Practice MD-102 Protect devices questions with full explanations on every answer.
1. A user reports that their Windows 11 device is not receiving compliance policies from Microsoft Intune. The device shows as 'Not evaluated' in the Microsoft Intune admin center. Which step should you take first to resolve the issue?
2. Your company uses Microsoft Intune to manage iOS devices. You need to ensure that corporate data in Microsoft 365 apps is protected even if a device is compromised. Which App Protection Policy setting should you configure?
3. You are implementing Microsoft Defender for Endpoint on Windows Server devices managed by Microsoft Intune. After onboarding, the devices show as 'Inactive' in the Microsoft Defender XDR portal. Which action should you take?
4. Your organization uses Microsoft Entra ID joined devices with Windows 10. You need to ensure that only compliant devices can access corporate email in Microsoft Outlook for Windows. Which integration should you enable?
5. You manage Android Enterprise devices with work profiles. A user reports that corporate apps are not appearing in the work profile after enrollment. The device shows as enrolled in Microsoft Intune. What is the most likely cause?
6. Your organization uses Windows Autopilot for device deployment. After a device completes the user-driven deployment, it appears in Microsoft Entra ID as 'Azure AD registered' instead of 'Azure AD joined'. What should you modify to ensure the device is joined?
7. You are investigating a malware incident on a Windows 10 device managed by Microsoft Intune and protected by Microsoft Defender for Endpoint. Which log should you analyze to determine the initial infection vector?
8. You need to deploy a line-of-business (LOB) iOS app to users in your organization. The app is signed with an enterprise certificate. How should you distribute the app to managed devices?
9. You have enabled Microsoft Defender for Endpoint on macOS devices. Some macOS devices show a status of 'Sensor disconnected' in the Microsoft Defender XDR portal. The devices are online and can communicate with the internet. Which troubleshooting step should you take first?
10. Which TWO of the following are valid methods to wipe a Windows 10 device using Microsoft Intune? (Select TWO.)
11. Which THREE of the following are prerequisites for deploying Microsoft Defender for Endpoint on Windows 10 devices via Microsoft Intune? (Select THREE.)
12. Which TWO of the following are valid reasons to use Windows Autopilot Reset? (Select TWO.)
13. Refer to the exhibit. You deploy this compliance policy to Windows 10 devices. A device running Windows 10 version 20H2 (OS build 19042.1234) reports as compliant. However, the device does not have BitLocker enabled. Why is the device compliant?
14. Refer to the exhibit. You configure this Enrollment Status Page (ESP) policy for Windows Autopilot deployments. During a deployment, a device fails to install a required app. What happens?
15. Refer to the exhibit. You apply this configuration profile to Windows 10 devices. A user reports that their device's diagnostic data level is set to 'Full' in Settings > Diagnostics & feedback. What is the most likely reason?
16. You are configuring a Windows 10 device compliance policy in Microsoft Intune. The policy requires that devices have BitLocker enabled and a minimum OS build version. However, some devices are showing as 'Not compliant' even though they meet the requirements. What is the most likely cause?
17. You manage a fleet of iOS devices enrolled in Microsoft Intune. You need to ensure that only approved corporate devices can access Exchange Online. You configure a Conditional Access policy that requires devices to be compliant with Intune compliance policies. However, some users report that they are still able to access email from personal iOS devices that are not enrolled. What should you check first?
18. Your organization uses Microsoft Intune to manage Windows 10 devices. You need to deploy a security baseline that enforces BitLocker encryption and Windows Defender Antivirus settings. What is the recommended approach?
19. A user reports that they cannot install a company-required app from the Company Portal on their Android device. The app is assigned as 'Available for enrolled devices' in Intune. The device is enrolled and compliant. What is the most likely issue?
20. You are troubleshooting an issue where Windows 10 devices are not receiving Windows updates from Intune. The update rings are configured, and the devices are enrolled. However, devices show 'Up to date' even though they are missing critical security updates. What should you verify?
21. You need to ensure that only compliant devices can access Microsoft 365 resources. You create a Conditional Access policy in Microsoft Entra ID. Which condition should you use?
22. You are configuring an app protection policy (MAM) in Intune for iOS and Android devices. The policy should prevent users from copying corporate data to personal apps. Which setting should you configure?
