This chapter covers Intune device management, a core component of Microsoft 365 and a key topic for the MS-102 exam. You will learn how to enroll devices, create and assign compliance policies and configuration profiles, deploy applications, and perform remote actions. Expect approximately 15-20% of exam questions to touch on Intune device management concepts, especially enrollment methods, compliance policies, and conditional access integration. Mastery of these topics is essential for passing the exam and for real-world administration.
Imagine a company with 500 delivery vehicles (devices) that need to be maintained, secured, and updated. The fleet manager (Intune) does not own the vehicles — employees bring their own cars (BYOD) or use company trucks (corporate-owned). The manager sets policies: every vehicle must have winter tires (encryption), a dashcam (compliance policy), and a speed governor (configuration profile). When a vehicle is reported stolen (lost device), the manager remotely kills the engine (wipe). If a driver installs unauthorized modifications (jailbreak), the manager restricts that vehicle from entering the company garage (conditional access). The manager also pushes out new GPS software (app deployment) to all vehicles at once. Crucially, the manager never drives the vehicles; they just enforce rules and monitor compliance through telemetry. This mirrors Intune's MDM/MAM: you define policies, deploy apps, enforce compliance, and can wipe or retire devices — all without touching the device directly. The enrollment process is like registering each vehicle's VIN with the fleet office: once registered, the manager can see its status and apply rules.
What is Intune Device Management?
Microsoft Intune is a cloud-based unified endpoint management (UEM) solution, originally marketed under the Microsoft Endpoint Manager brand and now simply the Microsoft Intune family. It allows organizations to manage and secure devices, including Windows 10/11, iOS/iPadOS, Android, and macOS, without requiring on-premises infrastructure. Intune provides mobile device management (MDM) and mobile application management (MAM) capabilities. MDM gives full control over devices (enrollment, configuration, compliance, wipe), while MAM focuses on managing apps and data, typically on personal devices, without full device control.
Why It Exists
Modern workplaces are increasingly mobile and remote. Employees use a mix of corporate-owned and personal devices (BYOD). Traditional on-premises management tools like System Center Configuration Manager (SCCM) cannot manage devices outside the corporate network without complex VPNs and internet-based management points. Intune solves this by being cloud-native: devices connect directly to Intune over the internet, and policies are applied via push notifications or scheduled check-ins.
How Intune Works Internally
Intune operates on a client-server model. The Intune service runs in Azure, and each device has an MDM client that talks to it: on Windows it is the OMA-DM client built into the OS; on iOS/iPadOS and macOS it is Apple's built-in MDM framework, with the Company Portal app (or Setup Assistant for ADE) handling enrollment; on Android it is the Android Device Policy app, with Company Portal handling enrollment. The process involves:
Enrollment: The device registers with Intune and receives a management certificate. This certificate is used for all subsequent communications. Enrollment methods include: user-initiated (Company Portal), automated (Windows Autopilot, Apple Automated Device Enrollment), or bulk enrollment (Windows Configuration Designer).
Policy Assignment: Admin creates policies (compliance, configuration) and assigns them to Azure AD groups (users or devices). Policies are stored in Intune and pushed to devices.
Check-in: Devices check in with Intune periodically (about every 8 hours on all platforms once enrollment settles; immediately after enrollment the client checks in far more often, and a sync can be triggered manually from the device or from the admin center). During check-in, the device reports its status and receives any pending policies, profiles, or app installs.
Compliance Evaluation: The device evaluates compliance policies locally (e.g., check if encryption is enabled) and reports the result to Intune. If non-compliant, Intune can trigger conditional access to block access to corporate resources.
Remote Actions: Admin can send commands via Intune console, such as wipe, retire, sync, or locate device. These are delivered via push notifications (WNS for Windows, APNs for iOS, FCM for Android).
Key Components, Values, Defaults, and Timers
- Enrollment Methods:
- Windows: Automatic enrollment via Group Policy or Azure AD join. Default MDM discovery URL: https://enrollment.manage.microsoft.com.
- iOS/iPadOS: Every Apple enrollment method requires an Apple MDM push (APNs) certificate uploaded to Intune and renewed yearly. Apple Automated Device Enrollment (ADE) additionally requires an ADE token from Apple Business Manager; ADE-enrolled devices are supervised.
- Android: Android Enterprise (work profile, fully managed, dedicated device). Requires an Android Enterprise binding to Intune.
- macOS: User-initiated enrollment via Company Portal or Automated Device Enrollment.
- Check-in Interval:
- Windows: About every 8 hours once enrolled (right after enrollment the client checks in every 3 minutes for 15 minutes, then every 15 minutes for 2 hours, then settles at 8 hours).
- iOS/iPadOS: About every 8 hours (every 15 minutes for the first hour after enrollment).
- Android: About every 8 hours (same post-enrollment burst as Windows).
- macOS: About every 8 hours.
- Retry Interval: If a check-in fails, the device retries after 30 minutes, then backs off exponentially up to 24 hours.
- Certificate Lifetimes:
- MDM certificate: 1 year, auto-renewed 30 days before expiry.
- SCEP certificates: Typically 1 year, configurable in the SCEP profile.
Policy Refresh: When an admin modifies a policy, devices receive a push notification within 15 minutes (on supported platforms). Otherwise, they pick it up at next check-in.
Compliance Evaluation: Devices evaluate compliance at every check-in and also when triggered by a policy change. The "Mark device noncompliant" action runs immediately by default, but it can be scheduled a number of days after noncompliance is detected, which acts as a grace period.
App Deployment: Apps can be required (mandatory install) or available (user installs from Company Portal). Intune uses app protection policies (MAM) to control data sharing, encryption, and PIN requirements for managed apps whether or not the device itself is enrolled.
Configuration and Verification Commands
- Check Intune connection status on Windows:
  dsregcmd /status
  Look for AzureAdJoined : YES and, under Tenant Details, MdmUrl : https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc. An empty MdmUrl means the device is joined but not MDM-enrolled.
- Force sync from device:
- Windows: Settings > Accounts > Access work or school > select the account > Info > Sync.
- iOS/Android: Company Portal app > Devices > select the device > Sync (or Check status).
- Verify enrollment in the Intune portal: In the Microsoft Endpoint Manager admin center (now the Microsoft Intune admin center), go to Devices > All devices and check Managed by, compliance state, and last check-in time.
- PowerShell for Intune: Use the Microsoft Graph PowerShell SDK (a read-only scope is enough for listing devices):
  Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All"
  Get-MgDeviceManagementManagedDevice -Filter "operatingSystem eq 'Windows'" | Select-Object DeviceName, ComplianceState, LastSyncDateTime
Interaction with Related Technologies
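The checks above can be scripted. The following is an added example, not from the original page: it reads the join and MDM state from dsregcmd, finds the Intune enrollment record in the registry, checks whether the auto-enrollment Group Policy is set, triggers an immediate check-in through the MDM client's PushLaunch scheduled task, and collects an MDM diagnostics cab. It runs in an elevated PowerShell session on a Windows 10/11 device; the cab output path is an assumption.

```powershell
# Added example: local verification of Intune MDM enrollment on Windows (run elevated).
$report = [ordered]@{}

# 1. Join state and MDM discovery URL from dsregcmd. Output is "Key : Value" lines, so parse them.
$dsreg = dsregcmd /status
foreach ($key in 'AzureAdJoined', 'DomainJoined', 'TenantName', 'MdmUrl') {
    $line = $dsreg | Where-Object { $_ -match "^\s*$key\s*:" } | Select-Object -First 1
    $report[$key] = if ($line) { ($line -split ':', 2)[1].Trim() } else { 'not found' }
}

# 2. Enrollment records. Each enrollment is a GUID key; the Intune one carries ProviderID "MS DM Server".
$enrollments = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
    Where-Object { (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).ProviderID -eq 'MS DM Server' }
$report['IntuneEnrollmentId'] = if ($enrollments) { $enrollments.PSChildName -join ', ' } else { 'none (device not MDM-enrolled)' }

# 3. Auto-enrollment policy written by the GPO "Enable automatic MDM enrollment using default Azure AD credentials".
$mdmPolicy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM' -ErrorAction SilentlyContinue
$report['AutoEnrollMDM'] = if ($mdmPolicy -and $null -ne $mdmPolicy.AutoEnrollMDM) { $mdmPolicy.AutoEnrollMDM } else { 'not configured' }

# 4. Force a check-in. The enrollment client creates a task folder per enrollment; PushLaunch starts a sync.
$synced = 0
foreach ($id in @($enrollments.PSChildName)) {
    $task = Get-ScheduledTask -TaskPath "\Microsoft\Windows\EnterpriseMgmt\$id\" -TaskName 'PushLaunch' -ErrorAction SilentlyContinue
    if ($task) { $task | Start-ScheduledTask; $synced++ }
}
$report['SyncTriggered'] = $synced

# 5. Collect the MDM diagnostics cab (MdmDiagnosticsTool ships with Windows). Path is an assumption.
$cab = 'C:\Temp\MDMDiag.cab'
New-Item -ItemType Directory -Path (Split-Path $cab) -Force | Out-Null
& "$env:SystemRoot\System32\MdmDiagnosticsTool.exe" -area 'DeviceEnrollment;DeviceProvisioning;Autopilot' -cab $cab | Out-Null
$report['DiagnosticsCab'] = if (Test-Path $cab) { $cab } else { 'not created' }

[pscustomobject]$report | Format-List
```

A healthy corporate device shows AzureAdJoined : YES, a non-empty MdmUrl, exactly one enrollment ID, and SyncTriggered : 1. A device that reports YES for the join but no enrollment record is the classic "joined but not enrolled" case covered in the troubleshooting section: check the MDM user scope and the user's Intune license before anything else.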
Azure AD: Intune relies on Azure AD for user and group identities. Device enrollment creates a device object in Azure AD (Azure AD join or registered). Conditional access policies use Intune compliance status.
Microsoft Defender for Endpoint: Integrates with Intune for device risk scoring. Compliance policies can require a low device risk level.
Windows Autopilot: Automates device provisioning. Devices are pre-registered in Intune via hardware hash, then during OOBE they auto-enroll and receive policies.
Configuration Manager (SCCM): Co-management allows you to manage devices with both SCCM and Intune. Workloads (e.g., compliance, app deployment) can be shifted to Intune.
Update Management: Intune manages Windows updates with Update rings and feature update policies (Windows Update for Business), not WSUS; WSUS-based patching belongs to Configuration Manager. Third-party application updates are delivered by deploying the new version as an app (for example a Win32 app with updated detection rules).
Conditional Access: The most critical integration. Conditional access policies can block access to Exchange Online, SharePoint, etc., if a device is not compliant or not enrolled. This requires the device to be Azure AD joined or registered and compliant.
Detailed Breakdown of Enrollment Methods
Windows Enrollment:
- Azure AD Join + Auto-enrollment: When a device joins Azure AD, it enrolls in Intune automatically if the MDM user scope in Azure AD (Mobility > Microsoft Intune) covers the user. This is the most common method for corporate Windows devices.
- Windows Autopilot: Devices are pre-registered with Intune using their hardware hash. During first boot (OOBE), the device contacts the Autopilot deployment service, downloads its Autopilot profile, then joins Azure AD and enrolls in Intune automatically. No IT intervention needed.
- Bulk Enrollment: Use Windows Configuration Designer to create a provisioning package (.ppkg) that includes a bulk enrollment token. Apply the package during OOBE or from USB.
- Group Policy: On-premises AD-joined devices can auto-enroll via the policy "Enable automatic MDM enrollment using default Azure AD credentials" (requires hybrid Azure AD join, because the device authenticates to Intune with its Azure AD device identity).
iOS/iPadOS Enrollment:
- Automated Device Enrollment (ADE): Devices are purchased through Apple Business Manager (ABM) or added to it. In ABM, assign the devices to the Intune MDM server; in Intune, upload the ADE token. During Setup Assistant the device enrolls automatically and becomes supervised.
- User-Initiated Enrollment: The user installs Company Portal and enrolls. Depending on the enrollment type profile this is device enrollment (full MDM) or user enrollment (a managed Apple ID and a separate data volume; limited controls, intended for BYOD).
- Enrollment profiles: For ADE, the admin creates a profile under the uploaded token that controls Setup Assistant screens and user affinity; for user-initiated enrollment, an enrollment type profile decides between device and user enrollment. Users authenticate through Company Portal (or Setup Assistant for ADE with user affinity).
Android Enrollment:
- Android Enterprise Work Profile (personally owned): For BYOD. Creates a separate work profile on the device; Intune manages only the work profile and the apps inside it.
- Fully Managed: For corporate-owned devices used by one user. The entire device is managed. Enrolled during initial setup via QR code, NFC, a setup token, or zero-touch.
- Dedicated Device: For kiosk-style devices with no user affinity. Single-app or multi-app kiosk mode.
- Android Open Source Project (AOSP): For devices that do not ship Google Mobile Services.
macOS Enrollment:
- Automated Device Enrollment: As for iOS, via Apple Business Manager and an ADE token.
- User-Initiated: Company Portal app for macOS (downloaded from Microsoft; it is not in the Mac App Store).
Compliance Policies
Compliance policies define the rules a device must meet to be considered compliant. Common settings:
- Device health: Require BitLocker, Secure Boot and code integrity (Windows), require FileVault (macOS), require encryption and block jailbroken/rooted devices (iOS/Android).
- Device properties: Minimum OS version, maximum OS version, minimum OS build.
- System security: Require a password, minimum password length, maximum minutes of inactivity before a password is required.
- Microsoft Defender for Endpoint: Require the device to be at or under a chosen machine risk score (clear, low, medium, high).
- Actions for noncompliance: Mark device noncompliant (immediately by default, or after a schedule in days that serves as a grace period), send email to end user, send push notification, remotely lock, retire the noncompliant device. Blocking access is not a compliance action; it happens only when a conditional access policy requires a compliant device.
Note: A device can be compliant but still blocked by conditional access if the user is not licensed or the device is not Azure AD joined.
Configuration Profiles
Configuration profiles are settings that configure features on devices. Types:
- Device restrictions: Control hardware/software features (e.g., disable camera, require encryption).
- Email profiles: Configure Exchange ActiveSync settings.
- VPN profiles: Configure VPN connections (native, third-party, or Microsoft Tunnel).
- Wi-Fi profiles: Configure wireless network settings.
- Custom profiles: Use OMA-URI (Windows) or a custom .mobileconfig/plist (iOS, macOS) for settings not exposed in the UI.
- Administrative Templates: For Windows, use ADMX-backed policies.
App Management
Required apps: Installed automatically on devices. Can be assigned to users or devices.
Available apps: Users install from Company Portal.
App configuration policies: Provide settings for apps (e.g., allow or block specific features).
App protection policies (MAM): Apply to managed apps on enrolled or unenrolled devices. Control data transfer between apps, encryption of app data, PIN requirements, and conditional launch checks such as jailbreak/root detection.
Managed Google Play: For Android Enterprise, apps are deployed via Managed Google Play.
Volume Purchase Program (VPP, now Apps and Books in Apple Business Manager): For iOS/macOS, license free or paid App Store apps centrally and deploy them from Intune using the location token.
Remote Actions
Retire: Removes Intune management and company data (managed apps, profiles, certificates, Wi-Fi and VPN settings) while leaving personal data in place. Retire never factory resets the device, so it is the right action for BYOD; for a corporate-owned device that is being reissued or was lost, use Wipe.
Wipe: Factory reset the device. On Windows you can choose to keep the enrollment state and user account, or to continue wiping even if the device loses power. Autopilot Reset is a separate action that resets the device but keeps its Azure AD join, Intune enrollment, and Autopilot registration so it reprovisions without IT touch.
Sync: Forces device to check in immediately.
Locate device: For supervised iOS/iPadOS devices (through Lost mode) and corporate-owned Android Enterprise devices, show the device location on a map.
Lock device: Remotely lock the device.
Reset passcode: Generate a temporary passcode for iOS/Android.
Monitoring and Reporting
Device compliance status: In Endpoint Manager, Devices > Monitor > Device compliance.
Enrollment failures: Devices > Monitor > Enrollment failures.
App install status: Apps > Monitor > App install status.
Logs: Windows devices can be asked to upload diagnostics with the Collect diagnostics remote action. Locally, collect MDM logs with MdmDiagnosticsTool.exe, for example: mdmdiagnosticstool.exe -area DeviceEnrollment;DeviceProvisioning;Autopilot -cab C:\Temp\MDMDiag.cab
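The monitoring views above can also be pulled through Microsoft Graph for fleet-wide triage. The following is an added example, not from the original page: it pages through all managed devices, summarizes compliance state, flags devices that have not checked in for 30 days (the page's rule of thumb, not a tenant setting), and for the first few noncompliant devices lists which compliance policies are failing. It assumes the Microsoft Graph PowerShell SDK is installed; all other names are standard Graph v1.0 properties.

```powershell
# Added example: compliance and staleness report across all Intune managed devices.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All' -NoWelcome

$select = 'id,deviceName,operatingSystem,osVersion,complianceState,lastSyncDateTime,isEncrypted,userPrincipalName'
$uri    = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?`$select=$select"

# Graph returns one page at a time; follow @odata.nextLink until it is absent.
$devices = @()
do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
    $devices += $page.value
    $uri = $page.'@odata.nextLink'
} while ($uri)

$staleDays = 30   # assumption: threshold for "has not checked in"; device cleanup rules use their own setting
$cutoff    = (Get-Date).ToUniversalTime().AddDays(-$staleDays)

# Compliance summary: compliant / noncompliant / inGracePeriod / unknown / conflict / error
$devices | Group-Object complianceState | Select-Object Name, Count | Format-Table -AutoSize

# Stale devices: still in the console, but policies cannot reach them and remote actions queue up
$devices |
    Where-Object { [datetime]$_.lastSyncDateTime -lt $cutoff } |
    Sort-Object lastSyncDateTime |
    Select-Object deviceName, operatingSystem, userPrincipalName, lastSyncDateTime |
    Format-Table -AutoSize

# Noncompliant devices with the policies they fail, so you know which setting to chase
$nonCompliant = $devices | Where-Object { $_.complianceState -eq 'noncompliant' }
foreach ($d in ($nonCompliant | Select-Object -First 5)) {
    $states  = Invoke-MgGraphRequest -Method GET -OutputType PSObject `
        -Uri "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/$($d.id)/deviceCompliancePolicyStates"
    $failing = $states.value | Where-Object { $_.state -ne 'compliant' } | Select-Object -ExpandProperty displayName
    '{0} ({1} {2}, encrypted={3}): {4}' -f $d.deviceName, $d.operatingSystem, $d.osVersion, $d.isEncrypted, ($failing -join '; ')
}
```

Reading the output: a device in the stale list that is also noncompliant is usually not a policy problem at all, because the evaluation you see is from its last check-in; get it online and synced before touching the policy. Devices in state inGracePeriod are still allowed through conditional access until the scheduled "mark noncompliant" action fires.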
Best Practices for MS-102 Exam
Understand the difference between MDM and MAM.
Know the enrollment methods for each platform.
Be able to configure auto-enrollment via Azure AD.
Understand how compliance policies and conditional access work together.
Know the default check-in intervals and how to force a sync.
Be familiar with the Intune admin center layout: Devices, Apps, Endpoint security, Reports, Users, Groups, and Tenant administration.
Know that Intune licensing is included in Microsoft 365 E3/E5, Microsoft 365 Business Premium, Enterprise Mobility + Security E3/E5, and standalone Intune plans.
Common Pitfalls
Mixing up device compliance and conditional access: Compliance policies only mark a device as compliant or not. Conditional access policies use that status to allow/block access. If a device is compliant but still blocked, check the conditional access policy.
Forgetting to assign licenses: Users must have an Intune license to enroll devices. If enrollment fails, check licensing first.
Assuming all devices support all features: For example, Windows Autopilot requires a supported hardware hash and network connectivity. iOS ADE requires a valid MDM push certificate.
Ignoring check-in delays: Policies are not applied instantly. For immediate effect, force a sync from the device.
Integration with Conditional Access
This is a critical exam topic. Conditional access policies can require:
Device to be marked as compliant.
Device to be hybrid Azure AD joined (the 'Require hybrid Azure AD joined device' control). There is no grant control for cloud-only Azure AD join; those devices satisfy the policy by being marked compliant.
App protection policy to be applied (for MAM).
Example: A conditional access policy for Exchange Online that blocks access unless the device is compliant. If a user's device is not enrolled, they cannot access email. Once enrolled and compliant, access is granted.
Troubleshooting
Device not enrolling: Check DNS (device must resolve enrollment.manage.microsoft.com). Check firewall (allow TCP 443 to Intune endpoints). Check user license.
Policy not applying: Force sync. Check if policy is assigned to the correct group. Check if the device meets the policy's platform requirements.
Compliance status unknown: The device may not have checked in recently, or has not yet evaluated the policy after enrollment. Check the last sync time. If device cleanup rules are enabled, records for devices that have not checked in for the configured number of days (minimum 30) are deleted, after which the device appears unenrolled and must re-enroll.
App installation fails: Check if app is supported on the device OS version. Check if the device has enough storage. For iOS VPP, check token validity.
Configure Azure AD auto-enrollment
In the Azure AD admin center, go to Mobility (MDM and MAM) > Microsoft Intune. Under MDM user scope, select All or a specific group. This ensures that when a user in scope joins a device to Azure AD, the device automatically enrolls in Intune. Configure the MAM user scope as well if you use app protection policies on unenrolled devices. This step is a prerequisite for automatic enrollment: if you skip it, Azure AD joined devices will not enroll, and hybrid-joined devices will not enroll even with the Group Policy set. The MDM discovery, terms of use, and compliance URLs are populated automatically. Verify by checking Devices > All devices in Intune for the new device and its Managed by value.
Create device compliance policy
In Endpoint Manager, go to Devices > Compliance policies > Create policy. Select platform (e.g., Windows 10 and later). Configure settings like requiring BitLocker, minimum OS version (e.g., 10.0.19041 for Windows 10 2004), and password length (e.g., 6 characters). Set actions for noncompliance: Mark device noncompliant runs immediately by default, or you can set a schedule in days (e.g., 3 days) as a grace period; optionally add Send email to end user. Assign the policy to a group (e.g., All devices). Once assigned, devices evaluate compliance at their next check-in. Noncompliant devices are blocked only where a conditional access policy requires a compliant device; without one, the state is reported but nothing is enforced.
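The same policy can be created through Microsoft Graph, which is also how you see that the portal's "days" schedule is stored in hours. The following is an added example, not from the original page: it creates the Windows compliance policy described above, sets the mark-noncompliant action to a 3-day grace period, assigns it to a group, and reads back the device status overview. It assumes the Microsoft Graph PowerShell SDK; the group ID is a placeholder you must replace.

```powershell
# Added example: create, assign and verify a Windows 10/11 compliance policy via Graph v1.0.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' -NoWelcome

$groupId = '00000000-0000-0000-0000-000000000000'   # placeholder: Azure AD group that receives the policy

$policy = @{
    '@odata.type'         = '#microsoft.graph.windows10CompliancePolicy'
    displayName           = 'Windows baseline - BitLocker, OS version, password'
    description           = 'Added example policy for the MS-102 compliance chapter'
    bitLockerEnabled      = $true
    secureBootEnabled     = $true
    osMinimumVersion      = '10.0.19041'            # Windows 10 2004
    passwordRequired      = $true
    passwordMinimumLength = 6
    # Graph rejects a policy without scheduledActionsForRule. actionType 'block' is the portal's
    # "Mark device noncompliant"; gracePeriodHours = 72 shows up as a 3-day schedule in the admin center.
    # Use 0 for "immediately". A 'notification' action would additionally need a notificationTemplateId.
    scheduledActionsForRule = @(
        @{
            ruleName = 'PasswordRequired'
            scheduledActionConfigurations = @(
                @{ actionType = 'block'; gracePeriodHours = 72; notificationTemplateId = ''; notificationMessageCCList = @() }
            )
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST -OutputType PSObject `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies' `
    -Body ($policy | ConvertTo-Json -Depth 10) -ContentType 'application/json'
"Created compliance policy $($created.id)"

# Assign to the group. For "All devices" use @{ '@odata.type' = '#microsoft.graph.allDevicesAssignmentTarget' } instead.
$assignment = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $groupId } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 10) -ContentType 'application/json' | Out-Null

# Devices evaluate at their next check-in, so immediately after assignment most counts sit in pending.
Invoke-MgGraphRequest -Method GET -OutputType PSObject `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($created.id)/deviceStatusOverview" |
    Select-Object pendingCount, successCount, failedCount, errorCount, conflictCount, notApplicableCount
```

Note that nothing in this script blocks anyone: until a conditional access policy references compliance, the only visible effect is the state shown in the console. That separation is exactly the exam distinction between compliance policies and conditional access.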
Create a configuration profile
Go to Devices > Configuration profiles > Create profile. Select platform (e.g., Windows 10 and later) and profile type (e.g., Device restrictions). Configure settings such as requiring encryption, disabling the camera, or setting a lock screen timeout (e.g., 15 minutes). For more granular control, use Administrative Templates (ADMX) to configure settings like 'Allow Cortana' or 'Turn off Windows Store'. Assign the profile to a group. Profiles are applied at the next check-in. You can verify application by checking the device's settings or using the Intune console.
Deploy a required application
Go to Apps > All apps > Add. Select app type (e.g., Windows app (Win32)). Upload the app package (e.g., .intunewin file). Configure installation and uninstallation commands (e.g., `msiexec /i app.msi /qn`). Set requirements (e.g., 64-bit OS, minimum OS version). Assign the app as Required to a group. Intune will push the app to devices. For line-of-business apps, use the LOB app type. For store apps, use 'Microsoft Store app (new)'. Monitor installation status under Apps > Monitor.
Configure conditional access with device compliance
In Azure AD admin center, go to Security > Conditional Access > New policy. Name it (e.g., 'Require compliant device for Exchange Online'). Under Assignments, select users/groups and cloud apps (e.g., Office 365 Exchange Online); exclude an emergency-access account so a misconfiguration cannot lock every administrator out. Under Access controls > Grant, select 'Require device to be marked as compliant'; optionally also select 'Require hybrid Azure AD joined device' with 'Require one of the selected controls' (there is no grant control for cloud-only Azure AD join; such devices satisfy the policy by being compliant). Start the policy in Report-only, review the sign-in log results, then set it to On. Once enforced, only compliant (or hybrid joined) devices are allowed; a noncompliant or unenrolled device is blocked with a message directing the user to enroll or fix compliance.
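The conditional access half of this integration can be built the same way. The following is an added example, not from the original page: it creates the Exchange Online policy described above through Microsoft Graph, in report-only mode, scoped to a pilot group, with an emergency-access account excluded, requiring either a compliant device or a hybrid Azure AD joined device. It assumes the Microsoft Graph PowerShell SDK; the pilot group and break-glass IDs are placeholders. The Exchange Online application ID is Microsoft's well-known first-party value.

```powershell
# Added example: conditional access policy requiring a compliant (or hybrid-joined) device for Exchange Online.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All' -NoWelcome

$pilotGroupId   = '11111111-1111-1111-1111-111111111111'   # placeholder: pilot user group
$breakGlassId   = '22222222-2222-2222-2222-222222222222'   # placeholder: emergency-access account, always excluded
$exchangeOnline = '00000002-0000-0ff1-ce00-000000000000'   # well-known app ID of Office 365 Exchange Online

$caPolicy = @{
    displayName = 'Require compliant device for Exchange Online'
    # Report-only: sign-in logs show what would have been blocked, nobody is locked out yet.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        clientAppTypes = @('all')
        applications   = @{ includeApplications = @($exchangeOnline) }
        users          = @{ includeGroups = @($pilotGroupId); excludeUsers = @($breakGlassId) }
        platforms      = @{ includePlatforms = @('windows', 'iOS', 'android', 'macOS') }
    }
    # OR between the two controls. 'domainJoinedDevice' only matches hybrid Azure AD joined devices;
    # a cloud-only Azure AD joined device gets in by being marked compliant by Intune.
    grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice', 'domainJoinedDevice') }
}

$created = Invoke-MgGraphRequest -Method POST -OutputType PSObject `
    -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' `
    -Body ($caPolicy | ConvertTo-Json -Depth 10) -ContentType 'application/json'
"Created conditional access policy $($created.id) in state $($created.state)"

# After reviewing report-only results, enforce it by patching the state:
# Invoke-MgGraphRequest -Method PATCH `
#     -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/$($created.id)" `
#     -Body (@{ state = 'enabled' } | ConvertTo-Json) -ContentType 'application/json'
```

Two practitioner caveats the portal hides: the excluded emergency account must itself be protected by some other control (a dedicated MFA policy or hardware key), and a device that is "in grace period" in Intune still satisfies compliantDevice, so a generous noncompliance schedule directly delays enforcement here.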
Enterprise Scenario 1: Windows Autopilot for New Hires
A large enterprise with 10,000 employees orders new Dell laptops directly from the manufacturer. The IT team registers the device hardware hashes in Intune via a CSV file uploaded to Endpoint Manager. They create an Autopilot deployment profile that joins the device to Azure AD, auto-enrolls in Intune, and assigns a device name prefix like 'CORP-WIN-'. When a new employee receives the laptop, they power it on, connect to Wi-Fi, and sign in with their corporate credentials. The device automatically enrolls, receives compliance policies (BitLocker, Windows Defender), configuration profiles (VPN, Wi-Fi), and required apps (Office 365, Teams). The entire process takes under 30 minutes with zero IT touch. Common issues: if the hardware hash is incorrect, the device may not recognize the Autopilot profile and will go through standard OOBE. Also, if the user's license is missing, enrollment fails.
Enterprise Scenario 2: BYOD iOS with App Protection Policies
A healthcare organization allows nurses to use personal iPhones to access patient records via a custom app built with the Intune App SDK. They do not want to manage the entire device (MDM) due to privacy concerns. Instead, they deploy app protection policies (MAM) targeted at that app. The policy requires a 6-digit PIN to open the app, encrypts app data at rest, restricts cut/copy/paste to other managed apps, and blocks launch on jailbroken devices. Nurses install the app from the App Store and sign in with their work account; the policy is applied when the work account is added. If the device is jailbroken, the conditional launch setting blocks the app. This approach protects corporate data without giving IT control over personal devices. Common misconfiguration: forgetting to assign the policy to the correct user group, or targeting the wrong app (policies are applied per app, so a custom app must be added by its bundle ID).
Enterprise Scenario 3: Android Fully Managed for Retail Kiosks
A retail chain uses Android tablets as kiosks for price checking. The tablets are corporate-owned and run a single app. IT uses Android Enterprise fully managed mode. They enroll devices using a QR code during setup. Intune pushes a device restrictions profile that locks the device to kiosk mode (single app). The app is deployed as a required app from Managed Google Play. Updates are managed via Intune. If a tablet is stolen, IT can remotely wipe it. Performance considerations: tablets should have enough storage for the app and future updates. Common issues: if the QR code is expired or incorrect, enrollment fails. Also, if the app is not published to Managed Google Play, deployment fails.
What MS-102 Tests
The MS-102 exam objective 2.4 covers 'Manage devices with Intune'. Specifically:
Configure enrollment for Windows, iOS, Android, macOS.
Create and manage compliance policies.
Create and manage configuration profiles.
Deploy and manage applications.
Manage device compliance and conditional access integration.
Perform remote device actions.
Monitor device health and compliance.
Common Wrong Answers and Why
'Enrollment requires the device to be on the corporate network.' – Wrong. Intune is cloud-based; devices enroll over the internet. The correct answer is that enrollment works from anywhere with internet access.
'Compliance policies automatically block access to resources.' – Wrong. Compliance policies only mark the device as noncompliant. Conditional access policies use that status to block access. Without a conditional access policy, a noncompliant device can still access resources.
'Windows Autopilot requires Configuration Manager.' – Wrong. Autopilot is independent; it uses Intune and Azure AD. Co-management is optional.
'App protection policies require the device to be enrolled in MDM.' – Wrong. MAM policies work on unenrolled devices. That's their key advantage.
Specific Numbers and Terms
Default check-in interval: about 8 hours on every platform (Windows, iOS/iPadOS, Android, macOS) after the initial post-enrollment burst.
Policy push notification: within 15 minutes.
MDM certificate renewal: 30 days before expiry.
Grace period for compliance: the Mark device noncompliant action runs immediately by default; a schedule in days is configurable per policy (the Graph API stores it as gracePeriodHours).
Autopilot reset: keeps provisioning data.
Enrollment methods: automatic, user-initiated, bulk, ADE, zero-touch.
Compliance actions: mark noncompliant, send email, send push notification, remotely lock, retire noncompliant device. Blocking comes from conditional access, not from the compliance policy.
Edge Cases and Exceptions
Hybrid Azure AD joined devices: These devices are joined to on-premises AD and registered with Azure AD. They can be auto-enrolled via Group Policy. The exam may test the difference between Azure AD joined and hybrid joined.
Windows 10/11 in S mode: These devices can enroll in Intune, but S mode only allows apps from the Microsoft Store, so Win32 and line-of-business installs do not apply. Intune can switch a device out of S mode with an edition upgrade and mode switch profile; the switch is one-way.
macOS enrollment: User-initiated enrollment uses the Company Portal app for macOS, downloaded from Microsoft (it is not distributed through the Mac App Store). Automated enrollment requires Apple Business Manager.
Dedicated devices (Android): Kiosk devices with no user affinity. Nobody signs in, so user-targeted policies and app protection policies do not apply; target them with device groups.
Conditional access with MAM: Can require an app protection policy instead of device compliance. This is for BYOD without MDM.
How to Eliminate Wrong Answers
If the question is about blocking access, look for conditional access in the answer choices. If it's about device settings, look for compliance policy or configuration profile.
If the question mentions 'without enrolling the device', the answer involves app protection policies (MAM).
If the question mentions 'new device out of box', think Autopilot.
If the question mentions 'corporate-owned iOS devices', think Apple Business Manager and ADE.
If the question mentions 'user chooses to enroll', think Company Portal.
Look for key words: 'automatically' vs 'manually', 'required' vs 'available', 'device' vs 'app'.
Intune is a cloud-based UEM service; no on-premises infrastructure required.
Enrollment methods vary by platform: Windows (Autopilot, Azure AD join), iOS (ADE, Company Portal), Android (Android Enterprise work profile, fully managed).
Default device check-in interval is about 8 hours on all platforms (Windows, iOS/iPadOS, Android, macOS).
Compliance policies mark devices as compliant/noncompliant; conditional access policies use that status to block/allow access.
App protection policies (MAM) work on unenrolled devices and protect corporate app data.
Windows Autopilot automates device provisioning using hardware hash registered in Intune.
Conditional access can require a device to be compliant, to be hybrid Azure AD joined, or to have an app protection policy applied (the app protection control applies to iOS/iPadOS and Android).
Remote actions include wipe, retire, sync, locate, lock, and reset passcode.
Licensing: Intune is included in Microsoft 365 E3/E5, EMS E3/E5, or standalone Intune.
Co-management allows splitting workloads between Configuration Manager and Intune.
These come up on the exam all the time. Here's how to tell them apart.
MDM (Mobile Device Management)
Manages the entire device: settings, compliance, apps, remote wipe.
Requires device enrollment (enrollment in Intune).
Can enforce device-level policies like encryption, password, and OS version.
Best for corporate-owned devices (COBO/COPE).
Device must be Azure AD joined or registered.
MAM (Mobile Application Management)
Manages only corporate apps and data within them.
Does not require device enrollment; works on personal devices.
Can enforce app-level policies like PIN, data encryption, and copy-paste restrictions.
Best for BYOD scenarios where privacy is key.
No Azure AD join required; user signs into app with work account.
Mistake
Intune requires an on-premises server like Configuration Manager.
Correct
Intune is a cloud-only service. It does not require any on-premises infrastructure. Configuration Manager is a separate product that can be used alongside Intune via co-management, but Intune itself is fully cloud-based.
Mistake
Device compliance policies block access to Office 365 automatically.
Correct
Compliance policies only mark a device as compliant or noncompliant. They do not enforce access control. To block access, you must create a conditional access policy that references the compliance status.
Mistake
All devices must be enrolled in Intune to receive app protection policies.
Correct
App protection policies (MAM) work on devices that are not enrolled in MDM. They protect corporate data within apps without requiring device enrollment. This is ideal for BYOD scenarios.
Mistake
Windows Autopilot requires the device to be joined to an on-premises domain.
Correct
Windows Autopilot typically joins devices to Azure AD (cloud-only). Hybrid Azure AD join is possible but requires additional configuration and connectivity to a domain controller. The default is Azure AD join.
Mistake
Once a policy is assigned, it applies instantly to all devices.
Correct
Policies are applied at the next device check-in, which occurs every 8 hours by default. For immediate application, you can force a sync from the device or wait for a push notification (up to 15 minutes).
Quick review
Q: What is the difference between MDM and MAM?
A: MDM manages the entire device (enrollment, policies, compliance, remote wipe). MAM manages only corporate apps and the data within them, without enrolling the device. MDM is for corporate-owned devices or full control; MAM is for BYOD where you want to protect data without managing the personal device. Both can be used together: an enrolled device can also have app protection policies.
Q: How do you force a device to sync with Intune?
A: On Windows, go to Settings > Accounts > Access work or school > select your account > Info > Sync. On iOS/Android, open Company Portal > Devices > select the device > Sync. Alternatively, trigger a sync from the Intune admin center by selecting the device and clicking Sync. The device receives a push notification and checks in within minutes.
Q: Can Intune manage a device that is offline?
A: Intune requires internet connectivity to manage devices. If a device is offline, it cannot check in, receive policies, or be remotely wiped. Policies are applied at the next check-in when the device comes online; remote actions queue until then. There is no offline management capability.
Q: What is the default grace period before a device is marked noncompliant?
A: By default the "Mark device noncompliant" action runs immediately (0 days). You can set a schedule in days (for example 3 days) under actions for noncompliance; until it elapses the device shows as "in grace period" and is still treated as compliant by conditional access. The Graph API stores the same value as gracePeriodHours.
Q: How do you enroll an iOS device that was not purchased through Apple Business Manager?
A: Use user-initiated enrollment via the Company Portal app. The user downloads Company Portal from the App Store, signs in with their work account, and follows the prompts to enroll. This enrolls the device in MDM but does not make it supervised (ADE is required for supervision).
Q: What is the difference between a configuration profile and a compliance policy?
A: A configuration profile configures device settings (e.g., VPN, Wi-Fi, restrictions). A compliance policy defines rules the device must meet to be considered compliant (e.g., encryption, OS version). Configuration profiles are applied regardless of compliance; compliance results feed conditional access.
Q: Can Intune deploy Win32 applications?
A: Yes, Intune supports Win32 app deployment. Convert the app to the .intunewin format with the Microsoft Win32 Content Prep Tool, upload it in the Intune admin center, specify installation and uninstallation commands plus a detection rule, and assign it as required or available. Intune downloads and installs the app on Windows devices.