Intune Interview Questions & Answers (Update 2022)
1. What is Microsoft Intune and what is it used for?
Microsoft Intune is the MDM/MAM solution developed by Microsoft. Microsoft Intune
falls under the SaaS (Software as a Service) category in Azure. It is used to manage
mobile devices on all platforms, such as Windows, macOS, iOS, and Android. It also
gives full control over managing applications. You can perform the activities below:
• Configure profiles
• Create, delete, and invite users from other organizations
• Configure device restrictions
• Create custom policies
• Remotely manage devices without any end-user interaction
• Create, edit, and deploy applications to all the users in the organization
2. What are the major differences between Microsoft Intune and MECM?
• Deployment size: MECM can deploy applications/files above 8 GB; Intune can deploy applications/files up to 8 GB.
• Infrastructure: MECM requires an on-premises setup; Intune requires a cloud setup.
• Hardware: the MECM hardware requirement is huge; the Intune hardware requirement is less.
• MDM: MECM doesn’t support MDM; Intune supports MDM.
• Bare metal: MECM can install an OS on bare metal machines; Intune cannot install an OS on bare metal machines.
• Patching: MECM has control over patching; Intune doesn’t have control over patching.
• Reporting: MECM has detailed reports; Intune has very few default reports.
• Servers: MECM can manage servers; Intune cannot manage servers.
• Licensing: MECM licensing is cheap compared to Intune; Intune licensing is expensive.
3. Differentiate between MDM and MAM
MDM – Stands for Mobile Device Management
• This is the feature that helps us to manage the devices
• You can configure profiles, policies, restrictions, and provision settings.
• Can measure the device compliance using reports
• You can configure the device to meet the company’s security standards
• You can remotely manage the devices when they enroll in the MDM solution.
MAM – Stands for Mobile Application Management
• This is the feature that helps us to manage the applications and their contents
• This allows the admins to deploy the applications to the users
• Can enable application protection policies for the enrolled devices to prevent
unauthorized access
• You can track the usage of the applications
• You can do a selective wipe of the company’s data from the application
By using MAM, you can differentiate between personal and company data
4. What are groups in Intune and what types of groups are available?
Groups in Intune are equivalent to the collections in MECM. You can add or remove
users or devices within a group.
There are three types of groups available:
• Assigned
• Dynamic User
• Dynamic Devices
5. What is Azure AD registered?
Azure AD registered devices are personal devices (BYOD) that are workplace joined.
With this method users can access company resources. The device is registered to
Azure AD without requiring an organizational account to sign in to the device. These
devices are Intune managed.
The primary audience is all users with the following criteria:
• Bring your own device
• Mobile devices
The device ownership will be either Personal or Organization, and the basic requirement
for this method is that the OS is Windows 10, iOS, Android, or macOS.
6. What is Azure AD Joined?
• Devices that are Azure AD joined are basically company-owned devices. They
require an organizational account to sign in.
• The primary audience is all users in both cloud-only and hybrid organizations.
• The device ownership will be Organization, and the basic requirement for this
method is that the OS is Windows 10 or 11 in any edition except Home.
7. What is Hybrid Azure AD Joined?
• The devices, which are hybrid Azure AD joined are in both your on-premises
active directory and your Azure active directory.
• Hybrid Azure AD joined devices require network line of sight to your on-premises
domain controllers periodically.
• They can be managed by either Group Policy or co-management with Microsoft
Intune.
• The primary audience is all users, and it is suitable for hybrid organizations with
an existing on-premises AD infrastructure.
• The device ownership will be Organization and the basic requirement for this
method is the OS version should be Windows 8.1, 10, 11, Windows Server
2008/R2, 2012/R2, 2016, 2019, and 2022.
8. What are the provisioning methods for Azure AD Registered, Azure AD Join, and
Hybrid Azure AD Join?
Azure AD registered (self-service):
• Windows 10 or newer – Settings
• iOS/Android – Company Portal or Microsoft Authenticator app
• macOS – Company Portal
Azure AD Join:
• Out of Box Experience (OOBE) or Settings
• Windows Autopilot
• Bulk enrollment
Hybrid Azure AD Joined:
• Domain join by IT and autojoin via Azure AD Connect or ADFS config
• Domain join by Windows Autopilot and autojoin via Azure AD Connect or ADFS config
9. What are the types of conditional access available in Intune?
• Device-based conditional access
• User-based conditional access
10. Types of MDM enrollments?
• Manual Enrollment
• Automatic Enrollment (Azure AD join)
• Group Policy
• Windows Autopilot
• Co-Management
• Deep link
• Company Portal
• Provisioning Package
• Device Enrollment Manager
11. Explain Windows Autopilot enrollment.
This method automates Azure AD Join and enrolls new corporate-owned devices into
Intune. It simplifies the out-of-box experience and removes the need to apply custom
operating system images to the devices.
When admins use Intune to manage Autopilot devices, they can manage policies,
profiles, apps, and more after the devices are enrolled.
There are four types of Autopilot deployment:
• Self-deploying mode (for kiosks, digital signage, or a shared device)
• User-driven mode (for traditional users)
• Windows Autopilot for pre-provisioned deployment, which enables partners or IT staff
to pre-provision a PC running Windows 10 or Windows 11 so that it’s fully
configured and business-ready
• Autopilot for existing devices, which enables you to easily deploy the latest version
of Windows to your existing devices
12. How does a device get registered using Autopilot?
• The Device’s unique Hardware identity (Hash ID) is captured and uploaded to
autopilot services
• This activity is performed by the OEM, reseller, or distributor from which the
device was purchased through a registration platform.
• This activity can be also performed within the organization by collecting the Hash
ID and uploading it manually
13. You have a set of hash ID information provided to you in a .csv file. Explain the
process of uploading it to configure Autopilot.
• Log in to your Microsoft Endpoint Manager admin center
• Go to Devices -> Windows -> Windows Enrollment -> under Windows Autopilot
Deployment Program -> click on Devices.
• Click on Import and upload the .csv file that contains the devices’ hash ID
information
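As an added example (not part of the original page or of any Microsoft tool), a small Python check to run over a hardware-hash .csv before the Import step above, so a malformed file is caught locally instead of at upload time. It checks the header row that the Autopilot import expects ("Device Serial Number", "Windows Product ID", "Hardware Hash"), blank and duplicate serial numbers, and that each hash is valid base64; the 500-row limit and the sample rows are assumptions/constructed.

```python
import base64
import binascii
import csv
import io

# Header row expected by the Autopilot CSV import (a "Group Tag" column may follow).
REQUIRED_HEADERS = ["Device Serial Number", "Windows Product ID", "Hardware Hash"]
MAX_ROWS = 500  # assumed per-file import limit; confirm against current documentation


def validate_autopilot_csv(text):
    """Return a list of problems found in the CSV text; an empty list means it looks OK."""
    problems = []
    rows = [r for r in csv.reader(io.StringIO(text)) if any(c.strip() for c in r)]
    if not rows:
        return ["file is empty"]
    header = [h.strip() for h in rows[0]]
    if header[:3] != REQUIRED_HEADERS:
        return ["header must start with " + ",".join(REQUIRED_HEADERS)]
    data = rows[1:]
    if len(data) > MAX_ROWS:
        problems.append("too many rows: %d (limit %d)" % (len(data), MAX_ROWS))
    seen = set()
    for line_no, row in enumerate(data, start=2):  # line 2 is the first data row
        if len(row) < 3:
            problems.append("line %d: expected at least 3 columns" % line_no)
            continue
        serial, _product_id, hw_hash = (c.strip() for c in row[:3])
        if not serial:
            problems.append("line %d: blank serial number" % line_no)
        elif serial in seen:
            problems.append("line %d: duplicate serial %s" % (line_no, serial))
        seen.add(serial)
        if not hw_hash:
            problems.append("line %d: blank hardware hash" % line_no)
        else:
            try:
                base64.b64decode(hw_hash, validate=True)
            except binascii.Error:
                problems.append("line %d: hardware hash is not valid base64" % line_no)
    return problems


def build_sample_csv():
    """Constructed sample: one good row, one row with a bad hash, one with a blank serial."""
    good_hash = base64.b64encode(b"constructed-hash-bytes").decode()  # not a real hash
    lines = [
        ",".join(REQUIRED_HEADERS),
        "SN-CONSTRUCTED-001,00000-00000-00000-AAOEM," + good_hash,
        "SN-CONSTRUCTED-002,00000-00000-00000-AAOEM,not*base64!",
        ",00000-00000-00000-AAOEM," + good_hash,
    ]
    return "\n".join(lines) + "\n"
```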
14. Difference between LOB and Win32?
LOB application objects in Intune are created using the .msi, .appx, .appxbundle, .msix,
and .msixbundle file formats.
• LOB Objects limit us from capabilities such as detection methods, configuring
error codes, and dependencies.
• LOB objects must be in a single file format for example an MSI with a transform
cannot be deployed using this method.
Win32 application objects are created using the IntuneWin file format.
• Win32 Objects provide us greater control over the deployment of the app and
allow us to configure additional parameters like ConfigMgr Application Objects
such as detection method & dependencies to later retire, remove or upgrade an
app.
• The IntuneWin wrapper can be used to deploy single or multiple files such as MSI
using a transform and MSP.
• When using a mix of LOB & Win32 during Autopilot the app can fail, therefore
choose carefully which apps are created as LOB and Win32 when using
Autopilot.
15. Limitations of Win32 Apps?
• Security: Only a local server has its address space isolated from that of the
client. An in-process server shares the address space and process context of the
client and can therefore be less robust in the face of faults or malicious
programming.
• Granularity: A local server can host multiple instances of its object across many
different clients, sharing server state between objects in multiple clients in ways
that would be difficult or impossible if implemented as an in-process server,
which is simply a DLL loaded into each client.
• Compatibility: If you choose to implement an in-process server, you relinquish
compatibility with OLE 1, which does not support such servers. This will not be a
consideration for many developers, but if it is, then it is of critical concern.
• Inability to support links: An in-process server cannot serve as a link source.
Since a DLL cannot run by itself, it cannot create a file object to be linked to.
16. What are configuration profiles in Intune?
Configuration Profiles are a defined set of security features that many enterprises use to
have more granular control over the end-user devices. This helps the admins to reduce
the dependency on GPO in the On-premises AD environment and moves security
control to the cloud.
17. What is an App protection policy and what are the requirements to use the
policy to manage Intune apps?
An app protection policy is a feature that helps admins protect the company’s data.
To assign this policy to users, the user must satisfy the requirements below.
• The end-user must be part of the Azure AD
• A license must be assigned to the end-user account
• The end-user must sign in to the app using the Azure AD account user Id and
password.
18. Difference between Configuration Profiles and Compliance policies?
Configuration profiles:
• Microsoft Intune includes settings and features you can enable or disable on
different devices within your organization. These settings and features are added
to “configuration profiles”. Then, use Intune to apply or “assign” the profile to the
devices.
• Intune has many templates that include groups of settings that are specific to a
feature, such as certificates, VPN, email, and more.
Compliance policies:
Mobile device management (MDM) solutions like Intune can help protect organizational
data by requiring users and devices to meet some requirements. In Intune, this feature
is called compliance policies.
• Define the rules and settings that users and devices must meet to be compliant.
• Include actions that apply to devices that are non-compliant. Actions for
noncompliance can alert users to the conditions of noncompliance and
safeguard data on non-compliant devices.
• Can be combined with Conditional Access, which can then block users and
devices that don’t meet the rules.
19. Is Global admin access needed to deploy an application from Intune? If not,
what role needs to be provided?
No, the Global admin role is not mandatory to deploy an application from Intune. You
can assign the user the “Application Administrator” role; with this role the user can
create and manage all aspects of app registrations and enterprise apps.
20. How do you deploy Windows updates in a co-managed environment via Intune, and
what configurations need to be done?
Moving the Workload
• Open your SCCM Admin Console
• Click Administration
• Expand the Cloud Services Folder
• Choose Co-Management
• Go to the Properties of your Existing Co-Management configuration
On the Workloads tab, move the slider for Windows Update Policies from Configuration
Manager over to either Pilot Intune or Intune. I recommend always moving to Pilot
Intune first so you can validate the settings with a pilot collection before moving to
production.
Once the workload has been moved the configuration for Windows Updates will now be
managed from Intune.
Creating the Update Policy in Intune
• Open the Intune Console
• Choose the Software Updates blade
• Select Windows 10 Update Rings
• Click Create
• Enter a Name
• Enter a Description
• Choose Configure
Now you need to configure the settings which will apply. For an overview of servicing
channels use the following link:
https://docs.microsoft.com/en-gb/windows/deployment/update/waas-overview#servicing-channels
Update Settings
• Select a Servicing Channel
o Semi Annual Channel
o Semi Annual Channel (Targeted)
o Windows Insider – Fast
o Windows Insider – Slow
o Release Windows Insider
• Allow/Block Microsoft Product Updates
• Allow/Block Driver Update
• Set the Quality Update Deferral Period (0-30 days)
• Set the Feature Update Deferral Period (0-365 Days)
• Set the Uninstall period available for Feature Updates (2-60 Days)
User Experience Settings
Configure the rest of the settings to suit the requirements of your business
You will notice the Delivery Optimization section is greyed out, this is because the
settings have been moved over to a configuration profile.
Once you have created the policy you can now assign this just as you would assign any
other policy in Intune.
The Client Experience
• On The Client
• Navigate to Settings
• Updates & Security
• Windows Update
• Choose “View Configured Update Policies”
Now you will see a lot of new entries that were set by MDM (Intune), so we know the
settings have been applied. You will also notice there are other settings which were not
set by MDM.
These are your previously configured update settings, i.e. your WSUS settings. You can
leave these in place, which means dual scan is activated: the device will go to Windows
Update for Windows product updates and go to WSUS for any other updates.