Intune policy settings for Windows 10 devices in Microsoft Intune

Applies to: Intune in the classic console
Looking for documentation about Intune on Azure? Go here.

This topic contains information to help you understand the Intune policy settings that you can use to manage Windows 10 devices. Read this topic alongside the procedures in Manage settings and features on your devices with Microsoft Intune policies.

You can choose from two policy types:

  • Custom policy: Use the Microsoft Intune custom policy for Windows 10 and Windows 10 Mobile to deploy OMA-URI (Open Mobile Alliance Uniform Resource Identifier) settings that can be used to control features on devices. Windows 10 makes many CSP settings available, for example, the Policy Configuration Service Provider (Policy CSP).
  • General configuration policy: Use this policy type when you want to select settings from the built-in list that's supplied with Microsoft Intune.

Custom policy settings

Supply the following settings in a custom policy.

General settings

Enter a name and an optional description for this policy to help you identify it in the Intune console.

OMA-URI settings

For each OMA-URI setting you want to add, enter the following information. Use the Windows 10 URI settings reference in this topic to learn about the settings you can use:

  • Setting name: Enter a unique name for the OMA-URI setting to help you identify it in the list of settings.
  • Setting description: Optionally, enter a description for the setting.
  • Data type: Choose from the following data types:
    • String
    • String (XML)
    • Date and time
    • Integer
    • Floating point
    • Boolean
  • OMA-URI (case sensitive): Specify the OMA-URI you want to supply a setting for.
  • Value: Specify the value to associate with the OMA-URI that you entered.

Example

In the following screenshot, the setting Connectivity/AllowVPNOverCellular has been enabled. This lets a Windows 10 device open a VPN connection when it's on a cellular network.

Example of a custom policy containing VPN settings
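
As an added example (not part of the original topic and not Intune's own code), the following Python code lints a list of custom-policy OMA-URI settings before they are entered in the console. It checks that setting names are unique, that the data type is one of those listed above, that the value parses as that type, and that the OMA-URI casing matches a reference list. The field names, the `REFERENCE_URIS` list, the ISO 8601 date format and the full Policy CSP path used for Connectivity/AllowVPNOverCellular are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Data types offered by the custom policy form, as listed on this page.
DATA_TYPES = {"String", "String (XML)", "Date and time", "Integer",
              "Floating point", "Boolean"}
# Assumption: a reference list you maintain from the CSP documentation.
REFERENCE_URIS = {"./Vendor/MSFT/Policy/Config/Connectivity/AllowVPNOverCellular"}

def value_matches(data_type, value):
    """Return True when the text value parses as the declared data type."""
    try:
        if data_type == "Integer":
            int(value)
        elif data_type == "Floating point":
            float(value)
        elif data_type == "Boolean":
            return value.lower() in ("true", "false")
        elif data_type == "Date and time":
            datetime.fromisoformat(value)  # assumed ISO 8601 input
        elif data_type == "String (XML)":
            ET.fromstring(value)
    except (ValueError, ET.ParseError):
        return False
    return True

def lint(settings):
    """Return (setting name, problem) tuples for a list of OMA-URI settings."""
    problems, names = [], set()
    by_lower = {u.lower(): u for u in REFERENCE_URIS}
    for s in settings:
        name, uri = s["name"], s["oma_uri"]
        if name in names:
            problems.append((name, "setting name is not unique"))
        names.add(name)
        if s["data_type"] not in DATA_TYPES:
            problems.append((name, "unknown data type"))
        elif not value_matches(s["data_type"], s["value"]):
            problems.append((name, "value does not match data type"))
        # OMA-URIs are case sensitive, so a case-only difference is a typo.
        if uri not in REFERENCE_URIS and uri.lower() in by_lower:
            problems.append((name, "casing differs from " + by_lower[uri.lower()]))
    return problems

# Constructed sample input: the page's example setting, then a mistyped copy.
SAMPLE = [
    {"name": "Allow VPN over cellular", "data_type": "Integer", "value": "1",
     "oma_uri": "./Vendor/MSFT/Policy/Config/Connectivity/AllowVPNOverCellular"},
    {"name": "VPN over cellular (typo)", "data_type": "Integer", "value": "yes",
     "oma_uri": "./vendor/msft/policy/config/connectivity/allowvpnovercellular"},
]
```

Calling `lint(SAMPLE)` reports two problems for the second entry and none for the first.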

How to find the policies you can configure

You'll find a complete list of all configuration service providers (CSPs) that Windows 10 supports in the Configuration service provider reference in the Windows documentation library.

Not all settings are compatible with all Windows 10 versions. The table in the Windows topic tells you which versions are supported for each CSP.

Additionally, Intune does not support all of the settings listed in the topic. To find out if Intune supports the setting you want, open the topic for that setting. Each setting page shows its supported operations. To work with Intune, the setting must support the Add or Replace operations.

General configuration policy settings

Use the Microsoft Intune general configuration policy for Windows 10 to configure built-in settings for enrolled Windows 10 desktop and Windows 10 Mobile devices.

Password

| Setting name | Additional information (where required) |
| --- | --- |
| Require a password to unlock devices | - |
| Required password type | Specifies whether the password must be alphanumeric or numeric only |
| Required password type - Minimum number of character sets | Specifies how many of the character sets (lowercase letters, uppercase letters, numbers, and symbols) must be included in the password |
| Minimum password length | Applies to Windows 10 Mobile only |
| Number of repeated sign-in failures to allow before the device is wiped | For devices that are running Windows 10: If the device has BitLocker enabled, it's put into BitLocker recovery mode after sign-in fails the number of times that you specified. If the device is not BitLocker enabled, then this setting doesn't apply. For devices that are running Windows 10 Mobile: After sign-in fails the number of times you specify, the device is wiped. |
| Minutes of inactivity before screen turns off | Specifies the length of time a device must be idle before the screen is locked |
| Password expiration (days) | Specifies the length of time after which the device password must be changed |
| Remember password history | Specifies whether to restrict the user from creating previously used passwords |
| Remember password history - Prevent reuse of previous passwords | Specifies the number of previously used passwords that are remembered by the device |
| Require a password when the device returns from an idle state | Specifies that the user must enter a password to unlock the device (Windows 10 Mobile only) |

Encryption

| Setting name | Additional information (where required) |
| --- | --- |
| Require encryption on mobile device | Enables encryption on targeted devices (Windows 10 Mobile only) |

System

| Setting name | Additional information (where required) |
| --- | --- |
| Allow screen capture | Lets the user capture the device screen as an image (Windows 10 Mobile only) |
| Allow manual unenrollment | Lets the user manually delete the workplace account from the device |
| Allow manual root certificate installation | Applies to Windows 10 Mobile |
| Allow diagnostic and usage data to be sent to Microsoft | Possible values are: No - No data is sent to Microsoft; Basic - Limited information is sent to Microsoft; Enhanced - Enhanced diagnostic data is sent to Microsoft; Full (recommended) - Sends the same data as Enhanced, plus additional data about the device state |

Account and synchronization

| Setting name | Additional information (where required) |
| --- | --- |
| Allow Microsoft account | Lets the user associate a Microsoft account with the device |
| Allow adding non-Microsoft accounts manually | Lets the user add email accounts to the device that are not associated with a Microsoft account |
| Allow settings synchronization for Microsoft accounts | Allow device and app settings that are associated with a Microsoft account to synchronize between devices |

Microsoft Edge

| Setting name | Additional information (where required) |
| --- | --- |
| Allow web browser | Allows the use of the Edge web browser on the device (Windows 10 Mobile only) |
| Allow search suggestions in address bar | Lets your search engine suggest sites as you type search phrases |
| Allow sending intranet traffic to Internet Explorer | Lets users open intranet websites in Internet Explorer (Windows 10 desktop only) |
| Allow do not track | Configures the Edge browser to send do not track headers to websites that users visit |
| Enable SmartScreen | - |
| Allow active scripting | Allows scripts, such as JavaScript, to run in the Edge browser |
| Allow pop-ups | Applies to Windows 10 desktop only |
| Allow cookies | - |
| Allow Autofill | Allows users to change autocomplete settings in the browser (Windows 10 desktop only) |
| Allow Password Manager | Enables or disables the Edge Password Manager feature |
| Enterprise Mode site list location | Specifies where to find the list of web sites that open in Enterprise mode. Users cannot edit this list. (Windows 10 desktop only) |

Apps

| Setting name | Additional information (where required) |
| --- | --- |
| Allow application store | Applies to Windows 10 Mobile only |

Cellular

| Setting name | Additional information (where required) |
| --- | --- |
| Allows data roaming | Allow roaming between networks when accessing data |
| Allow VPN over cellular | Controls whether the device can access VPN connections when connected to a cellular network |
| Allow VPN roaming over cellular | Controls whether the device can access VPN connections when roaming on a cellular network |

Hardware

| Setting name | Additional information (where required) |
| --- | --- |
| Allow camera | - |
| Allow removable storage | Specifies whether external storage devices such as an SD card can be used with the device |
| Allow Wi-Fi | Applies to Windows 10 Mobile only |
| Allow Internet sharing | Allows the use of Internet connection sharing on the device |
| Allow manual Wi-Fi configuration | Controls whether the user can configure their own Wi-Fi connections, or whether they can only use connections configured by a Wi-Fi profile (Windows 10 Mobile only) |
| Allow automatic connection to free Wi-Fi hotspots | Lets the device automatically connect to free Wi-Fi hotspots and automatically accept any terms and conditions for the connection |
| Allow geolocation | Specifies whether the device can use location services information |
| Allow NFC | Allows the device to use its Near Field Communications capabilities |
| Allow Bluetooth | - |
| Allow Bluetooth discoverable mode | Lets this device be discovered by other Bluetooth-enabled devices |
| Allow Bluetooth advertising | Allows devices to receive advertisements over Bluetooth |
| Allow phone reset | Controls whether the user can do a factory reset on their device |
| Allow USB connection | Controls whether devices can access external storage devices through a USB connection |
| Allow AntiTheft mode | Configure whether Windows AntiTheft mode is enabled |

Features

| Setting name | Additional information (where required) |
| --- | --- |
| Allow copy and paste | Applies to Windows 10 Mobile only |
| Allow voice recording | Applies to Windows 10 Mobile only |
| Allow Cortana | Enable or disable the Cortana voice assistant |
| Allow action center notifications | Enable or disable action center notifications on the device lock screen (Windows 10 Mobile only) |

Windows Defender

All settings are for Windows 10 desktop only.

| Setting name | Additional information (where required) |
| --- | --- |
| Allow real-time monitoring | Enables real-time scanning for malware, spyware, and other unwanted software |
| Allow behavior monitoring | Lets Defender check for certain known patterns of suspicious activity on devices |
| Enable Network Inspection System | The Network Inspection System (NIS) helps to protect devices against network-based exploits by using the signatures of known vulnerabilities from the Microsoft Endpoint Protection Center to help detect and block malicious traffic |
| Scan all downloads | Controls whether Defender scans all files that are downloaded from the Internet |
| Allow script scanning | Lets Defender scan scripts that are used in Internet Explorer |
| Monitor file and program activity | Allows Defender to monitor file and program activity on devices |
| Days to track resolved malware | Lets Defender continue to track resolved malware for the number of days you specify so that you can manually check previously affected devices. If you set the number of days to 0, malware remains in the Quarantine folder and is not automatically removed. |
| Allow client UI access | Controls whether the Windows Defender user interface is hidden from users. When this setting is changed, it takes effect the next time the user's PC is restarted. |
| Schedule a daily quick scan | Lets you schedule a quick scan that occurs daily at the time you select |
| Schedule a system scan | Lets you schedule a full or quick system scan that occurs regularly on the day and time you select |
| Limit CPU usage during a scan | Lets you limit the amount of CPU that scans are allowed to use (from 1 to 100) |
| Scan archive files | Allows Defender to scan archived files such as .zip or .cab files. |
| Scan email messages | Allows Defender to scan email messages as they arrive on the device |
| Scan removable drives | Lets Defender scan removable drives like USB sticks |
| Scan mapped network drives | Lets Defender scan files on mapped network drives. If the files on the drive are read-only, Defender will be unable to remove any malware found in them. |
| Scan files opened from network shared folders | Lets Defender scan files on shared network drives (for example, those accessed from a UNC path). If the files on the drive are read-only, Defender will be unable to remove any malware found in them. |
| Signature update interval | Specifies the interval at which Defender checks for new signature files. |
| Allow cloud protection | Allows or blocks the Microsoft Active Protection Service from receiving information about malware activity from devices that you manage. This information is used to improve the service in the future. |
| Prompt users for samples submission | Controls whether files that might require further analysis by Microsoft to determine if they are malicious are automatically sent to Microsoft |
| Potentially Unwanted Application Detection | Protects enrolled Windows desktop devices against running software that's classified by Windows Defender as potentially unwanted. You can protect against these applications running, or use audit mode to report when a potentially unwanted application is installed. |
| Files and folders to exclude when running a scan or using real-time protection | Adds one or more files and folders like C:\Path or %ProgramFiles%\Path\filename.exe to the exclusions list. These files and folders aren't included in any real-time or scheduled scans. |
| File extensions to exclude when running a scan or using real-time protection | Add one or more file extensions like jpg or txt to the exclusions list. Any files with these extensions are not included in any real-time or scheduled scans. |
| Processes to exclude when running a scan or using real-time protection | Adds one or more processes of the type .exe, .com, or .scr to the exclusions list. These processes are not included in any real-time or scheduled scans. |
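
Because excluded files, extensions and processes are left out of every real-time and scheduled scan, a proposed exclusion list is worth reviewing before it goes into the policy. The following Python code is an added example (not part of the original topic and not Intune or Defender code) that flags overly broad entries in the three exclusion lists described above; the dictionary layout, `RISKY_EXTENSIONS` and `BROAD_PATHS` are assumptions of this example to adapt to your own policy.

```python
import re

# Assumption: extensions treated as executable or script content; tune to your policy.
RISKY_EXTENSIONS = {"exe", "dll", "com", "scr", "bat", "cmd", "ps1", "vbs", "js", "msi"}
# Assumption: locations considered too broad to exclude from scanning.
BROAD_PATHS = {"%systemdrive%", "%windir%", "%programfiles%", "%programdata%",
               "%userprofile%", "%temp%"}
# Process exclusions take these file types, per the setting description.
PROCESS_TYPES = (".exe", ".com", ".scr")


def review_path(path):
    """Return a reason string when a file or folder exclusion is too broad."""
    p = path.strip().rstrip("\\").lower()
    if re.fullmatch(r"[a-z]:", p):
        return "excludes an entire drive"
    if p in BROAD_PATHS:
        return "excludes a broad system, profile or temp location"
    if "*" in p or "?" in p:
        return "wildcard exclusion, scope depends on folder contents"
    return None


def review(policy):
    """Return (list, entry, reason) findings for a proposed exclusion policy."""
    findings = []
    for path in policy.get("paths", []):
        reason = review_path(path)
        if reason:
            findings.append(("paths", path, reason))
    for ext in policy.get("extensions", []):
        if ext.strip().lstrip(".").lower() in RISKY_EXTENSIONS:
            findings.append(("extensions", ext,
                             "executable or script type would never be scanned"))
    for proc in policy.get("processes", []):
        if not proc.strip().lower().endswith(PROCESS_TYPES):
            findings.append(("processes", proc, "not an .exe, .com or .scr process"))
    return findings


# Constructed sample: the page's example entries plus deliberately broad ones.
SAMPLE = {
    "paths": ["C:\\Path", "%ProgramFiles%\\Path\\filename.exe", "C:\\", "%TEMP%"],
    "extensions": ["jpg", "txt", ".PS1"],
    "processes": ["C:\\Tools\\agent.exe", "backup.bat"],
}
```

`review(SAMPLE)` returns four findings: the drive root, the temp location, the `.PS1` extension and the `backup.bat` process entry.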

Updates

| Setting name | Additional information (where required) |
| --- | --- |
| Allow automatic updates | Allows automatic updates. Configure one of the following settings to control update behavior: Notify download; Auto install at maintenance time; Auto install and reboot at maintenance time; Auto install and reboot at scheduled time. Note that when Auto install and reboot at scheduled time is selected, you can also configure the following settings: Suppress notification to end user and Define install day for scheduled updates. (Windows 10 desktop only) |
| Allow pre-release features | Lets Microsoft deploy pre-release settings and features to Windows 10 devices. You can select to allow settings only, or all pre-release settings and features to be installed. |

See also

Manage settings and features on your devices with Microsoft Intune policies
