Identity and endpointIntermediate21 min read

What Does Intune Mean?

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security

This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.

On This Page

Quick Definition

Intune is a tool that lets companies manage company data on phones, tablets, and computers from the cloud. It helps keep information safe by controlling who can access what and can wipe company data from a lost device. It works with both company-owned and personal devices.

Commonly Confused With

IntunevsMicrosoft Configuration Manager (SCCM)

Configuration Manager is an on-premises management tool for large-scale software deployment, patching, and OS imaging. Intune is a cloud-only service focused on device and app management for mobile and modern endpoints. The two can work together via co-management, but they are fundamentally different platforms.

Configuration Manager manages 10,000 Windows computers inside a corporate network, while Intune manages iPhones and remote laptops over the internet.

IntunevsAzure Active Directory (Azure AD) / Microsoft Entra ID

Azure AD provides identity and access management (authentication and authorization). Intune uses Azure AD for user identity and conditional access, but Intune's primary function is endpoint management (devices and apps). Azure AD register devices (Workplace Join) is a lighter device registration than full Intune enrollment.

Azure AD verifies that a user is who they say they are and gives them a token to access email. Intune then checks that the user's device has a lock screen and updated antivirus before allowing the email to open.

IntunevsMobile Device Management (MDM) in general

MDM is the broader category of managing mobile devices (enrolling, configuring, securing). Intune is Microsoft's specific cloud-based MDM and MAM solution. Other MDM vendors include VMware Workspace ONE and Jamf. Intune differentiates itself through deep integration with Microsoft 365 and Azure AD.

A company may use a generic MDM tool to manage its iPads, or it may use Intune specifically to integrate with Office 365 and conditional access.

Must Know for Exams

Microsoft Intune is a core topic for several Microsoft certification exams, especially those in the Modern Work and Security role-based tracks. It is most heavily tested in the MS-100 (Microsoft 365 Identity and Services) and MS-101 (Microsoft 365 Mobility and Security) exams, which together compose the Microsoft 365 Certified: Enterprise Administrator Expert certification. In these exams, candidates are expected to understand Intune's role in device management, policy configuration, and compliance.

Questions often appear in the 'Manage your Microsoft 365 tenant' and 'Manage security and threats' objective domains. For the MS-101 exam specifically, there is an entire domain titled 'Implement Microsoft 365 device management,' which directly covers Intune enrollment, configuration profiles, compliance policies, and conditional access. For other IT certifications like CompTIA Security+ or Cisco CCNA, Intune is not a primary exam objective, but it appears as a 'light supporting' topic, representing a common cloud-based MDM solution that learners should recognize.

For example, a Security+ question might ask about the best way to enforce encryption on mobile devices in a BYOD scenario, and knowing Intune's selective wipe capability would help choose the correct answer. For Azure certifications like AZ-104 (Azure Administrator), Intune is not a primary focus, but it is relevant as part of Azure AD conditional access policies. The exam pattern includes scenario-based questions where you must decide which Intune policy (compliance, configuration, or app protection) to apply based on a specific security requirement.

You may also be asked to differentiate between Intune and Configuration Manager, or between MDM and MAM. Policy conflicts, deployment ring strategies, and integration with Windows Autopilot are also common. The key is to understand that Intune is a cloud-only service and that policy enforcement is automatic once a device enrolls.

Exam questions frequently test your knowledge of enrollment methods (e.g., BYOD vs. corporate-owned), and the distinction between device-level policies and app-level policies.

Simple Meaning

Imagine you work for a company that gives you a work phone and lets you use your personal laptop for work. The company wants to make sure their private files and emails are safe, even if you lose the phone or your laptop gets a virus. Intune is like a remote control for all those devices.

It allows the IT department to set rules from a central cloud dashboard. For instance, they can require a strong password, keep the device's software updated, and make sure data is encrypted. If your phone is stolen, Intune can erase only the company data from it, leaving your personal photos and apps untouched.

It can also control which apps are allowed on your devices. If an app is not approved, the company can block it. The best part is that the company does not need to own the devices.

Intune can manage personal devices used for work, which is called BYOD (Bring Your Own Device). It works on many different types of devices, including Windows, macOS, iOS, and Android. Intune is completely managed from the cloud, so the company does not need extra servers or complicated setups.

