Device managementEndpoint and appsLicensing and servicesIntermediate24 min read

What Does Microsoft Intune Mean?

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security
On This Page

Quick Definition

Microsoft Intune is a tool that lets companies manage smartphones, tablets, and computers from the cloud. IT teams can enforce security rules, push apps, and wipe data if a device is lost, all without touching the device. Think of it as a remote control for your organization's devices and data, ensuring everyone stays secure and productive.

Commonly Confused With

Microsoft IntunevsConfiguration Manager (SCCM)

Configuration Manager is an on-premises management tool, while Intune is cloud-based. SCCM is ideal for large, static networks with powerful hardware, while Intune is better for remote workers and mobile devices. They can work together via co-management, but they are different products.

If a company has a secure data center and manages 1000 desktop PCs using SCCM, that is fine. If the same company also has 500 salespeople using iPads on the road, they would add Intune to manage those iPads.

Microsoft IntunevsMicrosoft Entra ID (Azure AD)

Entra ID is an identity and access management service that handles authentication and authorization. Intune uses Entra ID for device identity and conditional access, but Intune’s job is device management, not identity. Entra ID answers 'Who are you?' Intune answers 'Is your device safe?'

When a user signs into Office 365, Entra ID authenticates the user. Intune checks if the device is compliant before allowing access to email. Both are needed, but they do different things.

Defender for Endpoint is a security solution that detects and responds to threats, while Intune manages device configurations and policies. Intune can use Defender's risk scores in conditional access, but Defender itself is not a management tool.

Intune sets a policy requiring antivirus to be enabled. Defender for Endpoint detects a piece of malware on the device. Intune sees that device risk is high and blocks access to SharePoint until the threat is removed.

Microsoft IntunevsWindows Autopilot

Windows Autopilot is a deployment technology that simplifies setting up new Windows devices. It uses Intune to apply policies and apps during first boot, but Autopilot is not a management platform itself, it is a feature that relies on Intune.

Autopilot prepares a new laptop for a user by connecting to Intune automatically. After setup, Intune continues to manage the device for its entire lifecycle.

Must Know for Exams

Microsoft Intune is a core topic in at least three major Microsoft certifications: MD-102 (Microsoft 365 Endpoint Administrator), MS-102 (Microsoft 365 Administrator), and MS-900 (Microsoft 365 Fundamentals). For MD-102, Intune is effectively the central subject. The exam objectives include deploying and managing Windows clients using Intune, configuring compliance policies, managing device enrollment, protecting devices with conditional access, and deploying apps. Questions often present a scenario where you must choose the correct enrollment method for a specific device type (e.g., Android Enterprise work profile for BYOD, or Windows Autopilot for corporate devices). Expect to see tasks like creating a configuration profile for Wi-Fi, configuring a compliance policy that requires BitLocker, or setting up an App Protection Policy for a specific app. The exam also tests troubleshooting, such as why a device shows as noncompliant or why an app fails to install.

For MS-102, Intune is part of the broader Microsoft 365 management domain. Here, Intune appears in questions about identity and compliance, often paired with Conditional Access and Microsoft Entra ID. You might see a question where a company wants to block access to SharePoint from devices that do not have a PIN or are not encrypted. The answer would involve creating a compliance policy in Intune and then configuring a Conditional Access policy in Azure AD that references that policy. MS-102 also tests your understanding of the differences between MDM and MAM and when to use each.

MS-900 is the fundamentals exam, so Intune appears at a higher level. Questions may ask you to identify which Microsoft 365 service provides mobile device management or to describe how Intune helps with security. You will not be asked to configure policies, but you must understand the capabilities and the value proposition. For example, a question might describe an organization with remote employees using personal devices and ask which Microsoft 365 workload can protect company data on those devices. The answer is Microsoft Intune.

Across all exams, the traps are similar: confusing Intune with Configuration Manager, misunderstanding that Intune does not require on-premises servers, or assuming that Intune can manage devices that are not enrolled. Another common mistake is thinking that Intune can manage all settings on a user's personal device when, in fact, MAM only controls the managed apps. Exam questions will often frame scenarios around BYOD vs. corporate-owned devices, and you must select the right enrollment type and management approach accordingly.

