Endpoint protection settings for Windows 10 and later in Microsoft Intune

Applies to: Intune on Azure
Looking for documentation about Intune in the classic console? Go to here.

The endpoint protection profile lets you control security features on Windows 10 devices, such as BitLocker.

Use the information in this topic to learn how to create endpoint protection profiles.

Create an endpoint protection profile

  1. Sign in to the Azure portal.
  2. Choose More Services > Monitoring + Management > Intune.
  3. On the Intune blade, choose Device configuration.
  4. On the Device Configuration blade, choose Manage > Profiles.
  5. On the profiles blade, choose Create Profile.
  6. On the Create Profile blade, enter a Name and Description for the device features profile.
  7. From the Platform drop-down list, select Windows 10 and later.
  8. From the Profile type drop-down list, choose Endpoint protection.
  9. On the Windows encryption blade, configure the settings you want. Use the details in this topic to help you understand what each setting does. When you are finished, choose OK.
  10. Go back to the Create Profile blade, and choose Create.

The profile is created and appears on the profiles list blade.

Endpoint protection profile settings reference

Windows Settings

  • Require devices to be encrypted (Desktop only) - If enabled, users are prompted to enable device encryption. Additionally, they are asked to confirm that encryption from another provider has not been enabled. If Windows encryption is turned on while another encryption method is active, the device might become unstable.
  • Require Storage Card to be encrypted (mobile only) - Enable this setting to encrypt any removable storage cards used by the device.

BitLocker base settings

  • Configure encryption methods - Enable this setting to configure the encryption algorithms for operating system, data, and removable drives.
    • Encryption for operating system drives - Choose the encryption method for operating system drives. We recommend the XTS-AES algorithm.
    • Encryption for fixed data-drives - Choose the encryption method for fixed (built-in) data drives. We recommend the XTS-AES algorithm.
    • Encryption for removable data-drives - Choose the encryption method for removable data drives. If the removable drive is used with devices that are not running Windows 10, we recommend the AES-CBC algorithm.

BitLocker OS drive settings

  • Require additional authentication at startup -
    • Block BitLocker on devices without a compatible TPM chip -
    • TPM startup - Configure whether the TPM chip is allowed, not allowed, or required.
    • TPM startup PIN - Configure whether using a startup PIN with the TPM chip is allowed, not allowed, or required.
    • TPM startup key - Configure whether using a startup key with the TPM chip is allowed, not allowed, or required.
    • TPM startup key and PIN - Configure whether using a startup key and PIN with the TPM chip is allowed, not allowed, or required.
  • Minimum PIN Length - Enable this setting to configure a minimum length for the TPM startup PIN.
    • Minimum characters - Enter the number of characters required for the startup PIN (4-20).
  • Enable OS drive recovery - Enable this setting to control how BitLocker-protected operating system drives are recovered when the required start-up information is not available.
    • Allow certificate-based data recovery agent - Enable this setting if you want data recovery agents to be usable with BitLocker-protected operating system drives.
    • User creation of recovery password - Configure whether users are allowed, required, or not allowed to generate a 48-digit recovery password.
    • User creation of recovery key - Configure whether users are allowed, required, or not allowed to generate a 256-bit recovery key.
    • Hide recovery options in the BitLocker setup wizard - Enable this setting to prevent users from seeing or changing recovery options when they turn on BitLocker.
    • Save BitLocker recovery information to AD DS - Enables the storage of BitLocker recovery information in Active Directory.
    • Configure storage of BitLocker recovery information to AD DS - Configure which parts of the BitLocker recovery information are stored in Active Directory. Choose from:
      • Backup recovery passwords and key packages
      • Backup recovery passwords only
    • Require recovery information to be stored in AD DS before enabling BitLocker - Enable this setting to stop users from turning on BitLocker unless the device is domain-joined and the BitLocker recovery information has been successfully stored in Active Directory.
  • Enable pre-boot recovery message and URL - Enable this setting to configure the message and URL that are displayed on the pre-boot key recovery screen.
    • Pre-boot recovery message - Configure how the pre-boot recovery message is displayed to users. Choose from:
      • Use default recovery message and URL
      • Use empty recovery message and URL
      • Use custom recovery message
      • Use custom recovery URL

BitLocker fixed data-drive settings

  • Deny write access to fixed data-drive not protected by BitLocker - If enabled, BitLocker protection must be enabled on all fixed (built-in) data drives before they can be written to.
  • Enable fixed drive recovery - Enable this setting to control how BitLocker-protected fixed drives are recovered when the required start-up information is not available.
    • Allow data recovery agent - Enable this setting if you want data recovery agents to be usable with BitLocker-protected fixed drives.
    • User creation of recovery password - Configure whether users are allowed, required, or not allowed to generate a 48-digit recovery password.
    • User creation of recovery key - Configure whether users are allowed, required, or not allowed to generate a 256-bit recovery key.
    • Hide recovery options in the BitLocker setup wizard - Enable this setting to prevent users from seeing or changing recovery options when they turn on BitLocker.
    • Save BitLocker recovery information to AD DS - Enables the storage of BitLocker recovery information in Active Directory.
    • Configure storage of BitLocker recovery information to AD DS - Configure which parts of the BitLocker recovery information are stored in Active Directory. Choose from:
      • Backup recovery passwords and key packages
      • Backup recovery passwords only
    • Require recovery information to be stored in AD DS before enabling BitLocker - Enable this setting to stop users from turning on BitLocker unless the device is domain-joined and the BitLocker recovery information has been successfully stored in Active Directory.

BitLocker removable data-drive settings

  • Deny write access to removable data-drive not protected by BitLocker - Specify whether BitLocker encryption is required for removable storage drives.
    • Block write access to devices configured in another organization - Specify whether removable data drives that belong to another organization can be written to.
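The settings reference above describes what the profile enforces, but an administrator validating a pilot group usually wants to see the resulting state on the device itself. The following PowerShell script is an added example, not code from the Intune documentation or from Microsoft: it audits a local Windows 10 device against the BitLocker base settings (XTS-AES for OS and fixed drives, AES-CBC for removable drives), the OS drive settings (TPM-based protector, 48-digit recovery password, escrow to AD DS) and the fixed and removable data-drive settings. It relies on the BitLocker and TrustedPlatformModule modules that ship with Windows and must run elevated. The expected encryption-method names and the PASS/FAIL reporting shape are assumptions chosen to mirror the recommendations on this page; `Backup-RecoveryPasswordsToAdDs` performs the escrow that the "Save BitLocker recovery information to AD DS" setting requires and is only meaningful on a domain-joined device.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the Intune documentation): audit the local device's BitLocker state
# against the endpoint protection profile settings described on this page.

function Get-ExpectedMethods {
    param([string]$DriveKind)   # 'OperatingSystem', 'Fixed' or 'Removable'
    # Assumed mapping from the page's recommendations to BitLockerVolume.EncryptionMethod names.
    switch ($DriveKind) {
        'Removable' { return @('Aes128', 'Aes256') }        # AES-CBC: drives shared with non-Windows 10 hosts
        default     { return @('XtsAes128', 'XtsAes256') }  # XTS-AES: OS and fixed data drives
    }
}

function Get-DriveKind {
    param($Volume)   # a BitLockerVolume object from Get-BitLockerVolume
    if ($Volume.VolumeType -eq 'OperatingSystem') { return 'OperatingSystem' }
    $letter = $Volume.MountPoint.TrimEnd(':', '\')
    $vol = Get-Volume -DriveLetter $letter -ErrorAction SilentlyContinue
    if ($vol -and $vol.DriveType -eq 'Removable') { return 'Removable' }
    return 'Fixed'
}

function New-Finding {
    param([string]$Scope, [string]$Check, [bool]$Passed, [string]$Detail)
    [pscustomobject]@{ Scope = $Scope; Check = $Check; Result = $(if ($Passed) { 'PASS' } else { 'FAIL' }); Detail = $Detail }
}

function Test-BitLockerProfileCompliance {
    $findings = @()

    # 'Block BitLocker on devices without a compatible TPM chip': a TPM must be present and ready.
    $tpm = Get-Tpm
    $findings += New-Finding 'TPM' 'TPM present and ready' ($tpm.TpmPresent -and $tpm.TpmReady) "Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady)"

    foreach ($v in Get-BitLockerVolume) {
        $kind  = Get-DriveKind $v
        $scope = "$($v.MountPoint) ($kind)"

        # 'Require devices to be encrypted' / 'Deny write access ... not protected by BitLocker'.
        $findings += New-Finding $scope 'Protection on' ($v.ProtectionStatus -eq 'On') "VolumeStatus=$($v.VolumeStatus)"

        # 'Configure encryption methods': the algorithm must match the recommendation for this drive kind.
        $expected = Get-ExpectedMethods $kind
        $findings += New-Finding $scope 'Recommended encryption method' ("$($v.EncryptionMethod)" -in $expected) "Method=$($v.EncryptionMethod) Expected=$($expected -join '/')"

        # 'TPM startup' family: the OS drive must unlock with a TPM-based protector.
        if ($kind -eq 'OperatingSystem') {
            $tpmProtectors = $v.KeyProtector | Where-Object { "$($_.KeyProtectorType)" -in @('Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey') }
            $findings += New-Finding $scope 'TPM-based key protector' ($null -ne $tpmProtectors) "Types=$(($v.KeyProtector.KeyProtectorType) -join ',')"
        }

        # 'User creation of recovery password': a 48-digit recovery password (eight groups of six digits) must exist.
        $rp = @($v.KeyProtector | Where-Object { "$($_.KeyProtectorType)" -eq 'RecoveryPassword' })
        $wellFormed = ($rp.Count -gt 0) -and ($rp | ForEach-Object { $_.RecoveryPassword -match '^(\d{6}-){7}\d{6}$' }) -notcontains $false
        $findings += New-Finding $scope '48-digit recovery password protector' $wellFormed "Count=$($rp.Count)"
    }
    return $findings
}

function Backup-RecoveryPasswordsToAdDs {
    # 'Save BitLocker recovery information to AD DS': escrow every recovery password protector.
    # Backup-BitLockerKeyProtector writes to AD DS and fails on a device that is not domain-joined.
    foreach ($v in Get-BitLockerVolume) {
        foreach ($p in ($v.KeyProtector | Where-Object { "$($_.KeyProtectorType)" -eq 'RecoveryPassword' })) {
            Backup-BitLockerKeyProtector -MountPoint $v.MountPoint -KeyProtectorId $p.KeyProtectorId
        }
    }
}

# Usage: print the audit table; call Backup-RecoveryPasswordsToAdDs separately once the FAIL rows are understood.
Test-BitLockerProfileCompliance | Format-Table -AutoSize
```

The audit intentionally reports a FAIL rather than remediating: turning BitLocker on while another provider's encryption is active can leave the device unstable, as the "Require devices to be encrypted" setting warns, so remediation belongs in the Intune profile, not in an ad hoc script. The regular expression only checks the shape of the recovery password (eight hyphenated groups of six digits); it does not reveal or transmit the value.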

Next steps

If you want to go ahead and assign this profile to groups, see How to assign device profiles.

To send feedback, go to Intune Feedback.