This chapter covers Microsoft Intune and Microsoft Endpoint Manager, the core modern management solutions for endpoints in Microsoft 365. For the MS-900 exam, approximately 15-20% of questions in Domain 2 (M365 Productivity) relate to endpoint management, compliance, and device policies. Understanding Intune’s role in MDM, MAM, and co-management with Configuration Manager is essential for passing the exam.
Imagine you are the operations manager for a delivery company with 10,000 vehicles (devices) and 12,000 drivers (users). Each vehicle needs to be configured with GPS, cargo locks, and safety checks before every trip. Instead of manually configuring each vehicle, you have a central Fleet Management System (Microsoft Intune) that communicates with every vehicle via a cellular link (the internet). When a new vehicle joins the fleet, it automatically connects to the system, downloads its configuration profile (e.g., GPS settings, cargo lock rules), and reports back its status. If you decide to update the safety check protocol, you push a new policy from the central console; the system uses a pull mechanism—the vehicle checks in periodically (every 8 hours by default for Windows devices) and downloads the update. If a vehicle fails to check in for 30 days, it is marked as non-compliant and can be remotely wiped (factory reset) to protect sensitive cargo. The system also integrates with your HR database (Azure AD) so that when a driver leaves the company, their access is revoked and the vehicle is reassigned automatically. This mirrors how Intune uses MDM and MAM policies, Azure AD identity, and compliance rules to manage endpoints at scale.
What is Microsoft Intune and Endpoint Manager?
Microsoft Intune is a cloud-based unified endpoint management (UEM) solution that is part of Microsoft Endpoint Manager (MEM). MEM is an integrated product suite that combines Intune with Configuration Manager (SCCM) and Desktop Analytics to provide a single console for managing endpoints across on-premises, cloud, and hybrid environments. Intune focuses on mobile device management (MDM) and mobile application management (MAM) without requiring on-premises infrastructure. It enforces policies, controls device access, and manages applications on Windows, macOS, iOS/iPadOS, and Android devices.
How Intune Works Internally
Intune operates on a client-server model. The Intune service is hosted in Azure, and devices enroll by installing the Intune Company Portal app (or using built-in MDM enrollment for Windows 10/11). Enrollment creates a certificate-based trust relationship between the device and Intune. The device receives a management certificate that allows Intune to push policies and commands.
Enrollment process: For Windows 10/11, users go to Settings > Accounts > Access work or school > Connect. The device registers with Azure AD (AAD) and enrolls in Intune. A device object is created in AAD (AAD registered or AAD joined) and an Intune device record is created.
Policy delivery: Intune uses a pull mechanism. Devices check in with the Intune service every 8 hours (default for Windows; configurable via the CheckinFrequency policy). During check-in, the device reports its compliance status and downloads any new or updated policies. Policies are XML-based configuration payloads (OMA-URI for Windows, Apple Configurator profiles for iOS, etc.).
Compliance and conditional access: Compliance policies define rules (e.g., require BitLocker, minimum OS version). The device evaluates these rules locally and reports compliance status. Conditional Access policies in Azure AD use that status to allow or block access to cloud apps like Exchange Online and SharePoint.
Key Components, Values, and Defaults
Enrollment restrictions: By default, all platforms are allowed. You can block personal devices (iOS, Android) or require corporate ownership.
Compliance policies: Evaluated at each check-in. The default grace period for non-compliance is 30 days before the device is marked as non-compliant.
Configuration profiles: Include device restrictions, endpoint protection, and custom policies. For Windows, many settings use the CSP (Configuration Service Provider) architecture.
App protection policies (MAM): Apply to apps without managing the device. For example, require PIN to open Outlook, prevent copy/paste to personal apps.
Retire/wipe: Retire removes company data and management profile; wipe performs factory reset.
Co-management: Enables simultaneous management of Windows 10/11 devices by both Intune and Configuration Manager. Workloads (e.g., policies, apps) can be shifted gradually to Intune.
Configuration and Verification Commands
While Intune is primarily managed via the MEM admin center (https://endpoint.microsoft.com), some tasks can be done via PowerShell or Graph API.
- PowerShell module: Microsoft.Graph.Intune or Microsoft.Graph (v2). Example to get all devices:

```powershell
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All"
Get-MgDeviceManagementManagedDevice
```

- Graph API endpoint: https://graph.microsoft.com/beta/deviceManagement/managedDevices
- Device status commands (Windows): `dsregcmd /status` shows Azure AD join status; `Get-MgDeviceManagementManagedDevice -Filter "deviceName eq 'PC001'"` shows the Intune compliance state for a single device.
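The commands above expanded into a reusable report, as an added example that is not part of the original guide. It assumes the Microsoft.Graph PowerShell SDK v2 (Microsoft.Graph.DeviceManagement module) is installed and uses only the read-only scope listed above; the 30-day stale threshold is a local choice taken from this page's grace-period figure, not an Intune check-in default, and `PC001` is the sample device name used on the page.

```powershell
# Added example (not from the original guide): report Intune-managed devices by
# compliance state and flag devices that have not checked in recently.
# Assumes the Microsoft.Graph PowerShell SDK v2 (Microsoft.Graph.DeviceManagement)
# and the read-only scope DeviceManagementManagedDevices.Read.All.

function Get-IntuneDeviceReport {
    param(
        # Days without a check-in after which a device is flagged as stale.
        # 30 mirrors the grace-period figure on this page; it is a local choice, not an Intune default.
        [int]$StaleAfterDays = 30,
        # Optional CSV path for the stale-device list (e.g. for a ticket or SOC hand-off).
        [string]$ExportPath
    )

    Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All" | Out-Null

    # -All follows Graph paging, so tenants with more than one page of devices are fully enumerated.
    $devices = Get-MgDeviceManagementManagedDevice -All

    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$StaleAfterDays)

    # 1. Compliance summary: compliant / noncompliant / inGracePeriod / unknown, etc.
    $summary = $devices | Group-Object -Property ComplianceState |
        Select-Object @{ n = 'ComplianceState'; e = { $_.Name } }, Count

    # 2. Devices that have not synced inside the window. A device that never checks in
    #    never re-evaluates compliance, so these deserve a look before the grace period lapses.
    $stale = $devices |
        Where-Object { $_.LastSyncDateTime -lt $cutoff } |
        Select-Object DeviceName, UserPrincipalName, OperatingSystem, OSVersion,
                      ManagedDeviceOwnerType, ComplianceState, LastSyncDateTime |
        Sort-Object LastSyncDateTime

    # 3. Non-compliant devices that are still active (checked in recently but failing a rule).
    $failing = $devices |
        Where-Object { $_.ComplianceState -eq 'noncompliant' -and $_.LastSyncDateTime -ge $cutoff } |
        Select-Object DeviceName, UserPrincipalName, OperatingSystem, LastSyncDateTime

    if ($ExportPath) {
        $stale | Export-Csv -Path $ExportPath -NoTypeInformation
    }

    [pscustomobject]@{
        TotalDevices       = $devices.Count
        ComplianceSummary  = $summary
        StaleDevices       = $stale
        ActiveNonCompliant = $failing
    }
}

# Usage: run the report, then drill into one device by name as the guide shows.
$report = Get-IntuneDeviceReport -StaleAfterDays 30
$report.ComplianceSummary | Format-Table -AutoSize
$report.StaleDevices | Format-Table -AutoSize
Get-MgDeviceManagementManagedDevice -Filter "deviceName eq 'PC001'" |
    Select-Object DeviceName, ComplianceState, LastSyncDateTime
```

The report separates two populations that the admin center's single compliance column blurs together: devices that are actively failing a rule (a configuration problem) and devices that have stopped checking in altogether (a possible lost, wiped or decommissioned device), which is the case the page's 30-day retire rule is designed for.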
Interaction with Related Technologies
Intune integrates deeply with:
- Azure AD: Device identity, Conditional Access, and user/group targeting.
- Microsoft Defender for Endpoint: Receives device risk scores that can be used in compliance policies.
- Microsoft 365 Apps: Deploys Office updates via Intune or uses update rings.
- Windows Autopilot: Automates device provisioning by pre-registering hardware hashes and assigning policies during OOBE.
- Configuration Manager: Co-management allows workload transition; distribution points can be used for large content.
Common Exam Numbers
Default check-in frequency: 8 hours for Windows, 6 hours for iOS, 8 hours for Android.
Non-compliance grace period: 30 days (configurable).
Maximum number of devices per user: 15 (default limit, can be increased).
Autopilot: requires Windows 10/11 Pro, Enterprise, or Education; maximum 500 devices per CSV upload.
MAM without enrollment: Supported for iOS/iPadOS and Android; Windows apps require enrollment for full MAM.
Device Enrollment in Intune
The user initiates enrollment by installing the Company Portal app or using OS-native MDM enrollment (e.g., Windows Settings > Access work or school > Connect). The device contacts the Intune service and Azure AD to register. A management certificate is issued. The device becomes managed and receives a device object in both Azure AD and Intune. The Intune service records the device's platform, OS version, serial number, and ownership type (corporate or personal). Enrollment can be user-driven or automated via Windows Autopilot or Apple Automated Device Enrollment (ADE).
Policy Assignment and Check-In
An admin creates a configuration profile or compliance policy in the MEM admin center, targeting a group of users or devices. The policy is stored in the Intune service. When the device checks in (default every 8 hours for Windows), it sends a request to the Intune service endpoint. The service responds with any new or updated policies. The device applies the policies locally, using platform-specific mechanisms (e.g., CSP for Windows, configuration profiles for iOS). The device reports back the result (success or failure).
Compliance Evaluation and Conditional Access
The device evaluates compliance policies at each check-in. For example, the policy may require BitLocker encryption and a minimum OS version. The device checks these conditions and reports compliance status (compliant, non-compliant, or grace period). Azure AD Conditional Access policies reference this status. If the device is non-compliant, access to corporate resources (e.g., Exchange Online, SharePoint) is blocked. The user sees a message to remediate (e.g., enable BitLocker).
Application Management via MAM
Mobile Application Management (MAM) policies protect corporate data within apps without managing the whole device. An admin creates an app protection policy targeting a user group and selects apps (e.g., Outlook, Word). The policy includes settings like require PIN (4 digits), encrypt app data, and prevent copy/paste to unmanaged apps. When the user launches the app, it checks with Intune for any applicable policies. If none, the app may block access. The policies are enforced at the app level, even on personal devices.
Device Retirement or Wipe
When a device is lost, stolen, or a user leaves the organization, an admin can retire or wipe the device. Retire removes all company data and the management profile but leaves personal data intact. Wipe performs a factory reset, removing all data. The action is triggered from the MEM admin center. The device receives the command at its next check-in. For offline devices, the command is queued until the device checks in. If the device never checks in, the admin can manually mark it as 'retired' after 30 days (configurable).
Enterprise Scenario 1: Contoso Manufacturing – 10,000 Windows 10 Devices
Contoso uses Intune to manage Windows 10 Pro devices across 50 factories. They deploy a standard configuration profile that enables BitLocker, Windows Defender Firewall, and sets a 15-minute screen timeout. Compliance policies require all devices to have BitLocker enabled and OS version at least 1909. They use Conditional Access to block access to SAP from non-compliant devices. Initially, they configured the check-in frequency to 1 hour, causing network congestion on the Intune service. They changed it to 8 hours, reducing load. A common issue: some devices failed to enable BitLocker due to missing TPM; they created a remediation script via PowerShell that runs at check-in.
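A detection and remediation pair of the kind Scenario 1 describes, which also exercises the BitLocker check from the compliance evaluation section above, as an added example that is not Contoso's script and not part of the original guide. It assumes Windows 10/11 with the built-in BitLocker and TrustedPlatformModule PowerShell modules, that both scripts run as SYSTEM from the Intune remediations feature, and the convention that a detection script exits 0 when the device is healthy and 1 when remediation is needed. The pair handles the failure mode from the scenario: a device with no TPM is reported for hardware review rather than left half-configured.

```powershell
# Added example, not part of the original guide. Two scripts packaged as an Intune
# remediation (detection + remediation), shown in one listing; save each section as its own .ps1.
# Assumptions: Windows 10/11 with the BitLocker and TrustedPlatformModule modules,
# runs as SYSTEM in a 64-bit host, and the system drive is $env:SystemDrive.

# ===== Detect-BitLocker.ps1 =====
# Exit 0 = compliant, exit 1 = remediation needed. Output text is visible in the admin center.
$drive = $env:SystemDrive

$tpm = Get-Tpm -ErrorAction SilentlyContinue
if (-not $tpm -or -not $tpm.TpmPresent) {
    # The failure mode from the scenario: without a TPM a TPM protector cannot be created.
    # Report it so the device lands in a hardware-review list instead of retrying forever.
    Write-Output "NoTPM: $drive cannot use a TPM protector"
    exit 1
}

$vol = Get-BitLockerVolume -MountPoint $drive
if ($vol.ProtectionStatus -eq 'On') {
    Write-Output "Compliant: $drive protection On ($($vol.VolumeStatus))"
    exit 0
}
Write-Output "NonCompliant: $drive protection $($vol.ProtectionStatus), volume $($vol.VolumeStatus)"
exit 1

# ===== Remediate-BitLocker.ps1 =====
$drive = $env:SystemDrive

$tpm = Get-Tpm -ErrorAction SilentlyContinue
if (-not $tpm -or -not $tpm.TpmPresent) {
    Write-Output "NoTPM: skipping, needs hardware review"
    exit 1
}

$vol = Get-BitLockerVolume -MountPoint $drive
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    # Fresh enable: TPM protector for unlock, recovery password for the helpdesk.
    Enable-BitLocker -MountPoint $drive -EncryptionMethod XtsAes256 -TpmProtector -UsedSpaceOnly -SkipHardwareTest | Out-Null
    Add-BitLockerKeyProtector -MountPoint $drive -RecoveryPasswordProtector | Out-Null
}
elseif ($vol.ProtectionStatus -eq 'Off') {
    # Already encrypted but protection suspended (e.g. after a firmware update): resume, do not re-encrypt.
    Resume-BitLocker -MountPoint $drive | Out-Null
}

# Escrow every recovery password to Azure AD so it is available under the device in the admin center.
$vol = Get-BitLockerVolume -MountPoint $drive
$vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | ForEach-Object {
    BackupToAAD-BitLockerKeyProtector -MountPoint $drive -KeyProtectorId $_.KeyProtectorId | Out-Null
}

if ((Get-BitLockerVolume -MountPoint $drive).ProtectionStatus -eq 'On') { exit 0 } else { exit 1 }
```

The detection script never changes state, so it is safe to run on every check-in; the remediation script distinguishes a decrypted volume (enable from scratch) from a suspended one (resume), because calling Enable-BitLocker on an already-encrypted volume is the kind of repeated failure that shows up as a stuck remediation in the console.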
Enterprise Scenario 2: Fabrikam – 5,000 iOS and Android Devices
Fabrikam uses Intune MAM without enrollment for BYOD. Employees install Outlook and Teams on personal phones. App protection policies require a 6-digit PIN, block screenshots, and prevent saving attachments to personal cloud storage. They also use Intune MDM for 500 corporate iPhones with Apple ADE. They had a problem where users bypassed the PIN requirement by using the app without network connectivity; they enabled an offline grace period of 720 minutes (12 hours), after which the app requires the PIN again. They also discovered that MAM policies for Android require the Company Portal app to be installed, even for MAM-only scenarios.
Scenario 3: Northwind Traders – Co-management with Configuration Manager
Northwind has 20,000 Windows 10 devices managed by Configuration Manager. They are migrating to Intune gradually using co-management. They set up co-management in the MEM admin center, enabling pilot workloads for policies and apps. They use Desktop Analytics to identify devices ready for Intune. They shifted the 'Device compliance' workload to Intune first, then 'Windows Update policies'. They encountered a conflict where both Configuration Manager and Intune deployed a BitLocker policy; they resolved by setting the co-management authority to 'Intune' for that workload. They also use the 'Co-management settings' to automatically enroll eligible devices into Intune.
What MS-900 Tests on Intune and Endpoint Manager
- Objective 2.5: Describe endpoint management capabilities of Microsoft 365. This includes understanding Intune, Endpoint Manager, co-management, and the difference between MDM and MAM.
- Common exam questions:
  1. 'Which tool is used for mobile device management?' Answer: Intune. Wrong answer: Configuration Manager (which is for on-premises).
  2. 'What is the default check-in frequency for Windows devices?' Answer: 8 hours. Wrong answer: 1 hour or 24 hours.
  3. 'Which feature allows management of apps without enrolling the device?' Answer: MAM (Mobile Application Management). Wrong answer: MDM.
  4. 'What is the purpose of compliance policies?' Answer: To enforce security requirements and enable Conditional Access.
Trap Patterns
MDM vs. MAM: The exam loves to ask which one is used for app-level protection without device enrollment. Many candidates confuse MAM with MDM. Remember: MAM = app protection policies; MDM = full device management.
Co-management: Candidates often think co-management requires all workloads to be split, but actually you can shift workloads one by one. The exam may ask which workload can be shifted first (e.g., compliance, policies, apps).
Autopilot: Not to be confused with Intune enrollment. Autopilot is a provisioning method that uses Intune to apply policies after enrollment. The exam might ask: 'Which feature allows zero-touch deployment?' Answer: Windows Autopilot.
Numbers: Remember the default non-compliance grace period (30 days) and maximum devices per user (15). The exam may present a scenario where a user has 16 devices and ask what happens.
How to Eliminate Wrong Answers
If a question mentions 'on-premises' or 'SCCM', the answer is likely Configuration Manager, not Intune.
If a question says 'without enrolling the device', think MAM.
If a question says 'compliance status used by Azure AD', think Conditional Access.
For numbers, if you don't know the exact value, eliminate extremes (e.g., 1 hour is too frequent for check-in; 30 days is typical for grace).
Microsoft Intune is a cloud-based UEM solution for managing devices and apps.
MDM requires device enrollment; MAM does not.
Default check-in frequency for Windows is 8 hours; for iOS 6 hours; for Android 8 hours.
Non-compliance grace period defaults to 30 days.
Co-management allows shifting workloads from Configuration Manager to Intune gradually.
Windows Autopilot enables zero-touch provisioning using Intune and Azure AD.
App Protection Policies (MAM) require the Company Portal app on Android for policy enforcement.
Conditional Access uses Intune compliance status to allow/block access to cloud apps.
Maximum devices per user default is 15 (configurable).
Intune is included in Microsoft 365 E3, E5, and Business Premium licenses.
These come up on the exam all the time. Here's how to tell them apart.
Microsoft Intune (Cloud)
Cloud-based, no on-premises infrastructure required.
Uses pull-based check-in (default every 8 hours).
Supports MDM for mobile platforms (iOS, Android).
Integrates natively with Azure AD and Conditional Access.
Licensed as part of Microsoft 365 E3/E5 or standalone.
Configuration Manager (On-Premises)
Requires on-premises servers and SQL database.
Uses push-based client notification (near real-time).
Primarily manages Windows desktops and servers.
Integrates with on-prem AD and can connect to Azure AD.
Licensed separately (System Center CALs).
MDM (Mobile Device Management)
Manages the entire device (settings, compliance, wipe).
Requires device enrollment.
Can apply device-level restrictions (e.g., camera disable).
Supports corporate-owned and BYOD with full management.
Enforces compliance for Conditional Access.
MAM (Mobile Application Management)
Manages only applications (e.g., Outlook, Word).
Does not require device enrollment.
Applies app-level policies (e.g., PIN, copy/paste restrictions).
Ideal for BYOD where users retain control of device.
Protects corporate data even on personal devices.
Mistake
Intune requires on-premises infrastructure like Configuration Manager.
Correct
Intune is a cloud-only service. It does not require any on-premises servers. Configuration Manager is a separate product that can be used with Intune via co-management.
Mistake
MAM policies require the device to be enrolled in Intune MDM.
Correct
MAM policies (App Protection Policies) can be applied to apps on devices that are not enrolled in MDM. This is a key differentiator for BYOD scenarios.
Mistake
The default check-in frequency for Intune is 1 hour.
Correct
The default check-in frequency for Windows devices is 8 hours. For iOS it is 6 hours, and for Android it is 8 hours.
Mistake
Compliance policies can block access to on-premises applications directly.
Correct
Compliance policies themselves do not block access. They generate a compliance status that is used by Azure AD Conditional Access to block access to cloud apps. For on-premises apps, you need Azure AD App Proxy or VPN with Conditional Access.
Mistake
Windows Autopilot requires devices to be already enrolled in Intune.
Correct
Autopilot is a deployment method that automates the enrollment process. Devices are pre-registered in Autopilot, and during OOBE they automatically enroll in Intune and Azure AD. Autopilot does not require prior enrollment.
Microsoft Endpoint Manager (MEM) is the umbrella brand that includes Intune, Configuration Manager, and Desktop Analytics. Intune is the cloud component of MEM. On the MS-900 exam, 'Endpoint Manager' refers to the integrated suite, while 'Intune' specifically means the cloud MDM/MAM service.
No, Intune is designed for client devices (Windows, iOS, Android, macOS). For servers, use Configuration Manager or Azure Arc. However, Intune can manage Windows 10/11 and Windows 365 Cloud PCs.
On Windows, go to Settings > Accounts > Access work or school > select the account > Info > Sync. Alternatively, use the command: `Start-Process -FilePath "C:\Program Files\Microsoft Online Services\SignInAssistance\SignInAssistance.exe" -ArgumentList "sync"` or the Graph API endpoint. In the admin center, you can also select the device and click 'Sync'.
Retire removes all company data and the management profile from the device, but leaves personal data intact. Wipe performs a factory reset, removing all data (both corporate and personal). Use retire for BYOD scenarios; use wipe for corporate-owned devices.
As of the current exam, Intune does not support managing Linux devices. It supports Windows, macOS, iOS/iPadOS, and Android. Linux support may appear in future updates, but for MS-900, assume it is not supported.
Intune compliance policies generate a compliance status for each device (compliant, non-compliant, unknown). Azure AD Conditional Access policies can use this status as a condition. For example, 'Require device to be marked as compliant' blocks access from non-compliant devices.
The default limit is 15 devices per user. This can be increased by contacting Microsoft support. The exam may test this number.