Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

HomeCertificationsMD-102DomainsProtect devices
MD-102Free — No Signup

Protect devices

Practice MD-102 Protect devices questions with full explanations on every answer.

163questions

Start practicing

Protect devices — choose a session length

10 questions~10 min20 questions~20 min30 questions~30 min50 questions~50 min

Free · No account required

MD-102 Domains

Prepare infrastructure for devicesManage and maintain devicesManage applicationsProtect devicesDeploy Windows clientManage identity and complianceManage, maintain, and protect devices

Practice Protect devices questions

10Q20Q30Q50Q

All MD-102 Protect devices questions (163)

Start session

Click any question to see the full explanation and answer options, or start a focused practice session above.

1

A user reports that their Windows 11 device is not receiving compliance policies from Microsoft Intune. The device shows as 'Not evaluated' in the Microsoft Intune admin center. Which step should you take first to resolve the issue?

2

Your company uses Microsoft Intune to manage iOS devices. You need to ensure that corporate data in Microsoft 365 apps is protected even if a device is compromised. Which App Protection Policy setting should you configure?

3

You are implementing Microsoft Defender for Endpoint on Windows Server devices managed by Microsoft Intune. After onboarding, the devices show as 'Inactive' in the Microsoft Defender XDR portal. Which action should you take?

4

Your organization uses Microsoft Entra ID joined devices with Windows 10. You need to ensure that only compliant devices can access corporate email in Microsoft Outlook for Windows. Which integration should you enable?

5

You manage Android Enterprise devices with work profiles. A user reports that corporate apps are not appearing in the work profile after enrollment. The device shows as enrolled in Microsoft Intune. What is the most likely cause?

6

Your organization uses Windows Autopilot for device deployment. After a device completes the user-driven deployment, it appears in Microsoft Entra ID as 'Azure AD registered' instead of 'Azure AD joined'. What should you modify to ensure the device is joined?

7

You are investigating a malware incident on a Windows 10 device managed by Microsoft Intune and protected by Microsoft Defender for Endpoint. Which log should you analyze to determine the initial infection vector?

8

You need to deploy a line-of-business (LOB) iOS app to users in your organization. The app is signed with an enterprise certificate. How should you distribute the app to managed devices?

9

You have enabled Microsoft Defender for Endpoint on macOS devices. Some macOS devices show a status of 'Sensor disconnected' in the Microsoft Defender XDR portal. The devices are online and can communicate with the internet. Which troubleshooting step should you take first?

10

Which TWO of the following are valid methods to wipe a Windows 10 device using Microsoft Intune? (Select TWO.)

11

Which THREE of the following are prerequisites for deploying Microsoft Defender for Endpoint on Windows 10 devices via Microsoft Intune? (Select THREE.)

12

Which TWO of the following are valid reasons to use Windows Autopilot Reset? (Select TWO.)

13

Refer to the exhibit. You deploy this compliance policy to Windows 10 devices. A device running Windows 10 version 20H2 (OS build 19042.1234) reports as compliant. However, the device does not have BitLocker enabled. Why is the device compliant?

14

Refer to the exhibit. You configure this Enrollment Status Page (ESP) policy for Windows Autopilot deployments. During a deployment, a device fails to install a required app. What happens?

15

Refer to the exhibit. You apply this configuration profile to Windows 10 devices. A user reports that their device's diagnostic data level is set to 'Full' in Settings > Diagnostics & feedback. What is the most likely reason?

16

You are configuring a Windows 10 device compliance policy in Microsoft Intune. The policy requires that devices have BitLocker enabled and a minimum OS build version. However, some devices are showing as 'Not compliant' even though they meet the requirements. What is the most likely cause?

17

You manage a fleet of iOS devices enrolled in Microsoft Intune. You need to ensure that only approved corporate devices can access Exchange Online. You configure a Conditional Access policy that requires devices to be compliant with Intune compliance policies. However, some users report that they are still able to access email from personal iOS devices that are not enrolled. What should you check first?

18

Your organization uses Microsoft Intune to manage Windows 10 devices. You need to deploy a security baseline that enforces BitLocker encryption and Windows Defender Antivirus settings. What is the recommended approach?

19

A user reports that they cannot install a company-required app from the Company Portal on their Android device. The app is assigned as 'Available for enrolled devices' in Intune. The device is enrolled and compliant. What is the most likely issue?

