© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.
Microsoft · Free Practice Questions · Last reviewed May 2026

MD-102 Exam Questions and Answers

42 real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right — and why the others are wrong.

50 exam questions
120 min time limit
Pass: 700/1000
7 exam domains
Exam domains:
1. Prepare infrastructure for devices
2. Manage and maintain devices
3. Manage applications
4. Protect devices
5. Deploy Windows client
6. Manage identity and compliance
7. Manage, maintain, and protect devices

Domain 1: Prepare infrastructure for devices

Q1 (medium)

Your organization has Windows 11 devices used by remote employees. You need to ensure that only devices compliant with your security policies can access corporate email via Microsoft Outlook for Windows. What should you configure?

A

Set up a device compliance policy in Microsoft Purview to block non-compliant devices.

B

Create a Conditional Access policy in Microsoft Entra ID that requires device compliance, and assign the policy to the cloud app 'Office 365 Exchange Online'.

This correctly combines Intune compliance with Entra ID Conditional Access to block non-compliant devices.

C

Configure a device filter in Exchange Online to block devices that are not managed by Intune.

D

Deploy an email security policy via Intune to block access from non-compliant devices.

Why: Conditional Access in Microsoft Entra ID can block access based on device compliance status. Intune compliance policies define the compliance requirements, and Conditional Access policies enforce the access control. Option A is correct. Option B is wrong because device filters don't check compliance. Option C is wrong because it doesn't enforce compliance. Option D is wrong because it's for device enrollment, not access control.
Q2 (hard)

You are deploying Windows 10 to 500 new devices using a task sequence in Microsoft Configuration Manager. The devices need to be joined to Microsoft Entra ID and enrolled in Intune automatically during OSD. Which method should you use?

A

Add a 'Provision Microsoft Entra ID' step in the task sequence, using a bulk token generated from Microsoft Entra ID.

This step allows Entra ID join and automatic Intune enrollment during OSD.

B

Use a provisioning package (PPKG) with bulk enrollment token, applied during the task sequence.

C

Set a Group Policy that enables automatic MDM enrollment using a discovered AAD token.

D

Configure Windows Autopilot for existing devices and redeploy them.

Why: In Configuration Manager, the 'Provision Microsoft Entra ID' step in a task sequence can be used to perform a bulk token-based join. This is the recommended approach for Windows 10 devices. Option B is correct. Option A is wrong because it's not for bulk OSD. Option C is wrong because Autopilot is for user-driven scenarios. Option D is wrong because MDM enrollment via GPO is not typically used during OSD.
Q3 (easy)

Your company is deploying Windows 11 devices using Windows Autopilot. You need to ensure that during the first boot, the device automatically joins Microsoft Entra ID, enrolls in Intune, and installs required applications. What should you provide to the device?

A

The device's hardware hash, uploaded to Intune, and an Autopilot deployment profile assigned.

Autopilot requires the hardware hash to identify the device and the profile to define the deployment settings.

B

The Configuration Manager client and a site code for automatic site assignment.

C

A provisioning package containing the MDM enrollment settings.

D

A Group Policy Object that configures automatic MDM enrollment.

Why: Windows Autopilot uses a device-specific hardware hash that is uploaded to Intune. Based on the assigned Autopilot deployment profile, the device automatically joins Entra ID and enrolls in Intune. Option A is correct. Option B is wrong because a provisioning package is not needed for Autopilot. Option C is wrong because a Configuration Manager client is not required. Option D is wrong because Group Policy does not apply during Autopilot.
Q4 (medium)

You need to configure device compliance for devices that are not running Windows. The devices include iOS, iPadOS, Android, and macOS. Which compliance settings are common across all platforms?

A

Require device password and not allow simple passwords.

B

Require minimum OS version.

All platforms support a minimum OS version compliance rule.

C

Device must not be jailbroken/rooted.

D

Require BitLocker encryption.

Why: Requiring a minimum OS version is a common compliance setting across all major platforms. Option B is correct. Option A is wrong because BitLocker is Windows-only. Option C is wrong because jailbreak detection is available only on iOS/iPadOS. Option D is wrong because, although 'require password' is common to all platforms, 'not allow simple passwords' is not a standard compliance setting; 'minimum OS version' is the setting that is universally supported.
Q5 (hard)

Your organization uses Microsoft Intune to manage devices. You have a compliance policy that requires devices to have a password of at least 6 characters. Some users report that their devices are marked as non-compliant even though they have a password set. What is the most likely cause?

A

The password length setting is set to '6' but the device requires a minimum of 8.

B

The compliance policy is assigned to device groups, but the devices are user-enrolled.

C

The compliance policy is assigned to a user group that does not include the affected users.

If the policy is not assigned to the user or device group containing the users, they won't receive the policy and may be non-compliant by default.

D

The device uses a PIN instead of a password, which is not evaluated.