The IT team can see all the devices in one place and make changes instantly from anywhere in the world. In short, Intune gives companies a safe and flexible way to manage their data across all kinds of devices, without being too invasive for the user.

Full Technical Definition

Microsoft Intune is a cloud-based endpoint management solution that is part of the Microsoft Enterprise Mobility + Security (EMS) suite. It functions as a Mobile Device Management (MDM) and Mobile Application Management (MAM) service. Intune uses the industry-standard OMA-DM (Open Mobile Alliance Device Management) protocol for device enrollment, configuration, and policy enforcement.

When a device enrolls, it establishes a secure HTTPS connection to the Intune service. The service then pushes configuration profiles and compliance policies down to the device. These policies can control a vast array of settings, including password complexity, encryption requirements, jailbreak detection, and permitted application lists.

Intune also leverages Azure Active Directory (Azure AD) for identity and access management, meaning users and devices must authenticate against Azure AD to access corporate resources. For application management, Intune can deploy line-of-business (LOB) apps and public app store apps, and can create app protection policies that control how data is used within those apps, such as preventing copy-paste to unmanaged apps or requiring a PIN to open the app. Intune integrates with Microsoft Endpoint Configuration Manager (formerly SCCM) for co-management, allowing organizations to split management responsibilities between on-premises tools and the cloud.

The service supports conditional access policies through Microsoft Entra ID (formerly Azure AD), where device compliance status is a condition for accessing resources. For example, a device that is not compliant with Intune policies can be blocked from accessing corporate email in Exchange Online. Intune's reporting capabilities provide detailed compliance and device inventory data, which can be consumed via the admin center or through Graph API for custom reporting.

Key technical components include enrollment tokens, compliance certificates, and the Intune Management Extension (for Windows Win32 app deployment). From a security standpoint, Intune supports certificate-based authentication, S/MIME for email encryption, and VPN configuration profiles. The service is built on a multitenant architecture within Microsoft's global cloud infrastructure, ensuring high availability and scalability.

Updates to policies are typically applied within minutes, and the service provides a comprehensive audit log for compliance and forensics.

Real-Life Example

Think of a large library. The library has many books (corporate data), and many patrons (employees) who want to take books home on their own bookshelves (personal devices). The library's rules (company policies) say that books must be returned on time, cannot be marked up, and must be kept in a dry place.

The library cannot afford to build bookshelves for every patron, nor does it want to. Instead, the library hires a digital manager (Intune). This manager does not own the bookshelves, but he puts a special lock (MDM profile) on each patron's bookshelf.

The lock ensures that the library book is always visible and can be securely removed if the patron's home floods (device lost or stolen). The manager also gives each patron a special library card (Azure AD identity) that they must show before taking a book. The manager can also put a special cover on the library book (app protection policy) that prevents the patron from clipping pages or copying text to other books.

If a patron stops being a member (leaves the company), the manager can instantly remove the library book from the shelf, leaving all the patron's personal books untouched. The manager works from a central office (cloud console) and can see all bookshelves at once. If a new library rule is made, the manager sends an update to every lock at the same time.

This way, the library protects its valuable books without needing to own every patron's bookshelf, and patrons get to use their own shelves comfortably, as long as they follow the rules.

Why This Term Matters

In the modern IT landscape, the way people work has changed drastically. Employees use a mix of company-owned and personal devices, access cloud applications from anywhere, and expect seamless productivity, while organizations must protect sensitive data from breaches and comply with regulations like GDPR, HIPAA, or PCI-DSS. Intune matters because it solves the core challenge of endpoint management in a remote-first, cloud-centric world.

Traditional on-premises management tools like System Center Configuration Manager (SCCM) were designed for devices that are always on the corporate network and domain-joined. They struggle to manage devices that are rarely on the corporate VPN or are personally owned. Intune provides a unified platform to enforce security policies like encryption, password complexity, and conditional access regardless of where the device is located.

For IT professionals, this means they can retire or reduce the footprint of on-premises infrastructure, saving costs and complexity. For organizations with compliance requirements, Intune provides the reporting and enforcement mechanisms to prove that devices meet security baselines. For users, Intune strives to be less intrusive than older MDM solutions, offering a balance between security and privacy, especially with MAM policies that only manage company data.

