运行 Azure 信息保护扫描程序Running the Azure Information Protection scanner

适用范围:Azure 信息保护、Windows Server 2019、Windows Server 2016、Windows Server 2012 R2**Applies to: Azure Information Protection, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2*

相关客户端仅限 AIP 统一标记客户端Relevant for: AIP unified labeling client only. 对于经典扫描程序,请参阅运行 Azure 信息保护经典扫描程序For the classic scanner, see Running the Azure Information Protection classic scanner.

确认符合系统要求并且配置和安装扫描程序后,请运行发现扫描以开始操作。Once you've confirmed your system requirements and configured and installed your scanner, run a discovery scan to get started.

使用下面详述的其他步骤来管理扫描的运行。Use other steps detailed below to manage your scans moving forward.

有关详细信息,请参阅部署 Azure 信息保护扫描程序以自动对文件进行分类和保护For more information, see Deploying the Azure Information Protection scanner to automatically classify and protect files.

运行发现周期并查看扫描程序报告Run a discovery cycle and view reports for the scanner

配置并安装扫描程序后,使用以下过程初步了解你的内容。Use the following procedure after you've configured and installed your scanner to get an initial understanding of your content.

当你的内容更改时,请根据需要再次执行这些步骤。Perform these steps again as needed when your content changes.

  1. 在 Azure 门户上的“Azure 信息保护 - 内容扫描作业”窗格中选择你的内容扫描作业,然后选择“立即扫描”选项: In the Azure portal, on the Azure Information Protection - Content scan jobs pane, select your content scan jobs, and then select the Scan now option:

    启动 Azure 信息保护扫描程序扫描

    或者,在 PowerShell 会话中,运行以下命令:Alternatively, in your PowerShell session, run the following command:

  2. 等待扫描程序完成其周期。Wait for the scanner to complete its cycle. 在扫描程序已爬网式扫描完指定数据存储中的所有文件后,扫描即告完成。The scan completes when the scanner has crawled through all the files in the specified data stores.

    执行以下任一操作来监视扫描程序的进度:Do any of the following to monitor scanner progress:

    • 刷新扫描作业。Refresh the scan jobs. 在“Azure 信息保护 - 内容扫描作业”窗格中,选择“刷新”。 On the Azure Information Protection - Content scan jobs pane, select Refresh.

      请等到“上次扫描结果”和“上次扫描(结束时间)”列中显示了值。 Wait until you see values for the LAST SCAN RESULTS column and the LAST SCAN (END TIME) column.

    • 使用 PowerShell 命令。Use a PowerShell command. 运行 Get-AIPScannerStatus 以监视状态变化。Run Get-AIPScannerStatus to monitor the status change.

  3. 扫描完成后,查看存储在 %localappdata%\Microsoft\MSIP\Scanner\Reports 目录中的报告。When the scan is complete, review the reports stored in the %localappdata%\Microsoft\MSIP\Scanner\Reports directory.

    • .txt 摘要文件包括扫描所用的时间、扫描的文件数以及匹配信息类型的文件数量。The .txt summary files include the time taken to scan, the number of scanned files, and how many files had a match for the information types.

    • .csv 文件包含每个文件的更多详细信息。The .csv files have more details for each file. 此文件夹为每个扫描周期最多存储 60 个报表,并且压缩除最新报表之外的所有报表,以帮助最大程度地减少所需的磁盘空间。This folder stores up to 60 reports for each scanning cycle and all but the latest report is compressed to help minimize the required disk space.

初始配置指导你将“要发现的信息类型”设置为“仅策略”。 Initial configurations instruct you to set the Info types to be discovered to Policy only. 此配置意味着,只有符合为自动分类配置的条件的文件才会包含在详细报告中。This configuration means that only files that meet the conditions you've configured for automatic classification are included in the detailed reports.

如果看不到任何已应用的标签,请检查标签配置是否包含了自动分类而不是建议的分类,或者启用“将建议的标记视为自动”(适用于扫描程序 2.7.x 和更高版本)。If you don't see any labels applied, check that your label configuration includes automatic rather than recommended classification, or enable Treat recommended labeling as automatic (available in scanner version 2.7.x.x and above).

如果结果仍与预期不符,可能需要重新配置你为标签指定的条件。If the results are still not as you expect, you might need to reconfigure the conditions that you specified for your labels. 如果是这样,请根据需要重新配置条件并重复此过程,直到对结果满意为止。If that's the case, reconfigure the conditions as needed, and repeat this procedure until you are satisfied with the results. 然后自动更新配置,并选择性地更新保护设置。Then, update your configuration automatically, and optionally protection.

在 Azure 门户中查看更新Viewing updates in the Azure portal

扫描程序每隔 5 分钟向 Azure 信息保护发送此信息,这样你就可以准实时地在 Azure 门户中查看结果。Scanners send this information to Azure Information Protection every five minutes, so that you can view the results in near real time from the Azure portal. 有关详细信息,请参阅 Azure 信息保护报表For more information, see Reporting for Azure Information Protection.

