Practice MD-102 Manage and maintain devices questions with full explanations on every answer.
Start practicing
Manage and maintain devices — choose a session length
Free · No account required
Click any question to see the full explanation and answer options, or start a focused practice session above.
Your organization manages Windows 10 and 11 devices using Microsoft Intune. Users report that after a recent update, the Microsoft Store for Business app 'Company Portal' fails to launch. You verify that the app is assigned as required to all devices. What should you do first to resolve the issue?
2You are designing a Windows 365 Cloud PC provisioning policy. The requirement is that when a user is assigned a Cloud PC, it must automatically have Microsoft Defender for Endpoint configured with real-time protection enabled and a custom firewall rule allowing only specific IPs. Which approach should you use?
3A user's iOS device is enrolled in Microsoft Intune and is compliant. However, the user cannot access corporate email in the Outlook mobile app. The app displays an error that the device is not compliant. What is the most likely cause?
4Your organization uses Microsoft Intune to manage Windows devices. You need to deploy a custom Line-of-Business (LOB) app that is signed with a certificate not trusted by the devices. The app must be available to users in the Company Portal. What should you do?
5You need to ensure that Windows 10 devices in your organization receive the latest quality updates within 7 days of release. You configure a Windows Update for Business policy in Intune with a deferral period of 7 days. After two weeks, some devices have not installed the updates. What is the most likely reason?
6You are troubleshooting a Windows 11 device that cannot connect to the corporate Wi-Fi network. The device is enrolled in Intune and has a Wi-Fi profile assigned. The profile uses SCEP certificate authentication. The user can connect to other Wi-Fi networks. What is the most likely cause?
7Your organization uses Microsoft Intune to manage macOS devices. You need to deploy a configuration profile that enforces FileVault encryption. The profile must allow recovery key escrow to Intune. After deploying the profile, you notice that some devices are not encrypted. What should you check first?
8You need to implement a solution that automatically wipes a company-owned Windows 10 device when it has not connected to Intune for 30 days. Which Intune feature should you configure?
9A user reports that after resetting their Windows 10 device, they cannot re-enroll it in Intune. The device appears as 'Pending' in the admin center. What is the most likely reason?
10Which TWO actions can you take to improve the performance of Microsoft Intune management for Windows devices that are geographically distributed and have limited bandwidth?
11Which THREE conditions must be met for a Windows 10 device to be able to use Windows Autopilot self-deploying mode?
12Which TWO methods can you use to deploy Microsoft 365 Apps to Windows 10 devices managed by Intune?
13Refer to the exhibit. You deploy this compliance policy to a Windows 11 device running OS version 10.0.22621.100. The device has a password set, firewall active, and Defender enabled. However, the device is marked as non-compliant. What is the most likely reason?
14Refer to the exhibit. You run this PowerShell command to retrieve Windows devices. The output shows several devices with lastSyncDateTime older than 30 days and complianceState as 'noncompliant'. What is the most likely cause for these devices to be noncompliant?
15Refer to the exhibit. You apply this device configuration profile to a group of Windows 10 devices. Users report that they receive update notifications outside of active hours. Which setting should you modify to suppress notifications during active hours?
16Your organization uses Microsoft Intune to manage Windows 10 devices. Users report that after a recent update, some devices are no longer receiving compliance policies. You verify that the devices are enrolled and show as active in Intune. What should you check first?
17A company uses Microsoft Intune to manage iOS devices. They need to ensure that corporate data on these devices is protected if a device is lost or stolen. The solution must allow users to continue using personal apps and data after a selective wipe. What should they configure?
18You are managing Windows 10 devices with Intune. You need to deploy a PowerShell script that runs under the system context during device enrollment. Which approach should you use?
19Your organization uses Microsoft Defender for Endpoint (Microsoft Defender XDR). You need to ensure that all Windows 10 devices report their security health to Microsoft Defender for Endpoint. Some devices are showing as inactive. What is the most likely cause?
20A company uses Microsoft Intune to manage Windows 10 devices with a hybrid Azure AD join configuration. Users report that they are unable to access corporate resources on their devices. You verify that the devices are enrolled and that compliance policies are applied. What should you check next?
21You need to enforce encryption on Windows 10 devices managed by Intune. Which policy type should you configure?
22Your organization uses Microsoft Intune to manage Android Enterprise devices. You need to ensure that only approved corporate apps can be installed on work profiles. What should you configure?
23A user has an iOS device enrolled in Intune. The device is lost, and you need to immediately prevent unauthorized access to corporate data. The device contains both corporate and personal data. Which action should you take?
24Your organization is planning to deploy Windows 10 updates using Windows Update for Business. You need to ensure that critical security updates are installed within 7 days of release. Which configuration should you use?
25Your organization uses Microsoft Intune to manage Windows 10 devices. You need to deploy a PowerShell script that runs in the user context on a schedule. Which TWO methods can you use? (Choose two.)
26Which THREE are valid device management actions in Microsoft Intune? (Choose three.)
27You are troubleshooting an Intune-managed Windows 10 device that is not receiving a required application. Which THREE steps should you take to diagnose the issue? (Choose three.)
28Refer to the exhibit. You have created the compliance policy shown in JSON format. The policy is assigned to a group containing Windows 10 devices. A device running Windows 10 version 22H2 (build 22621.1) is showing as noncompliant. What is the most likely reason?
29Refer to the exhibit. You run the PowerShell command shown and get the output. You need to force an immediate sync for PC-001. Which cmdlet should you use?
30Refer to the exhibit. You are configuring a bulk enrollment token for Windows 10 devices in Intune. The token is set to expire on June 1, 2025. You need to ensure that devices can enroll using this token until June 30, 2025. What should you do?
31Your organization uses Microsoft Intune to manage devices. You need to configure a policy that automatically retires a device if it does not check in for 30 days. Which policy type should you configure?
32A user reports that their Windows 11 device is not receiving Microsoft 365 Apps updates from Intune. You verify the device is enrolled and compliant. The device has a Microsoft 365 Apps update policy assigned. What is the most likely cause?
33You are designing a device management strategy for a hybrid environment with on-premises Active Directory and Microsoft Entra ID. You need to ensure that devices are managed by Intune and can access on-premises resources. Which approach should you recommend?
34You need to deploy a custom PowerShell script to all Windows 10 devices enrolled in Intune. The script must run under the SYSTEM account. Which Intune feature should you use?
35Your organization has Windows 10 devices managed by Intune. You need to enforce BitLocker encryption on all devices. The devices must use a TPM protector and a recovery password. What should you configure?
36You are troubleshooting a Windows 11 device that fails to install a required application from the Company Portal. The app is assigned as required to the device. The device shows as compliant and has a healthy connection. What is the most likely cause?
37You need to ensure that all Windows 10 devices automatically install critical security updates from Windows Update as soon as they are released. Which Windows Update for Business policy setting should you configure?
38Your organization uses Microsoft Intune to manage iOS devices. You need to prevent users from removing the Intune Company Portal app from their devices. Which setting should you configure?
