Essential Intune Interview Questions to Ace Your Next Tech Interview - Part 2
- Tek Doyen

- Jan 8
1. What is an App Protection Policy in Intune and how is it configured?
Answer: App Protection Policies (APP) in Intune are rules that protect corporate data within apps, regardless of whether the device is managed. They enforce restrictions like requiring PINs, preventing data copy/paste to unmanaged apps, and encrypting app data.
Setup Steps:
Go to Intune Admin Center > Apps > App protection policies.
Click Create policy → Select platform (iOS/Android).
Configure settings:
  - Data protection (e.g., restrict copy/paste, encrypt data).
  - Access requirements (PIN, biometrics).
  - Conditional launch (wipe data if jailbroken).
Assign policy to user groups.
2. Company Portal fails to sync with Intune. Offer troubleshooting steps.
Answer: Common causes: network issues, enrollment errors, outdated Company Portal app.
Troubleshooting Steps:
Ensure device is enrolled in Intune.
Manually trigger sync: Settings > Accounts > Access work/school > Info > Sync.
Check internet connectivity and firewall.
Update Company Portal app.
Verify device compliance policies.
Review Intune known issues page for active bugs.
3. Device Freezes During OOBE: Causes and Solutions.
Answer: OOBE (Out-of-Box Experience) issues often occur during Autopilot enrollment.
Reasons:
Enrollment Status Page (ESP) misconfiguration.
App deployment failures.
Network connectivity issues.
TPM or hardware problems.
Troubleshooting:
Collect logs (MDMDiagReport.html).
Check ESP configuration in Intune.
Validate assigned apps/policies.
Restart device and retry enrollment.
4. Distinctions Among AD Registered, AD Joined, and Hybrid Join
Answer:
| Type | Description | Use Case |
| --- | --- | --- |
| AD Registered | Personal devices registered with Azure AD. | BYOD scenarios. |
| AD Joined | Org-owned devices directly joined to Azure AD. | Cloud-first organizations. |
| Hybrid Join | Devices joined to on-prem AD and registered in Azure AD. | Enterprises with on-prem + cloud. |
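To check which of these three states a given Windows device is actually in, the `dsregcmd /status` output can be classified as below. This is an added example, not part of the original post; the function name `Get-JoinType` and the sample output are constructed for illustration.

```powershell
# Added example: classify a device's join type from `dsregcmd /status` text.
# Get-JoinType is a hypothetical helper name, not a built-in cmdlet.
function Get-JoinType {
    param([Parameter(Mandatory)][string[]]$StatusLines)

    # dsregcmd prints indented "Key : Value" pairs under section banners;
    # banner lines start with '+' or '|' and are skipped by the pattern.
    $state = @{}
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*(\w+)\s*:\s*(\S+)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }

    $aadJoined    = $state['AzureAdJoined']   -eq 'YES'
    $domainJoined = $state['DomainJoined']    -eq 'YES'
    $registered   = $state['WorkplaceJoined'] -eq 'YES'

    # Order matters: hybrid is the combination of both join flags.
    if ($aadJoined -and $domainJoined) { return 'Hybrid Join' }
    if ($aadJoined)                    { return 'AD Joined' }
    if ($registered)                   { return 'AD Registered' }
    if ($domainJoined)                 { return 'On-prem AD only (not registered in Azure AD)' }
    return 'Not joined or registered'
}

# Constructed sample output (trimmed), not captured from a real device.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
           WorkplaceJoined : NO
'@ -split '\r?\n'

Get-JoinType -StatusLines $sample
# On a live device: Get-JoinType -StatusLines (dsregcmd /status)
```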
5. What is BitLocker and how can it be configured using Intune?
Answer: BitLocker is a Windows disk encryption feature that protects data on lost/stolen devices.
Setup via Intune:
Go to Endpoint security > Disk encryption.
Create a BitLocker policy.
Configure settings: encryption method, TPM requirement, recovery key storage.
Assign to device groups.
6. What is MS Defender? Is it possible to configure it using Intune?
Answer: Microsoft Defender for Endpoint is an advanced threat protection solution.
Setup via Intune:
Connect Intune with Defender for Endpoint.
Onboard devices via Intune policies.
Configure compliance policies to enforce risk-based access.
7. What is Endpoint Privilege Management and what is its purpose? How can it be set up?
Answer: Endpoint Privilege Management (EPM) allows users to run as standard users but elevate privileges for specific tasks.
Setup via Intune:
Enable EPM add-on in Intune.
Create Windows elevation settings policy.
Define rules (e.g., allow app installs).
Assign to groups.
8. What is co-management, how do you establish it, and what settings are available?
Answer: Co-management allows devices to be managed by both SCCM and Intune simultaneously.
Setup:
Enable co-management in SCCM console.
Configure auto-enrollment via GPO.
Create pilot groups.
Transition workloads (e.g., compliance, apps, updates).
Settings available:
Compliance policies
Windows updates
Endpoint protection
Device configuration
Resource access
9. What are the different types of app assignments in Intune? Differences explained.
Answer:
| Type | Description |
| --- | --- |
| Required | App auto-installed. |
| Available (enrolled) | User installs via Company Portal. |
| Available (without enrollment) | User installs without device enrollment. |
| Uninstall | Removes app from devices. |
10. What is a Conditional Access Policy? When and how should it be used? Example.
Answer: Conditional Access policies enforce access controls based on conditions like device compliance, location, or risk.
Setup:
Go to Azure AD > Security > Conditional Access.
Define conditions (users, apps, device state).
Define controls (MFA, block access).
Example: Require MFA when accessing Exchange Online from outside corporate network.
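The example policy above, expressed through the Microsoft Graph PowerShell SDK instead of the portal. This is an added example, not part of the original post; it assumes "outside corporate network" means outside the tenant's trusted named locations, creates the policy in report-only mode, and uses a placeholder for an excluded emergency-access account.

```powershell
# Added example. Requires the Microsoft.Graph.Identity.SignIns module and an
# account permitted to manage Conditional Access.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

# Placeholder: replace with the object ID of an emergency-access account so a
# misconfigured policy cannot lock every administrator out.
$breakGlassId = '<object-id-of-emergency-access-account>'

$policy = @{
    # Display name is constructed for this example.
    displayName = 'EXAMPLE - Require MFA for Exchange Online outside trusted locations'
    # Report-only: sign-ins are evaluated and logged, but nothing is enforced yet.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeUsers = @('All')
            excludeUsers = @($breakGlassId)
        }
        applications = @{
            # Well-known application ID of Office 365 Exchange Online.
            includeApplications = @('00000002-0000-0ff1-ce00-000000000000')
        }
        locations = @{
            # Assumption: the corporate network is defined as trusted named locations.
            includeLocations = @('All')
            excludeLocations = @('AllTrusted')
        }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Review the report-only results in the sign-in logs before changing `state` to `enabled`.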
11. Explain Windows Hello for Business and its necessity. How can it be configured?
Answer: Windows Hello for Business replaces passwords with biometrics/PIN for strong authentication.
Setup via Intune:
Go to Device enrollment > Windows Hello for Business.
Configure tenant-wide policy.
Require PIN/biometric login.
12. Explain Disk Encryption in Intune and its necessity. Configuration and example.
Answer: Disk encryption secures data at rest using BitLocker (Windows) or FileVault (macOS).
Setup:
Go to Endpoint security > Disk encryption.
Create profile for BitLocker/FileVault.
Assign to device groups.
Example: Encrypt laptops in Finance department to protect sensitive data.
13. What are Security Baselines in Intune and how can they be configured?
Answer: Security baselines are preconfigured sets of recommended security settings.
Setup:
Go to Endpoint security > Security baselines.
Select baseline (e.g., MDM Security Baseline).
Customize settings.
Assign to groups.
14. Explain App Categories in Intune, their importance, and how to set them up. Example included.
Answer: App categories help users find apps easily in Company Portal.
Setup:
Go to Apps > App categories.
Create categories (e.g., Productivity, Finance).
Assign apps to categories.
Example: Categorize Outlook under “Productivity.”
15. Explain Policy Sets in Intune, their importance, and how to set them up. Provide an example.
Answer: Policy Sets bundle apps, policies, and configurations for easy deployment.
Setup:
Go to Tenant administration > Policy sets.
Create new set → Add apps, policies, VPNs.
Assign to groups.
Example: Create a “Sales Team Policy Set” with Outlook, Teams, BitLocker, and compliance policies.




