Intune Interview Questions and Answers – 2


1. Differentiate between the “Corporate-owned, fully managed” and “Personally-owned with work profile” enrollment types for Android.

Corporate-owned, fully managed is for devices owned by the company where Intune has full control over the entire device. It’s intended for standard corporate users with an assigned device.

Personally-owned with work profile is for BYOD scenarios. It creates a separate, containerized work profile on the user’s personal device to secure corporate apps and data, while leaving the personal part of the device unmanaged by IT.

2. A company uses specialized Zebra devices. How can they configure manufacturer-specific settings not available in standard Intune policies?

They can use an OEMConfig policy. This requires deploying the manufacturer’s OEMConfig app from the Google Play store (e.g., Zebra OEMConfig) and then creating an OEMConfig profile in Intune. This profile exposes the device-specific settings made available by the manufacturer for configuration.

3. What is an Android app protection policy, and in what scenario is it primarily used?

An Android app protection policy (MAM policy) applies security controls directly to managed applications to protect corporate data. It can enforce PINs for app access, block copy/paste to unmanaged apps, and require encryption. It is primarily used in BYOD scenarios where the device is not enrolled in MDM, but you still need to secure corporate data within apps like Outlook or Teams.

4. To block unmanaged apps on BYOD Android devices from accessing corporate data, an app protection policy is not enough. What other type of policy must be configured in Entra ID?

You must configure a Conditional Access policy. This policy should grant access to cloud apps only when the device is marked as compliant (for MDM-enrolled devices) or the requesting app is covered by an app protection policy (for MAM/BYOD devices). Apps that are not under an app protection policy are therefore blocked from accessing corporate data.

5. What are the three critical certificates/tokens needed to manage corporate Apple devices, and what happens if the MDM push certificate expires?

The three critical items are:

  • Apple MDM Push Certificate: Connects devices to the Intune service.
  • Apple VPP (Volume Purchase Program) Token: Used to purchase and deploy apps.
  • Enrollment Program Token (from Apple Business Manager): Used for automated device enrollment.

If the MDM push certificate expires, you will lose the ability to manage all enrolled iOS and macOS devices. If it is not renewed within 30 days (with Apple’s help), the only way to re-establish management is to wipe and re-enroll every single device.

6. What is Apple Business Manager (ABM), and how does it enable “zero-touch” enrollment for corporate iOS devices?

Apple Business Manager (ABM) is a portal for organizations to manage their Apple devices and app licenses. It enables “zero-touch” enrollment by linking your ABM account to Intune. When a new device purchased from Apple or a reseller is added to ABM, it automatically appears in Intune and is assigned an enrollment profile. When the user unboxes the device and turns it on, it automatically enrolls into Intune management during the initial setup assistant.

7. When deploying VPP apps to corporate iOS devices, what is the difference between “User licensing” and “Device licensing,” and which is preferred?

  • User licensing assigns the app license to a user’s Apple ID, requiring them to sign in.
  • Device licensing assigns the app license directly to the device serial number.

Device licensing is preferred for corporate devices because it allows Intune to silently install apps without requiring the user to have or enter an Apple ID, creating a seamless experience.

8. You are configuring an iOS settings catalog policy and notice some settings have dependencies. How does the JSON structure for a policy with a dependency differ from a standalone setting?

A standalone setting uses deviceManagementConfigurationChoiceSettingInstance. A setting with a dependency must be structured as a child item within a deviceManagementConfigurationGroupSettingCollectionInstance, which references the parent setting’s settingDefinitionId. This ensures the parent category is enabled before the child setting is applied.

9. An admin needs to deploy a custom wallpaper to all macOS devices. This requires copying a file and setting a system preference. Which two Intune policy types would they use in combination to achieve this?

They would use two policy types:

  • A Shell script to download or place the wallpaper image file onto the device in a specific directory (e.g., /Library/Desktop/Wallpaper.jpg).
  • A Custom configuration profile (.mobileconfig file) to set the system preference that points the desktop background to that specific image file.

10. What is the difference between deploying a shell script to run as “system” versus “signed-in user”?

System: The script runs with root privileges and has access to the entire system, but it does not run in the context of the user’s profile. This is for system-wide changes.

Signed-in user: The script runs with the permissions of the currently logged-in user. It can access the user’s profile and settings but will fail if it tries to perform an action that requires administrative rights (unless the user is an admin).

11. An organization wants to deploy Microsoft 365 Apps to their macOS fleet. What is the easiest method in Intune to do this without manual packaging?

The easiest method is to use the built-in Microsoft 365 Apps for macOS app type. This is a pre-configured package in Intune that allows an administrator to deploy the entire suite with a simple GUI configuration, without needing to use the Office Deployment Tool or package it as a DMG file.

12. How can you deploy a third-party macOS application that is only available as a .dmg file?

You can use the macOS app (DMG) app type in Intune. This allows you to directly upload the .dmg file. You must then provide a detection rule, which typically involves specifying the app’s bundle ID (CFBundleIdentifier) and version, to verify a successful installation.

13. A company wants to ensure all its Windows devices have BitLocker, Secure Boot, and Code Integrity enabled. However, these settings require a reboot to report their status. How should they configure the “Actions for noncompliance” to avoid immediately blocking new devices during Autopilot?

They should set the “Mark device non-compliant” action to have a grace period, for example, 0.5 days (12 hours) instead of immediately (0 days). The Device Health Attestation service requires a reboot to report on these settings, so a new device will initially report as non-compliant. A grace period allows time for the device to complete its setup and reboot before being marked non-compliant and potentially blocked by Conditional Access.

14. What is the purpose of setting “Mark devices with no compliance policy assigned as” to “Not Compliant”?

Setting this to “Not Compliant” ensures that any device that somehow gets enrolled into Intune without being targeted by a compliance policy is immediately considered a security risk. This prevents unmonitored devices from accessing corporate resources if a Conditional Access policy requiring compliance is in place.

15. What is a “custom compliance policy” for Windows, and what two components are required to create one?

A custom compliance policy allows an administrator to use a PowerShell script to check for any setting on a device and use its output to determine compliance. The two required components are:

  • A PowerShell detection script that outputs a compressed JSON object containing the values of the settings being checked.
  • A JSON file uploaded to Intune that defines the rules, operators, and expected values to compare against the output of the PowerShell script.
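The following is an added example, not code from the article or from Microsoft: a custom compliance detection script, the matching rules JSON, and a small local checker that applies the rules to the script output so the pair can be validated before it is uploaded. The setting names (OsDriveBitLockerOn, SecureBootEnabled, TpmSpecVersion), the MoreInfoUrl values and the sample output are constructed for this example; Intune only requires that the rules file use the same SettingName strings the script emits. The checker approximates Intune's evaluation for local testing and is not Intune's own logic.

```powershell
# Added example (not from the article). Setting names and URLs are constructed.

# ---- Part 1: detection script (only this part goes into the uploaded .ps1) ----
function Get-DeviceSecurityState {
    # Emit every property even when a probe fails: a property missing from the
    # JSON makes Intune report the setting as an error rather than non-compliant.
    $state = [ordered]@{
        OsDriveBitLockerOn = $false
        SecureBootEnabled  = $false
        TpmSpecVersion     = '0.0'
    }
    try {
        $osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        $state.OsDriveBitLockerOn = ($osVol.ProtectionStatus -eq 'On')
    } catch { }
    try {
        $state.SecureBootEnabled = [bool](Confirm-SecureBootUEFI -ErrorAction Stop)
    } catch { }
    try {
        # Win32_Tpm.SpecVersion looks like "2.0, 0, 1.38"; keep only the spec number.
        $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction Stop
        if ($tpm.SpecVersion) { $state.TpmSpecVersion = ($tpm.SpecVersion -split ',')[0].Trim() }
    } catch { }
    return $state
}

# Intune parses exactly one line of compressed JSON from stdout; print nothing else.
Get-DeviceSecurityState | ConvertTo-Json -Compress

# ---- Part 2: rules file (upload as the .json; URLs are placeholders) ----
$rulesJson = @'
{
  "Rules": [
    { "SettingName": "OsDriveBitLockerOn", "Operator": "IsEquals", "DataType": "Boolean", "Operand": true,
      "MoreInfoUrl": "https://example.invalid/bitlocker",
      "RemediationStrings": [ { "Language": "en_US",
        "Title": "BitLocker must protect the OS drive.",
        "Description": "Detected value: {ActualValue}. Turn on BitLocker and restart." } ] },
    { "SettingName": "SecureBootEnabled", "Operator": "IsEquals", "DataType": "Boolean", "Operand": true,
      "MoreInfoUrl": "https://example.invalid/secureboot",
      "RemediationStrings": [ { "Language": "en_US",
        "Title": "Secure Boot must be enabled in UEFI firmware.",
        "Description": "Detected value: {ActualValue}." } ] },
    { "SettingName": "TpmSpecVersion", "Operator": "GreaterEquals", "DataType": "Version", "Operand": "2.0",
      "MoreInfoUrl": "https://example.invalid/tpm",
      "RemediationStrings": [ { "Language": "en_US",
        "Title": "A TPM 2.0 is required.",
        "Description": "Detected TPM spec version: {ActualValue}." } ] }
  ]
}
'@

# ---- Part 3: local check of the rules against script output (not uploaded) ----
function Test-ComplianceRules {
    param([string]$DetectionJson, [string]$RulesJson)
    $actual = $DetectionJson | ConvertFrom-Json
    foreach ($rule in ($RulesJson | ConvertFrom-Json).Rules) {
        $raw = $actual.($rule.SettingName)   # $null when the script did not emit the setting
        $ok = $false
        if ($null -ne $raw) {
            # Cast both sides to the rule's DataType so "2.0" vs "10.0" compares as versions, not strings.
            switch ($rule.DataType) {
                'Version' { $v = [version]$raw; $o = [version]$rule.Operand }
                'Boolean' { $v = [bool]$raw;    $o = [bool]$rule.Operand }
                'Int64'   { $v = [int64]$raw;   $o = [int64]$rule.Operand }
                default   { $v = [string]$raw;  $o = [string]$rule.Operand }
            }
            $ok = switch ($rule.Operator) {
                'IsEquals'      { $v -eq $o }
                'NotEquals'     { $v -ne $o }
                'GreaterThan'   { $v -gt $o }
                'GreaterEquals' { $v -ge $o }
                'LessThan'      { $v -lt $o }
                'LessEquals'    { $v -le $o }
                default         { $false }
            }
        }
        [pscustomobject]@{ Setting = $rule.SettingName; Actual = $raw; Compliant = $ok }
    }
}

# Constructed sample output: BitLocker on, Secure Boot off, TPM 2.0 -> SecureBootEnabled fails.
$sample = '{"OsDriveBitLockerOn":true,"SecureBootEnabled":false,"TpmSpecVersion":"2.0"}'
Test-ComplianceRules -DetectionJson $sample -RulesJson $rulesJson | Format-Table -AutoSize
# On a real device, feed the live script output instead of $sample:
# Test-ComplianceRules -DetectionJson (Get-DeviceSecurityState | ConvertTo-Json -Compress) -RulesJson $rulesJson
```

Two points worth carrying into production: the uploaded script must write nothing but the single JSON line (a stray Write-Host or error text breaks Intune's parse), and every SettingName in the rules file must appear in that JSON on every run, which is why the detection function initialises each property to a failing default before probing.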

16. A compliance policy is not enough to protect corporate data on its own. What is the final, critical step to block access from non-compliant devices?

The final step is to create a Conditional Access policy in Entra ID. This policy should be configured to target all users and cloud apps and have a grant control that “Require[s] device to be marked as compliant.” This enforces the compliance state and blocks any non-compliant device from accessing resources.

17. An administrator notices that a required application has a high failure rate in the “App install status” report. Which report should they check next to see if the failures are due to policy conflicts?

They should check the Assignment failures report (under Devices > Configuration profile status). A policy conflict, where two different configuration profiles are applying contradictory settings, can often cause application installations to fail. This report helps identify and resolve those conflicts.

18. In what monitoring report can you see a list of every application installed across your entire fleet, including apps not deployed by Intune?

You can see this in the Discovered apps report (under Apps > Monitor). This report inventories every application found on managed devices, which is useful for identifying unauthorized software or managing software licenses.

19. How can an administrator check the renewal date for critical connectors like the Apple MDM Push certificate and the Apple VPP token?

They can review this in the Connectors and tokens section under Tenant administration. Each connector, such as “Apple VPP Tokens,” has a status page that displays its health, last sync time, and, most importantly, its expiration date.

20. A user reports an issue with their device. What is the first place an administrator should look in the Intune portal for a consolidated view of that user’s devices, policies, and app statuses?

The administrator should use the Troubleshooting + support tool. By selecting the user, the tool provides a comprehensive dashboard with tabs for Devices, Policy, Applications, and Compliance, making it the central starting point for diagnosing user-specific issues.

21. What Intune report would you use to verify if Windows LAPS successfully rotated the local admin password on a device?

You would use the Device actions report. This report provides an audit trail of all remote actions initiated from the Intune console, including “Rotate local admin password,” showing who initiated the action and when.

22. What is Endpoint analytics, and name two key performance indicators it tracks for Windows devices.

Endpoint analytics is a feature in Intune that provides insights into the performance and health of your devices, comparing them against an industry baseline. Two key indicators it tracks are:

Startup performance: This measures the time from power-on to a responsive desktop, breaking it down by GPO time, sign-in time, and identifying slow startup processes.

Application reliability: This tracks application crash rates and mean time to failure, helping to identify problematic apps in the environment.

23. An organization is planning its migration to Windows 11. Which Endpoint analytics report can they use to identify which devices are not compatible and why?

They should use the Work from anywhere report. Specifically, the “Windows” sub-report within it assesses every device for Windows 11 compatibility and lists the specific reason for any failures, such as lack of TPM 2.0 or an unsupported CPU.

24. For deeper, customizable reporting beyond what the Intune portal offers, what two Azure services can Intune diagnostic data be exported to?

Intune diagnostic data, including audit logs and operational logs, can be exported to:

  • A Log Analytics workspace for advanced querying, analysis, and visualization.
  • Azure Blob storage for long-term archival.

25. How does connecting the Intune Data Warehouse to Power BI benefit an organization’s reporting capabilities?

Connecting the Intune Data Warehouse to Power BI allows an organization to create powerful, customized, and interactive reports and dashboards. They can move beyond the pre-defined reports in Intune, combine Intune data with other data sources, and visualize trends over time for device compliance, enrollment, and inventory in ways that are more tailored to their business needs.
