MD-102 Prepare infrastructure for devices • Complete Question Bank
Complete MD-102 Prepare infrastructure for devices question bank — all 0 questions with answers and detailed explanations.
{
"@odata.type": "#microsoft.graph.windows10CompliancePolicy",
"passwordRequired": true,
"passwordMinimumLength": 6,
"passwordRequiredType": "deviceDefault",
"passwordMinutesOfInactivityBeforeLock": 5,
"passwordExpirationDays": 90,
"passwordPreviousPasswordCountToBlock": 5,
"secureBootEnabled": true,
"codeIntegrityEnabled": true,
"earlyLaunchAntimalwareDriverProtectionEnabled": true,
"bitLockerEnabled": true,
"bitLockerRecoveryPasswordRotation": "disabled"
}Get-WindowsAutopilotInfo.ps1 -GroupTag "Marketing" -Online
New-IntuneCompliancePolicy -DisplayName "Windows 11 Compliance" -Platform Windows10AndLater -PasswordRequired $true -PasswordMinimumLength 8 -PasswordRequiredType DeviceDefault -PasswordMinutesOfInactivityBeforeLock 15 -PasswordExpirationDays 90 -PasswordPreviousPasswordCountToBlock 5 -SecureBootEnabled $true -CodeIntegrityEnabled $true -EarlyLaunchAntimalwareDriverProtectionEnabled $true -BitLockerEnabled $true -BitLockerRecoveryPasswordRotation Disabled -TpmRequired $true
Refer to the exhibit.
{
"enrollmentTimeDeviceMembershipProcessingStatus": "notStarted",
"displayName": "Windows AutoPilot Deployment Profile",
"description": "Profile for Autopilot devices",
"enrollmentStatusTrackerSettings": {
"blockDeviceWithNotApplicableStatus": false,
"blockDeviceWithPendingRetryStatus": false,
"blockDeviceWithTimeoutStatus": false,
"deviceEnrollmentFailureAction": "block"
}
}Refer to the exhibit.
$devices = Get-MgDeviceManagementManagedDevice -Filter "operatingSystem eq 'Windows'"
foreach ($device in $devices) {
if ($device.deviceEnrollmentType -eq 'windowsAzureADJoin') {
Write-Output $device.id
}
}{
"displayName": "Windows Device Compliance Policy",
"scheduledActionsForRule": [
{
"ruleName": "Password",
"scheduledActionConfigurations": [
{
"actionType": "block",
"gracePeriodHours": 24
},
{
"actionType": "retire",
"gracePeriodHours": 72
}
]
}
],
"passwordRequired": true,
"passwordMinimumLength": 6
}{
"displayName": "Windows Update for Business Policy",
"windowsUpdateForBusinessConfiguration": {
"qualityUpdatePauseStartDate": "2026-06-01",
"qualityUpdatePauseExpiryDateTime": "2026-06-30T00:00:00Z",
"featureUpdatePauseStartDate": "2026-07-01",
"featureUpdatePauseExpiryDateTime": "2026-07-15T00:00:00Z"
}
}{
"managementIntent": {
"displayName": "Baseline Security",
"settingsDelta": [
{
"settingDefinitionId": "device_vendor_msft_policy_config_windowsfirewall_publicprofile_enablefirewall",
"settingInstance": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"choiceSettingValue": {
"value": "device_vendor_msft_policy_config_windowsfirewall_publicprofile_enablefirewall_1"
}
}
}
]
}
}{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#deviceManagement/managedDevices/$entity",
"id": "12345678-1234-1234-1234-123456789012",
"deviceName": "DESKTOP-ABC123",
"managedDeviceOwnerType": "company",
"enrolledDateTime": "2025-01-15T08:00:00Z",
"lastSyncDateTime": "2025-02-01T10:00:00Z",
"operatingSystem": "Windows",
"complianceState": "noncompliant",
"jailBroken": "Unknown",
"managementAgent": "mdm",
"azureADRegistered": true,
"deviceEnrollmentType": "windowsAzureADJoin"
}New-IntuneDeviceCategory -Name "Sales" -Description "Sales department devices"
WmiContext: root\cimv2 Query: SELECT * FROM Win32_EncryptableVolume WHERE ProtectionStatus = 0
Refer to the exhibit.
