Enroll devices using Intune

Question 1

What are the four stages of the MDM lifecycle?

Answer 1

Enrol, Configure, Protect, Retire

Question 2

What must be configured in the ‘Device Enrolment’ section of Intune before devices can enroll?

Answer 2

The MDM authority

Question 3

Which device types is Intune configured to allow by default?

Answer 3

Windows, Android, and standard Samsung Knox devices

Question 4

What do iOS and MacOS devices require to be set up in Intune before enrolment can occur?

Answer 4

Apple MDM Push Certificate

Question 5

What does CSR stand for and what does it do?

Answer 5

Certificate Signing Request

File downloaded from Intune and uploaded to the Apple Certificate Portal

Question 6

What requirements must a user meet in order to generate a certificate file in the Apple Certificate Portal?

Answer 6

An Apple ID that is a member of the Apple Developer Program

Question 7

For Windows devices already joined to on-prem AD-DS, how can you automatically enroll them in MDM?

Answer 7

Using Group Policy

Question 8

What are the manual methods of enrolling Windows devices in MDM?

Answer 8

-Settings app
-Provisioning Packages
-Company Portal app

Question 9

True or false: automatic enrolment in MDM only works for Windows devices

Answer 9

True

Question 10

Why does automatic enrolment in MDM only work for Windows devices?

Answer 10

Only Windows devices can be joined to on-prem AD-DS or Entra ID.

Question 11

What is automatic enrolment for Windows devices?

Answer 11

Devices automatically enrol in MDM when they join or register with Entra ID

Question 12

What Entra ID license is required for automatic MDM enrollment

Answer 12

Entra ID P1/P2

Question 13

What does WIP stand for?

Answer 13

Windows Information Protection

Question 14

True or false: MFA is enabled for automatic enrolment by default

Answer 14

False

Question 15

What is the earliest Android version Intune supports for device enrolment?

Answer 15

8.0

Question 16

What is the earliest iOS version Intune supports for device enrolment?

Answer 16

14.0

Question 17

What is the earliest MacOS version Intune supports through device enrolment?

Answer 17

11.0

Question 18

True or false: all users with an Intune license are allowed to enrol supported devices by default

Answer 18

True

Question 19

What Enrolment Restrictions can be configured to allow/deny enrolment for certain devices?

Answer 19

-Maximum number of enrolled devices for a user
-Device platform
-Required OS version
-Restrict enrolment of personally owned devices

Question 20

What is the default maximum number of enrolled devices for a user?

Answer 20

5

Question 21

What are the supported Corporate Identifiers you can upload to specify company-owned devices?

Answer 21

Serial number & IMEI

Question 22

What action would you take in Intune to only allow enrolled devices to access company resources?

Answer 22

Conditional access policy

Question 23

What is the difference between a Compliance Policy and a Conditional Access Policy?

Answer 23

Compliance Policy - defines the configuration required to be considered compliant

Conditional Access Policy - controls access to company resources (can be based on Compliance Policies).

Question 24

What Group Policy would you use to MDM-enrol devices joined to an on-prem AD-DS which is synced to Entra?

Answer 24

‘Enable automatic MDM enrolment using default Entra credentials’

Question 25

Why is it recommended not to use the .onmicrosoft.com domain?

Answer 25

Using a custom domain lets users sign in with the credentials they use to access other domain resources.

Question 26

Where in the Intune portal can you configure Automatic enrolment?

Answer 26

Devices -> Enroll Devices -> Automatic enrollment

Question 27

What enrolment method can be used if you don’t have Entra ID P1/P2?

Answer 27

CNAME enrolment

Question 28

What is the Intune MDM server address?

Answer 28

enrollment.manage.microsoft.com

Question 29

What are the 8 methods of Windows enrolment?

Answer 29

-Add Work or School account
-Enrol only in device management
-Entra join (OOBE)
-Entra join (Autopilot - user-driven deployment mode)
-Entra join (Autopilot - self-deploying mode)
-Enrol in MDM only (DEM user)
-Configuration Manager co-management
-Entra join (bulk enrollment)

Question 30

True or false: The ‘Enrol only in device management’ Windows enrolment method enrolls the device in Intune and joins it to Entra

Answer 30

False - it only enrols in Intune and does not Entra-join the device

Question 31

When would the ‘Enrol only in device management’ Windows enrolment method be used?

Answer 31

When the environment doesn’t have the P1/P2 Entra ID licenses required for auto-enrollment

Question 32

What is the preferred Windows enrollment method?

Answer 32

-Entra join (Autopilot - user-driven deployment mode)

Question 33

What is the difference between the Autopilot user-driven & self-deploying modes?

