Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

MD-102 Prepare infrastructure for devices — All Questions With Answers

Complete MD-102 Prepare infrastructure for devices question bank — all 0 questions with answers and detailed explanations.

254 questions, free, no signup

Question 1 (medium, multiple choice)

Your organization has Windows 11 devices used by remote employees. You need to ensure that only devices compliant with your security policies can access corporate email via Microsoft Outlook for Windows. What should you configure?

Question 2 (hard, multiple choice)

You are deploying Windows 10 to 500 new devices using a task sequence in Microsoft Configuration Manager. The devices need to be joined to Microsoft Entra ID and enrolled in Intune automatically during OSD. Which method should you use?

Question 3 (easy, multiple choice)

Your company is deploying Windows 11 devices using Windows Autopilot. You need to ensure that during the first boot, the device automatically joins Microsoft Entra ID, enrolls in Intune, and installs required applications. What should you provide to the device?

Question 4 (medium, multiple choice)

You need to configure device compliance for devices that are not running Windows. The devices include iOS, iPadOS, Android, and macOS. Which compliance settings are common across all platforms?

Question 5 (hard, multiple choice)

Your organization uses Microsoft Intune to manage devices. You have a compliance policy that requires devices to have a password of at least 6 characters. Some users report that their devices are marked as non-compliant even though they have a password set. What is the most likely cause?

Question 6 (easy, multiple choice)

You need to deploy a line-of-business (LOB) app to 100 Windows 10 devices managed by Intune. The app is packaged as an .msi file. Which app type should you choose in Intune?

Question 7 (medium, multiple choice)

Your organization uses Microsoft Defender for Endpoint (part of Microsoft Defender XDR) on all Windows devices. You need to ensure that devices that are not actively reporting to Defender for Endpoint are flagged as non-compliant in Intune. What should you configure?

Question 8 (hard, multiple choice)

You are planning a Windows 11 deployment for 200 devices using Microsoft Configuration Manager (current branch). The devices are currently running Windows 10. You need to perform an in-place upgrade while preserving user data and settings. The devices are located in remote offices with limited bandwidth. Which deployment method should you use?

Question 9 (easy, multiple choice)

Your organization uses Microsoft Intune to manage devices. You need to ensure that all Windows 11 devices automatically install critical and security updates from Windows Update. Which policy should you configure?

Question 10 (medium, multi select)

Your organization uses Microsoft Intune to manage iOS/iPadOS devices. You need to deploy a custom SSL certificate to all devices to authenticate to a corporate Wi-Fi network. Which TWO methods can you use to deploy the certificate?

Question 11 (hard, multi select)

Your organization uses Microsoft Intune to manage Windows 11 devices. You need to configure a policy that prevents users from installing apps from outside the Microsoft Store. Which TWO settings can you use?

Question 12 (easy, multi select)

Your organization uses Microsoft Intune to manage Android Enterprise devices. You need to configure a policy that restricts the device from taking screenshots. Which THREE settings can you use?

Question 13 (medium, multiple choice)

Refer to the exhibit. You are reviewing an Intune compliance policy JSON for Windows 10. A device reports as non-compliant, and the compliance status details indicate that the setting 'Secure Boot' is not compliant. The device is a virtual machine. What is the most likely reason?

Exhibit

{
  "@odata.type": "#microsoft.graph.windows10CompliancePolicy",
  "passwordRequired": true,
  "passwordMinimumLength": 6,
  "passwordRequiredType": "deviceDefault",
  "passwordMinutesOfInactivityBeforeLock": 5,
  "passwordExpirationDays": 90,
  "passwordPreviousPasswordCountToBlock": 5,
  "secureBootEnabled": true,
  "codeIntegrityEnabled": true,
  "earlyLaunchAntimalwareDriverProtectionEnabled": true,
  "bitLockerEnabled": true,
  "bitLockerRecoveryPasswordRotation": "disabled"
}

Question 14 (hard, multiple choice)

Refer to the exhibit. An administrator runs the PowerShell cmdlet shown on a new Windows 11 device. The cmdlet completes successfully, but the device does not appear in Intune under Windows Autopilot devices. What is the most likely cause?

