Top 20 Intune Interview Questions & Answers (Update 2022)

1. What is Microsoft Intune and what is its use of it?

Microsoft Intune is the MDM/MAM solution developed by Microsoft. Microsoft Intune falls under SAAS (Software as a service) category In Azure. It is used to manage the Mobile devices of all the platforms like Windows, macOS, iOS, and Android. Also, it gives a whole privilege to manage applications. You can perform the below activities.

  • Configure profiles
  • Create, delete, and invite users from other organizations
  • configure device restrictions,
  • Create custom Policies
  • can remotely manage the devices without any end-user interactions.
  • Can create, edit, and deploy applications to all the users in the organization.

2.What are the major differences between Microsoft Intune and MECM?


Microsoft Intune

Can deploy applications/ files above 8 GB Can deploy application/files up to 8 GB
Requires On-premises setup Requires Cloud setup
The Hardware requirement is huge The Hardware requirement is less
Doesn’t support MDM Supports MDM
Can install OS in Bare metal Machines Cannot install OS in Bare metal machines
Have control over Patching Don’t have control over Patching
Have Detailed Reports Very few default reports
Can Manage Servers Cannot Manage Servers
Cheap Licensing compared to Intune Expensive licensing

3. Differentiate between MDM and MAM

MDM – Stands for Mobile Device Management

  • This is the feature that helps us to manage the devices
  • You can configure profiles, policies, restrictions, and provision settings.
  • Can measure the device compliance using reports
  • You can configure the device to meet the company’s security standards
  • You can remotely manage the devices when they enroll in the MDM solution.

MAM – Stands for Mobile Application Management

  • This is the feature that helps us to manage the applications and their contents
  • This allows the admins to deploy the applications to the users
  • Can enable application protection policies for the enrolled devices to prevent unauthorized access
  • You can track the usage of the applications
  • You can do a selective wipe of the company’s data from the application

By using MAM, you can differentiate between personal and company data

4. What are groups in Intune and what types of groups available?

Groups in Intune are equivalent to the collections in MECM. You can add or remove the Users or devices within the group.

There are three types of groups available:

  • Assigned
  • Dynamic User
  • Dynamic Devices

5. What is Azure AD registered?

The Azure AD registered devices are the personal devices (BYOD) that are workplace joined. by this method users can access the company resources. The device is registered to Azure AD without requiring an organizational account to sign into the device.  These devices are Intune managed

The primary audience is applicable to all users with the following criteria:

  • Bring your own device
  • Mobile devices

The device ownership will be either Personal or Organization and the basic requirement for this method is the OS version should be Windows 10, IOS, Android, or macOS.

6. What is Azure AD Joined?

  • The Devices, which are Azure AD, joined are basically company-owned devices. They require the Organizational account to sign in.
  • The primary audience is applicable to all users in both Cloud-only and hybrid Organizations.
  • The device ownership will be Organization and the basic requirement for this method is the OS version should be Windows 10 or 11 with all editions except Home.

7. What is Hybrid Azure AD Joined?

  • The devices, which are hybrid Azure AD joined are in both your on-premises active directory and your Azure active directory.
  • Hybrid Azure AD joined devices require network line of sight to your on-premises domain controllers periodically.
  • They can be managed by either Group Policy or co-management with Microsoft Intune.
  • The primary audience is applicable to all users and is Suitable for hybrid organizations with existing on-premises AD infrastructure.
  • The device ownership will be Organization and the basic requirement for this method is the OS version should be Windows 8.1, 10, 11, Windows Server 2008/R2, 2012/R2, 2016, 2019, and 2022.

8. What are the provisioning methods for Azure AD Registered, Azure AD Join, and Hybrid Azure AD Join?

Azure AD registered Azure AD Join Hybrid Azure AD Joined
Windows 10 or newer – Settings Self-service: Windows Out of Box Experience (OOBE) or Settings Domain join by IT and autojoin via Azure AD Connect or ADFS config
iOS/Android – Company Portal or Microsoft Authenticator app Bulk enrollment Domain join by Windows Autopilot and autojoin via Azure AD Connect or ADFS config
macOS – Company Portal Windows Autopilot Domain join by Windows Autopilot and autojoin via Azure AD Connect or ADFS config

9. What are the types of conditional access available in Intune?

  • Device-based conditional access
  • User-based conditional access

10.Types of MDM Enrollments?

  • Manual Enrollment
  • Automatic Enrollment (Azure AD join)
  • Group Policy
  • Windows Autopilot
  • Co-Management
  • Deep link
  • Company Portal
  • Provisioning Package
  • Device Enrollment Manager

11. Explain Windows Autopilot Enrollment?

This method Automates Azure AD Join and enrolls new corporate-owned devices into Intune. This method simplifies the out-of-box experience and removes the need to apply custom operating system images onto the devices.

When admins use Intune to manage Autopilot devices, they can manage policies, profiles, apps, and more after they’re enrolled.

There are four types of Autopilot deployment:

12. How does a device get registered using Autopilot?

  • The Device’s unique Hardware identity (Hash ID) is captured and uploaded to autopilot services
  • This activity is performed by the OEM, reseller, or distributor from which the device was purchased through a registration platform.
  • This activity can be also performed within the organization by collecting the Hash ID and uploading it manually

13. You have a set of hash ID information provided to you in a .csv file. Explain the process of uploading it to configure the autopilot?