20

You are troubleshooting an issue where Windows 10 devices are not receiving Windows updates from Intune. The update rings are configured, and the devices are enrolled. However, devices show 'Up to date' even though they are missing critical security updates. What should you verify?

21

You need to ensure that only compliant devices can access Microsoft 365 resources. You create a Conditional Access policy in Microsoft Entra ID. Which condition should you use?

22

You are configuring an app protection policy (MAM) in Intune for iOS and Android devices. The policy should prevent users from copying corporate data to personal apps. Which setting should you configure?

23

Your organization uses Microsoft Defender for Endpoint (now part of Microsoft Defender XDR) to manage device threat detection. You have integrated Defender for Endpoint with Intune for compliance. Some devices are showing as non-compliant due to 'active threats' that are actually low-risk. How can you adjust the compliance policy to allow low-risk threats?

24

You need to wipe a lost corporate-owned iOS device that is enrolled in Intune. Which action should you perform?

25

Which TWO conditions must be met for a Windows 10 device to be considered compliant with an Intune compliance policy that requires BitLocker and Secure Boot?

26

Which THREE settings must be configured to enable Windows Hello for Business in an Intune policy?

27

Which TWO methods can be used to enroll Android devices in Microsoft Intune?

28

Refer to the exhibit. A Windows 10 device with OS build 10.0.19041.1 is evaluated against this compliance policy. The device meets all settings except one: the OS version is 10.0.19041.1, which is below the minimum 10.0.19041.0? Actually it is above. But wait, the device has BitLocker enabled, Secure Boot enabled, and firewall enabled. Which setting will cause the device to be non-compliant?

29

Refer to the exhibit. You run this PowerShell script using the Microsoft Graph PowerShell SDK. What is the purpose of this script?

30

Refer to the exhibit. You are deploying a custom OMA-URI policy to Windows 10 devices. What is the effect of this policy?

31

A company uses Microsoft Intune to manage Windows 11 devices. They want to ensure that only devices with a TPM 2.0 and Secure Boot enabled can access corporate resources in Microsoft Entra ID. What should they configure?

32

Contoso has iOS/iPadOS devices managed by Intune. They need to prevent users from installing apps from outside the Apple App Store and ensure that devices with a jailbreak are blocked from accessing corporate email. Which two policies should they combine?

33

A company uses Microsoft Defender for Endpoint to manage endpoint security. They observe that some devices are not reporting vulnerability data to Microsoft Defender XDR. Which component is most likely misconfigured?

34

An organization wants to enforce encryption on all Windows 10/11 devices using Intune. Which policy type should they use?

35

A company uses Intune to manage macOS devices. They need to deploy a custom configuration profile that enforces FileVault encryption. What is the recommended approach?

36

Your organization uses Windows Defender Application Control (WDAC) to allow only approved apps. After deploying a WDAC policy via Intune, some users report that a critical line-of-business app is blocked. How should you troubleshoot?

37

A company wants to prevent users from copying corporate data from managed Microsoft 365 apps to personal apps on iOS devices. What should they configure?

38

Contoso uses Microsoft Defender for Endpoint on Windows servers. They need to ensure that antivirus definitions are always up-to-date even if the server is disconnected from the internet for extended periods. What should they configure?

39

Your organization uses Microsoft Intune to manage Windows 11 devices. You notice that some devices are not receiving security updates even though update rings are assigned. What is the most likely cause?

40

Which TWO actions should you take to ensure that only healthy Windows 10/11 devices can access Microsoft 365 services? (Choose two.)

41

Which THREE components are essential for a Microsoft Defender for Endpoint deployment on Windows 10 devices? (Choose three.)

42

Which TWO methods can you use to deploy Microsoft Defender for Endpoint on Windows Server 2019? (Choose two.)

43

Refer to the exhibit. The Intune device compliance policy shown is assigned to a group of Windows 10 devices. A user reports that their device is marked as noncompliant. The device has a password set, BitLocker enabled, Secure Boot on, and code integrity (HVCI) enabled. What is the most likely reason?

44

Refer to the exhibit. A PowerShell script is used to check the encryption compliance state of Windows devices managed by Intune. Some devices return a State of 'notApplicable' for the Encryption setting. What does this indicate?

45

Refer to the exhibit. A KQL query in Microsoft Defender XDR returns no results for PC001 and PC002 even though you know there have been antivirus detections on those devices. What is the most likely reason?

