Microsoft · Free Practice Questions · Last reviewed May 2026
42 real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right — and why the others are wrong.
Your organization has Windows 11 devices used by remote employees. You need to ensure that only devices compliant with your security policies can access corporate email via Microsoft Outlook for Windows. What should you configure?
Set up a device compliance policy in Microsoft Purview to block non-compliant devices.
Create a Conditional Access policy in Microsoft Entra ID that requires device compliance, and assign the policy to the cloud app 'Office 365 Exchange Online'.
This correctly combines Intune compliance with Entra ID Conditional Access to block non-compliant devices.
Configure a device filter in Exchange Online to block devices that are not managed by Intune.
Deploy an email security policy via Intune to block access from non-compliant devices.
You are deploying Windows 10 to 500 new devices using a task sequence in Microsoft Configuration Manager. The devices need to be joined to Microsoft Entra ID and enrolled in Intune automatically during OSD. Which method should you use?
Add a 'Provision Microsoft Entra ID' step in the task sequence, using a bulk token generated from Microsoft Entra ID.
This step allows Entra ID join and automatic Intune enrollment during OSD.
Use a provisioning package (PPKG) with bulk enrollment token, applied during the task sequence.
Set a Group Policy that enables automatic MDM enrollment using a discovered AAD token.
Configure Windows Autopilot for existing devices and redeploy them.
Your company is deploying Windows 11 devices using Windows Autopilot. You need to ensure that during the first boot, the device automatically joins Microsoft Entra ID, enrolls in Intune, and installs required applications. What should you provide to the device?
The device's hardware hash, uploaded to Intune, and an Autopilot deployment profile assigned.
Autopilot requires the hardware hash to identify the device and the profile to define the deployment settings.
The Configuration Manager client and a site code for automatic site assignment.
A provisioning package containing the MDM enrollment settings.
A Group Policy Object that configures automatic MDM enrollment.
You need to configure device compliance for devices that are not running Windows. The devices include iOS, iPadOS, Android, and macOS. Which compliance settings are common across all platforms?
Require a device password and do not allow simple passwords.
Require minimum OS version.
All platforms support a minimum OS version compliance rule.
Device must not be jailbroken/rooted.
Require BitLocker encryption.
Your organization uses Microsoft Intune to manage devices. You have a compliance policy that requires devices to have a password of at least 6 characters. Some users report that their devices are marked as non-compliant even though they have a password set. What is the most likely cause?
The password length setting is set to '6' but the device requires a minimum of 8.
The compliance policy is assigned to device groups, but the devices are user-enrolled.
The compliance policy is assigned to a user group that does not include the affected users.
If the policy is not assigned to the user or device group containing the users, they won't receive the policy and may be non-compliant by default.
The device uses a PIN instead of a password, which is not evaluated.
You need to deploy a line-of-business (LOB) app to 100 Windows 10 devices managed by Intune. The app is packaged as an .msi file. Which app type should you choose in Intune?
Windows app (Win32)
Line-of-business app
Intune supports .msi as a line-of-business app.
Web link
Microsoft Store app
Your organization manages Windows 10 and 11 devices using Microsoft Intune. Users report that after a recent update, the Microsoft Store for Business app 'Company Portal' fails to launch. You verify that the app is assigned as required to all devices. What should you do first to resolve the issue?
Enable automatic updates for Company Portal in Intune.
Uninstall and reinstall Company Portal from all devices.
Trigger a device sync from the Microsoft Intune admin center.
Forces the device to check in and receive the latest app assignment and configuration.
Run Windows Update troubleshooter on affected devices.
You are designing a Windows 365 Cloud PC provisioning policy. The requirement is that when a user is assigned a Cloud PC, it must automatically have Microsoft Defender for Endpoint configured with real-time protection enabled and a custom firewall rule allowing only specific IPs. Which approach should you use?
Create an Intune device configuration profile using the Settings Catalog and assign it to the Azure AD group containing Cloud PC users.
Settings Catalog allows granular configuration of Defender and firewall settings.
Include the settings in the Windows 365 provisioning policy.
Create a PowerShell script that runs during provisioning and apply it via Azure Automation.
Use a Group Policy Object (GPO) applied via on-premises AD.
A user's iOS device is enrolled in Microsoft Intune and is compliant. However, the user cannot access corporate email in the Outlook mobile app. The app displays an error that the device is not compliant. What is the most likely cause?
