Troubleshoot policies in Microsoft Intune

Applies to: Intune in the classic portal
Looking for documentation about Intune in the Azure portal? Go here.

If you are having problems deploying and managing Intune policies, start here. This topic describes some common problems you might encounter, together with their solutions.

General Issues

Was a deployed policy applied to the device?

Issue: You are unsure if a policy was correctly applied.

In the Intune admin console, every device has a policy tab under Device Properties. Each policy has an Intended Value and a Status. The intended value is what you meant to achieve when assigning the policy. The status is what is actually applied when all of the policies that apply to the device, as well as the restrictions and requirements of the hardware and the operating system, are considered together. Possible statuses are:

  • Conforms: The device has received the policy and reports to the service that it conforms to the setting.

  • Not applicable: The policy setting is not applicable. For example, email settings for iOS devices would not apply to an Android device.

  • Pending: The policy was sent to the device, but the device hasn't reported status to the service. For example, encryption on Android requires the user to enable encryption and might therefore be pending.

In the screenshot below you can see two clear examples:

  • Allow simple passwords is set to Yes, as shown in the Intended Value column, but its Status is Not applicable. This is because simple passwords are not supported for Android devices.

  • Similarly, the expanded policy item Email settings for iOS devices is not applied to this device, as it is an Android device.

[Screenshot: Intune device policy]

Note

Remember that when two policies with different levels of restriction apply to the same device or user, the more restrictive policy applies in practice.

Issues with enrolled devices

Alert: Saving of Access Rules to Exchange has Failed

Issue: You receive the alert Saving of Access Rules to Exchange has Failed in the admin console.

If you created policies in the Exchange On-Premises Policy workspace under the Admin Console but are using O365, the configured policy settings are not enforced by Intune. Note the policy source from the alert. Under the Exchange On-Premises Policy workspace, delete the legacy rules, as these are Global Exchange rules within Intune for on-premises Exchange and are not relevant to O365. Then create a new policy for O365.

Cannot change security policy for various enrolled devices

Windows Phone devices do not allow security policies set via MDM or EAS to be reduced in security once you've set them. For example, you set Minimum number of character password to 8 and then try to reduce it to 4. The more restrictive policy has already been applied to the device.

Depending on the device platform, if you want to change the policy to a less secure value, you may need to reset security policies. For example, in Windows, on the desktop, swipe in from the right to open the Charms bar and choose Settings > Control Panel. Select the User Accounts applet. In the left-hand navigation menu, there is a Reset Security Policies link at the bottom. Choose it and then choose the Reset Policies button. Other MDM devices, such as Android, Windows Phone 8.1 and later, and iOS, may need to be retired and re-enrolled back into the service for you to be able to apply a less restrictive policy.

Issues with PCs that run the Intune software client

For Windows PCs managed with the Intune software client, policy errors in the policyplatform.log file may be the result of non-default settings in the Windows User Account Control (UAC) on the device. Some non-default UAC settings can affect Microsoft Intune client installations and policy execution.

To resolve UAC issues

  1. Retire the computer, as described in Retire devices from Microsoft Intune management.

  2. Wait 20 minutes for the client software to be removed.

    Note

    Do not attempt to remove the client from Programs and Features.

  3. On the Start menu, type UAC to open the User Account Control settings.

  4. Move the notification slider to the default setting.
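
To confirm whether a PC is running with non-default UAC settings before or after this procedure, the following added example (not part of the original article) compares the UAC registry values with the Windows defaults. It assumes the default slider position corresponds to the three values listed in the script.

```powershell
# Added example: report UAC registry values that differ from the Windows defaults.
# Assumption: the default notification slider position corresponds to
# EnableLUA=1, ConsentPromptBehaviorAdmin=5, PromptOnSecureDesktop=1.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$UacDefaults = [ordered]@{
    EnableLUA                  = 1   # UAC is turned on
    ConsentPromptBehaviorAdmin = 5   # consent prompt for non-Windows binaries
    PromptOnSecureDesktop      = 1   # prompt is shown on the secure desktop
}

function Get-UacDeviation {
    param([string]$Path = $UacKey)

    $current = Get-ItemProperty -Path $Path -ErrorAction Stop
    foreach ($name in $UacDefaults.Keys) {
        $actual = $current.$name      # $null when the value is not present
        $state = if ($null -eq $actual) { 'NotSet' }
                 elseif ($actual -eq $UacDefaults[$name]) { 'Default' }
                 else { 'NonDefault' }
        [pscustomobject]@{
            Setting  = $name
            Expected = $UacDefaults[$name]
            Actual   = $actual
            State    = $state
        }
    }
}

$report = Get-UacDeviation
$report | Format-Table -AutoSize

# Flag the machine if any value was changed away from its default.
$changed = @($report | Where-Object { $_.State -eq 'NonDefault' })
if ($changed.Count -gt 0) {
    Write-Warning ("Non-default UAC settings: " + ($changed.Setting -join ', '))
} else {
    Write-Output 'UAC values match the defaults (or are not set).'
}
```

A value set through Group Policy is written to the same key, so a NonDefault result that returns after moving the slider points to a policy rather than a local change.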

ERROR: Cannot obtain the value from the computer, 0x80041013

This can occur if the time on the local system is out of sync by five minutes or more. If the time on the local computer is out of sync, secure transactions will fail because the time stamps will be invalid.

To resolve this issue, set the local system time as close as possible to Internet time, or to the time set on the domain controllers on the network.
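
To measure how far the local clock has drifted, the following added example (not part of the original article) asks w32tm for one time sample and compares the offset with the five-minute limit described above. The reference source time.windows.com, the function names and the sample output lines are assumptions made for illustration; substitute a domain controller name where appropriate.

```powershell
# Added example: measure local clock skew against a reference time source.
# Assumption: time.windows.com is the reference; pass a domain controller instead if needed.
$MaxSkewSeconds = 300   # the five-minute limit stated in the article

function Get-OffsetFromW32tm {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Sample lines look like "10:15:02, +00.0312456s".
        # Failed samples contain "error: 0x..." and do not match.
        if ($line -match ',\s*([+-]\d+\.\d+)s\s*$') {
            return [double]::Parse($Matches[1], [cultureinfo]::InvariantCulture)
        }
    }
    return $null
}

function Test-ClockSkew {
    param([string]$Source = 'time.windows.com')

    $out = & w32tm.exe /stripchart "/computer:$Source" /samples:1 /dataonly 2>&1
    $offset = Get-OffsetFromW32tm -Lines ($out | ForEach-Object { "$_" })
    if ($null -eq $offset) {
        Write-Warning "No offset returned from $Source; check that UDP port 123 is reachable."
        return $null
    }
    [pscustomobject]@{
        Source        = $Source
        OffsetSeconds = [math]::Round($offset, 3)
        WithinLimit   = ([math]::Abs($offset) -lt $MaxSkewSeconds)
    }
}

# Constructed sample output (not captured from a real machine), showing the
# parser on a clock that is more than five minutes out of sync.
$sample = @(
    'Tracking time.windows.com [203.0.113.10:123].',
    '10:15:02, +400.1234567s'
)
$sampleOffset = Get-OffsetFromW32tm -Lines $sample
Write-Output "Sample offset: $sampleOffset s"

# Live check on the local machine.
Test-ClockSkew
```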

Next steps

If this troubleshooting information didn't help you, contact Microsoft Support as described in How to get support for Microsoft Intune.