The ability to selectively wipe corporate data from a personal device is a game-changer for BYOD programs. Without Intune, companies would have to either mandate full device encryption and wipe the entire device upon a security incident, which is highly invasive, or compromise on security. In essence, Intune is a foundational component of a modern Zero Trust security strategy, where trust is never assumed and must be continuously verified based on the security posture of the endpoint.

How It Appears in Exam Questions

Exam questions about Intune usually fall into one of three categories: scenario-based, configuration-based, and troubleshooting-based. In scenario-based questions, you are given a business requirement, such as 'The company wants to allow employees to use personal phones for email, but must ensure that corporate email cannot be copied to personal notes. What should you implement?'

The answer would be an App Protection Policy (MAM) without device enrollment. Another scenario might ask, 'You need to remove all corporate data from a lost device without affecting personal data.' The correct answer is 'Selective wipe' in Intune.

Configuration-based questions test your knowledge of specific tools and portals. For example, 'From which portal do you create an Intune compliance policy?' The answer is the Microsoft Intune admin center (endpoint.

microsoft.com). You might be asked to choose between a configuration profile and a compliance policy when a setting like a home screen layout needs to be enforced. The trick is that configuration profiles define settings, while compliance policies mark a device as compliant or not, and can trigger conditional access.

Troubleshooting questions often involve a device that is not applying policies. You may be asked to check the device's enrollment status in the Intune admin center, verify that the user has an appropriate license, or confirm that the device is connected to the internet and the Intune service is accessible. A common question pattern is about co-management: 'If you want to manage Windows updates on-premises using Configuration Manager but enforce compliance policies from the cloud, what workload should you slide to Intune?'

The answer is 'Compliance policies' under co-management settings. Another recurring trick is asking about the difference between device enrollment and app management. For instance, a question might state that a user cannot access the Microsoft Teams app on their phone because it requires a compliance policy, but the user is not enrolled.

The correct answer is to create a MAM policy that does not require enrollment. Be alert for questions about 'Windows Autopilot,' which is often paired with Intune for zero-touch deployments. They might ask which service provides the hardware hash that enables Autopilot.

The answer is the device manufacturer or a bulk enrollment process, not Intune itself.

Practise Intune Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

Contoso Pharmaceuticals has 500 employees. The company has a strict data privacy policy because it handles patient records. The IT department wants to allow employees to access email and the company CRM on their personal iPhones and Android devices, but they are worried about data leaking if a phone is lost or an employee leaves.

They decide to use Microsoft Intune. The IT admin, Priya, signs into the Intune admin center. First, she creates a device compliance policy that requires a passcode of at least six digits, encryption on the device, and that the device must not be jailbroken or rooted.

She also creates a configuration profile that pushes the company's Wi-Fi settings and a VPN connection for accessing internal resources. Then, she creates an App Protection Policy (MAM) for the Outlook and CRM apps. This policy prevents users from cutting, copying, or pasting data into other non-corporate apps.

It also requires a PIN to open the corporate apps and can wipe the corporate data from those apps after a number of failed attempts. Priya then publishes the policy to all 500 users. When employee Raj downloads the Outlook app on his personal iPhone, he is prompted to sign in with his Azure AD credentials.

The app then applies the MAM policy. Raj can use his email freely, but he cannot copy a patient ID from the email to his personal notes. Later, Raj loses his phone. He reports it to IT.

Priya goes to the Intune portal and selects Raj's device. She chooses the 'Selective wipe' option. This removes all corporate data from the phone, including the Outlook app configuration and cached emails, but leaves Raj's personal photos and apps untouched.

The company remains compliant, and Raj gets a replacement phone and re-enrolls without any data loss from his personal life. This scenario showcases the power of Intune: security and flexibility are achieved without requiring the company to own or full-wipe the device.

Common Mistakes

Assuming Intune can manage on-premises servers like SCCM.

Intune is a cloud-only MDM/MAM service. It cannot manage servers or deploy software to on-premises computers without the co-management feature using Configuration Manager agents. Treating Intune as a full replacement for an on-premises management tool will lead to incorrect designs.

