Top Microsoft Intune Interview Questions and Answers-(2024)

1 .

Microsoft Intune (formerly Windows Intune), which is a part of Microsoft Endpoint Manager, is a Microsoft cloud-based management tool for mobile devices.

Microsoft Intune is a cloud-based service that focuses on Mobile Device Management (MDM) and Mobile Application Management (MAM). You control how your organization’s devices are used, including mobile phones, tablets, and laptops. You can also configure specific policies to control applications. For example, you can prevent emails from being sent to people outside your organization. Intune also allows people in your organization to use their personal devices for school or work. On personal devices, Intune helps make sure your organization's data stays protected and can isolate organization data from personal data.

Intune is part of Microsoft's Enterprise Mobility + Security (EMS) suite. Intune integrates with Azure Active Directory (Azure AD) to control who has access and what they can access. It also integrates with Azure Information Protection for data protection. It can be used with the Microsoft 365 suite of products. For example, you can deploy Microsoft Teams, OneNote, and other Microsoft 365 apps to devices.

2 .

What is Intune and how does it work?

In Microsoft's approach to managing mobile devices, Intune uses protocols or APIs available in mobile operating systems to execute tasks, such as enrolling devices. Enrollment lets IT personnel maintain an inventory of devices able to access enterprise services. Other tasks include configuring mobile devices, providing certificates and Wi-Fi and virtual private network profiles, and compliance reporting with regard to corporate standards. Intune integrates with Azure Active Directory to provide access control capabilities.

Microsoft's Intune app management approach, meanwhile, covers areas such as assigning mobile apps to the workforce, configuring those apps with standard settings and removing enterprise data from mobile apps. Intune, when used in conjunction with other EMS suite services, lets an organization provide apps that can access additional mobile app and data security features, such as single sign-on and multifactor authentication.

3 .

What is the difference between Intune and Azure AD?

Microsft Intune :

* Full control over your company’s devices, including mobile phones, tablets and laptops

* Easy to deploy, authenticate and ensure security compliance on every device in the company

* The ability to set policies to control access to company data and applications

* Fully compatible with any device

* Centralised control means there’s no need to spend on additional infrastructure

* Extensive security controls to allow you to meet cybersecurity and data protection requirements

Microsft Azure AD :
* Single sign-on (SSO) for multiple applications allows you to streamline processes and access control

* Azure AD multi-factor authentication and conditional access creates improved application security and protects users from 99.9% of cyber security breaches

* Extend your on-premise directory to the cloud with Azure AD connect to make the most of the cloud enabled benefits

* Efficient management of identities to ensure that the right people have easy access to the right resources

* Pre-integration with your favourite cloud services, such as Salesforce, Microsoft 365, corporate social media, for example, which results in easier onboarding of new products

* Cost effective solution and included in some Microsoft 365 Plans.

Azure Active Directory (Azure AD) is a universal identity management platform that incorporates user credentials and strong authentication policies to safeguard your company’s data, while Microsoft Intune provides cloud-based Mobile Device Management (MDM) and Mobile Application Management (MAM). Combined, these powerful services provide control over your company’s devices and easy access to internal resources, so your team can stay productive from any device.

4 .

Explain Microsoft Intune capabilities.

Microsoft Intune gives businesses the capability to :

Allow a bring your own device (BYOD) policy. Microsoft Intune can be deployed onto personal devices used for work purposes to ensure business data is protected.

Manage access to data and networks. Configure security settings – such as not allowing a device to be connected to an unsecured network – to protect your data.

Set and enforce additional security standards. Require users to consistently follow data security guidelines such as multi-factor authentication on their devices.

Remove organisational data remotely. Intune allows you to wipe company data from a device remotely if it is lost, stolen, or simply not used anymore.

Have visibility over devices your business uses. Intune allows you to see all devices enrolled and able to access company resources, giving you an inventory.

Configure apps on user devices. For example, add and assign apps to users, configure app settings and automatically update apps on relevant devices.

Track usage analytics for business use. See reports on which apps are being used by your employees and track their usage to ensure compliance.

Implement additional protection policies : Intune allows you to control how users share information. For example, you can prevent emails being sent to users outside of your business on the device managed by Intune. These policies can be customised based on user, location and real-time risk to ensure data stays protected.

5 .

Explain Some Benefits of Microsoft Intune.

Microsoft Intune exists as a security measure. The largest benefits of Microsoft Intune are all around how it allows you to ensure all employees are able to keep information safe and secure. It makes compliance with your data security policies compulsory – you can set protocols so that a user cannot use their device without following the rules.

Other benefits of implementing Microsoft Intune as part of your digital transformation include :

Adaptability : Intune is compatible with all devices and operating systems, including Windows, iOS and Android.

Diversity : Intune can be beneficial to all sorts of professional fields that handle sensitive data, from IT professionals to schools and governments.

Flexibility : As any device can be managed, using Intune gives ultimate flexibility to you and your business – allowing people to work from anywhere, at any time.

Security : Using Intune means all apps and devices, and therefore staff, comply with your security requirements to keep all of your business data safe.

Scalability : Once implemented, Intune can grow with your business and seamlessly provide updates and support as your team grows. You won’t outgrow Intune.

Productivity : You can keep on providing the Microsoft experience your employees need to do their jobs with more security without compromising their productivity.

Microsoft Intune gives you the power of security, completely in your control. You can ensure work and personal data are kept safe, secure and separate through the mobile device management and mobile application management principles on which Intune is built.

6 .

What is the difference between Cloud-Based and on-Premise Mobility Solutions?

There are some key differences between on-premises and cloud environments. Which approach is best for your business is entirely dependent on your requirements and the features you seek in a solution. A few differences are given below :

Deployment :

* On-Premise : Resources are deployed in-house and within an enterprise's IT infrastructure in an on-premises environment. The solution, as well as any connected processes, are the responsibility of the enterprise.

* Cloud-Based : While there are several types of cloud computing (public cloud, private cloud, and hybrid cloud), in a public cloud computing environment, resources are hosted on the service provider's premises, but companies can access and utilize as much as they want at any given time.

Cost :

* On-Premise : Companies who deploy software on-premises are responsible for the server hardware, power consumption, and space expenditures.

* Cloud-Based : Businesses who choose to use the cloud computing model just pay for the resources they use, with no maintenance or upkeep charges, and the price moves up or down based on how much is used.

Control :

* On-Premise : In an on-premises environment, businesses keep all of their data and have complete control over how it is used, for better or worse. Because of this, companies in highly regulated industries with additional privacy issues are more likely to be hesitant to get into the cloud before others.

* Cloud-Based : In a cloud computing environment, many firms and providers for that matter – have wrestled with the issue of data ownership. Because data and encryption keys are stored by your third-party provider, you may be unable to access that data if the unexpected occurs and there is downtime.

7 .

What devices can Intune manage?

Microsoft Intune Mobile Device Management (MDM) enables you to manage iOS, Android, and Windows devices securely.

Using Intune MDM, you can fulfill the following requirements :

* Protect both corporate devices and users' mobile devices.

* Manage access to corporate data through corporate devices and users' mobile devices.

* Perform various actions remotely on managed devices through the Intune portal. For example, implementing Conditional Access, locking a device, data encryption, passcode reset, and data wipe for stolen or lost devices.

* Enable Windows Hello for Business.

8 .

How to Create a Windows Hello for Business policy.

1. Sign in to the Microsoft Endpoint Manager admin center.

2. Go to Devices > Enroll devices > Windows enrollment > Windows Hello for Business. The Windows Hello for Business pane opens.

3. Select from the following options for Configure Windows Hello for Business:

* Enabled. Select this setting if you want to configure Windows Hello for Business settings. When you select Enabled, other settings for Windows Hello are visible and can be configured for devices.