39You are planning a Windows 11 deployment for 500 new devices using Windows Autopilot. The devices will be shipped directly to users from the manufacturer. You need to ensure that the devices are automatically enrolled in Intune and joined to Microsoft Entra ID. What should you do?
40Which TWO actions can you perform using Microsoft Intune to manage Windows 10 devices?
41Which THREE prerequisites are required to enable Windows Autopilot for existing devices?
42Which TWO methods can be used to enroll Android devices in Microsoft Intune?
43Refer to the exhibit. You have the following compliance policy assigned to a Windows 10 device running version 10.0.22000.0. The device has a password of 8 characters and is encrypted. What is the compliance status of the device?
44Refer to the exhibit. You see the following Intune device properties for a Windows device. The device is noncompliant and the grace period expires on 2025-02-20. Today is 2025-02-15. The compliance policy requires a minimum OS version of 10.0.19041 but the device is on 10.0.18363. What will happen if the device does not become compliant before the grace period expires?
45Refer to the exhibit. You manage a Windows 11 device that is marked as compliant and has OS version 10.0.22621.0. You need to upgrade the device to Windows 11 version 23H2. Which Intune feature should you use?
46A user reports that their Windows 11 device cannot connect to the corporate Wi-Fi network. In Intune, the device shows a status of 'Pending' for the Wi-Fi configuration profile. The profile is assigned to a group that includes the user. What is the most likely cause of the issue?
47You need to ensure that corporate devices automatically install critical Windows updates within 24 hours of release. Which update ring setting should you configure in Intune?
48Your organization uses Microsoft Intune to manage iOS devices. You need to ensure that only approved corporate apps can be installed on these devices. Which restriction profile setting should you configure?
49You are troubleshooting a Windows 10 device that shows as 'Noncompliant' in Intune despite having all required compliance policies applied. The device is domain-joined and configured with hybrid Azure AD join. What is the most likely cause?
50You need to retire a corporate-owned iOS device that is no longer in use. The device is enrolled in Intune with user affinity. Which action should you perform?
51Your organization requires that all Windows 11 devices encrypt their drives with BitLocker. You have configured a BitLocker policy in Intune, but some devices show as 'Not evaluated' for the encryption status. What is the most likely reason?
52You are using Intune to manage macOS devices. You need to deploy a custom configuration profile that sets a preference for a third-party app. Which method should you use?
53A user's Android device is not receiving email from the corporate Microsoft 365 tenant. The device is enrolled in Intune and shows as compliant. The email profile is assigned to the user. What should you check first?
54You have configured a Windows 10 update ring with a deadline of 3 days for quality updates. However, some devices are not installing updates within the deadline. What should you verify?
55You have assigned the above compliance policy to all Windows 10 devices. A user's device shows as noncompliant with a reason of 'TPM not found'. What should you do to resolve the issue?
56You have created the above custom policy but it fails to apply on Windows 10 devices. What is the most likely reason?
57The above PowerShell cmdlet returns the following output: DeviceName: LAPTOP001 LastSyncDateTime: 2025-03-15T08:30:00Z ComplianceState: noncompliant ManagementState: managed OSVersion: 10.0.19044.1288 The device last synced 3 days ago. What is the most likely reason for the noncompliant status?
58You need to ensure that corporate data on lost or stolen iOS devices is protected. Which TWO actions should you configure in Intune?
59You are planning the deployment of Windows 11 using Intune. Which THREE components are required to perform an in-place upgrade from Windows 10?
60You need to configure conditional access for managed devices accessing Exchange Online. Which THREE conditions can be used?
61You are troubleshooting a Windows 11 device that fails to install a required Win32 app deployed via Intune. Which THREE logs or locations should you review?
62Your organization uses Microsoft Intune to manage Windows 11 devices. Users report that after a recent update, the corporate Wi-Fi profile no longer connects automatically. You verify the profile is still assigned and the device shows 'Not compliant' in Intune. What should you check first?
63A company uses Microsoft Intune to manage iOS devices. They want to ensure that only devices with a passcode of at least 6 characters and without jailbreak can access corporate email. Which policy type should they configure?
64You manage Windows 10 devices with Microsoft Intune. You need to deploy a PowerShell script that runs every time a device boots, before the user logs on. The script is signed. What is the correct deployment approach?
65Your organization uses Microsoft Intune for device management. A user reports that their Android device is not receiving a required app that is assigned as 'Required' for all users. The device shows as 'Compliant' in Intune. What is the most likely cause?
66A company uses Microsoft Intune to manage macOS devices. They need to enforce FileVault encryption on all Macs. What should they configure?
67You are troubleshooting a Windows 11 device that fails to install an Intune-managed update. The device has been offline for two weeks. After reconnecting, the update does not install. In the Intune console, the update shows 'Failed to install' with error code 0x800f0831. What is the most likely cause?
68Your organization uses Microsoft Intune to manage Windows 10 devices. You need to ensure that only devices with TPM 2.0 and Secure Boot enabled can access Microsoft 365 resources. What is the best approach?
69A user's iOS device is enrolled in Microsoft Intune. The user reports that they cannot install the Company Portal app from the App Store. What is the most likely reason?
70You manage a hybrid Azure AD joined Windows 10 device with Intune. The device is showing as 'Pending' enrollment. You have verified that the user has an Intune license and the device is synced with Azure AD Connect. What is the most likely issue?
71Which TWO actions can you perform to reduce the amount of time it takes for a Windows 10 device to receive a new policy from Microsoft Intune?
72Which THREE factors should you consider when planning the deployment of Windows 10 feature updates using Intune?
73Which TWO methods can you use to enroll a Windows 10 device in Microsoft Intune?
74Refer to the exhibit. You have applied this compliance policy to a Windows 10 device running build 10.0.19044. The device meets all requirements except that the firewall is disabled. What will be the compliance status of the device?
75Refer to the exhibit. You apply this device configuration profile to a Windows 10 device. A user downloads a file that is classified as potentially unwanted application (PUA). What action will Defender take?
76Refer to the exhibit. You have applied this compliance policy to a Windows 10 device running build 10.0.19044. The device meets all requirements except that the firewall is disabled. What will be the compliance status of the device?
77You manage Windows 10 devices enrolled in Microsoft Intune. Users report that the Company Portal app is not installing required apps. You verify that the devices are compliant and checked in recently. What is the most likely cause?
78Your organization uses Microsoft Intune to manage devices. You need to deploy a PowerShell script that runs every time a user logs in to a Windows 10 device. The script must run with administrative privileges. Which deployment approach should you use?
79You need to ensure that Windows 10 devices are automatically upgraded to Windows 11 if they meet hardware requirements. Which policy should you configure in Microsoft Intune?
80Refer to the exhibit. You create a custom configuration profile in Intune for Windows 10 devices. The profile is assigned to a test device, but the telemetry setting is not applied. The device is managed and compliant. What is the most likely reason?
81You need to remotely wipe a lost corporate-owned iOS device enrolled in Microsoft Intune. The device is currently offline. What will happen when the device comes online?