23. Your organization uses Microsoft Defender for Endpoint (now part of Microsoft Defender XDR) to manage device threat detection. You have integrated Defender for Endpoint with Intune for compliance. Some devices are showing as non-compliant due to 'active threats' that are actually low-risk. How can you adjust the compliance policy to allow low-risk threats?
24. You need to wipe a lost corporate-owned iOS device that is enrolled in Intune. Which action should you perform?
25. Which TWO conditions must be met for a Windows 10 device to be considered compliant with an Intune compliance policy that requires BitLocker and Secure Boot?
26. Which THREE settings must be configured to enable Windows Hello for Business in an Intune policy?
27. Which TWO methods can be used to enroll Android devices in Microsoft Intune?
28. Refer to the exhibit. A Windows 10 device with OS build 10.0.19041.1 is evaluated against this compliance policy. The device meets all settings except one. Its OS version, 10.0.19041.1, is above the minimum 10.0.19041.0, and the device has BitLocker enabled, Secure Boot enabled, and firewall enabled. Which setting will cause the device to be non-compliant?
29. Refer to the exhibit. You run this PowerShell script using the Microsoft Graph PowerShell SDK. What is the purpose of this script?
30. Refer to the exhibit. You are deploying a custom OMA-URI policy to Windows 10 devices. What is the effect of this policy?
31. A company uses Microsoft Intune to manage Windows 11 devices. They want to ensure that only devices with a TPM 2.0 and Secure Boot enabled can access corporate resources in Microsoft Entra ID. What should they configure?
32. Contoso has iOS/iPadOS devices managed by Intune. They need to prevent users from installing apps from outside the Apple App Store and ensure that devices with a jailbreak are blocked from accessing corporate email. Which two policies should they combine?
33. A company uses Microsoft Defender for Endpoint to manage endpoint security. They observe that some devices are not reporting vulnerability data to Microsoft Defender XDR. Which component is most likely misconfigured?
34. An organization wants to enforce encryption on all Windows 10/11 devices using Intune. Which policy type should they use?
35. A company uses Intune to manage macOS devices. They need to deploy a custom configuration profile that enforces FileVault encryption. What is the recommended approach?
36. Your organization uses Windows Defender Application Control (WDAC) to allow only approved apps. After deploying a WDAC policy via Intune, some users report that a critical line-of-business app is blocked. How should you troubleshoot?
37. A company wants to prevent users from copying corporate data from managed Microsoft 365 apps to personal apps on iOS devices. What should they configure?
38. Contoso uses Microsoft Defender for Endpoint on Windows servers. They need to ensure that antivirus definitions are always up-to-date even if the server is disconnected from the internet for extended periods. What should they configure?
39. Your organization uses Microsoft Intune to manage Windows 11 devices. You notice that some devices are not receiving security updates even though update rings are assigned. What is the most likely cause?
40. Which TWO actions should you take to ensure that only healthy Windows 10/11 devices can access Microsoft 365 services? (Choose two.)
41. Which THREE components are essential for a Microsoft Defender for Endpoint deployment on Windows 10 devices? (Choose three.)
42. Which TWO methods can you use to deploy Microsoft Defender for Endpoint on Windows Server 2019? (Choose two.)
43. Refer to the exhibit. The Intune device compliance policy shown is assigned to a group of Windows 10 devices. A user reports that their device is marked as noncompliant. The device has a password set, BitLocker enabled, Secure Boot on, and code integrity (HVCI) enabled. What is the most likely reason?
44. Refer to the exhibit. A PowerShell script is used to check the encryption compliance state of Windows devices managed by Intune. Some devices return a State of 'notApplicable' for the Encryption setting. What does this indicate?
45. Refer to the exhibit. A KQL query in Microsoft Defender XDR returns no results for PC001 and PC002 even though you know there have been antivirus detections on those devices. What is the most likely reason?
46. You are the endpoint administrator for Contoso, a company with 5,000 Windows 11 devices managed by Microsoft Intune. The company uses Microsoft Defender for Endpoint (MDE) for endpoint detection and response. You need to implement a solution that ensures all devices have the latest Windows security updates installed within 7 days of release. Additionally, you must ensure that if a device misses two consecutive update cycles, it is automatically blocked from accessing corporate resources until it is updated. You have the following requirements: 1. Use Intune update rings to control update deployment. 2. Use MDE vulnerability management to identify missing updates. 3. Device compliance policies should check for missing updates and mark devices noncompliant. 4. Conditional Access should block noncompliant devices. Which combination of actions should you take?