Exhibit

Get-WindowsAutopilotInfo.ps1 -GroupTag "Marketing" -Online

Question 15 (medium, multiple choice)

Refer to the exhibit. You run the PowerShell command shown to create a compliance policy. However, when you check the compliance status of a Windows 11 device, it shows as compliant even though the device does not have BitLocker enabled. What is the most likely reason?

Exhibit

New-IntuneCompliancePolicy -DisplayName "Windows 11 Compliance" -Platform Windows10AndLater -PasswordRequired $true -PasswordMinimumLength 8 -PasswordRequiredType DeviceDefault -PasswordMinutesOfInactivityBeforeLock 15 -PasswordExpirationDays 90 -PasswordPreviousPasswordCountToBlock 5 -SecureBootEnabled $true -CodeIntegrityEnabled $true -EarlyLaunchAntimalwareDriverProtectionEnabled $true -BitLockerEnabled $true -BitLockerRecoveryPasswordRotation Disabled -TpmRequired $true

Question 16 (medium, multiple choice)

You manage devices with Microsoft Intune. Users report that enrollment fails on Android Enterprise personally-owned work profiles. After reviewing enrollment restrictions, you verify that Android Enterprise is allowed. What should you check next?

Question 17 (hard, multiple choice)

Your organization uses Microsoft Intune to manage Windows 11 devices. You need to deploy a custom Windows security baseline that includes specific BitLocker settings. What is the best approach to create and assign this configuration?

Question 18 (easy, multiple choice)

You need to ensure that only corporate-owned devices can access Microsoft 365 apps. You plan to use Conditional Access in Microsoft Entra ID. What should you configure as the grant control?

Question 19 (hard, multiple choice)

During Windows Autopilot deployment, devices fail to enroll in Intune with error code 0x80180014. You confirm the device is registered in Autopilot and has internet connectivity. What is the most likely cause?

Question 20 (easy, multiple choice)

You need to deploy Microsoft 365 Apps to Windows devices using Intune. Users should be able to install from Company Portal. What app type should you choose in Intune?

Question 21 (medium, multiple choice)

You deploy a Windows 11 kiosk device using Intune. The kiosk should run a single app (Microsoft Edge). After assignment, the device starts but shows a blank screen. What is the most likely issue?

Question 22 (hard, multiple choice)

You need to configure Windows Update for Business policies using Intune. You want to defer feature updates by 60 days and quality updates by 14 days. Which policy setting should you use?

Question 23 (easy, multiple choice)

Users have iOS/iPadOS devices enrolled in Intune. You need to ensure that corporate data in managed apps is encrypted at rest. What should you configure?

Question 24 (medium, multiple choice)

You use Microsoft Intune to manage macOS devices. You need to deploy a shell script that runs on all macOS devices. What is the correct method?

Question 25 (hard, multiple choice)

Refer to the exhibit. An Intune administrator configures an Autopilot deployment profile with the shown settings. During OOBE, a device fails to install a required app and enrollment fails. What will happen to the device?

Exhibit

{
  "enrollmentTimeDeviceMembershipProcessingStatus": "notStarted",
  "displayName": "Windows AutoPilot Deployment Profile",
  "description": "Profile for Autopilot devices",
  "enrollmentStatusTrackerSettings": {
    "blockDeviceWithNotApplicableStatus": false,
    "blockDeviceWithPendingRetryStatus": false,
    "blockDeviceWithTimeoutStatus": false,
    "deviceEnrollmentFailureAction": "block"
  }
}

Question 26 (easy, multiple choice)

You need to deploy a Win32 app to Windows devices using Intune. The app requires admin privileges to install. How should you configure the deployment?

Question 27 (medium, multi select)

Which TWO prerequisites are required for Windows Autopilot self-deploying mode?

Question 28 (hard, multi select)

Which THREE actions can be taken from the Intune admin center when a device is retired?

Question 29 (easy, multi select)

Which TWO are valid methods to enroll iOS/iPadOS devices into Microsoft Intune?