Why: Intune compliance settings for password length are platform-specific; on Android, for example, the length setting can be interpreted differently. The most common cause, however, is that the compliance policy is not assigned to the correct group or the device has not checked in. Given the options, the most likely cause is that the policy is assigned to a group that the device or user is not a member of. Option C is correct. Option A is wrong because the user may be in the target group while the device is not. Option B is wrong because the policy itself is correct. Option D is wrong because the password complexity setting is separate.
Q6 (easy)

You need to deploy a line-of-business (LOB) app to 100 Windows 10 devices managed by Intune. The app is packaged as an .msi file. Which app type should you choose in Intune?

A

Windows app (Win32)

B

Line-of-business app

Intune supports .msi as a line-of-business app.

C

Web link

D

Microsoft Store app

Why: For Windows LOB apps, Intune supports .msi, .exe, .appx, and .msix. The 'Line-of-business app' type is used for .msi files. Option A is correct. Option B is wrong because 'Windows app (Win32)' is for .intunewin files. Option C is wrong because 'Microsoft Store app' is for store apps. Option D is wrong because 'Web link' is for web apps.


Domain 2: Manage and maintain devices

Q1 (medium)

Your organization manages Windows 10 and 11 devices using Microsoft Intune. Users report that after a recent update, the Microsoft Store for Business app 'Company Portal' fails to launch. You verify that the app is assigned as required to all devices. What should you do first to resolve the issue?

A

Enable automatic updates for Company Portal in Intune.

B

Uninstall and reinstall Company Portal from all devices.

C

Trigger a device sync from the Microsoft Intune admin center.

Forces the device to check in and receive the latest app assignment and configuration.

D

Run Windows Update troubleshooter on affected devices.

Why: The correct first step is to trigger a device sync from the Microsoft Intune admin center. This forces the affected devices to check in with Intune, which can push down any pending policy or app configuration updates that may have been missed after the recent Windows update. Since the Company Portal app is assigned as required, a sync ensures the device receives the latest app version or remediation actions without requiring a full reinstall.
Q2 (hard)

You are designing a Windows 365 Cloud PC provisioning policy. The requirement is that when a user is assigned a Cloud PC, it must automatically have Microsoft Defender for Endpoint configured with real-time protection enabled and a custom firewall rule allowing only specific IPs. Which approach should you use?

A

Create an Intune device configuration profile using the Settings Catalog and assign it to the Azure AD group containing Cloud PC users.

Settings Catalog allows granular configuration of Defender and firewall settings.

B

Include the settings in the Windows 365 provisioning policy.

C

Create a PowerShell script that runs during provisioning and apply it via Azure Automation.

D

Use a Group Policy Object (GPO) applied via on-premises AD.

Why: Option A is correct because Intune device configuration profiles using the Settings Catalog allow granular control over Microsoft Defender for Endpoint settings (e.g., real-time protection) and custom firewall rules. These profiles can be assigned to an Azure AD group containing Cloud PC users, ensuring the settings are applied automatically after provisioning via the Windows 365 service, which integrates with Intune for post-provisioning management.
Q3 (easy)

A user's iOS device is enrolled in Microsoft Intune and is compliant. However, the user cannot access corporate email in the Outlook mobile app. The app displays an error that the device is not compliant. What is the most likely cause?

A

The user's Intune license has expired.

B

The Outlook app is not installed on the device.

C

A compliance policy was updated requiring a newer OS version or additional security settings.

Updated policies can cause previously compliant devices to become non-compliant.

D

The device is not enrolled in Intune.

Why: Option C is correct because Intune compliance policies are evaluated in real time when a user attempts to access corporate resources. If an administrator updates a policy to require a newer iOS version or additional security settings (e.g., passcode complexity, encryption), the device may become non-compliant even if it was previously compliant. The Outlook app checks device compliance via the Intune SDK and will block access if the device no longer meets the policy requirements, displaying the 'device not compliant' error.
Q4 (hard)

Your organization uses Microsoft Intune to manage Windows devices. You need to deploy a custom Line-of-Business (LOB) app that is signed with a certificate not trusted by the devices. The app must be available to users in the Company Portal. What should you do?

A

Upload the app to Microsoft Store for Business and assign it as offline.

B

Enable side-loading of apps on the target devices using Group Policy.

C

Upload the app as a LOB app in Intune and assign it to the target group.

Intune LOB deployment does not require the device to trust the signing certificate; Intune handles trust.

D

Convert the app to a .appx package and sign it with a trusted certificate.