{
"@odata.type": "#microsoft.graph.windows10CompliancePolicy",
"description": "Windows 10 compliance policy",
"passwordRequired": true,
"passwordMinimumLength": 8,
"passwordRequiredType": "alphanumeric",
"passwordMinutesOfInactivityBeforeLock": 5,
"passwordExpirationDays": 90,
"passwordPreviousPasswordBlockCount": 5,
"osMinimumVersion": "10.0.19042.0",
"osMaximumVersion": "10.0.19045.999",
"storageRequireEncryption": true,
"activeFirewallRequired": true,
"defenderEnabled": true
}Refer to the exhibit. Get-MgDeviceManagementManagedDevice -Filter "operatingSystem eq 'Windows'" | Select-Object Id, DeviceName, LastSyncDateTime, ComplianceState Id DeviceName LastSyncDateTime ComplianceState -- ---------- ---------------- --------------- 12345678-1234-1234-1234-123456789abc Laptop-01 2025-03-15T10:30:00Z compliant 87654321-4321-4321-4321-123456789abc Laptop-02 2025-03-14T09:15:00Z noncompliant 11223344-5566-7788-99aa-bbccddeeff00 Laptop-03 2025-03-10T08:00:00Z compliant
Refer to the exhibit.
{
"@odata.type": "#microsoft.graph.windows10EnrollmentStatusPageConfiguration",
"displayName": "ESP Configuration",
"description": "Block device use until required apps install",
"trackInstallProgressForAutopilotOnly": true,
"blockDeviceSetupRetryByUser": true,
"allowDeviceResetOnInstallFailure": false,
"allowLogCollectionOnInstallFailure": true,
"customErrorMessage": "",
"installProgressTimeoutInMinutes": 60,
"allowDeviceUseOnInstallFailure": false,
"selectedMobileAppIds": [
"appId1",
"appId2"
]
}Refer to the exhibit.
{
"@odata.type": "#microsoft.graph.windows10GeneralConfiguration",
"id": "dummy-id",
"passwordBlockSimple": true,
"passwordMinimumLength": 8,
"passwordRequired": true,
"passwordRequiredType": "alphanumeric",
"passwordExpirationDays": 90,
"passwordMinimumCharacterSetCount": 3
}Refer to the exhibit. Device configuration profile: macOSEndpointProtection FileVault settings: - Encryption type: Full disk encryption - Recovery key type: Personal recovery key - Personal recovery key rotation: On - Escrow location description: Intune - Show recovery key: Not configured
Refer to the exhibit. PowerShell output: Get-AutopilotDiagnostics -SerialNumber "ABC123" | Format-List SerialNumber : ABC123 RegistrationStatus : NotRegistered ProfileAssignmentStatus : NotAssigned DeploymentStatus : NotStarted LastCheckInDateTime : 2026-03-01 10:00:00
Refer to the exhibit.
```json
{
"Name": "Windows 10 - Device Restrictions",
"Description": "Block consumer features",
"Settings": [
{
"Setting": "Microsoft Store",
"Value": "Block"
},
{
"Setting": "Cortana",
"Value": "Block"
},
{
"Setting": "Camera",
"Value": "Allow"
}
]
}
```Refer to the exhibit.
```json
{
"@odata.type": "#microsoft.graph.windows10CompliancePolicy",
"passwordRequired": true,
"passwordMinimumLength": 6,
"passwordRequiredType": "deviceDefault",
"osMinimumVersion": "10.0.19041.0",
"osMaximumVersion": "10.0.19045.0",
"storageRequireEncryption": true
}
```Refer to the exhibit.