82Your organization uses Microsoft Intune to manage Windows 10 devices. You need to enforce BitLocker encryption on all devices. Some devices are not encrypting even though the policy is assigned. What should you check first?
83Users report that after updating to Windows 11, their devices are no longer receiving policy updates from Intune. The devices appear as active and compliant in the Intune console. What is the most likely cause?
84You need to block users from enrolling personal Android devices in Microsoft Intune. Which enrollment restriction should you configure?
85Refer to the exhibit. You create a compliance policy for Windows 10 devices. A device is reported as non-compliant. Upon investigation, you find that the device has a password of 6 characters. Which setting is causing the non-compliance?
86Your organization uses Microsoft Intune to manage devices. You need to deploy a line-of-business (LOB) app to iOS devices. Which TWO conditions must be met?
87You need to configure a Microsoft Intune policy to ensure that only devices with a minimum OS version can access corporate email. Which THREE policy types can enforce this requirement?
88You need to deploy a Windows 10 feature update to a pilot group. Which TWO steps are required in Microsoft Intune?
89Refer to the exhibit. You run this Microsoft Graph PowerShell command to retrieve managed devices. The output shows a device with a lastSyncDateTime of 5 days ago. What does this indicate?
90Your organization uses Microsoft Intune to manage devices. You need to ensure that only corporate-owned Windows 10 devices are allowed to access Microsoft 365 services. You have configured a conditional access policy to require compliant devices. What else must you do to identify corporate-owned devices?
91You need to retire a device in Microsoft Intune. What is the effect of retiring a device?
92A company manages Windows 10 and Windows 11 devices using Microsoft Intune. They need to ensure that devices that have not checked in with Intune for more than 30 days are automatically marked as inactive and excluded from compliance policies. Which configuration should be used?
93An organization uses Microsoft Intune to manage Windows devices. They want to deploy a Win32 app that requires admin rights to install. The app must be installed in the system context and should not require user interaction. Which installation behavior should be configured?
94A company uses Microsoft Intune to manage iOS/iPadOS devices. They need to enforce a policy that requires users to set a device passcode of at least 6 characters. Which type of policy should they create?
95An organization manages Windows 10 devices with Microsoft Intune. They need to deploy a PowerShell script that runs once on each device to remediate a security issue. The script should not run again after successful execution. Which configuration should be used?
96A company uses Microsoft Intune for mobile device management. They have a group of Android Enterprise devices that need to be enrolled in a way that allows the device to have a work profile while keeping personal apps separate. Which enrollment method should be used?
97An organization uses Microsoft Intune to manage Windows devices. They want to ensure that only devices with a TPM 2.0 chip can access corporate email. Which policy should be configured?
98A company uses Microsoft Intune to manage macOS devices. They need to deploy a custom plist configuration file to set security settings. Which policy type should they use?
99An organization uses Microsoft Intune for device management. They have a requirement that all Windows devices must have BitLocker enabled. They want to automatically remediate any device that has BitLocker disabled by running a PowerShell script. Which Intune feature should be used?
100A company uses Microsoft Intune to manage devices. They need to report on which devices have a specific Windows update installed. Which reporting method should be used?
101A company manages devices with Microsoft Intune. They need to deploy a line-of-business (LOB) app to iOS devices. Which TWO of the following are required?
102An organization uses Microsoft Intune to manage Windows devices. They need to configure a policy to enforce disk encryption on devices. Which THREE of the following are valid encryption options?
103A company uses Microsoft Intune to manage devices. They want to use a script to collect inventory data from Windows devices. Which TWO methods can be used?
104Refer to the exhibit. The JSON snippet shows a dynamic device group configuration in Microsoft Intune. What is the effect of the 'enrollmentTimeDeviceMembershipLimit' property set to 15?
105Refer to the exhibit. A Microsoft Graph PowerShell cmdlet retrieves devices. What is the purpose of this query?
106Refer to the exhibit. A compliance policy is defined for Windows 10 devices. What is the minimum OS version required?
107Your organization manages Windows 10 and Windows 11 devices with Microsoft Intune. Users report that new Microsoft Store apps are not automatically installing on their devices as expected. You verify that the Intune policy 'Allow Microsoft Store for Business' is set to 'Allow'. What is the most likely reason the apps are not installing?
108A company uses Microsoft Intune to manage macOS devices. A security audit requires that all macOS devices must have FileVault encryption enabled. Compliance policy reports show that 90% of devices are compliant, but 10% are non-compliant. You review the non-compliant devices and find that FileVault is enabled on them. What is the most likely cause of the non-compliance?
109You need to deploy a line-of-business (LOB) iOS app to company-owned devices using Microsoft Intune. The app is signed with an enterprise certificate. Which deployment method should you use?
110Your organization uses Microsoft Intune to manage Windows 11 devices. You need to ensure that devices cannot connect to unsecured Wi-Fi networks. Which policy type should you configure?
111A user has a Windows 10 device that is enrolled in Microsoft Intune. The user reports that they cannot install a required app from the Company Portal. You check the Intune console and see that the app assignment is 'Required' but the installation status shows 'Failed'. The device is compliant. What should you check first?
112You manage Android Enterprise devices with Microsoft Intune. You need to ensure that work profile apps are automatically installed when a user enlists their device. What should you configure?
113Your organization uses Microsoft Intune to manage devices. You need to ensure that only compliant devices can access corporate Exchange Online email. Which conditional access policy setting should you use?
114You are troubleshooting a Windows 10 device that is not receiving policy updates from Intune. The device shows 'Pending' status in the Intune console. The device is connected to the internet. What is the most likely cause?
115You need to remotely wipe a lost corporate-owned iOS device that is enrolled in Microsoft Intune. Which action should you perform in the Intune console?
116Your organization is planning to use Microsoft Intune to manage Windows 11 devices. Which TWO are prerequisites for enrolling a Windows device in Intune?
117You are configuring app protection policies (MAM) in Microsoft Intune for iOS devices. Which THREE settings can you configure to prevent data leakage?
118You need to deploy Microsoft Defender for Endpoint to Windows 10 devices using Microsoft Intune. Which TWO methods can you use to deploy the Microsoft Defender for Endpoint client?
119Refer to the exhibit. The JSON shows a device queried from Microsoft Graph. The device shows as compliant, but the user reports that they are unable to access corporate resources. The conditional access policy requires device compliance. What is a likely reason for the access issue?
120Refer to the exhibit. The JSON shows a compliance policy for Windows 10 devices. A device is marked as non-compliant even though it has a password of length 8, firewall enabled, and Defender enabled. What is the most likely cause?
121Refer to the exhibit. The ARM template snippet attempts to deploy a Windows 10 Security Baseline policy in Intune. The deployment fails. What is the most likely reason?
122You manage Windows 10 devices with Microsoft Intune. Users report that after a recent Windows update, some devices fail to enroll in mobile device management (MDM). You verify that the devices are domain-joined and can reach the internet. Which configuration should you check first?