Why: Option C is correct because Intune natively supports deploying signed Line-of-Business (LOB) apps directly to managed Windows devices, even if the signing certificate is not trusted by the devices. Intune handles the app delivery through the Company Portal, and the app will install as long as the device is enrolled and the app is assigned to the target group. The certificate trust issue is irrelevant for LOB app deployment via Intune because Intune does not validate the certificate chain for LOB apps; it only requires the app to be signed.
Q5 (medium)

You need to ensure that Windows 10 devices in your organization receive the latest quality updates within 7 days of release. You configure a Windows Update for Business policy in Intune with a deferral period of 7 days. After two weeks, some devices have not installed the updates. What is the most likely reason?

A

The devices are configured to receive updates from WSUS instead of Windows Update.

B

The deferral period is too short; Microsoft recommends 14 days.

C

The policy is configured to apply only to devices in a specific Azure AD group.

D

Devices have not synced with Intune to receive the updated policy.

Devices must sync to get the policy; if they miss sync, updates are not enforced.

Why: Option D is correct because Windows Update for Business policies in Intune are not applied in real time; devices must check in with the Intune service to receive the updated policy. The default sync interval for Intune-managed Windows 10 devices is approximately 8 hours, and if a device has not synced since the policy was configured, it will not yet have the new deferral settings. This explains why some devices have not installed the updates even after two weeks, as they may have missed the sync window or have a longer check-in cycle.
Q6 (easy)

You are troubleshooting a Windows 11 device that cannot connect to the corporate Wi-Fi network. The device is enrolled in Intune and has a Wi-Fi profile assigned. The profile uses SCEP certificate authentication. The user can connect to other Wi-Fi networks. What is the most likely cause?

A

The user's password has expired.

B

The root CA certificate required to validate the RADIUS server certificate is not installed on the device.

Without the root CA, the device cannot trust the server's certificate, causing authentication failure.

C

The Wi-Fi profile is not assigned to the user's device.

D

The device's Wi-Fi adapter driver is outdated.

Why: The device can connect to other Wi-Fi networks but not the corporate one, indicating the issue is specific to the corporate network's authentication requirements. Since the profile uses SCEP certificate authentication, the device must trust the root CA that issued the RADIUS server certificate to validate the server during the EAP-TLS handshake. If the root CA certificate is missing, the client will reject the RADIUS server certificate, causing the connection to fail. This is the most likely cause because the profile assignment and driver are not specific to this single network failure.


Domain 3: Manage applications

Q1 (medium)

A company uses Microsoft Intune to manage iOS and Android devices. Users report that some line-of-business (LOB) apps fail to install with error '0x87D1041C'. The apps are signed and deployed as device-required installs. What is the most likely cause?

A

The user is not assigned to the app deployment.

B

The app is not compliant with the device's OS version.

C

The device does not have the required app configuration policy.

D

The app is signed with a different certificate than the one uploaded to Intune.

This error specifically indicates a certificate mismatch.

Why: Error 0x87D1041C in Intune indicates a signature mismatch. When a line-of-business (LOB) app is deployed as a device-required install, the app binary must be signed with a certificate that has been uploaded to the Intune console. If the signing certificate used to sign the app differs from the one uploaded, Intune rejects the installation because it cannot verify the app's integrity and trust chain.
Q2 (hard)

An organization uses Microsoft Intune for Windows 10 device management. They need to deploy a custom Windows app (.exe) to kiosk devices. The app requires admin privileges to install, and the devices are shared. Which deployment method should be used?

A

Use a Win32 app with install context set to 'system'.

Win32 apps support system context installation, enabling admin-level installs on shared devices.

B

Assign the app as 'available' for user-install.

C

Deploy as a line-of-business app with device context.

D

Package as a Microsoft Store for Business app.

Why: Option A is correct because Win32 apps in Microsoft Intune can be configured with the install context set to 'system', which grants the necessary admin privileges for installation and ensures the app is installed for all users on shared kiosk devices. This method uses the Intune Management Extension to run the installer with SYSTEM account privileges, bypassing user-level restrictions and supporting per-machine installations.
Q3 (easy)

You manage a fleet of Android Enterprise devices. You need to ensure that only approved apps from the managed Play Store can be installed. What configuration should you enable?

A

Set the device to 'Fully managed' and disable unknown sources.

B

Deploy an app configuration policy that blocks sideloading.

C

Configure a device restriction policy to allow only managed Google Play apps.

This policy enforces that only apps from the managed Play Store can be installed.

D

Use a compliance policy to block non-compliant apps.

Why: Option C is correct because a device restriction policy in Microsoft Intune allows you to restrict app installation to only the managed Google Play store. By configuring the 'Allow only managed Google Play apps' setting, you ensure that users cannot install apps from unapproved sources, effectively controlling the app ecosystem on Android Enterprise devices.
Q4 (medium)

A company uses Microsoft Intune to manage Windows 10 devices. They deployed a Win32 app as 'required' but some devices show 'pending install'. The app is configured with a detection rule that checks for a registry key. What should you check first?

A

Increase the app installation timeout.

B

Ensure the device has connectivity to Intune.

