Troubleshoot device enrollment in Intune

Applies to: Intune on Azure
Looking for documentation about Intune in the classic console? Go to here.

This topic provides suggestions for troubleshooting device enrollment issues. If this information does not solve your problem, see How to get support for Microsoft Intune to find more ways to get help.

Initial troubleshooting steps

Before you begin troubleshooting, ensure that you configured Intune correctly to enable enrollment. See Enroll Android and Standard Knox devices for links to enrollment steps for each platform.

Your managed device users can collect enrollment and diagnostic logs for you to review. User instructions for collecting logs are provided in:

General enrollment issues

These issues may occur on all device platforms.

Device cap reached

Issue: A user receives an error on their device during enrollment, such as a Company Portal Temporarily Unavailable error on an iOS device, and the DMPdownloader.log on Configuration Manager contains the error DeviceCapReached.

Resolution:

Check number of devices enrolled and allowed

In the Azure portal, choose More Services > Monitoring + Management > Intune. On the Intune blade of the Azure portal, go to Enroll devices > Enrollment Restrictions and validate that the user has no more than the allowable maximum of 15 devices assigned.

Administrators can delete devices in the Azure Active Directory portal.

To delete devices in the Azure Active Directory portal:

  1. Browse to http://aka.ms/accessaad or choose Admin > Azure AD from https://portal.office.com.

  2. Log in with your Org ID using the link on the left side of the page.

  3. Create an Azure Subscription if you don’t have one. This should not require a credit card or payment if you have a paid account (choose the Register your free Azure Active Directory subscription link).

  4. Select Active Directory and then select your organization.

  5. Select the Users tab.

  6. Select the user whose devices you want to delete.

  7. Choose Devices.

  8. Remove devices as appropriate, such as those that are no longer in use, or those that have inaccurate definitions.

Note

You can avoid the device enrollment cap by using Device Enrollment Managers, as described in Enroll devices using device enrollment manager.

A user account that is added to the Device Enrollment Managers group will not be able to complete enrollment when a Conditional Access policy is enforced for that specific user login.

Company Portal Temporarily Unavailable

Issue: A user receives a Company Portal Temporarily Unavailable error on their device.

Resolution:

  1. Remove the Intune Company Portal app from the device.

  2. On the device, open the browser, browse to https://portal.manage.microsoft.com, and attempt a user login.

  3. If the user fails to log in, have them try another network.

  4. If that fails, validate that the user’s credentials have synced correctly with Azure Active Directory.

  5. If the user successfully logs in, an iOS device will prompt you to install the Intune Company Portal app and enroll. On an Android device you will need to manually install the Intune Company Portal app, after which you can retry enrolling.

MDM authority not defined

Issue: A user receives an MDM authority not defined error.

Resolution:

  1. Verify that the MDM Authority has been set appropriately for the type of Intune service you are using (that is, Intune, Office 365, or System Center Configuration Manager with Intune). See Set the mobile device management authority for instructions.

    Note

    In Configuration Manager version 1610 or later and Microsoft Intune version 1705, you can change the MDM authority without having to contact Microsoft Support, and without having to unenroll and reenroll your existing managed devices. For details, see What to do if you choose the wrong MDM authority setting.

  2. Verify that the user’s credentials have synced correctly with Azure Active Directory, by checking that their UPN matches the Active Directory information in the Account Portal. If the UPN does not match the Active Directory information:

    1. Turn off DirSync on the local server.

    2. Delete the mismatched user from the Intune Account Portal user list.

    3. Wait about one hour to allow the Azure service to remove the incorrect data.

    4. Turn on DirSync again and check if the user is now synced properly.

  3. In a scenario where you are using System Center Configuration Manager with Intune, verify that the user has a valid Cloud User ID:

    1. Open SQL Management Studio.

    2. Connect to the appropriate database.

    3. Open the databases folder and find and open the CM_DBName folder, where DBName is the name of the customer database.

    4. At the top, choose New Query and execute the following queries:

      • To see all users: select * from [CM_DBName].[dbo].[User_DISC]

      • To see specific users, use the following query, where %testuser1% represents username@domain.com for the user you want to look up: select * from [CM_DBName].[dbo].[User_DISC] where User_Principal_Name0 like '%testuser1%'

      After writing the query, choose !Execute. Once the results have been returned, look for the clouduser ID. If no ID is found, the user isn't licensed to use Intune.

Unable to create policy or enroll devices if the company name contains special characters

Issue: You can't create policy or enroll devices.

Resolution: In the Office 365 admin center, remove the special characters from the company name and save the company information.

Unable to log in or enroll devices when you have multiple verified domains

Issue: When you add a second verified domain to your AD FS, users with the user principal name (UPN) suffix of the second domain may not be able to log into the portals or enroll devices.

Resolution: Microsoft Office 365 customers who utilize single sign-on (SSO) through AD FS 2.0 and have multiple top level domains for users' UPN suffixes within their organization (for example, @contoso.com or @fabrikam.com) are required to deploy a separate instance of the AD FS 2.0 Federation Service for each suffix. There is now a rollup for AD FS 2.0 that works in conjunction with the SupportMultipleDomain switch to enable the AD FS server to support this scenario without requiring additional AD FS 2.0 servers. See this blog for more information.

Android issues

Devices fail to check in with the Intune service and display as "Unhealthy" in the Intune admin console

Issue: Some Samsung devices that are running Android versions 4.4.x and 5.x might stop checking in with the Intune service. If devices don't check in:

  • They can't receive policy, apps, and remote commands from the Intune service.
  • They show a Management State of Unhealthy in the administrator console.
  • Users who are protected by conditional access policies might lose access to corporate resources.

Samsung has confirmed that the Samsung Smart Manager software, which ships on certain Samsung devices, can deactivate the Intune Company Portal and its components. When Company Portal is in a deactivated state, it can't run in the background and therefore can't contact the Intune service.

Resolution #1:

Tell your users to start the Company Portal app manually. Once the app restarts, the device checks in with the Intune service.

Important

Opening the Company Portal app manually is a temporary solution, because Samsung Smart Manager may deactivate the Company Portal app again.

Resolution #2:

Tell your users to try upgrading to Android 6.0. The deactivation issue doesn't occur on Android 6.0 devices. To check if an update is available, users can go to Settings > About device > Download updates manually, and follow the prompts on the device.

Resolution #3:

If Resolution #2 doesn't work, have your users follow these steps to make Smart Manager exclude the Company Portal app:

  1. Launch the Smart Manager app on the device.

  2. Choose the Battery tile.

  3. Under App power saving or App optimization, select Detail.

  4. Choose Company Portal from the list of apps.

  5. Choose Turned off.

  6. Under App power saving or App optimization, confirm that Company Portal is turned off.

Profile installation failed

Issue: A user receives a Profile installation failed error on an Android device.

Resolution:

  1. Confirm that the user has been assigned an appropriate license for the version of the Intune service you are using.

  2. Confirm that the device is not already enrolled with another MDM provider or that it does not already have a management profile installed.

  3. Confirm that Chrome for Android is the default browser and that cookies are enabled.

Android certificate issues

Issue: Users receive the following message on their device: You cannot sign in because your device is missing a required certificate.

Resolution 1:

Ask your users to follow the instructions in Your device is missing a required certificate. If the error still appears after users follow the instructions, try Resolution 2.

Resolution 2:

If users still see the missing certificate error after entering their corporate credentials and getting redirected for the federated login experience, an intermediate certificate may be missing from your Active Directory Federation Services (AD FS) server.

The certificate error occurs because Android devices require intermediate certificates to be included in an SSL Server hello, but currently a default AD FS server or AD FS Proxy server installation sends only the AD FS service SSL certificate in the SSL Server hello response to an SSL Client hello.

To fix the issue, import the certificates into the Computers Personal Certificates on the AD FS server or proxies as follows:

  1. On the AD FS and proxy servers, launch the Certificate Management console for the local computer by right-clicking the Start button, choosing Run and typing certlm.msc.
  2. Expand Personal and select Certificates.
  3. Find the certificate for your AD FS service communication (a publicly signed certificate), and double-click to view its properties.
  4. Select the Certification Path tab to see the certificate’s parent certificate(s).
  5. On each parent certificate, select View Certificate.
  6. Select the Details tab and choose Copy to file….
  7. Follow the wizard prompts to export or save the public key of the certificate to the desired file location.
  8. Import the parent certificates that were exported in Step 3 to Local Computer\Personal\Certificates by right-clicking Certificates, selecting All Tasks > Import, and then following the wizard prompts to import the certificate(s).
  9. Restart the AD FS servers.
  10. Repeat the above steps on all of your AD FS and proxy servers. The user should now be able to sign in to the Company Portal on the Android device.

To validate that the certificate installed correctly:

The following steps describe just one of many methods and tools that you can use to validate that the certificate installed correctly.

  1. Go to the free Digicert tool.
  2. Enter your AD FS server’s fully qualified domain name (e.g., sts.contoso.com) and select CHECK SERVER.

If the Server certificate is installed correctly, you see all check marks in the results. If the problem above exists, you see a red X in the "Certificate Name Matches" and the "SSL Certificate is correctly Installed" sections of the report.
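
The import procedure above can also be checked locally on each AD FS and proxy server. The following PowerShell function is an added example, not part of the original article: it builds the chain for the service communication certificate and reports whether each parent certificate is present in Local Computer\Personal. The function name and the thumbprint parameter are assumptions made for illustration.

```powershell
# Added example, not part of the original article. Run in an elevated
# PowerShell session on each AD FS and proxy server.
function Test-AdfsParentCertificates {
    [CmdletBinding()]
    param(
        # Thumbprint of the AD FS service communication certificate
        # (placeholder: copy it from the certificate's Details tab).
        [Parameter(Mandatory = $true)]
        [string]$Thumbprint
    )

    # Thumbprints pasted from the certificate dialog often carry spaces or
    # an invisible leading character, so keep hex digits only.
    $wanted = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    $personal = @(Get-ChildItem -Path Cert:\LocalMachine\My)
    $leaf = $personal | Where-Object { $_.Thumbprint -eq $wanted } | Select-Object -First 1
    if (-not $leaf) {
        throw "Certificate $wanted was not found in Cert:\LocalMachine\My."
    }

    # Build the chain locally. Revocation is skipped because only the
    # presence of the parent certificates matters for this check.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    [void]$chain.Build($leaf)

    if ($chain.ChainElements.Count -lt 2) {
        Write-Warning "No parent certificate could be located for $($leaf.Subject)."
    }

    # Element 0 is the service certificate; every later element is a parent.
    for ($i = 1; $i -lt $chain.ChainElements.Count; $i++) {
        $parent = $chain.ChainElements[$i].Certificate
        [pscustomobject]@{
            Position        = $i
            Subject         = $parent.Subject
            Thumbprint      = $parent.Thumbprint
            NotAfter        = $parent.NotAfter
            InPersonalStore = [bool]($personal | Where-Object { $_.Thumbprint -eq $parent.Thumbprint })
        }
    }
}

# Example call with a placeholder thumbprint:
# Test-AdfsParentCertificates -Thumbprint '<service-communication-cert-thumbprint>'
```

A parent reported with InPersonalStore set to False is one that the import step has not yet covered on that server.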

iOS issues

Devices are inactive or the admin console cannot communicate with them

Issue: iOS devices aren’t checking in with the Intune service. Devices must check in periodically with the service to maintain access to protected corporate resources. If devices don’t check in:

  • They can't receive policy, apps, and remote commands from the Intune service.
  • They show a Management State of Unhealthy in the administrator console.
  • Users who are protected by conditional access policies might lose access to corporate resources.

Resolution: Share the following resolutions with your end users to help them regain access to corporate resources.

When users start the iOS Company Portal app, it can tell if their device has lost contact with Intune. If it detects that there is no contact, it automatically tries to sync with Intune to reconnect, and users will see the Trying to sync… inline notification.

If the sync is successful, you see a Sync successful inline notification in the iOS Company Portal app, indicating that your device is in a healthy state.

If the sync is unsuccessful, users see an Unable to sync inline notification in the iOS Company Portal app.

To fix the issue, users must select the Set up button, which is to the right of the Unable to sync notification. The Set up button takes users to the Company Access Setup flow screen, where they can follow the prompts to enroll their device.

Once enrolled, the devices return to a healthy state and regain access to company resources.

Profile installation failed

Issue: A user receives a Profile installation failed error on an iOS device.

Troubleshooting steps for failed profile installation

  1. Confirm that the user has been assigned an appropriate license for the version of the Intune service you are using.

  2. Confirm that the device is not already enrolled with another MDM provider or that it does not already have a management profile installed.

  3. Navigate to https://portal.manage.microsoft.com and try to install the profile when prompted.

  4. Confirm that Safari for iOS is the default browser and that cookies are enabled.

Enrolled iOS device doesn't appear in console when using System Center Configuration Manager with Intune

Issue: User enrolls iOS device but it does not appear in the Configuration Manager admin console. The device does not indicate that it's been enrolled. Possible causes:

  • You may have enrolled your Intune Connector into one account, and then enrolled it into another account.
  • You may have downloaded the MDM certificate from one account and used it on another account.

Resolution: Perform the following steps:

  1. Disable iOS inside of the Windows Intune Connector.

    1. Right-click the Intune subscription and select Properties.
    2. On the "iOS" tab, uncheck "Enable iOS Enrollment".
  2. In SQL, run the following steps on the CAS DB:

    1. update SC_ClientComponent_Property set Value2 = '' where Name like '%APNS%'
    2. delete from MDMPolicy where PolicyType = 7
    3. delete from MDMPolicyAssignment where PolicyType = 7
    4. update SC_ClientComponent_Property set Value2 = '' where Name like '%APNS%'
    5. delete from MDMPolicy where PolicyType = 11
    6. delete from MDMPolicyAssignment where PolicyType = 11
    7. DELETE Drs_Signals
  3. Restart the SMS Executive Service or restart the CM Server.

  4. Get a new APN certificate and upload it. To do that, right-click the Intune subscription in the left pane of Configuration Manager. Select Create APNs certificate request and follow the instructions.

Issues when using System Center Configuration Manager with Intune

Mobile devices disappear

Issue: After successfully enrolling a mobile device to Configuration Manager, the device disappears from the mobile device collection, but the device still has the Management Profile and is listed in CSS Gateway.

Resolution: This issue might occur if you have a custom process removing non-domain-joined devices, or because the user has retired the device from the subscription. To validate and check which process or user account removed the device from the Configuration Manager console, perform the following steps to check how the device was removed.

  1. In the Configuration Manager admin console, select Monitoring > System Status > Status Message Queries.

  2. Right-click Collection Member Resources Manually Deleted and select Show Messages.

  3. Choose an appropriate time/date or the last 12 hours.

  4. Find the device in question and review how the device was removed. The example below shows that the account SCCMInstall deleted the device via an Unknown Application.

    [Screenshot of device deletion diagnostics]

  5. Check that Configuration Manager does not have a scheduled task, script, or other process that could be automatically purging non-domain, mobile, or related devices.

Other iOS enrollment errors

You can view a list of iOS enrollment errors that end users might see. The list provides information about error messages that end users might see and the steps that you take to resolve the issue.

PC Issues

The machine is already enrolled - Error hr 0x8007064c

Issue: Enrollment fails with the error The machine is already enrolled. The enrollment log shows error hr 0x8007064c.

This error might occur because the computer had been previously enrolled, or has the cloned image of a computer that had been enrolled. The account certificate of the previous account is still present on the computer.

Resolution:

  1. From the Start menu, type Run -> MMC.
  2. Choose File > Add/ Remove Snap-ins.
  3. Double-click Certificates, choose Computer account > Next, and select Local Computer.
  4. Double-click Certificates (Local computer) and choose Personal/ Certificates.
  5. Look for the Intune cert issued by Sc_Online_Issuing, and delete it, if present.
  6. If the following registry key exists, delete it: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OnlineManagement regkey and all sub keys.
  7. Try to re-enroll.
  8. If the PC still cannot enroll, look for and delete this key, if it exists: HKEY_CLASSES_ROOT\Installer\Products\6985F0077D3EEB44AB6849B5D7913E95.
  9. Try to re-enroll.

    Important

    This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, read How to back up and restore the registry in Windows.
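
Before deleting anything, it helps to see which of the leftovers named in the resolution are actually present on the PC. The following read-only PowerShell check is an added example, not part of the original article; the function name is an assumption, and the second registry path is read as being under the HKEY_CLASSES_ROOT hive.

```powershell
# Added example, not part of the original article. Read-only: it reports what
# is present and deletes nothing. Run from an elevated PowerShell session.
function Get-StaleIntuneEnrollmentArtifact {
    [CmdletBinding()]
    param()

    # Certificate issued by Sc_Online_Issuing in Local Computer\Personal.
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -like '*Sc_Online_Issuing*' } |
        ForEach-Object {
            [pscustomobject]@{
                Type   = 'Certificate'
                Item   = "Cert:\LocalMachine\My\$($_.Thumbprint)"
                Detail = "Subject=$($_.Subject); NotAfter=$($_.NotAfter.ToString('u'))"
            }
        }

    # Registry keys named in the resolution steps. The Registry:: provider
    # prefix is used because no HKCR: drive exists by default.
    $keys = @(
        'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OnlineManagement',
        'Registry::HKEY_CLASSES_ROOT\Installer\Products\6985F0077D3EEB44AB6849B5D7913E95'
    )
    foreach ($key in $keys) {
        if (Test-Path -Path $key) {
            $subKeys = @(Get-ChildItem -Path $key -Recurse -ErrorAction SilentlyContinue)
            [pscustomobject]@{
                Type   = 'RegistryKey'
                Item   = $key -replace '^Registry::', ''
                Detail = "SubKeys=$($subKeys.Count)"
            }
        }
    }
}

$found = @(Get-StaleIntuneEnrollmentArtifact)
if ($found.Count -eq 0) {
    'No leftover enrollment artifacts found.'
} else {
    $found | Format-Table -AutoSize -Wrap
}
```

An empty result on a machine that still fails with 0x8007064c indicates the cause lies outside the certificate and registry keys listed in the resolution.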

General enrollment error codes

| Error code | Possible problem | Suggested resolution |
|---|---|---|
| 0x80CF0437 | The clock on the client computer is not set to the correct time. | Make sure that the clock and the time zone on the client computer are set to the correct time and time zone. |
| 0x80240438, 0x80CF0438, 0x80CF402C | Cannot connect to the Intune service. Check the client proxy settings. | Verify that the proxy configuration on the client computer is supported by Intune, and that the client computer has Internet access. |
| 0x80240438, 0x80CF0438 | Proxy settings in Internet Explorer and Local System are not configured. | Cannot connect to the Intune service. Check the client proxy settings and confirm that the proxy configuration on the client computer is supported by Intune, and that the client computer has Internet access. |
| 0x80043001, 0x80CF3001, 0x80043004, 0x80CF3004 | Enrollment package is out of date. | Download and install the current client software package from the Administration workspace. |
| 0x80043002, 0x80CF3002 | Account is in maintenance mode. | You cannot enroll new client computers when the account is in maintenance mode. To view your account settings, sign in to your account. |
| 0x80043003, 0x80CF3003 | Account is deleted. | Verify that your account and subscription to Intune is still active. To view your account settings, sign in to your account. |
| 0x80043005, 0x80CF3005 | The client computer has been retired. | Wait a few hours, remove any older versions of the client software from the computer, and then retry the client software installation. |
| 0x80043006, 0x80CF3006 | The maximum number of seats allowed for the account has been reached. | Your organization must purchase additional seats before you can enroll more client computers in the service. |
| 0x80043007, 0x80CF3007 | Could not find the certificate file in the same folder as the installer program. | Extract all files before you start the installation. Do not rename or relocate any of the extracted files: all files must exist in the same folder or the installation will fail. |
| 0x8024D015, 0x00240005, 0x80070BC2, 0x80070BC9, 0x80CFD015 | The software cannot be installed because a restart of the client computer is pending. | Restart the computer and then retry the client software installation. |
| 0x80070032 | One or more prerequisites for installing the client software were not found on the client computer. | Make sure that all required updates are installed on the client computer and then retry the client software installation. |
| 0x80043008, 0x80CF3008 | Failed to start the Microsoft Online Management Updates service. | Contact Microsoft Support as described in How to get support for Microsoft Intune. |
| 0x80043009, 0x80CF3009 | The client computer is already enrolled into the service. | You must retire the client computer before you can re-enroll it in the service. |
| 0x8004300B, 0x80CF300B | The client software installation package cannot run because the version of Windows that is running on the client is not supported. | Intune does not support the version of Windows that is running on the client computer. |
| 0xAB2 | The Windows Installer could not access VBScript run time for a custom action. | This error is caused by a custom action that is based on Dynamic-Link Libraries (DLLs). When troubleshooting the DLL, you might have to use the tools that are described in Microsoft Support KB198038: Useful Tools for Package and Deployment Issues. |
| 0x80cf0440 | The connection to the service endpoint terminated. | Trial or paid account is suspended. Create a new trial or paid account and re-enroll. |

Next steps

If this troubleshooting information didn't help you, contact Microsoft Support as described in How to get support for Microsoft Intune.

To submit feedback, go to Intune Feedback.