Top Scenario Based Intune Interview Questions to Ace Your Next Tech Interview
- Tek Doyen

- 6 days ago
Microsoft Intune – Scenario & Troubleshooting Interview Question Bank
Complete package for mid-senior, lead, and architect positions (Windows, iOS/iPadOS, macOS, Android, Autopilot, ABM/ASM, Security, Updates, Apps, Graph, Migration)
Enrollment & Identity
Q: How can you determine if a user is unable to enroll a device because of policy restrictions related to CA, enrollment restrictions, or licensing issues?
• Check Entra sign-in logs and CA evaluation; review Intune enrollment restrictions (platform/min OS/device limit); verify MDM authority; confirm user/device licenses; check device limit per user; validate APNs/Google/ABM tokens as applicable.
Q: When corporate iPhones are assigned to the MDM server but fail to enroll using ABM/DEP, where should you investigate the issue?
• Validate ABM > MDM server mapping; confirm ADE profile assignment and token validity/expiry; sync devices to Intune; check Setup Assistant flow; ensure supervision requirement; inspect network/proxy and activation servers.
Q: Android BYOD users are able to sign in, but the Company Portal indicates 'device not eligible.' What verifications should be conducted?
• Confirm Android Enterprise enrollment type (Work Profile) vs restriction policy; min OS and Play Services; device limit; enrollment restrictions; compliance policy baselines; Managed Google Play binding.
Q: Windows Autopilot enrollment is stuck in a loop at the ESP. Which logs should you retrieve, and how can you stop the loop?
• ESP phase (Device/Apps/Profiles) status; IntuneManagementExtension.log; DeviceManagement-Enterprise-Diagnostics-Provider event log; Autopilot diagnostics; app dependency chains; required app targeting; temporary ESP bypass/reset; reduce required apps.
Q: How do you resolve CA failures caused by multiple stale or duplicate device objects for the same device?
• Identify duplicate/stale objects; retire/delete in Intune and Entra ID; run device cleanup rules; correct join type (AADJ vs Hybrid); re-enroll; re-evaluate compliance; update CA filters.
Compliance & Conditional Access
Q: Devices show ‘Not Evaluated’ or ‘Pending’ compliance for hours. What do you check?
• Platform check-in cadence; assignment and filter conflicts; service health; device clock skew; IME health; per-setting status; MDM diagnostic logs.
Q: A compliant device is blocked by CA. Prove where it failed.
• Use Entra sign-in logs (Conditional Access tab); validate device ID/UPN match; compliance freshness; PRT and TPM status; test policies in Report-only; check Named locations/exclusions.
Q: A compliance policy requiring BitLocker reports the device non-compliant even though BitLocker is enabled.
• Verify encryption reporting vs actual state; source of policy (GPO vs MDM); key escrow to Entra ID; OS/drive type; CSP errors; detection lag and re-check-in.
Q: Geo/location-based CA exception intermittently blocks.
• Named locations accuracy; VPN egress IP changes; include/exclude logic; sign-in trend analysis; device platform filters; break-glass exclusion.
Configuration Profiles & Kiosk / Shared Use
Q: A device receives conflicting configuration for a Wi-Fi profile from two policies. How do you reconcile?
• Identify overlap; consolidate into Settings Catalog; understand CSP merge/override behavior; fix targeting with groups/filters; document precedence.
Q: Single App kiosk for iPad breaks after the app updates. Root cause and fix?
• Ensure app is device-licensed VPP and pre-installed before kiosk; manage update rings/phased release; fall-back home screen; verify ADE/Setup Assistant sequence.
Q: Windows multi-app kiosk intermittently exits assigned access.
• Check assigned access XML; app availability (UWP/Win32); shell crashes; auto-login provisioning; power policies; IME reliability and self-heal.
Q: Shared iPad with ADE: user sessions not clearing or storage not reclaimed.
• Review Shared iPad quota; sign-out policies; iCloud sync; ADE profile options; storage analytics and periodic maintenance.
App Deployment (Win32/MSI/Store/LOB, iOS/macOS/Android)
Q: Win32 app required install fails on Autopilot devices. What is your step-by-step?
• Validate detection rules; dependencies; exit/return codes; content delivery/DO; IME logs; architecture paths; ESP phase inclusion.
Q: Microsoft Store (new) app assignment never installs. What do you verify?
• WinGet/Store integration health; app availability/region; assignment type; license state; include in ESP if needed; user vs device context.
Q: iOS LOB app fails to install on supervised devices.
• Developer cert/provisioning profile validity; min OS/architecture; VPP license stock; network/proxy; MDM installation errors.
Q: Android Managed Play private app not visible.
• Managed Google Play sync; app publishing status/track; enterprise approval; assignment filters; user store refresh.
Q: macOS app signed/notarized but blocked by Gatekeeper.
• Notarization ticket; quarantine flag (xattr); PPPC/TCC profiles; system extension approvals.
Updates & Servicing
Q: Windows Update for Business rings not adhering to deferrals.
• Confirm MDM vs GPO authority; ring vs feature update policy precedence; local diagnostics; USO behavior; servicing channel and safeguards.
Q: iOS/iPadOS update deferrals configured but devices auto-update.
• Supervision requirement; deferral semantics; user override; ABM sync; charging window auto-updates; restrictions profile scope.
Q: Android OS patching fragmented across OEMs.
• AE device types; OEM-specific controls; zero-touch/Knox ties; target by device manufacturer/model filters; realistic SLAs.
Certificates, Wi-Fi, VPN, SCEP/PKCS
Q: SCEP certificates intermittently fail to issue.
• NDES connector health; service accounts; CRL/OCSP reachability; template EKU/SAN; device vs user context; retry/backoff.
Q: Wi-Fi EAP-TLS failing on macOS while Windows works.
• macOS payload correctness; trust chain including intermediate; keychain scope; EAP type; identity mapping (CN/UPN/SAN).
Q: VPN profile connects but no routing.
• Split/full tunnel; routing table; DNS suffix/search; per-app VPN on iOS; Always-On vs user-driven; proxy conflicts.
Security Baselines, Defender, and EDR
Q: Security Baseline settings revert unexpectedly.
• Baseline layering; Settings Catalog conflicts; CSP failures; local admin tampering; RSOP-equivalent; merge strategy and documentation.
Q: MDE shows device onboarded but Intune missing security signals.
• Connector health; licensing; onboarding duplication; device identity mismatch; tamper protection; timelines for signal ingestion.
Q: BitLocker policy applied but keys not in Entra ID.
• Escrow timing; silent enablement prerequisites; TPM; AAD device write; key rotation; GPO vs MDM conflict.
Q: FileVault policy fails on subset of macOS.
• Secure token/bootstrap token; deferral prompts; escrow location; PPPC prompts; user interaction requirements.
Monitoring, Reporting, and Log Collection
Q: Compliance report shows sudden drop overnight. Triage workflow?
• Service health advisories; recent policy/app changes; token expiries (APNs/ABM/Google); IME content delivery; platform-specific check-ins.
Q: Collect logs at scale for failing Win32 deployment.
• Collect diagnostics; proactive remediations; Log Analytics/MDE; IME log paths; scripted collection and timeline correlation.
Q: Proving policy delivery success vs user-claimed failure.
• Device configuration status; per-setting report; MDM logs; assignment/filter membership; event IDs.
Windows Autopilot, ESP & Hybrid Join
Q: Hybrid AAD Join Autopilot stuck.
• Intune Connector for AD; on-prem network; OU permissions; object pre-create; name collisions; VPN in OOBE.
Q: ESP completes but LOB app missing for standard users.
• Assignment scope (user/device); requirement rules; dependencies; Delivery Optimization; required vs available; UAC context.
Q: Device enrolled as user-driven AADJ but should be pre-provisioned.
• Profile type and assignment; hardware hash association; pre-provisioning steps; reseal/reset flow; device group membership.
macOS Management
Q: macOS Profiles ‘payload not applicable’. Root-cause flow.
• OS version gates; PPPC/TCC requirements; device vs user scope; supervised-equivalent concepts; profile conflicts.
Q: System Extensions/KEXT approvals inconsistent.
• Team IDs/Bundle IDs; user-approved MDM; bootstrap token; legacy KEXT constraints and deprecation timelines.
iOS/iPadOS + ABM/ASM Deep Dive
Q: ABM tokens expired—what breaks and how to recover without losing management?
• ADE sync stops; VPP license assignment fails; renew token steps; avoid app removal; validate server mappings and re-sync.
Q: Shared iPad with Managed Apple IDs: users cannot sign in.
• Federation; MAID provisioning; quotas; region/language; time skew; ADE profile specifics; network at activation.
Q: Switching VPP from user to device licensing—impact and gotchas.
• Potential reinstall; data persistence; license reclaim; assignment updates; App Store deprecation effects.
Android Enterprise (Work Profile, Fully Managed, COPE)
Q: Work Profile policies bleeding into personal side.
• Ensure correct AE policy scope; MAM vs MDM distinction; OEM restrictions; DPC role correctness.
Q: COPE: camera blocked for work, Teams camera fails.
• Work profile camera policy; app permissions; OEM privacy toggles; per-app VPN/split tunneling.
Q: Zero-touch enrollment fails to apply correct DPC.
• ZT portal configuration; reseller propagation; EMM token validity; profile mismatch; QR/NFC fallback.
App Protection Policies (MAM) – Without Enrollment
Q: Outlook on BYOD asks for device enrollment despite MAM target.
• CA requires compliant device vs approved app; App Control; ‘Require approved client’ vs ‘Require compliant device’; exclusion strategies.
Q: Data leakage despite MAM policy.
• Open-in restrictions; Save-as to personal storage; managed browser; SDK/wrapped coverage; exceptions for LOB apps.
Q: MAM wipe not removing corporate data.
• App not MAM-capable; wrong identity; multiple identities; offline grace period; assignment scope.
Graph API, Automation & Proactive Remediations (Tailored)
Q: Bulk-renaming iPads based on serial/location via Graph—your approach?
• List devices; map serial->naming standard; PATCH displayName; handle throttling; idempotency; Graph SDK vs REST; logging and rollback.
Q: Detect and remediate a broken Win32 service.
• Detection exits; remediation script; safe retries; assignment cadence; reporting and alerting.
Q: Export and reconcile app assignments across tenants.
• Graph queries for mobileApps and assignments; filters; CSV export; tag-based governance; drift detection.
Q: Create a dashboard for compliance, update currency, and app success.
• Data via Intune reports/Graph; refresh cadence; KPI definitions; outlier detection; drill-down links for helpdesk.
Migration & Co-management
Q: Migrate GPOs to Intune without conflicts.
• MDM GPO analytics; CSP mapping; pilot rings; rollback; documentation; measure via reporting.
Q: SCCM co-management: compliance unreliable after workload move.
• Source of authority; enrollment method; device identity; client health; pilot collections; workload sliders.
Q: Tenant-to-tenant Intune migration with minimal disruption.
• Identity strategy; device re-enrollment; ABM/VPP/Google token moves; Autopilot hash re-association; comms and sequencing.
RBAC, Scope Tags, Multi-Admin Tenants
Q: Operators can see devices but cannot retire/wipe subset.
• Role permissions; scope tags vs dynamic groups; object-tag mismatches; custom roles; least privilege.
Q: Partner-managed multi-tenant: avoid cross-customer impact from scripts.
• Per-tenant app registrations; least privilege; scoping; deployment rings; approvals and change control.
Network/Proxy/Firewall Constraints
Q: Policy delivery slow/offline in high-proxy environment.
• Microsoft endpoints allowlist; TLS inspection bypass; Delivery Optimization ports; CDN reachability; BITS throttling.
Q: Company Portal cannot sign in on guest Wi-Fi though browsers work.
• MSAL endpoints; captive portal; modern auth endpoints; SSL inspection; device clock skew.
Life-Cycle, Retire/Wipe, Lost/Stolen
Q: Device retired but still accessing email.
• MAM vs MDM; EXO vs on-prem; ActiveSync partnerships; CA scope; token cache; selective wipe.
Q: Wipe command stuck ‘pending’.
• Device offline; APNs/FCM reachability; MDM channel broken; last check-in; push certificate expiries.
Troubleshooting Methodology (Meta)
Q: ‘Intune is broken’—walk your triage tree.
• Scope isolation; platform; identity/auth; assignment; network; service health; logs; replication timing; recent changes.
Q: Build a reproducible test for an intermittent global issue.
• Controlled rings; time windows; verbose logs; synthetic transactions; regional comparisons; device diversity.
Q: Rollback/mitigation playbook for a bad policy/app.
• Ringed deployments; emergency exclusion; report-only CA; versioning; communication; PIR and action items.
Leadership / Design Scenarios (Architect & Manager)
Q: Design an Intune baseline for 6,000 Windows and 1,000 iPads with kiosk use cases.
• Pilot/prod rings; ESP phases; assignment via dynamic groups/filters; update rings; compliance+CA; telemetry; runbooks.
Q: Measure endpoint program success MoM.
• KPIs: enrollment/compliance/app success/update currency/MTTR; ticket trends; user satisfaction; executive dashboards.
Q: Deliver multi-OS training and documentation for support teams.
• SOPs; runbooks; escalation; change notices; KEDB; proactive remediation library; visuals.
Additional Edge/Pending Scenarios
Q: Windows LAPS (Intune) rotation failing on subset of devices.
• Policy vs legacy LAPS conflict; account presence; rotation schedule; MDM vs GPO; event logs; escrow to Entra ID.
Q: Delivery Optimization saturates branch network during large app rollouts.
• DO groups; boundary config; cache servers; background vs foreground modes; rate limits; staggered assignments.
Q: Filter-based assignments exclude newly enrolled devices unexpectedly.
• Filter rule logic; device properties available at enrollment; timing/race conditions; fallback dynamic groups; monitoring and alerts.
Q: macOS kernel to system extensions migration plan.
• Vendor mapping; TeamID approvals; PPPC; user communication; staged rollout; rollback.
Q: iPad home screen layout profile conflicts with single-app mode.
• Order of application; supervised requirement; fallback layout; testing with phased app deployment.
Q: Android compliance with SafetyNet/Play Integrity failing intermittently.
• Device integrity checks; rooted/jailbroken signals; Google Play services health; OEM-specific issues; CA grace periods.
Q: Graph throttling when exporting large app inventories.
• Use $top/$skip; retry-after; exponential backoff; delta queries; parallelization with limits; idempotent writes.
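As an added example (not from the article), the Graph pattern behind the two Graph answers above, bulk-renaming iPads idempotently and surviving throttling with Retry-After, exponential backoff and @odata.nextLink paging, in Python against a constructed in-memory stand-in for Graph. The managedDevices paths, the deviceName property and the iPad-<serial>-<site> naming standard are illustrative assumptions, not a documented rename API; swap in the resource and action your tenant actually uses.

```python
import time

GRAPH = "https://graph.microsoft.com/beta"  # real Graph host; resource paths below are illustrative

class FakeGraph:  # constructed stand-in for Graph: two pages of iPads, one 429 with Retry-After, records PATCHes
    def __init__(self):
        self.devices = {"d1": {"id": "d1", "serialNumber": "SN100", "deviceName": "iPad-SN100-LON"},
                        "d2": {"id": "d2", "serialNumber": "SN200", "deviceName": "Johns iPad"}}
        self.patches, self.throttled = [], False
    def request(self, method, url, body=None):
        if method == "GET" and "skiptoken" in url and not self.throttled:
            self.throttled = True                       # first request for page 2 is throttled
            return 429, {"Retry-After": "0"}, {}
        if method == "GET" and "skiptoken" not in url:
            return 200, {}, {"value": [self.devices["d1"]], "@odata.nextLink": url + "&$skiptoken=p2"}
        if method == "GET":
            return 200, {}, {"value": [self.devices["d2"]]}
        dev_id = url.rsplit("/", 1)[1]                  # PATCH .../managedDevices/{id}
        self.patches.append(dev_id)
        self.devices[dev_id].update(body)
        return 204, {}, {}

def graph_call(transport, method, url, body=None, max_tries=5):
    """Issue one request; on 429/503 honour Retry-After, otherwise back off exponentially."""
    for attempt in range(max_tries):
        status, headers, payload = transport.request(method, url, body)
        if status not in (429, 503):
            return status, payload
        time.sleep(min(float(headers.get("Retry-After", 2 ** attempt)), 60))
    raise RuntimeError(f"gave up after {max_tries} tries: {method} {url}")

def list_all(transport, url):
    items = []
    while url:                                          # follow @odata.nextLink until exhausted
        _, page = graph_call(transport, "GET", url)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return items

def rename_ipads(transport, site_by_serial):
    """Idempotent bulk rename: PATCH only devices whose name differs; return an audit log for rollback."""
    url = f"{GRAPH}/deviceManagement/managedDevices?$filter=operatingSystem eq 'iPadOS'&$select=id,serialNumber,deviceName"
    changes = []
    for dev in list_all(transport, url):
        target = f"iPad-{dev['serialNumber']}-{site_by_serial.get(dev['serialNumber'], 'UNASSIGNED')}"
        old = dev["deviceName"]
        if old == target:
            continue                                    # already at standard: safe to re-run
        graph_call(transport, "PATCH", f"{GRAPH}/deviceManagement/managedDevices/{dev['id']}", {"deviceName": target})
        changes.append({"id": dev["id"], "old": old, "new": target})
    return changes
```

Running rename_ipads twice against the same tenant produces changes only on the first pass, which is the idempotency property a bulk job needs when a throttled run is retried.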