C

Reassign the app to a different security group.

D

Check if the detection rule is incorrectly marking the app as installed.

A pre-existing registry key can cause Intune to skip installation, resulting in 'pending install'.

Why: Option D is correct because the most common reason for a 'pending install' status when a detection rule is configured is that the rule is incorrectly detecting the app as already installed. Intune evaluates the detection rule before attempting installation; if the rule finds the registry key (even if the app is not fully functional), Intune skips the installation and reports 'pending' or 'installed' without actually deploying the app. This is a frequent misconfiguration where the detection rule is too broad or references a key that exists from a previous installation or unrelated software.
Q5 (easy)

You need to deploy a Microsoft 365 Apps for enterprise suite to Windows 10 devices using Intune. Users are unlicensed. How should you proceed?

A

Deploy the suite as 'available' from Company Portal.

B

Use the built-in Microsoft 365 Apps (Office) app type in Intune.

C

Assign the Office 365 E3 license to all users.

D

Create a Win32 app package for Microsoft 365 Apps and deploy it.

Win32 packaging allows you to include a volume license key or use shared activation for unlicensed users.

Why: Option D is correct because when users are unlicensed, the Microsoft 365 Apps for enterprise suite cannot be deployed via the built-in Intune app type (which relies on license activation). Creating a Win32 app package allows you to bundle the Office Deployment Tool (ODT) with a configuration XML that sets the product ID to 'O365ProPlusRetail' and disables automatic licensing checks, enabling deployment to unlicensed devices.
Q6 (hard)

Which TWO methods can you use to deploy a custom Windows app that is not available in the Microsoft Store to multiple devices managed by Intune?

A

Line-of-business app

LOB apps support .msi and .intunewin for Windows.

B

Win32 app management

Win32 apps support .exe, .msi, and scripts.

C

Microsoft Store for Business app

D

Web app

E

Built-in app

Why: Line-of-business (LOB) app deployment is correct because it allows you to upload and distribute custom Windows apps (e.g., .msi, .appx, or .exe) that are not in the Microsoft Store to Intune-managed devices. This method is specifically designed for internal or third-party apps that are not publicly available, using Intune's app packaging and assignment capabilities.


Domain 4: Protect devices

Q1 (easy)

A user reports that their Windows 11 device is not receiving compliance policies from Microsoft Intune. The device shows as 'Not evaluated' in the Microsoft Intune admin center. Which step should you take first to resolve the issue?

A

Disconnect the device from Microsoft Entra ID and rejoin.

B

On the device, go to Settings > Accounts > Access work or school, select the account, and click Sync.

Forcing a sync triggers a policy evaluation.

C

Delete and recreate the compliance policy in Microsoft Intune.

D

Re-enroll the device in Microsoft Intune.

Why: Option B is correct because forcing a sync from the device can refresh the policy evaluation and resolve the 'Not evaluated' status. Option A is wrong because the device is already enrolled. Option C is wrong because the issue is with policy evaluation, not configuration. Option D is wrong because the device is already joined.
Q2 (medium)

Your company uses Microsoft Intune to manage iOS devices. You need to ensure that corporate data in Microsoft 365 apps is protected even if a device is compromised. Which App Protection Policy setting should you configure?

A

Configure device compliance policy to require jailbreak detection.

B

Configure App Protection Policy with 'Restrict cut, copy, and paste' and 'Allow app to transfer data to other apps' set to Policy managed apps.

This restricts data transfer to managed apps only.

C

Configure device configuration profile to require device PIN.

D

Configure App Protection Policy to require app PIN.

Why: Option C is correct because the 'Data transfer' settings control how data can be moved between apps, including preventing transfer to unmanaged apps. Option A is wrong because jailbreak detection is a device condition, not an app-level data protection. Option B is wrong because device PIN is a device-level policy. Option D is wrong because app PIN is for access control, not data transfer.
Q3 (hard)

You are implementing Microsoft Defender for Endpoint on Windows Server devices managed by Microsoft Intune. After onboarding, the devices show as 'Inactive' in the Microsoft Defender XDR portal. Which action should you take?

A

Modify the Windows Security app configuration policy to enable real-time protection.

B

Restart the Microsoft Defender for Endpoint service on the devices.

Restarting the service can re-establish communication.

C

Re-run the onboarding script on the devices.

D

Uninstall and reinstall the Microsoft Defender for Endpoint agent.

Why: Option D is correct because 'Inactive' status often indicates that the sensor data is not being sent, which can be resolved by restarting the Microsoft Defender for Endpoint service. Option A is wrong because the issue is not with the onboarding script. Option B is wrong because modifying a policy is not needed for activation. Option C is wrong because reinstallation is excessive.
Q4 (easy)

Your organization uses Microsoft Entra ID joined devices with Windows 10. You need to ensure that only compliant devices can access corporate email in Microsoft Outlook for Windows. Which integration should you enable?