```json
{
"enrollmentProfile": "Microsoft Intune Windows Enrollment",
"deviceName": "DESKTOP-%RAND:5%",
"groupTag": "Marketing",
"orderID": "12345",
"serialNumber": "ABC123"
}
```{
"displayName": "Windows Enrollment Restriction",
"description": "Block personal Windows devices",
"@odata.type": "#microsoft.graph.deviceEnrollmentPlatformRestriction",
"platformType": "windows",
"personalDeviceEnrollmentBlocked": true,
"osMinimumVersion": null,
"osMaximumVersion": null
}{
"displayName": "Windows Autopilot Profile",
"description": "Self-deploying for kiosks",
"deploymentProfile": {
"deploymentMode": "selfDeploying",
"languageLocale": "en-US",
"keyboardLocale": "en-US",
"applicationGroupAssignments": []
},
"deviceNameTemplate": "KIOSK-%RAND:5%"
}{
"@odata.type": "#microsoft.graph.windows10EnrollmentCompletionPageConfigurationPolicy",
"id": "00000000-0000-0000-0000-000000000000",
"displayName": "ESP for Autopilot",
"description": "Required apps must install",
"showInstallationProgress": true,
"blockDeviceSetupRetryByUser": true,
"allowDeviceResetOnInstallFailure": false,
"trackInstallProgressForAutopilotOnly": true,
"selectedMobileAppIds": [
"App1",
"App2"
]
}{
"@odata.type": "#microsoft.graph.windows10CompliancePolicy",
"description": "Windows 10 compliance policy",
"passwordRequired": true,
"passwordMinimumLength": 8,
"passwordRequireToUnlockFromIdle": true,
"passwordMinutesOfInactivityBeforeLock": 15,
"osMinimumVersion": "10.0.19041.0",
"osMaximumVersion": "10.0.22621.0",
"storageRequireEncryption": true,
"activeFirewallRequired": true,
"validOperatingSystemBuildRanges": []
}{
"@odata.type": "#microsoft.graph.windowsUpdateForBusinessConfiguration",
"description": "Windows 10 update ring",
"updateNotificationLevel": "default",
"featureUpdateDeferralInDays": 30,
"featureUpdatePauseStartDate": null,
"qualityUpdateDeferralInDays": 7,
"qualityUpdatePauseStartDate": "2025-03-01",
"qualityUpdatePauseExpiryDate": "2025-03-15",
"automaticUpdateMode": "autoInstallAtMaintenanceTime"
}{
"deviceEnrollmentConfiguration": {
"@odata.type": "#microsoft.graph.windows10EnrollmentProfile",
"displayName": "Autopilot Profile",
"description": "Standard user-driven Autopilot",
"enrollmentType": "azureAdJoined",
"language": "en-US",
"outOfBoxExperienceSettings": {
"hidePrivacySettings": false,
"hideEULA": false,
"userType": "standard",
"deviceUsageType": "singleUser"
}
}
}Refer to the exhibit.
{
"@odata.type": "#microsoft.graph.windows10CompliancePolicy",
"description": "Compliance policy for Windows 10 devices",
"passwordRequired": true,
"passwordMinimumLength": 6,
"passwordRequiredType": "deviceDefault",
"osMinimumVersion": "10.0.19041.0",
"osMaximumVersion": "10.0.22621.0",
"storageRequireEncryption": true,
"activeFirewallRequired": true,
"defenderEnabled": true,
"defenderVersion": "1.0.0.0"
}Refer to the exhibit.
$autopilotDevices = Get-AutopilotDevice -GroupTag 'Sales'
$autopilotDevices | ForEach-Object {
Set-AutopilotDevice -Id $_.Id -GroupTag 'Marketing'
}Refer to the exhibit.
{
"@odata.type": "#microsoft.graph.windows10EndpointProtectionConfiguration",
"bitLockerSettings": {
"encryptionMethod": "AES256",
"requireDeviceEncryption": true,
"requireEncryptionForOsDrive": true
}
}{
"@odata.type": "#microsoft.graph.windows10CompliancePolicy",
"passwordRequired": true,
"passwordMinimumLength": 6,
"passwordRequiredType": "deviceDefault",
"passwordMinutesOfInactivityBeforeLock": 5,
"passwordExpirationDays": 90,
"passwordPreviousPasswordBlockCount": 5,
"osMinimumVersion": "10.0.15063",
"osMaximumVersion": "10.0.17134.1",
"storageRequireEncryption": true
}Get-AutopilotInfo -Online SerialNumber : ABC123 HardwareHash : 1234567890ABCDEF... ProductName : Surface Pro 7 Manufacturer : Microsoft DeviceState : AutopilotClientState = Unknown AssignmentStatus : NotAssigned
New-DeviceConfigurationPolicy -Name 'Windows Update Ring' -Windows10UpdateRing -FeatureUpdateDeferralInDays 60 -QualityUpdateDeferralInDays 0 -FeatureUpdatePauseStartDate $null -QualityUpdatePauseStartDate $null
Refer to the exhibit.