Question 30 (hard, multiple choice)

Refer to the exhibit. An administrator runs this Graph PowerShell script. What is the purpose?

Exhibit

$devices = Get-MgDeviceManagementManagedDevice -Filter "operatingSystem eq 'Windows'"
foreach ($device in $devices) {
  if ($device.deviceEnrollmentType -eq 'windowsAzureADJoin') {
    Write-Output $device.id
  }
}

Question 31 (medium, multiple choice)

Your organization is evaluating Microsoft Intune for device management. The security team requires that all devices be registered in Microsoft Entra ID before they can enroll in Intune. Which configuration should you implement?

Question 32 (hard, multiple choice)

Your company uses Microsoft Intune to manage Windows devices. Users frequently work from public Wi-Fi and the security team is concerned about unmanaged devices accessing corporate resources. You need to ensure that only devices compliant with your security policies can access Microsoft 365 services. What should you implement?

Question 33 (easy, multiple choice)

Your organization plans to use Windows Autopilot for device provisioning. You need to ensure devices are automatically registered in Microsoft Entra ID when they are powered on for the first time. Which prerequisite must be met?

Question 34 (medium, multiple choice)

Your organization uses Microsoft Intune to manage iOS devices. You need to ensure that only devices with a passcode longer than six characters can access corporate email. Which type of policy should you configure?

Question 35 (hard, multiple choice)

You manage devices with Microsoft Intune. Users report that after a recent policy update, they cannot access company SharePoint sites on their Android devices. The devices show as compliant in Intune. What is the most likely cause?

Question 36 (easy, multiple choice)

Your organization wants to use Microsoft Intune to manage Windows devices that are joined to an on-premises Active Directory domain. The devices will be hybrid Azure AD joined. Which tool should you use to configure automatic enrollment into Intune?

Question 37 (medium, multiple choice)

You are configuring Microsoft Intune for a school that provides iPads to students. You want students to be able to use their personal Apple IDs to install apps, but you need to ensure that the devices are enrolled in Intune and managed. Which Apple enrollment method should you use?

Question 38 (hard, multiple choice)

Your organization uses Microsoft Intune for device management. You have a compliance policy that requires Windows devices to have BitLocker enabled. A user reports that their device is marked as non-compliant even though BitLocker is turned on. What is the most likely cause?

Question 39 (easy, multiple choice)

Your organization is deploying Microsoft Intune for the first time. You need to ensure that devices can enroll in Intune. Which of the following is a prerequisite for Intune enrollment?

Question 40 (medium, multi select)

Your organization uses Microsoft Intune to manage devices. You need to configure a compliance policy for Windows devices that requires the device to be at a specific OS version and have antivirus enabled. Which TWO settings should you configure in the compliance policy?

Question 41 (hard, multi select)

You are planning a Microsoft Intune deployment for a large organization with Windows, iOS, and Android devices. You need to ensure that devices can enroll automatically when users sign in with their work accounts. Which THREE components are required?

Question 42 (easy, multi select)

Your organization is implementing Windows Autopilot. Which TWO prerequisites must be met before you can use Autopilot?

Question 43 (hard, multiple choice)

Refer to the exhibit. You are configuring a device compliance policy in Microsoft Intune for Windows devices. Based on the JSON configuration, what will happen if a device does not have a password set?

Exhibit

{
  "displayName": "Windows Device Compliance Policy",
  "scheduledActionsForRule": [
    {
      "ruleName": "Password",
      "scheduledActionConfigurations": [
        {
          "actionType": "block",
          "gracePeriodHours": 24
        },
        {
          "actionType": "retire",
          "gracePeriodHours": 72
        }
      ]
    }
  ],
  "passwordRequired": true,
  "passwordMinimumLength": 6
}

Question 44 (medium, multiple choice)

Refer to the exhibit. You have configured a Windows Update for Business policy in Intune. Based on the JSON, what is the effect on devices?