46

You are the endpoint administrator for Contoso, a company with 5,000 Windows 11 devices managed by Microsoft Intune. The company uses Microsoft Defender for Endpoint (MDE) for endpoint detection and response. You need to implement a solution that ensures all devices have the latest Windows security updates installed within 7 days of release. Additionally, you must ensure that if a device misses two consecutive update cycles, it is automatically blocked from accessing corporate resources until it is updated. You have the following requirements: 1. Use Intune update rings to control update deployment. 2. Use MDE vulnerability management to identify missing updates. 3. Device compliance policies should check for missing updates and mark devices noncompliant. 4. Conditional Access should block noncompliant devices. Which combination of actions should you take?

47

You configure Windows Update for Business policies in Intune. Users report that updates are not installing during configured active hours. You verify that the policy is applied. What is the most likely cause?

48

Your organization uses Microsoft Defender for Endpoint (now part of Microsoft Defender XDR). You need to ensure that when a device is offboarding, all collected forensic data is deleted from Microsoft 365. What should you do?

49

Your company uses Microsoft Intune to manage Windows 11 devices. You need to deploy a configuration that requires users to use Windows Hello for Business (WHfB) and prohibits the use of FIDO2 security keys. Which CSP and value should you configure?

50

A user reports that their iOS device is not receiving email on their work account. The device is enrolled in Intune. You verify that the Exchange ActiveSync profile is assigned correctly. What should you check next?

51

You manage Windows 10 devices with Intune. You need to ensure that only approved apps can run on corporate devices. You configure AppLocker via a custom OMA-URI. However, users can still run unapproved apps. What is the most likely reason?

52

Your organization uses Microsoft Defender for Cloud Apps (part of Microsoft Defender XDR). You need to detect when users access cloud apps from unauthorized locations. Which log source should you integrate to get location information?

53

You need to configure BitLocker encryption for Windows 10 devices managed by Intune. You create a device configuration profile for endpoint protection. After assigning, devices show 'BitLocker not enabled' in the Intune console. What is the most likely cause?

54

Your company uses Microsoft Intune to manage Android Enterprise devices. You need to ensure that work apps are sandboxed from personal apps. Which enrollment type should you use?

55

You manage devices with Microsoft Intune. You need to implement a conditional launch policy for Microsoft Defender for Endpoint that requires the device to have a minimum version of the sensor (10.8049.22439.1043) and a healthy signal. Which JSON policy should you deploy?

56

Your organization uses Microsoft Intune to manage mobile devices. You need to configure compliance policies that trigger conditional access. Which TWO conditions can be used in a device compliance policy?

57

You deploy a Windows Update for Business policy in Intune. You need to ensure that devices install quality updates within 2 days of release and feature updates within 30 days. Which THREE settings should you configure?

58

You need to configure Microsoft Defender for Endpoint on macOS devices. Which THREE components must be installed?

59

A user reports that their Windows 11 device cannot install a required line-of-business (LOB) app from Company Portal. The app is assigned to the user and shows as 'Available' in Intune. The device is compliant and managed. What is the most likely cause?

60

Your organization uses Microsoft Intune to manage Windows 10 devices. You need to ensure that devices automatically install critical updates from Windows Update for Business within 3 days of release. Which configuration should you use?

61

A company uses Microsoft Defender for Endpoint. They want to automatically remediate threats on endpoints using automated investigation and response. They also need to ensure that the remediation actions are approved by the security team before execution. Which configuration should they use?

62

Your organization uses Microsoft Intune to manage iOS/iPadOS devices. You need to ensure that users cannot remove the Company Portal app from their devices. Which configuration should you apply?

63

A user has a Windows 10 device that is managed by Intune. The device is compliant but the user reports that they cannot access corporate email on their device. The email profile is deployed via Intune. Other users can access email successfully. What should you check first?

64

Your organization uses Microsoft Intune to manage Windows 10 devices. You need to enforce BitLocker encryption on all devices. Some devices are not encrypting. You check the BitLocker policy and it is assigned correctly. What is the most likely reason?

65

Your organization uses Microsoft Intune to manage Android Enterprise devices. You need to ensure that corporate data is separated from personal data on the device. Which management approach should you use?

66

A user has a Windows 11 device that is enrolled in Intune. The device is compliant, but the user cannot install apps from the Company Portal. The Company Portal shows 'This app is not available for your device'. The app is assigned to the user and the device meets the minimum requirements. What should you check?

