Windows 10 and later settings to manage shared devices using Intune

Windows 10 and later devices, such as the Microsoft Surface, can be used by many users. Devices that have multiple users are called shared devices, and are a part of mobile device management (MDM) solutions.

Using Microsoft Intune, end users can sign in to these shared devices with a guest account. As they use the device, they only get access to the features you allow. As the Intune administrator, you configure access, choose when accounts are deleted, control power management settings, and more for your shared Windows 10 devices.

This article lists and describes the settings you use in a Windows 10 (and later) device configuration profile. When the profile is created in Intune, you deploy or assign the profile to device groups in your organization. You can also assign this profile to device groups with mixed device types and OS versions.

For more information on this feature in Intune, see Control access, accounts, and power features on shared PC or multi-user devices. For more information on the Windows CSP, see SharedPC CSP.

Before you begin

Create a Windows 10 shared multi-user device configuration profile.

Shared multi-user device settings

These settings use the SharedPC CSP.

  • Shared PC mode: Enable turns on shared PC mode. In this mode, only one user signs in to the device at a time. Another user can't sign in until the first user signs out. When set to Not configured (default), Intune doesn't change or update this setting.

  • Guest account: Choose to create a Guest option on the sign-in screen. Guest accounts don't require any user credentials or authentication. This setting creates a new local account each time it's used. Your options:

    • Guest: Creates a guest account locally on the device.
    • Domain: Creates a guest account in Azure Active Directory (AD).
    • Guest and domain: Creates a guest account locally on the device, and in Azure Active Directory (AD).
  • Account management: Choose if accounts are automatically deleted. Your options:

    • Not configured (default): Intune doesn't change or update this setting.

    • Enabled: Accounts created by guests, and accounts in AD and Azure AD, are automatically deleted from the devices. When a user signs off the device, or when system maintenance runs, these accounts are removed from the devices.

      Also enter:

      • Account Deletion: Choose when accounts are deleted:
        • At storage space threshold
        • At storage space threshold and inactive threshold
        • Immediately after log-out

      Also enter:

      • Start delete threshold (%): Enter a percentage (0-100) of disk space. When the total disk/storage space drops below the value you enter, the cached accounts are deleted. It continuously deletes accounts to reclaim disk space. Accounts that are inactive the longest are deleted first.
      • Stop delete threshold (%): Enter a percentage (0-100) of disk space. When the total disk/storage space meets the value you enter, the deleting stops.
      • Inactive account threshold: Enter the number of consecutive days before deleting the account that hasn't signed in, from 0-60 days.
    • Disabled: The local, AD, and Azure AD accounts created by guests stay on the device, and aren't deleted.

  • Local Storage: With local storage, users can save and view files on the device's hard drive. Your options:

    • Not configured (default): Intune doesn't change or update this setting.
    • Enabled: Prevents users from saving and viewing files on the device's hard drive.
    • Disabled: Allows users to see and save files locally using File Explorer.
  • Power Policies: Allow or prevent users from changing the power settings. Your options:

    • Not configured (default): Intune doesn't change or update this setting.
    • Enabled: Users can't turn off hibernate, can't override all sleep actions (such as closing the lid), and can't change the power settings.
    • Disabled: Users can hibernate the device, can close the lid to sleep the device, and can change the power settings.
  • Sleep time out (in seconds): Enter the number of inactive seconds (0-18000) before the device goes into sleep mode. 0 means the device never sleeps. If you don't set a time, the device goes to sleep after 3600 seconds (60 minutes).

  • Sign-in when PC wakes: Choose if users must sign in after the device comes out of sleep mode. Your options:

    • Not configured (default): Intune doesn't change or update this setting.
    • Enabled: Requires users to sign in with a password when the device comes out of sleep mode.
    • Disabled: Users don't have to enter their username and password.
  • Maintenance start time (in minutes from midnight): Enter the time in minutes (0-1440) when automatic maintenance tasks, such as Windows Update, run. The default start time is midnight, or zero (0) minutes. Change the start time by entering a start time in minutes from midnight. For example, if you want maintenance to begin at 2 AM, enter 120. If you want maintenance to begin at 8 PM, enter 1200.

    When set to Not configured (default), Intune doesn't change or update this setting.

  • Education policies: Choose if policies for education environments are enabled. Your options:

    • Not configured (default): Intune doesn't change or update this setting.
    • Enabled: Uses the recommended settings for devices used in schools, which are more restrictive.
    • Disabled: The default and recommended education policies aren't used.

    For more information on what the education policies do, see Windows 10 configuration recommendations for education customers.
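The account deletion options and thresholds described under Account management can be modelled as below, to see which cached profiles would survive a maintenance pass on a shared device. This is an added example, not code from Microsoft or Intune: the function, the mode labels and the sample accounts are hypothetical, the percentages are read as free disk space, and in the combined mode accounts at or past the inactive threshold are assumed to be removed regardless of disk level.

```python
from dataclasses import dataclass

@dataclass
class CachedAccount:
    name: str
    size_gb: float      # disk space used by the cached profile
    days_inactive: int  # consecutive days without a sign-in

def accounts_to_delete(accounts, disk_gb, free_gb, mode,
                       start_pct=25, stop_pct=50, inactive_days=30):
    """Return the names of cached accounts one cleanup pass removes.

    mode is a hypothetical label for the three Account Deletion options:
    "immediate", "threshold" or "threshold_and_inactive".
    """
    if not (0 <= start_pct <= 100 and 0 <= stop_pct <= 100):
        raise ValueError("thresholds must be 0-100 percent")
    if not 0 <= inactive_days <= 60:
        raise ValueError("inactive account threshold must be 0-60 days")
    if mode == "immediate":
        return [a.name for a in accounts]  # nothing outlives sign-out
    if start_pct > stop_pct:
        # Sanity check of this model: cleanup could never reach its goal.
        raise ValueError("start threshold is above stop threshold")

    # Longest-inactive accounts are considered first.
    remaining = sorted(accounts, key=lambda a: a.days_inactive, reverse=True)
    deleted = []
    if mode == "threshold_and_inactive":
        stale = [a for a in remaining if a.days_inactive >= inactive_days]
        for a in stale:
            remaining.remove(a)
            deleted.append(a.name)
            free_gb += a.size_gb
    # Start deleting only below the start threshold, stop at the stop threshold.
    if 100 * free_gb / disk_gb < start_pct:
        while remaining and 100 * free_gb / disk_gb < stop_pct:
            a = remaining.pop(0)
            deleted.append(a.name)
            free_gb += a.size_gb
    return deleted

# Constructed sample: four cached profiles on a 200 GB disk.
SAMPLE = [
    CachedAccount("guest-a", 20, 2),
    CachedAccount("guest-b", 30, 45),
    CachedAccount("student-c", 10, 10),
    CachedAccount("student-d", 40, 1),
]
```

With 40 GB free (20%), the threshold-only mode removes three profiles before reaching 50% free, while the combined mode removes only the 45-day-old profile because that alone lifts free space above the start threshold.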

Tip

Set up a shared or guest PC (opens another docs web site) is a great resource on this Windows 10 feature, including concepts and group policies that can be set in shared mode.

Next steps