Resolve Group Policy Objects (GPO) and Microsoft Intune policy conflicts

Applies to: Intune in the classic portal
Looking for documentation about Intune in the Azure portal? Go here.

Intune uses policies that help you manage settings on Windows PCs. For example, you can use a policy to control settings for the Windows Firewall on PCs. Many Intune settings are similar to settings that you might configure with Windows Group Policy. However, it is possible that, at times, the two methods might conflict with each other.

When conflicts happen, domain-level Group Policy takes precedence over Intune policy, unless the PC can’t sign in to the domain. In this case, Intune policy is applied to the client PC.

What to do if you are using Group Policy

Make sure that the policies you apply are not also being managed by Group Policy. To help prevent conflicts, you can use one or more of the following methods:

  • Move your PCs to an Active Directory organizational unit (OU) that does not have Group Policy settings applied before you install the Intune client. You can also block Group Policy inheritance on OUs that contain PCs enrolled in Intune to which you do not want to apply Group Policy settings.

  • Use a security group filter to restrict GPOs only to PCs that are not managed by Intune.

  • Disable or remove the Group Policy Objects that conflict with the Intune policies.

For more information about Active Directory and Windows Group Policy, see your Windows Server documentation.

How to filter existing GPOs to avoid conflicts with Intune policy

If you have identified GPOs whose settings conflict with Intune policies, you can use security group filters to restrict those GPOs only to PCs that are not managed by Intune.

A GPO applies only to the security groups that are specified in the Security Filtering area of the Group Policy Management console for that GPO. By default, GPOs apply to Authenticated Users.

  • In the Active Directory Users and Computers snap-in, create a new security group that contains the computer and user accounts that you do not want Intune to manage. For example, you might name the group Not In Microsoft Intune.

  • In the Group Policy Management console, on the Delegation tab for the selected GPO, right-click the new security group to delegate the appropriate Read and Apply Group Policy permissions to both users and computers in the security group. (Apply Group Policy permissions are available on the Advanced dialog box.)

  • Then, apply the new security group filter to the selected GPO, and remove the Authenticated Users default filter.
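The following PowerShell script is an added example, not part of the original page or of Microsoft's Intune documentation. It performs the three steps above (create the group, delegate Read and Apply Group Policy, replace the Authenticated Users filter) with the ActiveDirectory and GroupPolicy RSAT modules, and then lists who can apply the GPO so you can verify the result. The GPO name, OU path and member accounts are assumptions; only the group name Not In Microsoft Intune comes from the page.

```powershell
# Added example (not from the original page). Requires the RSAT ActiveDirectory
# and GroupPolicy modules and an account that can edit the GPO and create groups.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GpoName   = 'Firewall Settings'            # assumed: the GPO that conflicts with Intune policy
$GroupName = 'Not In Microsoft Intune'      # group name suggested on the page
$GroupOU   = 'OU=Groups,DC=contoso,DC=com'  # assumed OU in which to create the group
$Members   = @('PC01$', 'jdoe')             # assumed sample computer (sAMAccountName ends in $) and user

# Step 1: create the security group that holds accounts Intune should NOT manage.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $GroupOU
}
Add-ADGroupMember -Identity $GroupName -Members $Members

# Step 2: delegate Read + Apply Group Policy to the new group.
# GpoApply grants both Read and Apply Group Policy, matching the Delegation tab action.
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group -PermissionLevel GpoApply

# Step 3: remove the default Authenticated Users filter so the GPO applies only to the group.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel None -Replace

# Caveat (MS16-072, June 2016): user-side settings are now retrieved in the computer's
# security context, so computer accounts still need Read on the GPO. Read-only does not
# make the GPO apply to them; it only lets them fetch it.
Set-GPPermission -Name $GpoName -TargetName 'Domain Computers' -TargetType Group -PermissionLevel GpoRead

# Verification: list every trustee that can still apply this GPO. Expect only the new group.
Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object @{ Name = 'Trustee'; Expression = { $_.Trustee.Name } }, Permission

# Alternative from the earlier list (block inheritance on the OU holding Intune-enrolled PCs),
# shown for comparison; $IntunePcOU is an assumed path:
# Set-GPInheritance -Target 'OU=Intune PCs,DC=contoso,DC=com' -IsBlocked Yes
```

Run this on a domain-joined management workstation after `gpupdate` has been tested against a pilot PC. Because group membership is what now gates the GPO, the final verification step is the one to repeat whenever the group changes.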

The new security group must be maintained as enrollment in the Intune service changes.

See also

Manage Windows PCs with Microsoft Intune