67

Your organization uses Microsoft Defender for Cloud Apps. You need to configure a policy that automatically blocks downloads of sensitive data from SharePoint Online to unmanaged devices. Which policy type should you use?

68

Which TWO actions can you perform using Microsoft Intune to protect devices from malware?

69

Which THREE features are available in Microsoft Intune for managing Windows 10/11 device updates?

70

Which TWO compliance settings can be configured in Microsoft Intune for Android devices?

71

Refer to the exhibit. You deploy this compliance policy to a Windows 11 device running build 10.0.22621.1000. The device has BitLocker enabled, Secure Boot enabled, and code integrity enabled. The device is compliant?

72

Refer to the exhibit. An administrator runs this PowerShell command using the Microsoft Graph PowerShell SDK. The output returns no devices. However, the administrator knows that there are non-compliant Windows devices in Intune. What is the most likely reason?

73

Refer to the exhibit. You deploy this endpoint protection configuration to a Windows 10 device. A user reports that they cannot connect to the device via RDP. What is the most likely cause?

74

You are deploying Windows 10 devices using Autopilot. You need to ensure that during the out-of-box experience (OOBE), users are blocked from bypassing the sign-in screen by clicking 'Skip for now'. Which setting should you configure in the Enrollment Status Page (ESP) profile?

75

You manage Windows 10 devices with Microsoft Intune. A user reports that a device has a red shield icon in the Windows Security Center, indicating tamper protection is off. You need to re-enable tamper protection on the device using Intune. Which profile type should you configure?

76

Your organization uses Microsoft Defender for Endpoint (MDE) and Microsoft Intune. You need to create a device group that dynamically includes all devices with a threat level of 'High' from MDE. You then plan to apply a compliance policy to force those devices to be non-compliant. Which method should you use to create the dynamic group?

77

You have devices enrolled in Microsoft Intune. You need to configure a policy that requires a PIN of at least 6 characters for accessing Microsoft Entra ID resources. Which policy type should you configure?

78

Your organization uses Windows Autopilot and Microsoft Intune. You need to ensure that during the Autopilot deployment, the device automatically installs a set of required applications (Microsoft 365 Apps, company portal, and a line-of-business app) before the user can access the desktop. Which configuration should you use?

79

You have an Intune-managed device that is not receiving compliance policies. You check the Intune console and see the device status is 'Pending'. The device is connected to the internet and can sync. What is the most likely cause?

80

You need to ensure that Windows 10 devices automatically receive Microsoft Defender antivirus definition updates from Microsoft. Which update channel should you configure in the endpoint protection profile?

81

You have a Windows 10 device that is managed by Intune and enrolled in Microsoft Defender for Endpoint. The device is reporting a high number of false positive detections from Microsoft Defender Antivirus. You need to configure an exclusion for a specific folder path to reduce false positives. Where should you configure the exclusion?

82

Your organization uses Microsoft Intune to manage iOS/iPadOS devices. You need to enforce that all devices use a 6-digit passcode and that the device automatically wipes after 10 failed attempts. Which profile type should you configure?

83

You are planning a Windows 10 deployment using Windows Autopilot. You need to ensure that devices are automatically enrolled in Intune during the out-of-box experience. Which two prerequisites must be met? (Choose two.)

84

You have a Microsoft Intune environment with devices running Windows 10 and 11. You need to configure a policy that enforces BitLocker drive encryption with a TPM protector and stores recovery key in Microsoft Entra ID. Which three settings must you configure in the endpoint protection profile? (Choose three.)

85

You are configuring Microsoft Defender for Endpoint for your organization. You need to ensure that devices are onboarded to the service. Which two methods can you use to onboard Windows 10 devices? (Choose two.)

86

You are reviewing an Intune endpoint protection profile for Windows 10. The exhibit shows a JSON snippet of the configuration. A user reports that a device detected malware with moderate severity, but the action taken was 'quarantine'. However, the desired action is 'clean'. Which setting should you modify?

87

You are troubleshooting a Windows 10 device that is showing as non-compliant in Intune. The exhibit shows the PowerShell output from the Microsoft Graph API. Based on the output, what is the most likely reason for the non-compliance?

88

You are reviewing a custom device configuration profile in Intune. The exhibit shows an OMA-URI setting. What is the purpose of this setting?

89

You need to ensure that devices enrolled in Microsoft Intune automatically receive Windows quality updates as soon as they are released. Which update ring setting should you configure?