123Your organization uses Microsoft Intune to manage iOS devices. You need to ensure that only devices with a passcode of at least 6 characters can access corporate email. What should you create?
124You manage Windows 11 devices with Microsoft Intune. Some users report that their device is marked as noncompliant even though it meets all compliance rules. You discover that the devices have not checked in with Intune for over 30 days. What should you do to prevent this issue?
125Your organization uses Microsoft Intune to manage Android Enterprise devices. You need to deploy a custom app that is not available in the Google Play Store. Which app deployment method should you use?
126You manage devices with Microsoft Intune. You need to ensure that only devices with a specific BIOS serial number can enroll. What should you configure?
127Your organization uses Windows Autopilot for device provisioning. Users report that after initial setup, devices are not automatically enrolled in Microsoft Intune. What should you verify?
128You manage devices with Microsoft Intune. Users report that after a recent policy change, some devices are not receiving updated policies. You verify that the devices are online and have connectivity. What should you do to force a policy refresh?
129Your organization uses Microsoft Intune to manage Windows devices. You need to ensure that only users in the Sales department can enroll their devices. What should you configure?
130Your organization uses Microsoft Intune to manage macOS devices. You need to deploy a custom shell script that runs once on each device. What should you configure?
131Which TWO actions can you perform in Microsoft Intune to remediate a noncompliant Windows device that has been marked as noncompliant due to missing antivirus? (Choose two.)
132Which THREE conditions can be used to create a dynamic device group in Microsoft Entra ID for Intune management? (Choose three.)
133Which TWO are valid methods to deploy Microsoft 365 Apps to Windows devices using Microsoft Intune? (Choose two.)
134Refer to the exhibit. The JSON snippet shows a device compliance policy for Windows 10. You assign this policy to a device group. Some devices report as noncompliant even though they have BitLocker enabled and meet password requirements. What is the most likely cause?
135Refer to the exhibit. You run the PowerShell cmdlet in Microsoft Graph to list managed Windows devices. The output shows that several devices have a complianceState of 'noncompliant' but lastSyncDateTime is recent. What is the most likely reason for noncompliance?
136Refer to the exhibit. The JSON snippet shows a Windows Update for Business policy assigned to a device group. Users report that quality updates are installed 7 days after release. Which setting controls this behavior?
137You manage Windows 10 devices enrolled in Microsoft Intune. Users report that the Windows Update for Business policy is not applying to some devices. You verify the devices are assigned the correct update ring. What should you check first?
138Your organization uses Microsoft Intune to manage iOS/iPadOS devices. You need to ensure that only approved apps can be installed on corporate-owned devices. Which configuration profile type should you use?
139You need to deploy a line-of-business (LOB) app to Windows 10 devices managed by Intune. The app is a .msi file. Which app type should you select when adding the app in Intune?
140Your organization has a mix of Windows 10 and Windows 11 devices managed by Intune. You need to enforce BitLocker encryption on all devices. Which policy type should you configure?
141Users report that their Android Enterprise fully managed devices are not receiving email profiles pushed from Intune. You confirm the devices are enrolled and show as compliant. What is the most likely cause?
142You need to remotely wipe a lost corporate-owned iOS device that is managed by Intune. Which action should you use?
143You need to configure a Windows 10 device to automatically install updates from a specific branch readiness level. Which setting in the Update ring policy should you configure?
144Your organization uses Microsoft Intune to manage macOS devices. You need to deploy a .pkg app to these devices. What is the recommended method?
145You need to ensure that only compliant devices can access Exchange Online. Which Intune policy should you use?
146Which TWO actions can you perform on a managed device from the Microsoft Intune admin center?
147Which THREE are supported reporting options in Microsoft Intune for device compliance?
148Which TWO are valid methods to enroll Windows devices in Microsoft Intune?
149Refer to the exhibit. You are reviewing a Windows 10 compliance policy JSON. What is the purpose of the 'osMinimumVersion' setting?
150Refer to the exhibit. You run a PowerShell command to retrieve a managed device's details. The ComplianceState is 'compliant' but the device has not synced in 7 days. What is the most likely reason?
151Refer to the exhibit. You are reviewing a Windows 10 update ring configuration JSON. What does the 'automaticUpdateBehavior' setting control?
152Your organization uses Microsoft Intune to manage Windows 11 devices. Users report that after a recent update, the Start menu layout resets to default every time they sign in. Which Intune policy setting is most likely causing this issue?
153You are designing a Windows 11 update strategy for a fleet of 500 devices managed by Intune. The organization requires that critical security updates be applied within 7 days, but feature updates can be delayed up to 60 days. Which Update Rings configuration should you use?
154A user reports that their Microsoft Intune enrolled device is not receiving required compliance policies. The device shows as 'Not evaluated' in the Microsoft Intune admin center. What is the most likely cause?
155You have assigned the compliance policy shown in the exhibit to all Windows devices. A Windows 11 device running build 10.0.22621.1500 reports as noncompliant. Which setting is causing the noncompliance?
156You are troubleshooting a user's Windows 11 device that cannot connect to the corporate Wi-Fi network. The device is managed by Intune and has a Wi-Fi profile assigned. The profile uses SCEP certificate authentication. The certificate is issued by your internal CA. The device shows 'No internet access' though it connects. What is the most likely issue?
157You need to ensure that all iOS devices enrolled in Intune automatically install required apps (e.g., Microsoft Outlook, Teams) during enrollment. Which enrollment profile setting should you configure?
158Your organization uses Microsoft Intune to manage macOS devices. You need to deploy a custom configuration profile that sets a specific firewall rule. However, the profile fails to apply on a subset of devices. The Intune console shows 'Conflict' status. What is the most likely cause?
159You manage Windows 10 devices with Intune. You need to collect diagnostic logs from a remote device that is experiencing application crashes. Which Intune feature should you use?
160A user reports that their Android Enterprise work profile device is not receiving email from the corporate Exchange Online account. The device is enrolled in Intune and shows as compliant. The Outlook app is installed but cannot connect. What should you check first?
161Which TWO actions can you perform using the Microsoft Intune admin center to manage Windows 11 devices remotely? (Choose two.)
162Which THREE conditions must be met for a Windows device to be able to enroll in Microsoft Intune using Microsoft Entra ID join? (Choose three.)
163Which TWO of the following are valid remote assistance tools for Windows devices managed by Microsoft Intune? (Choose two.)
164You apply the custom policy shown in the exhibit to a Windows 11 device. Users report that they cannot use Bluetooth devices (e.g., mouse, keyboard) after the policy applies. Which setting in the policy is causing this issue?
165You need to deploy a custom Windows 11 feature update to a pilot group of 50 devices before rolling out to the entire organization. The devices are managed by Intune and are in a 'Pilot' Azure AD group. What is the best approach?
166A Windows 11 device running build 10.0.22621.500 reports as noncompliant with the policy shown. The device meets all password requirements, has BitLocker enabled, and uses Microsoft Defender for Endpoint with a 'high' security level. What is the most likely cause of noncompliance?
