Help protect your data with full or selective wipe using Microsoft Intune

Applies to: Intune in the classic console
Looking for documentation about Intune on Azure? Go here.

You can wipe apps and data from Intune-managed devices that are no longer needed, are being repurposed, or have gone missing. To do this, Intune provides selective wipe and full wipe capabilities. Users can also issue a remote device wipe command from the Intune Company Portal app on privately owned devices enrolled in Intune.

Note

This topic is only about wiping devices managed by Intune mobile device management. You can also use the Azure portal to wipe company data from apps. You can also retire computers managed with the Intune client software.

Full wipe

Full wipe restores a device to its factory default settings, removing all company and user data and settings. The device is removed from Intune. Full wipe is useful for resetting a device before giving it to a new user, or for instances where the device has been lost or stolen. Be careful about selecting full wipe. Data on the device cannot be recovered.

Warning

Windows 10 RTM devices (devices earlier than the Windows 10 version 1511) with less than 4 GB of RAM might become inaccessible if wiped. To access a Windows 10 device that has become unresponsive, you can boot the device from a USB drive.

Remotely wipe a device from the Intune administrator console

  1. Select devices to be wiped. You can find them either by user or by device.

    • By user:

      1. In the Intune administrator console, choose Groups > All Users.

      2. Choose the name of the user whose mobile device you want to wipe. Choose View Properties.

      3. On the user's Properties page, choose Devices, and then choose the name of the mobile device you want to wipe. To select multiple devices, use Ctrl+click.

    • By device:

      1. In the Intune administrator console, choose Groups > All Mobile Devices.


      2. Choose Devices, and then choose the name of the mobile device you want to wipe. To select multiple devices, use Ctrl+click.

  2. Choose Retire/Wipe.

  3. A confirmation message appears, asking you whether you want to retire the device.

    • To perform a Selective wipe that only removes company apps and data, choose Yes.

    • To perform a Full wipe that erases all apps and data and returns the device to factory default settings, choose Wipe the device before retiring. This action applies to all platforms except Windows 8.1. You cannot recover data removed by a full wipe.

If the device is on and connected, it takes less than 15 minutes for a wipe command to propagate across all device types.

To delete devices in the Azure Active Directory portal

  1. Browse to http://aka.ms/accessaad or choose Admin > Azure AD from https://portal.office.com.

  2. Log in with your Org ID using the link on the left side of the page.

  3. Create an Azure Subscription if you don’t have one. This should not require a credit card or payment if you have a paid account (choose the Register your free Azure Active Directory subscription link).

  4. Select Active Directory and then select your organization.

  5. Select the Users tab.

  6. Select the user whose devices you want to delete.

  7. Choose Devices.

  8. Remove devices as appropriate, such as those that are no longer in use, or those that have inaccurate definitions.

Selective wipe

Selective wipe removes company data, including mobile app management (MAM) data (where applicable), settings, and email profiles from a device. Selective wipe leaves the user's personal data on the device. The device is removed from Intune. The following tables describe what data is removed, and the effect on data that remains on the device after a selective wipe. (The tables are organized by platform.)

iOS

| Data type | iOS |
| --- | --- |
| Company apps and associated data installed by Intune | Apps are uninstalled. Company app data is removed. App data from Microsoft apps that use mobile app management is removed. The app is not removed. |
| Settings | Configurations that were set by Intune policy are no longer enforced, and users can change the settings. |
| Wi-Fi and VPN profile settings | Removed. |
| Certificate profile settings | Certificates are removed and revoked. |
| Management Agent | Management profile is removed. |
| Email | Email profiles that are provisioned through Intune are removed, and cached email on the device is deleted. |
| Outlook | Email received by the Microsoft Outlook app for iOS is removed. |
| Azure Active Directory (AAD) Unjoin | AAD Record is removed. |
| Contacts | Contacts synced directly from the app to the native address book are removed. Any contacts synced from the native address book to another external source cannot be wiped. Currently, only the Outlook app is supported. |

