How To: Manage stale devices in Azure AD

Ideally, to complete the lifecycle, registered devices should be unregistered when they are not needed anymore. However, due to, for example, lost, stolen, or broken devices, or OS reinstallations, you typically have stale devices in your environment. As an IT admin, you probably want a method to remove stale devices, so that you can focus your resources on managing devices that actually require management.

In this article, you learn how to efficiently manage stale devices in your environment.

What is a stale device?

A stale device is a device that has been registered with Azure AD but has not been used to access any cloud apps for a specific timeframe. Stale devices have an impact on your ability to manage and support your devices and users in the tenant because:

  • Duplicate devices can make it difficult for your helpdesk staff to identify which device is currently active.
  • An increased number of devices creates unnecessary device writebacks, increasing the time for Azure AD Connect syncs.
  • As a matter of general hygiene and to meet compliance requirements, you may want to have a clean state of devices.

Stale devices in Azure AD can interfere with the general lifecycle policies for devices in your organization.

Detect stale devices

Because a stale device is defined as a registered device that hasn't been used to access any cloud apps for a specific timeframe, detecting stale devices requires a timestamp-related property. In Azure AD, this property is called ApproximateLastLogonTimestamp or activity timestamp. If the delta between now and the value of the activity timestamp exceeds the timeframe you have defined for active devices, a device is considered to be stale. This activity timestamp is now in public preview.

How is the value of the activity timestamp managed?

The evaluation of the activity timestamp is triggered by an authentication attempt of a device. Azure AD evaluates the activity timestamp when:

  • A Conditional Access policy requiring managed devices or approved client apps has been triggered.
  • Windows 10 devices that are either Azure AD joined or hybrid Azure AD joined are active on the network.
  • Intune managed devices have checked in to the service.

If the delta between the existing value of the activity timestamp and the current value is more than 14 days (+/-5 day variance), the existing value is replaced with the new value.

How do I get the activity timestamp?

You have two options to retrieve the value of the activity timestamp:

Plan the cleanup of your stale devices

To efficiently clean up stale devices in your environment, you should define a related policy. This policy helps you to ensure that you capture all considerations that are related to stale devices. The following sections provide you with examples for common policy considerations.

Cleanup account

To update a device in Azure AD, you need an account that has one of the following roles assigned:

  • Global Administrator
  • Cloud Device Administrator
  • Intune Service Administrator

In your cleanup policy, select accounts that have the required roles assigned.

Timeframe

Define a timeframe that is your indicator for a stale device. When defining your timeframe, factor the window noted for updating the activity timestamp into your value. For example, you shouldn't consider a timestamp that is younger than 21 days (including variance) as an indicator for a stale device. There are scenarios that can make a device look stale while it isn't. For example, the owner of the affected device can be on vacation or on a sick leave that exceeds your timeframe for stale devices.
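The following PowerShell function is an added example, not code from this page or from Microsoft, showing how the timeframe policy above can be encoded so that a threshold shorter than the 21-day floor is rejected and a device with no activity timestamp at all is flagged for review rather than declared stale. The function name Test-StaleDevice, the $MinimumStaleDays parameter and the sample devices are constructed for this example; only the property name ApproximateLastLogonTimeStamp comes from the AzureAD module.

```powershell
# Added example (not from the Azure AD documentation page): a policy decision
# function for the "Timeframe" section. Names are my own; the device property
# ApproximateLastLogonTimeStamp is the one returned by Get-AzureADDevice.

function Test-StaleDevice {
    [CmdletBinding()]
    param(
        # ApproximateLastLogonTimeStamp as returned by Get-AzureADDevice; may be $null
        [AllowNull()][Nullable[datetime]]$LastActivity,
        # Policy threshold in days, chosen by the admin
        [Parameter(Mandatory)][int]$StaleAfterDays,
        # Floor recommended on this page: the 14-day refresh window plus variance
        [int]$MinimumStaleDays = 21,
        [datetime]$Now = (Get-Date)
    )
    if ($StaleAfterDays -lt $MinimumStaleDays) {
        throw "StaleAfterDays ($StaleAfterDays) is below the $MinimumStaleDays-day floor; shorter windows produce false positives."
    }
    if ($null -eq $LastActivity) {
        # No timestamp yet: nothing has triggered an evaluation for this device.
        # Do not call it stale on that basis alone; hand it to a human instead.
        return 'NoTimestamp'
    }
    $ageDays = ($Now - [datetime]$LastActivity).TotalDays
    if ($ageDays -gt $StaleAfterDays) { return 'Stale' }
    return 'Active'
}

# Constructed sample input shaped like the Select-Object output used on this page.
$now = [datetime]'2021-06-01'
$samples = @(
    [pscustomobject]@{ DisplayName = 'LAPTOP-01'; ApproximateLastLogonTimeStamp = [datetime]'2021-05-25' }  # 7 days old: Active
    [pscustomobject]@{ DisplayName = 'LAPTOP-02'; ApproximateLastLogonTimeStamp = [datetime]'2021-03-01' }  # 92 days old: Stale at a 90-day policy
    [pscustomobject]@{ DisplayName = 'LAPTOP-03'; ApproximateLastLogonTimeStamp = $null }                    # never evaluated: NoTimestamp
)

foreach ($device in $samples) {
    $state = Test-StaleDevice -LastActivity $device.ApproximateLastLogonTimeStamp -StaleAfterDays 90 -Now $now
    '{0,-10} {1}' -f $device.DisplayName, $state
}
```

Passing a fixed $Now makes the decision reproducible when you review a candidate list later; in a real run you would omit it. Devices that return NoTimestamp should be examined separately (for example, against the sign-in logs) before any disable action, since the absence of a timestamp says nothing about whether the device is in use.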

Disable devices

It is not advisable to immediately delete a device that appears to be stale because you can't undo a deletion in the case of false positives. As a best practice, disable a device for a grace period before deleting it. In your policy, define a timeframe to disable a device before deleting it.

MDM-controlled devices

If your device is under control of Intune or any other MDM solution, retire the device in the management system before disabling or deleting it.

System-managed devices

Don't delete system-managed devices. These are generally devices such as Autopilot. Once deleted, these devices can't be reprovisioned. The new Get-AzureADDevice cmdlet excludes system-managed devices by default.

Hybrid Azure AD joined devices

Your hybrid Azure AD joined devices should follow your policies for on-premises stale device management.

To clean up Azure AD:

  • Windows 10 devices - Disable or delete Windows 10 devices in your on-premises AD, and let Azure AD Connect synchronize the changed device status to Azure AD.
  • Windows 7/8 - Disable or delete Windows 7/8 devices in your on-premises AD first. You can't use Azure AD Connect to disable or delete Windows 7/8 devices in Azure AD. Instead, when you make the change on-premises, you must also disable or delete the device in Azure AD.

Note

  • Deleting devices in your on-premises AD or Azure AD does not remove registration on the client. It will only prevent access to resources using the device as an identity (for example, Conditional Access). Read additional information on how to remove registration on the client.
  • Deleting a Windows 10 device only in Azure AD will re-synchronize the device from your on-premises AD using Azure AD Connect, but as a new object in "Pending" state. A re-registration is required on the device.
  • Removing the device from sync scope for Windows 10/Server 2016 devices will delete the Azure AD device. Adding it back to sync scope will place a new object in "Pending" state. A re-registration of the device is required.
  • If you are not using Azure AD Connect to synchronize Windows 10 devices (for example, ONLY using AD FS for registration), you must manage the lifecycle similar to Windows 7/8 devices.

Azure AD joined devices

Disable or delete Azure AD joined devices in Azure AD.

Note

  • Deleting an Azure AD device does not remove registration on the client. It will only prevent access to resources using the device as an identity (for example, Conditional Access).
  • Read more on how to unjoin on Azure AD

Azure AD registered devices

Disable or delete Azure AD registered devices in Azure AD.

Note

  • Deleting an Azure AD registered device in Azure AD does not remove registration on the client. It will only prevent access to resources using the device as an identity (for example, Conditional Access).
  • Read more on how to remove a registration on the client

Clean up stale devices in the Azure portal

While you can clean up stale devices in the Azure portal, it is more efficient to handle this process using a PowerShell script. Use the latest PowerShell V1 module to use the timestamp filter and to filter out system-managed devices such as Autopilot. At this point, using PowerShell V2 is not recommended.

A typical routine consists of the following steps:

  1. Connect to Azure Active Directory using the Connect-AzureAD cmdlet
  2. Get the list of devices
  3. Disable the device using the Set-AzureADDevice cmdlet (disable by using the -AccountEnabled option).
  4. Wait for the grace period of however many days you choose before deleting the device.
  5. Remove the device using the Remove-AzureADDevice cmdlet.

Get the list of devices

To get all devices and store the returned data in a CSV file (the device object returned by Get-AzureADDevice exposes the enabled flag as AccountEnabled):

Get-AzureADDevice -All:$true | Select-Object -Property AccountEnabled, DeviceId, DisplayName, DeviceTrustType, ApproximateLastLogonTimeStamp | Export-Csv devicelist-summary.csv -NoTypeInformation

If you have a large number of devices in your directory, use the timestamp filter to narrow down the number of returned devices. To get all devices with a timestamp older than a specific date and store the returned data in a CSV file:

$dt = [datetime]'2017/01/01'
Get-AzureADDevice -All:$true | Where-Object {$_.ApproximateLastLogonTimeStamp -le $dt} | Select-Object -Property AccountEnabled, DeviceId, DisplayName, DeviceTrustType, ApproximateLastLogonTimeStamp | Export-Csv devicelist-olderthan-Jan-1-2017-summary.csv -NoTypeInformation
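The following script is an added example, not the page's own routine, that strings the five steps above (connect, list, disable, wait, remove) together with the policy points from the earlier sections: hybrid Azure AD joined devices are left to on-premises cleanup, devices with no timestamp are skipped, and a device that someone re-enabled during the grace period is treated as a false positive and kept. It assumes the AzureAD V1 module and that Connect-AzureAD has already been run with an account holding one of the roles listed under "Cleanup account". The function names, the -DryRun switch, the CSV log file and its DisabledOn column are conventions of this example, not AzureAD cmdlet features; the cmdlets, parameters and device properties used (Get-AzureADDevice, Set-AzureADDevice -AccountEnabled, Remove-AzureADDevice, DeviceTrustType, ApproximateLastLogonTimeStamp) are the module's own.

```powershell
# Added example (not from the Azure AD documentation page): the disable-then-delete
# routine as three functions. Assumes the AzureAD (V1) module and a prior Connect-AzureAD.
# Get-StaleDeviceCandidate, Disable-StaleDevice, Remove-ExpiredStaleDevice, -DryRun and
# the DisabledOn CSV column are my own conventions.

function Get-StaleDeviceCandidate {
    param([int]$StaleAfterDays = 90)
    $cutoff = (Get-Date).AddDays(-$StaleAfterDays)
    # - Skip devices whose timestamp is $null instead of treating them as stale.
    # - Skip hybrid Azure AD joined devices (DeviceTrustType 'ServerAd'): they are
    #   cleaned up on-premises and synced by Azure AD Connect.
    # - Skip devices that are already disabled; they are in their grace period.
    # System-managed devices are already excluded by Get-AzureADDevice itself.
    Get-AzureADDevice -All:$true |
        Where-Object { $null -ne $_.ApproximateLastLogonTimeStamp -and $_.ApproximateLastLogonTimeStamp -le $cutoff } |
        Where-Object { $_.DeviceTrustType -ne 'ServerAd' } |
        Where-Object { $_.AccountEnabled } |
        Select-Object ObjectId, DeviceId, DisplayName, DeviceTrustType, ApproximateLastLogonTimeStamp
}

function Disable-StaleDevice {
    param(
        [Parameter(ValueFromPipeline)]$Device,
        [string]$LogPath = 'disabled-devices.csv',   # records when each device was disabled
        [switch]$DryRun
    )
    process {
        if ($DryRun) { "Would disable $($Device.DisplayName) ($($Device.DeviceId))"; return }
        Set-AzureADDevice -ObjectId $Device.ObjectId -AccountEnabled $false
        # The grace period is measured from this date, so persist it outside Azure AD.
        [pscustomobject]@{
            ObjectId    = $Device.ObjectId
            DeviceId    = $Device.DeviceId
            DisplayName = $Device.DisplayName
            DisabledOn  = (Get-Date).ToString('o')
        } | Export-Csv -Path $LogPath -Append -NoTypeInformation
    }
}

function Remove-ExpiredStaleDevice {
    param(
        [int]$GraceDays = 30,
        [string]$LogPath = 'disabled-devices.csv',
        [switch]$DryRun
    )
    $deadline = (Get-Date).AddDays(-$GraceDays)
    foreach ($row in Import-Csv -Path $LogPath) {
        if ([datetime]$row.DisabledOn -gt $deadline) { continue }          # still inside the grace period
        $live = Get-AzureADDevice -ObjectId $row.ObjectId -ErrorAction SilentlyContinue
        if (-not $live) { continue }                                       # already removed by someone else
        if ($live.AccountEnabled) {                                        # re-enabled during the grace period:
            "Skipping $($row.DisplayName): re-enabled, treating as false positive"   # the device is in use, keep it
            continue
        }
        if ($DryRun) { "Would delete $($row.DisplayName) ($($row.DeviceId))"; continue }
        Remove-AzureADDevice -ObjectId $row.ObjectId                       # irreversible; BitLocker keys on the object go with it
    }
}

# Usage: review the candidate list first, then act, then wait out the grace period.
# Get-StaleDeviceCandidate -StaleAfterDays 90 | Export-Csv stale-candidates.csv -NoTypeInformation
# Get-StaleDeviceCandidate -StaleAfterDays 90 | Disable-StaleDevice -DryRun
# Get-StaleDeviceCandidate -StaleAfterDays 90 | Disable-StaleDevice
# Remove-ExpiredStaleDevice -GraceDays 30 -DryRun
# Remove-ExpiredStaleDevice -GraceDays 30
```

Keeping the disable date in a file you control is the key design choice: the AzureAD device object does not record when it was disabled, so without that log there is no way to enforce the grace period from step 4. Run every step with -DryRun first and keep the exported candidate CSV, since deletion cannot be undone and, as noted further down, removes any BitLocker keys stored on the device object.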

What you should know

Why is the timestamp not updated more frequently?

The timestamp is updated to support device lifecycle scenarios. This is not an audit. Use the sign-in audit logs for more frequent updates on the device.

Why should I worry about my BitLocker keys?

When configured, BitLocker keys for Windows 10 devices are stored on the device object in Azure AD. If you delete a stale device, you also delete the BitLocker keys that are stored on the device. You should determine whether your cleanup policy aligns with the actual lifecycle of your device before deleting a stale device.

Why should I worry about Windows Autopilot devices?

When you delete an Azure AD device that was associated with a Windows Autopilot object, the following three scenarios can occur if the device will be repurposed in future:

  • With Windows Autopilot user-driven deployments without using pre-provisioning, a new Azure AD device will be created, but it won't be tagged with the ZTDID.
  • With Windows Autopilot self-deploying mode deployments, they will fail because an associated Azure AD device cannot be found. (This is a security mechanism to make sure that no "imposter" devices try to join Azure AD with no credentials.) The failure will indicate a ZTDID mismatch.
  • With Windows Autopilot pre-provisioning deployments, they will fail because an associated Azure AD device cannot be found. (Behind the scenes, pre-provisioning deployments use the same self-deploying mode process, so they enforce the same security mechanisms.)

How do I know all the types of devices joined?

To learn more about the different types, see the device management overview.

What happens when I disable a device?

Any authentication where the device is being used to authenticate to Azure AD is denied. Common examples are:

  • Hybrid Azure AD joined device - Users might be able to use the device to sign in to their on-premises domain. However, they can't access Azure AD resources such as Microsoft 365.
  • Azure AD joined device - Users can't use the device to sign in.
  • Mobile devices - Users can't access Azure AD resources such as Microsoft 365.

Next steps

To get an overview of how to manage devices in the Azure portal, see managing devices using the Azure portal