This chapter covers Microsoft Intune as the core endpoint management solution within Microsoft Endpoint Manager, focusing on its role in securing devices and applications. For the SC-900 exam, Intune appears in roughly 10-15% of questions under objective 3.4 (Microsoft Endpoint Manager and endpoint security). You must understand the difference between MDM and MAM, how compliance policies work, and how Intune integrates with Conditional Access. This chapter provides the precise technical details and exam-focused insights you need to answer those questions correctly.
Imagine a company that issues 10,000 delivery trucks to its drivers. Each truck must meet safety standards: tire pressure, brake function, cargo locks. Without a fleet manager, every truck is independent — the company cannot enforce that a driver fixes a brake light or updates the GPS. Microsoft Intune is like a centralized fleet manager with two roles: Mobile Device Management (MDM) and Mobile Application Management (MAM). MDM is like requiring each truck to have a telematics box that reports location, speed, and engine health. The fleet manager can remotely lock a truck, wipe its cargo logs, or force a software update. MAM is like the company issuing a branded GPS app that runs on the driver's personal smartphone. The fleet manager doesn't control the phone itself, but they can enforce that the GPS app requires a PIN, cannot copy data to a personal app, and can remotely wipe only the corporate data from that app. In Intune, MDM manages the entire device (like the truck), while MAM manages only the corporate apps and data on a personally owned device (BYOD). The fleet manager uses policies called 'compliance policies' to check if a device meets minimum requirements (e.g., encryption enabled, OS version minimum, jailbreak/root detection). If a device is noncompliant, the manager can block access to corporate resources or even wipe the device. Conditional Access policies in Azure AD work with Intune to enforce these checks before granting access to email or SharePoint. This analogy mirrors Intune's architecture: Intune is the policy engine, Azure AD is the identity provider, and Conditional Access is the gatekeeper that checks device compliance before issuing a token. Managers (IT admins) create policies in Intune, which are enforced by the Intune client agent on the device (MDM) or by app protection policies within the app (MAM).
What is Microsoft Intune and Why Does It Exist?
Microsoft Intune is a cloud-based endpoint management solution that is part of Microsoft Endpoint Manager (MEM). Its primary purpose is to enable organizations to manage devices (Windows, iOS, Android, macOS) and the applications running on them, enforcing security policies without requiring on-premises infrastructure like a Configuration Manager site server. Intune addresses the modern challenge of managing a diverse fleet of corporate-owned and personally-owned devices (BYOD) that access corporate data.
Intune provides two primary management modalities:
- Mobile Device Management (MDM): The device is enrolled with Intune, giving the organization full control over device-level settings, security configurations, and compliance. The device is essentially 'managed' – IT can push policies, install required apps, and remotely lock or wipe the device.
- Mobile Application Management (MAM): No device enrollment is required. Instead, Intune manages corporate applications and data on the device through App Protection Policies (APP). This is used for BYOD scenarios where the organization does not want to manage the entire device but needs to protect corporate data within apps like Outlook, Teams, or SharePoint.
How Intune Works Internally
Intune is a cloud service hosted in Azure. Its architecture consists of:
- Intune Service: The cloud backend that stores policies, reports, and device status.
- Intune Management Extension (IME): A client agent installed on Windows devices that handles policy enforcement, app installation, and reporting.
- Company Portal App: The user-facing app on enrolled devices that allows users to enroll, view compliance status, install available apps, and perform remote actions.
- App Protection Policy (APP) SDK: Integrated into Microsoft and third-party apps to enforce MAM policies at the app level.
When a device is enrolled, the following occurs at a high level:
1. The device registers with Azure AD and enrolls with Intune.
2. The Intune service identifies the user and device, and assigns the appropriate policies based on group membership.
3. The device checks in with Intune periodically (default check-in interval is 8 hours, but can be as low as 1 hour for critical policies).
4. The Intune client downloads and applies policies, installs required apps, and reports compliance status.
5. Conditional Access policies in Azure AD evaluate device compliance before granting access to cloud apps.
Key Components, Values, Defaults, and Timers
Enrollment Methods:
- Windows: Automatic enrollment via Group Policy or Azure AD join; manual via Settings > Accounts > Access work or school.
- iOS/iPadOS: Apple Automated Device Enrollment (ADE) for corporate devices; manual via Company Portal app.
- Android: Android Enterprise (work profile) for BYOD; Android Enterprise (fully managed) for corporate devices.
- macOS: Enrollment via Company Portal or Apple ADE.
Compliance Policies:
- Evaluate device settings against rules. Typical rules:
  - Require device encryption (BitLocker for Windows, FileVault for macOS).
  - Minimum OS version (e.g., Windows 10 21H2).
  - Maximum OS version (to avoid untested updates).
  - Jailbreak/root detection (iOS/Android).
  - Password policy (minimum length, complexity, lockout duration).
- Default check-in interval: 8 hours. Can be reduced to 1 hour via the Intune console (Device check-in frequency).
- Noncompliant devices can be:
  - Marked as noncompliant in Intune.
  - Blocked from accessing corporate resources via Conditional Access.
  - Sent a notification to the user.
  - Retired or wiped after a grace period (default 30 days, configurable).
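The rules above are easier to reason about when you see them applied to a device record. The following PowerShell is an added example written for this chapter, not code from the page or from Microsoft: it models, locally and offline, how a compliance policy with the rules listed (encryption, minimum OS version, jailbreak, password length) is evaluated against what a device reports, and how the noncompliance grace period becomes a hard deadline. The `Test-DeviceCompliance` function, the policy hashtable, and the two device records are all constructed for illustration; real Intune evaluation happens server-side.

```powershell
# Added example (not from the page or from Microsoft): a local model of how an
# Intune compliance policy is evaluated against a device's reported state and
# how the noncompliance grace period turns into an access-block deadline.
# The function, the policy and the device records are constructed sample data.

function Test-DeviceCompliance {
    param(
        [Parameter(Mandatory)] [hashtable] $Device,   # constructed inventory record
        [Parameter(Mandatory)] [hashtable] $Policy    # constructed compliance rules
    )
    $failures = [System.Collections.Generic.List[string]]::new()

    if ($Policy.RequireEncryption -and -not $Device.IsEncrypted) {
        $failures.Add('Device encryption is not enabled')
    }
    # Compare versions numerically: as strings, '10.0.9999' would sort above '10.0.19044'.
    if ([version]$Device.OSVersion -lt [version]$Policy.MinimumOSVersion) {
        $failures.Add("OS version $($Device.OSVersion) is below minimum $($Policy.MinimumOSVersion)")
    }
    if ($Policy.BlockJailbroken -and $Device.Jailbroken) {
        $failures.Add('Device is jailbroken or rooted')
    }
    if ($Device.PasswordMinLength -lt $Policy.MinimumPasswordLength) {
        $failures.Add("Password minimum length $($Device.PasswordMinLength) is below required $($Policy.MinimumPasswordLength)")
    }

    # Grace period: days the user gets to remediate before Conditional Access
    # blocks the device (Intune default is 30 days; a policy can shorten it).
    $deadline = $null
    if ($failures.Count -gt 0) {
        $deadline = $Device.NoncompliantSince.AddDays($Policy.GracePeriodDays)
    }

    [pscustomobject]@{
        DeviceName      = $Device.DeviceName
        ComplianceState = if ($failures.Count -eq 0) { 'compliant' } else { 'noncompliant' }
        Failures        = $failures
        GraceDeadline   = $deadline
        # -and short-circuits, so $deadline is only compared when there are failures.
        AccessBlocked   = ($failures.Count -gt 0) -and ((Get-Date) -gt $deadline)
    }
}

# Constructed policy mirroring the rules listed above.
$policy = @{
    RequireEncryption     = $true
    MinimumOSVersion      = '10.0.19044'   # Windows 10 21H2 build
    BlockJailbroken       = $true
    MinimumPasswordLength = 8
    GracePeriodDays       = 30
}

# Constructed inventory: one healthy device, one that fails three rules and is
# already past its 30-day grace period.
$devices = @(
    @{ DeviceName = 'LAPTOP-01'; IsEncrypted = $true;  OSVersion = '10.0.22621'; Jailbroken = $false; PasswordMinLength = 12; NoncompliantSince = $null },
    @{ DeviceName = 'LAPTOP-02'; IsEncrypted = $false; OSVersion = '10.0.19041'; Jailbroken = $false; PasswordMinLength = 6;  NoncompliantSince = (Get-Date).AddDays(-45) }
)

foreach ($d in $devices) {
    $result = Test-DeviceCompliance -Device $d -Policy $policy
    '{0}: {1}' -f $result.DeviceName, $result.ComplianceState
    $result.Failures | ForEach-Object { "  - $_" }
    if ($result.ComplianceState -eq 'noncompliant') {
        '  grace period ends {0:yyyy-MM-dd}; access blocked now: {1}' -f $result.GraceDeadline, $result.AccessBlocked
    }
}
```

Running it reports LAPTOP-01 as compliant and LAPTOP-02 as noncompliant with all three failures listed and `AccessBlocked` true, because its grace deadline (45 days ago plus 30) has already passed. The version cast is the detail worth noticing: a minimum-OS rule compared as text would silently pass builds that are actually older.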
App Protection Policies (MAM):
- Applied to apps, not devices.
- Key settings:
  - Require PIN (length, type).
  - Block screenshot.
  - Prevent copy/paste between managed and unmanaged apps.
  - Encrypt app data on device.
  - Wipe corporate data from app without affecting personal data.
- MAM without enrollment (MAM-WE) is the most common BYOD scenario.
Configuration Profiles:
- Used to configure device settings (e.g., Wi-Fi, VPN, email, certificates).
- Can be assigned to groups of users or devices.
- Settings are enforced via the MDM channel.
Remote Actions:
- Retire: Removes Intune management and corporate data, but keeps personal data.
- Wipe: Factory resets the device (full wipe) or removes corporate data (selective wipe).
- Sync: Forces the device to check in with Intune immediately.
- Lock: Locks the device remotely.
Configuration and Verification Commands
For Windows devices, you can verify enrollment and compliance using PowerShell or command-line tools:
- Check enrollment status (Microsoft Graph PowerShell SDK; connect first with Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All"):
  Get-MgDeviceManagementManagedDevice -Filter "userId eq '$userId'"
- Force sync (requires the DeviceManagementManagedDevices.PrivilegedOperations.All scope):
  Sync-MgDeviceManagementManagedDevice -ManagedDeviceId $deviceId
On the device, run dsregcmd /status to verify Azure AD join and Intune enrollment status.
For iOS/Android, the Company Portal app shows compliance status.
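The two cmdlets above are usually combined into a small report. The script below is an added example for this chapter, not code from the page or from Microsoft: it uses the Microsoft Graph PowerShell SDK to list every managed device, flags those Intune has marked noncompliant and those that have not checked in for 30 days (the stale threshold this chapter cites), and, only when asked with `-ForceSync`, requests an immediate check-in from the noncompliant ones. It assumes the Microsoft.Graph modules are installed and that the signed-in account holds the two scopes named in the comments; the `$StaleAfterDays` and `$ForceSync` parameters are this example's own.

```powershell
# Added example (not from the page or from Microsoft): report noncompliant and
# stale managed devices with the Microsoft Graph PowerShell SDK, then optionally
# force a check-in on the noncompliant ones. Requires the Microsoft.Graph modules.
# Scopes: DeviceManagementManagedDevices.Read.All to read device records,
#         DeviceManagementManagedDevices.PrivilegedOperations.All for the sync action.

param(
    [int]    $StaleAfterDays = 30,   # "stale" threshold used in this chapter
    [switch] $ForceSync              # act only when explicitly requested
)

Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All',
                        'DeviceManagementManagedDevices.PrivilegedOperations.All' -NoWelcome

# Pull every managed device; -All follows Graph paging for you.
$devices = Get-MgDeviceManagementManagedDevice -All

$cutoff = (Get-Date).ToUniversalTime().AddDays(-$StaleAfterDays)

# ComplianceState is the value Conditional Access reads; LastSyncDateTime is the
# last successful check-in (UTC).
$noncompliant = @($devices | Where-Object { $_.ComplianceState -eq 'noncompliant' })
$stale        = @($devices | Where-Object { $_.LastSyncDateTime -lt $cutoff })

"Noncompliant devices: $($noncompliant.Count)"
$noncompliant |
    Select-Object DeviceName, UserPrincipalName, OperatingSystem, OSVersion, IsEncrypted, JailBroken, LastSyncDateTime |
    Format-Table -AutoSize

"Devices with no check-in for $StaleAfterDays+ days (candidates for retirement): $($stale.Count)"
$stale | Select-Object DeviceName, UserPrincipalName, LastSyncDateTime | Format-Table -AutoSize

if ($ForceSync) {
    foreach ($d in $noncompliant) {
        # Same action as the Sync button in the Intune console: the device
        # checks in at its next opportunity rather than waiting up to 8 hours.
        Sync-MgDeviceManagementManagedDevice -ManagedDeviceId $d.Id
        "Sync requested for $($d.DeviceName)"
    }
}
```

Run it without switches first to see the two lists; the stale list is the one to review before any retire action, since a device that simply sat in a drawer for a month looks identical to one that was lost. The `IsEncrypted` and `JailBroken` columns show, per device, which of the compliance rules from earlier in the chapter is likely the one failing.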
How Intune Interacts with Related Technologies
Azure AD: Intune relies on Azure AD for identity. Devices are registered in Azure AD. Conditional Access policies reference Intune compliance status.
Microsoft Defender for Endpoint (MDE): Intune can integrate MDE for threat detection. Device risk scores from MDE can be used as a compliance condition.
Configuration Manager: In a co-management scenario, Intune can take over workloads from Configuration Manager (e.g., compliance policies, resource access).
Windows Autopilot: Intune is the management plane for Autopilot-deployed devices.
Exchange Online and SharePoint Online: Conditional Access policies enforce that only compliant devices can access these services.
Exam-Relevant Details
SC-900 tests the conceptual understanding of Intune, not deep technical configuration. You need to know:
The difference between MDM and MAM.
How Compliance Policies work with Conditional Access.
What App Protection Policies (APP) are and when to use them.
The term 'co-management' and its role.
Common exam numbers: default check-in interval is 8 hours (not 24). Grace period default is 30 days.
Trap: 'Intune can manage on-premises servers' – FALSE; Intune is cloud-only and manages endpoints (client devices).
Trap: 'MAM requires device enrollment' – FALSE; MAM works without enrollment.
Trap: 'Intune replaces all on-premises management' – FALSE; co-management allows hybrid.
Summary of Core Concepts
Intune is a cloud-based MDM/MAM solution.
MDM manages entire devices; MAM manages apps/data.
Compliance policies check device health; Conditional Access enforces access based on compliance.
App Protection Policies protect data within apps without managing the device.
Integration with Azure AD and Defender for Endpoint enhances security.
Device Enrollment in Intune
The user or IT administrator initiates enrollment. For corporate Windows devices, this often happens automatically via Azure AD join during Autopilot. The device registers with Azure AD and creates an enrollment certificate. The Intune client (Management Extension) is installed. The device receives a unique device ID and is added to the Intune console. For iOS, the user installs the Company Portal app and signs in. The device's UDID is sent to Apple Push Notification service (APNs) to enable management. Enrollment must be completed within 24 hours or the request expires. Once enrolled, the device appears in Intune as 'managed' and policies begin to apply.
Policy Assignment and Check-In
After enrollment, the Intune service evaluates group memberships and assigns applicable compliance policies, configuration profiles, and app installations. The device checks in with Intune every 8 hours by default (configurable to 1 hour). During check-in, the device sends its current state (installed apps, compliance status, hardware inventory). Intune responds with any new or updated policies. If a policy is marked as 'required', the device immediately applies it. For example, a compliance policy requiring BitLocker encryption will trigger encryption on the device if not already enabled. The device reports back success or failure. If the device fails to check in for 30 days, it is considered 'stale' and can be automatically retired.
Compliance Evaluation and Conditional Access
When a user attempts to access a cloud app (e.g., Outlook, SharePoint), Azure AD Conditional Access checks the device compliance status. The Conditional Access policy requires the device to be marked as 'compliant' in Intune. Intune evaluates the device against the assigned compliance policies. For example, if the device is jailbroken on iOS, the compliance policy marks it noncompliant. This status is stored in Azure AD. If noncompliant, Conditional Access blocks access and can redirect the user to the Company Portal to remediate. The user sees a message like 'Your device does not meet your company's security requirements.' The grace period (default 30 days) allows the user to fix issues before access is fully blocked. After the grace period, the device may be retired or wiped.
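The flow described above (Intune marks the device, Azure AD reads the mark at sign-in) is configured on the Azure AD side as a Conditional Access policy with the "require device to be marked as compliant" grant control. The following is an added example for this chapter, not code from the page or from Microsoft: it creates such a policy for Exchange Online and SharePoint Online through the Microsoft Graph PowerShell SDK, scoped to a pilot group and in report-only mode so the impact shows up in sign-in logs before anyone is blocked. The pilot group id is a placeholder; the two application ids are the well-known Exchange Online and SharePoint Online service principal ids, and the scope names are the Graph permissions this call needs.

```powershell
# Added example (not from the page or from Microsoft): create a Conditional Access
# policy that requires an Intune-compliant device for Exchange Online and
# SharePoint Online. Created in report-only mode first so its effect can be
# reviewed in sign-in logs before enforcement. Requires the Microsoft.Graph modules.
# Scope: Policy.ReadWrite.ConditionalAccess (Policy.Read.All to read policies back).

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All' -NoWelcome

$pilotGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: object id of the pilot user group

$policy = @{
    displayName = 'Require compliant device - Exchange and SharePoint (added example)'
    # Report-only: evaluated and logged, never enforced. Change to 'enabled' after review.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeGroups = @($pilotGroupId) }
        applications   = @{
            # Well-known app ids: Exchange Online, SharePoint Online
            includeApplications = @(
                '00000002-0000-0ff1-ce00-000000000000',
                '00000003-0000-0ff1-ce00-000000000000'
            )
        }
        platforms      = @{ includePlatforms = @('windows', 'iOS', 'android', 'macOS') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        # compliantDevice = "Require device to be marked as compliant". Azure AD does not
        # evaluate the compliance rules itself; it reads the flag Intune has set.
        builtInControls = @('compliantDevice')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created '{0}' in state {1} (id {2})" -f $created.DisplayName, $created.State, $created.Id
```

Leaving the policy in report-only mode for a cycle answers the question every rollout raises: how many users would have been blocked today, and on which devices. Moving it to `enabled` is a one-field change once the noncompliant population has been remediated.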
App Protection Policy (MAM) Enforcement
For BYOD devices not enrolled in MDM, App Protection Policies (APP) are applied to Microsoft apps (Outlook, Teams, etc.) and can be extended to third-party apps via the Intune SDK. When a user opens a managed app, the app checks for the presence of an APP policy. The policy is downloaded from Intune and enforced at runtime. For example, if the policy requires a PIN, the app prompts the user to set a PIN before accessing corporate data. The PIN is stored in a secure enclave on the device. If the user attempts to copy data from the managed app to an unmanaged app, the operation is blocked. If the device is lost, IT can trigger a selective wipe of corporate data from the managed apps without affecting personal data like photos or personal emails.
Remote Actions and Device Retirement
IT administrators can perform remote actions from the Intune console. For example, if a device is lost or stolen, the admin can select 'Wipe' to factory reset the device, removing all data. For a device that is being reassigned, 'Retire' removes Intune management and corporate data but leaves personal data intact. The admin can also 'Sync' a device to force an immediate check-in, useful when deploying critical updates. When a device is retired, the Intune management certificate is revoked, the device is unenrolled from Azure AD, and all policies are removed. The device becomes unmanaged. If the device was enrolled via Apple ADE, it can be automatically re-enrolled if wiped and reactivated. These actions are logged in the Intune audit log.
Enterprise Scenario 1: Corporate Windows Devices with Autopilot
A large enterprise with 5,000 employees uses Windows Autopilot to deploy new laptops. IT configures Autopilot profiles in Intune. When a user receives a new laptop, they power it on, connect to Wi-Fi, and sign in with their corporate credentials. The device automatically joins Azure AD and enrolls in Intune. During enrollment, Intune pushes compliance policies (e.g., require BitLocker, Windows Defender Antivirus enabled, OS version 21H2 or later). The device also receives required apps like Microsoft 365 Apps, Teams, and company-specific line-of-business apps. Conditional Access policies ensure that only compliant devices can access internal SharePoint sites. If a laptop falls out of compliance (e.g., user disables BitLocker), access is blocked until remediation. IT can monitor compliance from the Intune dashboard and send notifications to users. Common issues: users delaying updates, leading to noncompliance. IT sets a grace period of 7 days to enforce updates, after which the device is remotely wiped if still noncompliant. At scale, Intune handles thousands of devices with minimal overhead; the main performance consideration is network bandwidth for initial app downloads. Misconfiguration of Autopilot profiles (e.g., wrong group tag) can cause devices to receive incorrect policies, but this is rare with proper testing.
Enterprise Scenario 2: BYOD with MAM for a Sales Team
A company with 200 sales representatives allows them to use personal iPhones and Android phones. The company does not want to manage personal devices but needs to protect corporate email and CRM data. They deploy App Protection Policies (MAM) for Outlook, Teams, and a custom CRM app. The policy requires a 6-digit PIN, encrypts app data, and prevents copy/paste to personal apps. When a sales rep opens Outlook on their personal phone, they are prompted to set a PIN. They can access corporate email without enrolling the device. If the phone is lost, IT can selectively wipe corporate data from the managed apps without affecting personal photos or contacts. This scenario is common in industries with strict data protection regulations (e.g., healthcare, finance). Common pitfall: users may try to bypass the PIN by using a different email client; IT blocks non-compliant apps via Conditional Access. Performance is not an issue since policies are lightweight. Misconfiguration of MAM policies (e.g., overly restrictive copy/paste rules) can frustrate users, requiring careful balance between security and usability.
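The App Protection Policy settings listed earlier in the chapter (PIN, screenshot block, copy/paste restrictions, app-data encryption) and the values in this sales-team scenario (6-digit PIN, encrypted app data, no copy/paste to personal apps) map onto properties of the Graph `androidManagedAppProtection` resource. The script below is an added example for this chapter, not code from the page or from Microsoft: it builds that policy as a hashtable, creates it through `Invoke-MgGraphRequest`, and then targets Outlook and Teams with the policy's `targetApps` action. The property and enum names are taken from the Graph managedAppProtection reference as I know it and should be checked against the current reference before use; the CRM package id is a placeholder, and the scope name is the Graph permission the calls need.

```powershell
# Added example (not from the page or from Microsoft): the sales-team App Protection
# Policy for Android, created via Microsoft Graph. Requires the Microsoft.Graph modules.
# Scope: DeviceManagementApps.ReadWrite.All.
# Property names follow the Graph androidManagedAppProtection resource (verify against
# the current reference); package ids for Outlook and Teams are the public Android ids.

Connect-MgGraph -Scopes 'DeviceManagementApps.ReadWrite.All' -NoWelcome

$graph = 'https://graph.microsoft.com/v1.0/deviceAppManagement/androidManagedAppProtections'

$policy = @{
    '@odata.type' = '#microsoft.graph.androidManagedAppProtection'
    displayName   = 'Sales BYOD - Android (added example)'
    description   = 'PIN, app-data encryption, no copy/paste out of managed apps'
    # PIN: 6 digits, numeric, no trivial sequences
    pinRequired       = $true
    minimumPinLength  = 6
    pinCharacterSet   = 'numeric'
    simplePinBlocked  = $true
    # Encrypt corporate data held by the app (Android-specific setting)
    encryptAppData    = $true
    # Data leaves managed apps only to other managed apps; paste-in from personal apps is allowed
    allowedOutboundClipboardSharingLevel    = 'managedAppsWithPasteIn'
    allowedOutboundDataTransferDestinations = 'managedApps'
    allowedInboundDataTransferSources       = 'managedApps'
    saveAsBlocked        = $true
    screenCaptureBlocked = $true
}

$created = Invoke-MgGraphRequest -Method POST -Uri $graph `
    -Body ($policy | ConvertTo-Json -Depth 5) -ContentType 'application/json'
"Created policy '$($created.displayName)' with id $($created.id)"

# Target the apps the policy protects. An Android app is identified by package id;
# 'com.example.crm' stands in for the company's own CRM app.
$apps = @{
    apps = @(
        @{ mobileAppIdentifier = @{ '@odata.type' = '#microsoft.graph.androidMobileAppIdentifier'; packageId = 'com.microsoft.office.outlook' } },
        @{ mobileAppIdentifier = @{ '@odata.type' = '#microsoft.graph.androidMobileAppIdentifier'; packageId = 'com.microsoft.teams' } },
        @{ mobileAppIdentifier = @{ '@odata.type' = '#microsoft.graph.androidMobileAppIdentifier'; packageId = 'com.example.crm' } }  # placeholder
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/$($created.id)/targetApps" `
    -Body ($apps | ConvertTo-Json -Depth 5) -ContentType 'application/json'
"Targeted $($apps.apps.Count) apps"
```

Nothing in this policy touches the device itself, which is the point of MAM-WE: the phone is never enrolled, so a later selective wipe removes only what these three apps hold. The `managedAppsWithPasteIn` choice is the usability balance the scenario warns about: pasting a phone number from the personal dialer into Outlook still works, while copying corporate mail out into a personal app does not.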
Enterprise Scenario 3: Co-management with Configuration Manager
A mid-size organization has 1,000 on-premises Windows devices currently managed by System Center Configuration Manager (SCCM). They want to transition to cloud management but need to keep some on-premises workloads (e.g., software updates for legacy apps). They set up co-management in Intune. The devices are already managed by SCCM, but Intune takes over specific workloads like compliance policies and conditional access. Devices are enrolled in Intune while still reporting to SCCM. IT can gradually move workloads to Intune. For example, they start with compliance policies in Intune and later move device configuration. This hybrid approach allows a smooth migration. Common issues: conflicting policies between SCCM and Intune; IT must ensure that the same setting is not configured in both. The co-management slider in Intune controls which workload is authoritative. Performance is similar to pure Intune, but the dual management overhead requires careful planning.
What SC-900 Tests on Intune
The SC-900 exam covers Intune under objective 3.4: 'Describe the capabilities of Microsoft Endpoint Manager and endpoint security.' Specifically, you need to:
Understand the difference between MDM and MAM.
Know that Intune is a cloud-based service, not on-premises.
Recognize that Intune is part of Microsoft Endpoint Manager, which also includes Configuration Manager (for co-management).
Describe how compliance policies work with Conditional Access.
Identify scenarios where MAM (App Protection Policies) is used for BYOD.
Know that Intune can manage Windows, iOS, Android, and macOS devices.
Most Common Wrong Answers and Why
'Intune requires an on-premises server.' – Wrong because Intune is 100% cloud-based. Candidates confuse it with Configuration Manager, which has an on-premises component. The exam tests that Intune is SaaS.
'MAM requires device enrollment.' – Wrong because MAM can work without enrollment (MAM-WE). Candidates think management always requires enrollment, but MAM policies apply at the app level.
'Compliance policies are enforced directly by Conditional Access.' – Wrong. Compliance policies are evaluated by Intune; Conditional Access uses the compliance status from Intune to block or allow access. Candidates conflate the two.
'Intune can manage on-premises servers.' – Wrong. Intune manages client endpoints, not servers. Server management is done via Azure Arc or Configuration Manager.
Specific Numbers, Values, and Terms That Appear on the Exam
Default device check-in frequency: 8 hours.
Default grace period for noncompliance: 30 days.
Terms: 'Compliance policy,' 'App Protection Policy (APP),' 'Conditional Access,' 'co-management,' 'Mobile Device Management (MDM),' 'Mobile Application Management (MAM).'
Platforms: Windows 10/11, iOS, iPadOS, Android, macOS.
Enrollment methods: 'Azure AD join,' 'Autopilot,' 'Company Portal,' 'Apple ADE,' 'Android Enterprise.'
Edge Cases and Exceptions the Exam Loves to Test
MAM without enrollment: The exam may present a scenario where an organization wants to protect corporate data on personal devices without managing the device. The correct answer is MAM (App Protection Policies), not MDM.
Co-management: The exam may ask which tool manages devices when both Intune and Configuration Manager are used. The answer is 'co-management' where the workload slider determines authority.
Jailbreak detection: The exam may state that a compliance policy can detect jailbroken devices and mark them noncompliant, triggering Conditional Access block.
Windows Information Protection (WIP): Although deprecated, WIP is sometimes confused with Intune MAM. The exam tests that WIP is being replaced by Microsoft Purview Information Protection and Intune APP.
How to Eliminate Wrong Answers
If the question mentions 'on-premises' or 'server,' eliminate Intune as the sole answer unless co-management is mentioned.
If the question says 'manage apps and data without managing the device,' the answer is MAM.
If the question says 'device must be compliant to access company resources,' the flow is: Intune compliance policy → Conditional Access.
If the question lists platforms, remember Intune supports Windows, iOS, Android, macOS – not Linux servers.
By focusing on these exam patterns, you can answer Intune questions confidently.
Intune is a cloud-based MDM/MAM solution; no on-premises infrastructure required.
MDM manages the whole device; MAM manages apps and data without device enrollment.
Compliance policies in Intune check device health (encryption, OS version, jailbreak status).
Conditional Access in Azure AD uses Intune compliance status to block/allow access to cloud apps.
Default device check-in interval is 8 hours; can be reduced to 1 hour.
Default grace period for noncompliance is 30 days, configurable per policy.
App Protection Policies (MAM) can be applied to Microsoft and third-party apps that integrate the Intune SDK.
Co-management allows Intune and Configuration Manager to manage devices together, with a workload slider to determine authority.
Intune supports Windows, iOS/iPadOS, Android, and macOS devices.
Remote actions include wipe (factory reset), retire (remove management and corporate data), sync (force check-in), and lock.
These come up on the exam all the time. Here's how to tell them apart.
Intune MDM
Manages the entire device (OS-level settings).
Requires device enrollment (Azure AD join or Company Portal).
Can remotely wipe the entire device.
Can enforce device-level compliance (encryption, OS version).
Best for corporate-owned devices.
Intune MAM (App Protection Policies)
Manages only corporate apps and data within them.
Does not require device enrollment (MAM-WE).
Can selectively wipe corporate data from managed apps only.
Enforces app-level policies (PIN, copy/paste restrictions).
Best for BYOD scenarios.
Mistake
Intune requires a VPN connection to function.
Correct
Intune communicates over the internet using standard HTTPS (port 443). No VPN is required for the management channel. Devices do need outbound internet access to reach the Intune service endpoints; without it, features such as compliance check-in cannot complete.
Mistake
MAM policies can only be applied to Microsoft apps.
Correct
MAM policies can be applied to third-party apps if they integrate the Intune SDK or use the App Protection Policy framework. Many popular enterprise apps support MAM.
Mistake
Intune can manage devices that are not joined to Azure AD.
Correct
Intune can manage devices that are registered with Azure AD (workplace join) or enrolled via the Company Portal without full Azure AD join. For example, iOS devices can be enrolled using the Company Portal app without being joined to Azure AD.
Mistake
Compliance policies can force a device to install updates immediately.
Correct
Compliance policies can require a minimum OS version, but they cannot force an immediate update installation. They can mark the device noncompliant if the update is not installed within a grace period. The actual update installation depends on Windows Update or other update mechanisms.
Mistake
Intune is only for mobile devices.
Correct
Intune manages desktops (Windows, macOS), tablets, and mobile phones. The name 'Intune' historically implied mobile, but it now manages all endpoint types.
Intune is a cloud-only MDM/MAM solution that manages devices via internet. Configuration Manager (SCCM) is an on-premises management tool for servers and clients. They can be used together via co-management, where Intune handles cloud-based workloads (compliance, conditional access) and Configuration Manager handles on-premises workloads (software updates, OS deployment). For SC-900, remember that Intune is cloud-based, while Configuration Manager is on-premises.
No, Intune does not natively manage Linux devices as of the current version. It supports Windows, macOS, iOS/iPadOS, and Android. Linux servers can be managed via Azure Arc, but that is not part of Intune. The exam may test this by listing unsupported platforms.
The device is marked noncompliant in Intune. If Conditional Access is configured to require compliant devices, access to corporate resources (email, SharePoint) is blocked. The user receives a notification to remediate (e.g., enable encryption, update OS). After a configurable grace period (default 30 days), the device can be retired or wiped automatically.
Using App Protection Policies (MAM). These policies are applied to managed apps (e.g., Outlook, Teams) and enforce rules like requiring a PIN, encrypting app data, and preventing copy/paste to unmanaged apps. If the device is lost, IT can selectively wipe corporate data from the managed apps without affecting personal data.
The default check-in interval is 8 hours. Administrators can reduce it to as low as 1 hour for critical policies. This is a common exam fact. If a device does not check in for 30 days, it is considered stale and may be retired.
Yes, through compliance policies and configuration profiles. For MDM-enrolled devices, you can require a password of minimum length, complexity, and lockout duration. For MAM-managed apps, you can require an app-level PIN. The exam tests that password policies are part of device compliance.
Co-management is a configuration where devices are managed by both Configuration Manager (on-premises) and Intune (cloud). A workload slider determines which tool is authoritative for specific workloads (e.g., compliance policies, device configuration). This allows a gradual migration to cloud management. The exam may ask which scenario uses both tools.