Co-management workloads

You don't have to switch the workloads, or you can switch them individually when you're ready. Configuration Manager continues to manage all other workloads, including those you don't switch to Intune, and all other Configuration Manager features that co-management doesn't support.

If you switch a workload to Intune but later change your mind, you can switch it back to Configuration Manager.

Co-management supports the following workloads:

Compliance policies

Compliance policies define the rules and settings that a device must comply with to be considered compliant by conditional access policies. You can also use compliance policies to monitor and remediate compliance issues on devices independently of conditional access. Beginning in Configuration Manager version 1910, you can add evaluation of custom configuration baselines as a compliance policy assessment rule. For more information, see Include custom configuration baselines as part of compliance policy assessment.

For more information on the Intune feature, see Device compliance policies.

Windows Update policies

Windows Update for Business policies let you configure deferral policies for Windows 10 feature updates or quality updates on Windows 10 devices managed directly by Windows Update for Business.

For more information on the Intune feature, see Configure Windows Update for Business deferral policies.

Resource access policies

Resource access policies configure VPN, Wi-Fi, email, and certificate settings on devices.

For more information on the Intune feature, see Deploy resource access profiles.

Note

The resource access workload is also part of device configuration. These policies are managed by Intune when you switch the Device Configuration workload.

Endpoint Protection

The Endpoint Protection workload includes the Windows Defender suite of antimalware protection features:

  • Windows Defender Antimalware
  • Windows Defender Application Guard
  • Windows Defender Firewall
  • Windows Defender SmartScreen
  • Windows Encryption
  • Windows Defender Exploit Guard
  • Windows Defender Application Control
  • Windows Defender Security Center
  • Windows Defender Advanced Threat Protection (now known as Microsoft Defender Advanced Threat Protection)

For more information on the Intune feature, see Endpoint Protection for Microsoft Intune.

Note

When you switch this workload, the Configuration Manager policies stay on the device until the Intune policies overwrite them. This behavior makes sure that the device still has protection policies during the transition.

The Endpoint Protection workload is also part of device configuration. The same behavior applies when you switch the Device Configuration workload. When you switch the Device Configuration workload, it also includes policies for the Windows Information Protection feature, which isn't included in the Endpoint Protection workload.

The Microsoft Defender Antivirus settings that are part of the Device restrictions profile type for Intune device configuration aren't included in the scope of the Endpoint Protection slider. To manage Microsoft Defender Antivirus for co-managed devices with the Endpoint Protection slider enabled, use the new Antivirus policies in the Microsoft Endpoint Manager admin center, under Endpoint security > Antivirus. The new policy type has new and improved options available and supports all of the same settings available in the Device restrictions profile.

The Windows Encryption feature includes BitLocker management. For more information on the behavior of this feature with co-management, see Deploy BitLocker management.

Device configuration

The device configuration workload includes settings that you manage for devices in your organization. Switching this workload also moves the Resource Access and Endpoint Protection workloads.

You can still deploy settings from Configuration Manager to co-managed devices even though Intune is the device configuration authority. This exception can be used to configure settings that your organization requires but that aren't yet available in Intune. Specify this exception on a Configuration Manager configuration baseline: enable the option Always apply this baseline even for co-managed clients when you create the baseline. You can change it later on the General tab of the properties of an existing baseline.

For more information on the Intune feature, see Create a device profile in Microsoft Intune.

Note

When you switch the Device Configuration workload, it also includes policies for the Windows Information Protection feature, which isn't included in the Endpoint Protection workload.

Office Click-to-Run apps

This workload manages Microsoft 365 Apps on co-managed devices.

  • After moving the workload, the app shows up in the Company Portal on the device.

  • Office updates may take around 24 hours to show up on the client unless the device is restarted.

  • There's a new global condition, Are Office 365 applications managed by Intune on the device. This condition is added by default as a requirement to new Microsoft 365 applications. When you transition this workload, co-managed clients no longer meet that requirement, so they don't install Microsoft 365 Apps deployed via Configuration Manager.

Updates can be managed using Administrative Templates in Microsoft Endpoint Manager or software update management in Microsoft Endpoint Configuration Manager.

For more information on the Intune feature, see Assign Microsoft 365 apps to Windows 10 devices with Microsoft Intune.

Client apps

Use Intune to manage client apps and PowerShell scripts on co-managed Windows 10 devices. After you transition this workload, any available apps deployed from Intune are available in the Company Portal. Apps that you deploy from Configuration Manager are available in Software Center.

For more information on the Intune feature, see What is Microsoft Intune app management?

Note

In Windows 10 version 1903 and later, PowerShell scripts still run on co-managed devices even if you haven't switched the Client Apps workload to Intune.

Tip

This feature was first introduced in version 1806 as a pre-release feature. Beginning with version 2002, it's no longer a pre-release feature.

This feature may appear in the list of features as Mobile apps for co-managed devices.

Starting in version 1910, when you enable Microsoft Connected Cache on your Configuration Manager distribution points, they can serve Microsoft Intune Win32 apps to co-managed clients. For more information, see Microsoft Connected Cache in Configuration Manager.

Diagram for app workloads

[Diagram of co-management app workloads]

Tip

Starting in version 2006, you can configure the Company Portal to also show Configuration Manager apps. If you change this app portal experience, it changes the behaviors described in the above diagram. For more information, see Use the Company Portal app on co-managed devices.

Known issues

When the Endpoint Protection workload is moved over to Intune, the client may still honor policies set by Configuration Manager and Microsoft Defender.

To work around this issue, apply CleanUpPolicy.xml using ConfigSecurityPolicy.exe after the client has received the Intune policies, using the steps below:

  1. Copy and save the text below as CleanUpPolicy.xml.

    <?xml version="1.0" encoding="UTF-8"?>
    <SecurityPolicy xmlns="http://forefront.microsoft.com/FEP/2010/01/PolicyData" Name="FEP clean-up policy">
      <PolicySection Name="FEP.AmPolicy">
        <LocalGroupPolicySettings>
          <IgnoreKey Name="SOFTWARE\Policies\Microsoft\Microsoft Antimalware"/>
          <IgnoreKey Name="SOFTWARE\Policies\Microsoft\Windows Defender"/>
        </LocalGroupPolicySettings>
      </PolicySection>
    </SecurityPolicy>

  2. Open an elevated command prompt and change to the directory that contains ConfigSecurityPolicy.exe. Typically this executable is in one of the following directories:

    • C:\Program Files\Windows Defender
    • C:\Program Files\Microsoft Security Client
  3. From the command prompt, pass in the XML file to clean up the policy. For example: ConfigSecurityPolicy.exe C:\temp\CleanUpPolicy.xml
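The three steps above as a single PowerShell script, added here as an example; it is not part of the original page or of Microsoft's tooling. It assumes the XML and the two executable locations given in the steps, uses C:\temp as an arbitrary working folder, and reads the two HKLM policy keys named in the XML before and after the run so you can see what the clean-up changed. It does not check that the client has already received its Intune policy; confirm that first, as the workaround requires.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original page: applies the FEP clean-up policy with
# ConfigSecurityPolicy.exe and shows the policy registry values before and after.
# Run only after the client has received its Intune Endpoint Protection policy;
# this script does not verify that.

$ErrorActionPreference = 'Stop'

# Working folder and file name are arbitrary choices (the steps use C:\temp as an example).
$xmlPath = 'C:\temp\CleanUpPolicy.xml'

# The clean-up policy exactly as given in step 1.
$cleanUpPolicy = @'
<?xml version="1.0" encoding="UTF-8"?>
<SecurityPolicy xmlns="http://forefront.microsoft.com/FEP/2010/01/PolicyData" Name="FEP clean-up policy">
  <PolicySection Name="FEP.AmPolicy">
    <LocalGroupPolicySettings>
      <IgnoreKey Name="SOFTWARE\Policies\Microsoft\Microsoft Antimalware"/>
      <IgnoreKey Name="SOFTWARE\Policies\Microsoft\Windows Defender"/>
    </LocalGroupPolicySettings>
  </PolicySection>
</SecurityPolicy>
'@

# The two policy keys the XML names, as they appear under HKLM.
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Microsoft Antimalware',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
)

function Get-PolicySnapshot {
    # Returns one object per registry value under the policy keys (subkeys included),
    # so the state before and after the clean-up can be compared.
    foreach ($key in $policyKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $items = @(Get-Item -Path $key) + @(Get-ChildItem -Path $key -Recurse)
        foreach ($item in $items) {
            foreach ($name in $item.GetValueNames()) {
                [pscustomobject]@{
                    Key   = $item.Name
                    Name  = $name
                    Value = $item.GetValue($name)
                }
            }
        }
    }
}

# Step 1: save the XML. Written without a byte-order mark so the file starts with the XML declaration.
New-Item -ItemType Directory -Path (Split-Path -Path $xmlPath -Parent) -Force | Out-Null
[System.IO.File]::WriteAllText($xmlPath, $cleanUpPolicy, [System.Text.UTF8Encoding]::new($false))

# Step 2: locate ConfigSecurityPolicy.exe in the directories listed in the steps.
$exe = @(
    'C:\Program Files\Windows Defender\ConfigSecurityPolicy.exe',
    'C:\Program Files\Microsoft Security Client\ConfigSecurityPolicy.exe'
) | Where-Object { Test-Path -Path $_ -PathType Leaf } | Select-Object -First 1

if (-not $exe) {
    throw 'ConfigSecurityPolicy.exe was not found in either expected directory.'
}

# Step 3: pass the XML to the executable and check that it exited cleanly.
$before = @(Get-PolicySnapshot)
$proc = Start-Process -FilePath $exe -ArgumentList "`"$xmlPath`"" -Wait -PassThru -NoNewWindow
if ($proc.ExitCode -ne 0) {
    throw "ConfigSecurityPolicy.exe exited with code $($proc.ExitCode)."
}
$after = @(Get-PolicySnapshot)

Write-Host "Policy values under the two keys: $($before.Count) before, $($after.Count) after."
if ($before.Count -gt 0 -or $after.Count -gt 0) {
    # '<=' marks values present only before the clean-up, '=>' values present only after.
    Compare-Object -ReferenceObject $before -DifferenceObject $after -Property Key, Name, Value |
        Format-Table -AutoSize
}
```

Save it as a .ps1 file and run it from an elevated PowerShell session. The before/after comparison is there so you have a record of exactly which policy values the clean-up touched on that client, which is useful when a device keeps reporting the old Configuration Manager settings after the workload switch.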

Next steps

How to switch workloads