90

A user reports that their Windows 11 device cannot access corporate resources after a recent update. The device is enrolled in Intune. You check the device compliance status and find it is marked as non-compliant. Which two actions should you take?

91

Your organization uses Microsoft Defender for Endpoint (now part of Defender XDR) and Intune. You need to create a device compliance policy that triggers automatic remediation when a device has a 'Medium' severity alert from Defender. Which setting should you configure?

92

You need to deploy a Microsoft 365 Apps for enterprise configuration to devices managed by Intune. Which policy type should you use?

93

You manage Windows 10 devices with Intune. After deploying a new compliance policy requiring BitLocker, many devices show as non-compliant. You verify that BitLocker is enabled on the system drive. What is the most likely cause?

94

Refer to the exhibit. You deploy this compliance policy to Windows 10 devices. A device reports as compliant, but you suspect it may have a weak password policy because the password type is 'deviceDefault'. What is the effect of 'deviceDefault' on the password requirement?

95

Your organization uses Microsoft Intune to manage iOS devices. You need to ensure that corporate data in Microsoft Outlook is protected even if the device is not enrolled in MDM. Which policy should you deploy?

96

You have a hybrid Microsoft Entra ID joined Windows 10 device that is co-managed with Configuration Manager and Intune. You want Intune to manage Windows Update for Business settings. Which slider setting should you configure in Configuration Manager?

97

You configure a Windows 10 device compliance policy in Intune that requires 'Firewall' to be enabled. The device has Windows Defender Firewall enabled, but the device reports as non-compliant. You verify that the firewall is active. What is the most likely cause?

98

Which TWO settings can be configured in a Windows 10 device restriction profile in Intune to enhance security?

99

Which THREE actions can you perform from the Microsoft Intune admin center to remediate a non-compliant Windows device?

100

Which TWO conditions in a Conditional Access policy can be used to enforce device compliance for access to Microsoft 365 services?

101

Refer to the exhibit. You deploy this custom OMA-URI policy to Windows 10 devices. What is the expected outcome?

102

Refer to the exhibit. You run a PowerShell command to check the assignment status of device configuration profiles. The 'BitLocker Policy' shows 'Pending'. What does 'Pending' indicate?

103

Refer to the exhibit. You run this KQL query in Microsoft Defender XDR to investigate a device. The result shows RiskScore = 0. What does this indicate about the device?

104

A user reports that their Windows 10 device is not receiving compliance policies from Microsoft Intune. The device shows as 'Not evaluated' in the Microsoft Intune admin center. Which of the following is the most likely cause?

105

Your organization uses Microsoft Intune to manage Windows 11 devices. You need to ensure that only devices with a Trusted Platform Module (TPM) version 2.0 and Secure Boot enabled can access corporate email. What should you configure?

106

A company uses Microsoft Intune to manage iOS devices. Users report that they cannot install the required Microsoft Defender for Endpoint app from the Company Portal. The app shows as 'Not available' in the Company Portal. Which of the following is the most likely reason?

107

Your organization wants to deploy Windows Update for Business policies using Microsoft Intune to Windows 10 devices. Which policy type should you use?

108

A user's Android device is enrolled in Microsoft Intune. The device reports as 'Compliant' but the user cannot access corporate resources that require compliant devices. The conditional access policy is configured to require a compliant device. What is the most likely cause?

109

Your organization uses Microsoft Defender for Endpoint (MDE) and Microsoft Intune. You want to automatically remediate devices that are found to be missing critical security updates during a vulnerability assessment. What should you configure?

110

You need to ensure that only authorized users can enroll devices in Microsoft Intune. Which setting should you configure?

111

Your organization uses Microsoft Intune to manage Windows 11 devices. You need to deploy a custom PowerShell script that runs during enrollment to configure network settings. What should you use?

112

Your organization uses Microsoft Intune with co-management and Configuration Manager. Some Windows 10 devices are enrolled in Intune but also managed by Configuration Manager. You need to ensure that the Intune compliance policy is evaluated and enforced on these devices. What should you configure?

113

Which TWO of the following are valid enrollment methods for Windows 10 devices in Microsoft Intune?

114

Which THREE of the following are features of Microsoft Defender for Endpoint that help protect devices?

115

Which TWO of the following are required to configure Windows Hello for Business using Microsoft Intune?