47. You configure Windows Update for Business policies in Intune. Users report that updates are not installing during configured active hours. You verify that the policy is applied. What is the most likely cause?
48. Your organization uses Microsoft Defender for Endpoint (now part of Microsoft Defender XDR). You need to ensure that when a device is offboarding, all collected forensic data is deleted from Microsoft 365. What should you do?
49. Your company uses Microsoft Intune to manage Windows 11 devices. You need to deploy a configuration that requires users to use Windows Hello for Business (WHfB) and prohibits the use of FIDO2 security keys. Which CSP and value should you configure?
50. A user reports that their iOS device is not receiving email on their work account. The device is enrolled in Intune. You verify that the Exchange ActiveSync profile is assigned correctly. What should you check next?
51. You manage Windows 10 devices with Intune. You need to ensure that only approved apps can run on corporate devices. You configure AppLocker via a custom OMA-URI. However, users can still run unapproved apps. What is the most likely reason?
52. Your organization uses Microsoft Defender for Cloud Apps (part of Microsoft Defender XDR). You need to detect when users access cloud apps from unauthorized locations. Which log source should you integrate to get location information?
53. You need to configure BitLocker encryption for Windows 10 devices managed by Intune. You create a device configuration profile for endpoint protection. After assigning, devices show 'BitLocker not enabled' in the Intune console. What is the most likely cause?
54. Your company uses Microsoft Intune to manage Android Enterprise devices. You need to ensure that work apps are sandboxed from personal apps. Which enrollment type should you use?
55. You manage devices with Microsoft Intune. You need to implement a conditional launch policy for Microsoft Defender for Endpoint that requires the device to have a minimum version of the sensor (10.8049.22439.1043) and a healthy signal. Which JSON policy should you deploy?
56. Your organization uses Microsoft Intune to manage mobile devices. You need to configure compliance policies that trigger conditional access. Which TWO conditions can be used in a device compliance policy?
57. You deploy a Windows Update for Business policy in Intune. You need to ensure that devices install quality updates within 2 days of release and feature updates within 30 days. Which THREE settings should you configure?
58. You need to configure Microsoft Defender for Endpoint on macOS devices. Which THREE components must be installed?
59. A user reports that their Windows 11 device cannot install a required line-of-business (LOB) app from Company Portal. The app is assigned to the user and shows as 'Available' in Intune. The device is compliant and managed. What is the most likely cause?
60. Your organization uses Microsoft Intune to manage Windows 10 devices. You need to ensure that devices automatically install critical updates from Windows Update for Business within 3 days of release. Which configuration should you use?
61. A company uses Microsoft Defender for Endpoint. They want to automatically remediate threats on endpoints using automated investigation and response. They also need to ensure that the remediation actions are approved by the security team before execution. Which configuration should they use?
62. Your organization uses Microsoft Intune to manage iOS/iPadOS devices. You need to ensure that users cannot remove the Company Portal app from their devices. Which configuration should you apply?
63. A user has a Windows 10 device that is managed by Intune. The device is compliant but the user reports that they cannot access corporate email on their device. The email profile is deployed via Intune. Other users can access email successfully. What should you check first?
64. Your organization uses Microsoft Intune to manage Windows 10 devices. You need to enforce BitLocker encryption on all devices. Some devices are not encrypting. You check the BitLocker policy and it is assigned correctly. What is the most likely reason?
65. Your organization uses Microsoft Intune to manage Android Enterprise devices. You need to ensure that corporate data is separated from personal data on the device. Which management approach should you use?
66. A user has a Windows 11 device that is enrolled in Intune. The device is compliant, but the user cannot install apps from the Company Portal. The Company Portal shows 'This app is not available for your device'. The app is assigned to the user and the device meets the minimum requirements. What should you check?
67. Your organization uses Microsoft Defender for Cloud Apps. You need to configure a policy that automatically blocks downloads of sensitive data from SharePoint Online to unmanaged devices. Which policy type should you use?