Understand that Intune is for managing client endpoints (Windows 10/11, macOS, iOS, Android). For server management, use tools like Azure Arc, or for on-premises client management with the cloud, use co-management with Configuration Manager.

Confusing App Protection Policies (MAM) with Compliance Policies.

Compliance policies work at the device level and require the device to be enrolled. App Protection Policies work at the app level and do not require device enrollment. For BYOD scenarios where you cannot enforce full device control, MAM policies are the correct choice, not compliance policies.

Always ask: Is this a company-owned device I can fully manage? If yes, use compliance policies. Is it a personal device and I only want to control the app? If yes, use App Protection Policies without enrollment.

Thinking that Intune can wipe all data from a personal device.

Intune offers two wipe options: 'Retire' (also called selective or corporate wipe) and 'Wipe' (full factory reset). On a personally owned device, you should only use 'Retire' to remove only corporate data and settings. Using 'Wipe' will erase all personal data, which is invasive and often against company policy for BYOD.

For BYOD devices, always choose 'Retire' from the Intune admin center to remove only managed corporate data. Reserve the 'Wipe' option for fully company-owned devices.

Assuming all Intune policies apply instantly to all users.

Intune policies have a scheduled check-in cycle. Devices check for new policies every 8 hours by default, though this can be changed or a manual sync can be triggered by the user. New policies may not apply immediately, which can lead to a false sense of security.

Know the default check-in interval. When testing, trigger a manual sync from the device (e.g., Settings > Accounts > Access work or school > Info > Sync). Also, be aware of the policy rollback behavior if a non-compliant device is marked as compliant after a policy change.

Exam Trap — Don't Get Fooled

{"trap":"The exam presents a scenario where a user needs to access corporate email on a personal device, and the requirement is 'prevent the user from saving attachments to personal cloud storage.' The options include 'Device Compliance Policy' and 'App Protection Policy.' Many learners pick 'Device Compliance Policy' because they think about securing the device."

,"why_learners_choose_it":"Learners often over-focus on the device itself. They assume that if the device is compliant (has encryption, a password, etc.), then the data will be safe.

They may not realize that compliance policies do not control data behavior within apps (like saving attachments).","how_to_avoid_it":"Remember that data control within an app, like preventing save-as operations, is a function of App Protection Policies (MAM), not device compliance. Device compliance only evaluates the device's security posture (e.

g., is it encrypted? is there a passcode?). For granular data loss prevention within apps, always look for MAM policies in the answer."

Step-by-Step Breakdown

1

Enable automatic enrollment

The IT admin configures Intune to automatically enroll devices when a user adds a work or school account in Windows 10/11 settings. This step is done in Azure AD > Mobility > Microsoft Intune. Without this, devices may not register at all.

2

User adds work account on device

On their Windows, iOS, or Android device, the user goes to Settings > Accounts > Access work or school and clicks 'Connect.' They sign in with their corporate Azure AD credentials. This triggers the enrollment process.

3

Device registers with Intune service

The device contacts the Intune service and downloads a certificate (MDM device certificate). The device is now 'enrolled' and appears as a managed object in the Intune admin center. The device's hardware inventory is also sent.

4

Intune pushes configuration profiles

Based on the device's group membership (e.g., an Azure AD dynamic group), Intune applies configuration profiles. These can set Wi-Fi networks, VPN, email settings, and certificate profiles. The device applies these settings automatically.

5

Intune evaluates compliance policies

The device's state (is it encrypted? does it have a password?) is compared against the compliance policies. If the device is non-compliant, Intune marks it as such and can apply a grace period or block access to corporate resources via conditional access.

6

Conditional access enforcement

When the user tries to access Exchange Online or SharePoint, Azure AD checks the device compliance status. If the device is non-compliant, the user is blocked or redirected to enroll and remediate the issue. This provides a 'security gate' that protects data.

Practical Mini-Lesson

To use Intune effectively in the real world, IT professionals need to think about the full lifecycle of device management, not just the initial enrollment. The most critical practical knowledge revolves around two concepts: policy conflict resolution and co-management. First, policy conflicts.

Intune policies are evaluated based on an order of priority. If two policies set the same setting (e.g., password length), the user will receive a compliance error. The admin console displays a 'settings catalog' that shows conflicts.