Simple Meaning

Imagine you manage a fleet of delivery vans for a large company. Each van carries expensive equipment and important packages. You need to make sure every van has the right navigation tools, follows safety rules, and that any van that goes missing doesn't put the company at risk.

You wouldn't want to drive to each van every time a new map is released or a security check is needed, that would take forever. Microsoft Intune works like a central command center for your company's digital vans: the laptops, phones, and tablets your team uses. Instead of physically touching each device, Intune lets you set rules from a web dashboard.

For example, you can require that all phones have a screen lock password, automatically install the latest antivirus software, or prevent users from installing unapproved apps. If a device is lost or stolen, you can remotely wipe all company data from it, just like you could remotely disable a stolen van's engine. Intune works with Android, Apple iOS/iPadOS, macOS, and Windows devices.

It is part of a larger Microsoft service called Microsoft Endpoint Manager, which combines Intune with Configuration Manager to manage both cloud and on-premises devices. The key idea is that Intune separates company data from personal data. It creates a container on the device for work stuff, so the user's personal photos or messages stay private, while the company's emails and documents stay protected.

For IT professionals, Intune is the modern way to manage a mobile and remote workforce without needing a traditional server in the office. It is subscription-based and often bundled with Microsoft 365 plans, making it a go-to tool for small businesses and large enterprises alike.

Full Technical Definition

Microsoft Intune is a cloud-based mobile device management (MDM) and mobile application management (MAM) service that is part of the Microsoft Endpoint Manager family. It enables organizations to manage devices and enforce security policies across platforms including Windows, macOS, iOS, iPadOS, and Android. Intune operates on a Software-as-a-Service (SaaS) model, meaning no on-premises infrastructure is required for core operations. Administrators interact through the Azure portal or the Microsoft Endpoint Manager admin center, using REST APIs and Graph API for automation and third-party integration.

Intune communicates with enrolled devices using industry-standard protocols. For iOS/iPadOS, it uses Apple Push Notification Service (APNs) to wake devices and apply policies. Android devices use Google’s Firebase Cloud Messaging (FCM) for similar push-based management. Windows devices use the Windows Push Notification Services (WNS) and, in co-management scenarios, the Configuration Manager client for legacy policy delivery. On macOS, Intune uses the MDM protocol introduced by Apple, requiring a push certificate. All communication between Intune and managed devices is encrypted using TLS 1.2 or higher, and policies are signed with certificates issued by the Intune service.

Device enrollment is a critical component. Intune supports multiple enrollment methods: Corporate Device Enrollment Profiles for Apple devices using Automated Device Enrollment (formerly DEP), Android Enterprise work profiles for personal devices, Google Zero-Touch for corporate Android devices, and Windows Autopilot for OEM-shipped Windows PCs. Users can also self-enroll by installing the Company Portal app and signing in with their work or school account. Once enrolled, devices receive a management certificate that grants Intune permission to read device inventory, apply configuration profiles, and execute remote actions like wipe, retire, or sync.

Configuration profiles are XML or JSON documents that deliver settings such as Wi-Fi profiles, VPN configurations, email server settings, and device restrictions. Compliance policies define conditions the device must meet (e.g., passcode length, encryption, minimum OS version). These policies are evaluated during check-ins and can trigger Conditional Access policies in Microsoft Entra ID (formerly Azure AD). Conditional Access integrates Intune’s device state with sign-in flows, blocking access to corporate resources if the device is noncompliant.

Mobile Application Management (MAM) is a separate but related capability. It allows IT to manage apps on unenrolled devices (BYOD scenarios) by wrapping apps with policies that prevent copy-paste to personal apps, require a PIN, or block data from being saved to unapproved locations. This is done using the Intune App Protection Policies (APP) framework, which relies on the Intune App SDK or built-in app support for major Microsoft apps (Outlook, Teams, Word, etc.).

Intune also handles software updates and application delivery. Windows Update Rings can manage the pace of Windows 10/11 feature and quality updates. Line-of-business (LOB) apps can be uploaded to Intune for deployment, while store apps can be assigned from Microsoft Store for Business or Apple Volume Purchase Program (VPP). Reporting and monitoring are available via the Intune Reports node, which includes noncompliant devices, app installations, and audit logs. Integration with Microsoft Defender for Endpoint provides risk-based conditional access, where a device flagged as high-risk can be blocked.