167Your organization uses Microsoft Intune to manage Windows 10 devices. Users report that after a recent software update, the Start menu layout is missing. You need to restore the Start menu layout using Intune. What should you do?
168Your company has iOS/iPadOS devices enrolled in Microsoft Intune. You need to ensure that users cannot remove the Microsoft Intune Company Portal app from their devices. What should you configure?
169You manage Windows 10 devices with Microsoft Intune. You need to deploy a PowerShell script that runs in the user context to configure user settings. What type of script should you use?
170Your organization uses Microsoft Intune to manage devices. You need to ensure that only compliant devices can access corporate email. You configure a Conditional Access policy in Microsoft Entra ID targeting Exchange Online. What else must you configure in Intune to enforce compliance?
171Your company has a Microsoft Intune environment with Windows devices. You need to deploy a Microsoft 365 Apps update using the Semi-Annual Enterprise Channel. You have configured the update channel in an Intune administrative template. However, devices are not receiving the updates. What is the most likely cause?
172Which TWO settings can you configure in a Microsoft Intune device compliance policy for Android Enterprise devices?
173Which THREE actions are available in Microsoft Intune's proactive remediations for Windows devices?
174Which TWO methods can you use to enroll macOS devices in Microsoft Intune?
175Refer to the exhibit. You are reviewing an Intune configuration profile JSON for Windows 10. The profile includes BitLocker settings. Which setting will prevent users from enabling BitLocker if another encryption method is already in use?
176Refer to the exhibit. You have a compliance policy for Windows 10 devices. A device reports as non-compliant with the reason 'TPM not found'. The device does have a TPM 2.0 chip but it is disabled in BIOS. What should you do to resolve the compliance issue?
177Refer to the exhibit. You are deploying Microsoft Edge via Intune as a required app for Windows devices. Which setting ensures that any previous version of Microsoft Edge is removed before installing the new version?
178Your organization uses Microsoft Intune and Microsoft Defender for Endpoint. You need to ensure that when a device is determined to be at high risk by Defender, it is automatically blocked from accessing corporate resources. What should you configure?
179Your company uses Microsoft Intune to manage Windows 10 devices. You need to ensure that all devices have Windows Defender Antivirus real-time protection enabled. What should you configure?
180Which THREE features are available in Microsoft Intune's Windows Autopilot for existing devices?
181Which TWO settings can be configured in a Microsoft Intune device compliance policy for iOS/iPadOS?
182A user reports that their Windows 11 device is not receiving compliance policies from Microsoft Intune. The device shows as 'Not evaluated' in the Microsoft Intune admin center. The user has confirmed that the device is enrolled and connected to the internet. Which is the most likely cause?
183Your organization uses Microsoft Intune to manage Windows 10 devices. You need to deploy a PowerShell script that runs during the device provisioning process, before the user signs in. The script should be assigned to a device group containing all Autopilot devices. Which method should you use?
184A company is planning to use Windows Autopilot to deploy new devices. They want to ensure that devices are automatically enrolled in Microsoft Intune when a user signs in with their Microsoft Entra ID credentials. Which configuration is required?
185Your organization uses Microsoft Defender for Endpoint (now part of Microsoft Defender XDR) to manage endpoint security. You need to ensure that all Windows 10 devices are onboarded to Defender for Endpoint via Microsoft Intune. Which policy type should you use?
186You manage devices with Microsoft Intune. You need to deploy a line-of-business (LOB) app that is signed with a certificate not trusted by the devices. The app requires installation in the system context. Which deployment method should you use?
187A user's mobile device is lost. You need to remotely wipe the device using Microsoft Intune. What is the correct sequence of actions?
188Your organization uses Microsoft Intune to manage devices. You need to ensure that only devices with a minimum OS version can access corporate email via Microsoft Outlook for iOS. Which policy type should you configure?
189You are troubleshooting a Windows 10 device that is not receiving Intune policies. The device is enrolled and shows as 'Active' in the Intune admin center. You run the Get-MgDeviceManagementManagedDevice cmdlet and the device's managementAgent is 'mdm'. Which of the following is the most likely cause of the issue?
190Your organization wants to use Windows Autopilot for user-driven deployment. Users should be able to self-deploy their devices by signing in with their corporate credentials. Which Autopilot deployment mode should you use?
191Which TWO actions can you perform using Microsoft Intune to manage devices that are not compliant? (Choose two.)
192Which THREE conditions must be met for a Windows 10 device to be co-managed with Microsoft Intune and Microsoft Configuration Manager? (Choose three.)
193Which TWO of the following are device configuration settings you can manage with Microsoft Intune? (Choose two.)
194Refer to the exhibit. You are reviewing a JSON policy for Windows 10 compliance. Which of the following is required by this policy?
195Refer to the exhibit. You run a PowerShell cmdlet to get managed devices and see the output above. The device is noncompliant. What is the most likely reason?
196Refer to the exhibit. You are reviewing a Win32 app configuration in Microsoft Intune. The app is not installing on some Windows 10 devices. Which is the most likely reason?
197A company uses Microsoft Intune to manage Windows 11 devices. Users report that the Company Portal app is not showing required applications. You verify that the devices show as 'Compliant' in Microsoft Intune. Which configuration should you check first?
198You are troubleshooting an iPhone that cannot enroll in Microsoft Intune. The user receives an error stating 'This device is already enrolled in another MDM.' What is the most likely cause?
199A user reports that their Windows 11 device is not receiving security updates. The device is enrolled in Microsoft Intune and shows as compliant. You check the Update Rings policy and see that the device is assigned to a ring that defers updates by 30 days. What should you do to ensure the device gets the latest security updates immediately?
200Your organization uses Microsoft Intune to manage iOS devices. You need to deploy a custom configuration profile to configure Wi-Fi settings for corporate devices. Which method should you use?
201You need to ensure that Windows 10 devices automatically receive Microsoft 365 Apps updates from the Internet when not connected to the corporate network. Which update channel should you configure?
202A user's Windows 11 device is not receiving the Company Portal app after enrollment. The device is enrolled in Microsoft Intune. What is the most likely cause?
203Your organization uses Microsoft Intune to manage Android Enterprise devices. You need to ensure that corporate apps are installed automatically on new devices without user interaction. Which enrollment method should you use?
204You are deploying Windows 11 devices using Windows Autopilot. Some devices are not registering in Microsoft Intune. You have verified that the hardware hashes are uploaded correctly. What is the most likely cause?
205A user's device is marked as 'Noncompliant' in Microsoft Intune due to missing required updates. The device is configured with a compliance policy that requires a minimum OS version. The user claims the device is up-to-date. What should you verify first?
206Which THREE actions can you perform using Microsoft Intune's remote assistance feature for Windows devices?
207Which TWO Windows Update for Business policies can you configure using Microsoft Intune?
208Which THREE are valid Windows Autopilot deployment scenarios?
209You have a Windows 10 device running OS version 10.0.19043.1234. The device is compliant with all settings except password requirements. The device does not have a password set. What is the compliance status?