As a professional, you should always check the 'Devices > All devices' list for compliance errors and the 'Device configuration > Profiles' for policy precedence. When multiple policies are assigned to a user, they are merged, but if two are contradictory, neither may apply. The common mistake is to assume the last policy wins.

In reality, the most restrictive setting often takes effect, but it is best to design a single baseline policy per device type and use group policy assignments for exceptions. Second, co-management is where Intune and Configuration Manager share responsibilities. For example, you can keep Configuration Manager for software updates (Patch Tuesday) and move compliance policies to Intune for cloud-based conditional access.

The workload slider in the Configuration Manager console determines which service is authoritative. You must know that patching, compliance, and resource access can be split. A practical scenario: a device is managed by Configuration Manager, but you want to enforce that the device must have BitLocker enabled before accessing OneDrive.

You would slide the 'Compliance policies' workload to Intune. If you slide it incorrectly, the device might show as compliant in one tool but not the other, creating confusion. Third, Windows Autopilot is a key pairing with Intune for deploying new Windows devices.

The device's hardware hash is uploaded to Intune, and when the user unboxes the device and connects to the internet, it automatically enrolls in Intune and applies all policies without requiring manual imaging. The common pitfall here is forgetting to reset the device after the Autopilot profile is applied, which can lead to a 'first sign-in' failure if the user account is not prepped in Azure AD. Finally, monitoring is fundamental: use the 'Device compliance' dashboard to spot trends, and the 'Troubleshoot + support' pane to check individual device errors.

Always verify that users have the proper Intune license (often part of Microsoft 365 E3 or E5). If a device shows 'Not enrolled' but the user says they enrolled, check for license absence. Practical Intune proficiency requires understanding policy hierarchy, co-management workload distribution, Autopilot integration, and proactive monitoring.

Memory Tip

Think of Intune as a 'remote control for work data on any device', it manages the data and settings, not the entire device, especially for BYOD.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Legacy Exam Context

Older materials may mention these exam versions, but learners should use the current objectives for their target exam.

MS-100MS-102(current version)
MS-101MS-102(current version)

Related Glossary Terms

Frequently Asked Questions

Do I need to own the device to use Intune?

No, Intune supports both corporate-owned and personally owned (BYOD) devices. You can manage corporate data without managing the entire personal device.

Can Intune replace my antivirus software?

No, Intune is not an antivirus. It can enforce that Windows Defender is on and up to date, but for full endpoint detection and response, you need Microsoft Defender for Endpoint.

How does Intune handle Wi-Fi settings on a phone?

Intune can push a Wi-Fi configuration profile that automatically connects the device to the corporate Wi-Fi with the correct authentication. The user does not need to manually enter the password.

What happens if a user leaves the company?

The admin can retire the device, which removes all corporate data, apps, and configuration profiles from the device, leaving personal data intact.

Is Intune available for macOS devices?

Yes, Intune supports macOS enrollment and management, including configuration profiles, compliance policies, and app deployment.

Do I need a separate license for Intune?

Yes, an Intune license is required per user. It is included in Microsoft 365 E3 and E5 subscriptions, or can be purchased as a standalone plan.

Summary

Microsoft Intune is a cloud-based endpoint management service that provides a modern, secure way for organizations to manage their devices and applications, regardless of location or ownership. It is a cornerstone of the Microsoft 365 security and compliance ecosystem. For IT professionals and certification candidates, understanding Intune means grasping the difference between device-level control (MDM) and app-level control (MAM).

It is the tool that bridges the gap between the flexibility of remote work and the necessity of data protection. In the exam context, Intune is most heavily tested in Microsoft 365 role-based certifications like MS-101, where scenario questions test your ability to choose between compliance policies, configuration profiles, and app protection policies. The key takeaway is that Intune is not just about managing hardware; it is about managing policy and access to corporate data.

A common exam trap is to confuse device compliance with app protection, so always remember that only app protection policies can control data behavior like copy-paste. For personal experience, knowing how to use selective wipe and co-management with Configuration Manager will set you apart. As remote work and BYOD become the norm, Intune's role will only grow.

Mastering it will not only help you pass exams but also equip you to design and maintain a resilient, modern IT environment.