Intune Interview Questions and Answers – 3


1. Why is it best practice to package an MSI installer as a Win32 application (.intunewin) instead of using the Line-of-business (LOB) app type?

It is best practice because:

Prevents Installation Conflicts: Win32 apps are installed by the Intune Management Extension (IME), while LOB apps are installed by the built-in MDM client (the EnterpriseDesktopAppManagement CSP, which in turn calls msiexec). The two installers are not aware of each other, so when both run in the same session, especially during the Autopilot Enrollment Status Page (ESP), their installs can clash and fail. Microsoft’s guidance is therefore not to mix Win32 and LOB apps in the same Autopilot deployment.

Greater Functionality: The Win32 app model gives you far more control: custom detection rules (registry, file, MSI product code, or a script), requirement rules and requirement scripts, dependencies, supersedence, your own install/uninstall command lines, and return-code mapping. An MSI LOB app is detected only by its product code and offers none of these.

2. What is the difference between deploying a Win32 app in the “System” context versus the “User” context?

System context: The installation runs as the local SYSTEM account with full administrative rights. It is the right choice for standard machine-wide installs that write to Program Files or HKEY_LOCAL_MACHINE, and it is the only context available while the ESP device-setup phase runs, before any user has signed in.

User context: The installation runs with the permissions of the signed-in user, so a user must actually be logged on and targeted by the assignment. Use it for per-user installers that write to the user’s profile (for example %localappdata%) and do not require elevation, such as the per-user installers for Teams or VS Code. Note that the app’s detection rules run in the same context as the install, so a user-context app needs detection logic that works under HKEY_CURRENT_USER or the user’s profile path.

3. What is application “supersedence,” and in what real-world scenario would you use it?

Supersedence is a Win32 app feature that defines an update (or replacement) relationship between two applications. A real-world scenario is rolling out a new version of 7-Zip (e.g., v23.01). You configure the new application to supersede the old one (e.g., v19.00). When the new app is assigned to a device on which the old app is detected, Intune either installs the new version over the old one (an in-place update) or, if you set “Uninstall previous version” to Yes in the supersedence relationship, runs the old app’s uninstall command first and then installs the new one, giving a clean upgrade path. Because the relationship is driven by detection, the superseded app’s detection rule must correctly identify the old version for this to work.

4. What is an application “dependency,” and provide a scenario where it would be essential.

A dependency ensures that a prerequisite application is installed before a primary application. A scenario would be deploying a business application that requires the .NET Framework or a specific Visual C++ Redistributable to run. You would package the prerequisite as its own Win32 app and then add it as a dependency of the main business app. With “Automatically install” set to Yes, Intune installs the dependency first, even if it has no assignment of its own, and only then installs the main app, so the install does not fail on a missing runtime. If the dependency fails to install, the main app is not attempted and the failure is surfaced against the dependency.

5. What is the key difference between a “Platform script” and a “Remediation” script in Intune?

A Platform script is designed to run once on a device (it is re-run only if the script content changes, and a failed run is retried up to three times), making it ideal for initial setup tasks during Autopilot, like removing bloatware or setting a specific registry key. A Remediation script, on the other hand, runs on a schedule (e.g., hourly or daily) and consists of two parts: a detection script and a remediation script. Intune runs the remediation only when the detection script exits with code 1 (exit code 0 means the device is compliant and nothing else runs), which makes remediations the right tool for repeatedly checking and fixing configuration drift. Remediations also require an eligible license (e.g., Windows Enterprise E3/E5), which platform scripts do not.
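As an added example (not from the original page), the following detection/remediation pair keeps LLMNR disabled through its policy registry value, a common hardening setting. The two sections are separate files when uploaded to Intune; the exit codes follow the convention above: the detection exits 0 when the value is already 0, and exits 1 to trigger the remediation when it is missing or wrong. The key path and value name are the standard Windows policy location; everything else (file names, messages) is the example’s own choice.

```powershell
# --- Detect-LLMNR.ps1 (detection script) ---
# Exit 0 = compliant, remediation does not run.
# Exit 1 = drift detected, Intune runs Remediate-LLMNR.ps1.
# Whatever is written to STDOUT shows up in the "Pre/Post-remediation detection output" columns.
$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$Name    = 'EnableMulticast'

try {
    # -ErrorAction Stop turns "key/value does not exist" into a catchable exception
    $current = (Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction Stop).$Name
    if ($current -eq 0) {
        Write-Output "Compliant: $Name=$current"
        exit 0
    }
    Write-Output "Drift: $Name=$current (expected 0)"
    exit 1
}
catch {
    # Key or value missing: LLMNR is enabled by default, so treat as drift
    Write-Output "Drift: $Name not configured"
    exit 1
}

# --- Remediate-LLMNR.ps1 (remediation script) ---
# Creates the policy key if needed and forces the DWORD to 0.
# Exit 0 = remediation succeeded, Intune then re-runs the detection script.
$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$Name    = 'EnableMulticast'

try {
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    New-ItemProperty -Path $KeyPath -Name $Name -Value 0 -PropertyType DWord -Force | Out-Null
    Write-Output "Set $Name=0"
    exit 0
}
catch {
    Write-Output "Remediation failed: $($_.Exception.Message)"
    exit 1
}
```

Upload both files into one remediation with “Run this script using the logged-on credentials” set to No (SYSTEM is needed to write under HKLM) and “Run script in 64-bit PowerShell” set to Yes, then pick the schedule. The post-remediation detection run is what confirms the fix actually took.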

6. A remediation script you deployed is not working. You check the device status in the Intune portal. What two columns should you add to the view to see the output from your script for troubleshooting?

You should add the “Pre-remediation detection output” and “Post-remediation detection output” columns. These columns display any text that was written to the standard output (Write-Output) by your detection script, which can help you understand why it is or is not triggering the remediation.

7. A custom detection script for a Win32 application is failing. What are the two essential outputs that a detection script must provide for Intune to consider the detection successful?

The script must provide both:

An exit code of 0.

Some text written to the standard output (STDOUT), for example, using Write-Output “App Found”. Intune evaluates the two together: exit code 0 with output means “detected”; exit code 0 with no output means “not detected”; any non-zero exit code means the script itself failed, which also counts as not detected. When this happens in the detection run after an install, Intune reports the installation as failed with “The application was not detected after installation completed successfully” (0x87D1041C), even though the install command may have returned success.
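An added example of a detection script that follows these rules (not code from the original page): it looks for 7-Zip, the app used in the supersedence question above, in the per-machine Uninstall registry keys and reports it as detected only when the installed version meets an assumed minimum. The minimum version, the display-name pattern and the output text are the example’s own assumptions.

```powershell
# Win32 app detection script (added example).
# Intune treats the app as installed only when this script exits 0 AND writes to STDOUT.
# When the app is absent we write nothing and still exit 0, which Intune reads as "not detected".
# A non-zero exit is reported as a detection script failure, so we never use one here.

$RequiredVersion = [version]'23.01'   # assumed minimum version for this deployment

# Both 64-bit and 32-bit uninstall hives; the script runs as 64-bit unless
# "Run script as 32-bit process on 64-bit clients" is set to Yes on the app.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$candidates = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '7-Zip*' -and $_.DisplayVersion }

foreach ($app in $candidates) {
    # -as [version] yields $null for strings that are not a valid version, so we skip those
    $installedVersion = $app.DisplayVersion -as [version]
    if (-not $installedVersion) { continue }

    if ($installedVersion -ge $RequiredVersion) {
        Write-Output "Detected $($app.DisplayName) $installedVersion"
        exit 0
    }
}

# Not installed, or an older version than required: no output, exit 0 => "not detected"
exit 0
```

Pairing this with a supersedence relationship works because an old 7-Zip makes this script report “not detected” for the new app, while the old app’s own detection rule still finds the old version.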

8. An administrator needs to deploy a VPN client application, but only to laptops. How could they use a “custom requirements script” to achieve this?

They could write a PowerShell script that queries WMI/CIM for the device’s chassis type (e.g., Get-CimInstance -ClassName Win32_SystemEnclosure and its ChassisTypes property; values such as 8, 9, 10 and 14 indicate portable, laptop, notebook and sub-notebook chassis). The script writes a single string such as “Laptop” or “Desktop” to STDOUT and exits 0. In the app’s requirement rules they would add the script as a requirement, set the output data type to String, the operator to Equals and the value to “Laptop”, so the app is only evaluated as applicable, and installed, on those devices. Devices that do not meet the requirement show as “Not applicable” rather than failed.
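An added example of such a requirement script (not from the original page). It classifies the device from the SMBIOS chassis types, with PCSystemType as a fallback for firmware that reports an unhelpful chassis value, and prints exactly one of the two strings the requirement rule compares against. The chassis-type numbers are the SMBIOS values; the “Laptop”/“Desktop” strings are this example’s own convention and must match what you type in the rule.

```powershell
# Win32 app requirement script (added example).
# Configure the rule as: Output data type = String, Operator = Equals, Value = Laptop.
# The script must exit 0 for Intune to evaluate its output.

# SMBIOS chassis types that indicate a portable device:
# 8 Portable, 9 Laptop, 10 Notebook, 14 Sub Notebook, 30 Tablet, 31 Convertible, 32 Detachable
$PortableChassis = @(8, 9, 10, 14, 30, 31, 32)

# A device may report more than one enclosure, so ChassisTypes can be a list
$chassis = (Get-CimInstance -ClassName Win32_SystemEnclosure -ErrorAction SilentlyContinue).ChassisTypes

# Fallback: Win32_ComputerSystem.PCSystemType 2 = Mobile. Helps when the chassis
# is reported as 1 (Other) or 2 (Unknown), which some VMs and OEM firmware do.
$pcType = (Get-CimInstance -ClassName Win32_ComputerSystem -ErrorAction SilentlyContinue).PCSystemType

$isLaptop = $false
foreach ($type in @($chassis)) {
    if ($PortableChassis -contains $type) { $isLaptop = $true }
}
if (-not $isLaptop -and $pcType -eq 2) { $isLaptop = $true }

if ($isLaptop) { Write-Output 'Laptop' } else { Write-Output 'Desktop' }
exit 0
```

Run it as System and test it interactively on one laptop and one desktop before attaching it to the app; a script that throws or prints nothing makes the app “Not applicable” everywhere, which is easy to mistake for a targeting problem.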

9. What is the difference between a “scope group” and a “scope tag” when configuring a custom Intune role?

A scope group (the “Scope (Groups)” section of a role assignment) defines which users or devices the administrator can perform actions against. For example, a helpdesk admin could be limited to acting only on devices in the “Office Users” group.

A scope tag defines which Intune objects (policies, apps, profiles, and devices themselves) an administrator can see and edit. For example, the “Germany IT” team could be given a role assignment with a “Germany” scope tag, so they only see and manage the policies, apps and devices that also carry that tag. The two are complementary: scope tags control visibility, scope groups control whom an action may target.

10. An organization wants to ensure IT staff in a specific office can only reboot devices located in that office. How would you use a combination of custom roles, scope groups, and scope tags?

Create a custom Intune role with only the “Reboot now” permission under Remote tasks, plus “Read” under Managed devices so the staff can actually see devices in the console.

Create a scope tag such as “Office A” and apply it to the devices located in that office (directly, or via the enrollment profile so new devices are tagged automatically).

Assign the role to the group containing the “Office IT staff”. In the assignment, set the scope group to the group containing only the “Office devices” and the scope tag to “Office A”. The result is that the IT staff hold only the reboot permission, can see only devices tagged for their office, and can perform that action only against the office device group.

11. In a real-world scenario, a user is trying to enroll their personal Android device and is being blocked. You have confirmed they are in the correct user group. What is the most likely cause for this in the “Device platform restrictions”?

The most likely cause is that the Device platform restrictions policy that applies to the user has “Personally owned” set to Block for the relevant Android platform (Android Enterprise work profile or, for older estates, Android device administrator). Group membership only decides which restriction policy applies; it does not bypass the restriction. Because Intune classifies an Android device as personal unless it was pre-registered as corporate (for example via a serial/IMEI upload or a corporate enrollment method such as a zero-touch or QR-code enrollment), a personal phone will be refused enrollment even though the user is licensed and in the right group.

12. What is the purpose of “multi-admin approvals”? Provide a real-world scenario.

Multi-admin approvals (access policies) require a second administrator to approve a change to a protected object type, such as apps, scripts, or role assignments, before it takes effect, providing peer review and preventing accidental or unauthorized changes by a single compromised or careless admin account. A real-world scenario is a junior admin creating a new PowerShell platform script. With an access policy in place for scripts, they submit the change with a business justification, and a different administrator in the approver group must review and approve the request before the script can be saved and assigned to devices. An admin cannot approve their own request.

13. What is Remote Help, and does it work on unenrolled devices?

Remote Help is a remote assistance tool integrated into Intune (licensed separately as an add-on or as part of the Intune Suite) that lets helpdesk staff view or take full control of a user’s device for troubleshooting, with Entra ID authentication and RBAC on both sides of the session. Yes: the tenant-level Remote Help setting “Allow Remote Help to unenrolled devices” can be enabled, after which sessions to devices that are not enrolled in Intune are permitted, which is useful for supporting users on personal or not-yet-enrolled machines.

14. What is Endpoint Privilege Management (EPM), and what problem does it solve for standard users?

Endpoint Privilege Management (EPM), an Intune Suite add-on, allows standard users to run specific, pre-approved applications with administrative privileges without being granted local admin rights on their device. It solves the problem where a standard user needs to run a legacy application or an installer that requires elevation, which would otherwise require an IT admin to enter credentials or the user to be made a local administrator. With EPM, an elevation rule identifies the file (by hash, certificate or path) and specifies whether it elevates automatically, after the user confirms or gives a justification, or only after support approval, and every elevation is reported back to Intune.

15. What are “device anomalies” in Advanced Endpoint Analytics?

Device anomalies are potential issues or trends across the device estate that are proactively identified by machine learning. This feature can detect things like a specific application that is crashing more frequently on a certain device model or a driver update that is causing an unusual number of blue screens, helping IT to identify and resolve problems before they become widespread.

16. How does Microsoft Tunnel for Mobile Application Management (MAM) provide secure access to on-premises resources on unenrolled devices?

Microsoft Tunnel for MAM extends the Microsoft Tunnel VPN gateway to unenrolled Android and iOS devices by using the Microsoft Defender app on the device as the tunnel client and app protection policies to bring protected apps into the tunnel. When a user launches a protected app like Outlook, it establishes a secure, per-app VPN connection to the on-premises network, allowing the app to reach internal resources such as an Exchange server without requiring the entire device to be connected to a VPN or enrolled in MDM.

17. When automating Intune tasks with PowerShell, what is the underlying API you are interacting with?

You are interacting with the Microsoft Graph API. The Intune admin center itself calls Graph for the actions you take in the portal, so anything the portal can do has a Graph endpoint behind it, which makes Graph the automation surface for Intune. Many Intune endpoints (under deviceManagement and deviceAppManagement) are still only exposed on the beta version of the API, and the Microsoft Graph PowerShell SDK (Connect-MgGraph, Invoke-MgGraphRequest and the Microsoft.Graph.Beta.* modules) is the usual way to drive it from PowerShell.

18. You are writing a PowerShell script to retrieve a list of all 5,000 devices in your tenant, but the GET request only returns a small number. What is this behavior called, and how do you modify your script to get all the results?

This behavior is called pagination (server-side paging). To get all results, your script must check for the @odata.nextLink property in each response. You then loop, making a GET request against the URL in @odata.nextLink (it already carries the $skiptoken, so pass it through unmodified) until a response no longer contains that property, appending the value array from each page to a master collection. Forgetting this silently truncates inventories and compliance reports to the first page.
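An added example of that loop (not code from the original page), written as a reusable function around Invoke-MgGraphRequest. It assumes an existing session created with Connect-MgGraph and the DeviceManagementManagedDevices.Read.All scope; the $select list and the final compliance filter are this example’s own choices. It uses -OutputType PSObject so the page properties, including @odata.nextLink, can be read with dot notation.

```powershell
# Collect every page of a Graph collection by following @odata.nextLink (added example).
# Assumes: Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All' has been run.
function Get-GraphAllPages {
    param(
        [Parameter(Mandatory)]
        [string]$Uri
    )

    $results = [System.Collections.Generic.List[object]]::new()
    $next = $Uri

    while ($next) {
        # PSObject output instead of the default hashtable, so $page.value and
        # $page.'@odata.nextLink' work as properties
        $page = Invoke-MgGraphRequest -Method GET -Uri $next -OutputType PSObject

        if ($page.value) {
            $results.AddRange([object[]]$page.value)
        }

        # Absent on the last page => $null => loop ends. Never modify this URL;
        # it already contains the server-issued $skiptoken.
        $next = $page.'@odata.nextLink'
    }

    return $results
}

# Request only the properties needed; smaller pages come back faster
$uri = 'https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?$select=id,deviceName,operatingSystem,complianceState'
$devices = Get-GraphAllPages -Uri $uri

"Retrieved $($devices.Count) managed devices"
$devices |
    Where-Object { $_.complianceState -ne 'compliant' } |
    Select-Object deviceName, operatingSystem, complianceState
```

The same function works for any collection endpoint (users, apps, policies); only the URI changes. The single quotes around the URI keep PowerShell from expanding $select as a variable.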

19. You need to automate the upload of a PowerShell script or a configuration file. What format must the file content be converted to before being included in the JSON payload?

The file content must be converted to a Base64-encoded string and placed in the scriptContent property of the JSON payload. Read the file as raw bytes rather than as text so that the original encoding and any byte-order mark are preserved exactly; Intune decodes the Base64 and runs the bytes as they were uploaded. Platform scripts are limited to 200 KB.
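An added example (not from the original page) that encodes a local .ps1 and creates it as an Intune platform script through Graph. It assumes a session from Connect-MgGraph with the DeviceManagementConfiguration.ReadWrite.All scope, that the deviceManagementScripts resource is used under the beta endpoint (which is where it is exposed), and a local file path, display name and description that are placeholders for this example.

```powershell
# Upload a .ps1 as an Intune platform script via Graph (added example).
# Assumes: Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'
$ScriptPath = 'C:\Intune\Set-DnsClientHardening.ps1'   # assumed local path

# Read raw bytes, not Get-Content, so the file's encoding and BOM survive the round trip
$bytes = [System.IO.File]::ReadAllBytes($ScriptPath)
if ($bytes.Length -gt 200KB) {
    throw "Platform scripts must be under 200 KB; this file is $($bytes.Length) bytes"
}
$encoded = [Convert]::ToBase64String($bytes)

$body = @{
    '@odata.type'         = '#microsoft.graph.deviceManagementScript'
    displayName           = 'Harden DNS client'                     # assumed name
    description           = 'Disables LLMNR via policy registry value'
    fileName              = [System.IO.Path]::GetFileName($ScriptPath)
    scriptContent         = $encoded          # Base64 string goes here, never the raw text
    runAsAccount          = 'system'          # or 'user'
    enforceSignatureCheck = $false
    runAs32Bit            = $false
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/beta/deviceManagement/deviceManagementScripts' `
    -Body ($body | ConvertTo-Json -Depth 5) `
    -ContentType 'application/json' `
    -OutputType PSObject

"Created platform script $($created.id)"

# Round-trip check: fetch what Intune stored and compare the decoded length with the local file
$stored = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceManagementScripts/$($created.id)" `
    -OutputType PSObject

if ($stored.scriptContent) {
    $decodedLength = [Convert]::FromBase64String($stored.scriptContent).Length
    "Stored content matches local file length: $($decodedLength -eq $bytes.Length)"
}
```

The script has no assignment yet; assigning it is a separate POST to the assign action on the created object, which is also where scope tags (roleScopeTagIds) should be set if the RBAC model in questions 9 and 10 is in use.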

20. When automating a policy that is based on the Unified Settings Catalog, why is the process more complex than for older template-based policies?

It is more complex because the policy is not a fixed template with named properties: each setting must be expressed by its settingDefinitionId together with the matching settingInstanceTemplateId and settingValueTemplateId, and you first have to discover those identifiers (and the categoryId used to browse them) by querying the settings catalog endpoints under deviceManagement (configurationCategories and configurationSettings). The policy payload you POST to deviceManagement/configurationPolicies also needs the correct platforms and technologies values, and its settings array uses typed instances (choice, simple, group collection) that nest child settings when a setting only applies once a parent choice is selected. The practical approach is to build the policy once in the portal, read it back with a GET, and use that JSON as the template for automation.

21. An administrator wants to create a dynamic Entra ID group for all corporate-owned iOS devices. What device property could they use in the membership rule?

They could use the enrollmentProfileName property, which Intune populates for devices enrolled through Apple Automated Device Enrollment (and for Windows Autopilot). A rule like (device.enrollmentProfileName -eq "Corporate iOS Devices") automatically adds any device enrolled with that specific enrollment profile to the group. An alternative that does not depend on the profile name is (device.deviceOwnership -eq "Company") -and (device.deviceOSType -eq "iPhone"), which relies on the device being marked corporate-owned in Intune.

22. If a security baseline is updated by Microsoft, what happens to your existing policy based on the older version, and what must you do to modify it?

Your existing policy continues to apply to its assigned devices, but it stays on the old baseline version and you cannot edit its settings until you move it to a newer version using the policy’s “Change Version” action. That action shows the setting differences between the versions and lets you keep your customized values or accept the new baseline defaults. It is best practice to duplicate the policy, update the copy to the latest version, and pilot it with a test group before changing the production policy, because a new baseline version can add, remove or change default settings.

23. A real-world scenario: a zero-day vulnerability is announced, and you need to deploy a critical patch to all Windows devices immediately, forcing a reboot within a short deadline. Which Intune update feature would you use?

You would use an expedited quality update (a Windows quality updates policy with the expedite option) for Windows 10 and later. This pushes a specific security update (patch) to devices as quickly as possible through the Windows Update for Business deployment service, bypassing the deferral and pause settings in your update rings, and lets you set how quickly the restart is enforced after installation. Prerequisites worth remembering: the devices must be enrolled in the deployment service (Windows 10/11 with an eligible license), send at least the Required level of diagnostic data, and be able to reach Windows Update; expedite applies only to recent security updates, not to feature updates or arbitrary older patches.

24. You are using the Invoke-MgGraphRequest cmdlet. What parameter must you add to be able to manipulate the command’s output as a PowerShell object?

You must add the -OutputType PSObject parameter. Without it, Invoke-MgGraphRequest returns the response body as a hashtable (its default output type), so properties have to be reached with key syntax and the objects pipe poorly to cmdlets like Select-Object and Where-Object. With PSObject you get ordinary PowerShell objects with dot-notation properties; other values are HttpResponseMessage, for headers and status codes, and Json, for the raw string.

25. In a large organization, you want to delegate permissions so that the desktop support team can only sync and restart devices, but not wipe them. How would you configure this using Intune’s RBAC?

You would create a custom Intune role. In the permissions for this role, select only “Sync devices” and “Reboot now” under “Remote tasks”, leaving every other remote task, especially “Wipe” and “Retire”, unselected, and grant “Read” under “Managed devices” so the team can see the devices they act on. You would then assign this custom role to a group containing the desktop support team members and, in the assignment, set the scope group (and scope tags, if used) to limit which devices those actions can target.

26. What is a “break-glass account,” and why is it essential when configuring Conditional Access policies?

A break-glass (emergency access) account is a cloud-only administrative account that is excluded from all Conditional Access policies. It is essential because if an administrator creates a policy that accidentally locks everyone out of the tenant (for example by requiring a device compliance state or MFA method no admin can satisfy), the break-glass account provides a guaranteed way to sign in and correct the faulty policy. Because it bypasses Conditional Access, it must be protected in other ways: a long, randomly generated credential or a FIDO2 key kept offline, no dependency on a single person’s phone or on federation, and an alert on every sign-in so that any use is investigated immediately.

27. A company has a policy to block personal iOS device enrollment. A user with a new iPhone needs to access their corporate email. How can they do this securely without enrolling their device in MDM?

The user can install the Microsoft Outlook app from the App Store. When they sign in with their corporate credentials, an assigned app protection policy (MAM without enrollment) is applied to Outlook and a Conditional Access policy with the “Require app protection policy” grant control ensures that only the protected app can reach Exchange Online. This protects the corporate data inside Outlook (e.g., by requiring an app PIN, encrypting app data, and blocking copy or save-as to unmanaged locations) and allows a selective wipe of just that data, without IT managing the user’s personal device. The device platform restriction only blocks MDM enrollment; it does not block this MAM-only path.
