使用 Microsoft Intune 策略管理设备上的设置和功能Manage settings and features on your devices with Microsoft Intune policies

适用于:经典门户中的 IntuneApplies to: Intune in the classic portal
在寻找有关 Azure 门户中 Intune 的文档吗?Looking for documentation about Intune in the Azure portal? 请转到此处Go here.

Microsoft Intune 策略是控制移动设备和计算机上的功能的设置的组合。Microsoft Intune policies are groups of settings that control features on mobile devices and computers. 使用包含建议设置或自定义设置的模板创建策略,然后将其部署到设备或用户组。You create policies by using templates that contain recommended or custom settings, and then you deploy them to device or user groups.

策略类型Types of policies

Intune 策略划分为以下类别。Intune policies fall into the following categories. 使用的类别会影响创建和部署策略的方式。The category that you use affects how you create and deploy the policy.

  • 配置策略:通常用于管理设备上的安全设置和功能。Configuration policies: These are commonly used to manage security settings and features on your devices. 通过本主题中的信息可了解如何创建和部署这些策略,以及如何查看可用的设置。Use the information in this topic to learn about how to create and deploy these policies and to explore the available settings.
  • 设备合规性策略:定义设备必须遵从的规则和设置,以便将设备视为符合条件性访问策略。Device compliance policies: These define the rules and settings that a device must comply with in order to be considered compliant by conditional access polices. 你也可使用合规性策略来监视和修复与条件性访问无关的设备的合规性。You can also use compliance policies to monitor and remediate the compliance of devices independent of conditional access. 有关详细信息,请参阅 Microsoft Intune 中的设备合规性策略For details, see Device compliance policies in Microsoft Intune.
  • 条件性访问策略:这些策略可根据你指定的条件帮助确保电子邮件和其他服务的安全。Conditional access polices: These policies help you secure email and other services, depending on conditions that you specify. 有关详细信息,请参阅使用 Microsoft Intune 限制对电子邮件和 O365 服务的访问For details, see Restrict access to email and O365 services with Microsoft Intune.
  • 企业设备注册策略:有关企业设备注册策略的信息,请参阅使用 Microsoft Intune 设置 iOS 和 Mac 管理Corporate device enrollment policies: For information about corporate device enrollment policies, see Set up iOS and Mac management with Microsoft Intune.
  • 资源访问策略:这些策略一同协作,帮助你的用户在任何地方都可以获取成功完成其工作所需的文件和资源的访问权限。Resource access policies: These policies work together to help your users gain access to the files and resources that they need to do their work successfully, wherever they are. 有关详细信息,请参阅使用 Microsoft Intune 启用对公司资源的访问For details, see Enable access to company resources with Microsoft Intune.

有关 Intune 策略的完整列表,请参阅 Microsoft Intune 策略参考For a complete list of Intune policies, see Microsoft Intune policy reference.

创建配置策略Create a configuration policy

  1. Microsoft Intune 管理控制台中,选择“策略”>“配置策略”>“添加”。In the Microsoft Intune administration console, choose Policy > Configuration Policies > Add.

  2. 选择你想要的策略,然后选择使用策略的推荐设置(如果可用;可在稍后更改这些设置),或者选择使用自己的设置创建自定义策略。Choose the policy that you want, choose to use the recommended settings for the policy (if available; you can change these settings later), or choose to create a custom policy with your own settings.


    有关选择正确策略的帮助,请参阅 Microsoft Intune 策略参考For help choosing the right policy, see the Microsoft Intune policy reference.

  3. 准备好后,选择“创建策略”。When you are ready, choose Create Policy.

  4. 在“创建策略”页,配置策略名称和可选描述。On the Create Policy page, configure a name and optional description for the policy.

  5. 配置必要的策略设置,然后选择“保存策略”。Configure the required policy settings, and then choose Save Policy.

    如果你需要有关任何策略设置的帮助,请从以下列表中选择策略类型:If you need help with any policy settings, choose your policy type from the following list:

  6. 在确认对话框中,选择“是”以立即部署策略,或选择“否”以创建而不部署策略。In the confirmation dialog box, choose Yes to deploy the policy now, or choose No to create the policy without deploying it.

你可以通过浏览“策略”工作区中的每个策略类型部分来查看和编辑新策略。You can view and edit the new policy by browsing through the sections for each policy type in the Policy workspace.

