Troubleshoot device enrollment in Intune

Applies to: Intune in the classic console
Looking for documentation about Intune on Azure? Go here.

This topic provides suggestions for troubleshooting device enrollment issues. If this information does not solve your problem, see How to get support for Microsoft Intune to find more ways to get help.

Initial troubleshooting steps

Before you begin troubleshooting, check to make sure that you've configured Intune properly to enable enrollment. You can read about those configuration requirements in:

Your managed device users can collect enrollment and diagnostic logs for you to review. User instructions for collecting logs are provided in:

General enrollment issues

These issues may occur on all device platforms.

Device cap reached

Issue: A user receives an error on their device during enrollment, such as a Company Portal Temporarily Unavailable error on an iOS device, and the DMPdownloader.log on Configuration Manager contains the error DeviceCapReached.

Resolution:

Check the number of devices enrolled and allowed

  1. Validate in the Intune admin portal that the user has no more than the allowable maximum of 15 devices assigned.

  2. Under Admin > Mobile Device Management > Enrollment Rules in the Intune admin console, check that the Device enrollment limit is set to 15.

Administrators can delete devices in the Azure Active Directory portal.

To delete devices in the Azure Active Directory portal

  1. Browse to http://aka.ms/accessaad or choose Admin > Azure AD from https://portal.office.com.

  2. Log in with your Org ID using the link on the left side of the page.

  3. If you don't already have one, create an Azure subscription by choosing the Register your free Azure Active Directory subscription link. If you have a paid account, you shouldn't need to use a credit card or payment.

  4. Select Active Directory and then select your organization.

  5. Select the Users tab.

  6. Select the user whose devices you want to delete.

  7. Choose Devices.

  8. Remove devices as appropriate, such as those that are no longer in use, or those that have inaccurate definitions.

Note

You can avoid the device enrollment cap by using a Device Enrollment Manager account, as described in Enroll corporate-owned devices with the Device Enrollment Manager in Microsoft Intune.

A user account that is added as a Device Enrollment Manager account will not be able to complete enrollment when a Conditional Access policy is enforced for that specific user login.

Company Portal Temporarily Unavailable

Issue: Users receive a Company Portal Temporarily Unavailable error on their device.

Resolution:

  1. Remove the Intune Company Portal app from the device.

  2. On the device, open the browser, browse to https://portal.manage.microsoft.com, and attempt a user login.

  3. If the user fails to log in, have the user try another network.

  4. If that fails, validate that the user's credentials have synced correctly with Azure Active Directory.

  5. If the user successfully logs in, an iOS device will prompt you to install the Intune Company Portal app and enroll. On an Android device, you will need to manually install the Intune Company Portal app, after which you can retry enrolling.

MDM authority not defined

Issue: A user receives an MDM authority not defined error.

Resolution:

  1. Verify that the MDM Authority has been set appropriately for the type of Intune service you are using (that is, Intune, Office 365, or System Center Configuration Manager with Intune). For Intune, the MDM Authority is set in Admin > Mobile Device Management. For Configuration Manager with Intune, you set it when configuring the Intune connector, and in Office 365, it's a setting under Mobile Devices.

    Note

    In Configuration Manager version 1610 or later and Microsoft Intune version 1705, you can change the MDM authority without having to contact Microsoft Support, and without having to unenroll and reenroll your existing managed devices. For details, see What to do if you choose the wrong MDM authority setting.

  2. Verify that the user's credentials have synced correctly with Azure Active Directory by checking that the user's UPN matches the Active Directory information in the Office 365 portal. If the UPN does not match the Active Directory information:

    1. Turn off DirSync on the local server.

    2. Delete the mismatched user from the Intune Account Portal user list.

    3. Wait about one hour to allow the Azure service to remove the incorrect data.

    4. Turn on DirSync again and check if the user is now synced properly.

  3. In a scenario where you are using System Center Configuration Manager with Intune, verify that the user has a valid Cloud User ID:

    1. Open SQL Management Studio.

    2. Connect to the appropriate DB.

    3. Open the databases folder and find and open the CM_DBName folder, where DBName is the name of the customer database.

    4. At the top, choose New Query and execute the following queries:

      • To see all users: select * from [CM_DBName].[dbo].[User_DISC]

      • To see specific users, use the following query, where %testuser1% represents username@domain.com for the user you want to look up: select * from [CM_DBName].[dbo].[User_DISC] where User_Principal_Name0 like '%testuser1%'

      After writing the query, choose !Execute. Once the results have been returned, look for the cloud user ID. If no ID is found, the user isn't licensed to use Intune.

Unable to create policy or enroll devices if the company name contains special characters

Issue: You can't create policy or enroll devices.

Resolution: In the Office 365 admin center, remove the special characters from the company name and save the company information.

Unable to log in or enroll devices when you have multiple verified domains

Issue: When you add a second verified domain to your ADFS, users with the user principal name (UPN) suffix of the second domain may not be able to log into the portals or enroll devices.

Resolution: Microsoft Office 365 customers who use single sign-on (SSO) through AD FS 2.0 and have multiple top-level domains for users' UPN suffixes within their organization (for example, @contoso.com or @fabrikam.com) are required to deploy a separate instance of the AD FS 2.0 Federation Service for each suffix. There is now a rollup for AD FS 2.0 that works in conjunction with the SupportMultipleDomain switch to enable the AD FS server to support this scenario without requiring additional AD FS 2.0 servers. See this blog for more information.

Android issues

Android enrollment errors

The following errors are ones that end users might see while enrolling Android devices in Intune. Each entry gives the error message shown on the device, the issue behind it, and the resolution.

Error message: IT admin needs to assign license for access. Your IT admin has not given you access to use this app. Please get help from your IT admin or try again later.
Issue: The device cannot be enrolled because the user's account does not have the necessary license. Before users can enroll their devices, they must have been assigned the necessary license. This message means that they have the wrong license type for the designated mobile device management authority. For example, if Intune has been designated as the mobile device management authority, and they are using a System Center 2012 R2 Configuration Manager license, they will see this error.
Resolution: See information about how to assign Intune licenses to your user accounts.

Error message: IT admin needs to set MDM authority. Looks like your IT admin has not set an MDM authority. Please get help from your IT admin or try again later.
Issue: The mobile device management authority has not been defined. The mobile device management authority has not been designated in Intune.
Resolution: See information about how to set the mobile device management authority.

Devices fail to check in with the Intune service and display as "Unhealthy" in the Intune admin console

Issue: Some Samsung devices that are running Android versions 4.4.x and 5.x might stop checking in with the Intune service. If devices don't check in:

  • They can't receive policy, apps, and remote commands from the Intune service.
  • They show a Management State of Unhealthy in the administrator console.
  • Users who are protected by conditional access policies might lose access to corporate resources.

Samsung has confirmed that the Samsung Smart Manager software, which ships on certain Samsung devices, can deactivate the Intune Company Portal and its components. When Company Portal is in a deactivated state, it can't run in the background and therefore can't contact the Intune service.

Resolution #1:

Tell your users to start the Company Portal app manually. Once the app restarts, the device checks in with the Intune service.

Important

Opening the Company Portal app manually is a temporary solution, because Samsung Smart Manager may deactivate the Company Portal app again.

Resolution #2:

Tell your users to try upgrading to Android 6.0. The deactivation issue doesn't occur on Android 6.0 devices. To check if an update is available, users can go to Settings > About device > Download updates manually, and follow the prompts on the device.

Resolution #3:

If Resolution #2 doesn't work, have your users follow these steps to make Smart Manager exclude the Company Portal app:

  1. Launch the Smart Manager app on the device.

    (Screenshot: select the Smart Manager icon on the device)

  2. Choose the Battery tile.

    (Screenshot: choose the Battery tile)

  3. Under App power saving or App optimization, select Detail.

    (Screenshot: select Detail under App power saving or App optimization)

  4. Choose Company Portal from the list of apps.

    (Screenshot: choose Company Portal from the list of apps)

  5. Choose Turned off.

    (Screenshot: choose Turned off in the App optimization dialog)

  6. Under App power saving or App optimization, confirm that Company Portal is turned off.

    (Screenshot: verify that Company Portal is turned off)

Profile installation failed

Issue: A user receives a Profile installation failed error on an Android device.

Resolution:

  1. Confirm that the user has been assigned an appropriate license for the version of the Intune service you are using.

  2. Confirm that the device is not already enrolled with another MDM provider or that it does not already have a management profile installed.

  3. Confirm that Chrome for Android is the default browser and that cookies are enabled.

Android certificate issues

Issue: Users receive the following message on their device: You cannot sign in because your device is missing a required certificate.

Resolution 1:

Ask your users to follow the instructions in Your device is missing a required certificate. If the error still appears after users follow the instructions, try Resolution 2.

Resolution 2:

If users still see the missing certificate error after entering their corporate credentials and getting redirected for the federated login experience, an intermediate certificate may be missing from your Active Directory Federation Services (AD FS) server.

The certificate error occurs because Android devices require intermediate certificates to be included in an SSL Server hello, but currently a default AD FS server or AD FS Proxy server installation sends only the AD FS service SSL certificate in the SSL server hello response to an SSL Client hello.

To fix the issue, import the certificates into the Computer's Personal Certificates on the AD FS server or proxies as follows:

  1. On the ADFS and proxy servers, launch the Certificate Management console for the local computer by right-clicking the Start button, choosing Run and typing certlm.msc.
  2. Expand Personal and select Certificates.
  3. Find the certificate for your AD FS service communication (a publicly signed certificate), and double-click to view its properties.
  4. Select the Certification Path tab to see the certificate's parent certificate(s).
  5. On each parent certificate, select View Certificate.
  6. Select the Details tab and choose Copy to file….
  7. Follow the wizard prompts to export or save the public key of the certificate to the desired file location.
  8. Import the parent certificates that were exported above to Local Computer\Personal\Certificates by right-clicking Certificates, selecting All Tasks > Import, and then following the wizard prompts to import the certificate(s).
  9. Restart the AD FS servers.
  10. Repeat the above steps on all of your AD FS and proxy servers. The user should now be able to sign in to the Company Portal on the Android device.
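The steps above are done in the certificate console. As an added example that is not from the original article, the following PowerShell performs the same export-and-import in one pass on an AD FS server: it locates the service communication certificate through Get-AdfsCertificate, builds its certification path, adds any parent certificate that is missing from Local Computer\Personal, and optionally restarts the adfssrv service. The function name Import-AdfsParentCertificates and its -Thumbprint and -RestartService parameters are this example's own; on a Web Application Proxy, where the ADFS module is not installed, pass the service certificate's thumbprint with -Thumbprint.

```powershell
# Added example (not from the original article): import the parent certificates of the
# AD FS service communication certificate into Local Computer\Personal, then restart AD FS.
# Assumes an elevated session on an AD FS server with the ADFS module; on a proxy server
# (no ADFS module) supply the service certificate thumbprint with -Thumbprint.
#Requires -RunAsAdministrator

function Import-AdfsParentCertificates {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Thumbprint of the service communication certificate; resolved with Get-AdfsCertificate when omitted.
        [string]$Thumbprint,
        [switch]$RestartService
    )

    if (-not $Thumbprint) {
        $svc = Get-AdfsCertificate -CertificateType Service-Communications
        $Thumbprint = $svc.Thumbprint
    }

    $leaf = Get-Item "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop

    # Build the chain the same way the Certification Path tab of the certificate console shows it.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($leaf)) {
        Write-Warning "Chain for $Thumbprint did not build cleanly: $($chain.ChainStatus.StatusInformation -join '; ')"
    }

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try {
        # Element 0 is the leaf itself; every element after it is a parent certificate.
        foreach ($element in $chain.ChainElements | Select-Object -Skip 1) {
            $parent = $element.Certificate
            $already = $store.Certificates.Find('FindByThumbprint', $parent.Thumbprint, $false)
            if ($already.Count -gt 0) {
                Write-Verbose "Already present in LocalMachine\My: $($parent.Subject)"
                continue
            }
            if ($PSCmdlet.ShouldProcess($parent.Subject, 'Import public certificate into LocalMachine\My')) {
                # Only the public portion is stored, which is all the TLS server hello needs to carry.
                $store.Add($parent)
                Write-Host "Imported: $($parent.Subject)"
            }
        }
    } finally {
        $store.Close()
    }

    if ($RestartService -and $PSCmdlet.ShouldProcess('adfssrv', 'Restart service')) {
        Restart-Service -Name adfssrv
    }
}

# Preview first, then apply; repeat on every AD FS server and (with -Thumbprint) on every proxy.
Import-AdfsParentCertificates -WhatIf
Import-AdfsParentCertificates -RestartService -Verbose
```

The -WhatIf run lists which parent certificates would be imported without changing the store, which is the same information the Certification Path tab gives you in step 4.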

To validate that the certificate installed correctly:

The following steps describe just one of many methods and tools that you can use to validate that the certificate installed correctly.

  1. Go to the free Digicert tool.
  2. Enter your AD FS server's fully qualified domain name (for example, sts.contoso.com) and select CHECK SERVER.

If the server certificate is installed correctly, you see all check marks in the results. If the problem above exists, you see a red X in the "Certificate Name Matches" and the "SSL Certificate is correctly Installed" sections of the report.

iOS issues

iOS enrollment errors

The following errors are ones that end users might see while enrolling iOS devices in Intune. Each entry gives the error message, the issue behind it, and the resolution.

Error message: NoEnrollmentPolicy
Issue: No enrollment policy found.
Resolution: Check that all enrollment prerequisites, like the Apple Push Notification Service (APNs) certificate, have been set up and that "iOS as a platform" is enabled. For instructions, see Set up iOS and Mac device management.

Error message: DeviceCapReached
Issue: Too many mobile devices are enrolled already.
Resolution: The user must remove one of his or her currently enrolled mobile devices from the Company Portal before enrolling another. See the instructions for the type of device you're using: Android, iOS, Windows.

Error message: APNSCertificateNotValid
Issue: There is a problem with the certificate that lets the mobile device communicate with your company's network. The Apple Push Notification Service (APNs) provides a channel to reach out to enrolled iOS devices. If the steps to get an APNs certificate were not performed, or if the APNs certificate has expired, then enrollment attempts will fail, and this message will appear.
Resolution: Review the information about how to set up users in Sync Active Directory and add users to Intune and Organizing users and devices.

Error message: AccountNotOnboarded
Issue: There is a problem with the certificate that lets the mobile device communicate with your company's network. The Apple Push Notification Service (APNs) provides a channel to reach out to enrolled iOS devices. If the steps to get an APNs certificate were not performed, or if the APNs certificate has expired, then enrollment attempts will fail, and this message will appear.
Resolution: For more information, review Set up iOS and Mac management with Microsoft Intune.

Error message: DeviceTypeNotSupported
Issue: The user might have tried to enroll using a non-iOS device. The mobile device type that you are trying to enroll is not supported. Confirm that the device is running iOS version 8.0 or later.
Resolution: Ensure that your user's device is running iOS version 8.0 or later.

Error message: UserLicenseTypeInvalid
Issue: The device cannot be enrolled because the user's account is not yet a member of a required user group. Before users can enroll their devices, they must be members of the right user group. This message means that they have the wrong license type for the designated mobile device management authority. For example, if Intune has been designated as the mobile device management authority, and they are using a System Center 2012 R2 Configuration Manager license, they will see this error.
Resolution: Review the following for more information: Set up iOS and Mac management with Microsoft Intune, and the information about how to set up users in Sync Active Directory and add users to Intune and Organizing users and devices.

Error message: MdmAuthorityNotDefined
Issue: The mobile device management authority has not been defined. The mobile device management authority has not been designated in Intune.
Resolution: Review item #1 in the "Step 6: Enroll mobile devices and install an app" section in Get started with a 30-day trial of Microsoft Intune.

Devices are inactive or the admin console cannot communicate with them

Issue: iOS devices aren't checking in with the Intune service. Devices must check in periodically with the service to maintain access to protected corporate resources. If devices don't check in:

  • They can't receive policy, apps, and remote commands from the Intune service.
  • They show a Management State of Unhealthy in the administrator console.
  • Users who are protected by conditional access policies might lose access to corporate resources.

Resolution: Share the following resolutions with your end users to help them regain access to corporate resources.

When users start the iOS Company Portal app, it can tell if their device has lost contact with Intune. If it detects that there is no contact, it automatically tries to sync with Intune to reconnect, and users will see the Trying to sync… inline notification.

(Screenshot: Trying to sync notification)

If the sync is successful, you see a Sync successful inline notification in the iOS Company Portal app, indicating that your device is in a healthy state.

(Screenshot: Sync successful notification)

If the sync is unsuccessful, users see an Unable to sync inline notification in the iOS Company Portal app.

(Screenshot: Unable to sync notification)

To fix the issue, users must select the Set up button, which is to the right of the Unable to sync notification. The Set up button takes users to the Company Access Setup flow screen, where they can follow the prompts to enroll their device.

(Screenshot: Company Access Setup screen)

Once enrolled, the devices return to a healthy state and regain access to company resources.

Verify WS-Trust 1.3 is enabled

Issue: Device Enrollment Program (DEP) iOS devices cannot be enrolled.

Enrolling Device Enrollment Program devices with user affinity requires the WS-Trust 1.3 Username/Mixed endpoint to be enabled to request user tokens. Active Directory enables this endpoint by default. You get a list of enabled endpoints by using the Get-AdfsEndpoint PowerShell cmdlet and looking for the trust/13/UsernameMixed endpoint. For example:

  Get-AdfsEndpoint -AddressPath "/adfs/services/trust/13/UsernameMixed"

For more information, see the Get-AdfsEndpoint documentation.

For more information, see Best practices for securing Active Directory Federation Services. If you need additional assistance in determining whether WS-Trust 1.3 Username/Mixed is enabled in your identity federation provider, contact Microsoft Support if you use ADFS, or your third-party identity vendor.
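As an added example that is not from the article, the following PowerShell wraps the Get-AdfsEndpoint check above in a function that reports whether the endpoint is enabled on the farm and published through the proxy (the two properties that matter for devices enrolling from the Internet), and, when run with -Enable, turns it on with Enable-AdfsEndpoint and Set-AdfsEndpoint followed by the service restart that endpoint changes require. Test-WsTrust13UsernameMixed and its -Enable switch are names chosen for this example; it assumes an elevated session on an AD FS server with the ADFS module.

```powershell
# Added example (not from the original article): check, and optionally enable, the
# WS-Trust 1.3 Username/Mixed endpoint that DEP enrollment with user affinity needs.
# Assumes an elevated session on an AD FS server with the ADFS PowerShell module.
#Requires -RunAsAdministrator

function Test-WsTrust13UsernameMixed {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Enable)

    $path = '/adfs/services/trust/13/UsernameMixed'
    $endpoint = Get-AdfsEndpoint -AddressPath $path -ErrorAction Stop

    # Enabled: the farm answers on this endpoint. Proxy: it is also published through the
    # Web Application Proxy, which devices outside the corporate network need.
    $state = [pscustomobject]@{
        AddressPath = $endpoint.AddressPath
        Enabled     = [bool]$endpoint.Enabled
        Proxy       = [bool]$endpoint.Proxy
    }

    if ($Enable -and -not ($state.Enabled -and $state.Proxy)) {
        if ($PSCmdlet.ShouldProcess($path, 'Enable endpoint and publish it through the proxy')) {
            Enable-AdfsEndpoint -TargetAddressPath $path
            Set-AdfsEndpoint -TargetAddressPath $path -Proxy $true
            # Endpoint changes are only applied after the AD FS service restarts.
            Restart-Service -Name adfssrv
            $state.Enabled = $true
            $state.Proxy = $true
        }
    }

    return $state
}

# Report only; add -Enable (and -WhatIf first) to turn the endpoint on where it is off.
Test-WsTrust13UsernameMixed
```

A result of Enabled = True with Proxy = False explains the common case where enrollment works on the corporate network but not from the Internet.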

Profile installation failed

Issue: A user receives a Profile installation failed error on an iOS device.

Troubleshooting steps for failed profile installation

  1. Confirm that the user has been assigned an appropriate license for the version of the Intune service you are using.

  2. Confirm that the device is not already enrolled with another MDM provider or that it does not already have a management profile installed.

  3. Navigate to https://portal.manage.microsoft.com and try to install the profile when prompted.

  4. Confirm that Safari for iOS is the default browser and that cookies are enabled.

Enrolled iOS device doesn't appear in console when using System Center Configuration Manager with Intune

Issue: A user enrolls an iOS device but it does not appear in the Configuration Manager admin console. The device does not indicate that it's been enrolled. Possible causes:

  • The Microsoft Intune Connector in your Configuration Manager site isn't communicating with the Intune service.
  • Either the Data Discovery Manager (ddm) component or the State Manager (statmgr) component is not processing messages from the Intune service.
  • You may have downloaded the MDM certificate from one account and used it on another account.

Resolution: Review the following log files for possible errors:

  • dmpdownloader.log
  • ddm.log
  • statmgr.log

Examples will be added soon about what to look for in these log files.
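The article does not yet give log samples. As an added example that is not from the article, the following PowerShell reads log lines in the CMTrace format that dmpdownloader.log, ddm.log and statmgr.log use, and reports entries written at error severity or whose text matches a pattern, including the DeviceCapReached string this topic names earlier under Device cap reached. Get-CmLogErrors is this example's own function name, the three log lines it runs against are constructed samples rather than output from a real site, and the log folder path in the final comment is an assumption about a default installation.

```powershell
# Added example (not from the original article): find error entries in Configuration Manager
# logs written in CMTrace format. The sample lines below are constructed, not real site output.

function Get-CmLogErrors {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$Line,
        # Case-insensitive strings that mark an entry worth reviewing.
        [string[]]$Pattern = @('error', 'fail', 'DeviceCapReached')
    )

    # CMTrace entry layout:
    # <![LOG[message]LOG]!><time="HH:mm:ss.fff+000" date="MM-dd-yyyy" component="..." ... type="N" ...>
    # type 1 = informational, 2 = warning, 3 = error.
    $regex = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+component="(?<comp>[^"]*)"[^>]*\btype="(?<type>\d)"'

    foreach ($l in $Line) {
        $m = [regex]::Match($l, $regex)
        if (-not $m.Success) { continue }   # not a CMTrace entry (e.g. a wrapped continuation line)
        $msg = $m.Groups['msg'].Value
        $hit = $Pattern | Where-Object { $msg -imatch [regex]::Escape($_) } | Select-Object -First 1
        # Report error-severity entries, and informational entries whose text matches a pattern.
        if ($m.Groups['type'].Value -eq '3' -or $hit) {
            [pscustomobject]@{
                Date      = $m.Groups['date'].Value
                Time      = ($m.Groups['time'].Value -split '[+-]')[0]   # drop the UTC offset suffix
                Component = $m.Groups['comp'].Value
                Severity  = $m.Groups['type'].Value
                Match     = $hit
                Message   = $msg
            }
        }
    }
}

# Constructed sample lines in CMTrace format (not taken from a real site).
$sample = @(
    '<![LOG[Processing device records for user contoso\jdoe]LOG]!><time="10:01:02.123+000" date="06-01-2017" component="DMPDownloader" context="" type="1" thread="4321" file="dmpdownloader.cpp:120">',
    '<![LOG[Failed to add device: DeviceCapReached]LOG]!><time="10:01:03.456+000" date="06-01-2017" component="DMPDownloader" context="" type="3" thread="4321" file="dmpdownloader.cpp:180">',
    '<![LOG[Discovery data record processed]LOG]!><time="10:02:00.000+000" date="06-01-2017" component="SMS_DISCOVERY_DATA_MANAGER" context="" type="1" thread="100" file="ddm.cpp:50">'
)
Get-CmLogErrors -Line $sample | Format-Table -AutoSize

# Against the real files on the site server (folder path is an assumption; adjust to your install):
# Get-CmLogErrors -Line (Get-Content 'C:\Program Files\Microsoft Configuration Manager\Logs\dmpdownloader.log')
```

On the sample input only the second line is reported: it is both error severity and a DeviceCapReached match, which is the same symptom the Device cap reached section ties to that log.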

Issues when using System Center Configuration Manager with Intune

Mobile devices disappear

Issue: After successfully enrolling a mobile device to Configuration Manager, it disappears from the mobile device collection, but the device still has the Management Profile and is listed in CSS Gateway.

Resolution: This may occur because you have a custom process removing non-domain-joined devices, or because the user has retired the device from the subscription. To validate and check which process or user account removed the device from the Configuration Manager console, perform the following steps.

Check how the device was removed

  1. In the Configuration Manager admin console, select Monitoring > System Status > Status Message Queries.

  2. Right-click Collection Member Resources Manually Deleted and select Show Messages.

  3. Pick an appropriate time/date or the last 12 hours.

  4. Find the device in question and review how the device was removed. The example below shows that the account SCCMInstall deleted the device via an Unknown Application.

    (Screenshot: device deletion diagnostics)

  5. Check that Configuration Manager does not have a scheduled task, script, or other process which could be automatically purging non-domain, mobile, or related devices.

Other iOS enrollment errors

A list of iOS enrollment errors is provided in our device-user documentation, in You see errors while trying to enroll your device in Intune.

PC Issues

The machine is already enrolled - Error hr 0x8007064c

Issue: Enrollment fails with the error The machine is already enrolled. The enrollment log shows error hr 0x8007064c.

This may be because the computer had been previously enrolled, or has the cloned image of a computer that had been enrolled. The account certificate of the previous account is still present on the computer.

Resolution:

  1. From the Start menu, type Run -> MMC.
  2. Choose File > Add/Remove Snap-ins.
  3. Double-click Certificates, choose Computer account > Next, and select Local Computer.
  4. Double-click Certificates (Local computer) and choose Personal/Certificates.
  5. Look for the Intune cert issued by Sc_Online_Issuing, and delete it, if present.
  6. If the following registry key exists, delete it: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OnlineManagement and all subkeys.
  7. Try to re-enroll.
  8. If the PC still cannot enroll, look for and delete this key, if it exists: HKEY_CLASSES_ROOT\Installer\Products\6985F0077D3EEB44AB6849B5D7913E95.
  9. Try to re-enroll.

    Important

    This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, read How to back up and restore the registry in Windows.
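As an added example that is not from the article, the following PowerShell carries out steps 5, 6 and 8 above from an elevated prompt and takes the backup the Important note asks for: each registry key is exported with reg.exe before it is removed, and -WhatIf previews everything first. Remove-IntuneLegacyEnrollment, its parameters and the default backup folder under %ProgramData% are this example's own choices; the certificate issuer name, the registry keys and the product GUID are the ones the steps above name.

```powershell
# Added example (not from the original article): remove the leftovers of a previous enrollment
# (or a cloned image) behind error hr 0x8007064c, backing up each registry key before deleting it.
# Assumes an elevated PowerShell session on the affected PC.
#Requires -RunAsAdministrator

function Remove-IntuneLegacyEnrollment {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Folder for the .reg backups; created if it does not exist (this example's own default).
        [string]$BackupPath = "$env:ProgramData\IntuneEnrollmentBackup",
        # Step 8 only applies if enrollment still fails after steps 5 to 7, so it is opt-in.
        [switch]$IncludeInstallerKey
    )

    New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null

    # Step 5: the Intune client certificate issued by Sc_Online_Issuing.
    $certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Issuer -like '*Sc_Online_Issuing*' }
    if (-not $certs) { Write-Verbose 'No certificate issued by Sc_Online_Issuing is present.' }
    foreach ($cert in $certs) {
        if ($PSCmdlet.ShouldProcess("$($cert.Subject) ($($cert.Thumbprint))", 'Remove certificate')) {
            Remove-Item -Path $cert.PSPath
        }
    }

    # Step 6, and step 8 when requested: registry keys left by the earlier enrollment.
    $keys = @('HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OnlineManagement')
    if ($IncludeInstallerKey) {
        $keys += 'HKEY_CLASSES_ROOT\Installer\Products\6985F0077D3EEB44AB6849B5D7913E95'
    }

    foreach ($key in $keys) {
        $psPath = "Registry::$key"
        if (-not (Test-Path $psPath)) {
            Write-Verbose "Not present: $key"
            continue
        }
        $backupFile = Join-Path $BackupPath (($key -replace '[\\:]', '_') + '.reg')
        if ($PSCmdlet.ShouldProcess($key, "Export to $backupFile, then remove key and subkeys")) {
            # Backup first so the key can be restored with 'reg import' if anything goes wrong.
            & reg.exe export $key $backupFile /y | Out-Null
            Remove-Item -Path $psPath -Recurse
        }
    }
}

# Preview, then apply (steps 5 to 7); re-run with -IncludeInstallerKey only if enrollment still fails.
Remove-IntuneLegacyEnrollment -WhatIf
Remove-IntuneLegacyEnrollment -Verbose
```

After the function has run, retry enrollment as in step 7; the .reg files in the backup folder are the restore point the Important note refers to.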

General enrollment error codes

Error code: 0x80CF0437
Possible problem: The clock on the client computer is not set to the correct time.
Suggested resolution: Make sure that the clock and the time zone on the client computer are set to the correct time and time zone.

Error code: 0x80240438, 0x80CF0438, 0x80CF402C
Possible problem: Cannot connect to the Intune service.
Suggested resolution: Check the client proxy settings. Verify that the proxy configuration on the client computer is supported by Intune, and that the client computer has Internet access.

Error code: 0x80240438, 0x80CF0438
Possible problem: Proxy settings in Internet Explorer and Local System are not configured. Cannot connect to the Intune service.
Suggested resolution: Check the client proxy settings and confirm that the proxy configuration on the client computer is supported by Intune, and that the client computer has Internet access.

Error code: 0x80043001, 0x80CF3001, 0x80043004, 0x80CF3004
Possible problem: Enrollment package is out of date.
Suggested resolution: Download and install the current client software package from the Administration workspace.

Error code: 0x80043002, 0x80CF3002
Possible problem: Account is in maintenance mode.
Suggested resolution: You cannot enroll new client computers when the account is in maintenance mode. To view your account settings, sign in to your account.

Error code: 0x80043003, 0x80CF3003
Possible problem: Account is deleted.
Suggested resolution: Verify that your account and subscription to Intune are still active. To view your account settings, sign in to your account.

Error code: 0x80043005, 0x80CF3005
Possible problem: The client computer has been retired.
Suggested resolution: Wait a few hours, remove any older versions of the client software from the computer, and then retry the client software installation.

Error code: 0x80043006, 0x80CF3006
Possible problem: The maximum number of seats allowed for the account has been reached.
Suggested resolution: Your organization must purchase additional seats before you can enroll more client computers in the service.

Error code: 0x80043007, 0x80CF3007
Possible problem: Could not find the certificate file in the same folder as the installer program.
Suggested resolution: Extract all files before you start the installation. Do not rename or relocate any of the extracted files: all files must exist in the same folder or the installation will fail.
0x80043007、0x80CF30070x80043007, 0x80CF3007 在安装程序所在的文件夹中找不到证书文件。Could not find the certificate file in the same folder as the installer program. 在开始安装之前提取所有文件。Extract all files before you start the installation. 请不要重命名或重新定位任何提取的文件:所有文件必须位于同一文件夹中,否则安装将失败。Do not rename or relocate any of the extracted files: all files must exist in the same folder or the installation will fail.
0x8024D015、0x00240005、0x80070BC2、0x80070BC9、0x80CFD0150x8024D015, 0x00240005, 0x80070BC2, 0x80070BC9, 0x80CFD015 无法安装软件,因为客户端计算机的重启处于挂起状态。The software cannot be installed because a restart of the client computer is pending. 重启计算机,然后重试客户端软件安装。Restart the computer and then retry the client software installation.
0x800700320x80070032 在客户端计算机上未找到用于安装客户端软件的一个或多个先决条件。One or more prerequisites for installing the client software were not found on the client computer. 确保所有必需的更新都已安装在客户端计算机上,然后重试客户端软件安装。Make sure that all required updates are installed on the client computer and then retry the client software installation.
0x80043008、0x80CF30080x80043008, 0x80CF3008 未能启动 Microsoft Online Management 更新服务。Failed to start the Microsoft Online Management Updates service. 请联系 Microsoft 支持部门,如如何获取对 Microsoft Intune 的支持中所述。Contact Microsoft Support as described in How to get support for Microsoft Intune.
0x80043009、0x80CF30090x80043009, 0x80CF3009 已在服务中注册客户端计算机。The client computer is already enrolled into the service. 你必须先停用客户端计算机,然后才能在服务中重新注册该客户端计算机。You must retire the client computer before you can re-enroll it in the service.
0x8004300B、0x80CF300B0x8004300B, 0x80CF300B 无法运行客户端软件安装包,因为不支持客户端上运行的 Windows 的版本。The client software installation package cannot run because the version of Windows that is running on the client is not supported. Intune 不支持客户端计算机上运行的 Windows 的版本。Intune does not support the version of Windows that is running on the client computer.
0xAB20xAB2 Windows Installer 无法针对自定义操作访问 VBScript 运行时。The Windows Installer could not access VBScript run time for a custom action. 此错误是由基于动态链接库 (DLL) 的自定义操作引起的。This error is caused by a custom action that is based on Dynamic-Link Libraries (DLLs). 对 DLL 进行疑难解答时,可能必须使用 Microsoft 支持 KB198038:用于打包和部署问题的有用工具中描述的工具。When troubleshooting the DLL, you might have to use the tools that are described in Microsoft Support KB198038: Useful Tools for Package and Deployment Issues.
0x80cf04400x80cf0440 到服务终结点的连接已终止。The connection to the service endpoint terminated. 试用或付费帐户处于挂起状态。Trial or paid account is suspended. 创建一个新的试用或付费帐户,并重新注册。Create a new trial or paid account and re-enroll.
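Several rows in the table point at conditions on the client itself: a wrong clock, proxy settings that differ between the signed-in user and Local System, no outbound connectivity, and a pending restart. The function below checks those conditions up front and reports one result per check, keyed to the error code it relates to. It is an added example, not from the original article and not part of the Intune client. The 300-second clock tolerance, the manage.microsoft.com host used for the TCP 443 test, and the rule that flags a user proxy with no matching WinHTTP proxy are assumptions made for this example; Test-NetConnection requires Windows 8 / Windows Server 2012 or later.

```powershell
# Added example (not from the original article): pre-enrollment checks for the
# client-side conditions behind several codes in the table above. Run elevated.
function Test-IntuneEnrollmentPrereqs {
    [CmdletBinding()]
    param(
        # Largest clock offset from the configured time source to accept (assumed value).
        [int]$MaxClockSkewSeconds = 300,
        # Host for the outbound TCP 443 test (assumed; substitute the endpoint your tenant uses).
        [string]$ServiceHost = 'manage.microsoft.com'
    )

    $results = New-Object 'System.Collections.Generic.List[object]'
    function Add-Result($code, $check, $pass, $detail) {
        $results.Add([pscustomobject]@{ ErrorCode = $code; Check = $check; Pass = $pass; Detail = $detail })
    }

    # 0x80CF0437: clock. w32tm reports the last measured offset from the time source.
    $status = & w32tm.exe /query /status 2>&1
    $offsetLine = $status | Select-String -Pattern 'Phase Offset:\s*([-\d.]+)s'
    if ($offsetLine) {
        $offset = [double]$offsetLine.Matches[0].Groups[1].Value
        Add-Result '0x80CF0437' 'Clock within tolerance' ([math]::Abs($offset) -le $MaxClockSkewSeconds) `
            ('offset {0}s; time zone {1}' -f $offset, [TimeZoneInfo]::Local.Id)
    } else {
        Add-Result '0x80CF0437' 'Clock within tolerance' $false 'w32tm reported no offset; is the Windows Time service running?'
    }

    # 0x80240438 / 0x80CF0438: proxy for Local System (WinHTTP) versus the signed-in user (IE/WinINET).
    # Heuristic (assumed): a user proxy with no WinHTTP proxy means services running as
    # Local System would attempt a direct connection, so that combination is reported as a failure.
    $winhttp = ((& netsh.exe winhttp show proxy) -join ' ').Trim()
    $ie = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
    $userProxy = if ($ie.ProxyEnable -eq 1) { $ie.ProxyServer } else { 'direct' }
    $systemDirect = $winhttp -match 'Direct access'
    $mismatch = ($userProxy -ne 'direct') -and $systemDirect
    Add-Result '0x80240438' 'Proxy settings consistent' (-not $mismatch) "user: $userProxy; Local System (WinHTTP): $winhttp"

    # 0x80CF402C: basic outbound reachability of the service on TCP 443.
    $conn = Test-NetConnection -ComputerName $ServiceHost -Port 443 -WarningAction SilentlyContinue
    Add-Result '0x80CF402C' "TCP 443 to $ServiceHost" $conn.TcpTestSucceeded "remote address $($conn.RemoteAddress)"

    # 0x8024D015 and related codes: a pending restart blocks the client software installation.
    $rebootSignals = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    ) | Where-Object { Test-Path -Path $_ }
    $rebootSignals = @($rebootSignals)   # keep it an array even when one or zero items match
    $pfro = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if ($pfro) { $rebootSignals += 'PendingFileRenameOperations' }
    $detail = if ($rebootSignals.Count -gt 0) { $rebootSignals -join '; ' } else { 'none' }
    Add-Result '0x8024D015' 'No restart pending' ($rebootSignals.Count -eq 0) $detail

    return $results
}

# Usage: run all checks once, show everything, then list only the failures.
$checks = Test-IntuneEnrollmentPrereqs
$checks | Format-Table -AutoSize
$checks | Where-Object { -not $_.Pass } | Format-List
```

A failing row names the error code to look up in the table above, so the output maps directly onto the suggested resolutions: fix the clock or time zone, align the WinHTTP proxy with the user proxy (netsh winhttp import proxy source=ie is the usual way), restore connectivity, or restart the PC before retrying the client installation.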

Next steps

If this troubleshooting information didn't help you, contact Microsoft Support as described in How to get support for Microsoft Intune.

To submit product feedback, visit Intune Feedback.