A

Create a Conditional Access policy in Microsoft Entra ID requiring compliant devices for Exchange Online.

Conditional Access integrates with Intune compliance to block non-compliant devices.

B

Enable App Protection Policies for Outlook for Windows.

C

Require all devices to be enrolled in Intune before accessing email.

D

Configure a compliance policy in Intune to mark devices as non-compliant if not updated.

Why: Option B is correct because Conditional Access can enforce device compliance for cloud apps like Exchange Online. Option A is wrong because App Protection Policies are for mobile apps, not Outlook desktop. Option C is wrong because Compliance Policies alone don't enforce access; they need Conditional Access. Option D is wrong because device enrollment is a prerequisite, not the enforcement mechanism.
Q5 (medium)

You manage Android Enterprise devices with work profiles. A user reports that corporate apps are not appearing in the work profile after enrollment. The device shows as enrolled in Microsoft Intune. What is the most likely cause?

A

The device is not connected to the internet.

B

The device is not compliant with corporate policies.

C

The work profile was not created or was removed on the device.

Without a work profile, corporate apps have no container to install into.

D

The corporate apps are not assigned to the user.

Why: Option C is correct because if the work profile is not set up correctly on the device, corporate apps won't appear. Option A is wrong because if apps were assigned, they should deploy; the issue is with the profile. Option B is wrong because assignment not applied would affect all devices, not just one. Option D is wrong because compliance policies don't affect app visibility.
Q6 (hard)

Your organization uses Windows Autopilot for device deployment. After a device completes the user-driven deployment, it appears in Microsoft Entra ID as 'Azure AD registered' instead of 'Azure AD joined'. What should you modify to ensure the device is joined?

A

Modify the Autopilot deployment profile to set 'Join to Azure AD as' to 'Azure AD joined'.

This setting controls whether the device is joined or registered.

B

Add the device to a hybrid Azure AD join profile.

C

Modify the Autopilot deployment profile to set 'Join to Azure AD as' to 'Azure AD registered'.

D

Modify the enrollment restrictions to block personally owned devices.

Why: Option A is correct because the Autopilot profile determines the join type; setting it to 'Azure AD joined' ensures the device is joined, not registered. Option B is wrong for the same reason. Option C is wrong because enrollment restrictions affect user enrollment, not the join type. Option D is wrong because the domain join profile is for hybrid scenarios.


Domain 5: Deploy Windows client

Q1 (medium)

A company plans to deploy Windows 11 to 500 new devices using Microsoft Deployment Toolkit (MDT). The devices have various hardware configurations. The deployment must include language packs and regional settings. Which deployment method should the administrator use to minimize manual intervention?

A

Create a custom task sequence in MDT that includes language packs and regional settings.

Task sequences automate deployment including language and region.

B

Use Windows Configuration Designer to create a provisioning package with language settings.

C

Create a task sequence in Configuration Manager without MDT integration.

D

Use Windows Autopilot with a custom profile to deploy language packs.

Why: Option A is correct because MDT allows the administrator to create a custom task sequence that integrates language packs and regional settings directly into the deployment process. This approach automates the entire deployment with minimal manual intervention, as the task sequence handles all configuration steps without requiring post-deployment adjustments.
Q2 (hard)

A company uses Configuration Manager to deploy Windows 11. During the deployment, several devices fail with error code 0x80070002. The administrator suspects the issue is related to missing boot images or content distribution. What should the administrator do first to resolve the issue?

A

Increase the client cache size on the affected devices.

B

Check the driver packages in the task sequence.

C

Verify that the boot image and OS image are distributed to all distribution points.

Missing content on DP causes file not found error.

D

Recreate the task sequence with new OS image.

Why: Error code 0x80070002 translates to 'The system cannot find the file specified.' In a Configuration Manager task sequence deployment, this typically indicates that the boot image or OS image content is not available on the distribution point that the client is accessing. Verifying distribution ensures the required content is present and accessible, which is the most direct and common fix for this error.
Q3 (easy)

An organization needs to deploy Windows 11 to remote users who do not have access to the corporate network. The devices are brand new and have internet connectivity. Which deployment method should the administrator recommend?

A

Use Configuration Manager with a task sequence over VPN.

B

Use PXE boot from a distribution point at the local office.

C

Use Windows Autopilot with user-driven mode.

Autopilot enables cloud-based deployment.

D

Deploy using MDT with a bootable USB drive.

Why: Windows Autopilot with user-driven mode is the correct choice because it enables remote, zero-touch deployment of new Windows 11 devices using only internet connectivity. The devices are pre-registered in Autopilot, and during the out-of-box experience (OOBE), they automatically download the organization-specific configuration, join Azure AD, and enroll in MDM without requiring any VPN or on-premises infrastructure.
Q4 (hard)

A company uses Configuration Manager to deploy Windows 10 to 2000 devices. After deployment, several devices report that the Start menu layout is not applied. The administrator used a provisioning package to configure Start layout. What is the most likely cause of the issue?