Exhibit

{
  "displayName": "Windows Update for Business Policy",
  "windowsUpdateForBusinessConfiguration": {
    "qualityUpdatePauseStartDate": "2026-06-01",
    "qualityUpdatePauseExpiryDateTime": "2026-06-30T00:00:00Z",
    "featureUpdatePauseStartDate": "2026-07-01",
    "featureUpdatePauseExpiryDateTime": "2026-07-15T00:00:00Z"
  }
}

Question 45 (easy, multiple choice)

Refer to the exhibit. You are reviewing an Intune management intent configuration. What does this setting configure on Windows devices?

Exhibit

{
  "managementIntent": {
    "displayName": "Baseline Security",
    "settingsDelta": [
      {
        "settingDefinitionId": "device_vendor_msft_policy_config_windowsfirewall_publicprofile_enablefirewall",
        "settingInstance": {
          "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
          "choiceSettingValue": {
            "value": "device_vendor_msft_policy_config_windowsfirewall_publicprofile_enablefirewall_1"
          }
        }
      }
    ]
  }
}

Question 46 (medium, multiple choice)

Your organization uses Microsoft Intune to manage Windows 10/11 devices. You need to configure a Windows Autopilot deployment for new devices that are shipped directly to users. The devices must be automatically enrolled in Intune and configured with your organization's standard settings. What is the minimum requirement for the device to be recognized by Windows Autopilot?

Question 47 (hard, multiple choice)

You are troubleshooting a Windows 10 device that fails to enroll in Microsoft Intune. The device shows error code 0x8018000b. You verify that the user has a valid Intune license and that the device is running Windows 10 Pro. What is the most likely cause of the enrollment failure?

Question 48 (easy, multiple choice)

Your company plans to deploy Microsoft 365 Apps to 500 devices using Microsoft Intune. You want to ensure that the Office suite is installed with only Word, Excel, and PowerPoint. Which approach should you use?

Question 49 (medium, multiple choice)

You are planning the device enrollment strategy for a school that provides shared iPads to students. The iPads are used by multiple students throughout the day, and each student must have access to their own apps and data. Which enrollment method should you recommend?

Question 50 (hard, multiple choice)

Your organization uses Microsoft Intune to manage Windows 10 devices. You create a compliance policy requiring devices to have BitLocker enabled. Some devices report as non-compliant even though BitLocker appears to be on. You discover these devices are using software-based encryption instead of hardware-based encryption. What should you do to resolve the compliance failure?

Question 51 (easy, multiple choice)

You need to ensure that all corporate-owned Windows devices automatically receive security updates as soon as they are released by Microsoft. Which update ring policy setting should you configure in Microsoft Intune?

Question 52 (medium, multiple choice)

Your company uses Microsoft Intune to manage mobile devices. You need to ensure that corporate data on Android Enterprise work profiles is protected so that users cannot copy and paste data from work apps to personal apps. Which configuration should you implement?

Question 53 (hard, multiple choice)

You are deploying Windows 10 to 100 new devices using Microsoft Deployment Toolkit (MDT). You want to integrate with Microsoft Intune for post-deployment management. Which MDT integration method should you use?

Question 54 (easy, multiple choice)

You need to configure Microsoft Intune to automatically retire a device if it has not checked in for 30 days. Where would you configure this setting?

Question 55 (medium, multiple choice)

Refer to the exhibit. The JSON shows a managed device's properties retrieved from Microsoft Graph. The device's complianceState is 'noncompliant'. Which step should you take next to investigate why the device is noncompliant?

Exhibit

{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#deviceManagement/managedDevices/$entity",
  "id": "12345678-1234-1234-1234-123456789012",
  "deviceName": "DESKTOP-ABC123",
  "managedDeviceOwnerType": "company",
  "enrolledDateTime": "2025-01-15T08:00:00Z",
  "lastSyncDateTime": "2025-02-01T10:00:00Z",
  "operatingSystem": "Windows",
  "complianceState": "noncompliant",
  "jailBroken": "Unknown",
  "managementAgent": "mdm",
  "azureADRegistered": true,
  "deviceEnrollmentType": "windowsAzureADJoin"
}

Question 56 (hard, multiple choice)

Refer to the exhibit. A PowerShell command is used to create a device category in Microsoft Intune. After running the command, you want to automatically assign devices to this category based on their Azure AD group membership. How should you configure this?