68. Which TWO actions can you perform using Microsoft Intune to protect devices from malware?
69. Which THREE features are available in Microsoft Intune for managing Windows 10/11 device updates?
70. Which TWO compliance settings can be configured in Microsoft Intune for Android devices?
71. Refer to the exhibit. You deploy this compliance policy to a Windows 11 device running build 10.0.22621.1000. The device has BitLocker enabled, Secure Boot enabled, and code integrity enabled. Is the device compliant?
72. Refer to the exhibit. An administrator runs this PowerShell command using the Microsoft Graph PowerShell SDK. The output returns no devices. However, the administrator knows that there are non-compliant Windows devices in Intune. What is the most likely reason?
73. Refer to the exhibit. You deploy this endpoint protection configuration to a Windows 10 device. A user reports that they cannot connect to the device via RDP. What is the most likely cause?
74. You are deploying Windows 10 devices using Autopilot. You need to ensure that during the out-of-box experience (OOBE), users are blocked from bypassing the sign-in screen by clicking 'Skip for now'. Which setting should you configure in the Enrollment Status Page (ESP) profile?
75. You manage Windows 10 devices with Microsoft Intune. A user reports that a device has a red shield icon in the Windows Security Center, indicating tamper protection is off. You need to re-enable tamper protection on the device using Intune. Which profile type should you configure?
76. Your organization uses Microsoft Defender for Endpoint (MDE) and Microsoft Intune. You need to create a device group that dynamically includes all devices with a threat level of 'High' from MDE. You then plan to apply a compliance policy to force those devices to be non-compliant. Which method should you use to create the dynamic group?
77. You have devices enrolled in Microsoft Intune. You need to configure a policy that requires a PIN of at least 6 characters for accessing Microsoft Entra ID resources. Which policy type should you configure?
78. Your organization uses Windows Autopilot and Microsoft Intune. You need to ensure that during the Autopilot deployment, the device automatically installs a set of required applications (Microsoft 365 Apps, company portal, and a line-of-business app) before the user can access the desktop. Which configuration should you use?
79. You have an Intune-managed device that is not receiving compliance policies. You check the Intune console and see the device status is 'Pending'. The device is connected to the internet and can sync. What is the most likely cause?
80. You need to ensure that Windows 10 devices automatically receive Microsoft Defender antivirus definition updates from Microsoft. Which update channel should you configure in the endpoint protection profile?
81. You have a Windows 10 device that is managed by Intune and enrolled in Microsoft Defender for Endpoint. The device is reporting a high number of false positive detections from Microsoft Defender Antivirus. You need to configure an exclusion for a specific folder path to reduce false positives. Where should you configure the exclusion?
82. Your organization uses Microsoft Intune to manage iOS/iPadOS devices. You need to enforce that all devices use a 6-digit passcode and that the device automatically wipes after 10 failed attempts. Which profile type should you configure?
83. You are planning a Windows 10 deployment using Windows Autopilot. You need to ensure that devices are automatically enrolled in Intune during the out-of-box experience. Which two prerequisites must be met? (Choose two.)
84. You have a Microsoft Intune environment with devices running Windows 10 and 11. You need to configure a policy that enforces BitLocker drive encryption with a TPM protector and stores recovery key in Microsoft Entra ID. Which three settings must you configure in the endpoint protection profile? (Choose three.)
85. You are configuring Microsoft Defender for Endpoint for your organization. You need to ensure that devices are onboarded to the service. Which two methods can you use to onboard Windows 10 devices? (Choose two.)
86. You are reviewing an Intune endpoint protection profile for Windows 10. The exhibit shows a JSON snippet of the configuration. A user reports that a device detected malware with moderate severity, but the action taken was 'quarantine'. However, the desired action is 'clean'. Which setting should you modify?
87. You are troubleshooting a Windows 10 device that is showing as non-compliant in Intune. The exhibit shows the PowerShell output from the Microsoft Graph API. Based on the output, what is the most likely reason for the non-compliance?
88. You are reviewing a custom device configuration profile in Intune. The exhibit shows an OMA-URI setting. What is the purpose of this setting?