A

Group Policy settings are overriding the Start layout configuration.

GP can override provisioning package settings.

B

The devices are not Azure AD joined.

C

The provisioning package was not signed properly.

D

The provisioning package was applied after user first logon.

Why: Option C is correct because provisioning packages apply during OOBE and may be overwritten by Group Policy. Option A is wrong because a user profile issue would not affect all devices. Option B is wrong because MDM is not used. Option D is wrong because the package is applied, just overridden.
Q5 (medium)

An administrator is deploying Windows 11 using Configuration Manager. The task sequence fails on some devices during the 'Apply Operating System' step with a notice that the image file is not valid. All other devices succeed. What is the most likely cause?

A

The boot image is not compatible with the device firmware.

B

The distribution point is out of disk space.

C

The task sequence variable OSDPackagePath is missing.

D

The OS image download was corrupted on the client.

Corrupted download causes invalid image error on specific clients.

Why: Option D is correct because a corrupted OS image download on the client will cause the 'Apply Operating System' step to fail with an 'image file is not valid' error. Since the issue occurs only on some devices, a per-client download corruption (e.g., due to network interruption or disk I/O errors during BITS transfer) is the most likely cause, while the image itself remains valid on the distribution point.
Q6 (medium)

A company is planning to deploy Windows 11 using Microsoft Deployment Toolkit (MDT). The administrator needs to ensure that the deployment can be fully automated without user interaction. Which TWO settings should be configured in the CustomSettings.ini file?

A

SkipTaskSequence=YES

Skips task sequence selection.

B

SkipComputerBackup=YES

C

SkipBitLocker=YES

D

SkipDomainMembership=YES

E

SkipFinalSummary=YES

Suppresses final summary dialog.

Why: Option A is correct because setting SkipTaskSequence=YES in CustomSettings.ini allows MDT to bypass the Task Sequence Wizard, enabling a fully automated, zero-touch deployment. Option E is correct because SkipFinalSummary=YES suppresses the final summary dialog that would otherwise require user acknowledgment to complete the deployment. Together, these two settings eliminate all interactive prompts during the deployment process.


Domain 6: Manage identity and compliance

Q1 (medium)

A company with 500 users uses Microsoft 365 E3 licenses. They want to ensure that all users have multi-factor authentication (MFA) enforced. Currently, 80% of users have MFA enabled through the legacy per-user MFA setting. The security team wants to use Conditional Access policies instead. You need to migrate from per-user MFA to Conditional Access with no disruption to users. What should you do?

A

Create a Conditional Access policy requiring MFA for all cloud apps, including break-glass accounts. Then disable per-user MFA.

B

Create a Conditional Access policy requiring MFA for all users only when accessing from outside the corporate network.

C

Create a Conditional Access policy requiring MFA for all users, excluding break-glass accounts. Disable per-user MFA for all users.

This ensures MFA is always enforced and provides emergency access via break-glass accounts.

D

Disable per-user MFA for all users, then create a Conditional Access policy requiring MFA for all cloud apps.

Why: Option C is correct because you need to exclude the break-glass accounts from the Conditional Access policy to ensure admin access if something goes wrong. You should first create a Conditional Access policy that requires MFA for all users except the break-glass accounts, then disable the per-user MFA for all users. Option A is incorrect because disabling per-user MFA before creating the policy would leave users without MFA. Option B is incorrect because using a Conditional Access policy to require MFA from outside the network only would not enforce MFA for internal access. Option D is incorrect because creating a policy without excluding break-glass accounts could lock out administrators.
Q2 (hard)

You are an endpoint administrator for a company that uses Microsoft Intune to manage devices. You need to ensure that only compliant devices can access Exchange Online. You have configured a Conditional Access policy that grants access to Exchange Online only if the device is marked as compliant. A user reports that they cannot access email from their iOS device, which is enrolled in Intune and shows as compliant. The user can access other Microsoft 365 services. What is the most likely cause?

A

The user does not have an Exchange Online license assigned.

B

The Conditional Access policy is configured to block access from non-corporate networks.

C

The device compliance policy is not set to require a PIN or password.

D

The Exchange Online workload is not enabled in Intune for mobile device management.

If the workload is not enabled, Intune cannot enforce compliance for Exchange Online access, causing the block.

Why: The most likely cause is that the Exchange Online workload is not enabled in Intune for mobile device management (MDM). Even though the device is enrolled and compliant, Intune must have the Exchange Online workload enabled to apply Conditional Access policies that govern email access. Without this, the Conditional Access policy cannot enforce compliance checks specifically for Exchange Online, resulting in access being blocked despite the device showing as compliant.
Q3 (easy)

A company is implementing Windows Hello for Business and wants to use certificate-based authentication. They have an on-premises Active Directory and are using Azure AD Connect for hybrid identity. Which prerequisites must be met to support certificate-based Windows Hello for Business?