Exhibit

New-IntuneDeviceCategory -Name "Sales" -Description "Sales department devices"

Question 57 (easy, multiple choice)

Refer to the exhibit. A detection script for a Win32 app in Intune uses a WMI query. The script is expected to detect if BitLocker is not enabled. What will the script return if BitLocker is enabled on the device?

Exhibit

WmiContext: root\cimv2
Query: SELECT * FROM Win32_EncryptableVolume WHERE ProtectionStatus = 0

Question 58 (medium, multi select)

Your organization is deploying Windows 10 devices using Windows Autopilot. You need to ensure that during the out-of-box experience (OOBE), users are required to set up Windows Hello for Business. Which TWO configurations should you apply?

Question 59 (hard, multi select)

You are planning device management for a corporate environment with Windows 10, iOS, and Android devices. You need to implement a solution that allows users to access corporate email and documents securely on their personal devices without IT managing the entire device. Which THREE components should you include?

Question 60 (easy, multi select)

You are configuring Windows Update for Business policies in Microsoft Intune. You want to ensure that devices receive quality updates (security fixes) as soon as they are released, but defer feature updates for up to 60 days. Which TWO settings should you configure?

Question 61 (medium, multi select)

Your organization uses Microsoft Intune to manage corporate-owned iOS devices. You need to ensure that devices are supervised and can be configured with restrictions that cannot be removed by the user. Which THREE steps must you take?

Question 62 (hard, multi select)

You are designing a device management strategy for a remote workforce using Windows 10 laptops that are Azure AD joined. You need to ensure that devices can be remotely wiped if lost or stolen, and that BitLocker recovery keys are escrowed to Azure AD. Which THREE configurations should you implement?

Question 63 (easy, multi select)

You are configuring Microsoft Intune for a new organization. You need to ensure that users can only enroll corporate-owned devices and are blocked from enrolling personal devices. Which TWO settings should you configure?

Question 64 (medium, multi select)

Your organization is preparing to deploy Windows 11 using Microsoft Intune. You need to ensure that all devices meet the minimum hardware requirements for Windows 11 before upgrade. Which THREE checks should you perform?

Question 65 (hard, multi select)

You are troubleshooting an issue where Windows 10 devices are not receiving policies from Microsoft Intune. The devices are enrolled and show as 'active' in the console. Which THREE steps should you take to diagnose the problem?

Question 66 (easy, multi select)

You are planning to deploy Microsoft Defender for Endpoint on Windows 10 devices managed by Intune. Which TWO prerequisites must be met before deploying?

Question 67 (medium, multi select)

Your company is deploying iOS devices using Apple Business Manager and Intune. You need to ensure that devices are automatically configured with Wi-Fi settings, email profiles, and a list of required apps during the initial setup. Which THREE configurations should you create in Intune?

Question 68 (hard, multi select)

You are configuring Windows Information Protection (WIP) in Microsoft Intune. You want to protect corporate data from being accidentally shared to personal locations while still allowing the user to work productively. Which THREE settings should you configure?

Question 69 (hard, multiple choice)

Your organization has 500 Windows 10 devices that are currently managed by Microsoft Configuration Manager (ConfigMgr). You plan to enable co-management with Microsoft Intune to leverage cloud-based policies and conditional access. The devices are on-premises Active Directory joined and are already enrolled in ConfigMgr. You need to configure the co-management workload slider in ConfigMgr to move the 'Device configuration' workload to Intune while keeping 'Compliance policies' and 'Windows Update policies' in ConfigMgr initially. The devices should automatically enroll in Intune upon receiving the co-management policy. You have already configured Azure AD Connect for hybrid Azure AD join. What should you do next?

Question 70 (medium, multiple choice)

Your company has 200 iOS devices that are enrolled in Microsoft Intune via Apple Business Manager. The devices are used by field sales representatives who need access to the corporate CRM app and email. You need to ensure that if a device is lost or stolen, the corporate data can be removed without affecting personal data. The devices are configured with user affinity. What should you do?