* Disabled. If you don't want to enable Windows Hello for Business during device enrollment, select this option. When disabled, users can't provision Windows Hello for Business. When set to Disabled, you can still configure the subsequent settings for Windows Hello for Business even though this policy won't enable Windows Hello for Business.

* Not configured. Select this setting if you don't want to use Intune to control Windows Hello for Business settings. Any existing Windows Hello for Business settings on 10/11 devices isn't changed. All other settings on the pane are unavailable.

4. If you selected Enabled in the previous step, configure the required settings that are applied to all enrolled Windows 10/11 devices. After you configure these settings, select Save.

* Use a Trusted Platform Module (TPM) :

A TPM chip provides another layer of data security. Choose one of the following values:

* Required (default). Only devices with an accessible TPM can provision Windows Hello for Business.

* Preferred. Devices first attempt to use a TPM. If this option isn't available, they can use software encryption.

* Minimum PIN length and Maximum PIN length :

Configures devices to use the minimum and maximum PIN lengths that you specify to help ensure secure sign-in. The default PIN length is six characters, but you can enforce a minimum length of four characters. The maximum PIN length is 127 characters.

* Lowercase letters in PIN, Uppercase letters in PIN, and Special characters in PIN.

You can enforce a stronger PIN by requiring the use of uppercase letters, lowercase letters, and special characters in the PIN. For each, select from:

* Allowed. Users can use the character type in their PIN, but it isn't mandatory.

* Required. Users must include at least one of the character types in their PIN. For example, it's common practice to require at least one uppercase letter and one special character.

* Not allowed (default). Users must not use these character types in their PIN. (This is also the behavior if the setting isn't configured.)

Special characters include: ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~

* PIN expiration (days) :

It's a good practice to specify an expiration period for a PIN, after which users must change it. The default is 41 days.

* Remember PIN history :

Restricts the reuse of previously used PINs. By default, the last 5 PINs can't be reused.

* Allow biometric authentication :

Enables biometric authentication, such as facial recognition or fingerprint, as an alternative to a PIN for Windows Hello for Business. Users must still configure a work PIN in case biometric authentication fails. Choose from:

* Yes. Windows Hello for Business allows biometric authentication.

* No. Windows Hello for Business prevents biometric authentication (for all account types).

* Use enhanced anti-spoofing, when available :

Configures whether the anti-spoofing features of Windows Hello are used on devices that support it. For example, detecting a photograph of a face instead of a real face.

When set to Yes, Windows requires all users to use anti-spoofing for facial features when that is supported.

* Allow phone sign-in :

If this option is set to Yes, users can use a remote passport to serve as a portable companion device for desktop computer authentication. The desktop computer must be Azure Active Directory joined, and the companion device must be configured with a Windows Hello for Business PIN.

* Use security keys for sign-in :

When set to Enable, this setting provides the capacity for remotely turning ON/OFF Windows Hello Security Keys for all computers in a customer's organization.

9 .

Explain Windows Holographic for Business support settings.

Windows Holographic for Business supports the following settings for Windows Hello for Business:

* Use a Trusted Platform Module (TPM)

* Minimum PIN length

* Maximum PIN length

* Lowercase letters in PIN

* Uppercase letters in PIN

* Special characters in PIN

* PIN expiration (days)

* Remember PIN history

10 .

What is the use of MDM?

MDM is ideal in two situations :

* To have more control over what your employees do on company-owned devices.

* To have more control over your users' personal gadgets when they enroll. There are many MDM ways depending on what type of device:

* Enable someone to remotely monitor their emails on their iPhone, for example, or limit a device's app selection.

* Fundamentally, MDM allows you to give your users exactly whatever you want them to have, and the assurance that your data is secure.

11 .

What are the advantages of Cloud-Based Mobility Solutions?

Anywhere and anytime access: One can use a web browser from any device to access your applications at any time and from anywhere.

Affordable : Cloud computing has no upfront expenses; instead, you pay monthly, making it an ongoing expense (OpEx). While the monthly fee increases over time, maintenance and support services are included, eliminating the need for annual contracts.

Predictable costs : Benefit from monthly charges that are predictable and cover software licenses, upgrades, support, and daily backups.

High level of security : Because data centers use security procedures that most businesses cannot afford, your data is frequently safer in the cloud than on a server at your office.

Quick deployment : Unlike on-premise programs, which must be installed on a physical server and each PC or laptop, cloud-based software can be delivered in a matter of hours or days over the Internet.

Scalability : Cloud solutions give you more flexibility because you only pay for what you use and can simply scale up or down to suit demand, such as adding or removing licenses.

Lower energy costs : When you migrate to the cloud, you won't have to pay for on-premise servers or their upkeep. This lowers your energy bills tremendously.

12 .

What are the disadvantages of Cloud-Based Mobility Solutions?

Connectivity : To be productive, cloud solutions require consistent internet access.

Long-term costs : Although cloud applications require a cheaper initial investment, they can be more expensive over the length of a system's life cycle, increasing the total cost of ownership (TCO).

Less customizable : While cloud software is often changeable, a cloud solution may not be capable of significant development depending on how it is hosted.

13 .

What is the Comparison between Intune and SCCM?

There are multiple different ways of managing mobile devices. The device and application Management capabilities often differ depending on the device platform under use for managing functionality-related needs in modern management. For your better understanding of enterprise mobility and security, a basic comparison of the capabilities of Intune and Configuration Manager On-premises is as below for a smoother user experience :

Capabilities	Microsoft Intune	SCCM
Platform
Microsoft Windows	Yes	Yes
Microsoft Windows Server	No	Yes
Windows Phone	Yes	Windows 10 only
iOS	Yes	No
Windows RT	Yes	No
Android	Yes	No
Compliance Settings
Deploy and customize Windows PC device configuration settings (e.g., WMI, registry)	No	Yes
Deploy configuration settings to mobile devices.	Yes	No
Deployment
Deploy apps to devices and Windows PCs	Yes	Yes
Deploy Windows operating systems	No	Yes
Security and Privacy
Manage Windows software updates	Yes	Yes
Administration and Reporting
Monitor and report on how often software is being used with software metering	No	Yes
Hardware and software inventory	Yes	Yes
Use role-based administration and reporting to control who has access to product capabilities	No	Yes
Data Protection for mobile devices
Deploy security settings to mobile devices	Yes	Yes
Remote lock	Yes	Yes
Company resource access
Email profiles	Yes	Yes
Mobile application management	Yes	Yes
Manage access to Exchange email and SharePoint with conditional access	Yes	Yes
Managed Internet browser policy	Yes	Yes

14 .

What about Microsoft Intune PROS and CONS?

Intune PROS :
* Cloud native

* Strong in mobile device management (MDM)

* Good at light-weight, smaller applications on mobile devices or mobile OS.

* Auto provisioning of systems – with Microsoftâ€¯Intuneâ€¯and Autopilot, you can give new devices to your end users without the need to build, maintain, and apply custom operating system images to the devices.

* When you useâ€¯Intuneâ€¯to manageâ€¯Autopilotâ€¯devices, you can manage policies, profiles, apps after end users are enrolled

Intune CONS :

* Narrow focus on mobile devices; not a full systems-management platform

* Doesn’t support server-side applications

* Not intended for large applications

* Doesn’t have the feature-set to handle complex package deployments

* Incurs egress or monthly usage fees based on the volume of data transmitted – software deployment is often a reactive activity based on the software provider updates; usage fees add up and get more expensive over time

* Challenges in planning – difficult to predict the number or size of software updates that will occur over time, especially in an environment where most applications are going cloud native with a higher frequency of updates

15 .

What are the Advantages of On-Premise Mobility Solutions?