Android

| Data type | Android | Android Samsung KNOX Standard |
| --- | --- | --- |
| Web links | Removed. | Removed. |
| Unmanaged Google Play apps | Apps and data remain installed. | Apps and data remain installed. |
| Unmanaged line of business apps | Apps and data remain installed. | Apps are uninstalled and data local to the app is removed as a result. No data outside the app (for example, on an SD card) is removed. |
| Managed Google Play apps | App data is removed. App is not removed. Data protected by MAM encryption outside the app (for example, an SD card) remain encrypted and unusable, but aren't removed. | App data is removed. App is not removed. Data protected by MAM encryption outside the app (for example, an SD card) remain encrypted, but aren't removed. |
| Managed line of business apps | App data is removed. App is not removed. Data protected by MAM encryption outside the app (for example, an SD card) remain encrypted and unusable, but aren't removed. | App data is removed. App is not removed. Data protected by MAM encryption outside the app (for example, an SD card) remain encrypted and unusable, but aren't removed. |
| Settings | Configurations that were set by Intune policy are no longer enforced, and users can change the settings. | Configurations that were set by Intune policy are no longer enforced, and users can change the settings. |
| Wi-Fi and VPN profile settings | Removed. | Removed. |
| Certificate profile settings | Certificates revoked, but not removed. | Certificates removed and revoked. |
| Management Agent | Device Administrator privilege is revoked. | Device Administrator privilege is revoked. |
| Email | N/A. See the Outlook item. | Email profiles that are provisioned through Intune are removed, and cached email on the device is deleted. |
| Outlook | Email received by the Microsoft Outlook app for Android is removed, but only if Outlook is protected by MAM policies. Otherwise, Outlook is not wiped on unenrollment. | Email received by the Microsoft Outlook app for Android is removed, but only if Outlook is protected by MAM policies. Otherwise, Outlook is not wiped on unenrollment. |
| Azure Active Directory (AAD) Unjoin | AAD Record removed. | AAD Record removed. |
| Contacts | Contacts synced directly from the app to the native address book are removed. Any contacts synced from the native address book to another external source cannot be wiped. Currently, only the Outlook app is supported. | Contacts synced directly from the app to the native address book are removed. Any contacts synced from the native address book to another external source cannot be wiped. Currently, only the Outlook app is supported. |

Android for Work

Performing selective wipe on an Android for Work device removes all data, apps, and settings in the work profile on that device. This retires the device from management with Intune. Full wipe is not supported for Android for Work.

Windows

| Data type | Windows 8.1 (MDM) and Windows RT 8.1 | Windows RT | Windows Phone 8 and Windows Phone 8.1 | Windows 10 |
| --- | --- | --- | --- | --- |
| Company apps and associated data installed by Intune | Files protected by EFS will have their key revoked and the user will not be able to open the files. | Will not remove company apps. | Apps originally installed through the company portal are uninstalled. Company app data is removed. | Apps are uninstalled and sideloading keys are removed. |
| Settings | Configurations that were set by Intune policy are no longer enforced, and users can change the settings. | Configurations that were set by Intune policy are no longer enforced, and users can change the settings. | Configurations that were set by Intune policy are no longer enforced, and users can change the settings. | Configurations that were set by Intune policy are no longer enforced, and users can change the settings. |
| Wi-Fi and VPN profile settings | Removed. | Removed. | Not supported. | Removed. |
| Certificate profile settings | Certificates removed and revoked. | Certificates removed and revoked. | Not supported. | Certificates removed and revoked. |
| Email | Removes email that is EFS enabled, which includes the Mail app for Windows email and attachments. | Not supported. | Email profiles that are provisioned through Intune are removed, and cached email on the device is deleted. | Removes email that is EFS enabled, which includes the Mail app for Windows email and attachments. Removes mail accounts that were provisioned by Intune. |
| Azure Active Directory (AAD) Unjoin | No. | No. | AAD Record removed. | Not applicable. Windows 10 does not support selective wipe for Azure Active Directory joined devices. |

Wipe encryption file system (EFS)-enabled content

Selective wipe of EFS-encrypted content is supported by Windows 8.1 and Windows RT 8.1. The following points apply to a selective wipe of EFS-enabled content:

  • Only apps and data that are protected by EFS using the same Internet domain as the Intune account are selectively wiped. For more information, see Windows Selective Wipe for Device Data Management.

  • If any changes are made to the domain associated with EFS, the changes can take up to 48 hours before apps and data using the new domain can be selectively wiped.

  • Each domain that is registered with Intune will be wiped.

The data and apps that are currently supported by EFS selective wipe are:

  • Mail app for Windows

  • Work folders

  • Files and folders encrypted by EFS. For more information, see Best practices for the Encrypting File System.

  • If your organization maintains its identity in Active Directory, it must use the Directory Sync (DirSync) tool to sync information into AAD for EFS selective wipe to work correctly. For more information on DirSync, see Directory Sync Scenario in the Azure Active Directory documentation.

Monitor retire, wipe, and delete actions

To get a report of devices that have been retired, wiped, or deleted:

  1. In the Intune administrator console, choose Reports > Device History Reports.

  2. Provide a start and end date for the report, and then choose View Report.

This report also shows who performed the action.

See also

Retire devices

Windows Selective Wipe for Device Data Management
