Wednesday, 25 June 2025

Advanced Intune Interview Questions

 

Advanced Intune Troubleshooting Questions

Device Enrollment & Management

  1. How do you troubleshoot a device that fails to enroll into Intune?

    • Check MDM authority, licensing, time sync, event logs (DeviceManagement-Enterprise-Diagnostics-Provider).

  2. A device is Azure AD joined but not showing in Intune. What do you check?

    • Confirm auto-enrollment is enabled, MDM URLs in registry, licensing, and sync status.

  3. Where do you find logs for Windows 10/11 enrollment issues?

    • Event Viewer > Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider

    • Also use mdmdiagnosticstool.exe -area DeviceEnrollment -cab <path>

  4. What happens if a device has both SCCM and Intune co-management enabled but is not syncing policies?

    • Check co-management workload slider, device sync status, and registry path HKLM\SOFTWARE\Microsoft\DeviceManageabilityCSP.


App Deployment

  1. How do you troubleshoot a Win32 app that fails to install via Intune?

    • Review IntuneManagementExtension.log, check detection rules, install command, and return codes.

  2. What does "Not Applicable" mean under app installation status?

    • The app didn’t meet the assignment criteria (e.g., OS version, architecture).

  3. Why is a required app stuck in “Pending”?

    • Device hasn't checked in, content not downloaded, or assignment not targeted correctly.

  4. Where are Win32 app logs stored on a device?

    • C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log
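
To go with the Win32 app answers above, here is an added example (not part of the original post) that pulls warnings and errors out of IntuneManagementExtension.log. It assumes the log uses the CMTrace entry layout; the sample entries and their message wording are constructed for illustration and are used only when the log file is not present.

```powershell
# Added example: list warnings and errors from IntuneManagementExtension.log.
param(
    [string]$Path = 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log'
)

# Constructed sample entries (not from a real device; message text is illustrative).
$sample = @'
<![LOG[[Win32App] Processing app ExampleApp]LOG]!><time="09:14:02.1234567" date="6-25-2025" component="IntuneManagementExtension" context="" type="1" thread="12" file="">
<![LOG[[Win32App] Detection rule did not find
the app after install]LOG]!><time="09:16:40.7654321" date="6-25-2025" component="IntuneManagementExtension" context="" type="2" thread="12" file="">
<![LOG[[Win32App] Installer exited with code 1603]LOG]!><time="09:16:41.0000000" date="6-25-2025" component="IntuneManagementExtension" context="" type="3" thread="12" file="">
'@

# Read the whole file as one string: a single entry can span several lines.
$text = if (Test-Path -LiteralPath $Path) {
    Get-Content -LiteralPath $Path -Raw
} else {
    $sample
}

# CMTrace layout: <![LOG[message]LOG]!><time=".." date=".." component=".." context=".." type="N" ...>
$pattern = '(?s)<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)" date="(?<date>[^"]+)" ' +
           'component="(?<comp>[^"]*)" context="[^"]*" type="(?<type>\d)"'

# CMTrace severity codes.
$severity = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }

$entries = foreach ($m in [regex]::Matches($text, $pattern)) {
    [pscustomobject]@{
        Date     = $m.Groups['date'].Value
        Time     = ($m.Groups['time'].Value -split '\.')[0]   # drop fractional seconds
        Severity = $severity[$m.Groups['type'].Value]
        # Collapse multi-line messages onto one line for the table view.
        Message  = ($m.Groups['msg'].Value -replace '\s+', ' ').Trim()
    }
}

# Entry counts per severity, then the warnings and errors in log order.
$entries | Group-Object Severity | Select-Object Name, Count | Format-Table -AutoSize
$entries | Where-Object { $_.Severity -ne 'Info' } |
    Format-Table Date, Time, Severity, Message -AutoSize -Wrap
```

Pass `-Path` to point the script at a copy of the log collected from another device.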


Policy & Profile Troubleshooting

  1. How do you troubleshoot a configuration profile not applying?

    • Check Settings > Accounts > Work/School, Event Viewer logs, and dsregcmd /status output.

  2. How do you verify a configuration profile was applied?

  • Intune portal → Devices → Configuration profiles → Device status

  • Use Get-CimInstance -Namespace root\cimv2\mdm\dmmap (WMI).

  3. How do you check for failed PowerShell script deployments?

  • Review IntuneManagementExtension.log

  • Ensure correct execution context (System vs User)

  4. Why would a compliance policy not mark a device as non-compliant?

  • Check if device sync is current, policy is assigned, and conditions are matched.


๐Ÿ” Security & Conditional Access

  1. A device is compliant but access to email is blocked. Why?

  • Check Conditional Access policy priority, filters, and sign-in logs in Azure AD.

  2. How do you troubleshoot BitLocker not applying via Intune?

  • Check if TPM is enabled, profile settings are correct, and Event Viewer > Microsoft-Windows-BitLocker-API.

  3. Why is Defender Antivirus policy not being enforced?

  • May be overridden by GPO or not meeting assignment conditions. Check logs at:

    • C:\ProgramData\Microsoft\Windows Defender\Platform\*\MpCmdRun.log

  4. How do you confirm a device is using MDM for Windows Update management?

  • Settings > Update & Security > View configured update policies

  • Registry: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate


Reporting & Monitoring

  1. What are the key places to check device compliance?

  • Intune > Devices > Compliance policies

  • Azure AD > Devices > Compliance state

  2. How do you generate a device compliance report?

  • Intune > Reports > Device compliance > Export

  • Or use PowerShell + Microsoft Graph API

  3. What logs help troubleshoot Autopilot failures?

  • C:\Windows\Logs\Autopilot

  • C:\ProgramData\Microsoft\Windows\Provisioning\Logs\Setupact.log

  4. How do you troubleshoot Company Portal not showing apps?

  • Confirm device is enrolled, app assignments are correct, and user is licensed.


Misc & Deep-Dive

  1. What’s the difference between device sync and policy refresh?

  • Sync fetches policies from Intune; refresh applies or re-applies them on the device.

  2. Why would a profile apply on some devices and not others in the same group?

  • Check filters, group membership, OS version, and license availability.

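  3. How do you re-trigger app deployment or policy application manually?

  • Run an Intune device sync via Company Portal or PowerShell:

    # Requires the Microsoft Graph PowerShell SDK and a Connect-MgGraph session
    Sync-MgDeviceManagementManagedDevice -ManagedDeviceId <managedDeviceId>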

  4. How do you capture all Intune diagnostic logs from a device?

  • Run in PowerShell:

    mdmdiagnosticstool.exe -area all -cab C:\Temp\IntuneLogs.cab

  5. Why is Intune not removing a retired device’s corporate data?

  • The device may be offline, or the retire command hasn’t reached the device yet. Wait or trigger a manual sync.