Full control over your own data : Your data is completely under your control. Your personal information, as well as possible customer information, is never stored on a server belonging to another organization.

Data access even if the Internet fails : Even if the Internet is down, data may be accessed. Even if the Internet is down, direct communication to the server allows access to the company's internal data.

The high degree of customization : Personalized to a great extent Standard software is typically used as a basis before being customized or suited to the specific application.

Own IT infrastructure : Having your own IT infrastructure is a great way to save money. Other service providers have no impact on the organization because it is completely self-contained.

No ongoing software costs : There are no additional software costs in the future. Rather than using a licensing mechanism, the software is usually purchased outright.

16 .

What are the Disadvantages of On-Premise Mobility Solutions?

Special hardware : Hardware that's unique Various capacities and performance classes are required depending on the software.

Special IT know-how : IT knowledge that is unique Maintenance necessitates specialized IT skills in order to effectively secure data.

Delays in case of problems : Delays in the event of a malfunction In the event of an issue, the corporation is responsible for resolving it.

No automatic updates : There are no automatic updates available. When a new version of the software is released, it is not automatically installed in on-premise models; instead, it must be purchased.

Risk of software being discontinued : The possibility of software being phased out On-premise solutions are frequently extensively customized, which implies that, in addition to high acquisition prices, there are no longer any (security) updates or additional advancements after support is ended.

17 .

What is Mobile Application Management(MAM)?

Intune Mobile Application Management(MAM) is a part of Intune management services that allow you to publish, push, configure, protect, monitor, and update mobile apps for your users. MAM enables you to manage and secure your company's data from a single application.

18 .

What are the benefits of MAM app protection?

MAM safeguards data within an application for an organization. A business or school-related app containing sensitive data can be maintained on any MAM device Without Enrollment (MAM-WE), including personal devices in Bring-Your-Own-Device (BYOD) settings. Intune MAM can handle various productivity programs, including Microsoft Office products.

19 .

What device configurations does MAM support?

Two configurations are available in Intune MAM :

Intune MDM + MAM : IT administrators can only manage apps and app protection rules on devices enrolled in Intune mobile device management utilizing MAM and app protection policies (MDM). The Microsoft Endpoint Manager admin center allows customers to manage apps using MDM + MAM.

MAM without device enrollment : enables IT, administrators, to manage apps and app protection policies on devices that aren't registered in Intune MDM. This means that Intune can manage apps on third-party EMM-enabled devices. Customers should use the Microsoft Endpoint Manager admin portal to manage apps that MAM-WE contains. Intune may also control apps on devices that are enrolled with third-party Enterprise Mobility Management (EMM) providers or that aren't enrolled at all.

20 .

Explain some Comparisons Basic Mobility and Security and Intune in Office 365.

Microsoft Intune is a standalone product included with certain Microsoft 365 plans, while Basic Mobility and Security is part of the Microsoft 365 plans.

Availability of Basic Mobility and Security and Intune : Both Basic Mobility and Security and Intune are included in various plans, described in the following table.

Plan	Basic Mobility and Security	Microsoft Intune
Microsoft 365 Apps	Yes	No
Microsoft 365 Business Basic	Yes	No
Microsoft 365 Business Standard	Yes	No
Office 365 E1	Yes	No
Office 365 E3	Yes	No
Office 365 E5	Yes	No
Microsoft 365 Business Premium	Yes	Yes
Microsoft 365 Firstline 3	Yes	Yes
Microsoft 365 Enterprise E3	Yes	Yes
Microsoft 365 Enterprise E5	Yes	Yes
Microsoft 365 Education A1	Yes	Yes
Microsoft 365 Education A3	Yes	Yes
Microsoft 365 Education A5	Yes	Yes
Microsoft Intune	No	Yes
Enterprise Mobility & Security E3	No	Yes
Enterprise Mobility & Security E5	No	Yes

21 .

What is multi-identity support?

Among the new features is multi-identity support “for Word, PowerPoint and OneDrive apps for iOS devices, enabling users to access both their personal and work accounts in the same Office mobile apps while Intune mobile application management policies are only applied to the user’s work account.” An updated Excel app is pending approval in the Apple App Store, they noted.

After the update is applied, the Company Portal app for iOS will display a notification when updated versions of managed apps are available at the app store. Both changes apply to the stand-alone version of Intune and the hybrid implementation with System Center Configuration Manager.

Intune stand-alone also gains the ability to install Windows Store (.appx) apps directly from the Intune Company Portal Website, a capability already offered for hybrid System Center Configuration Manager customers. On the data security front, an updated Endpoint Protection agent helps administrators keep Windows PCs virus-free. The Intune console will also soon display malware-infected file paths, helping administrators monitor the effectiveness of their IT security measures.

22 .

What is Intune a DLP?

If your organization has already put the time into understanding your data, developing a data sensitivity schema, and applying the schema, you might be ready to extend elements of this schema to endpoints by using Microsoft Purview data loss prevention (DLP) policies.

Endpoint data loss prevention (Endpoint DLP) currently applies to :

* Windows 10, Windows 11

* macOS

DLP policies are created by your information protection and governance team. Each DLP policy defines what elements within a data set to look for, like sensitive information types or labels, and how to protect this data.

23 .

What are app protection policies?

App protection policies are guidelines that guarantee an organization's data is kept safe and controlled within a managed app. A policy can be a set of behaviors that are restricted or monitored. At the same time, the user is within the app or regulation that is implemented whenever the user tries to access or move "business" data.

24 .

Which apps can be managed by app protection policies?

Using Intune app protection policies, you may manage any app that has been connected with the Intune App SDK or wrapped with the Intune App Wrapping Tool.

25 .

What are the baseline requirements to use app protection policies on an Intune-managed app?

* The end-user requires an Azure Active Directory (Azure AD) account.

* A Microsoft Intune license must be assigned to the end user's Azure Active Directory account.

* An app protection strategy must target a security group for the end-user. The same app protection policy must be applied to every app. In the Microsoft Endpoint Manager admin center, you can create and deploy app protection policies. The Microsoft 365 admin center now allows users to form security groups.

* The end-user must sign into the app using their Azure AD account.

26 .

How does Intune give users a self-service experience?

To provide your users with a self-service experience, you may design an Intune company portal app for any device type.

* Users check in to the portal and are presented with a list of available applications. You could have 15 business apps, but only 5 of them are required by all users. Make the other ten visible by automatically pushing the five out. Your consumers can choose and download the other apps they desire with just a single click.

* If a user's iPhone is lost, they can use their Windows device to enter the portal, choose the app, and decommission it. They don't need to call their IT team to securely delete work data from their misplaced phone, though they can.

27 .

What happens when I enforce or enroll devices with Intune?

Users will log in with a corporate Office 365 or Azure AD credential to enroll their device, and the policies will be pushed to the device. Policies can include:

* Automatically creating a user's email profile.

* Setting up a VPN to connect to corporate resources.

* Setting up Wi-Fi profiles.

Corporate SSL certificates and apps are also available for deployment. You can use managed app configuration policies to add more constraints to your apps.

28 .

How to monitor app protection policies?

You can monitor the status of the app protection policies that you've applied to users from the Intune app protection pane in the Azure portal. Additionally, you can find information about the users affected by app protection policies, policy compliance status, and any issues that your users might be experiencing.

There are three different places to monitor app protection policies :

* Summary view

* Detailed view

* Reporting view

The retention period for app protection data is 90 days. Any app instances that have checked in to the Intune service within the past 90 days is included in the app protection status report. An app instance is a unique user + app + device.

Source : Github

29 .

What is Windows Autopatch?