210A Windows 10 device is assigned this update ring policy. A new quality update is released today. When will the device install the update?
211You deployed this endpoint protection policy to a Windows 10 device. A user reports that a known malicious file was downloaded but not blocked. What is the most likely reason?
212You manage a hybrid Microsoft Entra ID environment with 5,000 Windows 10 devices enrolled in Microsoft Intune. You need to deploy a critical security update that requires a reboot to all devices within the next 4 hours. Users must be able to postpone the reboot for up to 8 hours. You configure a device restart policy in Intune. Which deadline and grace period settings should you use?
213Your organization uses Microsoft Intune for Windows device management. Users report that after a recent update, the company VPN client fails to start. You suspect a driver conflict. Which Intune feature should you use to roll back the problematic driver without affecting other updates?
214You need to ensure that all Windows 11 devices in your organization have BitLocker enabled and the recovery key escrowed to Microsoft Entra ID. Which Intune policy should you configure?
215You are troubleshooting a Windows 10 device that is not receiving a required security policy from Intune. The device shows as 'Not compliant' in the Intune console. Which TWO actions should you take to resolve the issue?
216You are designing a Windows 10 update strategy using Windows Update for Business and Intune. Which THREE settings should you configure to ensure updates are delivered efficiently while minimizing user disruption?
217Your organization requires that all managed Windows devices have Microsoft Defender Antivirus enabled and running. Which TWO methods can you use to verify this compliance?
218Refer to the exhibit. You apply this Intune custom OMA-URI policy to a Windows 10 device. What is the expected outcome?
219Refer to the exhibit. A Windows 11 device assigned to this update ring is running a released version. What is the immediate behavior after the policy applies?
220Refer to the exhibit. You run this PowerShell command using the Microsoft Graph PowerShell SDK. What is the primary purpose of this command?
221You need to ensure that users can access corporate resources on their personal iOS devices only if they are jailbroken. Which Intune policy should you configure?
222You manage devices with Microsoft Intune and have enabled co-management with Configuration Manager. You need to ensure that Windows Update policies are managed by Intune for all co-managed Windows 10 devices. Which workload slider should you set in Configuration Manager?
223You deploy a new line-of-business app to Windows 10 devices via Intune. Users report that the app does not appear in the Company Portal. You verify that the app is assigned to the correct group. What is the most likely cause?
224Your organization uses Microsoft Defender for Endpoint. You need to configure automatic investigation and response for devices. Which setting in the Microsoft Defender XDR portal should you adjust?
225You need to wipe a lost corporate-owned Windows 10 device that is enrolled in Intune. Which action should you take?
226Refer to the exhibit. You run this KQL query in Microsoft Sentinel. What is the result?
227Your organization uses Microsoft Intune to manage Windows 10 devices. You need to ensure that devices that haven't checked in for 30 days are automatically retired. Which configuration should you implement?
228Refer to the exhibit. You are configuring a Windows Update Ring policy in Microsoft Intune. You want the pilot devices to install feature updates 30 days after Microsoft releases them, but you also need to ensure that users cannot postpone updates indefinitely. However, users are reporting that updates are installing outside of active hours. What is the most likely cause?
229You manage a fleet of iOS devices enrolled in Microsoft Intune. You need to ensure that only approved apps can be installed on corporate devices. Which policy type should you configure?
230Your organization uses Microsoft Intune for Windows device management. You need to deploy a PowerShell script to all Windows 10 devices to remediate a security issue. The script must run in the user context. What is the best approach?
231You are troubleshooting a Windows 11 device that is enrolled in Microsoft Intune. The device shows 'Pending' status for a required app deployment. The app is a line-of-business (LOB) app. The device has been online for the past 24 hours. What is the most likely cause?
232Your organization uses Microsoft Intune to manage Android Enterprise devices. You need to ensure that corporate data on a device is wiped if the device is reported stolen. Which action should you configure?
233You are implementing Windows Autopilot for your organization. You need to ensure that during the first boot, the device automatically enrolls in Microsoft Intune and joins Microsoft Entra ID. What is the minimum requirement for the device?
234Refer to the exhibit. You are creating a device filter in Microsoft Intune to target a policy to Windows 10 Pro devices. The filter should only apply to devices running OS build 1904x (20H1 or later). However, some devices with build 1904x and SKU Professional are not receiving the policy. What is the most likely reason?
235You need to configure Microsoft Defender for Endpoint on Windows 10 devices managed by Intune. What is the recommended method to onboard devices?
236Which TWO actions should you take to ensure that Windows Update for Business settings are applied to all Windows 10 devices in your organization? (Choose two)
237Which THREE steps are required to configure a Windows 10 device for kiosk mode using Microsoft Intune? (Choose three)
238Which TWO actions can you perform using the Microsoft Intune admin center to manage Windows devices? (Choose two)
239Your organization has 5,000 Windows 10 devices managed by Microsoft Intune. You are planning to upgrade them to Windows 11. The devices must meet the Windows 11 hardware requirements. You need to identify which devices are eligible for upgrade and then deploy Windows 11 using a feature update policy in Intune. You have the following requirements: (1) Generate a report of devices that are not eligible due to TPM 2.0 or CPU incompatibility. (2) Deploy Windows 11 to eligible devices using a phased approach: first to IT department (200 devices), then to pilot users (500 devices), and finally to all remaining devices. (3) Ensure that devices in the IT department receive the update within 7 days of Microsoft's release, while pilot users receive it after 30 days, and remaining devices after 60 days. (4) Monitor deployment progress and roll back if critical issues are detected. What should you do?
240Your organization uses Microsoft Intune to manage 1,000 Windows 10 devices and 500 iOS devices. You need to enforce device compliance policies. For Windows devices, you require BitLocker encryption and Windows Defender Antivirus enabled. For iOS devices, you require a passcode of at least 6 characters and device encryption. Devices that become noncompliant should be marked as such and users should receive a notification email. After 7 days of noncompliance, the device should be blocked from accessing corporate email. You also need to create a report that shows the compliance status of all devices. Which combination of actions should you take?
241Your organization has 200 Windows 10 devices that are not yet managed. You need to enroll them in Microsoft Intune. The devices are already joined to on-premises Active Directory. You want to enable hybrid Azure AD join and automatic enrollment via Group Policy. The devices are located in multiple sites with limited internet bandwidth. You need to minimize the amount of data transferred over the WAN during enrollment. What should you do?
242You manage Windows 10 devices with Microsoft Intune. A user reports that their device is not receiving required compliance policies, and the device status in Intune shows 'Not evaluated' for compliance. You confirm the device is enrolled and able to sync. What should you check first?
243You need to deploy a critical security update to 500 Windows 10 devices managed by Intune. The update must be installed by the end of the week. Which deployment method should you use?
244Your organization uses Microsoft Intune to manage iOS devices. You need to ensure that corporate data on these devices is automatically removed when a user is unenrolled from Intune. Which action should you configure?