116

Refer to the exhibit. A Windows 10 device is enrolled in Intune and has the above compliance policy assigned. The device reports as non-compliant. The device has TPM version 2.0, Secure Boot enabled, and a password of 8 characters. Which of the following is the most likely reason for non-compliance?

117

Refer to the exhibit. A Windows 10 device shows a compliance state of 'noncompliant'. The last sync was 2 hours ago. The device is managed by Intune (mdm). You have verified that the assigned compliance policy requires a device threat level of 'high' from Microsoft Defender for Endpoint. Which of the following is the most likely cause of non-compliance?

118

Refer to the exhibit. You have assigned the above compliance policy to a Windows 10 device group. A user reports that their device is non-compliant even though BitLocker is enabled on the system drive. Which of the following is the most likely reason?

119

Your organization uses Microsoft Intune to manage Windows 11 devices. You need to configure a device compliance policy that requires devices to run Windows version 22H2 or later. When you create the policy, which option must you select for the OS version requirement?

120

Your company deploys Microsoft Defender for Endpoint (Defender XDR) to all Windows devices. You need to create a custom detection rule that triggers an alert when a specific PowerShell script is executed on any device. Which action should you take in the Microsoft 365 Defender portal?

121

You manage devices with Microsoft Intune. You need to deploy a Windows 10 feature update to a pilot group of devices. Which profile type should you use?

122

Your organization uses Microsoft Intune to manage iOS/iPadOS devices. You need to ensure that all devices have a passcode of at least 6 characters and that devices are updated to the latest iOS version. You create a compliance policy. After assigning the policy, some devices are marked as non-compliant even though they have a passcode. What is the most likely cause?

123

Your company uses Microsoft Intune for device management. You need to configure a Windows 10 device restriction policy that blocks the use of the camera and microphone on all devices. Which settings should you configure?

124

You need to enroll a Windows 11 device into Microsoft Intune using a work or school account. The device is already joined to Microsoft Entra ID. What is the simplest enrollment method?

125

Your organization uses Microsoft Intune to manage Android Enterprise devices. You need to deploy a managed Google Play app to work profile devices. After deploying, users report that the app is not available in the work profile. What is the most likely cause?

126

Your company uses Microsoft Defender for Endpoint (Defender XDR). You need to configure an automated investigation and remediation (AIR) rule that automatically quarantines a file when a specific alert is triggered. Which action should you take?

127

You need to ensure that only approved iOS apps can be installed on company-owned devices. Which Intune feature should you use?

128

Your organization uses Microsoft Intune to manage Windows devices. You need to deploy a PowerShell script that runs in the user context during device enrollment. Which two conditions must be met? (Select TWO.)

129

Your company uses Microsoft Defender for Cloud Apps (Microsoft 365 Defender). You need to create a session policy that monitors and controls access to a specific cloud app. Which three components must you configure? (Select THREE.)

130

You are configuring Microsoft Intune for Windows 10 devices. Which two settings can you enforce using a device restrictions profile? (Select TWO.)

131

You review the compliance policy JSON for Windows 10 devices. A device running Windows 10 version 22H2 (build 22621.0) with a numeric-only password of 10 characters, BitLocker enabled, firewall enabled, and Microsoft Defender running reports as non-compliant. What is the most likely reason?

132

You are the endpoint administrator for Contoso Ltd., a global company with 5,000 Windows 11 devices managed by Microsoft Intune. The company has a strict security policy requiring that all devices must have BitLocker Drive Encryption enabled on the operating system drive. Additionally, devices must be compliant with the policy to access corporate resources via Conditional Access. Recently, an audit revealed that 200 devices are non-compliant because BitLocker is not enabled. You investigate and find that these devices are all personal devices enrolled as 'Windows bring your own device' (BYOD). The BitLocker policy is configured as a device configuration profile targeting 'All Devices'. The compliance policy requires 'Storage encryption' to be enabled. You need to resolve the non-compliance for these BYOD devices. What should you do?

133

Your organization, Fabrikam, uses Microsoft Intune to manage iOS/iPadOS and Android devices. You need to implement a solution that ensures company email can only be accessed from the Outlook mobile app, and that data from the Outlook app cannot be copied to personal apps. You also need to ensure that when a user leaves the company, the corporate data in Outlook is removed without affecting personal data. You plan to use app protection policies (MAM). The devices are not enrolled in Intune (unmanaged). You configure the app protection policies for Outlook on iOS and Android. However, users report that they can still copy email content to personal apps. What should you check?