The user's Intune license has expired.
The Outlook app is not installed on the device.
A compliance policy was updated requiring a newer OS version or additional security settings.
Updated policies can cause previously compliant devices to become non-compliant.
The device is not enrolled in Intune.
Your organization uses Microsoft Intune to manage Windows devices. You need to deploy a custom Line-of-Business (LOB) app that is signed with a certificate not trusted by the devices. The app must be available to users in the Company Portal. What should you do?
Upload the app to Microsoft Store for Business and assign it as offline.
Enable side-loading of apps on the target devices using Group Policy.
Upload the app as a LOB app in Intune and assign it to the target group.
Intune LOB deployment does not require the device to trust the signing certificate; Intune handles trust.
Convert the app to a .appx package and sign it with a trusted certificate.
You need to ensure that Windows 10 devices in your organization receive the latest quality updates within 7 days of release. You configure a Windows Update for Business policy in Intune with a deferral period of 7 days. After two weeks, some devices have not installed the updates. What is the most likely reason?
The devices are configured to receive updates from WSUS instead of Windows Update.
The deferral period is too short; Microsoft recommends 14 days.
The policy is configured to apply only to devices in a specific Azure AD group.
Devices have not synced with Intune to receive the updated policy.
Devices must sync to get the policy; if they miss sync, updates are not enforced.
You are troubleshooting a Windows 11 device that cannot connect to the corporate Wi-Fi network. The device is enrolled in Intune and has a Wi-Fi profile assigned. The profile uses SCEP certificate authentication. The user can connect to other Wi-Fi networks. What is the most likely cause?
The user's password has expired.
The root CA certificate required to validate the RADIUS server certificate is not installed on the device.
Without the root CA, the device cannot trust the server's certificate, causing authentication failure.
The Wi-Fi profile is not assigned to the user's device.
The device's Wi-Fi adapter driver is outdated.
A company uses Microsoft Intune to manage iOS and Android devices. Users report that some line-of-business (LOB) apps fail to install with error '0x87D1041C'. The apps are signed and deployed as device-required installs. What is the most likely cause?
The user is not assigned to the app deployment.
The app is not compliant with the device's OS version.
The device does not have the required app configuration policy.
The app is signed with a different certificate than the one uploaded to Intune.
This error specifically indicates a certificate mismatch.
An organization uses Microsoft Intune for Windows 10 device management. They need to deploy a custom Windows app (.exe) to kiosk devices. The app requires admin privileges to install, and the devices are shared. Which deployment method should be used?
Use a Win32 app with install context set to 'system'.
Win32 apps support system context installation, enabling admin-level installs on shared devices.
Assign the app as 'available' for user-install.
Deploy as a line-of-business app with device context.
Package as a Microsoft Store for Business app.
You manage a fleet of Android Enterprise devices. You need to ensure that only approved apps from the managed Play Store can be installed. What configuration should you enable?
Set the device to 'Fully managed' and disable unknown sources.
Deploy an app configuration policy that blocks sideloading.
Configure a device restriction policy to allow only managed Google Play apps.
This policy enforces that only apps from the managed Play Store can be installed.
Use a compliance policy to block non-compliant apps.
A company uses Microsoft Intune to manage Windows 10 devices. They deployed a Win32 app as 'required' but some devices show 'pending install'. The app is configured with a detection rule that checks for a registry key. What should you check first?
Increase the app installation timeout.
Ensure the device has connectivity to Intune.
Reassign the app to a different security group.
Check if the detection rule is incorrectly marking the app as installed.
A pre-existing registry key can cause Intune to skip installation, resulting in 'pending install'.
You need to deploy a Microsoft 365 Apps for enterprise suite to Windows 10 devices using Intune. Users are unlicensed. How should you proceed?
Deploy the suite as 'available' from Company Portal.
Use the built-in Microsoft 365 Apps (Office) app type in Intune.
Assign the Office 365 E3 license to all users.
Create a Win32 app package for Microsoft 365 Apps and deploy it.
Win32 packaging allows you to include a volume license key or use shared activation for unlicensed users.
Which TWO methods can you use to deploy a custom Windows app that is not available in the Microsoft Store to multiple devices managed by Intune?
Line-of-business app
LOB apps support .msi and .intunewin for Windows.
Win32 app management
Win32 apps support .exe, .msi, and scripts.
