Fundamentals
1. What is Microsoft Intune, and what are its primary functions?
Microsoft Intune is a cloud-based endpoint management solution that provides mobile device management (MDM) and mobile application management (MAM). It helps organizations manage the devices and apps employees use to access corporate data.
Primary Functions:
Device enrollment and compliance
App deployment and protection
Policy management (security, configuration)
Conditional Access enforcement
2. What is the difference between MDM and MAM? When would you use each?
MDM (Mobile Device Management) manages the entire device, enforcing security and compliance settings.
MAM (Mobile Application Management) manages only corporate applications and data.
Use Case: Use MAM for BYOD scenarios where full device control is not acceptable; use MDM for corporate-owned devices.
3. Explain the role of Azure AD in Intune. Azure AD (now Microsoft Entra ID) provides identity and access management for Intune. Devices are registered or joined in Azure AD before Intune can enroll them, the users and groups defined there are the targets for Intune policies and apps, the MDM user scope set in Azure AD controls which users auto-enroll, and Intune writes each device's compliance state back to the Azure AD device object so Conditional Access can act on it.
4. What are compliance policies and configuration profiles in Intune? Give examples.
Compliance Policies: Define rules that a device must meet (e.g., minimum OS version, encryption enabled).
Configuration Profiles: Push settings to devices (e.g., Wi-Fi, email, VPN).
5. What is Conditional Access, and how does it work with Intune? Conditional Access is the Azure AD policy engine that evaluates signals at sign-in (user and group, device compliance, platform, location, client app, sign-in risk) and then grants, blocks, or demands extra controls such as MFA before releasing a token for a corporate resource. Intune reports each device's compliance state to Azure AD; a Conditional Access policy with the grant control "Require device to be marked as compliant" then blocks sign-ins from devices Intune has not marked compliant. Intune itself blocks nothing; it only supplies the compliance signal, so a compliance policy without a matching Conditional Access policy is reporting only.
6. Describe the different device enrollment methods available in Intune.
Manual Enrollment
Apple Automated Device Enrollment (via ABM)
Windows Autopilot
Android Enterprise (Work Profile, Fully Managed, COPE)
Bulk enrollment using provisioning packages
7. What are App Protection Policies (APP), and how do they work? APPs apply data protection settings to corporate apps without managing the entire device. Policies control actions like copy/paste, encryption, and authentication within managed apps.
8. How does Intune handle device retirement or decommissioning? Three remote actions, chosen by who owns the device and how it was enrolled:
Retired: Removes company data, managed apps and policies, and removes the device from Intune management; personal data stays. The usual choice for BYOD.
Wiped: Factory resets the device. On Windows you can optionally keep the enrollment state and user account; for a lost or stolen corporate device, choose the full wipe.
Selective wipe (app selective wipe): Removes corporate data only from apps protected by an App Protection Policy. It works on devices that are not enrolled at all, which is why it is the MAM counterpart of retire.
Setup and Configuration
1. How would you enroll iOS devices using Apple Business Manager (ABM) in Intune?
Link ABM with Intune: download the Intune public key certificate from the Intune admin center, upload it in ABM to generate an MDM server token (.p7m), then upload that token to Intune. The token expires after one year and must be renewed before it lapses or new devices stop enrolling.
Assign devices to the Intune MDM server in ABM.
Create an enrollment profile in Intune.
Devices will auto-enroll during setup.
2. How would you enroll Windows devices using Windows Autopilot in Intune?
Gather hardware hashes (with the Get-WindowsAutopilotInfo script on each device, or have the OEM/reseller register them) and import them as a CSV under Devices > Windows > Windows enrollment > Devices.
Create and assign Autopilot profiles.
Devices will automatically enroll during OOBE.
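The hash-gathering step above, as an added example that is not from the original page: it reads the hardware hash the MDM bridge provider exposes (the same source the Get-WindowsAutopilotInfo gallery script uses), writes it in the CSV layout the Intune import accepts, and optionally posts the device straight to Microsoft Graph. The output path and group tag are assumptions; the script must run in an elevated session on the device being registered.

```powershell
# Added example (not from the original page). Run elevated on the target device.
# Requires the Microsoft.Graph.Authentication module only for Import-AutopilotDevice.

function Get-AutopilotHardwareHash {
    # MDM_DevDetail_Ext01.DeviceHardwareData is the base64 hash Autopilot keys on.
    $detail = Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' -ClassName 'MDM_DevDetail_Ext01' `
        -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
    $bios = Get-CimInstance -ClassName Win32_BIOS
    if (-not $detail.DeviceHardwareData) {
        throw 'No hardware hash returned: the session must be elevated and the device must be a physical or supported virtual machine.'
    }
    [pscustomobject]@{
        'Device Serial Number' = $bios.SerialNumber
        'Windows Product ID'   = ''                       # optional column, left empty
        'Hardware Hash'        = $detail.DeviceHardwareData
        'Group Tag'            = 'Finance-Laptops'        # assumed tag; a dynamic group can key on it
    }
}

function Export-AutopilotCsv {
    # Writes the import CSV without quotes, matching what the Intune CSV import expects.
    param([Parameter(Mandatory)] [string] $Path)
    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
    Get-AutopilotHardwareHash |
        ConvertTo-Csv -NoTypeInformation |
        ForEach-Object { $_ -replace '"', '' } |
        Out-File -FilePath $Path -Encoding ascii
    Get-Content $Path
}

function Import-AutopilotDevice {
    # Registers one device via Graph instead of the portal CSV import.
    param([Parameter(Mandatory)] $Device)
    Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.ReadWrite.All' | Out-Null
    $body = @{
        '@odata.type'      = '#microsoft.graph.importedWindowsAutopilotDeviceIdentity'
        serialNumber       = $Device.'Device Serial Number'
        hardwareIdentifier = $Device.'Hardware Hash'      # Edm.Binary, sent as base64
        groupTag           = $Device.'Group Tag'
    }
    # The import is asynchronous; the returned object's state reports progress.
    Invoke-MgGraphRequest -Method POST -Body $body `
        -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/importedWindowsAutopilotDeviceIdentities'
}

Export-AutopilotCsv -Path 'C:\HWID\AutopilotHWID.csv'     # assumed output path
# Import-AutopilotDevice -Device (Get-AutopilotHardwareHash)
```

Treat the hash like a credential in transit: anyone who can register it against a tenant can claim the device at OOBE, so collect it over a channel you control rather than e-mailing CSVs around.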
3. How do you deploy applications to devices using Intune? What are the different application types you can deploy?
Upload app packages or link to Microsoft Store apps.
Assign apps to users or devices.
Application Types: Win32 apps (.intunewin, packaged with the Microsoft Win32 Content Prep Tool; the preferred type for anything that needs detection, requirement, or dependency rules), line-of-business apps (MSI, MSIX, APPX), Microsoft Store apps, web links, iOS/iPadOS App Store and LOB (IPA) apps, Android Managed Google Play and LOB (APK) apps, and macOS LOB (PKG) and DMG apps.
4. How would you configure a Wi-Fi profile for devices using Intune?
Go to Configuration profiles > Create Profile.
Choose platform and Wi-Fi settings.
Configure SSID, security type, authentication.
Assign to groups.
5. How would you configure a VPN profile for devices using Intune?
Create a Configuration Profile.
Choose VPN settings: connection name, server, authentication.
Specify the connection type, which determines which client handles the tunnel: the OS built-in client (IKEv2, L2TP on Windows; IKEv2 on iOS/macOS) or a third-party client such as Cisco AnyConnect or Palo Alto GlobalProtect, which must also be deployed to the device as an app.
Assign to devices or users.
6. How do you troubleshoot device enrollment issues in Intune?
Use the Intune admin center: Troubleshooting + support > Troubleshoot, select the user, and review their license, group memberships, enrolled devices, and assigned policies.
Check enrollment logs: Company Portal diagnostics on mobile devices; on Windows, Event Viewer > Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin, the output of dsregcmd /status, and a cab collected with mdmdiagnosticstool.exe.
Confirm license assignment and group targeting.
7. How do you configure Conditional Access policies to require MFA for accessing corporate resources?
In Azure AD > Conditional Access:
Create a new policy
Assign to users/groups
Target cloud apps (e.g., Exchange Online)
Require MFA under Access Controls
8. How do you create and deploy a compliance policy to enforce a minimum operating system version?
Intune admin center > Devices > Compliance (also reachable under Endpoint security > Device compliance) > Create Policy, choosing the platform
Set Minimum OS version under Device Properties, and define at least one action for noncompliance (mark the device noncompliant immediately, or after a grace period)
Assign to target group
Enforce through Conditional Access (optional): the compliance policy itself blocks nothing, so create or edit an Azure AD Conditional Access policy with the grant control "Require device to be marked as compliant" for devices that fail it to lose access
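Questions 7 and 8 above as one scripted procedure, added here as an example and not from the original page: it creates a Windows compliance policy with a minimum OS version, assigns it to a group, then creates the Conditional Access policy that requires both MFA and a compliant device for Office 365. The group IDs, policy names and the OS build string are assumptions. It uses the Microsoft Graph PowerShell SDK's raw request cmdlet so the JSON shape is visible.

```powershell
# Added example (not from the original page). Requires Microsoft.Graph.Authentication.
$TargetGroupId     = '00000000-0000-0000-0000-000000000001'   # assumed: corporate Windows devices/users
$BreakGlassGroupId = '00000000-0000-0000-0000-000000000002'   # assumed: emergency-access accounts, excluded from CA

Connect-MgGraph -Scopes @('DeviceManagementConfiguration.ReadWrite.All',
                          'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess') | Out-Null
$graph = 'https://graph.microsoft.com/v1.0'

function New-WindowsCompliancePolicy {
    param([string] $GroupId, [string] $MinimumOsVersion = '10.0.19045.0')   # assumed build; use your current baseline
    $policy = @{
        '@odata.type'         = '#microsoft.graph.windows10CompliancePolicy'
        displayName           = 'Win - Baseline compliance'
        osMinimumVersion      = $MinimumOsVersion
        bitLockerEnabled      = $true
        secureBootEnabled     = $true
        passwordRequired      = $true
        passwordMinimumLength = 8
        # Without scheduledActionsForRule the device is never marked noncompliant;
        # 'block' with 0 grace hours flips the state immediately for Conditional Access.
        scheduledActionsForRule = @(@{
            ruleName = 'PasswordRequired'
            scheduledActionConfigurations = @(@{
                actionType = 'block'; gracePeriodHours = 0
                notificationTemplateId = ''; notificationMessageCCList = @()
            })
        })
    }
    $created = Invoke-MgGraphRequest -Method POST -Body $policy `
        -Uri "$graph/deviceManagement/deviceCompliancePolicies"
    $assign = @{ assignments = @(@{ target = @{
        '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $GroupId } }) }
    Invoke-MgGraphRequest -Method POST -Body $assign `
        -Uri "$graph/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" | Out-Null
    $created.id
}

function New-CompliantDeviceMfaPolicy {
    param([string] $IncludeGroupId, [string] $ExcludeGroupId)
    $ca = @{
        displayName = 'CA - Require MFA and compliant device for Office 365'
        # Report-only first: read the sign-in logs for a few days before setting 'enabled'.
        state       = 'enabledForReportingButNotEnforced'
        conditions  = @{
            users          = @{ includeGroups = @($IncludeGroupId); excludeGroups = @($ExcludeGroupId) }
            applications   = @{ includeApplications = @('Office365') }
            platforms      = @{ includePlatforms = @('windows') }
            clientAppTypes = @('all')
        }
        # AND: the user must satisfy MFA and the device must be marked compliant by Intune.
        grantControls = @{ operator = 'AND'; builtInControls = @('mfa', 'compliantDevice') }
    }
    Invoke-MgGraphRequest -Method POST -Uri "$graph/identity/conditionalAccess/policies" -Body $ca
}

$policyId = New-WindowsCompliancePolicy -GroupId $TargetGroupId
"Compliance policy created: $policyId"
New-CompliantDeviceMfaPolicy -IncludeGroupId $TargetGroupId -ExcludeGroupId $BreakGlassGroupId |
    Select-Object id, displayName, state
```

Two choices deserve attention: the break-glass exclusion, because a Conditional Access policy that requires a compliant device can lock out every admin if Intune reporting breaks, and the report-only state, which lets you see who would have been blocked before anyone is.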
Troubleshooting
1. A user is unable to enroll their device in Intune. What are some potential causes and troubleshooting steps?
Missing Intune license on the user, or the user not covered by the Azure AD MDM user scope
Device already enrolled in another MDM, or already joined or registered to a different tenant
Enrollment restrictions blocking the platform, OS version, or personally owned devices
User has reached the Intune device enrollment limit or the Azure AD device limit
Check the Company Portal error text and the device-side enrollment logs for the exact error code
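A device-side triage script for the Windows case covered by this question and by Setup and Configuration question 6, added as an example that is not from the original page. It summarises the join and MDM state from dsregcmd, lists the latest errors from the enrollment event log, and packages the MDM diagnostic cab for a support case. The output folder is an assumption; run it elevated on the device that will not enroll.

```powershell
# Added example (not from the original page). Run elevated on the affected device.

function Get-JoinState {
    # dsregcmd prints "Key : Value" lines; keep only the ones that explain enrollment.
    $wanted = 'AzureAdJoined', 'DomainJoined', 'WorkplaceJoined', 'TenantName', 'MdmUrl', 'MdmComplianceUrl'
    $state = @{}
    dsregcmd /status | ForEach-Object {
        if ($_ -match '^\s*(\S+)\s*:\s*(.+?)\s*$' -and $wanted -contains $matches[1]) {
            $state[$matches[1]] = $matches[2]
        }
    }
    [pscustomobject]$state
}

function Get-EnrollmentErrors {
    param([int] $Count = 25)
    # Level 1 = Critical, 2 = Error. The message text carries the HRESULT returned by
    # the enrollment server; that code is the thing to look up.
    Get-WinEvent -LogName 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin' `
        -MaxEvents 500 -ErrorAction SilentlyContinue |
        Where-Object Level -le 2 |
        Select-Object -First $Count TimeCreated, Id, Message
}

function Export-MdmDiagnostics {
    param([string] $OutputDir = 'C:\Temp\MdmDiag')   # assumed path
    New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null
    $cab = Join-Path $OutputDir "mdmdiag-$(Get-Date -Format 'yyyyMMdd-HHmm').cab"
    # Built-in Windows tool; the Autopilot area only has content on Autopilot devices.
    & mdmdiagnosticstool.exe -area 'DeviceEnrollment;DeviceProvisioning;Autopilot' -cab $cab
    $cab
}

$join = Get-JoinState
$join | Format-List
if ($join.AzureAdJoined -ne 'YES' -and $join.WorkplaceJoined -ne 'YES') {
    Write-Warning 'Device has no Azure AD relationship, so enrollment cannot have started.'
}
if (-not $join.MdmUrl) {
    Write-Warning 'No MDM URL: check the Azure AD MDM user scope and the Intune license of the user.'
}
Get-EnrollmentErrors | Format-Table -AutoSize -Wrap
"Diagnostic cab written to: $(Export-MdmDiagnostics)"
```

The two warnings map to the first two causes in the list: no Azure AD join or registration means the enrollment never got as far as Intune, and a join without an MDM URL means Azure AD never handed the device to Intune, which is the MDM user scope or licensing rather than Intune itself.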
2. An application is not installing on a device. How would you troubleshoot this issue?
Confirm app deployment status in Intune
Check install requirements and dependencies
View Intune Management Extension logs for Win32 apps (C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log, readable with CMTrace) for detection rule, requirement rule, and installer exit-code failures
Check device connectivity and sync status
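The log step above in code, added here as an example that is not from the original page: it parses the CMTrace-format IntuneManagementExtension.log, pulls the lines for one Win32 app, and surfaces warnings, errors and the exit code the installer returned. The app ID is a placeholder, and the sample log lines are constructed in the real log's layout so the script runs on a machine that has no log; the message wording in real logs differs.

```powershell
# Added example (not from the original page).
$ImeLog = 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log'

# Constructed sample entries (not real log output), used only when the log file is absent.
$SampleLog = @'
<![LOG[[Win32App] Downloading content for app 1c2d3e4f-0000-4000-8000-000000000000]LOG]!><time="10:02:11.123+000" date="1-15-2024" component="IntuneManagementExtension" context="" type="1" thread="12" file="">
<![LOG[[Win32App] Installer returned exit code 1603 for app 1c2d3e4f-0000-4000-8000-000000000000]LOG]!><time="10:03:40.456+000" date="1-15-2024" component="IntuneManagementExtension" context="" type="3" thread="12" file="">
<![LOG[[Win32App] Requirement rule not met for app 1c2d3e4f-0000-4000-8000-000000000000]LOG]!><time="10:03:41.000+000" date="1-15-2024" component="IntuneManagementExtension" context="" type="2" thread="12" file="">
'@

function ConvertFrom-CmTraceLog {
    param([string[]] $Lines)
    # Entry layout: <![LOG[message]LOG]!><time="..." date="..." component="..." ... type="N" ...>
    $severity = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }
    $pattern = '^<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)".*?type="(?<type>\d)"'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Date     = $matches['date']
                Time     = $matches['time']
                Severity = $severity[$matches['type']]
                Message  = $matches['msg']
            }
        }
    }
}

function Get-Win32AppInstallTrace {
    param([Parameter(Mandatory)] [string] $AppId, [string] $Path = $ImeLog)
    $lines = if (Test-Path $Path) { Get-Content $Path } else { $SampleLog -split "`r?`n" }
    $entries = @(ConvertFrom-CmTraceLog -Lines $lines | Where-Object Message -like "*$AppId*")
    foreach ($e in $entries) {
        # Installer exit codes are the fastest pointer; 1603 is the generic MSI fatal error.
        if ($e.Message -match 'exit code (?<code>-?\d+)') {
            $e | Add-Member -NotePropertyName ExitCode -NotePropertyValue ([int]$matches['code'])
        }
    }
    $entries
}

$trace = Get-Win32AppInstallTrace -AppId '1c2d3e4f-0000-4000-8000-000000000000'   # placeholder app ID
$trace | Format-Table Time, Severity, ExitCode, Message -AutoSize -Wrap
$trace | Where-Object Severity -eq 'Error' | ForEach-Object { Write-Warning $_.Message }
```

Filtering on the app ID matters because the log interleaves every app the extension is processing; the ID is shown in the app's Properties page in the admin center.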
3. A device is marked as non-compliant in Intune. How would you investigate the cause?
Review compliance policies assigned
Check device's compliance status in portal
Ensure sync completed successfully
Review Intune and local device logs
4. Users are reporting issues with accessing corporate resources after a Conditional Access policy was implemented. How would you troubleshoot this?
Review Conditional Access policy assignments
Check sign-in logs in Azure AD
Verify device compliance and registration
Test with different user scenarios
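Questions 3 and 4 from the admin side, as one added example that is not from the original page: the first function lists noncompliant devices together with the individual settings that failed and flags stale syncs, the second reads a user's recent sign-ins and shows what each Conditional Access policy decided. The user principal name is an assumption; it uses the Microsoft Graph PowerShell SDK.

```powershell
# Added example (not from the original page). Requires Microsoft.Graph.Authentication.
Connect-MgGraph -Scopes @('DeviceManagementManagedDevices.Read.All',
                          'AuditLog.Read.All', 'Directory.Read.All') | Out-Null
$graph = 'https://graph.microsoft.com/v1.0'

function Invoke-GraphPaged {
    # Follows @odata.nextLink so large tenants are not truncated at the first page.
    param([string] $Uri)
    do {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri -OutputType PSObject
        $page.value
        $Uri = $page.'@odata.nextLink'
    } while ($Uri)
}

function Get-NoncompliantDeviceDetail {
    param([string] $Platform = 'Windows')
    $filter = "complianceState eq 'noncompliant' and operatingSystem eq '$Platform'"
    $select = 'id,deviceName,userPrincipalName,lastSyncDateTime'
    $devices = Invoke-GraphPaged "$graph/deviceManagement/managedDevices?`$filter=$filter&`$select=$select"
    foreach ($d in $devices) {
        # A sync older than a day usually means the device never evaluated the policy, not that it failed it.
        $stale = ([datetime]$d.lastSyncDateTime) -lt (Get-Date).AddDays(-1)
        $states = Invoke-GraphPaged "$graph/deviceManagement/managedDevices/$($d.id)/deviceCompliancePolicyStates"
        foreach ($policy in $states) {
            foreach ($s in ($policy.settingStates | Where-Object state -ne 'compliant')) {
                [pscustomobject]@{
                    Device = $d.deviceName; User = $d.userPrincipalName; StaleSync = $stale
                    Policy = $policy.displayName; Setting = $s.setting; State = $s.state
                }
            }
        }
    }
}

function Get-ConditionalAccessOutcome {
    param([Parameter(Mandatory)] [string] $Upn, [int] $Last = 10)
    $uri = "$graph/auditLogs/signIns?`$filter=userPrincipalName eq '$Upn'&`$top=$Last&`$orderby=createdDateTime desc"
    Invoke-GraphPaged $uri | Select-Object -First $Last | ForEach-Object {
        $signIn = $_
        foreach ($p in $signIn.appliedConditionalAccessPolicies) {
            [pscustomobject]@{
                Time   = $signIn.createdDateTime
                App    = $signIn.appDisplayName
                Error  = $signIn.status.errorCode          # 0 = success; 53000 = device not compliant
                Policy = $p.displayName
                Result = $p.result                         # success, failure, notApplied, reportOnly*
                Device = "$($signIn.deviceDetail.operatingSystem) compliant=$($signIn.deviceDetail.isCompliant)"
            }
        }
    }
}

Get-NoncompliantDeviceDetail | Format-Table -AutoSize
Get-ConditionalAccessOutcome -Upn 'alice@contoso.com' | Format-Table -AutoSize -Wrap   # assumed UPN
```

Read the two outputs together: a sign-in that fails with error 53000 while the device is absent from the noncompliant list, or shows compliant=False with a stale sync, points at the device never having checked in, which is a sync or enrollment problem rather than a policy problem.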
Advanced Topics
1. How does Intune integrate with other Microsoft services, such as Microsoft 365 and Azure Information Protection?
Integrates with Microsoft Defender for Endpoint (part of Microsoft 365 Defender): Intune onboards devices, and the device risk score Defender reports can be used as a compliance policy rule
Uses Azure Information Protection (now Microsoft Purview Information Protection) sensitivity labels for data classification; App Protection Policies keep labeled corporate data inside managed apps
Leverages Azure AD for Conditional Access, identity, and group-based targeting
2. What are some best practices for securing devices with Intune?
Use Conditional Access and Compliance policies
Enable encryption and password requirements
Apply App Protection and Endpoint Security policies
Regularly review reports and audit logs
3. How do you manage updates for devices using Intune?
Use Update Rings for Windows Updates
Set active hours, deadlines, restart behavior
Monitor via Windows Update for Business reports in Azure Monitor (the successor to the retired Update Compliance solution) and the update ring reports in Intune
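The update ring described above created through Graph, as an added example that is not from the original page. The Intune update ring UI maps onto the windowsUpdateForBusinessConfiguration resource type; the deferral, deadline and active-hours values and the group ID are assumptions picked to show the settings the answer names.

```powershell
# Added example (not from the original page). Requires Microsoft.Graph.Authentication.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' | Out-Null
$graph = 'https://graph.microsoft.com/v1.0'
$PilotGroupId = '00000000-0000-0000-0000-000000000003'   # assumed pilot ring group

function New-UpdateRing {
    param([string] $GroupId, [int] $QualityDeferDays = 3, [int] $FeatureDeferDays = 14)
    $ring = @{
        '@odata.type'                      = '#microsoft.graph.windowsUpdateForBusinessConfiguration'
        displayName                        = 'Ring 1 - Pilot'
        qualityUpdatesDeferralPeriodInDays = $QualityDeferDays
        featureUpdatesDeferralPeriodInDays = $FeatureDeferDays
        automaticUpdateMode                = 'autoInstallAtMaintenanceTime'
        microsoftUpdateServiceAllowed      = $true
        driversExcluded                    = $false
        # Active hours: installs and restarts are kept outside 07:00-19:00 local time.
        installationSchedule = @{
            '@odata.type'    = '#microsoft.graph.windowsUpdateActiveHoursInstall'
            activeHoursStart = '07:00:00.0000000'
            activeHoursEnd   = '19:00:00.0000000'
        }
        # Deadlines: a device that keeps postponing is forced after 7 (quality) or
        # 14 (feature) days, with a 2-day grace period before the forced restart.
        deadlineForQualityUpdatesInDays  = 7
        deadlineForFeatureUpdatesInDays  = 14
        deadlineGracePeriodInDays        = 2
        postponeRebootUntilAfterDeadline = $false
        userPauseAccess                  = 'disabled'   # users cannot pause updates
    }
    $created = Invoke-MgGraphRequest -Method POST -Body $ring `
        -Uri "$graph/deviceManagement/deviceConfigurations"
    $assign = @{ assignments = @(@{ target = @{
        '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $GroupId } }) }
    Invoke-MgGraphRequest -Method POST -Body $assign `
        -Uri "$graph/deviceManagement/deviceConfigurations/$($created.id)/assign" | Out-Null
    $created.id
}

"Update ring created: $(New-UpdateRing -GroupId $PilotGroupId)"
```

Repeating the call with longer deferrals for a broad ring and a late ring gives the staged rollout the answer implies; the deadline settings are what turns a deferral into an enforced install rather than a suggestion.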
4. How do you use Intune to manage devices in a hybrid environment (i.e., devices joined to both Azure AD and on-premises Active Directory)?
Enable Hybrid Azure AD Join (Azure AD Connect device writeback of the domain computers plus the SCP) so domain-joined devices also appear in Azure AD
Auto-enroll them with the Group Policy setting "Enable automatic MDM enrollment using default Azure AD credentials"; the Intune Connector for Active Directory is only needed for hybrid-joined Autopilot deployments, not for auto-enrollment
Manage with both Intune and Configuration Manager (co-management) while workloads move over
5. Explain the concept of co-management between Intune and Configuration Manager.
Co-management allows devices to be managed by both Intune and Configuration Manager (formerly SCCM) at the same time, with each workload owned by exactly one of the two
Gradually shift workloads like compliance, updates, and apps to Intune
Useful during migration to modern management
6. How do you use Intune to manage macOS devices?
Use MDM for enrollment
Deploy profiles (Wi-Fi, VPN, certificates)
Deploy PKG apps and manage security settings
7. How do you use Intune to manage Android Enterprise devices?
Support for Work Profile, Fully Managed, and COPE
Integrate with Managed Google Play
Configure policies, deploy apps, and secure data with APP