A

All users must have the Microsoft Authenticator app installed.

B

Conditional Access policies must be configured to require Windows Hello for Business.

C

An enterprise certification authority (CA) must be deployed and all devices must be Azure AD joined or hybrid Azure AD joined.

Certificate-based Windows Hello requires a CA and hybrid or Azure AD joined devices.

D

All users must be configured for passwordless sign-in.

Why: Certificate-based Windows Hello for Business requires an enterprise PKI to issue and validate certificates for authentication. Devices must be Azure AD joined or hybrid Azure AD joined to enroll these certificates and support the certificate trust model. On-premises Active Directory and Azure AD Connect provide the hybrid identity foundation, but the CA and appropriate device join state are the critical prerequisites.
Q4 (hard)

You manage a Microsoft 365 tenant with 10,000 users. You are planning a Conditional Access policy to require MFA for all users. However, you need to ensure that users who have not yet registered for MFA are not blocked. What should you do to handle unregistered users?

A

Configure the Conditional Access policy in 'Report-only' mode to identify unregistered users.

B

Enable the Azure AD Identity Protection MFA registration policy to require users to register for MFA within 14 days.

This policy ensures users register before they are required to use MFA, preventing lockout.

C

Exclude all users who have not registered for MFA from the Conditional Access policy.

D

Create a separate Conditional Access policy that requires MFA only for users who have not registered for MFA.

Why: Option B is correct because the Azure AD Identity Protection MFA registration policy automatically enforces MFA registration for all users within a specified grace period (default 14 days), ensuring that users who have not yet registered are prompted to register before being blocked by a Conditional Access policy. This policy works in conjunction with Conditional Access by pre-registering users, so when the CA policy requiring MFA is enabled, all users already have MFA credentials available, preventing lockout.
Q5 (easy)

A company uses Microsoft Intune to manage Windows 10 devices. They need to ensure that only devices that have a BitLocker encryption status of 'fully encrypted' are allowed to access corporate resources. They create a device compliance policy that requires BitLocker. However, some devices are still accessing resources even though they are not fully encrypted. What should you check?

A

The devices are running Windows 10 Home edition, which does not support BitLocker.

B

The compliance policy is not assigned to the user or device groups.

Without assignment, the policy does not apply, and non-compliant devices can still access resources.

C

The compliance policy is set to 'Report non-compliant' instead of 'Block non-compliant'.

D

The compliance policy has a grace period configured that allows access for non-compliant devices.

Why: Option B is correct because a device compliance policy must be assigned to the appropriate user or device groups to take effect. If the policy is not assigned, Intune will not evaluate the devices against the BitLocker requirement, and non-compliant devices will continue to access corporate resources. The scenario indicates that the policy was created but not enforced, which points directly to a missing assignment.
Q6 (medium)

Which TWO of the following are required to implement Azure AD Join for Windows 10 devices in a hybrid environment with on-premises Active Directory?

A

Active Directory Federation Services (AD FS) deployed.

B

Windows 10 devices that are domain-joined to the on-premises Active Directory.

Devices must be domain-joined to be hybrid Azure AD joined.

C

Azure AD Connect with device writeback enabled.

Device writeback is required for hybrid Azure AD join.

D

Azure AD Premium P1 licenses for all users.

E

Windows Hello for Business configured for all users.

Why: Option B is correct because Azure AD Join in a hybrid environment requires devices to be domain-joined to on-premises Active Directory first. This allows Azure AD Connect to synchronize the device objects and, with device writeback enabled, register them in Azure AD, enabling seamless single sign-on and conditional access.


Domain 7: Manage, maintain, and protect devices

Q1 (medium)

A company deploys Windows 10 Enterprise devices managed by Microsoft Intune. Users report that after a recent Windows update, the Start menu layout is reset to default on some devices. The company uses a custom Start menu layout XML policy. How should the administrator ensure the custom layout is reapplied automatically after feature updates?

A

Use a Feature Update policy in Intune to set the 'Start layout XML' setting.

B

Deploy a provisioning package with the custom layout to all devices via Intune.

C

Configure the 'Start layout' policy under User Configuration > Administrative Templates > Start Menu and Taskbar to point to the XML file.

The Start layout policy is reapplied during policy refresh, which occurs after feature updates.

D

Reapply the Start layout policy manually after each feature update.