{
"enrollmentTimeDeviceMembershipProcessingStatus": "pending",
"deviceConfiguration": {
"omaSettings": [
{
"omaUri": "./Vendor/MSFT/Policy/Config/DeviceLock/MaxInactivityTimeDeviceLock",
"value": "15"
}
]
},
"enrollmentState": "Enrolled",
"complianceState": "compliant"
}Refer to the exhibit.
{
"resources": [
{
"type": "Microsoft.Intune/deviceConfigurations",
"properties": {
"@odata.type": "#microsoft.graph.windows10GeneralConfiguration",
"appsAllowTrustedAppsSideloading": "blocked",
"developerUnlockSetting": "blocked",
"enableAutomaticUpdate": false
}
}
]
}Refer to the exhibit. Get-MgDeviceManagementManagedDevice -DeviceId "12345" | Select-Object -Property DeviceName, OperatingSystem, ComplianceState, LastSyncDateTime DeviceName : DESKTOP-ABC OperatingSystem : Windows ComplianceState : noncompliant LastSyncDateTime : 2026-01-15T10:30:00Z
Refer to the exhibit.
{
"@odata.type": "#microsoft.graph.windows10CompliancePolicy",
"description": "Compliance policy for managed devices",
"displayName": "Windows 10 Compliance Policy",
"passwordRequired": true,
"passwordMinimumLength": 8,
"passwordExpirationDays": 90,
"osMinimumVersion": "10.0.19041.0",
"osMaximumVersion": "10.0.22621.0",
"storageRequireEncryption": true,
"activeFirewallRequired": true,
"defenderEnabled": true
}Refer to the exhibit.
$devices = Get-MgDeviceManagementManagedDevice -Filter "operatingSystem eq 'Windows'"
foreach ($device in $devices) {
if ($device.ComplianceState -ne 'compliant') {
Invoke-MgDeviceManagementManagedDevice -ManagedDeviceId $device.Id -Action wipe
}
}You are the endpoint administrator for Contoso, a company with 5,000 employees. The organization uses Microsoft Intune for device management and Microsoft Entra ID for identity. The current environment includes: - 3,000 Windows 11 Enterprise devices (corporate-owned, managed via Intune) - 1,500 iOS devices (corporate-owned, managed via Intune) - 500 Android devices (BYOD, managed via Intune with work profile) - 200 macOS devices (corporate-owned, managed via Intune)
You need to implement a solution to automatically enroll new Windows 11 devices purchased from a vendor. The devices should be pre-provisioned with the organization's configuration and applications without requiring IT staff to touch them. Additionally, you need to ensure that only compliant devices can access corporate email and documents. The solution must minimize manual effort and leverage cloud-based services.
You have the following requirements: 1. Zero-touch enrollment for new Windows 11 devices. 2. Devices must be automatically configured with security policies and required applications. 3. Conditional access to Microsoft 365 resources based on device compliance. 4. Support for both corporate and BYOD devices.
Which of the following actions should you take FIRST to meet the zero-touch enrollment requirement?
{
"deviceEnrollmentWindows": {
"enrollmentType": "azureADJoin",
"requireDeviceAuthentication": true,
"deviceTypeFilter": {
"includeDevices": ["windows10AndLater", "windowsHolographicForBusiness"],
"excludeDevices": []
},
"enrollmentRestrictions": {
"maxDevicesPerUser": 5,
"allowedPlatforms": ["windows"]
}
}
}{
"displayName": "Windows 10 Security Baseline",
"settings": [
{
"settingInstance": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationSettingInstance",
"settingDefinitionId": "device_vendor_msft_policy_config_windowsdefender_scan_enablelowcpupriority",
"settingInstanceTemplateReference": null,
"choiceSettingInstance": {
"choiceSettingValue": {
"value": "device_vendor_msft_policy_config_windowsdefender_scan_enablelowcpupriority_1",
"children": []
}
}
}
}
]
}