Microsoft Store for Business app
Web app
Built-in app
A user reports that their Windows 11 device is not receiving compliance policies from Microsoft Intune. The device shows as 'Not evaluated' in the Microsoft Intune admin center. Which step should you take first to resolve the issue?
Disconnect the device from Microsoft Entra ID and rejoin.
On the device, go to Settings > Accounts > Access work or school, select the account, and click Sync.
Forcing a sync triggers a policy evaluation.
Delete and recreate the compliance policy in Microsoft Intune.
Re-enroll the device in Microsoft Intune.
Your company uses Microsoft Intune to manage iOS devices. You need to ensure that corporate data in Microsoft 365 apps is protected even if a device is compromised. Which App Protection Policy setting should you configure?
Configure device compliance policy to require jailbreak detection.
Configure App Protection Policy with 'Restrict cut, copy, and paste' and 'Allow app to transfer data to other apps' set to Policy managed apps.
This restricts data transfer to managed apps only.
Configure device configuration profile to require device PIN.
Configure App Protection Policy to require app PIN.
You are implementing Microsoft Defender for Endpoint on Windows Server devices managed by Microsoft Intune. After onboarding, the devices show as 'Inactive' in the Microsoft Defender XDR portal. Which action should you take?
Modify the Windows Security app configuration policy to enable real-time protection.
Restart the Microsoft Defender for Endpoint service on the devices.
Restarting the service can re-establish communication.
Re-run the onboarding script on the devices.
Uninstall and reinstall the Microsoft Defender for Endpoint agent.
Your organization uses Microsoft Entra ID joined devices with Windows 10. You need to ensure that only compliant devices can access corporate email in Microsoft Outlook for Windows. Which integration should you enable?
Create a Conditional Access policy in Microsoft Entra ID requiring compliant devices for Exchange Online.
Conditional Access integrates with Intune compliance to block non-compliant devices.
Enable App Protection Policies for Outlook for Windows.
Require all devices to be enrolled in Intune before accessing email.
Configure a compliance policy in Intune to mark devices as non-compliant if not updated.
You manage Android Enterprise devices with work profiles. A user reports that corporate apps are not appearing in the work profile after enrollment. The device shows as enrolled in Microsoft Intune. What is the most likely cause?
The device is not connected to the internet.
The device is not compliant with corporate policies.
The work profile was not created or was removed on the device.
Without a work profile, corporate apps have no container to install into.
The corporate apps are not assigned to the user.
Your organization uses Windows Autopilot for device deployment. After a device completes the user-driven deployment, it appears in Microsoft Entra ID as 'Azure AD registered' instead of 'Azure AD joined'. What should you modify to ensure the device is joined?
Modify the Autopilot deployment profile to set 'Join to Azure AD as' to 'Azure AD joined'.
This setting controls whether the device is joined or registered.
Add the device to a hybrid Azure AD join profile.
Modify the Autopilot deployment profile to set 'Join to Azure AD as' to 'Azure AD registered'.
Modify the enrollment restrictions to block personally owned devices.
A company plans to deploy Windows 11 to 500 new devices using Microsoft Deployment Toolkit (MDT). The devices have various hardware configurations. The deployment must include language packs and regional settings. Which deployment method should the administrator use to minimize manual intervention?
Create a custom task sequence in MDT that includes language packs and regional settings.
Task sequences automate deployment including language and region.
Use Windows Configuration Designer to create a provisioning package with language settings.
Create a task sequence in Configuration Manager without MDT integration.
Use Windows Autopilot with a custom profile to deploy language packs.
A company uses Configuration Manager to deploy Windows 11. During the deployment, several devices fail with error code 0x80070002. The administrator suspects the issue is related to missing boot images or content distribution. What should the administrator do first to resolve the issue?
Increase the client cache size on the affected devices.
Check the driver packages in the task sequence.
Verify that the boot image and OS image are distributed to all distribution points.
Missing content on the distribution point causes a file-not-found error.
Recreate the task sequence with new OS image.
An organization needs to deploy Windows 11 to remote users who do not have access to the corporate network. The devices are brand new and have internet connectivity. Which deployment method should the administrator recommend?
Use Configuration Manager with a task sequence over VPN.
Use PXE boot from a distribution point at the local office.
Use Windows Autopilot with user-driven mode.
Autopilot enables cloud-based deployment.
Deploy using MDT with a bootable USB drive.