Windows Autopatch is a cloud service that automates Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams updates to improve security and productivity across your organization. It’s a brand-new, helpful service from Microsoft that updates Windows 10, Windows 11, Microsoft Edge, and Microsoft 365 software according to best practices.

Windows Autopatch can take over software update management of supported devices as soon as an IT admin decides to have their tenant managed by the service.

30 .

What are the Prerequisites for Windows Autopatch?

Let’s understand what prerequisite do you need to set up Windows Autopatch:

* Windows Autopatch requires Windows 10/11 Enterprise E3 (or higher) to be assigned to your users.

* You will also require Azure Active Directory Premium. The user accounts must exist in Azure Active Directory or the accounts must be synchronized from on-premises Active Directory to Azure AD using Azure AD connect.

* Autopatch devices will require connectivity to multiple Microsoft service endpoints from the corporate network.

* Windows Autopatch devices must be managed by Microsoft Intune. Intune should be set as the Mobile Device Management (MDM) authority or co-management must be turned on and enabled on the target devices.

31 .

What is Conditional Access?

The modern security perimeter now extends beyond an organization's network to include user and device identity. Organizations can use identity-driven signals as part of their access control decisions.

Conditional Access brings signals together, to make decisions, and enforce organizational policies. Azure AD Conditional Access is at the heart of the new identity-driven control plane.

Conditional Access policies at their simplest are if-then statements, if a user wants to access a resource, then they must complete an action. Example: A payroll manager wants to access the payroll application and is required to do multi-factor authentication to access it.

Administrators are faced with two primary goals:

* Empower users to be productive wherever and whenever

* Protect the organization's assets

Use Conditional Access policies to apply the right access controls when needed to keep your organization secure.

32 .

What are the Common signals that Conditional Access?

Common signals that Conditional Access can take in to account when making a policy decision include the following signals:

* User or group membership

* Policies can be targeted to specific users and groups giving administrators fine-grained control over access.

* IP Location information

* Organizations can create trusted IP address ranges that can be used when making policy decisions.

* Administrators can specify entire countries/regions IP ranges to block or allow traffic from.

* Device

* Users with devices of specific platforms or marked with a specific state can be used when enforcing Conditional Access policies.

* Use filters for devices to target policies to specific devices like privileged access workstations.

* Application

* Users attempting to access specific applications can trigger different Conditional Access policies.

* Real-time and calculated risk detection

* Signals integration with Azure AD Identity Protection allows Conditional Access policies to identify risky sign-in behavior. Policies can then force users to change their password, do multi-factor authentication to reduce their risk level, or block access until an administrator takes manual action.

* Microsoft Defender for Cloud Apps

* Enables user application access and sessions to be monitored and controlled in real time, increasing visibility and control over access to and activities done within your cloud environment.

33 .

What is Directly blocking legacy authentication?

The easiest way to block legacy authentication across your entire organization is by configuring a Conditional Access policy that applies specifically to legacy authentication clients and blocks access. When assigning users and applications to the policy, make sure to exclude users and service accounts that still need to sign in using legacy authentication. When choosing the cloud apps in which to apply this policy, select All cloud apps, targeted apps such as Office 365 (recommended) or at a minimum, Office 365 Exchange Online. Configure the client apps condition by selecting Exchange ActiveSync clients and Other clients. To block access for these client apps, configure the access controls to Block access.

34 .

What is Indirectly blocking legacy authentication?

Even if your organization isn't ready to block legacy authentication across the entire organization, you should ensure that sign-ins using legacy authentication aren't bypassing policies that require grant controls such as requiring multifactor authentication or compliant/hybrid Azure AD joined devices. During authentication, legacy authentication clients don't support sending MFA, device compliance, or join state information to Azure AD. Therefore, apply policies with grant controls to all client applications so that legacy authentication based sign-ins that can’t satisfy the grant controls are blocked. With the general availability of the client apps condition in August 2020, newly created Conditional Access policies apply to all client apps by default.

35 .

What are the typical use cases for Intune?

Use case one : A user enrolls in Microsoft Intune using their corporate iPad.

Configures the user's email profile automatically, applying server and account settings as well as any security and synchronization constraints you provide. This service is available on iOS, Android, and Windows phones and tablets. When you deploy the profile, it will connect to your email service and synchronize mails according to your settings.

Use case two : Locking down devices.

Ensure that individuals can only access the applications or data that you want them to — for example, a low-cost Windows device in a reception area that displays marketing data or employee surveys.

36 .

When is the user prompted to enter their PIN?

When the user accesses "corporate" data, Intune asks for the user's app PIN. When trying to open a "corporate" document or file in multi-identity apps like Word/Excel/PowerPoint, users are prompted for their PIN. Because the Intune App SDK knows the user's experience is always "corporate," the PIN is required upon launch in single-identity apps, such as line-of-business apps handled with the Intune App Wrapping Tool.

37 .

How does the Intune PIN work with built-in app PINs for Outlook and OneDrive?

The Intune PIN operates based on an inactivity timeout. As a result, Intune PIN prompts differ from the built-in app PIN prompts for Outlook and OneDrive, frequently related to app start by default. The Intune PIN should take precedence if the user receives both PIN initiates simultaneously.

38 .

How does Intune protect my company's data on corporate and personal devices?

Intune assists in protecting your company's data in three ways:

Mobile Device Management (MDM) : Manage which devices have access to which data by controlling device settings. You can also delete data and remove gadgets from your system.

Management of Mobile Apps (MAM) : You protect the information on the devices rather than the devices themselves, such as company emails in the Outlook app.

Managing your desktop (Windows PCs and Macs) : Only secure and compliant PCs should be able to access your company's data. Maintain Windows updates, for example, and the proper system settings.

39 .

Why don't On-Premises (on-prem) services work with Intune protected apps?

The user's identification must be constant between the application and the Intune App SDK for Intune app protection to work. Modern authentication is the only method to guarantee this. Apps may work with an on-premises configuration in some circumstances, but this is neither consistent nor guaranteed.

40 .

Does Intune protect employee-owned and third-party devices?

Yes, Intune safeguards your data and applications even on devices you don't manage. It can be used in three different scenarios:

Company-owned or company-managed devices : Gadgets owned or controlled by your firm, allowing you complete control over your organization's devices. Secure your data and control what users can and cannot do, right down to the wallpaper.

Employee-owned or employee-managed devices : with the rise of BYOD, more employees are accessing company email and cloud services like OneDrive for Business via personal devices. Allow for productivity, ensure that their gadgets are in good working order, and stay on top of your data and security.

Third-party managed devices : Devices handled by a third party are a typical case in lockdown. Data or devices that are protected by a third-party system or MDM. In this case, we can use MAM to safeguard specific programs while the third-party system or MDM still controls the device settings.

41 .

What is the difference between Azure AD and Active Directory Domain Services (AD DS)?

Azure Active Directory (Azure AD) and Active Directory Domain Services (AD DS) are both identity and access management solutions from Microsoft, but they serve different purposes.

AD DS is the traditional on-premises directory service used to manage and authenticate users, computers, and other resources in a Windows domain network. It provides centralized management of objects in a domain, including authentication and authorization services, and can be used to manage access to on-premises resources such as files, folders, and applications.

Azure AD, on the other hand, is a cloud-based directory service that provides identity and access management capabilities for cloud-based and on-premises resources.

It allows users to authenticate and access cloud-based services and applications using their existing corporate credentials, such as their username and password. Azure AD can also be used to manage access to resources outside of the organization's network, including SaaS applications and other cloud-based services.

While AD DS is primarily used for on-premises directory services, Azure AD is focused on providing identity and access management for cloud-based resources. However, it's important to note that Azure AD can also integrate with on-premises AD DS, allowing for a hybrid identity solution that extends on-premises directory services to the cloud.