245You have a Windows 11 device enrolled in Intune that is not receiving configuration profiles. The device shows 'Pending' status for all profiles. You confirm the device is connected to the internet and can reach Microsoft's servers. What is the most likely cause?
246You are troubleshooting a Windows 11 device that fails to receive a PowerShell script deployed via Intune. The script is assigned to a group containing the device. Other policies on the device apply successfully. What should you check first?
247You need to ensure that all corporate-owned Windows 11 devices automatically install critical security updates as soon as they are released by Microsoft. Which Intune feature should you configure?
248A user reports that their iOS device is unable to access corporate email after updating to a new iOS version. Other iOS devices are working fine. The device is enrolled in Intune and shows as compliant. What should you check?
249You are planning to deploy a custom line-of-business (LOB) app to 200 Windows 11 devices using Intune. The app requires a specific registry key to be present before installation. What should you do?
250You need to provide remote assistance to a Windows 11 device managed by Intune. The user is not technically savvy. Which Intune feature should you use?
251Which TWO actions can an Intune administrator take to ensure that only compliant devices can access corporate Exchange Online email?
252Which THREE steps are required to deploy a Windows 10 feature update (e.g., version 22H2) to a group of test devices using Intune?
253Which TWO troubleshooting steps should you take when a Windows 11 device fails to enroll in Intune with error code 0x80180014?
254Refer to the exhibit. You have configured the compliance policy shown above. A user reports that their Windows 11 device is compliant with all settings except the threat level. The device has no threat protection agent installed. What will happen when the user tries to access corporate resources?
255Refer to the exhibit. You run the PowerShell command above to get a list of noncompliant devices. The output shows that some devices have a complianceGracePeriodExpirationDateTime in the past. What does this indicate?
256You are the Intune administrator for Contoso Ltd., a company with 5,000 Windows 11 devices and 1,000 iOS devices managed by Microsoft Intune. The company uses Microsoft Defender for Endpoint for threat detection. You need to implement a solution that ensures devices are compliant before they can access corporate resources. You have the following requirements: 1. Windows devices must have Defender for Endpoint running and report a threat level of 'low' or better. 2. iOS devices must have a PIN of at least 6 characters and be jailbreak-detected as 'not jailbroken'. 3. If a device becomes noncompliant, it should be blocked immediately with no grace period. 4. Noncompliant devices should receive a notification to the user. You create compliance policies for Windows and iOS. You also create a conditional access policy in Microsoft Entra ID to require compliant devices. After deploying, you find that some Windows devices that are missing Defender for Endpoint are still able to access email. What should you do to resolve this issue?
257A user reports that their Windows 11 device is not receiving configuration policies from Microsoft Intune. The device shows as 'active' in the Intune admin center. Which troubleshooting step should you take first?
258You are designing a Windows Update for Business deployment for a hybrid environment with 5,000 devices. You need to ensure that critical security updates are deployed within 48 hours while allowing feature updates to be delayed up to 60 days. Which policy configuration should you use?
259Your organization uses Microsoft Intune to manage Windows devices. You need to ensure that only IT administrators can manually install apps from the Microsoft Store. Which setting should you configure in a device restriction policy?
260A company uses Microsoft Intune to manage iOS/iPadOS devices. They require that all corporate data on devices be protected with a passcode of at least 6 digits. Which policy type should you configure?
261You have a Windows 11 device that is co-managed with Configuration Manager and Microsoft Intune. After migrating the Windows Update workload to Intune, users report that they can still manually check for updates in Windows Settings and install optional updates. You need to prevent users from installing optional updates. Which setting should you configure in Intune?
262Your organization uses Microsoft Intune to manage Android Enterprise devices. You need to ensure that when a device is lost, an IT admin can remotely wipe only the work profile, leaving the personal data intact. Which remote action should you use?
263A user's device is enrolled in Microsoft Intune and compliant, but they cannot access corporate email via the Outlook mobile app. The app opens and shows 'Cannot connect to server'. Other users with the same device model can access email. What is the most likely cause?
264You are implementing Windows Autopilot for a new fleet of devices. You need to ensure that during the out-of-box experience (OOBE), the device automatically joins Microsoft Entra ID and is enrolled in Intune. Which configuration is required?
265A company uses Microsoft Intune to manage Windows devices. They want to deploy a custom line-of-business (LOB) app as a Win32 app. The app requires .NET Framework 4.8 and must be installed silently. Which file type should you use for the app deployment in Intune?
266Which TWO actions can you perform using the Microsoft Intune admin center to manage a Windows device that is enrolled in Intune?
267Which THREE components are required to deploy a Win32 app via Microsoft Intune?
268Which TWO types of policies can be assigned to user groups in Microsoft Intune?
269Refer to the exhibit. The exhibit shows a JSON representation of a managed device from Microsoft Graph API. The device shows as noncompliant. Which of the following is the most likely reason for the noncompliant status?
270You are the endpoint administrator for Contoso, a company with 10,000 Windows 11 devices managed by Microsoft Intune. The devices are a mix of corporate-owned and bring-your-own-device (BYOD). You need to implement a solution that allows users to access corporate resources only if their devices meet specific security requirements: disk encryption (BitLocker), antivirus (Microsoft Defender), and a minimum OS build. Additionally, you must ensure that users cannot access corporate email from devices that are jailbroken or rooted. The solution should automatically block non-compliant devices from accessing resources and provide a notification to the user explaining the issue. You have already configured compliance policies in Intune. What should you do next to enforce the block?
271Your organization uses Microsoft Intune to manage Windows 10 and Windows 11 devices. You need to deploy a critical security update to all devices within 24 hours. The update is classified as a 'Quality Update' by Microsoft. You have configured a Windows Update for Business policy in Intune with a 'Quality update deadline' of 1 day. However, after 48 hours, some devices still have not installed the update. You verify that the devices are online and have checked in with Intune recently. What should you do to ensure the update is installed immediately on the remaining devices?
272Your company has 500 iOS devices enrolled in Microsoft Intune. The devices are used by sales representatives to access customer data. You need to ensure that if a device is lost or stolen, an administrator can remotely lock the device and display a custom message with a phone number to call. Which remote action should the administrator use?
273Your organization uses Microsoft Intune to manage Windows 10 and Windows 11 devices. Users report that after a recent update, their devices are stuck at the login screen and cannot access corporate resources. You suspect a configuration conflict. Which action should you take first to restore device functionality without affecting other settings?
274Your organization is implementing a zero-trust security model using Microsoft Intune. Devices must be compliant before accessing corporate resources. You need to deploy compliance policies for Windows 10 devices that require BitLocker encryption and a minimum OS version. Which two policy settings should you configure? (Choose two.)
275A company uses Microsoft Intune to manage iOS devices. They need to enforce a policy that requires a passcode of at least 6 characters, allows Touch ID, and automatically wipes the device after 10 failed attempts. Which three settings should be configured in a device restrictions profile for iOS? (Choose three.)