For IT professionals preparing for exams, it is essential to understand that Intune is not a standalone product in the traditional sense. It is deeply integrated with Microsoft 365, Azure Active Directory, and Microsoft Defender. The MD-102 (Endpoint Administrator) exam covers deployment, management, and security configuration in depth. MS-102 (Microsoft 365 Administrator) includes Intune as part of broader identity and compliance scenarios. MS-900 (Microsoft 365 Fundamentals) touches Intune at a higher level, focusing on its role in modern device management and security.

Real-Life Example

Think of a large library that lends out e-readers to its patrons. The library wants to ensure that each e-reader stays secure, has the latest digital books, and cannot be used to access harmful content. If a patron loses an e-reader, the library must protect the digital books stored on it. This is exactly what Microsoft Intune does for company devices. The library is the organization, the e-readers are the laptops or phones, and the digital books are the apps, emails, and documents.

The library sets up a digital policy: every e-reader must have a screen lock, a strong password, and automatic updates. This is like Intune’s compliance policies. The library can also remotely add new bestsellers to all e-readers at once, that is like deploying a corporate app through Intune. If a patron reports a lost e-reader, the library can instantly delete all library books from that device, protecting the digital collection. This is exactly the remote wipe capability in Intune.

Now imagine patrons want to use their own personal e-readers for library books. The library can create a special protected reading app that prevents copying text to personal notes or sharing it via social media. Without controlling the whole device, the library manages just the app, this is Mobile Application Management (MAM). The patron’s personal photos and games remain private, but the library’s digital books are safe. This is the BYOD (Bring Your Own Device) scenario that Intune handles so well.

This analogy shows how Intune separates corporate control from personal privacy. The library doesn’t need to own the e-readers to protect its content, and patrons can still enjoy their own apps. Intune brings that same balance to the modern workplace.

Why This Term Matters

Microsoft Intune matters because the traditional model of keeping all computers inside an office with a locked door is gone. Employees work from home, coffee shops, and airports. They use their own phones for work emails. IT can no longer physically secure every device, but they are still responsible for company data security. Intune solves this by shifting the control from the hardware to the cloud. You can manage a fleet of thousands of devices from a single web portal, regardless of where the devices are or who owns them.

From a practical IT perspective, Intune reduces support tickets. When a user forgets their Wi-Fi password, IT can push a new profile without asking the user to type anything. When a new hire needs the company app suite, IT can assign apps in Intune, and they appear automatically on the device. Compliance rules ensure devices that are out of date or jailbroken cannot access company email, automatically reducing risk.

Intune also helps with compliance and legal requirements. Industries like healthcare and finance must follow regulations like HIPAA or GDPR. Intune’s data loss prevention features, like preventing copy-paste from Outlook to a personal note app, help meet those requirements. The remote wipe feature is essential for lost devices, preventing data breaches that could cost millions.

For IT professionals, knowing Intune is a career requirement. Most organizations that use Microsoft 365 also use Intune, either directly or through co-management with Configuration Manager. The shift to modern management is irreversible, and Intune is the flagship tool. Exam candidates see Intune across multiple certification paths, making it a high-yield study topic.

How It Appears in Exam Questions

In MD-102, the most common question pattern is a scenario-driven multiple choice where you must select the appropriate enrollment method. For example, a question might describe a company that just purchased 200 Windows laptops from an OEM with Windows 10 Pro preinstalled. The company wants to deploy them without manual setup. The answer: use Windows Autopilot with Intune. Another scenario: employees use personal Android phones for work, and the company must protect Outlook email without managing the entire phone. The correct answer: use App Protection Policies (MAM) without enrolling the device.

Configuration questions often present a list of requirements. For instance: You need to ensure all iOS devices require a 6-digit passcode, disable the camera, and automatically update apps from the Volume Purchase Program. The correct answer is to create a device compliance policy for the passcode, a configuration profile to disable the camera, and a VPP app assignment for automatic updates. Troubleshooting questions might show a user who cannot access email on a compliant device. You would check whether the Conditional Access policy is correctly linked to the Intune compliance policy and whether the device has a valid compliance state.

