針對 Intune 中的原則和設定檔進行疑難排解Troubleshoot policies and profiles and in Intune

Microsoft Intune 包含一些內建的疑難排解功能。Microsoft Intune includes some built-in troubleshooting features. 使用這些功能可協助您針對環境中的合規性政策和組態設定檔進行疑難排解。Use these features to help troubleshoot compliance policies and configuration profiles in your environment.

本文列出一些常見的疑難排解技術,並描述您可能會遇到的一些問題。This article lists some common troubleshooting techniques, and describes some issues you may experience.

檢查租用戶狀態Check tenant status

檢查租用戶狀態,並確認訂用帳戶為 [使用中]。Check the Tenant Status and confirm the subscription is Active. 您也可以檢視可能會影響您的原則或設定檔部署之作用中事件與建議的詳細資料。You can also view details for active incidents and advisories that may impact your policy or profile deployment.

使用內建的疑難排解Use built-in troubleshooting

  1. Microsoft 端點管理員系統管理中心中,選取 [疑難排解 + 支援] > [疑難排解]:In the Microsoft Endpoint Manager admin center, select Troubleshooting + support > Troubleshoot:

    在端點管理系統管理中心和 Intune 中,前往 [疑難排解與支援]。

  2. 選擇 [選取使用者] > 選取發生問題的使用者 > [選取]。Choose Select user > select the user having an issue > Select.

  3. 確認 [Intune 授權] 和 [帳戶狀態] 同時顯示綠色核取記號:Confirm that Intune License and Account Status both show green checks:

    在 Intune 中選取使用者,並確認 [帳戶狀態] 和 [Intune 授權] 都顯示綠色核取記號狀態。

    實用的連結Helpful links:

  4. 在 [裝置] 下,尋找有問題的裝置。Under Devices, find the device having an issue. 檢閱不同欄位:Review the different columns:

    • 受控:若要讓裝置接收合規性或設定原則,此屬性必須顯示 [MDM] 或 [EAS/MDM]。Managed: For a device to receive compliance or configuration policies, this property must show MDM or EAS/MDM.

      • 如果未將 [受控] 設定為 [MDM] 或 [EAS/MDM],則不會註冊裝置。If Managed isn't set to MDM or EAS/MDM, then the device isn't enrolled. 在註冊之前,它不會接收合規性或設定原則。It doesn't receive compliance or configuration policies until it's enrolled.

      • 應用程式防護原則 (行動應用程式管理) 不需要註冊裝置。App protection policies (mobile application management) don't require devices to be enrolled. 如需詳細資訊,請參閱建立及指派應用程式防護原則For more information, see create and assign app protection policies.

    • Azure AD 聯結類型:應設定為 [Workplace] 或 [AzureAD]。Azure AD Join Type: Should be set to Workplace or AzureAD.

      • 如果此欄位是 [未註冊],則可能有註冊問題。If this column is Not Registered, there may be an issue with enrollment. 一般而言,取消註冊再重新註冊裝置會解決此狀態。Typically, unenrolling and re-enrolling the device resolves this state.
    • 符合 Intune 規範:應為 [是]。Intune compliant: Should be Yes. 如果顯示 [否],則可能有合規性政策問題,或裝置未連線到 Intune 服務。If No is shown, there may be an issue with compliance policies, or the device isn't connecting to the Intune service. 例如,裝置可能已關機或可能沒有網路連線。For example, the device may be turned off, or may not have a network connection. 裝置最終會變成不符合規範,可能是 30 天後。Eventually, the device becomes non-compliant, possibly after 30 days.

      如需詳細資訊,請參閱裝置合規性政策入門For more information, see get started with device compliance policies.

    • 符合 Azure AD 規範:應為 [是]。Azure AD compliant: Should be Yes. 如果顯示 [否],則可能有合規性政策問題,或裝置未連線到 Intune 服務。If No is shown, there may be an issue with compliance policies, or the device isn't connecting to the Intune service. 例如,裝置可能已關機或可能沒有網路連線。For example, the device may be turned off, or may not have a network connection. 裝置最終會變成不符合規範,可能是 30 天後。Eventually, the device becomes non-compliant, possibly after 30 days.

      如需詳細資訊,請參閱裝置合規性政策入門For more information, see get started with device compliance policies.

    • 上次簽入時間:應為最近的時間和日期。Last check in: Should be a recent time and date. 根據預設,Intune 裝置會每 8 小時檢查一次。By default, Intune devices check in every 8 hours.

      • 如果 [上次簽入時間] 超過 24 小時,則可能是裝置發生問題。If Last check in is more than 24 hours, there may be an issue with the device. 無法簽入的裝置將無法從 Intune 接收原則。A device that can't check in can't receive your policies from Intune.

