default) forces all elevation requests to go to the secure desktop, regardless of any prompt behavior policy settings for administrators and standard users.
  • Elevated prompt for app installations: When set to Block, application installation packages aren't detected or prompted for elevation. When set to Not configured (default), the user is prompted for an administrative user name and password when an application installation package requires elevated privileges.
  • UIA elevation prompt without secure desktop: Enable to allow UIAccess apps to prompt for elevation without using the secure desktop. When Not configured (default), elevation prompts use the secure desktop.

Admin Approval Mode settings

  • Admin Approval Mode for Built-in Administrator: Enabled allows the built-in Administrator account to use Admin Approval Mode. Any operation that requires elevation of privilege prompts the user to approve the operation. Not configured (default) runs all apps with full admin privileges.
  • Run all admins in Admin Approval Mode: Set to Block to disable Admin Approval Mode and all related UAC policy settings. Not configured (default) enables Admin Approval Mode.

Microsoft Network Client

  • Digitally sign communications (if server agrees): Determines if the SMB client negotiates SMB packet signing. When Not configured or enabled (default), the Microsoft network client asks the server to run SMB packet signing upon session setup. If packet signing is enabled on the server, packet signing is negotiated. If set to Disable, the SMB client never negotiates SMB packet signing.
  • Send unencrypted password to third-party SMB servers: When set to Enable, the Server Message Block (SMB) redirector can send plaintext passwords to non-Microsoft SMB servers that don't support password encryption during authentication. When Not configured (default), the passwords are encrypted.

Microsoft Network Server

  • Digitally sign communications (if client agrees): Determines if the SMB server negotiates SMB packet signing with clients that request it. When set to Enable, the Microsoft network server negotiates SMB packet signing as requested by the client. That is, if packet signing is enabled on the client, packet signing is negotiated. When Not configured or disabled (default), the SMB client never negotiates SMB packet signing.
  • Digitally sign communications (always): Determines if packet signing is required by the SMB server component. When set to Enable, the Microsoft network server doesn't communicate with a Microsoft network client unless that client agrees to SMB packet signing. When Not configured or disabled (default), SMB packet signing is negotiated between the client and server.
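A way to verify on a device that the "Network access and security" and "Microsoft Network Client/Server" settings above have actually taken effect, as an added example (not Microsoft's or Intune's own code). The registry locations are the standard Windows locations for these security options; the Expected values are this example's assumed hardened baseline, not values the page states.

```powershell
# Added example, not Microsoft's code: audit a Windows 10 device's effective state
# for the Network access and security and Microsoft Network Client/Server options
# after the Intune profile has applied. Expected values are an assumed hardened
# baseline (Block / require signing / no LM hash); adjust them to your own policy.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$wks = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# One row per Intune setting: where Windows stores it and the restrictive value.
$checks = @(
    @{ Setting = 'Anonymous access to Named Pipes and Shares';       Path = $srv;         Name = 'RestrictNullSessAccess';   Expected = 1 }
    @{ Setting = 'Anonymous enumeration of SAM accounts';            Path = $lsa;         Name = 'RestrictAnonymousSAM';     Expected = 1 }
    @{ Setting = 'Anonymous enumeration of SAM accounts and shares'; Path = $lsa;         Name = 'RestrictAnonymous';        Expected = 1 }
    @{ Setting = 'LAN Manager hash value stored on password change'; Path = $lsa;         Name = 'NoLMHash';                 Expected = 1 }
    @{ Setting = 'PKU2U authentication requests';                    Path = "$lsa\pku2u"; Name = 'AllowOnlineID';            Expected = 0 }
    @{ Setting = 'Restrict remote RPC connections to SAM';           Path = $lsa;         Name = 'RestrictRemoteSAM';        Expected = 'O:BAG:BAD:(A;;RC;;;BA)' }
    @{ Setting = 'Client: sign communications (if server agrees)';   Path = $wks;         Name = 'EnableSecuritySignature';  Expected = 1 }
    @{ Setting = 'Client: send unencrypted password to 3rd-party';   Path = $wks;         Name = 'EnablePlainTextPassword';  Expected = 0 }
    @{ Setting = 'Server: sign communications (if client agrees)';   Path = $srv;         Name = 'EnableSecuritySignature';  Expected = 1 }
    @{ Setting = 'Server: sign communications (always)';             Path = $srv;         Name = 'RequireSecuritySignature'; Expected = 1 }
)

function Get-EndpointSettingAudit {
    param([array]$Checks = $checks)
    foreach ($c in $Checks) {
        # An absent value means the policy never applied (the device is on its
        # built-in default), so it is reported as REVIEW rather than skipped.
        $item   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $actual = if ($null -ne $item) { $item.($c.Name) } else { $null }
        [pscustomobject]@{
            Setting  = $c.Setting
            Value    = $c.Name
            Expected = $c.Expected
            Actual   = $actual
            Status   = if ($actual -eq $c.Expected) { 'OK' } else { 'REVIEW' }
        }
    }
}

# Run elevated on the device once the profile has synced; every row that is not
# OK is a setting the profile did not enforce the way the baseline expects.
Get-EndpointSettingAudit | Format-Table -AutoSize
```

The same table-driven loop can be extended with the User account control values under HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System if you want one report for the whole Local device security options section.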

Next steps

To assign this profile to groups, see How to assign device profiles.