Another pattern involves understanding policy precedence. If there are two compliance policies assigned to the same device, Intune evaluates both, and the device must meet all requirements to be compliant. A typical question might say: A device meets Policy A but not Policy B. What is the compliance state? The answer: Noncompliant. Questions also test the difference between retire and wipe. Retire removes company data and management, but leaves personal data. Wipe restores the device to factory defaults. A question might ask: An employee is leaving the company and wants to keep their personal photos. Which action should you use? Answer: Retire.

For MS-900, questions are simpler scenario-to-solution matches. For example: A company wants to ensure that company emails can only be read on devices that have a screen lock. Which Intune feature is needed? Answer: Compliance policy. Or: Which Microsoft service allows IT to manage apps without managing the entire device? Answer: Microsoft Intune (MAM). There are also comparison questions, such as: What is the difference between Microsoft Intune and Configuration Manager? The correct answer: Intune is cloud-based, Configuration Manager is on-premises.

Study MD-102

Test your understanding with exam-style practice questions.

Practise

Example Scenario

Contoso, a mid-sized marketing firm, has 50 employees. Twenty use company-issued Windows laptops, and thirty use their own personal iPhones and Android phones for work email and Teams. The IT manager, Sarah, needs to ensure that all devices accessing company data have a password or Face ID, that the Windows laptops always have the latest security updates, and that if a personal phone is lost, the company email can be removed without deleting the user's personal photos.

Sarah decides to use Microsoft Intune. For the company laptops, she enrolls them using Windows Autopilot: she uploads the hardware IDs from the manufacturer to Intune, and when the laptops arrive, employees just connect to Wi-Fi and log in with their Microsoft 365 credentials. Intune automatically installs all required apps and enforces a policy that forces BitLocker encryption and sets Windows Update to install updates automatically.

For the personal phones, Sarah chooses a lighter approach. She does not want to manage the whole device because these are employee-owned. Instead, she sets up App Protection Policies (MAM) for Outlook and Teams. Now, when an employee opens Outlook on their phone, they must enter a PIN that Sarah defined. They cannot copy text from an email into a personal note app or save attachments to the camera roll. If an employee loses their phone, Sarah can use Intune to wipe all company data from Outlook and Teams, leaving the rest of the phone untouched.

One day, an employee reports that they cannot send emails from their iPhone. Sarah checks the Intune console and sees the device is marked as noncompliant because the employee had removed the passcode. Sarah sends a notification reminding the employee to set a passcode. Once the employee does, the device syncs, becomes compliant, and email works again. This scenario demonstrates exactly how Intune balances security with user flexibility, a core concept tested in the MD-102 exam.

Common Mistakes

Thinking Intune needs an on-premises server to work.

Intune is a cloud-only service; it does not require any on-premises infrastructure. While you can co-manage with Configuration Manager, Intune itself runs entirely in Microsoft's cloud.

Understand that Intune is SaaS. All policies and data are stored in Azure, and devices communicate directly with the cloud using push notifications.

Confusing Intune with a traditional VPN or antivirus solution.

Intune manages devices and enforces policies, but it is not a VPN service nor does it detect malware directly. It can integrate with Microsoft Defender for Endpoint for threat detection, but the core function is management and policy enforcement.

Remember that Intune is a management platform, not a security scanner. Its job is to ensure devices meet your policies, not to block attacks in real time.

Assuming Intune can manage any application on any device without the Intune SDK or built-in support.

App Protection Policies only work with apps that have integrated the Intune App SDK or are part of the Microsoft 365 app family. Third-party apps like a random PDF reader cannot be managed unless they are wrapped with the Intune App Wrapping Tool for iOS/Android.

For custom or third-party apps, you must use the App Wrapping Tool or ask the vendor to integrate the Intune SDK. Always verify app compatibility before planning MAM policies.

Believing that Intune can enforce compliance on devices that are not enrolled.

Compliance policies apply only to enrolled devices. App Protection Policies (MAM) can work on unenrolled devices, but compliance evaluation requires full enrollment.

