Common questions and answers with device policies and profiles in Microsoft Intune

Get answers to common questions when working with device profiles and policies in Intune. This article also lists the check-in time intervals, provides more details on conflicts, and more.

How long does it take for devices to get a policy, profile, or app after they are assigned?

Intune notifies the device to check in with the Intune service. The notification times vary, including immediately up to a few hours. These notification times also vary between platforms.

If a device doesn't check in to get the policy or profile after the first notification, Intune makes three more attempts. An offline device, such as one that is turned off or not connected to a network, may not receive the notifications. In this case, the device gets the policy or profile on its next scheduled check-in with the Intune service. The same applies to checks for non-compliance, including devices that move from a compliant to a non-compliant state.

Estimated frequencies:

Platform | Refresh cycle
iOS/iPadOS | About every 8 hours
macOS | About every 8 hours
Android | About every 8 hours
Windows 10 PCs enrolled as devices | About every 8 hours
Windows Phone | About every 8 hours
Windows 8.1 | About every 8 hours

If the device recently enrolled, the compliance, non-compliance, and configuration check-ins run more frequently. The estimated frequencies are:

Platform | Frequency
iOS/iPadOS | Every 15 minutes for 1 hour, and then around every 8 hours
macOS | Every 15 minutes for 1 hour, and then around every 8 hours
Android | Every 3 minutes for 15 minutes, then every 15 minutes for 2 hours, and then around every 8 hours
Windows 10 PCs enrolled as devices | Every 3 minutes for 15 minutes, then every 15 minutes for 2 hours, and then around every 8 hours
Windows Phone | Every 5 minutes for 15 minutes, then every 15 minutes for 2 hours, and then around every 8 hours
Windows 8.1 | Every 5 minutes for 15 minutes, then every 15 minutes for 2 hours, and then around every 8 hours

At any time, users can open the Company Portal app and select Settings > Sync to immediately check for policy or profile updates.
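A device that stops checking in keeps whatever policy it last received, so the schedule above is also a useful baseline for spotting silent devices. The following is an added example, not Microsoft's code: it encodes the two frequency tables and flags devices that have been quiet for longer than the interval that applied at their last check-in. The device names, timestamps, and the `slack` factor are assumptions.

```python
from datetime import datetime, timedelta


def minutes(n):
    return timedelta(minutes=n)


# Post-enrollment phases from the frequency table: (interval, phase length).
# Once the phases are used up, every platform is on the ~8 hour cycle.
STEADY = timedelta(hours=8)
PHASES = {
    "iOS/iPadOS": [(minutes(15), minutes(60))],
    "macOS": [(minutes(15), minutes(60))],
    "Android": [(minutes(3), minutes(15)), (minutes(15), minutes(120))],
    "Windows 10": [(minutes(3), minutes(15)), (minutes(15), minutes(120))],
    "Windows Phone": [(minutes(5), minutes(15)), (minutes(15), minutes(120))],
    "Windows 8.1": [(minutes(5), minutes(15)), (minutes(15), minutes(120))],
}

# Constructed sample inventory: (name, platform, enrolled_at, last_check_in).
NOW = datetime(2024, 5, 2, 12, 0)
DEVICES = [
    ("tab-01", "iOS/iPadOS", datetime(2024, 4, 1, 9, 0), datetime(2024, 5, 2, 6, 30)),
    ("pc-07", "Windows 10", datetime(2024, 5, 2, 11, 0), datetime(2024, 5, 2, 11, 6)),
    ("ph-03", "Android", datetime(2024, 3, 10, 8, 0), datetime(2024, 4, 30, 22, 0)),
]


def expected_interval(platform, enrolled_at, at):
    """Estimated check-in interval in effect for a device at time `at`."""
    elapsed, phase_end = at - enrolled_at, timedelta(0)
    for interval, length in PHASES[platform]:
        phase_end += length
        if elapsed < phase_end:
            return interval
    return STEADY


def is_overdue(platform, enrolled_at, last_check_in, now, slack=2):
    """True when the device has been silent for more than `slack` intervals.
    `slack` is an assumption; the page gives estimates, not guarantees."""
    interval = expected_interval(platform, enrolled_at, last_check_in)
    return now - last_check_in > slack * interval


def overdue_devices(devices, now):
    return [n for n, p, enrolled, last in devices if is_overdue(p, enrolled, last, now)]
```

With the constructed inventory, `overdue_devices(DEVICES, NOW)` returns the freshly enrolled PC that went quiet after six minutes and the phone that has not checked in for more than a day.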

What actions cause Intune to immediately send a notification to a device?

There are different actions that trigger a notification, such as when a policy, profile, or app is assigned (or unassigned), updated, deleted, and so on. These action times vary between platforms.

Devices check in with Intune when they receive a notification to check in, or during the scheduled check-in. When you target a device or user with an action, such as lock, passcode reset, app, profile or policy assignment, then Intune immediately notifies the device to check in to receive these updates.

Other changes, such as revising the contact information in the Company Portal app, don't cause an immediate notification to devices.

The settings in the policy or profile are applied at every check-in. The Windows 10 MDM policy refresh blog post may be a good resource.

If multiple policies are assigned to the same user or device, how do I know which settings get applied?

When two or more policies are assigned to the same user or device, the settings that apply are determined at the individual setting level:

  • Compliance policy settings always have precedence over configuration profile settings.

  • If a compliance policy evaluates against the same setting in another compliance policy, then the most restrictive compliance policy setting applies.

  • If a configuration policy setting conflicts with a setting in another configuration policy, this conflict is shown in Intune. Manually resolve these conflicts.

What happens when app protection policies conflict with each other? Which one is applied to the app?

Conflict values are the most restrictive settings available in an app protection policy except for the number entry fields, such as PIN attempts before reset. The number entry fields are set to the same values as if you had created a MAM policy using the recommended settings option.

Conflicts happen when two profile settings are the same. For example, you configured two MAM policies that are identical except for the copy/paste setting. In this scenario, the copy/paste setting is set to the most restrictive value, but the rest of the settings are applied as configured.

A policy is deployed to the app and takes effect. A second policy is deployed. In this scenario, the first policy takes precedence, and stays applied. The second policy shows a conflict. If both are applied at the same time, meaning that there isn't a preceding policy, then both are in conflict. Any conflicting settings are set to the most restrictive values.

What happens when iOS/iPadOS custom policies conflict?

Intune doesn't evaluate the payload of Apple Configuration files or a custom Open Mobile Alliance Uniform Resource Identifier (OMA-URI) policy. It merely serves as the delivery mechanism.

When you assign a custom policy, confirm that the configured settings don't conflict with compliance, configuration, or other custom policies. If a custom policy and its settings conflict, then the settings are applied randomly.
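Because Intune only delivers custom payloads and does not evaluate them, the conflict check has to happen before assignment. The following is an added example, not part of the original article or of any Intune tooling: it compares custom OMA-URI policies pairwise and reports settings that two policies assigned to a common group set to different values. The policy names, group names, and values are constructed, and matching on shared group names is a simplification.

```python
from itertools import combinations

# Constructed sample: custom policies with the groups they are assigned to
# and the OMA-URI settings they carry. Names and groups are hypothetical.
POLICIES = {
    "Kiosk-Lockdown": {
        "groups": {"Kiosks"},
        "settings": {
            "./Device/Vendor/MSFT/Policy/Config/Camera/AllowCamera": 0,
            "./Device/Vendor/MSFT/Policy/Config/DeviceLock/MinDevicePasswordLength": 8,
        },
    },
    "Front-Desk": {
        "groups": {"Kiosks", "Reception"},
        "settings": {
            "./Device/Vendor/MSFT/Policy/Config/Camera/AllowCamera": 1,
            "./Device/Vendor/MSFT/Policy/Config/DeviceLock/MinDevicePasswordLength": 8,
        },
    },
    "Lab-Devices": {
        "groups": {"Lab"},
        "settings": {
            "./Device/Vendor/MSFT/Policy/Config/Camera/AllowCamera": 1,
        },
    },
}


def find_conflicts(policies):
    """Return (uri, policy_a, value_a, policy_b, value_b) for every pair of
    policies that share an assignment group and set one OMA-URI differently."""
    conflicts = []
    for (a, pa), (b, pb) in combinations(sorted(policies.items()), 2):
        if not pa["groups"] & pb["groups"]:
            # No shared group: skipped. Simplification, since a device that
            # belongs to both groups would still receive both policies.
            continue
        for uri in sorted(pa["settings"].keys() & pb["settings"].keys()):
            va, vb = pa["settings"][uri], pb["settings"][uri]
            if va != vb:  # same URI with the same value is not a conflict
                conflicts.append((uri, a, va, b, vb))
    return conflicts
```

On the constructed data, only the camera setting shared by the two policies assigned to the Kiosks group is reported; the matching password-length values and the unrelated Lab policy are not.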

What happens when a profile is deleted or no longer applicable?

When you delete a profile, or you remove a device from a group that has the profile, then the profile and settings are removed from the device as described:

  • Wi-Fi, VPN, certificate, and email profiles: These profiles are removed from all supported enrolled devices.

  • All other profile types:

    • Windows and Android devices: Settings aren't removed from the device

    • Windows Phone 8.1 devices: The following settings are removed:

      • Require a password to unlock mobile devices
      • Allow simple passwords
      • Minimum password length
      • Required password type
      • Password expiration (days)
      • Remember password history
      • Number of repeated sign-in failures to allow before the device is wiped
      • Minutes of inactivity before password is required
      • Required password type – minimum number of character sets
      • Allow camera
      • Require encryption on mobile device
      • Allow removable storage
      • Allow web browser
      • Allow application store
      • Allow screen capture
      • Allow geolocation
      • Allow Microsoft account
      • Allow copy and paste
      • Allow Wi-Fi tethering
      • Allow automatic connection to free Wi-Fi hotspots
      • Allow Wi-Fi hotspot reporting
      • Allow wipe
      • Allow Bluetooth
      • Allow NFC
      • Allow Wi-Fi

    • iOS/iPadOS: All settings are removed, except:

      • Allow voice roaming
      • Allow data roaming
      • Allow automatic synchronization while roaming

I changed a device restriction profile, but the changes haven't taken effect

Once set, Windows Phone devices don't allow security policies set using MDM or EAS to be reduced in security. For example, you set a Minimum number of character password to 8. You try to reduce it to 4. The more restrictive profile is already applied to the device.

To change the profile to a less secure value, reset the security policies. For example, in Windows 8.1, on the desktop, swipe in from the right and select Settings > Control Panel. Select the User Accounts applet. In the left-hand navigation menu, there's a Reset Security Policies link (toward the bottom). Select it, and then choose Reset Policies.

Other MDM devices, such as Android, Windows Phone 8.1 and later, iOS/iPadOS, and Windows 10, may need to be retired and re-enrolled in Intune to apply a less restrictive profile.

Some settings in a Windows 10 profile return "Not Applicable"

Some settings on Windows 10 devices may show as "Not Applicable". When this happens, that specific setting isn't supported on the version or edition of Windows running on the device. This message can occur for the following reasons:

  • The setting is only available for newer versions of Windows, and not the current operating system (OS) version on the device.
  • The setting is only available for specific Windows editions or specific SKUs, such as Home, Professional, Enterprise, and Education.

To learn more about the version and SKU requirements for the different settings, see the Configuration Service Provider (CSP) reference.

Next steps

Need extra help? See How to get support for Microsoft Intune.