42 .

How does Microsoft Intune support management of hybrid environments?

Microsoft Intune supports management of hybrid environments through its integration with Azure Active Directory (Azure AD) and Active Directory Domain Services (AD DS). This integration allows organizations to manage both on-premises and cloud-based resources from a single management console.

With Microsoft Intune, organizations can manage mobile devices, PCs, and servers, as well as control access to corporate data and resources.

In a hybrid environment, Intune can manage devices that are either on-premises or in the cloud, including devices that are joined to on-premises AD DS and synced to Azure AD.

Intune can also manage Windows Virtual Desktop deployments, as well as manage access to resources such as files, folders, and applications. This is accomplished through policies and profiles that can be configured and deployed to devices and users in the organization.

Intune also supports co-management with System Center Configuration Manager (SCCM) to enable organizations to manage both on-premises and cloud-based resources through a single management console. This allows organizations to leverage existing investments in SCCM while taking advantage of the cloud-based management capabilities of Intune.

In addition, Intune can integrate with other Microsoft services, such as Microsoft Defender Advanced Threat Protection (ATP), to provide additional security features and enhance overall management capabilities in a hybrid environment.

43 .

How does Microsoft Intune integrate with other Microsoft products, such as Office 365 and Azure AD?

Microsoft Intune integrates with other Microsoft products such as Office 365 and Azure Active Directory (Azure AD) to provide a seamless end-to-end experience for managing devices, apps, and data in a modern workplace.

Intune and Office 365 integration allows administrators to control access to Office 365 apps and data, enforce data protection policies, and manage Office 365 apps on mobile devices.

This integration provides a unified experience for managing both devices and Office 365 data, ensuring that data is protected and secure, while still enabling employees to be productive.

Intune and Azure AD integration enables organizations to extend their on-premises identity infrastructure to the cloud. This integration allows administrators to manage access to cloud-based resources, enforce policies, and control access to data. With Intune and Azure AD integration, administrators can also enable single sign-on (SSO) for cloud-based apps, simplifying the sign-in process for users and reducing helpdesk calls.

Intune can also integrate with other Microsoft products, such as Microsoft Defender ATP, to provide additional security features and enhance overall management capabilities. For example, Intune and Microsoft Defender ATP integration allows administrators to detect and respond to security threats on mobile devices and PCs, providing a comprehensive endpoint protection solution.

Overall, Microsoft Intune's integration with other Microsoft products provides a holistic approach to managing devices, apps, and data, ensuring that organizations can provide a secure and productive modern workplace for their employees.

44 .

How does Microsoft Intune support mobile device management (MDM)?

Microsoft Intune supports mobile device management (MDM) by providing a cloud-based solution that enables organizations to manage and secure mobile devices and applications across multiple platforms, including iOS, Android, Windows, and macOS.

Intune's MDM capabilities include the following :

1. Device enrollment : Intune allows for easy device enrollment, including bulk enrollment, using methods such as Apple's Device Enrollment Program (DEP), Android Enterprise, and Windows Autopilot.

2. Device management : Intune provides policy-based management of devices, including the ability to enforce passcodes and device encryption, configure Wi-Fi and VPN profiles, and manage certificates.

3. Application management : Intune enables the distribution of applications to managed devices, including the ability to control access to sensitive data within apps and to remotely wipe apps and app data.

4. Conditional access : Intune supports conditional access policies to ensure that only authorized devices and users can access corporate data and resources.

5. Mobile threat defense : Intune can integrate with Microsoft Defender ATP to detect and remediate threats on mobile devices, providing advanced threat protection.

6. Reporting and analytics : Intune provides detailed reporting and analytics on device and app usage, compliance, and security issues, allowing administrators to monitor and manage their mobile environment effectively.

45 .

What is conditional access in Microsoft Intune, and how does it work?

Conditional access in Microsoft Intune is a policy-based approach to controlling access to corporate resources, based on specific conditions or criteria. It allows administrators to control access to corporate data and resources, ensuring that only authorized users and devices can access sensitive data.

Conditional access policies in Intune can be based on a range of conditions, including :

1. Device compliance : ensuring that the device meets the organization's security and compliance requirements, such as having the latest software updates, having a passcode set, and having encryption enabled.

2. Location : controlling access based on the user's location, such as only allowing access from within the organization's network or from a specific geographic location.

3. User risk : assessing the level of risk associated with the user, such as whether the user has been flagged as a high-risk user based on their previous behavior or security incidents.

4. Application : controlling access to specific applications, such as allowing access to a cloud-based application but not allowing access to on-premises applications.

Conditional access works by requiring users and devices to meet specific conditions before they can access corporate data and resources. If a user or device does not meet the conditions specified in the policy, they will be denied access.

Conditional access policies can be applied to a range of resources, including Microsoft 365 services, Azure AD-connected apps, and on-premises applications, and can be configured through the Intune console.

Overall, conditional access in Microsoft Intune provides a powerful mechanism for controlling access to corporate data and resources, ensuring that organizations can maintain a secure and compliant environment.

46 .

What is the difference between device-based and user-based licensing for Microsoft Intune?

Device-based and user-based licensing are two licensing options for Microsoft Intune. The main difference between them is how the licenses are assigned and which features are included.

Device-based licensing means that licenses are assigned to specific devices, regardless of the number of users who access the device. With device-based licensing, each device that is managed by Intune requires a separate license, regardless of how many users access that device. Device-based licensing includes basic management features such as device enrollment, policy management, and app management.

User-based licensing means that licenses are assigned to individual users, regardless of the number of devices they use. With user-based licensing, each user who needs access to corporate data and resources on their device requires a license. User-based licensing includes advanced management features such as conditional access, mobile threat defense, and reporting and analytics.

In general, device-based licensing is more cost-effective for organizations that have multiple users sharing a single device, such as shift workers, while user-based licensing is more cost-effective for organizations where users need to access corporate resources from multiple devices, such as smartphones, tablets, and laptops.

It's also worth noting that Microsoft Intune offers a hybrid licensing option, which allows organizations to mix and match device-based and user-based licenses, depending on their specific needs. This can provide organizations with more flexibility and cost-effectiveness when managing their mobile devices and applications.

47 .

What are some of the key security features in Microsoft Intune?

Microsoft Intune provides a range of security features that help organizations manage and secure their mobile devices and applications. Here are some key security features in Microsoft Intune :

1. Conditional access : Intune enables administrators to define policies that control access to corporate resources based on specific conditions or criteria, such as device compliance, location, user risk, or application. This helps ensure that only authorized users and devices can access sensitive data.

2. Mobile threat defense : Intune can integrate with Microsoft Defender ATP to detect and remediate threats on mobile devices, providing advanced threat protection.

3. Device compliance : Intune provides a range of device compliance policies that can be configured to ensure that devices meet specific security and compliance requirements, such as having the latest software updates, having a passcode set, and having encryption enabled.

4. App protection policies : Intune enables administrators to define policies that protect corporate data within apps, such as preventing data leakage or unauthorized access to sensitive data.

5. Data encryption : Intune provides the ability to encrypt data on mobile devices, both at rest and in transit, to help ensure that sensitive data is protected.

6. Remote wipe : Intune enables administrators to remotely wipe corporate data from managed devices in the event of loss, theft, or other security incidents.

7. Reporting and analytics : Intune provides detailed reporting and analytics on device and app usage, compliance, and security issues, allowing administrators to monitor and manage their mobile environment effectively.

48 .

How does Microsoft Intune support application management?

Microsoft Intune provides a range of application management features that enable organizations to manage and distribute mobile applications securely. Here are some of the ways that Intune supports application management:

1. App deployment : Intune enables administrators to deploy apps to managed devices and users in a variety of ways, such as through the Microsoft Store, the Apple App Store, or the Google Play Store.