89. You need to ensure that devices enrolled in Microsoft Intune automatically receive Windows quality updates as soon as they are released. Which update ring setting should you configure?
90. A user reports that their Windows 11 device cannot access corporate resources after a recent update. The device is enrolled in Intune. You check the device compliance status and find it is marked as non-compliant. Which two actions should you take?
91. Your organization uses Microsoft Defender for Endpoint (now part of Defender XDR) and Intune. You need to create a device compliance policy that triggers automatic remediation when a device has a 'Medium' severity alert from Defender. Which setting should you configure?
92. You need to deploy a Microsoft 365 Apps for enterprise configuration to devices managed by Intune. Which policy type should you use?
93. You manage Windows 10 devices with Intune. After deploying a new compliance policy requiring BitLocker, many devices show as non-compliant. You verify that BitLocker is enabled on the system drive. What is the most likely cause?
94. Refer to the exhibit. You deploy this compliance policy to Windows 10 devices. A device reports as compliant, but you suspect it may have a weak password policy because the password type is 'deviceDefault'. What is the effect of 'deviceDefault' on the password requirement?
95. Your organization uses Microsoft Intune to manage iOS devices. You need to ensure that corporate data in Microsoft Outlook is protected even if the device is not enrolled in MDM. Which policy should you deploy?
96. You have a hybrid Microsoft Entra ID joined Windows 10 device that is co-managed with Configuration Manager and Intune. You want Intune to manage Windows Update for Business settings. Which slider setting should you configure in Configuration Manager?
97. You configure a Windows 10 device compliance policy in Intune that requires 'Firewall' to be enabled. The device has Windows Defender Firewall enabled, but the device reports as non-compliant. You verify that the firewall is active. What is the most likely cause?
98. Which TWO settings can be configured in a Windows 10 device restriction profile in Intune to enhance security?
99. Which THREE actions can you perform from the Microsoft Intune admin center to remediate a non-compliant Windows device?
100. Which TWO conditions in a Conditional Access policy can be used to enforce device compliance for access to Microsoft 365 services?
101. Refer to the exhibit. You deploy this custom OMA-URI policy to Windows 10 devices. What is the expected outcome?
102. Refer to the exhibit. You run a PowerShell command to check the assignment status of device configuration profiles. The 'BitLocker Policy' shows 'Pending'. What does 'Pending' indicate?
103. Refer to the exhibit. You run this KQL query in Microsoft Defender XDR to investigate a device. The result shows RiskScore = 0. What does this indicate about the device?
104. A user reports that their Windows 10 device is not receiving compliance policies from Microsoft Intune. The device shows as 'Not evaluated' in the Microsoft Intune admin center. Which of the following is the most likely cause?
105. Your organization uses Microsoft Intune to manage Windows 11 devices. You need to ensure that only devices with a Trusted Platform Module (TPM) version 2.0 and Secure Boot enabled can access corporate email. What should you configure?
106. A company uses Microsoft Intune to manage iOS devices. Users report that they cannot install the required Microsoft Defender for Endpoint app from the Company Portal. The app shows as 'Not available' in the Company Portal. Which of the following is the most likely reason?
107. Your organization wants to deploy Windows Update for Business policies using Microsoft Intune to Windows 10 devices. Which policy type should you use?
108. A user's Android device is enrolled in Microsoft Intune. The device reports as 'Compliant' but the user cannot access corporate resources that require compliant devices. The conditional access policy is configured to require a compliant device. What is the most likely cause?
109. Your organization uses Microsoft Defender for Endpoint (MDE) and Microsoft Intune. You want to automatically remediate devices that are found to be missing critical security updates during a vulnerability assessment. What should you configure?
110. You need to ensure that only authorized users can enroll devices in Microsoft Intune. Which setting should you configure?
111. Your organization uses Microsoft Intune to manage Windows 11 devices. You need to deploy a custom PowerShell script that runs during enrollment to configure network settings. What should you use?
112. Your organization uses Microsoft Intune with co-management and Configuration Manager. Some Windows 10 devices are enrolled in Intune but also managed by Configuration Manager. You need to ensure that the Intune compliance policy is evaluated and enforced on these devices. What should you configure?