在创建使用建议设置的策略时,新策略的名称是模板名称、日期和时间的组合。When you create a policy that uses the recommended settings, the name of the new policy is a combination of the template name, date, and time. 编辑该策略时,名称将更新为包含编辑的时间和日期。When you edit the policy, the name is updated with the time and date of the edit.

创建策略后,你通常想要将其部署到一个或多个用户或设备组。After you create a policy, you will typically want to deploy it to one or more groups of users or devices.


你不会部署所有策略类型。You don't deploy all policy types. 例如,不会部署移动应用管理 (MAM) 策略。For example, the mobile application management (MAM) policy is not deployed. 相反,此策略类型将与应用关联,之后你就可部署。This policy type is instead associated with an app, which you then deploy.

部署配置策略Deploy a configuration policy

  1. 在“策略”工作区中,选择想要部署的策略,然后选择“管理部署”。In the Policy workspace, select the policy that you want to deploy, and then choose Manage Deployment.

  2. 在“管理部署” 对话框中:In the Manage Deployment dialog box:

    • 若要部署策略,选择想要向其部署策略的一个或多个组,然后选择“添加”>“确定”。To deploy the policy, select one or more groups to which you want to deploy the policy, and then choose Add > OK.

    • 若要关闭对话框而不部署策略,请选择“取消”。To close the dialog box without deploying the policy, choose Cancel.

如果你选择的是已部署的策略,则可以在策略列表的下半部分查看有关部署的详细信息。When you select a deployed policy, you can view further information about the deployment in the lower part of the policies list.

管理策略Manage policies

  1. 在“Microsoft Intune 管理控制台”中,选择“策略”,然后浏览到并选择你想要管理的策略。In the Microsoft Intune administration console, choose Policy, and then browse to and select the policy that you want to manage.

  2. 选择下列其中一项操作:Select one of the following actions:

  • 编辑:打开所选策略的属性以便进行更改。Edit: Open the properties for the selected policy so that you can make changes.
  • 删除:删除所选的策略。Delete: Delete the selected policy.
    在删除策略时,会将该策略从它已部署到的所有组中删除。When you delete a policy, it is removed from all groups to which it was deployed.
  • 管理部署:选中要对其部署策略的组,然后选择“添加”。Manage Deployment: Select the group that you want to deploy the policy to, and then choose Add.

有关 Intune 策略的常见问题Frequently asked questions about Intune policies

策略或应用部署完成后,移动设备需要多长时间获取?How long does it take for mobile devices to get a policy or apps after they have been deployed?

策略或应用部署完成后,Intune 会立即开始尝试通知设备其应签入到 Intune 服务。When a policy or an app is deployed, Intune immediately begins attempting to notify the device that it should check in with the Intune service. 这通常可在五分钟内完成。This typically takes less than five minutes.

如果首次发出通知后设备未签入以获取策略,则 Intune 还会尝试通知 3 次。If a device doesn't check in to get the policy after the first notification is sent, Intune makes three more attempts. 如果设备脱机(例如设备已关机或未连接至网络),则可能无法收到通知。If the device is offline (for example, it is turned off or not connected to a network), it might not receive the notifications. 在这种情况下,设备将按照以下设置在下次计划的签入到 Intune 服务时获取策略:In this case, the device will get the policy on its next scheduled check-in with the Intune service as follows:

  • iOS 和 Mac OS X:每 6 小时。iOS and Mac OS X: Every 6 hours.
  • Android:每 8 小时。Android: Every 8 hours.
  • Windows Phone:每 8 小时。Windows Phone: Every 8 hours.
  • 注册为设备的 Windows 8.1 和 Windows 10 电脑 - 每 8 小时。Windows 8.1 and Windows 10 PCs enrolled as devices: Every 8 hours.