2. App management policies : Intune provides app management policies that can be configured to control how managed apps behave on mobile devices, such as disabling app features or preventing data leakage.

3. App protection policies : Intune enables administrators to define policies that protect corporate data within managed apps, such as preventing data leakage or unauthorized access to sensitive data.

4. App inventory : Intune provides an app inventory that enables administrators to monitor and manage the apps that are installed on managed devices, providing visibility and control over the mobile app landscape.

5. App reporting and analytics : Intune provides detailed reporting and analytics on app usage and issues, allowing administrators to monitor and manage their app environment effectively.

6. App updates : Intune enables administrators to manage app updates for managed apps, ensuring that users have access to the latest versions of apps and security patches.

49 .

What is the difference between an app protection policy and an app configuration policy in Microsoft Intune?

An app protection policy and an app configuration policy are two different types of policies in Microsoft Intune that serve different purposes.

An app protection policy is a policy that is applied to a specific app on a mobile device to protect corporate data within that app. This type of policy enables administrators to define rules that control how data is accessed, used, and shared within the app, such as preventing data leakage, restricting copying and pasting, and requiring encryption. App protection policies are typically applied to apps that are managed by Intune, such as Microsoft Office apps, and can be targeted to specific users or groups.

An app configuration policy, on the other hand, is a policy that is applied to a specific app to configure its settings and behavior. This type of policy enables administrators to define settings that are specific to the app, such as enabling or disabling certain features, configuring server settings, or setting default values. App configuration policies are typically applied to apps that are not managed by Intune, such as third-party apps, and can be targeted to specific users or groups.

50 .

How does Microsoft Intune support management of non-Microsoft devices?

Microsoft Intune supports management of non-Microsoft devices through its Mobile Device Management (MDM) capabilities. Intune provides MDM support for a variety of non-Microsoft devices, including iOS, Android, and macOS devices.

Here are some ways that Microsoft Intune supports management of non-Microsoft devices:

1. Enrollment : Intune enables users to enroll their devices in management, which allows the administrator to configure device policies and security settings.

2. Device configuration : Intune provides a range of device configuration policies that can be used to configure settings such as device passcodes, network settings, and email profiles.

3. App management : Intune enables administrators to manage apps on non-Microsoft devices, such as pushing out updates or removing apps from devices.

4. Conditional access : Intune can be used to apply conditional access policies to non-Microsoft devices, enabling administrators to control access to corporate resources based on device compliance and other criteria.

5. Compliance management : Intune enables administrators to define policies that ensure non-Microsoft devices meet specific security and compliance requirements, such as having the latest software updates, having a passcode set, and having encryption enabled.

6. Reporting and analytics : Intune provides detailed reporting and analytics on device and app usage, compliance, and security issues for non-Microsoft devices, allowing administrators to monitor and manage their mobile environment effectively.

51 .

What is Microsoft Autopilot, and how does it work with Microsoft Intune?

Microsoft Autopilot is a cloud-based deployment and enrollment service that enables organizations to set up and pre-configure new Windows 10 devices, making them ready for productive use. With Autopilot, IT administrators can automate the Windows 10 deployment process, streamline device setup, and reduce end-user downtime.

Microsoft Intune can work with Autopilot to manage and secure the devices that are enrolled through Autopilot. Here's how it works:

1. Device enrollment : When a new Windows 10 device is powered on, it connects to the internet and checks to see if it is registered with Autopilot. If the device is registered, it will automatically enroll in Intune and receive device policies and configuration settings.

2. Device provisioning : After the device is enrolled, Intune can provision the device with apps, settings, and configurations. This process can include installing apps, configuring network settings, and applying security policies.

3. Device management : Once the device is provisioned, Intune can manage and secure the device throughout its lifecycle, providing ongoing monitoring, updates, and support. This includes the ability to manage apps, enforce security policies, and perform remote actions, such as wiping a device or resetting a passcode.

By integrating with Autopilot, Microsoft Intune provides organizations with a streamlined and automated way to deploy and manage Windows 10 devices, making it easier for IT administrators to manage large fleets of devices and reducing end-user downtime.

52 .

What is a security baseline in Microsoft Intune?

A security baseline in Microsoft Intune is a collection of recommended security settings that are designed to provide a baseline level of protection for devices and applications in an organization. Security baselines are used to help organizations meet their security and compliance requirements by providing a standardized set of security settings that can be applied to devices and applications.

Microsoft Intune provides pre-defined security baselines that can be applied to devices running Windows 10 and Microsoft Edge. These baselines include recommended settings for device security, network security, and application security. Organizations can also create custom security baselines that are tailored to their specific needs and requirements.

Here are some examples of security settings that might be included in a security baseline :

* Enabling BitLocker encryption on Windows devices
* Disabling insecure network protocols, such as SMBv1
* Enabling Windows Defender Antivirus and configuring its settings
* Configuring Microsoft Edge to use the highest level of security for browsing
* Enabling password complexity requirements and other security settings for Windows devices

Once a security baseline is created, it can be applied to devices and applications in an organization using Intune policies. Intune provides tools for monitoring compliance with security baselines and for reporting on any issues or exceptions.

53 .

What is a Windows Autopilot deployment profile, and how does it work with Microsoft Intune?

A Windows Autopilot deployment profile is a configuration file that specifies how a Windows 10 device will be provisioned and customized during the Autopilot deployment process. The deployment profile contains settings such as the device name, language and region, network settings, and privacy settings.

Microsoft Intune can be used to create and assign Autopilot deployment profiles to devices in an organization. Here's how it works:

1. Create a deployment profile : In the Intune console, an administrator can create a deployment profile that specifies the desired settings for the Windows 10 device during the Autopilot deployment process.

2. Assign the deployment profile : The deployment profile can then be assigned to one or more devices in Intune. When the device is enrolled in Autopilot, it will automatically receive the assigned deployment profile and apply the specified settings during the deployment process.

3. Customize the deployment profile : The deployment profile can be customized for different scenarios or user groups by creating multiple deployment profiles with different settings. For example, one deployment profile may be used for kiosks or shared devices, while another may be used for personal devices.

By using Intune to manage Autopilot deployment profiles, organizations can streamline the deployment process and ensure that devices are properly provisioned and configured with the desired settings. This can help reduce end-user downtime and improve the overall user experience.

54 .

What is a device compliance policy in Microsoft Intune?

A device compliance policy in Microsoft Intune is a set of rules and settings that are applied to devices to ensure that they meet certain security and compliance requirements. These policies are used to monitor and enforce compliance with organizational policies, industry regulations, and other security standards.

Device compliance policies can be configured to check for various settings on devices, such as :

* Device encryption
* Password complexity and length
* Jailbroken or rooted devices
* Minimum OS version
* Device health and security settings
* App and software inventory

When a device is evaluated against a device compliance policy, it is assigned a compliance status based on the policy rules. The compliance status can be used to determine whether a device is allowed to access certain resources, such as email or corporate data.

Device compliance policies can be created and managed in the Microsoft Intune console. Administrators can create custom policies to meet their organization's specific requirements, or use pre-defined policies provided by Intune.

55 .

How does Microsoft Intune support management of IoT devices?

Microsoft Intune can be used to manage and secure Internet of Things (IoT) devices in addition to traditional endpoint devices such as PCs and mobile devices.

To support IoT device management, Intune provides the following features:

1. Device enrollment : Intune supports device enrollment for a variety of IoT devices, including those running Windows 10 IoT Core and other embedded operating systems.

2. Device configuration : Once an IoT device is enrolled in Intune, administrators can use Intune to configure device settings and apply policies, such as device security settings and network configurations.