Azure 门户仅显示有关上次扫描的信息。The Azure portal displays information about the last scan only. 如果需要查看先前扫描的结果,请返回到扫描程序计算机上存储的报表,它位于 %localappdata%\Microsoft\MSIP\Scanner\Reports 文件夹中。If you need to see the results of previous scans, return to the reports that are stored on the scanner computer, in the %localappdata%\Microsoft\MSIP\Scanner\Reports folder.

更改日志级别或位置Changing log levels or locations

ReportLevel 参数与 Set-AIPScannerConfiguration 配合使用来更改日志记录级别。Change the level of logging by using the ReportLevel parameter with Set-AIPScannerConfiguration.

无法更改报告文件夹位置或名称。The report folder location or name cannot be changed. 若要将报告存储到其他位置,请考虑对文件夹使用目录接合。If you want to store reports in a different location, consider using a directory junction for the folder.

例如,使用 Mklink 命令:mklink /j D:\Scanner_reports C:\Users\aipscannersvc\AppData\Local\Microsoft\MSIP\Scanner\ReportsFor example, use the Mklink command: mklink /j D:\Scanner_reports C:\Users\aipscannersvc\AppData\Local\Microsoft\MSIP\Scanner\Reports

如果在完成初始配置和安装后执行了这些步骤,请继续阅读配置扫描程序以应用分类和保护If you've performed these steps after an initial configuration and installation, continue with Configure the scanner to apply classification and protection.

停止扫描Stopping a scan

若要停止当前仍在运行的扫描,请使用以下方法之一:To stop a currently running scan before it's complete, use one of the following methods:

  • Azure 门户。Azure portal. 选择“停止扫描”:Select Stop scan:

    停止 Azure 信息保护扫描程序的扫描

  • 运行 PowerShell 命令。Run a PowerShell command. 运行下面的命令:Run the following command:


重新扫描文件Rescanning files

对于第一个扫描周期,扫描程序会检查所配置的数据存储中的所有文件。For the first scan cycle, the scanner inspects all files in the configured data stores. 对于后续扫描,只会检查新文件或已修改的文件。For subsequent scans, only new or modified files are inspected.

当你希望报表能包含所有文件、更改都能应用到所有文件中以及扫描程序以发现模式运行时,再次检查所有文件会非常有用。Inspecting all files again is typically useful when you want the reports to include all files, when you have changes that you want to apply across all files, and when the scanner runs in discovery mode.

要手动运行完全重新扫描:To manually run a full rescan:

  1. 在 Azure 门户中导航到“Azure 信息保护 - 内容扫描作业”窗格。Navigate to the Azure Information Protection - Content scan jobs pane in the Azure portal.

  2. 从列表中选择你的内容扫描作业,然后选择“重新扫描所有文件”选项:Select your content scan job from the list, and then select the Rescan all files option:

    启动 Azure 信息保护扫描程序重新扫描

完成完全扫描后,扫描类型将自动更改为增量扫描,这样,后续扫描只会再次扫描新文件或已修改的文件。When a full scan is complete, the scan type automatically changes to incremental so that for subsequent scans, only new or modified files are scanned again.


如果你已对 AIP 内容扫描作业进行更改,Azure 门户将提示你跳过完整重新扫描。If you've made changes to your AIP content scan job, the Azure portal will prompt you to skip a full rescan. 若要确保进行重新扫描,请确保在显示的提示中选择“否”。To ensure that your rescan occurs, make sure to select No in the prompt that appears.

通过修改设置触发完整重新扫描(版本 或更低)Trigger a full rescan by modifying your settings (versions and lower)

在扫描程序版本 或更低版本中,无论扫描程序是否为自动标签和推荐的标签检测新的或已更改的设置,它都会扫描所有文件。In scanner versions and lower, all files are scanned whenever the scanner detects new or changed settings for automatic and recommended labeling. 扫描程序每 4 小时自动刷新一次策略。The scanner automatically refreshes the policy every four hours.

若要尽快刷新策略(例如在测试时),请手动删除 %LocalAppData%\Microsoft\MSIP\mip<processname>\mip 目录中的内容,然后重启 Azure 信息保护服务。To refresh the policy sooner, such as while testing, manually delete the contents of the %LocalAppData%\Microsoft\MSIP\mip<processname>\mip directory and restart the Azure Information Protection service.

如果你还更改了标签的保护设置,请从保存已更新的保护设置时开始算起额外等待 15 分钟,然后重启 Azure 信息保护服务。If you've also changed protection settings for your labels, wait an extra 15 minutes from when you saved the updated protection settings before restarting the Azure Information Protection service.


如果已升级到版本 或更高版本,AIP 会为已更新的设置跳过完整重新扫描,以确保性能一致。If you've upgraded to version or later, AIP skips the full rescan for updated settings to ensure consistent performance. 如果已升级,请确保根据需要手动运行完全重新扫描If you've upgraded, make sure to run a full rescan manually as needed.

例如,如果已将“敏感度策略”设置从“Enforce = Off”更改为“Enforce = On”,请确保运行完全重新扫描以在内容中应用标签。 For example, if you’ve changed Sensitivity policy settings from Enforce = Off to Enforce = On, make sure to run a full rescan to apply your labels across your content.

后续步骤Next steps