113. Which TWO of the following are valid enrollment methods for Windows 10 devices in Microsoft Intune?
114. Which THREE of the following are features of Microsoft Defender for Endpoint that help protect devices?
115. Which TWO of the following are required to configure Windows Hello for Business using Microsoft Intune?
116. Refer to the exhibit. A Windows 10 device is enrolled in Intune and has the above compliance policy assigned. The device reports as non-compliant. The device has TPM version 2.0, Secure Boot enabled, and a password of 8 characters. Which of the following is the most likely reason for non-compliance?
117. Refer to the exhibit. A Windows 10 device shows a compliance state of 'noncompliant'. The last sync was 2 hours ago. The device is managed by Intune (mdm). You have verified that the assigned compliance policy requires a device threat level of 'high' from Microsoft Defender for Endpoint. Which of the following is the most likely cause of non-compliance?
118. Refer to the exhibit. You have assigned the above compliance policy to a Windows 10 device group. A user reports that their device is non-compliant even though BitLocker is enabled on the system drive. Which of the following is the most likely reason?
119. Your organization uses Microsoft Intune to manage Windows 11 devices. You need to configure a device compliance policy that requires devices to run Windows version 22H2 or later. When you create the policy, which option must you select for the OS version requirement?
120. Your company deploys Microsoft Defender for Endpoint (Defender XDR) to all Windows devices. You need to create a custom detection rule that triggers an alert when a specific PowerShell script is executed on any device. Which action should you take in the Microsoft 365 Defender portal?
121. You manage devices with Microsoft Intune. You need to deploy a Windows 10 feature update to a pilot group of devices. Which profile type should you use?
122. Your organization uses Microsoft Intune to manage iOS/iPadOS devices. You need to ensure that all devices have a passcode of at least 6 characters and that devices are updated to the latest iOS version. You create a compliance policy. After assigning the policy, some devices are marked as non-compliant even though they have a passcode. What is the most likely cause?
123. Your company uses Microsoft Intune for device management. You need to configure a Windows 10 device restriction policy that blocks the use of the camera and microphone on all devices. Which settings should you configure?
124. You need to enroll a Windows 11 device into Microsoft Intune using a work or school account. The device is already joined to Microsoft Entra ID. What is the simplest enrollment method?
125. Your organization uses Microsoft Intune to manage Android Enterprise devices. You need to deploy a managed Google Play app to work profile devices. After deploying, users report that the app is not available in the work profile. What is the most likely cause?
126. Your company uses Microsoft Defender for Endpoint (Defender XDR). You need to configure an automated investigation and remediation (AIR) rule that automatically quarantines a file when a specific alert is triggered. Which action should you take?
127. You need to ensure that only approved iOS apps can be installed on company-owned devices. Which Intune feature should you use?
128. Your organization uses Microsoft Intune to manage Windows devices. You need to deploy a PowerShell script that runs in the user context during device enrollment. Which two conditions must be met? (Select TWO.)
129. Your company uses Microsoft Defender for Cloud Apps (Microsoft 365 Defender). You need to create a session policy that monitors and controls access to a specific cloud app. Which three components must you configure? (Select THREE.)
130. You are configuring Microsoft Intune for Windows 10 devices. Which two settings can you enforce using a device restrictions profile? (Select TWO.)
131. You review the compliance policy JSON for Windows 10 devices. A device running Windows 10 version 22H2 (build 22621.0) with a numeric-only password of 10 characters, BitLocker enabled, firewall enabled, and Microsoft Defender running reports as non-compliant. What is the most likely reason?
132. You are the endpoint administrator for Contoso Ltd., a global company with 5,000 Windows 11 devices managed by Microsoft Intune. The company has a strict security policy requiring that all devices must have BitLocker Drive Encryption enabled on the operating system drive. Additionally, devices must be compliant with the policy to access corporate resources via Conditional Access. Recently, an audit revealed that 200 devices are non-compliant because BitLocker is not enabled. You investigate and find that these devices are all personal devices enrolled as 'Windows bring your own device' (BYOD). The BitLocker policy is configured as a device configuration profile targeting 'All Devices'. The compliance policy requires 'Storage encryption' to be enabled. You need to resolve the non-compliance for these BYOD devices. What should you do?