Why: Option C is correct because the 'Start layout' policy under User Configuration > Administrative Templates > Start Menu and Taskbar in a Group Policy Object (GPO) or Intune Administrative Template profile is designed to persistently enforce a custom Start layout XML. When a Windows feature update resets the Start menu to default, this policy automatically reapplies the custom layout at next user logon or policy refresh, ensuring consistency without manual intervention.
Q2 (hard)

A company uses Microsoft Intune to manage Windows 10 devices. They have a compliance policy that requires BitLocker to be enabled. Some devices are marked as non-compliant even though BitLocker appears to be on. The administrator runs 'manage-bde -status' on a non-compliant device and sees that the protection status is 'Protection Off'. What is the most likely cause?

A

The BitLocker key protectors are missing or have been removed.

Without key protectors, BitLocker protection is suspended.

B

The TPM is not initialized.

C

The device has a recovery password protector but no TPM protector.

D

The device uses a different encryption method (e.g., XTS-AES 256 vs AES 128).

Why: The compliance policy requires BitLocker to be enabled, but 'manage-bde -status' shows 'Protection Off'. This indicates that while the drive is encrypted, BitLocker is not actively protecting the data because the key protectors (such as the TPM protector) are missing or have been removed. Intune checks the protection status, not just encryption state, so when protectors are absent, the device is marked non-compliant.
Q3 (easy)

A company uses Microsoft Intune to manage devices. They want to ensure that when a device is reported as lost or stolen, the IT admin can remotely wipe the device. Which action should the admin take in the Intune console?

A

Select the device and choose 'Retire'.

B

Select the device and choose 'Wipe'.

Wipe performs a factory reset, removing all data.

C

Select the device and choose 'Reset'.

D

Select the device and choose 'Delete'.

Why: The 'Wipe' action in Microsoft Intune restores a device to its factory default settings, removing all corporate and personal data. This is the appropriate action for a lost or stolen device to prevent unauthorized access to company data. The 'Retire' action only removes managed app data and policies but leaves personal data intact, which is insufficient for a security breach scenario.
Q4 (hard)

An organization uses Microsoft Intune to manage Windows 10 devices. They deploy a PowerShell script via Intune to install a custom application. The script runs successfully on some devices but fails on others with error code 0x80070002. What is the most likely cause?

A

The script execution exceeds the 60-minute timeout.

B

The user does not have local administrator privileges on the failing devices.

C

The script references a file path that does not exist on the failing devices.

Error 0x80070002 is 'File not found'.

D

The PowerShell execution policy is set to Restricted on the failing devices.

Why: Option B is correct because the script likely references a file that is not present. Option A is wrong because execution policy can be bypassed by Intune. Option C is wrong because admin rights are granted. Option D is wrong because script timeout would give a different error.
Q5 (easy)

A company uses Microsoft Intune to manage iOS devices. They want to enforce a policy that requires a passcode of at least 6 characters and auto-lock after 5 minutes. Which configuration profile type should they use?

A

Device restrictions profile.

Device restrictions contain security settings like passcode and auto-lock.

B

Wi-Fi profile.

C

VPN profile.

D

Email profile.

Why: A Device restrictions profile is the correct configuration profile type because it contains the security settings for iOS devices, including passcode requirements (minimum length, complexity) and device lock timeouts (auto-lock after minutes). This profile type enforces device-level security policies directly managed by Intune, making it the appropriate choice for requiring a 6-character passcode and 5-minute auto-lock.
Q6 (medium)

A company uses Microsoft Intune to manage Windows 10 devices. They need to deploy a line-of-business (LOB) app that is not available in the Microsoft Store. The app is packaged as an .msi file. Which TWO steps are required to deploy this app via Intune?

A

Upload the .msi file directly as a Microsoft Store for Business app.

B

Install the app on a file server and configure a shortcut.

C

Assign the app to a group of users or devices.

App must be assigned to a target group.

D

Convert the .msi file to the .intunewin format using the Microsoft Win32 Content Prep Tool.

Intune requires .intunewin for Win32 apps.

E

Create a PowerShell script to install the app silently.

Why: Option C is correct because after preparing the Win32 app, you must assign it to a group of users or devices in Intune to trigger deployment. Without assignment, the app is uploaded but not installed on any target. This step is mandatory for any Intune-managed app deployment.


Frequently asked questions

How many questions are on the MD-102 exam?

The MD-102 exam has 50 questions and must be completed in 120 minutes. The passing score is 700/1000.

What types of questions appear on the MD-102 exam?

Endpoint administration scenario questions covering Windows 11, Microsoft Intune, Autopilot, Microsoft Entra join, and device compliance policies.

How are MD-102 questions organised by domain?

The exam covers 7 domains: Prepare infrastructure for devices, Manage and maintain devices, Manage applications, Protect devices, Deploy Windows client, Manage identity and compliance, Manage, maintain, and protect devices. Questions are weighted by domain — higher-weight domains appear more on your actual exam.

Are these the actual MD-102 exam questions?

No. These are original exam-style practice questions written against the official Microsoft MD-102 exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.