      • 若要強制簽入:To force check-in:

        • 在 Android 裝置上,開啟公司入口網站應用程式 > [裝置] > 從清單中選擇裝置 > [檢查裝置設定]。On the Android device, open the Company Portal app > Devices > Choose the device from list > Check Device Settings.
        • 在 iOS/iPadOS 裝置上,開啟公司入口網站應用程式 > [裝置] > 從清單中選擇裝置 > [檢查設定]。On the iOS/iPadOS device, open the Company portal app > Devices > Choose the device from list > Check Settings.
      • 在 Windows 裝置上,開啟 [設定] > [帳戶] > [存取公司或學校資源] > 選取帳戶或 MDM 註冊 > [資訊] > [同步]。On a Windows device, open Settings > Accounts > Access Work or School > Select the account or MDM enrollment > Info > Sync.

    • 選取裝置以查看原則特定資訊。Select the device to see policy-specific information.

      [裝置合規性] 顯示指派給裝置的合規性政策狀態。Device Compliance shows the states of compliance policies assigned to the device.

      [裝置設定] 顯示指派給裝置的設定原則狀態。Device Configuration shows the states of configuration policies assigned to the device.

      如果 [裝置合規性] 或 [裝置設定] 下未顯示預期的原則,則設為目標的原則不正確。If the expected policies aren't shown under Device Compliance or Device Configuration, then the policies aren't targeted correctly. 開啟原則,然後將原則指派給此使用者或裝置。Open the policy, and assign the policy to this user or device.

      原則狀態Policy states:

      • 不適用:此平台不支援此原則。Not Applicable: This policy isn't supported on this platform. 例如,iOS/iPadOS 原則不適用於 Android。For example, iOS/iPadOS policies don't work on Android. Samsung KNOX 原則不適用於 Windows 裝置。Samsung KNOX policies don't work on Windows devices.
      • 衝突:裝置上有 Intune 無法覆寫的現有設定。Conflict: There's an existing setting on the device that Intune can't override. 或者,您使用不同值部署了兩個具有相同設定的原則。Or, you deployed two policies with the same setting using different values.
      • Pending:裝置尚未簽入 Intune,因此無法取得原則。Pending: The device hasn't checked into Intune to get the policy. 或者,裝置已收到原則,但尚未對 Intune 回報狀態。Or, the device received the policy but hasn't reported the status to Intune.
      • 錯誤:在公司資源存取問題的疑難排解中查詢錯誤和可能的解決方法。Errors: Look up errors and possible resolutions at Troubleshoot company resource access problems.

      實用的連結Helpful links:

您不確定設定檔是否已正確套用You're unsure if a profile is correctly applied

  1. 登入 Microsoft Endpoint Manager 系統管理中心Sign in to the Microsoft Endpoint Manager admin center.

  2. 選取 [裝置] > [所有裝置] > 選取裝置 > [裝置設定]。Select Devices > All devices > select the device > Device configuration.

    每部裝置都會列出其設定檔。Every device lists its profiles. 每個設定檔都有 [狀態]。Each profile has a Status. 狀態是將所有指派的設定檔 (包括硬體和 OS 的限制與需求) 全部一起考慮時所達成的情況。The status applies when all of the assigned profiles, including hardware and OS restrictions and requirements, are considered together. 可能的狀態包括:Possible statuses include:

    • 符合:裝置已收到設定檔,並對 Intune 回報其符合設定。Conforms: The device received the profile and reports to Intune that it conforms to the setting.

    • 不適用:該設定檔設定不適用。Not applicable: The profile setting isn't applicable. 例如,iOS/iPadOS 裝置的電子郵件設定不會套用至 Android 裝置。For example, email settings for iOS/iPadOS devices don't apply to an Android device.

    • Pending:設定檔已傳送至裝置,但尚未對 Intune 回報狀態。Pending: The profile is sent to the device, but hasn't reported the status to Intune. 例如,Android 上的加密需要使用者啟用加密,因此可能顯示為擱置。For example, encryption on Android requires the user to enable encryption, and might show as pending.

實用的連結監視裝置組態設定檔Helpful link: Monitor configuration device profiles

注意

當兩個不同限制等級的原則套用至同一部裝置或同一個使用者時,系統會套用較嚴格的原則。When two policies with different levels of restriction apply to the same device or user, the more restrictive policy applies.

原則疑難排解資源Policy troubleshooting resources

警示:將存取規則儲存到 Exchange 失敗Alert: Saving of Access Rules to Exchange has Failed

問題:您在管理主控台中收到警示:將存取規則儲存到 Exchange 失敗Issue: You receive the alert Saving of Access Rules to Exchange has Failed in the admin console.