Answer 33

Self-deploying skips all OOBE screens and requires minimal user interaction, most commonly used for Kiosks.

Question 34

What is the maximum number of devices that can be enrolled by a DEM?

Answer 34

1000

Question 35

What is the process of the ‘Enroll in MDM only’ Windows enrolment method?

Answer 35

A DEM enrolls the device and installs apps before handing to the user

Question 36

What is the preferred way to enroll pre-existing Windows devices already in Configuration Manager?

Answer 36

Co-management

Question 37

How does the Entra Join(Bulk enrollment) Windows enrollment method work?

Answer 37

Users are provided a Provisioning Package which automatically enrolls devices.

Question 38

How can a user with an Intune license enrol an Android device?

Answer 38

Download the Intune Company Portal app through Google Play

Question 39

What does the Android Enterprise Work Profile achieve?

Answer 39

Separation of work and personal information on an Android device. Deploys apps & configuration to only the work profile.

Question 40

What is Android Enterprise Dedicated?

Answer 40

Single function devices locked down to specific apps

Question 41

What is Android Enterprise Fully Managed?

Answer 41

Corporate owned, single function devices used exclusively for work

Question 42

What is a prerequisite to setting up Android Enterprise?

Answer 42

Link your Intune tenant account to your managed Google Play account and set up an enrollment profile

Question 43

How can a user enrol an iOS device?

Answer 43

Download the Intune Company Portal app through the Apple App Store

Question 44

What enrollment methods does Intune support for company-owned iOS devices?

Answer 44

-ABM
-ADE
-Apple School Manager
-Apple Configurator
-Intune DEM account
-Device Enrollment Program

Question 45

What does ADE stand for?

Answer 45

Automated Device Enrollment

Question 46

How does Apple DEP work?

Answer 46

Companies purchase iOS devices directly and can configure settings or Intune enrollment from the DEP portal

Question 47

What device information is needed to assign Apple devices to Intune for management?

Answer 47

A list of serials or a Purchase Order number

Question 48

True or False: iOS devices enrolled in DEP still need to download the Company Portal app

Answer 48

False

Question 49

What is iOS Supervised Mode for?

Answer 49

Corporate owned devices - provides more controls.

Question 50

From what version of iOS onwards is Supervised Mode mandatory for DEP configured devices?

Answer 50

11.0

Question 51

When is a DEM account most useful?

Answer 51

When devices are enrolled and prepared before distribution to users

Question 52

If a user requires individual configuration such as an email profile, should a DEM enroll the device?

Answer 52

No - users should enroll it themselves

Question 53

True or False: A DEM shouldn’t be an admin for security reasons

Answer 53

True

Question 54

With what Apple features can a DEM account NOT be used?

Answer 54

-Apple Configurator with Setup Assistant
-Apple Configurator with Direct Enrollment
-Apple School Manager
-Device Enrollment Program

Question 55

What does DEP stand for?

Answer 55

Device Enrollment Program

Question 56

What does ASM stand for?

Answer 56

Apple School Manager

Question 57

What is the maximum number of devices a DEM can enroll?

Answer 57

1000

Question 58

What are the limitations on a device enrolled by a DEM?

Answer 58

-No per-user access (no assigned user)
-The DEM user can’t unenroll DEM-enrolled devices on the device itself (only an Intune admin can unenroll)
-Users can’t use VPP apps with user licenses because of per-user Apple ID requirements for app management
-You can’t use Apple Configurator/ASM/DEP to enroll devices, so no Supervised Mode

Question 59

What is the maximum number of Android Work Profile devices a DEM can enroll?

Answer 59

10

Question 60

What does Apple VPP stand for and what does it do?

Answer 60

Apple Volume Purchase Program

A service that allows organizations or educational institutions to purchase corporate apps in bulk, and silently deploy and manage them on devices.

Question 61

What deprecated services does Apple Business Manager combine?

Answer 61

VPP & DEP

Question 62

Where in Intune can you find reports about device status?

Answer 62

Devices -> Monitor

Question 63

What does the Retire device action do?

Answer 63

Removes company data and removes the device from Intune management.

Question 64

Which device types support the Remote Lock action?

Answer 64

Android, iOS, MacOS

Question 65

Which device types support the Reset Passcode action?

Answer 65

Android and iOS

Question 66

What does the Fresh Start device action do?

Answer 66

Windows only - removes all apps, including preinstalled OEM apps

Question 67

What does the Autopilot Reset device action do?

Answer 67

Windows only - initiates the device reset process but retains Entra ID and Intune connection, WiFi details, provisioning packages, and SCEP certificates

Question 68

Which device types support the Locate Device action?

Answer 68

Windows, iOS, Android Enterprise Dedicated