Intune Interview Questions and Answers – 4


1. What is user affinity? 

When users sign in to their devices for the first time, the device becomes associated with that user. This feature is called user affinity.

Any policies assigned or deployed to the user identity go with the user to all of their devices. When a user is associated with the device, they can access their email accounts, their files, their apps, and more. 

When you don’t associate a user with a device, the device is considered user-less. This scenario is common for kiosk devices.

2. What is Zero Trust in Microsoft Intune? 

Zero Trust is a security strategy that focuses on three principles.

Verify explicitly: Always authenticate and authorize based on all available data points.  

Use least privilege access: Limit user access with Just-In-Time and Just-Enough-Access (JIT/JEA), risk-based adaptive policies, and data protection. 

Assume Breach: Verify end-to-end encryption and use analytics to get visibility, drive threat detection, and improve defenses. 

3. What are MDM and MAM? 

Mobile Device Management: Users “enroll” their devices and use certificates to communicate with Intune. IT administrators can push apps on devices, restrict devices to a specific operating system, block personal devices, and more. If a device is ever lost or stolen, you can also remove all data from the device. 

Mobile Application Management: Users can use their personal devices to access organizational resources. When users open an app, such as Outlook or Teams, they can be prompted to authenticate. If a device is ever lost or stolen, you can remove all organization data from the Intune managed applications. 

MDM and MAM can be combined and used together with Intune.

4. What types of MAM configuration does Intune support?

Intune MAM supports two configurations: 

Intune MDM + MAM: IT administrators can manage apps using MAM on devices that are enrolled with Intune mobile device management (MDM). To manage apps using MDM + MAM, customers should use Intune in the Microsoft Intune admin center. 

Unenrolled devices with MAM managed applications: IT administrators can manage org data and accounts in apps using MAM on unenrolled devices or devices enrolled with third-party EMM providers. To manage apps using MAM, customers should use Intune in the Microsoft Intune admin center. 

5. What are the Operating Systems supported by Intune? 

Intune supports the following operating systems:

  • Android – Version 10 or later 
  • iOS/iPadOS – Version 16.X or later 
  • Linux – Ubuntu and RedHat Enterprise 
  • macOS – Version 13.x or later 
  • Windows – Version 10/11 
  • Chrome OS – Note: App Protection Policies are not supported in Chrome OS. 

6. Assume that you are using 3rd-party MDM solutions like Workspace ONE (previously called AirWatch), MobileIron, or MaaS360 and you have to move to Microsoft Intune. How will you plan the migration?

Since devices should only have one MDM provider, migrating from the current 3rd-party MDM provider to Intune requires removing the devices from the existing provider and enrolling them in Microsoft Intune.

Below are the steps I will follow to migrate to Intune.  

  1. Set up an Intune tenant with the required licenses and configure the MDM Authority as Intune.
  2. Deploy the apps used by users and create app protection policies.
  3. Analyze the device OS versions currently in use and configure Intune to allow only the supported device OS versions by setting up device restrictions.
  4. Validate and set up the required device configuration profiles.
  5. Set up the compliance policies that you want to enforce. This is optional and can be configured later, once all the devices are enrolled in Intune.
  6. Pick a pilot user, ask them to unenroll the device from the 3rd-party MDM provider, and instruct them to re-enroll in Microsoft Intune by sharing the reference guide.
  7. Fix any issues identified by the pilot users.
  8. Kick-start the migration to Intune in phases.

7. Currently your environment is using Configuration Manager, and your task is to move from Configuration Manager to Microsoft Intune. How will you complete this requirement? 

Below are the steps I will follow:

  1. Set up Microsoft Entra hybrid join. Microsoft Entra hybrid joined devices are joined to your on-premises Active Directory and registered with your Microsoft Entra ID. When devices are in Microsoft Entra ID, they’re also available to Intune.
  2. Set up co-management in Configuration Manager.
  3. Set up the MDM Authority in Intune.
  4. Switch all the workloads from Configuration Manager to Intune.
  5. Uninstall the Configuration Manager client on the devices. This can be done through an Intune app configuration policy.
  6. Once the Configuration Manager client is uninstalled, the devices are ready to be enrolled in Intune.
  7. Enroll the devices in Intune.

8. What are the workloads supported by co-management? 

Co-management supports the following workloads.  

Compliance policies: Compliance policies define the rules and settings that a device must comply with to be considered compliant by Conditional Access policies. 

Windows Update policies: Windows Update client policies let you configure deferral policies for feature updates or quality updates on Windows 10 or later devices.

Resource access policies: Resource access policies configure VPN, Wi-Fi, email, and certificate settings on devices. 

Endpoint Protection: The Endpoint Protection workload includes the Defender suite of protections, such as Defender Antivirus, Endpoint Protection, SmartScreen and Firewall.

Device configuration: The device configuration workload includes settings that you manage for devices in your organization.  

Note: Switching this workload also moves the Resource Access and Endpoint Protection workloads. 

Office Click-to-Run apps: This workload manages Microsoft 365 Apps on co-managed devices.

Client apps: Use Intune to manage client apps and PowerShell scripts on co-managed Windows 10 or later devices.

9. What is Cloud Attach? 

A Configuration Manager environment is considered cloud attached when it uses at least one of the three primary cloud attach features. You can enable these three features in any order you wish, or all at once. 

  • Tenant attach 
  • Endpoint analytics 
  • Co-management 

10. What is the difference between enabling co-management for versions 2111 or later and 2107 or earlier versions? 

The co-management onboarding experience changed in Configuration Manager version 2111. The Cloud Attach Configuration Wizard makes it easier to enable co-management and other cloud features, and lets you either accept the recommended defaults or customize the cloud attach features.

When enabling co-management in version 2107 or earlier, you select the Cloud Attach option under Cloud Services in the Administration workspace and configure the cloud attach settings. You select the Azure cloud environment by signing in as a Global Admin and then configure the automatic enrollment and Intune auto-enrollment options. Workloads can be configured as required.

11. What is Conditional Launch Action? 

App Protection Policies include an additional group of settings called Conditional Launch Actions, which let organizations block access or wipe org data when certain device or app conditions aren’t met.

The settings under Conditional Launch Actions are specific to each device platform; the following conditions can be configured for Android.

  • Max PIN attempts 
  • Offline grace period 
  • Jailbroken/rooted devices 
  • Min OS version 
  • Max OS version 
  • Min app version 
  • Min patch version 
  • Device manufacturer(s) 
  • Play integrity verdict 
  • Require threat scan on apps 
  • Min Company Portal version 
  • Max allowed device threat level 
  • Disabled account 
  • Require device lock 
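As an added example (not code from the original post), the evaluator below models how the Android conditional launch settings listed above turn device and app conditions into an action. The setting names follow the list in this answer; the `DeviceState` fields, the thresholds in `POLICY`, and the action names are constructed assumptions for illustration, not values from a real tenant. It also shows why OS versions must be compared numerically rather than as strings.

```python
# Added example (not from the original post): an evaluator that mirrors how the
# Android conditional launch settings of an Intune App Protection Policy turn
# device and app conditions into an action.  The setting names below follow the
# list in this answer; the DeviceState fields, thresholds and actions are
# constructed assumptions for illustration, not values from a real tenant.
from dataclasses import dataclass


def parse_version(text: str) -> tuple:
    """'9.10' -> (9, 10): compare numerically, because as strings '9.10' > '11.0'."""
    return tuple(int(part) for part in text.split("."))


@dataclass
class DeviceState:
    os_version: str
    app_version: str
    failed_pin_attempts: int
    offline_minutes: int        # minutes since the app last checked in with Intune
    rooted: bool
    play_integrity_passed: bool
    account_disabled: bool


# Constructed policy: each setting pairs a threshold (None for boolean checks) with
# the action taken when the condition is not met.
POLICY = {
    "max_pin_attempts": (5, "reset_pin"),
    "offline_grace_period": (720, "block"),      # 12 hours offline -> block access
    "offline_wipe_period": (10080, "wipe"),      # 7 days offline -> wipe org data
    "jailbroken_rooted": (None, "block"),
    "min_os_version": ("11.0", "block"),
    "min_app_version": ("4.2.0", "warn"),
    "play_integrity_verdict": (None, "block"),
    "disabled_account": (None, "wipe"),
}

SEVERITY = {"warn": 0, "reset_pin": 1, "block": 2, "wipe": 3}


def evaluate_conditional_launch(state: DeviceState, policy=POLICY) -> list:
    """Return (setting, action) for every condition the device or app fails."""
    failures = []

    def fail(setting, condition_failed):
        if condition_failed:
            failures.append((setting, policy[setting][1]))

    fail("max_pin_attempts", state.failed_pin_attempts >= policy["max_pin_attempts"][0])
    fail("offline_grace_period", state.offline_minutes >= policy["offline_grace_period"][0])
    fail("offline_wipe_period", state.offline_minutes >= policy["offline_wipe_period"][0])
    fail("jailbroken_rooted", state.rooted)
    fail("min_os_version",
         parse_version(state.os_version) < parse_version(policy["min_os_version"][0]))
    fail("min_app_version",
         parse_version(state.app_version) < parse_version(policy["min_app_version"][0]))
    fail("play_integrity_verdict", not state.play_integrity_passed)
    fail("disabled_account", state.account_disabled)
    return failures


def effective_action(failures: list) -> str:
    """The most severe triggered action wins: wipe > block > reset_pin > warn."""
    if not failures:
        return "allow"
    return max((action for _, action in failures), key=SEVERITY.__getitem__)


if __name__ == "__main__":
    healthy = DeviceState("13.0", "4.10.0", 1, 30, False, True, False)
    print(effective_action(evaluate_conditional_launch(healthy)))   # allow
    rooted_old = DeviceState("9.10", "4.10.0", 0, 30, True, True, False)
    print(evaluate_conditional_launch(rooted_old))   # rooted and OS too old -> block
```

Several conditions can fail at once (a device that has been offline for eight days trips both the offline grace period and the offline wipe period); the model resolves that the way an administrator would expect, by applying the most severe configured action.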

12. What is an App Protection Policy and What is a Managed App? 

App protection policies are rules that ensure an organization’s data remains safe or contained in a managed app. These policies control how data is accessed and shared by apps on mobile devices.  

A managed app is a protected app that has Intune app protection policies applied to it and is managed by Intune. 

The key benefits of App Protection Policies are that they protect corporate data on mobile devices without requiring device enrollment and control how data is accessed and shared by apps on mobile devices.

13. How will you validate App Protection Policy assignments in Intune? 

To validate the App Protection Policy status, check:

Users are licensed for app protection – Intune license required.

Users are licensed for Microsoft 365 – Microsoft 365 license required.

The check-in status of the users’ protected apps should be reviewed.

To monitor App Protection status, navigate to

Apps > Monitor > App Protection status, select the Assigned user option, and on the App reporting page select the required users and groups.

It shows whether the user is licensed for app protection and for Microsoft 365, and the app status for all of the user’s devices.

14. What are the remote device actions available in Intune, and which actions apply to which platforms?

Remote device actions help you manage devices remotely, without having to physically touch the device. This feature is available for devices that are enrolled in Intune.

| Action | Description | Supported OS |
| --- | --- | --- |
| Autopilot reset | Restores a device to its original settings and removes personal files, apps, and settings. | Windows |
| BitLocker key rotation | Changes the BitLocker recovery key for a device and uploads the new key to Intune. | Windows |
| Collect diagnostics | Collects diagnostic logs from a device and uploads the logs to Intune. | Windows 10 |
| Delete | Removes a device from Intune management; any company data is removed, and the device is retired. | Android, iOS/iPadOS, macOS, Windows |
| Disable Activation Lock | Removes the Activation Lock from a device that is enrolled with a device enrollment manager (DEM) account. | iOS/iPadOS, macOS |
| Fresh Start | Reinstalls the latest version of Windows on a device and removes apps that the manufacturer installed. | Windows |
| Full Scan | Initiates a full scan of the device by Microsoft Defender Antivirus. | Windows |
| Locate device | Shows the approximate location of a device on a map. | Android, iOS/iPadOS, Windows |
| Lost mode | Locks a device with a custom message and disables sound and vibration. | iOS/iPadOS |
| Pause Config Refresh | Pauses Config Refresh to run remediation on a device for troubleshooting or maintenance, or to make changes. | Windows 11 |
| Quick Scan | Initiates a quick scan of the device by Microsoft Defender Antivirus. | Windows |
| Remote control with TeamViewer | Allows you to remotely control a device using TeamViewer. | Android, iOS/iPadOS, macOS, Windows |
| Remote lock | Locks a device and resets its password. | Android, iOS/iPadOS, macOS |
| Rename device | Changes the device name in Intune. | Android, iOS/iPadOS, macOS, Windows |
| Reset passcode | Resets the device passcode. | Android, iOS/iPadOS |
| Restart | Restarts a device. | Android, iOS/iPadOS, macOS, Windows |
| Retire | Removes company data and settings from a device, and leaves personal data intact. | Android, iOS/iPadOS, macOS, Windows |
| Rotate local admin password | Changes the local administrator password for a device and stores the password in Intune. | Windows |
| Send custom notification | Sends a custom notification message to a device that can be viewed in the Company Portal app. | Android, iOS/iPadOS |
| Synchronize device | Syncs a device with Intune to apply the latest policies and configurations. | Android, iOS/iPadOS, macOS, Windows |
| Update cellular data plan | Updates the cellular data plan settings for a device that uses an eSIM profile. | iOS/iPadOS |
| Update Windows Defender Security Intelligence | Updates the security intelligence files for Microsoft Defender Antivirus. | Windows |
| Wipe | Restores a device to its factory settings and removes all data and settings. | Android, iOS/iPadOS, macOS, Windows |
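The remote actions in the table above are also exposed as actions on the `managedDevice` resource in Microsoft Graph. As an added example (not code from the original post), the script below builds the Graph request for a subset of those actions, refuses any action the platform does not support according to the table, and requires an explicit confirmation for the data-destroying ones. The mapping from admin-center action names to Graph action names is my own reading of the `managedDevice` actions; the device id and the access token are constructed placeholders, and a real call needs a token holding `DeviceManagementManagedDevices.PrivilegedOperations.All`.

```python
# Added example (not from the original post): builds the Microsoft Graph request
# behind an Intune remote device action and refuses actions the platform does
# not support, using the platform matrix from the table above.  The mapping from
# admin-center action names to Graph action names is my own reading of the
# managedDevice actions; device ids and the token are constructed placeholders.
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
ALL = {"Android", "iOS/iPadOS", "macOS", "Windows"}

# Admin-center name -> (Graph action name, supported platforms, request body)
ACTIONS = {
    "Synchronize device": ("syncDevice", ALL, None),
    "Restart": ("rebootNow", ALL, None),
    "Retire": ("retire", ALL, None),
    "Wipe": ("wipe", ALL, None),
    "Remote lock": ("remoteLock", {"Android", "iOS/iPadOS", "macOS"}, None),
    "Reset passcode": ("resetPasscode", {"Android", "iOS/iPadOS"}, None),
    "Locate device": ("locateDevice", {"Android", "iOS/iPadOS", "Windows"}, None),
    "Disable Activation Lock": ("bypassActivationLock", {"iOS/iPadOS", "macOS"}, None),
    "Quick Scan": ("windowsDefenderScan", {"Windows"}, {"quickScan": True}),
    "Full Scan": ("windowsDefenderScan", {"Windows"}, {"quickScan": False}),
    "Update Windows Defender Security Intelligence":
        ("windowsDefenderUpdateSignatures", {"Windows"}, None),
    "Fresh Start": ("cleanWindowsDevice", {"Windows"}, {"keepUserData": False}),
}

# Actions that remove data or reinstall the OS; require an explicit confirm flag so
# a script cannot wipe a device by accident.
DESTRUCTIVE = {"Retire", "Wipe", "Fresh Start"}


def build_remote_action(device_id, platform, action, confirm=False):
    """Return (url, body) for the action, or raise ValueError if it is not allowed."""
    if action not in ACTIONS:
        raise ValueError(f"unknown remote action: {action}")
    graph_name, platforms, body = ACTIONS[action]
    if platform not in platforms:
        raise ValueError(f"{action} is not supported on {platform}")
    if action in DESTRUCTIVE and not confirm:
        raise ValueError(f"{action} is destructive; pass confirm=True")
    return f"{GRAPH}/deviceManagement/managedDevices/{device_id}/{graph_name}", body


def send_remote_action(access_token, device_id, platform, action, confirm=False):
    """POST the action to Graph.  Needs a token holding
    DeviceManagementManagedDevices.PrivilegedOperations.All; Graph answers 204."""
    url, body = build_remote_action(device_id, platform, action, confirm)
    data = json.dumps(body).encode() if body is not None else b""
    request = urllib.request.Request(
        url, data=data, method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(request) as response:
        return response.status


if __name__ == "__main__":
    # Dry run only: show what would be sent for a constructed device id.
    print(build_remote_action("00000000-0000-0000-0000-000000000001", "Windows", "Quick Scan"))
```

Keeping the platform check and the confirmation guard in the request builder, rather than relying on Graph to reject a bad request, means an automation job fails locally before any privileged call is made.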

15. How will you use conditional access policy for device management? 

Conditional Access is a Microsoft Entra capability that works with Intune to help protect devices. Conditional Access policies can use device and compliance details from Intune to enforce access decisions for users and devices for the devices registered in Entra ID. 

Combine Conditional Access policy with: 

Device compliance policies can require a device to be marked as compliant before that device can be used to access your organization’s resources.  

App protection policies can add a security layer that ensures only client apps that support Intune app protection policies can access your online resources, like Exchange or other Microsoft 365 services. 

16. What is endpoint privileged management? 

Endpoint Privilege Management (EPM) allows admins to keep Windows users as standard users while elevating privileges only when needed, according to rules and parameters defined by your organization. This design supports the enforcement of least privileged access.

EPM enables IT teams to manage standard users more efficiently and limit their attack surface by only allowing employees to run as administrators for specific, approved applications or tasks. 

Tasks that commonly require administrative privileges are application installs (like Microsoft 365 Applications), updating device drivers, and running certain Windows diagnostics. 

17. You are assigned with the Task to configure Device Protection through Intune. What are the things you will take into consideration? 

To protect the device, I will create policies like endpoint security, device configuration profiles and device compliance policies.  

  • Endpoint Security Policy: Endpoint security policies are designed to help you focus on the security of your devices and mitigate risk. The available tasks help you identify at-risk devices, remediate those devices, and restore them to a compliant or more secure state. Antivirus, disk encryption, firewall, Endpoint Privilege Management, endpoint detection and response, App Control for Business, attack surface reduction and device compliance related settings can be configured.
  • Device Configuration profile: Microsoft Intune includes settings and features you can enable or disable on different devices using device configuration profiles. Profiles can be created for different devices and different platforms, including Android, iOS/iPadOS, macOS, and Windows. A few configuration settings are unique to each platform.
  • Device Compliance Policies: Compliance policies are sets of rules and conditions that are used to evaluate the configuration of managed devices. These policies can help secure organizational data and resources from devices that don’t meet those configuration requirements. Compliance policies are applied to devices, and the devices evaluate the rules in the policy to report a device compliance status. A noncompliant status can result in one or more actions for noncompliance, including blocking access through a Conditional Access policy.

In addition, devices can be configured with further settings to enhance security:

  • Authentication: Set up MFA or certificate-based authentication for your applications.
  • Device encryption: Configure BitLocker for Windows and FileVault for macOS.
  • Software updates: Manage how and when devices get software updates.
  • Security baselines: Preconfigured groups of Windows settings that are recommended by the relevant product teams.
  • Windows Local Administrator Password Solution (LAPS): Enforce password requirements for local admin accounts and back up a local admin account from devices to your Active Directory.
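As an added example (not code from the original post), the model below ties together the compliance policy described above, its scheduled "mark device noncompliant" action with a grace period, and the Conditional Access grant controls from question 15 (require a compliant device, require an app that supports app protection). The rule values, the `Device` fields and the grace periods are constructed assumptions; treating a device that is still inside its grace period as compliant for the access decision is also an assumption of this model, not a statement about the product.

```python
# Added example (not from the original post): a small model of how a device
# compliance policy, its scheduled "mark device noncompliant" action with a grace
# period, and a Conditional Access policy fit together.  The rule values, the
# Device fields and the grace periods are constructed assumptions; treating a
# device that is still inside its grace period as compliant for access decisions
# is also an assumption of this model.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


def parse_version(text: str) -> tuple:
    """'10.0.19045' -> (10, 0, 19045) for numeric comparison."""
    return tuple(int(part) for part in text.split("."))


@dataclass
class Device:
    platform: str
    os_version: str
    encrypted: bool
    jailbroken: bool
    antivirus_on: bool
    first_failed_on: Optional[date] = None   # day the device first failed a rule


# Constructed compliance policy per platform.  grace_days is the scheduled
# "mark device noncompliant" delay; 0 means mark it noncompliant immediately.
COMPLIANCE_POLICY = {
    "Windows": {"min_os": "10.0.19045", "require_encryption": True,
                "require_antivirus": True, "grace_days": 3},
    "iOS/iPadOS": {"min_os": "16.0", "require_encryption": True,
                   "require_antivirus": False, "grace_days": 0},
}


def failed_rules(device: Device) -> List[str]:
    """Names of the compliance rules the device currently fails."""
    rules = COMPLIANCE_POLICY[device.platform]
    failed = []
    if parse_version(device.os_version) < parse_version(rules["min_os"]):
        failed.append("min_os")
    if rules["require_encryption"] and not device.encrypted:
        failed.append("encryption")
    if rules["require_antivirus"] and not device.antivirus_on:
        failed.append("antivirus")
    if device.jailbroken:
        failed.append("jailbroken")
    return failed


def compliance_state(device: Device, today: date) -> str:
    """'compliant', 'in_grace' or 'noncompliant', as the device would be reported."""
    if not failed_rules(device):
        return "compliant"
    grace = COMPLIANCE_POLICY[device.platform]["grace_days"]
    started = device.first_failed_on or today
    if grace and today < started + timedelta(days=grace):
        return "in_grace"
    return "noncompliant"


def conditional_access(device: Device, today: date, app_supports_app_protection: bool,
                       require_compliant: bool = True,
                       require_app_protection: bool = True) -> str:
    """Grant controls: a compliant (or in-grace) device AND a client app that
    supports Intune app protection policies.  Returns 'grant' or 'block'."""
    if require_compliant and compliance_state(device, today) == "noncompliant":
        return "block"
    if require_app_protection and not app_supports_app_protection:
        return "block"
    return "grant"


if __name__ == "__main__":
    today = date(2024, 6, 10)
    laptop = Device("Windows", "10.0.22631", encrypted=False, jailbroken=False,
                    antivirus_on=True, first_failed_on=date(2024, 6, 9))
    print(failed_rules(laptop), compliance_state(laptop, today))   # ['encryption'] in_grace
    print(conditional_access(laptop, today, app_supports_app_protection=True))   # grant
```

The grace period is where most surprises come from in practice: a device that fails a rule keeps its access until the scheduled action fires, so the compliance report and the Conditional Access decision can disagree for a few days by design.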

18. How will you protect data through Intune Policies? 

Intune-managed apps and Intune’s app protection policies can help stop data leaks and keep your organization’s data safe. These protections can apply to devices that are enrolled with Intune and to devices that aren’t. 

19. Can you call out a couple of Device Configuration Profiles your environment is configured with?

Allow or prevent access to Bluetooth on the device.

Create a Wi-Fi or VPN profile that gives different devices access to your corporate network.

Manage software updates, including when they’re installed. 

Run an Android device as a dedicated kiosk device that can run one app or many apps.

On iOS/iPadOS and macOS devices, allow users to use AirPrint printers in your organization. 

20. What is the role of certificates in Intune? Have you deployed it in your organization? How did you deploy it? 

Certificates deployed through Intune to endpoints help authenticate users so they can access applications and corporate resources through VPN, Wi-Fi, or email profiles. When certificates authenticate these connections, your end users don’t need to enter usernames and passwords. 

Certificates are also used for signing and encrypting email using S/MIME. Common types of certificates used in Intune include trusted root certificates, Simple Certificate Enrollment Protocol (SCEP) certificates, and Public Key Cryptography Standards (PKCS) certificates. 

This feature supports: 

  • Android 
  • iOS/iPadOS 
  • macOS 
  • Windows 11 
  • Windows 10

Intune supports Simple Certificate Enrollment Protocol (SCEP), Public Key Cryptography Standards (PKCS), and imported PKCS certificates as methods to provision certificates on devices. The different provisioning methods have different requirements:

SCEP provisions certificates that are unique to each request for the certificate. 

PKCS provisions each device with a unique certificate. 

With Imported PKCS, you can deploy the same certificate that you’ve exported from a source, like an email server, to multiple recipients. 

In addition to the three certificate types and provisioning methods, you need to deploy a trusted root certificate from a trusted Certification Authority using a trusted certificate profile. The CA can be an on-premises Microsoft Certification Authority or a third-party Certification Authority. The trusted root certificate establishes trust from the device to your root or intermediate (issuing) CA from which the other certificates are issued.

In our environment, we have configured the Certificate connector for Microsoft Intune and deployed a Trusted certificate profile with Root CA and SCEP certificate. 
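As an added example (not code from the original post or from any Intune component), the script below builds a constructed three-tier PKI in memory with the `cryptography` package (root CA, issuing CA, device certificate) and walks the chain the way a device does when it validates a SCEP- or PKCS-issued certificate. It shows what the trusted certificate profile provides: the device certificate only validates against a root it has been told to trust, a chain cannot be completed without the issuing CA certificate, and a certificate signed by a non-CA is rejected. All names are made up and the keys are generated fresh on every run.

```python
# Added example (not from the original post): a constructed three-tier PKI built
# with the `cryptography` package (root CA -> issuing CA -> device certificate) to
# show what the trusted certificate profile provides: the device can only chain a
# SCEP- or PKCS-issued certificate back to a root it has been told to trust.
# All names are made up; keys are generated in memory and never written to disk.
import datetime as dt

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def issue(subject_cn, issuer=None, is_ca=False):
    """Issue a certificate for a fresh key; issuer=None yields a self-signed root.
    issuer is a (certificate, private_key) pair as returned by this function."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)])
    issuer_name, signing_key = (subject, key) if issuer is None else (issuer[0].subject, issuer[1])
    now = dt.datetime.now(dt.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer_name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - dt.timedelta(minutes=5))
        .not_valid_after(now + dt.timedelta(days=30))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(signing_key, hashes.SHA256())
    )
    return cert, key


def is_ca(cert):
    """Only certificates carrying BasicConstraints ca=True may sign other certs."""
    try:
        return cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
    except x509.ExtensionNotFound:
        return False


def signed_by(cert, candidate_issuer):
    """True if candidate_issuer is a CA whose key verifies cert's signature."""
    if not is_ca(candidate_issuer) or cert.issuer != candidate_issuer.subject:
        return False
    try:
        candidate_issuer.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes,
            padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False


def chain_is_trusted(leaf, intermediates, trusted_roots):
    """Walk from the device certificate upward until a trusted root signs the chain."""
    current, pool = leaf, list(intermediates)
    while True:
        if any(signed_by(current, root) for root in trusted_roots):
            return True
        nxt = next((c for c in pool if signed_by(current, c)), None)
        if nxt is None:
            return False
        pool.remove(nxt)
        current = nxt


def build_demo_pki():
    """Constructed PKI: the root is what a trusted certificate profile would deliver,
    the issuing CA is the SCEP/PKCS issuer, the device cert is what a device receives."""
    root = issue("Contoso Root CA", is_ca=True)
    issuing = issue("Contoso Issuing CA", issuer=root, is_ca=True)
    device = issue("device-0001", issuer=issuing)
    other_root = issue("Unrelated Root CA", is_ca=True)   # not in the trusted profile
    return {"root": root[0], "issuing": issuing[0], "device": device[0],
            "other_root": other_root[0], "device_key": device[1]}


if __name__ == "__main__":
    pki = build_demo_pki()
    print(chain_is_trusted(pki["device"], [pki["issuing"]], [pki["root"]]))        # True
    print(chain_is_trusted(pki["device"], [pki["issuing"]], [pki["other_root"]]))  # False
```

This is why the answer above deploys the root CA through a trusted certificate profile alongside the SCEP profile: the SCEP certificate alone gives the device an identity, but only the trusted root lets the device (and the Wi-Fi, VPN or email endpoint on the other side) validate that identity back to your CA.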
