1. A company is setting up Intune for the first time. What is the difference between Intune Plan 1, Intune Plan 2, and the Intune Suite, and what critical dependency does Intune have on another Microsoft service?
Intune Plan 1 provides standard Intune functionality, including device and app management, reporting, and Endpoint analytics.
Intune Plan 2 adds features like Microsoft Tunnel for app-level VPNs on iOS/Android and support for specialty devices.
The Intune Suite includes everything from Plans 1 and 2, plus premium add-ons like Remote Help, Endpoint Privilege Management, and Advanced Endpoint Analytics. Intune is part of the Microsoft 365 suite but relies heavily on Microsoft Entra ID for managing users, groups, and conditional access policies.
2. Explain the difference between a static and a dynamic group in Entra ID. Provide a real-world scenario for when you would use each.
A static group is one where members (users or devices) are manually added and removed. A real-world scenario is creating a group for a small pilot project where the members are specific individuals who need access to a new application.
A dynamic group automatically populates its members based on a query or membership rule. A real-world scenario is creating a group for all devices registered with Autopilot by querying the ZTDId property, using the rule (device.devicePhysicalIds -any (_ -startsWith "[ZTDId]")), which ensures all new Autopilot devices automatically receive the correct policies and applications.
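As an added illustration that is not part of the original Q&A, the following Python stand-in evaluates that membership rule offline against a few constructed device records, so you can see which devices the rule selects and why a device without a [ZTDId] entry never lands in the group. Entra evaluates the real rule server-side; the device names and [ZTDId] values here are placeholders, and the parser only understands the single rule form shown on the page.

```python
"""Offline evaluator for the Autopilot dynamic-group rule from the page:
    (device.devicePhysicalIds -any (_ -startsWith "[ZTDId]"))
Added example; Entra evaluates the real rule server-side."""
import re

# Constructed sample devices (not real tenant data). Autopilot-registered devices carry
# a "[ZTDId]:<guid>" entry in devicePhysicalIds; the GUIDs below are placeholders.
SAMPLE_DEVICES = [
    {"displayName": "LAPTOP-01",
     "devicePhysicalIds": ["[ZTDId]:00000000-0000-0000-0000-000000000001",
                           "[OrderId]:pilot-2024"]},
    {"displayName": "LAPTOP-02",
     "devicePhysicalIds": ["[ZTDId]:00000000-0000-0000-0000-000000000002"]},
    {"displayName": "BYOD-PHONE",
     "devicePhysicalIds": []},                       # no Autopilot identity at all
    {"displayName": "LEGACY-PC",
     "devicePhysicalIds": ["[USER-GID]:1234"]},      # other identifiers, but no ZTDId
]

# Only the rule shape used on the page is supported:
#   (device.<property> -any (_ -startsWith "<prefix>"))
RULE_PATTERN = re.compile(
    r'^\(?device\.(\w+)\s+-any\s+\(_\s+-startsWith\s+"([^"]+)"\)\)?$'
)

def parse_rule(rule):
    """Split the rule into (property name, required prefix)."""
    m = RULE_PATTERN.match(rule.strip())
    if not m:
        raise ValueError("unsupported rule syntax: " + rule)
    return m.group(1), m.group(2)

def matches(device, prop, prefix):
    """-any (_ -startsWith prefix): true if any element of the multi-valued property
    starts with the prefix. Entra's string operators are case-insensitive, so this
    comparison is done in lowercase as well."""
    values = device.get(prop) or []
    return any(str(v).lower().startswith(prefix.lower()) for v in values)

def evaluate_rule(rule, devices):
    """Return the display names of the devices the rule would place in the group."""
    prop, prefix = parse_rule(rule)
    return [d["displayName"] for d in devices if matches(d, prop, prefix)]

AUTOPILOT_RULE = '(device.devicePhysicalIds -any (_ -startsWith "[ZTDId]"))'

if __name__ == "__main__":
    print(evaluate_rule(AUTOPILOT_RULE, SAMPLE_DEVICES))  # ['LAPTOP-01', 'LAPTOP-02']
```

Run it as-is to see the two Autopilot-registered devices selected; swap in your own exported device list (displayName and devicePhysicalIds from a Graph device query) to sanity-check a rule before you assign policies to the group.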
3. What are the key features of Microsoft Intune?
Intune provides many features, including:
Manage users and devices: Both personally owned and organization-owned devices are managed by Intune. Intune supports Android, iOS/iPadOS, Linux, macOS, and Windows devices.
Simplified application management: Apps can be distributed to devices from private app stores, including Microsoft 365 Apps and Teams. Win32 and LOB apps can be deployed, and app protection policies can be applied to protect data within the app.
Policy deployments: Policies for apps, security, device configuration, compliance, and Conditional Access can be deployed to user and device groups.
Self-service: Users can use the Company Portal app and website to reset a PIN/password, install apps, and join groups.
Mobile Threat Defense: Microsoft Defender for Endpoint and third-party partner services can be integrated with Intune to improve endpoint security. Threat policies can be deployed to respond to threats, perform real-time analysis, and automate remediation.
Microsoft Copilot for AI-generated Analysis: Copilot can summarize existing policies and share recommended values and potential conflicts.
Integration with other Microsoft services: Services like Configuration Manager, Windows Autopilot, Endpoint Analytics, Microsoft 365 and Windows Autopatch are integrated with Microsoft Intune.
4. What is the difference between Mobile Device Management (MDM) and Mobile Application Management (MAM) scopes in Entra ID?
MDM scope is used for enrolling corporate-owned devices into full Intune management. This allows IT to apply configuration profiles, security policies, and manage the entire device.
MAM scope is designed for bring-your-own-device (BYOD) scenarios where you want to protect corporate data within applications without managing the entire personal device. It uses policies like Windows app protection to create a secure container for corporate data.
5. A user reports they cannot enroll their device, and you suspect they’ve hit a device limit. Where are the two places in the Microsoft portals an administrator must check for device enrollment limits?
An administrator must check in two places:
Entra ID Device Settings: This setting defines the maximum number of devices a user can register or join to Entra ID.
Intune Device Limit Restrictions: This setting, configured in the Intune portal under device enrollment, specifies the maximum number of devices a user can enroll specifically into Intune management.
6. What is Enterprise State Roaming (ESR), and how does it work to improve the user experience?
Enterprise State Roaming (ESR) automatically backs up certain user settings from Windows devices and Microsoft Edge to Azure Storage. This creates a more seamless experience for users when they move between different Windows devices, as settings like Wi-Fi profiles, language preferences, web credentials, and browser favorites are automatically synchronized.
7. When creating a user via Microsoft Graph, why is it important to pay attention to case sensitivity in the JSON payload?
The Microsoft Graph API is case-sensitive for property names in the JSON payload. For example, using AccountEnabled or accountenabled instead of the correct accountEnabled will cause the request to fail with a "malformed request" error.
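As an added example (not from the original Q&A), this Python snippet checks a user-creation payload for property names that differ from Graph's spelling only by case, before the request is sent, and can rewrite them. The schema below is a subset of the user resource's properties as I know them; the sample payload, tenant domain and password are constructed placeholders.

```python
"""Pre-flight check for case-sensitive property names in a Graph POST /users payload.
Added example; the schema is a subset of the user resource, written from memory."""
import json

# Property names exactly as Graph spells them. A nested dict is the schema of a
# nested object (passwordProfile has its own case-sensitive names).
USER_SCHEMA = {
    "accountEnabled": None, "displayName": None, "mailNickname": None,
    "userPrincipalName": None, "givenName": None, "surname": None,
    "jobTitle": None, "department": None, "usageLocation": None,
    "passwordProfile": {
        "password": None,
        "forceChangePasswordNextSignIn": None,
        "forceChangePasswordNextSignInWithMfa": None,
    },
}

def check_case(payload, schema=USER_SCHEMA, path=""):
    """Return [(wrong_key_path, correct_key_path), ...] for miscased names.
    Unknown names are ignored: they are a different error that Graph reports separately."""
    lookup = {name.lower(): name for name in schema}
    problems = []
    for key, value in payload.items():
        exact = lookup.get(key.lower())
        if exact is None:
            continue
        if key != exact:
            problems.append((path + key, path + exact))
        nested = schema[exact]
        if nested and isinstance(value, dict):
            problems.extend(check_case(value, nested, exact + "."))
    return problems

def fix_case(payload, schema=USER_SCHEMA):
    """Return a copy of the payload with miscased names rewritten to Graph's spelling."""
    lookup = {name.lower(): name for name in schema}
    fixed = {}
    for key, value in payload.items():
        exact = lookup.get(key.lower(), key)
        nested = schema.get(exact)
        if nested and isinstance(value, dict):
            value = fix_case(value, nested)
        fixed[exact] = value
    return fixed

# Constructed payload with two miscased keys (one top-level, one nested).
BAD_PAYLOAD = {
    "AccountEnabled": True,
    "displayName": "Test User",
    "mailNickname": "testuser",
    "userPrincipalName": "testuser@contoso.example",      # placeholder domain
    "passwordProfile": {
        "forcechangepasswordnextsignin": True,
        "password": "placeholder-Pa55w0rd",               # placeholder value
    },
}

if __name__ == "__main__":
    for wrong, right in check_case(BAD_PAYLOAD):
        print("rename", wrong, "->", right)
    print(json.dumps(fix_case(BAD_PAYLOAD), indent=2))
```

Running check_case on a payload before the POST turns a vague "malformed request" response into a precise list of keys to rename; fix_case is handy when the payload is generated from a spreadsheet or another system whose column names do not follow Graph's camelCase.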
8. An administrator wants to configure OneDrive Known Folder Move silently for all users. Which policy type in Intune is the modern, recommended approach, and what are the key settings?
The recommended approach is to use a Settings catalog policy. The key settings to enable are:
- Silently move Windows known folders to OneDrive.
- Silently sign in users to the OneDrive sync app with their Windows credentials.
- Use OneDrive Files On-Demand.
You will also need to provide your tenant ID for the Known Folder Move setting.
9. You need to configure a specific device setting that isn’t available in the Settings catalog. What is this type of policy called, what does it use to apply the setting, and what’s a critical character to remember when entering its path?
This is a Custom policy that uses an Open Mobile Alliance Uniform Resource Identifier (OMA-URI) to directly configure Configuration Service Provider (CSP) settings on a device. It is critical to remember the dot (.) at the beginning of the OMA-URI path (e.g., ./Vendor/MSFT/…) as the policy will fail without it.
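Because a missing leading dot silently breaks the whole custom profile, it is worth validating OMA-URI paths before they are entered. The following Python check is an added example, not from the original page: the path rules it enforces (leading "./", optional Device/ or User/ scope, then Vendor/<vendor>/<nodes>, forward slashes only, no whitespace or trailing slash) reflect how CSP paths are written, the two sample CSP paths are real policy nodes as I know them, and the displayName/value rows and the data-type labels are illustrative.

```python
"""Validate OMA-URI paths for an Intune custom (OMA-URI) policy before building the profile.
Added example, not from the page; sample rows are constructed."""
import re

# ./ then optional Device/ or User/ scope, then Vendor/<vendor>/<node>[/<node>...]
OMA_URI_PATTERN = re.compile(r"^\./(?:(?:Device|User)/)?Vendor/[^/\s\\]+(?:/[^/\s\\]+)+$")

# Labels the custom-profile UI uses for the value type (subset, illustrative).
DATA_TYPES = {bool: "Boolean", int: "Integer", str: "String"}

def check_oma_uri(uri):
    """Return a list of human-readable problems; an empty list means the path is acceptable."""
    problems = []
    if uri != uri.strip():
        problems.append("leading or trailing whitespace")
    if "\\" in uri:
        problems.append("uses backslashes; OMA-URI paths use forward slashes")
    if not uri.startswith("./"):
        problems.append("missing the leading './' (the policy fails without the dot)")
    if uri.endswith("/"):
        problems.append("trailing slash")
    if not problems and not OMA_URI_PATTERN.match(uri):
        problems.append("does not look like ./[Device|User/]Vendor/<vendor>/<node>/...")
    return problems

def build_oma_settings(rows):
    """Turn (display name, OMA-URI, value) rows into per-setting entries for a custom profile.
    The whole batch is rejected if any path is wrong, so a half-valid profile is never created."""
    entries, errors = [], []
    for name, uri, value in rows:
        for problem in check_oma_uri(uri):
            errors.append(f"{name}: {problem}")
        entries.append({"displayName": name, "omaUri": uri,
                        "dataType": DATA_TYPES.get(type(value), "String"), "value": value})
    if errors:
        raise ValueError("; ".join(errors))
    return entries

# Constructed sample rows: well-formed paths first, then the two most common mistakes.
SAMPLE_SETTINGS = [
    ("Disable Cortana",
     "./Device/Vendor/MSFT/Policy/Config/Experience/AllowCortana", 0),
    ("Disable Windows Spotlight for the user",
     "./User/Vendor/MSFT/Policy/Config/Experience/AllowWindowsSpotlight", 0),
]
BAD_SETTINGS = [
    ("Missing dot", "/Vendor/MSFT/Policy/Config/Experience/AllowCortana", 0),
    ("Backslashes", ".\\Vendor\\MSFT\\Policy\\Config\\Experience\\AllowCortana", 0),
]

if __name__ == "__main__":
    for entry in build_oma_settings(SAMPLE_SETTINGS):
        print("OK ", entry["omaUri"])
    for name, uri, _ in BAD_SETTINGS:
        print("BAD", uri, "->", "; ".join(check_oma_uri(uri)))
```

The check is deliberately strict rather than "helpful": it reports the missing dot instead of quietly prepending it, so the person entering the path learns the convention rather than relying on a tool to patch it.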
10. A company uses a third-party application (e.g., Mozilla Firefox) that provides ADMX templates for management. How can you use these templates in a cloud-only Intune environment?
You can use the Import ADMX feature in Intune. This involves a two-step process:
- Import the ADMX file and its corresponding language ADML file into Intune.
- Create a policy using the "Imported Administrative templates" profile type, which will then expose the settings from the ingested ADMX file for configuration.
11. An organization is migrating from on-premises Active Directory to Intune. What tool can help them understand which of their existing Group Policy Objects (GPOs) are compatible with Intune?
They should use Group Policy analytics. This tool allows an administrator to import an XML export of an on-premises GPO. Intune then analyzes the settings and provides a report detailing which settings have 100% MDM support and can be migrated directly into a Settings catalog policy.
12. What is a security baseline in Intune, and what is one advantage of managing security settings in the dedicated Endpoint security blade?
A security baseline is a pre-configured group of settings recommended by Microsoft to quickly secure a product like Windows, Edge, or Defender for Endpoint. A key advantage of using the Endpoint security blade is that it enables role-based access control (RBAC), allowing you to create a specific role for a security team with restricted access to only this area, without giving them full Intune admin rights.
13. When configuring a BitLocker policy for silent encryption during Autopilot, what are three critical settings you must enable?
To enable silent BitLocker encryption during Autopilot, the following three settings are critical:
- Require devices to be encrypted.
- Warning for other disk encryption set to Block.
- Allow standard users to enable encryption during Azure AD Join set to Allow.
14. What is the purpose of Attack Surface Reduction (ASR) rules, and what is “Audit mode”?
ASR rules are built-in rules that block common malware attack vectors, such as Office macros creating executable content or scripts from running obfuscated code. Audit mode allows an administrator to enable a rule without actually blocking anything; instead, any action that would have been blocked is logged for review. This is useful for testing the impact of a rule on line-of-business applications before enforcing it.
15. What is Windows LAPS, and what security problem does it solve on Entra ID joined devices?
Windows Local Administrator Password Solution (LAPS) is a system that regularly rotates the password of a local administrator account on a device and stores it securely in Intune or Entra ID. It solves the security problem of having a static, shared local admin password across multiple machines, which could allow an attacker who compromises one machine to easily move laterally to others.
16. What is Application Control (WDAC), and how does enabling “Managed Installer” work with it?
Application Control, built on Windows Defender Application Control (WDAC), is a feature that restricts which applications can run on a device. When you enable the Managed Installer feature, you designate the Intune Management Extension as a trusted installer. This allows any application deployed via Intune to run without restriction, while all other applications (those not from the Microsoft Store and without a good reputation, if those options are enabled) are blocked.
17. In a real-world scenario, an ASR rule is blocking a legitimate finance application from creating a child process. How would you create an exception for this application?
Within the Attack Surface Reduction policy where the specific rule is configured, you would locate that rule setting. Below the setting, there is an option for ASR Only Per Rule Exclusions. Here, you would enter the full path to the executable of the finance application to exclude it specifically from that one rule.
18. When designing Windows update rings, what is a “broad ring,” and how would you configure its group assignment to ensure it only targets devices not in pilot rings?
A “broad ring” is the deployment ring for the general population of devices, which receives updates after they have been tested by preview and pilot rings. To configure its assignment, you would set the “Included groups” to a group containing all devices (e.g., Autopilot Devices) and then add the preview, pilot, and VIP groups to the “Excluded groups” section. This ensures the policy applies to every device except those in the earlier testing rings.
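To see the include/exclude logic work, here is an added Python example (not from the original page) that resolves which ring each device ends up in, given the rings' included and excluded groups, and audits the result for devices that would receive two rings or none. It also shows what goes wrong when the broad ring's exclusions are removed. Group names, device names and memberships are constructed; the Graph target type names in to_graph_assignments are as I recall them and the group ids are placeholders.

```python
"""Resolve update-ring membership from included/excluded groups (exclusion wins).
Added example, not from the page; all group and device names are constructed."""
ALL_DEVICES = "Autopilot Devices"   # the "all devices" group used for the broad ring

RINGS = {
    "Preview ring": {"include": {"Ring-Preview"}, "exclude": set()},
    "Pilot ring":   {"include": {"Ring-Pilot"},   "exclude": set()},
    "VIP ring":     {"include": {"Ring-VIP"},     "exclude": set()},
    "Broad ring":   {"include": {ALL_DEVICES},
                     "exclude": {"Ring-Preview", "Ring-Pilot", "Ring-VIP"}},
}

# Constructed device -> group memberships. Every managed device is in the all-devices group.
DEVICE_GROUPS = {
    "PC-001": {ALL_DEVICES, "Ring-Preview"},
    "PC-002": {ALL_DEVICES, "Ring-Pilot"},
    "PC-003": {ALL_DEVICES, "Ring-VIP"},
    "PC-004": {ALL_DEVICES},
    "PC-005": set(),                 # in no group at all: will get no ring
}

def ring_applies(ring, groups):
    """Intune's rule: the policy applies when the device is in at least one included
    group and in no excluded group. Exclusion always wins over inclusion."""
    return bool(ring["include"] & groups) and not (ring["exclude"] & groups)

def assign_rings(rings, device_groups):
    """Map each device to the list of rings that apply to it."""
    return {dev: [name for name, ring in rings.items() if ring_applies(ring, groups)]
            for dev, groups in device_groups.items()}

def audit(assignments):
    """Flag devices that would get more than one ring (conflicting update settings)
    and devices that get none (never updated by any ring)."""
    return {"overlapping": sorted(d for d, r in assignments.items() if len(r) > 1),
            "unassigned": sorted(d for d, r in assignments.items() if not r)}

def without_exclusions(rings):
    """Same rings with their exclude lists cleared, to show why the broad ring needs them."""
    return {name: {"include": ring["include"], "exclude": set()}
            for name, ring in rings.items()}

def to_graph_assignments(ring, group_ids):
    """Shape of the assignment targets as Graph names them (from memory):
    groupAssignmentTarget for included groups, exclusionGroupAssignmentTarget for excluded."""
    targets = []
    for group in sorted(ring["include"]):
        targets.append({"target": {"@odata.type": "#microsoft.graph.groupAssignmentTarget",
                                   "groupId": group_ids[group]}})
    for group in sorted(ring["exclude"]):
        targets.append({"target": {"@odata.type": "#microsoft.graph.exclusionGroupAssignmentTarget",
                                   "groupId": group_ids[group]}})
    return targets

if __name__ == "__main__":
    good = assign_rings(RINGS, DEVICE_GROUPS)
    print("with exclusions:   ", good, audit(good))
    bad = assign_rings(without_exclusions(RINGS), DEVICE_GROUPS)
    print("without exclusions:", bad, audit(bad))
```

With the exclusions in place every device except the group-less PC-005 gets exactly one ring; clear them and the preview, pilot and VIP devices each receive the broad ring as well, which is the conflict the exclusion list exists to prevent. The unassigned list is the other check worth running regularly: a device that is not in the all-devices group quietly falls out of every ring.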
19. What is Windows Autopatch, and what is a key licensing prerequisite to use it?
Windows Autopatch is a semi-managed service from Microsoft that automates updates for Windows, Microsoft 365 Apps, Teams, and Edge. It handles the creation of update rings and can pause problematic updates centrally. A key prerequisite is that devices must be licensed with Windows Enterprise, which is included in SKUs like Microsoft 365 E3/E5.
20. What are the two primary methods for configuring Windows Hello for Business (WHfB), and which one is recommended for more granular control?
The two methods are:
Settings Catalog Policy: A configuration profile that can be assigned to specific user or device groups. The Settings catalog policy is recommended for more granular control, as it allows you to apply different PIN complexities or biometric settings to different groups of users.
21. What is an Autopilot Enrollment Status Page (ESP), and why would you select specific “blocking apps”?
The Enrollment Status Page (ESP) is the screen shown to users during OOBE that displays the progress of device configuration and app installation. You would select specific blocking apps to ensure that critical applications (like security software or a VPN client) are fully installed before the user is allowed to access the desktop, ensuring the device is secure and functional from its first use.
22. During a real-world Autopilot failure, what keyboard shortcut can you use during the ESP to open a command prompt for troubleshooting?
You can press Shift + F10 to open an elevated Command Prompt during the ESP. This allows you to run tools like Task Manager or access logs to diagnose what is causing the failure.
23. An IT admin is preparing a device for a user with a slow internet connection. What Autopilot feature can they use to pre-install all device-targeted apps and policies before shipping the device?
The admin can use pre-provisioned deployment (formerly known as White Glove). During OOBE, the admin presses the Windows key five times to enter the technician phase, where all device-targeted apps and policies are installed. The device is then “resealed,” and when the user receives it, they only need to complete the user-specific setup, significantly speeding up their experience.
24. When setting up Android device management, what is the purpose of linking Intune to a Managed Google Play account?
Linking Intune to a Managed Google Play account is required to manage Android Enterprise devices. This connection is used for enrolling corporate devices and for deploying applications from the Google Play Store in a managed way, without requiring users to have personal Google accounts on their devices.
25. You are assigned a task to secure identities in Intune. How would you secure them?
User accounts access organization resources, and we need to keep these identities secure and prevent malicious access. We can implement the security features below:
Windows Hello for Business: WHfB replaces username-and-password sign-in and is part of a passwordless authentication strategy. When passwords are entered on a device and then transmitted over the network to a server, they can be intercepted and replayed from anywhere, which is a security risk.
With Windows Hello for Business, users sign in and authenticate with a PIN or biometric, like facial and fingerprint recognition. This information is stored locally on the device and isn’t sent to external devices or servers. Intune can be used to configure WHFB policies like PIN settings or biometrics.
Certificate-based authentication: CBA is also a part of a password-less strategy. You can use certificates to authenticate your users to applications and organization resources through a VPN, a Wi-Fi connection, or email profiles.
Multifactor authentication: MFA is a feature available with Microsoft Entra ID. For users to successfully authenticate, at least two different verification methods are required.