3. Application management : Intune can also be used to manage applications and software on IoT devices. This includes the ability to deploy and manage line-of-business (LOB) applications, as well as update and manage firmware and software updates.

4. Device compliance : Intune supports device compliance policies for IoT devices, which can be used to ensure that IoT devices meet specific security and compliance requirements.

5. Conditional access : With Intune, administrators can also set up conditional access policies to control access to resources based on IoT device compliance and other factors.

56 .

What is the process for enrolling a device in Microsoft Intune?

The process for enrolling a device in Microsoft Intune depends on the type of device being enrolled. Here are the general steps for enrolling a device:

1. Prepare the device : Before enrolling a device in Intune, ensure that it meets the minimum requirements for device enrollment. For example, for Windows devices, the device must be running Windows 10 Pro, Enterprise, or Education. For mobile devices, the device must be running a supported version of the operating system.

2. Create an Intune tenant : If your organization doesn't already have an Intune tenant, you'll need to create one.

3. Configure Intune : Set up Intune with the necessary policies and settings for your organization.

4. Enroll the device : Depending on the device type, there are different ways to enroll a device in Intune. For Windows devices, you can enroll the device by joining it to Azure AD. For mobile devices, you can enroll the device by downloading the Intune Company Portal app and following the enrollment prompts.

5. Apply policies : Once the device is enrolled, policies and settings can be applied to the device. This may include policies related to security, applications, and network configurations.

6. Monitor and manage the device : After the device is enrolled and policies are applied, you can monitor the device's compliance status and troubleshoot any issues as needed.

57 .

How does Microsoft Intune support Windows 10 management?

Microsoft Intune provides a comprehensive set of features to manage and secure Windows 10 devices. Here are some of the ways Intune supports Windows 10 management:

1. Device enrollment : Windows 10 devices can be enrolled in Intune using Azure AD join, domain join, or Autopilot. This allows administrators to manage and secure Windows 10 devices with Intune policies and settings.

2. Configuration policies : Intune allows administrators to apply configuration policies to Windows 10 devices. These policies can be used to configure settings such as Windows Update, firewall settings, and Windows Hello for Business.

3. Software deployment : Intune can be used to deploy software and updates to Windows 10 devices. This includes the ability to deploy traditional Win32 applications, modern Universal Windows Platform (UWP) applications, and Microsoft Store apps.

4. Patch management : Intune provides the ability to manage and deploy Windows 10 updates and patches, including feature updates, security updates, and quality updates.

5. Endpoint protection : Intune includes endpoint protection capabilities for Windows 10 devices, including antivirus and antimalware protection, as well as device and application control policies.

6. Conditional access : With Intune, administrators can set up conditional access policies for Windows 10 devices, which can be used to control access to resources based on device compliance and other factors.

58 .

How does Microsoft Intune support device compliance?

Microsoft Intune supports device compliance by allowing administrators to create device compliance policies that can be used to enforce specific security requirements and configurations on managed devices. Here are some of the key features of device compliance in Intune:

1. Policy creation : Intune allows administrators to create device compliance policies that define the security and configuration requirements for managed devices. These policies can be used to enforce requirements such as password complexity, encryption, and device health.

2. Compliance assessment : Once a device compliance policy is applied, Intune continuously monitors the device's compliance status and reports any issues. Compliance assessment can be done using built-in compliance rules, or custom rules can be created to meet specific organizational requirements.

3. Conditional access : Intune can be used to enforce conditional access policies that require devices to be compliant with device compliance policies before accessing corporate resources. This helps ensure that only compliant devices are accessing corporate data and services.

4. Remediation : If a device is found to be non-compliant with a policy, Intune can automatically remediate the issue by applying the necessary configuration changes or security settings to bring the device into compliance.

5. Reporting and analytics : Intune provides detailed reporting and analytics on device compliance, allowing administrators to track compliance status over time and identify potential compliance issues or trends.

59 .

What is a device configuration package in Microsoft Intune?

A device configuration package in Microsoft Intune is a set of configuration settings that can be applied to managed devices. These settings can include a variety of configuration options for Windows 10, macOS, iOS, and Android devices, such as network settings, security settings, and device feature settings.

Device configuration packages can be created in the Intune console, and then assigned to groups of devices or users. Once assigned, the configuration settings in the package are automatically pushed to the devices or users.

Device configuration packages can be used to standardize device configurations and ensure that devices comply with organizational security policies and requirements. They can also be used to automate the deployment of new devices or settings, reducing the amount of manual configuration that administrators need to perform.

In addition to creating custom device configuration packages, Intune also includes built-in templates for common device configuration scenarios, such as Wi-Fi and VPN profiles, certificate profiles, and email profiles. These templates can be customized to meet specific organizational requirements.

60 .

What is a compliance setting in Microsoft Intune?

In Microsoft Intune, a compliance setting is a configuration option that can be used to manage and enforce specific security and configuration requirements on managed devices. Compliance settings can be used to configure various settings for devices, including Windows 10, macOS, iOS, and Android devices.

Compliance settings can be created in the Intune console and can be configured to enforce policies such as password complexity, encryption, and device health. Compliance settings can also be used to ensure that devices are up to date with the latest security patches and software updates.

Once a compliance setting is configured, it can be assigned to a group of devices or users. Intune continuously monitors the compliance status of the devices and reports any non-compliance issues. If a device is found to be non-compliant, Intune can take automated actions, such as sending an email notification to the user or administrator, or blocking access to corporate resources until the issue is remediated.

Compliance settings are an important aspect of device management and security, and they provide a way to enforce consistent security policies and configurations across all managed devices. They can help organizations protect sensitive data and prevent unauthorized access to corporate resources.

61 .

How does Microsoft Intune support management of virtual machines (VMs)?

Microsoft Intune supports management of virtual machines (VMs) in several ways, including:

1. Azure VMs : Microsoft Intune can manage VMs that are hosted in the Azure cloud. This includes managing software updates, enforcing compliance policies, and deploying software to Azure VMs.

2. VMs in on-premises data centers : Microsoft Intune can manage VMs that are hosted in on-premises data centers. This includes managing software updates, enforcing compliance policies, and deploying software to on-premises VMs.

3. Virtual desktop infrastructure (VDI) : Microsoft Intune can manage VDI environments, including virtual desktops and applications hosted on Remote Desktop Services (RDS) or Windows Virtual Desktop (WVD).

4. Third-party virtualization solutions : Microsoft Intune supports management of virtual machines hosted on third-party virtualization solutions, including VMware and Citrix.

In all of these scenarios, Microsoft Intune can be used to manage and secure virtual machines just like physical devices. This includes deploying software updates, enforcing compliance policies, configuring security settings, and managing applications.

Microsoft Intune also integrates with other Microsoft technologies, such as System Center Configuration Manager (SCCM) and Azure Automation, to provide a comprehensive solution for managing VMs and other types of devices.

62 .

How does Microsoft Intune support management of legacy Windows devices?

Microsoft Intune supports management of legacy Windows devices in several ways, including:

1. Configuration Manager co-management : Microsoft Intune can be used in conjunction with System Center Configuration Manager (SCCM) to enable co-management of Windows devices. This allows organizations to manage both legacy and modern Windows devices from a single console, with the flexibility to use Intune for management tasks that are better suited to a cloud-based approach.

2. Group Policy management : Microsoft Intune can be used to manage Group Policy settings on legacy Windows devices, ensuring that they meet specific security and configuration requirements.

3. Software deployment : Microsoft Intune can be used to deploy software packages to legacy Windows devices, including updates, patches, and line-of-business applications.

4. Compliance policies : Microsoft Intune can be used to enforce compliance policies on legacy Windows devices, ensuring that they meet specific security and configuration requirements.