When you need to check OS version, encryption, or jailbreak status, the device must be enrolled in MDM. For app-level controls only, MAM is enough without enrollment.

Selecting 'Wipe' instead of 'Retire' when an employee leaves voluntarily and wants to keep personal data.

Wipe performs a factory reset, deleting everything. Retire removes company data and management, preserving personal content.

Always choose Retire for employee-owned devices where they need to keep personal data. Wipe is for lost devices or corporate-owned devices being reassigned.

Exam Trap — Don't Get Fooled

{"trap":"The question describes a BYOD scenario where employees use personal iPhones, and the correct answer is to enroll them in MDM using device enrollment. Many candidates see BYOD and automatically think only MAM is appropriate, missing that you can still use MDM with a user enrollment type that preserves privacy.","why_learners_choose_it":"Learners often assume BYOD means no MDM enrollment at all, and that MAM alone is the answer.

They forget that Apple's user enrollment in Intune allows MDM management of a limited scope (like a work partition) without accessing personal data.","how_to_avoid_it":"Always read the question carefully. If it mentions managing work apps and data but explicitly requires the ability to enforce device-level controls like a passcode or encryption, full MDM (user enrollment on iOS) is correct.

If it says there should be no management of the device itself, only the apps, then MAM alone is the answer."

Step-by-Step Breakdown

1

Prepare the infrastructure

Ensure you have a Microsoft 365 or Intune license for each user. Configure DNS records for enrollment (e.g., Apple MDM push certificates, Android Enterprise binding). In the Microsoft Endpoint Manager admin center, set up the environment by adding connectors for Apple, Google, and Windows Autopilot as needed.

2

Create device enrollment profiles

Define how devices will be enrolled. For corporate devices, use profiles like Apple Automated Device Enrollment, Windows Autopilot, or Android Enterprise corporate-owned. For personal devices, configure user self-enrollment via the Company Portal app. This step determines the level of control Intune will have over the device.

3

Configure compliance policies

Compliance policies define the minimum security requirements a device must meet. Set rules for OS version, password complexity, encryption, jailbreak detection, and device health (e.g., BitLocker enabled). These policies are evaluated during every device check-in and are used by Conditional Access to grant or deny access to resources.

4

Deploy configuration profiles

Configuration profiles deliver settings that make devices usable and secure. Examples include Wi-Fi profiles (so users automatically connect), VPN profiles, email profiles, and restrictions (e.g., disable camera on iOS, block app store on Android). Create separate profiles for each platform and user group.

5

Deploy applications

Assign required apps to users or devices. For Microsoft 365 apps, assign from the built-in store. For line-of-business apps, upload the installer package. For Apple VPP and Android managed Google Play, assign licensed apps. For personal devices, use required or available assignments so users can install via Company Portal.

6

Set up App Protection Policies (MAM)

For unenrolled BYOD devices, create App Protection Policies to protect company data in apps. Configure settings like require a PIN for work apps, block copy/paste between work and personal apps, and encrypt app data. These policies are applied at the app level and do not require device enrollment.

7

Monitor and report

Use the Intune console to view compliance status, app installations, and configuration errors. Set up alerts for noncompliant devices. Use audit logs for changes. Integration with Microsoft Defender for Endpoint provides risk-based insights. Regularly review and update policies based on emerging threats and organizational changes.

Practical Mini-Lesson

When you work as an endpoint administrator, your daily tasks often revolve around policy management in Microsoft Intune. The first thing you need to master is the difference between Configuration Profiles and Compliance Policies. Configuration Profiles are like a set of instructions that tell the device how to behave: which Wi-Fi network to join, what lock screen message to display, which keyboard settings to enable. Compliance Policies are like a checklist that the device must pass to be considered healthy. For example, a compliance policy might require a password length of at least 8 characters, while a configuration profile might set the password length to exactly 8 characters. The compliance policy checks what you set in the profile or what the user set manually.

A common real-world task is configuring Windows 10 update rings. You create a ring for pilot users who get updates immediately, and a ring for the rest of the company who get updates after a two-week delay. Intune uses Windows Update for Business, which means the device gets updates directly from Microsoft rather than a WSUS server. You can set deadlines for feature updates and quality updates. If a device misses the deadline, Intune can force a restart outside of active hours.