如果在 [Exchange 內部部署原則] 工作區 (管理主控台) 中建立原則,但正在使用 Microsoft 365,則 Intune 不會強制執行已設定的原則設定。If you create policies in the Exchange On-Premises Policy workspace (Admin console), but are using Microsoft 365, then the configured policy settings aren't enforced by Intune. 記下警示中的原則來源。In the alert, note the policy source. 在 [Exchange 內部部署原則] 工作區下,刪除舊版規則。Under the Exchange On-premises Policy workspace, delete the legacy rules. 舊版規則是 Intune 內適用於內部部署 Exchange 的全域 Exchange 規則,且與 Microsoft 365 不相關。The legacy rules are Global Exchange rules within Intune for on-premises Exchange, and aren't relevant to Microsoft 365. 接著,建立適用於 Microsoft 365 的新原則。Then, create new policy for Microsoft 365.

針對 Intune On-Premises Exchange Connector 進行疑難排解可能是不錯的資源。Troubleshoot the Intune on-premises Exchange connector may be a good resource.

無法變更已註冊裝置的安全性原則Can't change security policies for enrolled devices

當您使用 MDM 或 EAS 設定安全性原則之後,Windows Phone 裝置不允許降低這些原則的安全性。Windows Phone devices don't allow security policies set using MDM or EAS to be reduced in security once you've set them. 例如,您將 [字元密碼字元數下限] 設定為 8 個,然後嘗試減少為 4 個。For example, you set a Minimum number of character password to 8, and then try to reduce it to 4. 此裝置已套用較嚴格的原則。The more restrictive policy is applied to the device.

當您取消指派原則 (停止部署) 時,Windows 10 裝置可能不會移除安全性原則。Windows 10 devices may not remove security policies when you unassign the policy (stop deployment). 您可能需要將原則維持為已指派,然後將安全性設定變更回預設值。You may need to leave the policy assigned, and then change the security settings back to the default values.

根據裝置平台,如果您想要將原則變更為較不安全的值,您可能需要重設安全性原則。Depending on the device platform, if you want to change the policy to a less secure value, you may need to reset the security policies.

例如,在 Windows 8.1 中的桌面上,從右向內撥動以開啟 [常用鍵] 列。For example, in Windows 8.1, on the desktop, swipe in from right to open the Charms bar. 選擇 [設定] > [控制台] > [使用者帳戶]。Choose Settings > Control Panel > User Accounts. 在左側,選取 [重設安全性原則] 連結,然後選擇 [重設原則]。On the left, select Reset Security Policies link, and choose Reset Policies.

可能需要先淘汰其他平台 (例如 Android 與 iOS/iPadOS) 並重新註冊,才能套用較不嚴格的原則。Other platforms, such as Android, and iOS/iPadOS may need to be retired and re-enrolled to apply a less restrictive policy.

裝置註冊疑難排解可能是不錯的資源。Troubleshoot device enrollment may be a good resource.

使用 Intune 軟體用戶端的電腦 - 傳統入口網站PCs using the Intune software client - classic portal

注意

本節適用於傳統入口網站。This section applies to the classic portal.

針對使用 Intune 軟體用戶端管理的 Windows 電腦,policyplatform.log 檔案中的原則錯誤可能來自裝置上 Windows 使用者帳戶控制 (UAC) 的非預設設定。For Windows PCs managed with the Intune software client, policy errors in the policyplatform.log file may be from non-default settings in the Windows User Account Control (UAC) on the device. 某些非預設的 UAC 設定可能會影響 Microsoft Intune 用戶端安裝和原則執行。Some non-default UAC settings can affect Microsoft Intune client installations and policy execution.

解決 UAC 問題Resolve UAC issues

  1. 將電腦淘汰。Retire the computer. 請參閱移除裝置See Remove devices.

  2. 等候 20 分鐘讓用戶端軟體被移除。Wait 20 minutes for the client software to be removed.

    注意

    請勿嘗試從 [程式和功能] 移除用戶端。Don't attempt to remove the client from Programs and Features.

  3. 在 [開始] 功能表中鍵入 UAC,開啟 [使用者帳戶控制] 設定。On the start menu, type UAC to open the User Account Control settings.

  4. 將通知滑桿移至預設設定。Move the notification slider to the default setting.

ERROR:無法從電腦取得值,0x80041013ERROR: Cannot obtain the value from the computer, 0x80041013

在本機系統時間不同步的程度超過五分鐘以上時便會發生。Occurs if the time on the local system is out of sync by five minutes or more. 如果本機電腦上的時間不同步,因為時間戳記無效,安全交易會失敗。If the time on the local computer is out of sync, secure transactions fail because the time stamps are invalid.

若要解決這個問題,設定本機系統時間時請盡可能接近網際網路時間。To resolve this issue, set the local system time as close as possible to Internet time. 或者,將它設定為網路上網域控制站的時間。Or, set it to the time on the domain controllers on the network.

後續步驟Next steps

有關電子郵件設定檔的常見問題和解決方式Common issues and resolutions with email profiles

取得來自 Microsoft 的支援說明或使用社群論壇Get support help from Microsoft, or use the community forums.