134

A company uses Microsoft Intune to manage Windows 10 devices. Users report that after a recent update, the Start menu layout is not enforced. The administrator verified the policy is assigned to the correct device groups. What should the administrator check next?

135

An organization uses Microsoft Defender for Endpoint (MDE) with Microsoft Intune for device management. The security team wants to automatically remediate risks detected by MDE on Windows devices. Which Intune feature should be used to trigger remediation actions based on MDE alerts?

136

An IT administrator needs to ensure that iOS devices enrolled in Intune require a PIN of at least 6 digits. Where should the administrator configure this setting?

137

A company uses Intune to manage Android Enterprise devices. The administrator deployed a compliance policy that requires encryption and a minimum OS version. Some devices are not showing as compliant even though they meet the requirements. The administrator suspects a time delay. What is the default compliance check interval for Android Enterprise devices in Intune?

138

Refer to the exhibit. An Intune administrator finds this configuration on a Windows 10 device. What is the purpose of this setting?

139

An administrator needs to ensure that only devices with a specific manufacturer are allowed to enroll in Intune. Which setting should the administrator configure?

140

A hospital uses Intune to manage Windows 10 devices used by doctors. The devices should automatically install critical updates from Windows Update for Business. Which type of policy should the administrator create?

141

An organization uses Microsoft Defender for Cloud Apps to monitor cloud app usage. The security team wants to automatically apply an Intune app protection policy (APP) when a user accesses a risky app from an unmanaged device. What should the administrator use?

142

A company wants to prevent corporate data from being copied from managed apps to personal apps on iOS devices. Which Intune policy should the administrator configure?

143

An Intune administrator needs to ensure that Windows 10 devices are compliant with security requirements. Which TWO options are valid compliance settings for Windows 10?

144

A company uses Intune to manage Android Enterprise devices. The administrator wants to deploy a set of required apps silently to fully managed devices. Which THREE steps are necessary?

145

An organization uses Microsoft Defender for Endpoint to detect threats on Windows devices. The security team wants Intune to automatically increase the device's risk score when a threat is detected. Which TWO components are required?

146

Your organization has 5,000 Windows 10 devices managed by Microsoft Intune. You are implementing a new security policy that requires all devices to have BitLocker enabled with TPM validation. You create a device configuration profile for BitLocker and assign it to all devices. After two days, you notice that only 3,200 devices are compliant with the BitLocker policy. The remaining devices show 'Not applicable' for the setting. You verify that all devices are Windows 10 Pro or Enterprise and have TPM 2.0. What is the most likely cause of the 'Not applicable' status?

147

Your company uses Intune to manage iOS devices. You need to deploy a new app that is available in the Apple App Store. You create an iOS store app in Intune and assign it as 'Required' to a group of users. After 24 hours, some users report that the app is not installed. You verify that the app is available in the App Store and that the devices are online. The devices are supervised and enrolled via Apple Business Manager. What should you do first to troubleshoot the issue?

148

Your organization uses Microsoft Intune to manage Windows 10 devices. You need to ensure that devices are compliant with a new security policy that requires Windows Defender Antivirus to be enabled and up-to-date. You create a device compliance policy with the setting 'Require' for Windows Defender Antivirus. After assigning the policy, you see that 90% of devices are compliant. The remaining 10% show 'Not evaluated'. You check the devices and find that they are online, enrolled, and have Windows Defender Antivirus enabled. What is the most likely reason for the 'Not evaluated' status?

149

Your organization uses Microsoft Entra ID joined devices and Microsoft Intune for mobile device management. A user reports that their device is not receiving compliance policies. The device shows as 'Compliant' in Intune but the Conditional Access policy still blocks access. What should you verify first?

150

Which TWO actions should you take to ensure that devices are automatically enrolled in Microsoft Intune when users sign in with a work account on Windows 10/11?

151

Which THREE conditions can be used in a Conditional Access policy to require a compliant device?

152

Refer to the exhibit. The JSON shows a compliance policy for Windows 10 devices. Devices that do not meet the policy are marked as non-compliant. Which diagnostic step would you take to identify why a specific device is non-compliant despite having BitLocker enabled?

153

Your company has 500 Windows 10 devices that are Hybrid Azure AD joined and managed by Microsoft Intune. You need to deploy a new line-of-business (LOB) app to all devices. The app is packaged as a .msi file. You create a new app in Intune and assign it to a device group containing all devices. After 24 hours, some devices report the app as 'Installed' but others show 'Failed'. You verify that the devices are online and have network connectivity. What should you do next to resolve the installation failures?