  • Login to your Microsoft Endpoint manager admin center
  • Go to Devices -> Windows -> Windows Enrollment -> under Windows Autopilot Deployment program -> Click on Devices.
  • Click on import and upload the .CSV file which contains the information of the Devices Hash ID

14. Difference between LOB and Win32?

LOB application objects in Intune are created using: .msi, .appx,. appxbundle, .msix, and .msixbundle file format.

  • LOB Objects limit us from capabilities such as detection methods, configuring error codes, and dependencies.
  • LOB objects must be in a single file format for example an MSI with a transform cannot be deployed using this method.

Win32 application objects are created using the IntuneWin file format.

  • Win32 Objects provide us greater control over the deployment of the app and allow us to configure additional parameters like ConfigMgr Application Objects such as detection method & dependencies to later retire, remove or upgrade an app.
  • The IntuneWin wrapper can be used to deploy single or multiple files such as MSI using a transform and MSP.
  • When using a mix of LOB & Win32 during Autopilot the app can fail, therefore choose carefully which apps are created as LOB and Win32 when using Autopilot.

15. Limitations of Win32 Apps?

  • Security: Only a local server has its address space isolated from that of the client. An in-process server shares the address space and process context of the client and can therefore be less robust in the face of faults or malicious programming.
  • Granularity: A local server can host multiple instances of its object across many different clients, sharing server state between objects in multiple clients in ways that would be difficult or impossible if implemented as an in-process server, which is simply a DLL loaded into each client.
  • Compatibility: If you choose to implement an in-process server, you relinquish compatibility with OLE 1, which does not support such servers. This will not be a consideration for many developers, but if it is, then it is of critical concern.
  • Inability to support links: An in-process server cannot serve as a link source. Since a DLL cannot run by itself, it cannot create a file object to be linked to.

16. What are configuration profiles in Intune?

Configuration Profiles are a defined set of security features that many enterprises use to have more granular control over the end-user devices. This helps the admins to reduce the dependency on GPO in the On-premises AD environment and moves security control to the cloud.

17. What is an App protection policy and what are the requirements to use the policy to manage Intune apps?

The app protection policy is a feature that helps admins to protect the company’s data. To assign this policy to the users the user must be satisfying the below requirements.

  • The end-user must be part of the Azure AD
  • A license must be assigned to the end-user account
  • The end-user must sign in to the app using the Azure AD account user Id and password.

18. Difference between Configuration Profiles and Compliance policies?

Configuration profiles:

  • Microsoft Intune includes settings and features you can enable or disable on different devices within your organization. These settings and features are added to “configuration profiles”. Then, use Intune to apply or “assign” the profile to the devices.
  • Intune has many templates that include groups of settings that are specific to a feature, such as certificates, VPN, email, and more.


Compliance policies:

Mobile device management (MDM) solutions like Intune can help protect organizational data by requiring users and devices to meet some requirements. In Intune, this feature is called compliance policies.

  • Define the rules and settings that users and devices must meet to be compliant.
  • Include actions that apply to devices that are non-compliant. Actions for noncompliance can alert users to the conditions of noncompliance and safeguard data on non-compliant devices.
  • Can be combined with Conditional Access, which can then block users and devices that don’t meet the rules.

19. Is Global admin access needed to deploy an application from Intune? If not, what role needs to be provided?

No, the Global admin role is not mandatory to deploy the application from Intune. You can assign the user role as “Application Administrator” using this role the user can create and manage all the aspects of app registration and enterprise apps

20. How to deploy windows updates in a comanaged environment via Intune what are the configurations that need to be done?

Moving the Workload

  • Open your SCCM Admin Console
  • Click Administration
  • Expand the Cloud Services Folder
  • Choose Co-Management
  • Go to the Properties of your Existing Co-Management configuration

On the workloads, the tab moves the slider for Windows Update Policies from Config Manager over to either Pilot Intune or Intune. I recommend always moving to Pilot Intune first so you can validate the settings with a Pilot Collection before moving to production.

Once the workload has been moved the configuration for Windows Updates will now be managed from Intune.

Creating the Update Policy in Intune

  • Open the Intune Console
  • Choose the Software Updates blade
  • Select Windows 10 Update Rings
  • Click Create
  • Enter a Name
  • Enter a Description
  • Choose Configure

Now you need to configure the settings which will apply. For an overview of servicing channels use the following link:

Update Settings

  • Select a Servicing Channel
    • Semi Annual Channel
    • Semi Annual Channel (Targeted)
    • Windows Insider – Fast
    • Windows Insider – Slow
    • Release Windows Insider
  • Allow/Block Microsoft Product Updates
  • Allow/Block Driver Update
  • Set the Quality Update Deferral Period (0-30 days)
  • Set the Feature Update Deferral Period (0-365 Days)
  • Set the Uninstall period available for Feature Updates (2-60 Days)

User Experience Settings

Configure the rest of the settings to suit the requirements of your business

You will notice the Delivery Optimization section is greyed out, this is because the settings have been moved over to a configuration profile.

Once you have created the policy you can now assign this just as you would assign any other policy in Intune.

The Client Experience

  • On The Client
  • Navigate to Settings
  • Updates & Security
  • Windows Update
  • Choose “View Configured Update Policies”

Now you will see a lot a new entry which were set by MDM (Intune) so we know the settings have been applied. You will also notice there are other settings which were not set by MDM.

Now these settings are your previously configured update settings i.e. WSUS Settings. You can leave this in place which means dual scan is activated and essentially the device will go to Windows Update for Windows Product updates and go to WSUS for any other updates.

For Real Time – Production Based Intune Training – Check out below Intune Demo Recording and Contact Us for Live Online Training.