Security technologies in Microsoft Managed Desktop

Microsoft Managed Desktop uses several Microsoft technologies to help secure managed devices and data. In addition, the Microsoft Managed Desktop Security Operations Center uses various processes in conjunction with these technologies.

Specifically:

For information about data storage, usage, and security practices used by Microsoft Managed Desktop, see the whitepaper at https://aka.ms/mmd-data.

Device security

Microsoft Managed Desktop ensures all managed devices are secured and protected, and detects threats as early as possible using the following services:

| Service | Description |
|---|---|
| Antivirus | Microsoft Defender AV is installed and configured. Microsoft Defender AV definitions are up to date. |
| Full Volume Encryption | Windows BitLocker is the volume encryption solution for Microsoft Managed Desktop devices. Once an organization is onboarded into the service, devices are encrypted using Windows BitLocker with the built-in Trusted Platform Module (TPM) to prevent unauthorized access to local data when the device is in sleep mode or off. |
| Monitoring | Microsoft Defender for Endpoint is used for security threat monitoring across all Microsoft Managed Desktop devices. Defender for Endpoint allows enterprise customers to detect, investigate, and respond to advanced threats in their corporate network. For more information, see Microsoft Defender for Endpoint. |
| Operating system updates | Microsoft Managed Desktop devices are always secured with the latest security updates. |
| Secure Device Configuration | Microsoft Managed Desktop implements the Microsoft Security Baseline. For more information, see Windows security baselines. |
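As an added example (not part of this page and not Microsoft Managed Desktop's own tooling), the following PowerShell script audits a single Windows 10 device against the controls in the table above: BitLocker full volume encryption with a TPM key protector, Microsoft Defender AV enabled with current definitions, and whether the signed-in user holds standard rather than administrator permissions. The function name and the 7-day definition-age threshold are assumptions; run it elevated so the BitLocker and TPM cmdlets can read device state.

```powershell
# Added example: audit a Windows device against the Microsoft Managed Desktop
# device security controls listed above. Uses the built-in BitLocker,
# TrustedPlatformModule, Defender and LocalAccounts modules of Windows 10.
# The signature-age threshold is an assumption, not a documented MMD value.
function Test-MmdDeviceSecurity {
    [CmdletBinding()]
    param([int]$MaxSignatureAgeDays = 7)

    $result = [ordered]@{}

    # Full volume encryption: the OS drive must be fully encrypted, protection
    # must be on, and a TPM-based key protector must be present.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $tpmProtector = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' }
    $result['BitLockerFullyEncrypted'] = ($vol.VolumeStatus -eq 'FullyEncrypted')
    $result['BitLockerProtectionOn']   = ($vol.ProtectionStatus -eq 'On')
    $result['BitLockerUsesTpm']        = [bool]$tpmProtector

    # The TPM itself must be present and ready for that protector to be meaningful.
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    $result['TpmPresentAndReady'] = [bool]($tpm.TpmPresent -and $tpm.TpmReady)

    # Antivirus: Defender AV enabled, real-time protection on, definitions fresh.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $result['DefenderAvEnabled']          = [bool]$mp.AntivirusEnabled
    $result['DefenderRealTimeProtection'] = [bool]$mp.RealTimeProtectionEnabled
    $result['DefenderSignaturesCurrent']  = ($null -ne $mp -and $mp.AntivirusSignatureAge -le $MaxSignatureAgeDays)

    # Standard user permission: compare the signed-in user's SID with the local
    # Administrators group membership (a token role check would be hidden by UAC).
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $admins   = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    $isAdmin  = @($admins | ForEach-Object { $_.SID.Value }) -contains $identity.User.Value
    $result['CurrentUserIsStandardUser'] = -not $isAdmin

    [pscustomobject]$result
}

# Print the audit and name any control that is not met.
$audit  = Test-MmdDeviceSecurity
$audit | Format-List
$failed = $audit.PSObject.Properties | Where-Object { -not $_.Value } | Select-Object -ExpandProperty Name
if ($failed) { Write-Warning ("Controls not met: " + ($failed -join ', ')) }
```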

Identity and access management

Identity and access management protects corporate assets and business-critical data. Microsoft Managed Desktop configures devices to ensure secure use with Azure Active Directory (Azure AD) managed identities. It is the customer's responsibility to maintain accurate information in their Azure AD tenant.

| Service | Description |
|---|---|
| Biometric Authentication | Windows Hello allows users to sign in by using their face or a PIN, making passwords harder to forget or steal. Customers are responsible for implementing the necessary prerequisites in their on-premises Active Directory for use of this service in a hybrid configuration. For more information, see Windows Hello. |
| Standard user permission | To protect the system and make it more secure, the user is assigned Standard User Permissions. This permission is assigned as part of the Windows Autopilot out-of-box experience. |

Network security

Customers are responsible for network security.

| Service | Description |
|---|---|
| VPN | Customers own their VPN infrastructure, to ensure that only a limited set of corporate resources is exposed outside the intranet. Minimum requirement: Microsoft Managed Desktop requires a Windows 10 compatible and supported VPN solution. If your organization needs a VPN solution, it must support Windows 10 and be packaged and deployable through Intune. Contact your software publisher for more information. |

Recommendation:
- Microsoft recommends a modern VPN solution that can be easily deployed through Intune to push VPN profiles. This approach provides an always-on, seamless, reliable, and secure way to access the corporate network. For more information, see VPN settings in Intune.
- Thick VPN clients, or older VPN clients, are not recommended by Microsoft while using Microsoft Managed Desktop, as they can impact the user environment.
- Microsoft recommends that outgoing web traffic goes directly to the Internet without going through the VPN, to avoid any performance issues.
- Ideally, Microsoft recommends the use of Azure Active Directory App Proxy instead of a VPN.

Information security

You can configure these optional services to help protect corporate high-value assets.

| Service | Description |
|---|---|
| Data recovery | Information stored in key folders on the device is backed up to OneDrive for Business. Microsoft Managed Desktop is not responsible for data that isn't synchronized with OneDrive for Business. |
| Windows Information Protection | For companies that require high levels of information security, we recommend Windows Information Protection and Azure Information Protection. |