如果设备刚进行注册,则签入会更频繁,具体如下:If the device has just enrolled, the check-in frequency will be more frequent, as follows:

  • iOS 和 Mac OS X:6 小时内每 15 分钟一次,之后每 6 小时一次。iOS and Mac OS X: Every 15 minutes for 6 hours, and then every 6 hours.
  • Android:15 分钟内每 3 分钟一次,接下来的 2 小时内每 15 分钟一次,之后每 8 小时一次。Android: Every 3 minutes for 15 minutes, then every 15 minutes for 2 hours, and then every 8 hours.
  • Windows Phone:15 分钟内每 5 分钟一次,接下来的 2 小时内每 15 分钟一次,之后每 8 小时一次。Windows Phone: Every 5 minutes for 15 minutes, then every 15 minutes for 2 hours, and then every 8 hours.
  • 注册为设备的 Windows 电脑:30 分钟内每 3 分钟一次,之后每 8 小时一次。Windows PCs enrolled as devices: Every 3 minutes for 30 minutes, and then every 8 hours.

用户还可以打开公司门户应用并同步设备以立即随时检查策略。Users can also open the Company Portal app and sync the device to immediately check for the policy anytime.

哪些操作会导致 Intune 立即向设备发送通知?What actions cause Intune to immediately send a notification to a device?

当设备收到告知它们签入的通知时或者在定期的计划签入期间,设备会签入到 Intune。Devices check in with Intune either when they receive a notification that tells them to check in or during their regularly scheduled check-in. 当你针对某个设备或用户执行特定操作时,例如擦除、锁定、密码重置、应用部署、配置文件部署(Wi-Fi、VPN、电子邮件等)或策略部署,Intune 会立即开始尝试通知设备其应签入到 Intune 服务以接收这些更新。When you target a device or user specifically with an action such as a wipe, lock, passcode reset, app deployment, profile deployment (Wi-Fi, VPN, email, etc.), or policy deployment, Intune will immediately begin trying to notify the device that it should check in with the Intune service to receive these updates.

其他变更(如在公司门户中修订合同信息)不会导致立即向设备发送通知。Other changes, such as revising the contact information in the company portal, do not cause an immediate notification to devices.

如果多个策略被部署到同一用户或设备,如何知道会应用哪些设置?If multiple policies are deployed to the same user or device, how do I know which settings will get applied?

当两个或多个策略被部署到同一用户或设备时,将在单个设置级别上评估具体应用哪个设置。When two or more policies are deployed to the same user or device, the evaluation for which setting is applied happens at the individual setting level:

  • 合规性策略设置始终优先于配置策略设置。Compliance policy settings always have precedence over configuration policy settings.

  • 如果针对不同合规性策略中的相同设置进行评估,则应用限制最严格的合规性策略设置。The most restrictive compliance policy setting is applied if it is evaluated against the same setting in a different compliance policy.

  • 如果配置策略设置与不同配置策略中的设置冲突,则将在 Intune 控制台中显示此冲突。If a configuration policy setting conflicts with a setting in a different configuration policy, this conflict will be displayed in the Intune console. 必须手动解决此类冲突。You must manually resolve such conflicts.

移动应用管理策略相互冲突时会发生什么情况?What happens when mobile application management policies conflict with each other? 哪一种策略将应用于应用?Which one will be applied to the app?

除数字输入字段(如重置之前尝试 PIN)外,冲突值是 MAM 策略中限制最严格的设置。Conflict values are the most restrictive settings available in a MAM policy, except for the number entry fields (like PIN attempts before reset). 数字输入字段将设定为与你使用建议的设置选项在控制台中创建 MAM 策略时一样的值。The number entry fields will be set the same as the values, as if you created a MAM policy in the console by using the recommended settings option.

两个策略设置相同时即会发生冲突。Conflicts occur when two policy settings are the same. 例如,除复制/粘贴设置外,你配置了两个完全相同的 MAM 策略。For example, you configured two MAM policies that are identical except for the copy/paste setting. 在此方案中,复制/粘贴设置将设定为限制最严格的值,但其余设置将应用配置的值。In this scenario, the copy/paste setting will be set to the most restrictive value, but the rest of the settings will be applied as configured.

如果一个策略部署到应用且生效,然后部署第二个策略,则第一个策略的优先级更高并且会继续应用该策略,而第二个策略将显示冲突。If one policy is deployed to the app and takes effect, and then a second one is deployed, the first one will take precedence and stay applied, while the second shows in conflict. 如果两个策略同时应用,即它们的优先级一样,则两个都会显示冲突。If they are both applied at the same time, meaning that there is no preceding policy, then they will both be in conflict. 任何冲突的设置都将设定为限制最严格的值。Any conflicting settings will be set to the most restrictive values.

iOS 自定义策略冲突时会发生什么情况?What happens when iOS custom policies conflict?