Another practical scenario is managing iOS devices with Apple Business Manager. You must upload an Apple MDM push certificate to Intune and connect to Apple Business Manager. Once done, you can configure automatic enrollment so that as soon as an iPhone is turned on and connected to Wi-Fi, it is automatically enrolled in Intune with no user interaction. This is critical for fleet deployments.

One area where things often go wrong is Conditional Access integration. You set up a conditional access policy in Microsoft Entra ID that says 'Require device to be marked as compliant.' But if the Intune compliance policy is not assigned to the right user group, or if the device has not checked in recently, the user will be blocked. Always ensure that the compliance policy is assigned to the same users as the conditional access policy. Also, remember that conditional access policies do not apply to the Intune enrollment itself by default, users can enroll without compliance, but then the conditional access policy blocks them from accessing Exchange Online until they are compliant.

Professionals also need to handle device revocation. When an employee leaves, you use the Retire action to remove company data and management from their personal device. For corporate-owned devices, you use Wipe to erase everything and prepare for the next user. A mistake here can accidentally destroy personal data, leading to legal issues. Always verify the device ownership type before executing a wipe.

keep in mind that Intune is not just for small fleets. Large enterprises with tens of thousands of devices use co-management with Configuration Manager. In this setup, you can shift specific workloads (like Windows Update or device configuration) to Intune gradually. This is called a gradual migration approach and is tested in MD-102. The idea is to move from on-premises management to cloud management without a big bang cutover.

Memory Tip

Think of Intune as the 'settings and security cop' for your devices: it never touches the device physically, but it enforces every rule from the cloud.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Related Glossary Terms

Frequently Asked Questions

Do I need a server to run Microsoft Intune?

No. Intune is a cloud-only service. You only need an internet connection and appropriate licenses. There is no on-premises server required.

Can Intune manage personal devices without full control?

Yes. You can use Mobile Application Management (MAM) to manage apps on personal devices without enrolling the whole device. This protects company data while preserving user privacy.

What is the difference between Intune and Configuration Manager?

Intune is cloud-based, while Configuration Manager (SCCM) runs on premises. Intune is best for mobile devices and remote workers. They can be used together via co-management.

Does Intune work with Linux devices?

Currently, Intune does not support managing Linux devices through MDM, but you can manage Linux via Microsoft Defender for Endpoint for security, and some app-level management may be possible in the future.

What happens if a device loses connectivity to Intune?

Policies already applied remain in effect. When connectivity resumes, the device checks in and reapplies any new or changed policies. Conditional Access policies will block access to cloud resources until the device is compliant and connected again.

Can Intune install apps silently on user devices?

On corporate-owned managed devices, Intune can install apps silently without user interaction if configured correctly. On BYOD devices, the user may need to accept installation prompts depending on the platform.

Do I need a separate Intune license if I have Microsoft 365 Business Premium?

Microsoft 365 Business Premium includes Intune. You do not need a separate license. Some other plans like Microsoft 365 E3 or E5 also include Intune.

Summary

Microsoft Intune is the cornerstone of modern endpoint management in the Microsoft ecosystem. It allows organizations to secure and manage devices and applications from the cloud, regardless of where the device is located or who owns it. This glossary page has covered everything from the simple idea of Intune as a remote control for devices to the technical details of enrollment protocols, compliance policies, and Conditional Access integration.

For IT certification candidates, Intune appears heavily in MD-102, MS-102, and MS-900 exams, with questions ranging from choosing the correct enrollment method to configuring App Protection Policies. The most common mistakes involve confusing Intune with on-premises tools like Configuration Manager, or underestimating the difference between MDM and MAM. To succeed, focus on understanding the enrollment process for each platform, the role of compliance policies in Conditional Access, and the practical scenarios that test your ability to balance security with user privacy.

Intune is not just a feature of Microsoft 365; it is the bridge that connects identity, security, and device management into a single, cloud-driven workflow. Master this tool, and you will be well prepared to manage any modern endpoint environment.