A company uses Configuration Manager to deploy Windows 10 to 2000 devices. After deployment, several devices report that the Start menu layout is not applied. The administrator used a provisioning package to configure Start layout. What is the most likely cause of the issue?
Group Policy settings are overriding the Start layout configuration.
Group Policy can override provisioning package settings.
The devices are not Azure AD joined.
The provisioning package was not signed properly.
The provisioning package was applied after user first logon.
An administrator is deploying Windows 11 using Configuration Manager. The task sequence fails on some devices during the 'Apply Operating System' step with a notice that the image file is not valid. All other devices succeed. What is the most likely cause?
The boot image is not compatible with the device firmware.
The distribution point is out of disk space.
The task sequence variable OSDPackagePath is missing.
The OS image download was corrupted on the client.
Corrupted download causes invalid image error on specific clients.
A company is planning to deploy Windows 11 using Microsoft Deployment Toolkit (MDT). The administrator needs to ensure that the deployment can be fully automated without user interaction. Which TWO settings should be configured in the CustomSettings.ini file?
SkipTaskSequence=YES
Skips task sequence selection.
SkipComputerBackup=YES
SkipBitLocker=YES
SkipDomainMembership=YES
SkipFinalSummary=YES
Suppresses final summary dialog.
A company with 500 users uses Microsoft 365 E3 licenses. They want to ensure that all users have multi-factor authentication (MFA) enforced. Currently, 80% of users have MFA enabled through the legacy per-user MFA setting. The security team wants to use Conditional Access policies instead. You need to migrate from per-user MFA to Conditional Access with no disruption to users. What should you do?
Create a Conditional Access policy requiring MFA for all cloud apps, including break-glass accounts. Then disable per-user MFA.
Create a Conditional Access policy requiring MFA for all users only when accessing from outside the corporate network.
Create a Conditional Access policy requiring MFA for all users, excluding break-glass accounts. Disable per-user MFA for all users.
This ensures MFA is always enforced and provides emergency access via break-glass accounts.
Disable per-user MFA for all users, then create a Conditional Access policy requiring MFA for all cloud apps.
You are an endpoint administrator for a company that uses Microsoft Intune to manage devices. You need to ensure that only compliant devices can access Exchange Online. You have configured a Conditional Access policy that grants access to Exchange Online only if the device is marked as compliant. A user reports that they cannot access email from their iOS device, which is enrolled in Intune and shows as compliant. The user can access other Microsoft 365 services. What is the most likely cause?
The user does not have an Exchange Online license assigned.
The Conditional Access policy is configured to block access from non-corporate networks.
The device compliance policy is not set to require a PIN or password.
The Exchange Online workload is not enabled in Intune for mobile device management.
If the workload is not enabled, Intune cannot enforce compliance for Exchange Online access, causing the block.
A company is implementing Windows Hello for Business and wants to use certificate-based authentication. They have an on-premises Active Directory and are using Azure AD Connect for hybrid identity. Which prerequisites must be met to support certificate-based Windows Hello for Business?
All users must have the Microsoft Authenticator app installed.
Conditional Access policies must be configured to require Windows Hello for Business.
An enterprise certification authority (CA) must be deployed and all devices must be Azure AD joined or hybrid Azure AD joined.
Certificate-based Windows Hello requires a CA and hybrid or Azure AD joined devices.
All users must be configured for passwordless sign-in.
You manage a Microsoft 365 tenant with 10,000 users. You are planning a Conditional Access policy to require MFA for all users. However, you need to ensure that users who have not yet registered for MFA are not blocked. What should you do to handle unregistered users?
Configure the Conditional Access policy in 'Report-only' mode to identify unregistered users.
Enable the Azure AD Identity Protection MFA registration policy to require users to register for MFA within 14 days.
This policy ensures users register before they are required to use MFA, preventing lockout.
Exclude all users who have not registered for MFA from the Conditional Access policy.
Create a separate Conditional Access policy that requires MFA only for users who have not registered for MFA.
A company uses Microsoft Intune to manage Windows 10 devices. They need to ensure that only devices that have a BitLocker encryption status of 'fully encrypted' are allowed to access corporate resources. They create a device compliance policy that requires BitLocker. However, some devices are still accessing resources even though they are not fully encrypted. What should you check?
The devices are running Windows 10 Home edition, which does not support BitLocker.
The compliance policy is not assigned to the user or device groups.