Intune 不会评估 Apple 配置文件或自定义开放移动联盟统一资源标识符 (OMA-URI) URI 策略的负载。Intune does not evaluate the payload of Apple Configuration files or a custom Open Mobile Alliance Uniform Resource Identifier (OMA-URI) policy. 它只作为传送机制。It merely serves as the delivery mechanism.

部署自定义策略时,请确保配置的设置不会与合规性、配置或其他自定义策略冲突。When you deploy a custom policy, ensure that the configured settings do not conflict with compliance, configuration, or other custom policies. 如果自定义策略与设置冲突,则应用设置的顺序是随机的。In the case of a custom policy with settings conflicts, the order in which settings are applied is random.

当策略被删除,或不再适用时,会发生什么情况?What happens when a policy is deleted or no longer applicable?

当你删除某个策略,或从策略部署到的组中删除设备时,策略和设置将会根据下表从设备中删除。When you delete a policy, or you remove a device from a group to which a policy was deployed, the policy and settings will be removed from the device according to the following lists.

“注册的设备”Enrolled devices

  • Wi-Fi、VPN、证书和电子邮件配置文件:这些配置文件会从所有支持的已注册设备中删除。Wi-Fi, VPN, certificate, and email profiles: These profiles are removed from all supported enrolled devices.
  • 所有其他策略类型:All other policy types:

    • Windows 和 Android 设备:设置不会从设备中删除。Windows and Android devices: Settings are not removed from the device.
    • Windows Phone 8.1 设备:会删除以下设置:Windows Phone 8.1 devices: The following settings are removed:

      • 需要密码才可解锁移动设备Require a password to unlock mobile devices
      • 允许简单密码Allow simple passwords
      • 最短密码长度Minimum password length
      • 所需的密码类型Required password type
      • 密码过期(天数)Password expiration (days)
      • 记住密码历史记录Remember password history
      • 擦除设备前允许的重复登录失败次数Number of repeated sign-in failures to allow before the device is wiped
      • 需要提供密码之前处于非活动状态的分钟数Minutes of inactivity before password is required
      • 所需密码类型 - 最小字符集数Required password type – minimum number of character sets
      • 允许相机Allow camera
      • 需要对移动设备加密Require encryption on mobile device
      • 允许可移动存储Allow removable storage
      • 允许 Web 浏览器Allow web browser
      • 允许应用程序商店Allow application store
      • 允许屏幕捕获Allow screen capture
      • 允许地理位置Allow geolocation
      • 支持 Microsoft 帐户Allow Microsoft account
      • 允许复制和粘贴Allow copy and paste
      • 允许 Wi-Fi tetheringAllow Wi-Fi tethering
      • 允许自动连接到免费 Wi-Fi 热点Allow automatic connection to free Wi-Fi hotspots
      • 允许 Wi-Fi 热点报告Allow Wi-Fi hotspot reporting
      • 允许恢复出厂设置Allow factory reset
      • 允许蓝牙Allow Bluetooth
      • 允许 NFCAllow NFC
      • 允许 Wi-FiAllow Wi-Fi
    • iOS:删除所有设置,但不包括:iOS: All settings are removed, except:

      • 允许语音漫游Allow voice roaming
      • 允许数据漫游Allow data roaming
      • 允许漫游时自动同步Allow automatic synchronization while roaming

运行 Intune 客户端软件的 Windows PCWindows PCs running the Intune client software

如何刷新设备的策略以确保是最新的策略(仅适用于运行 Intune 客户端软件的 Windows 电脑)?How can I refresh the policies on a device to ensure that they are current (applies to Windows PCs running the Intune client software only)?

  1. 在任一设备组中,选择要在其上刷新策略的设备,然后选择“远程任务”>“刷新策略”。In any device group, select the devices on which you want to refresh the policies, and then choose Remote Tasks > Refresh Policies.
  2. 选择 Intune 管理控制台右下角的“远程任务”可检查任务状态。Choose Remote Tasks in the lower-right corner of the Intune administration console to check the task status.

在哪里可以找到有关排查策略问题的帮助?Where can I find help troubleshooting policies?

请参阅 Microsoft Intune 中的故障排除策略See Troubleshoot policies in Microsoft Intune.