133. Your organization, Fabrikam, uses Microsoft Intune to manage iOS/iPadOS and Android devices. You need to implement a solution that ensures company email can only be accessed from the Outlook mobile app, and that data from the Outlook app cannot be copied to personal apps. You also need to ensure that when a user leaves the company, the corporate data in Outlook is removed without affecting personal data. You plan to use app protection policies (MAM). The devices are not enrolled in Intune (unmanaged). You configure the app protection policies for Outlook on iOS and Android. However, users report that they can still copy email content to personal apps. What should you check?
134. A company uses Microsoft Intune to manage Windows 10 devices. Users report that after a recent update, the Start menu layout is not enforced. The administrator verified the policy is assigned to the correct device groups. What should the administrator check next?
135. An organization uses Microsoft Defender for Endpoint (MDE) with Microsoft Intune for device management. The security team wants to automatically remediate risks detected by MDE on Windows devices. Which Intune feature should be used to trigger remediation actions based on MDE alerts?
136. An IT administrator needs to ensure that iOS devices enrolled in Intune require a PIN of at least 6 digits. Where should the administrator configure this setting?
137. A company uses Intune to manage Android Enterprise devices. The administrator deployed a compliance policy that requires encryption and a minimum OS version. Some devices are not showing as compliant even though they meet the requirements. The administrator suspects a time delay. What is the default compliance check interval for Android Enterprise devices in Intune?
138. Refer to the exhibit. An Intune administrator finds this configuration on a Windows 10 device. What is the purpose of this setting?
139. An administrator needs to ensure that only devices with a specific manufacturer are allowed to enroll in Intune. Which setting should the administrator configure?
140. A hospital uses Intune to manage Windows 10 devices used by doctors. The devices should automatically install critical updates from Windows Update for Business. Which type of policy should the administrator create?
141. An organization uses Microsoft Defender for Cloud Apps to monitor cloud app usage. The security team wants to automatically apply an Intune app protection policy (APP) when a user accesses a risky app from an unmanaged device. What should the administrator use?
142. A company wants to prevent corporate data from being copied from managed apps to personal apps on iOS devices. Which Intune policy should the administrator configure?
143. An Intune administrator needs to ensure that Windows 10 devices are compliant with security requirements. Which TWO options are valid compliance settings for Windows 10?
144. A company uses Intune to manage Android Enterprise devices. The administrator wants to deploy a set of required apps silently to fully managed devices. Which THREE steps are necessary?
145. An organization uses Microsoft Defender for Endpoint to detect threats on Windows devices. The security team wants Intune to automatically increase the device's risk score when a threat is detected. Which TWO components are required?
146. Your organization has 5,000 Windows 10 devices managed by Microsoft Intune. You are implementing a new security policy that requires all devices to have BitLocker enabled with TPM validation. You create a device configuration profile for BitLocker and assign it to all devices. After two days, you notice that only 3,200 devices are compliant with the BitLocker policy. The remaining devices show 'Not applicable' for the setting. You verify that all devices are Windows 10 Pro or Enterprise and have TPM 2.0. What is the most likely cause of the 'Not applicable' status?
147Your company uses Intune to manage iOS devices. You need to deploy a new app that is available in the Apple App Store. You create an iOS store app in Intune and assign it as 'Required' to a group of users. After 24 hours, some users report that the app is not installed. You verify that the app is available in the App Store and that the devices are online. The devices are supervised and enrolled via Apple Business Manager. What should you do first to troubleshoot the issue?
148Your organization uses Microsoft Intune to manage Windows 10 devices. You need to ensure that devices are compliant with a new security policy that requires Windows Defender Antivirus to be enabled and up-to-date. You create a device compliance policy with the setting 'Require' for Windows Defender Antivirus. After assigning the policy, you see that 90% of devices are compliant. The remaining 10% show 'Not evaluated'. You check the devices and find that they are online, enrolled, and have Windows Defender Antivirus enabled. What is the most likely reason for the 'Not evaluated' status?
149Your organization uses Microsoft Entra ID joined devices and Microsoft Intune for mobile device management. A user reports that their device is not receiving compliance policies. The device shows as 'Compliant' in Intune but the Conditional Access policy still blocks access. What should you verify first?
150Which TWO actions should you take to ensure that devices are automatically enrolled in Microsoft Intune when users sign in with a work account on Windows 10/11?