154

Your organization uses Microsoft Intune to manage iOS and Android devices. You have a compliance policy that requires a minimum OS version: iOS 16.0 and Android 12.0. You also have a Conditional Access policy that requires compliant devices. Several users report that they cannot access corporate email on their personal Android devices. The devices are Android 11.0. You need to allow these users to access email while ensuring that corporate data is protected. What should you do?

155

Your company uses Microsoft Intune to manage 1,000 Windows 10 devices. You need to deploy a security baseline that includes BitLocker encryption, Windows Defender Antivirus settings, and firewall rules. You create a security baseline policy in Intune and assign it to a group containing all devices. After 48 hours, you notice that only 800 devices have applied the baseline. The remaining 200 devices show 'Pending' status. These devices are online and have network connectivity. What is the most likely cause and solution?

156

Your organization uses Microsoft Intune to manage devices. You need to configure a policy that prevents users from disabling the camera on their corporate iOS devices. You create a device restrictions profile and set the 'Enable camera' setting to 'No'. You assign the profile to a group containing all iOS devices. After 24 hours, users report that the camera is still functional. What should you check first?

157

Your company uses Microsoft Intune to manage Windows 10 devices. You have a compliance policy that requires devices to have a minimum of 4GB RAM and 64GB disk space. Several devices are marked non-compliant due to disk space. You check the devices and find they have 60GB free. The compliance policy checks total disk capacity, not free space. You need to allow these devices to be compliant. What should you do?

158

Your organization uses Microsoft Intune to manage devices. You have a Windows 10 device that is Azure AD joined and enrolled in Intune. The device is compliant, but the user cannot access corporate resources due to a Conditional Access policy requiring a compliant device. The user can access other cloud apps that do not require compliance. You check the Conditional Access policy and find it is configured correctly. What is the most likely issue?

159

Your organization uses Microsoft Intune to manage Android devices. You need to ensure that corporate data on these devices is protected in case the device is lost or stolen. You configure a compliance policy that requires device encryption and a device lock screen. However, you also want to be able to selectively wipe corporate data without wiping personal data. What should you do?

160

Your company uses Microsoft Intune to manage Windows 10 devices. You need to deploy a custom Windows 10 update ring that delays feature updates by 60 days and quality updates by 14 days. You create the update ring and assign it to a device group. After a week, you notice that devices are not receiving the quality updates as expected. What should you verify first?

161

Your organization uses Microsoft Intune to manage devices. You have a Windows 10 device that is co-managed with Configuration Manager. You need to configure a policy that requires BitLocker encryption. You create a BitLocker policy in Intune and assign it to the device. After 24 hours, BitLocker is not enabled on the device. You verify that the device is online and the policy is assigned. What is the most likely cause?

162

Your company uses Microsoft Intune to manage iOS devices. You have an app protection policy that requires a PIN to access corporate data. Users report that they can access corporate data without entering a PIN after the first time. You want to ensure that the PIN is required every time the app is opened. What should you configure?

163

Your organization uses Microsoft Intune to manage Windows 10 devices. You need to ensure that all devices have Windows Defender Antivirus enabled and up to date. You create a security baseline that includes antivirus settings and assign it to all devices. After a week, you find that some devices still have outdated antivirus definitions. What should you check first?

Practice all 163 Protect devices questions

Other MD-102 exam domains

Prepare infrastructure for devicesManage and maintain devicesManage applicationsDeploy Windows clientManage identity and complianceManage, maintain, and protect devices

Frequently asked questions

What does the Protect devices domain cover on the MD-102 exam?

The Protect devices domain covers the key concepts tested in this area of the MD-102 exam blueprint published by Microsoft. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all MD-102 domains — no account required.

How many Protect devices questions are in the MD-102 question bank?

The Courseiva MD-102 question bank contains 163 questions in the Protect devices domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Protect devices for MD-102?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Protect devices questions for MD-102?

Yes — the session launcher on this page draws questions exclusively from the Protect devices domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.

Free forever · No credit card required

Track your MD-102 domain progress

Save your results, see per-domain analytics, and get readiness scores — free, for every certification.

Sign Up Free

Free forever · Every certification included

Practice Session

10 questions20 questions30 questions50 questions

Study Resources

All DomainsPractice TestMock ExamFlashcardsStudy Guide