Without assignment, the policy does not apply, and non-compliant devices can still access resources.
The compliance policy is set to 'Report non-compliant' instead of 'Block non-compliant'.
The compliance policy has a grace period configured that allows access for non-compliant devices.
Which TWO of the following are required to implement Azure AD Join for Windows 10 devices in a hybrid environment with on-premises Active Directory?
Active Directory Federation Services (AD FS) deployed.
Windows 10 devices that are domain-joined to the on-premises Active Directory.
Devices must be domain-joined to be hybrid Azure AD joined.
Azure AD Connect with device writeback enabled.
Device writeback is required for hybrid Azure AD join.
Azure AD Premium P1 licenses for all users.
Windows Hello for Business configured for all users.
A company deploys Windows 10 Enterprise devices managed by Microsoft Intune. Users report that after a recent Windows update, the Start menu layout is reset to default on some devices. The company uses a custom Start menu layout XML policy. How should the administrator ensure the custom layout is reapplied automatically after feature updates?
Use a Feature Update policy in Intune to set the 'Start layout XML' setting.
Deploy a provisioning package with the custom layout to all devices via Intune.
Configure the 'Start layout' policy under User Configuration > Administrative Templates > Start Menu and Taskbar to point to the XML file.
The Start layout policy is reapplied during policy refresh, which occurs after feature updates.
Reapply the Start layout policy manually after each feature update.
A company uses Microsoft Intune to manage Windows 10 devices. They have a compliance policy that requires BitLocker to be enabled. Some devices are marked as non-compliant even though BitLocker appears to be on. The administrator runs 'manage-bde -status' on a non-compliant device and sees that the protection status is 'Protection Off'. What is the most likely cause?
The BitLocker key protectors are missing or have been removed.
Without key protectors, BitLocker protection is suspended.
The TPM is not initialized.
The device has a recovery password protector but no TPM protector.
The device uses a different encryption method (e.g., XTS-AES 256 vs AES 128).
A company uses Microsoft Intune to manage devices. They want to ensure that when a device is reported as lost or stolen, the IT admin can remotely wipe the device. Which action should the admin take in the Intune console?
Select the device and choose 'Retire'.
Select the device and choose 'Wipe'.
Wipe performs a factory reset, removing all data.
Select the device and choose 'Reset'.
Select the device and choose 'Delete'.
An organization uses Microsoft Intune to manage Windows 10 devices. They deploy a PowerShell script via Intune to install a custom application. The script runs successfully on some devices but fails on others with error code 0x80070002. What is the most likely cause?
The script execution exceeds the 60-minute timeout.
The user does not have local administrator privileges on the failing devices.
The script references a file path that does not exist on the failing devices.
Error 0x80070002 is 'File not found'.
The PowerShell execution policy is set to Restricted on the failing devices.
A company uses Microsoft Intune to manage iOS devices. They want to enforce a policy that requires a passcode of at least 6 characters and auto-lock after 5 minutes. Which configuration profile type should they use?
Device restrictions profile.
Device restrictions contain security settings like passcode and auto-lock.
Wi-Fi profile.
VPN profile.
Email profile.
A company uses Microsoft Intune to manage Windows 10 devices. They need to deploy a line-of-business (LOB) app that is not available in the Microsoft Store. The app is packaged as an .msi file. Which TWO steps are required to deploy this app via Intune?
Upload the .msi file directly as a Microsoft Store for Business app.
Install the app on a file server and configure a shortcut.
Assign the app to a group of users or devices.
App must be assigned to a target group.
Convert the .msi file to the .intunewin format using the Microsoft Win32 Content Prep Tool.
Intune requires .intunewin for Win32 apps.
Create a PowerShell script to install the app silently.
The MD-102 exam has 50 questions and must be completed in 120 minutes. The passing score is 700/1000.
Endpoint administration scenario questions covering Windows 11, Microsoft Intune, Autopilot, Microsoft Entra join, and device compliance policies.
The exam covers 7 domains: Prepare infrastructure for devices, Manage and maintain devices, Manage applications, Protect devices, Deploy Windows client, Manage identity and compliance, Manage, maintain, and protect devices. Questions are weighted by domain — higher-weight domains appear more on your actual exam.
No. These are original exam-style practice questions written against the official Microsoft MD-102 exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.
Courseiva tracks your accuracy per domain and routes you toward weak areas automatically. Free, no account required.