5. Integration with other Microsoft technologies : Microsoft Intune can be integrated with other Microsoft technologies, such as System Center Configuration Manager (SCCM), to provide a comprehensive solution for managing legacy Windows devices.

63 .

How does Microsoft Intune support management of VPN profiles?

Microsoft Intune supports management of VPN profiles for both iOS and Android devices, as well as Windows 10 devices. Here's how it works:

1. Create VPN profile : In Microsoft Intune, an administrator can create a VPN profile that includes the necessary configuration settings for connecting to a VPN server.

2. Assign profile to devices : The VPN profile can then be assigned to specific devices or groups of devices.

3. Automatic deployment : Once the profile is assigned, the devices will automatically receive and install the VPN profile.

4. Configure settings : The administrator can configure various settings for the VPN profile, including the type of VPN, authentication settings, connection properties, and more.

5. Monitor and manage : After the profile is deployed, the administrator can monitor and manage the VPN connection from the Microsoft Intune console, including revoking access, configuring access rules, and more.

64 .

How does Microsoft Intune support management of rugged devices?

Microsoft Intune provides several features to manage rugged devices, which are typically used in industrial or field environments. Here are some of the key ways that Intune supports rugged device management:

1. Device enrollment : Rugged devices can be enrolled in Intune in the same way as other devices, using methods such as Azure AD join or device enrollment manager.

2. Configuration management : Intune can be used to configure settings and policies for rugged devices, including Wi-Fi and cellular connectivity, device security settings, and application deployments.

3. Device health and status monitoring : Intune provides device health and status monitoring capabilities, including device inventory, device compliance checks, and device troubleshooting.

4. Remote wipe and lock : Intune allows administrators to remotely wipe or lock rugged devices that are lost or stolen, helping to protect sensitive data.

5. Integration with device management tools : Intune can be integrated with other device management tools, such as System Center Configuration Manager (SCCM), to provide a comprehensive solution for managing rugged devices.

65 .

How does Microsoft Intune support management of kiosk devices?

Microsoft Intune provides several features to manage kiosk devices, which are typically used in public or shared environments. Here are some of the key ways that Intune supports kiosk device management:

1. Device enrollment : Kiosk devices can be enrolled in Intune in the same way as other devices, using methods such as Azure AD join or device enrollment manager.

2. Kiosk mode configuration : Intune can be used to configure kiosk mode settings for the device, including which apps can be accessed and which device features are available.

3. App deployment and management : Intune allows administrators to deploy and manage apps on kiosk devices, including custom line-of-business apps.

4. Device health and status monitoring : Intune provides device health and status monitoring capabilities, including device inventory, device compliance checks, and device troubleshooting.

5. Remote wipe and lock : Intune allows administrators to remotely wipe or lock kiosk devices that are lost or stolen, helping to protect sensitive data.

66 .

How does Microsoft Intune support management of printers and other peripherals?

Microsoft Intune provides some limited support for managing printers and other peripherals on enrolled devices. Here are some of the ways that Intune can help with printer and peripheral management:

1. Driver deployment : Intune can be used to deploy printer drivers to managed devices, making it easier to set up and manage printers.

2. Printer configuration : Intune can also be used to configure printer settings on managed devices, including default printer settings and printer permissions.

3. Device inventory : Intune provides detailed inventory information about managed devices, including the connected printers and other peripherals, making it easier to track and manage these devices.

4. Policy management : Intune can be used to create policies that control how devices interact with peripherals, such as restricting access to specific printers or disabling USB ports.

However, it's worth noting that Intune's support for printer and peripheral management is limited compared to more specialized management solutions. For more advanced printer and peripheral management, organizations may want to consider using dedicated printer management software or other third-party solutions.

67 .

How does Microsoft Intune support management of Microsoft Defender ATP?

Microsoft Intune integrates closely with Microsoft Defender Advanced Threat Protection (ATP) to provide a comprehensive security management solution for enrolled devices. Here are some of the ways that Intune supports management of Defender ATP:

1. Device compliance : Intune can be used to create compliance policies that require devices to have specific security features enabled, such as Windows Defender Antivirus, BitLocker, or Firewall. If a device falls out of compliance, it can be automatically quarantined or remediated.

2. Threat detection and response : Intune provides a dashboard that allows administrators to view security alerts and threat intelligence from Defender ATP. This can help identify and respond to security incidents on managed devices.

3. Configuration management : Intune can be used to manage security settings on enrolled devices, such as configuring Windows Defender ATP settings or defining firewall rules.

4. Reporting and analysis : Intune provides detailed reporting and analysis capabilities for Defender ATP, allowing administrators to track security incidents and analyze security data.

By integrating with Microsoft Defender ATP, Intune provides a powerful security management solution that can help organizations protect their devices from a wide range of threats.

68 .

How does Microsoft Intune support management of Windows Information Protection (WIP)?

Microsoft Intune provides management capabilities for Windows Information Protection (WIP), which is a data loss prevention feature in Windows 10 that helps protect corporate data from unauthorized access.

Here are some ways that Intune supports management of WIP :

1. Policy creation and enforcement : Intune allows administrators to create and enforce WIP policies for devices that are enrolled in Intune. These policies can control how corporate data is handled on the device, such as whether data is encrypted, which apps are allowed to access corporate data, and how data is shared.

2. Device compliance : Intune can be used to create compliance policies that require devices to have WIP policies enabled. If a device falls out of compliance, it can be automatically quarantined or remediated.

3. Reporting and analysis : Intune provides detailed reporting and analysis capabilities for WIP, allowing administrators to track how corporate data is being used on managed devices and identify potential security risks.

By providing management capabilities for WIP, Intune helps organizations protect their sensitive corporate data from unauthorized access and data leaks.

69 .

What is the process for configuring and deploying a custom script in Microsoft Intune?

To configure and deploy a custom script in Microsoft Intune, follow these steps:

1. Prepare your script : Create the custom script that you want to deploy. The script can be a PowerShell script, a shell script, or a batch file. Make sure that the script is tested and validated before deploying it.

2. Create a script configuration policy : In the Microsoft Endpoint Manager admin center, go to Devices > Windows > Configuration profiles and click on "+ Create profile". Select "Windows 10 and later" as the platform and "Script" as the profile type. Configure the settings for the script, including the name of the script, the script content, and any parameters that need to be passed to the script.

3. Assign the script configuration policy : In the Assignments section of the policy, choose the group of devices or users that you want to apply the script to. You can also set a specific schedule for when the script should be run.

4. Monitor the script deployment : Once the script configuration policy is assigned, you can monitor the deployment status and track any errors or issues that arise during the deployment process.

By following these steps, you can configure and deploy custom scripts in Microsoft Intune to automate tasks and customize the management of devices and applications.

70 .

What is the process for configuring and deploying a custom app in Microsoft Intune?

To configure and deploy a custom app in Microsoft Intune, follow these steps :

1. Prepare your app : Create and package the custom app that you want to deploy. The app can be a line-of-business app, web app, or a store app. Ensure that the app is tested and validated before deploying it.

2. Create an app package : In the Microsoft Endpoint Manager admin center, go to Apps > All apps > "+ Add" and choose the app package type you want to add. Upload the app package, and then fill out the necessary fields, such as app name, description, and publisher. You can also set any dependencies and deployment settings for the app.

3. Assign the app package : In the Assignments section of the app package, choose the group of devices or users that you want to apply the app to. You can also set a specific schedule for when the app should be deployed.

4. Monitor the app deployment : Once the app package is assigned, you can monitor the deployment status and track any errors or issues that arise during the deployment process.

By following these steps, you can configure and deploy custom apps in Microsoft Intune to manage and control the distribution of your organization's applications to managed devices.