151Which THREE conditions can be used in a Conditional Access policy to require a compliant device?
152Refer to the exhibit. The JSON shows a compliance policy for Windows 10 devices. Devices that do not meet the policy are marked as non-compliant. Which diagnostic step would you take to identify why a specific device is non-compliant despite having BitLocker enabled?
153Your company has 500 Windows 10 devices that are Hybrid Azure AD joined and managed by Microsoft Intune. You need to deploy a new line-of-business (LOB) app to all devices. The app is packaged as a .msi file. You create a new app in Intune and assign it to a device group containing all devices. After 24 hours, some devices report the app as 'Installed' but others show 'Failed'. You verify that the devices are online and have network connectivity. What should you do next to resolve the installation failures?
154Your organization uses Microsoft Intune to manage iOS and Android devices. You have a compliance policy that requires a minimum OS version: iOS 16.0 and Android 12.0. You also have a Conditional Access policy that requires compliant devices. Several users report that they cannot access corporate email on their personal Android devices. The devices are Android 11.0. You need to allow these users to access email while ensuring that corporate data is protected. What should you do?
155Your company uses Microsoft Intune to manage 1,000 Windows 10 devices. You need to deploy a security baseline that includes BitLocker encryption, Windows Defender Antivirus settings, and firewall rules. You create a security baseline policy in Intune and assign it to a group containing all devices. After 48 hours, you notice that only 800 devices have applied the baseline. The remaining 200 devices show 'Pending' status. These devices are online and have network connectivity. What is the most likely cause and solution?
156Your organization uses Microsoft Intune to manage devices. You need to configure a policy that prevents users from disabling the camera on their corporate iOS devices. You create a device restrictions profile and set the 'Enable camera' setting to 'No'. You assign the profile to a group containing all iOS devices. After 24 hours, users report that the camera is still functional. What should you check first?
157Your company uses Microsoft Intune to manage Windows 10 devices. You have a compliance policy that requires devices to have a minimum of 4GB RAM and 64GB disk space. Several devices are marked non-compliant due to disk space. You check the devices and find they have 60GB free. The compliance policy checks total disk capacity, not free space. You need to allow these devices to be compliant. What should you do?
158Your organization uses Microsoft Intune to manage devices. You have a Windows 10 device that is Azure AD joined and enrolled in Intune. The device is compliant, but the user cannot access corporate resources due to a Conditional Access policy requiring a compliant device. The user can access other cloud apps that do not require compliance. You check the Conditional Access policy and find it is configured correctly. What is the most likely issue?
159Your organization uses Microsoft Intune to manage Android devices. You need to ensure that corporate data on these devices is protected in case the device is lost or stolen. You configure a compliance policy that requires device encryption and a device lock screen. However, you also want to be able to selectively wipe corporate data without wiping personal data. What should you do?
160Your company uses Microsoft Intune to manage Windows 10 devices. You need to deploy a custom Windows 10 update ring that delays feature updates by 60 days and quality updates by 14 days. You create the update ring and assign it to a device group. After a week, you notice that devices are not receiving the quality updates as expected. What should you verify first?
161Your organization uses Microsoft Intune to manage devices. You have a Windows 10 device that is co-managed with Configuration Manager. You need to configure a policy that requires BitLocker encryption. You create a BitLocker policy in Intune and assign it to the device. After 24 hours, BitLocker is not enabled on the device. You verify that the device is online and the policy is assigned. What is the most likely cause?
162Your company uses Microsoft Intune to manage iOS devices. You have an app protection policy that requires a PIN to access corporate data. Users report that they can access corporate data without entering a PIN after the first time. You want to ensure that the PIN is required every time the app is opened. What should you configure?
163Your organization uses Microsoft Intune to manage Windows 10 devices. You need to ensure that all devices have Windows Defender Antivirus enabled and up to date. You create a security baseline that includes antivirus settings and assign it to all devices. After a week, you find that some devices still have outdated antivirus definitions. What should you check first?
The Protect devices domain covers the key concepts tested in this area of the MD-102 exam blueprint published by Microsoft. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all MD-102 domains — no account required.
The Courseiva MD-102 question bank contains 163 questions in the Protect devices domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Protect devices domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.