276Refer to the exhibit. You have an Intune configuration that includes a compliance policy and a device configuration policy for Windows 10 devices. You deploy both policies to a group of devices. After deployment, some devices are marked as non-compliant even though they have BitLocker enabled and Windows Defender Antivirus running. Which setting is most likely causing the conflict?
277You are a Microsoft 365 Endpoint Administrator for a medium-sized company that uses Microsoft Intune to manage its Windows 10 devices. The company recently experienced a ransomware attack that encrypted local files on several devices. To mitigate future attacks, management wants to ensure that all devices have real-time protection enabled in Microsoft Defender Antivirus and that Controlled Folder Access is turned on. You need to configure these settings via Intune. You decide to create a device configuration profile for Windows 10. What is the most efficient way to deploy these settings to all existing and future devices?
278Your organization uses Microsoft Intune to manage Windows 11 devices. You have a requirement to ensure that all devices have BitLocker Drive Encryption enabled with a TPM protector and a recovery key escrowed to Azure AD. Additionally, you need to configure a policy that prevents users from changing the BitLocker settings. You create a device configuration profile using the 'Endpoint Protection' template for Windows 10 and later. After deploying the policy to a test group, you notice that BitLocker is not enabled on some devices. The devices meet the hardware requirements and are Azure AD joined. What is the most likely reason for the failure, and how should you resolve it?
279You are an Intune administrator for a large enterprise that uses Microsoft Defender for Endpoint (now Microsoft Defender XDR) for threat protection. You need to ensure that all Windows 10 devices are properly onboarded to Defender for Endpoint and that security settings are enforced via Intune. You have created a device configuration profile that includes the 'Microsoft Defender for Endpoint' settings, but some devices are not appearing in the Defender for Endpoint portal. You verify that the devices are Intune managed and enrolled. What should you do to ensure proper onboarding?
280Your organization uses Microsoft Intune to manage iOS and Android devices. You need to ensure that corporate data on these devices is protected. Specifically, you want to prevent users from copying corporate data from managed apps to personal apps. You also want to ensure that when a device is lost or stolen, the corporate data can be selectively wiped without affecting personal data. Which Intune feature should you use to achieve these requirements?
281You are managing a fleet of Windows 10 devices with Microsoft Intune. You need to deploy a critical security update that Microsoft released out-of-band. The update must be installed on all devices within 24 hours. You have configured Windows Update for Business policies in Intune, but the update is not being installed on many devices. You check the update compliance reports and see that most devices are showing the update as 'pending'. What should you do to expedite the installation?
282Your organization uses Microsoft Intune to manage iOS/iPadOS devices. You have deployed a device configuration profile that configures the device's email settings for the native Mail app. Recently, the organization decided to switch to Microsoft Outlook for iOS as the primary email client. You need to ensure that users can only use Outlook for accessing corporate email, and that the native Mail app is blocked from accessing corporate data. Which combination of Intune policies should you implement?
283You are an Intune administrator for a company that has recently deployed Windows 11 devices. Management wants to ensure that all devices are running the latest feature update (Windows 11 23H2) within 60 days of release. You need to configure a Windows Update for Business policy in Intune to achieve this goal. Which settings should you configure?
284Your organization uses Microsoft Intune to manage macOS devices. You need to deploy a company-specific application (a .pkg file) to all macOS devices. The application requires a specific configuration file that must be placed in the /Library/Application Support/ directory. You also need to ensure that the application is installed silently without user interaction. How should you configure the deployment in Intune?
285Your organization uses Microsoft Intune to manage Android Enterprise devices (work profile). You need to ensure that corporate data on these devices is encrypted. Additionally, you want to enforce a policy that prevents users from disabling the work profile. You have created a device compliance policy that requires encryption, but some devices are marked as non-compliant even though they have encryption enabled. You suspect that the devices are using file-based encryption instead of full-disk encryption. What should you do to ensure that the devices meet the encryption requirement?
286Your organization uses Microsoft Intune to manage Windows 10 devices. You need to deploy a PowerShell script that runs at every device startup to map network drives based on the user's security group membership. The script should run in the system context and should not require user interaction. How should you configure the script deployment in Intune?
287Your organization uses Microsoft Intune to manage Windows 10 and iOS devices. You need to deploy a certificate-based authentication solution for Wi-Fi and VPN access. You have set up a Certificate Connector for Microsoft Intune and issued a root CA certificate. You have created a trusted certificate profile for the root CA and a SCEP certificate profile for client certificates. However, iOS devices are failing to enroll for client certificates. You verify that the SCEP profile is correctly configured and assigned. What is the most likely cause?
288You need to deploy Windows updates to a group of devices using Microsoft Intune. Which TWO policies should you configure to ensure updates are applied within a maintenance window?
289You are managing devices with Microsoft Intune. You need to ensure that only compliant devices can access corporate email. Which THREE components should you configure?
290Your organization uses Microsoft Intune to manage devices. You need to collect diagnostic logs from a remote Windows device without user interaction. Which THREE methods can you use?
291You are troubleshooting a Windows device that is not receiving policies from Intune. Which TWO actions should you take?
292You need to onboard devices to Microsoft Defender for Endpoint using Microsoft Intune. Which THREE methods are supported?
293Your organization uses Microsoft Intune to manage iOS/iPadOS devices. You need to ensure that only devices with a passcode can access corporate resources. Which THREE configurations should you implement?
294You are the endpoint administrator for Contoso Ltd. The company uses Microsoft Intune to manage Windows 11 devices. You need to deploy a critical security update to all devices within 24 hours. The update is a quality update (KB5001234). You have created an update ring policy named 'Critical Ring' assigned to all devices. The policy currently has a deferral period of 7 days. You need to ensure that the update is installed immediately. What should you do?
295You manage devices at Fabrikam Inc. using Microsoft Intune. You have a Windows 11 device that is not compliant because it is missing a required application. The device shows as 'Not evaluated' in Intune for the compliance policy. The user reports that the device syncs manually but still shows as non-compliant. You have verified that the device is enrolled and policy is assigned. What should you do first to resolve the issue?
296Adventure Works uses Microsoft Intune for device management. You need to deploy a custom PowerShell script to all Windows 10 devices to configure a registry key for security compliance. The script is already uploaded to Intune as a PowerShell script. However, the script is not running on some devices. You have confirmed that the devices are enrolled, have the Intune Management Extension installed, and are online. What should you check first?
297You are a Microsoft Intune administrator for Tailwind Traders. The company has enrolled Windows 11 devices. You need to configure BitLocker encryption on all devices using Intune. You have created an endpoint security policy for BitLocker and assigned it to the correct group. After 24 hours, some devices still show as not encrypted. You verify that the devices are compliant with the policy's prerequisites. What should you do to force the policy to apply?
The Manage and maintain devices domain covers the key concepts tested in this area of the MD-102 exam blueprint published by Microsoft. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all MD-102 domains — no account required.
The Courseiva MD-102 question bank contains 297 questions in the Manage and maintain devices domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Manage and maintain devices domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
Save your results, see per-domain analytics, and get readiness scores — free, for every certification.
Sign Up FreeFree forever · Every certification included