Question 71 (easy, multiple choice)

Your organization is deploying Windows 10 devices using Windows Autopilot. The devices are purchased from a vendor and will be shipped directly to users. You need to ensure that the devices are automatically enrolled in Intune and configured with your organization's standard settings as soon as the user turns on the device and connects to the internet. The devices should be Azure AD joined. What is the minimal configuration required?

Question 72 (medium, multiple choice)

Your organization uses Microsoft Intune to manage Windows 10/11 devices. You need to ensure that devices are enrolled automatically without user interaction and that the enrollment status page (ESP) is configured to block device use until required apps are installed. What should you configure?

Question 73 (hard, multiple choice)

A user reports that their Windows 11 device is not receiving a required security baseline policy from Microsoft Intune. The device appears as compliant in the Microsoft Intune admin center. Other devices in the same group receive the policy. You verify that the policy is assigned to the correct group and that the user is a member. What is the most likely cause?

Question 74 (easy, multiple choice)

Your company deploys Microsoft Defender for Endpoint to Windows devices managed by Microsoft Intune. You need to ensure that all devices send diagnostic data at the 'Optional diagnostic data' level. Which configuration profile type should you use?

Question 75 (hard, multiple choice)

Your organization uses Microsoft Intune to manage iOS/iPadOS devices. You need to deploy a custom VPN configuration that uses per-app VPN and certificate-based authentication. The certificate is already deployed via a PKCS certificate profile. However, the VPN connection fails. What is the most likely reason?

Question 76 (medium, multiple choice)

You are planning the enrollment of 500 Android Enterprise personally-owned work profile devices. Management requires that users must not be able to remove the work profile from their device. Which enrollment method should you use?

Question 77 (hard, multiple choice)

Your organization uses Microsoft Intune to manage Windows 10 devices. You deploy a PowerShell script via Intune management extension to install a legacy application. The script runs successfully on most devices, but fails on devices that have the 'LocalSystem' account disabled. What should you do to resolve the issue?

Question 78 (easy, multiple choice)

Your organization uses Microsoft Intune to manage macOS devices. You need to ensure that all devices have FileVault disk encryption enabled. Which configuration profile type should you use?

Question 79 (medium, multiple choice)

You are preparing to deploy Windows Autopilot for your organization. You have obtained the hardware hashes for 100 new devices. You need to register these devices in Microsoft Intune so that they can be associated with an Autopilot deployment profile. What should you do?

Question 80 (hard, multiple choice)

Your organization uses Microsoft Intune to manage Windows 10 devices. You deploy a Windows 10 feature update policy to keep devices on a specific version. After deployment, some devices report that the update is not being offered. The devices are not in a maintenance window. What is the most likely cause?

Question 81 (medium, multi-select)

You are planning the deployment of Microsoft Defender for Endpoint to macOS devices managed by Microsoft Intune. Which TWO prerequisites are required?

Question 82 (hard, multi-select)

Your organization uses Microsoft Intune to manage Windows 10 devices. You need to deploy a set of Line-of-Business (LOB) apps using the Microsoft Intune Management Extension. Which THREE conditions must be met?

Question 83 (easy, multi-select)

Your organization plans to use Windows Autopilot to provision new devices. Which TWO methods can you use to obtain the hardware hash for a new device?

Question 84 (hard, multiple choice)

You have deployed the compliance policy shown in the exhibit. A Windows 10 device reports as non-compliant. The device has Windows 10 version 21H2 (build 19044.1288), password is set with 8 characters and includes numbers only, firewall is active, Defender is enabled, and BitLocker is on. Which setting is causing non-compliance?

Exhibit

Refer to the exhibit.

```json
{
  "@odata.type": "#microsoft.graph.windows10CompliancePolicy",
  "description": "Windows 10 compliance policy",
  "passwordRequired": true,
  "passwordMinimumLength": 8,
  "passwordRequiredType": "alphanumeric",
  "passwordMinutesOfInactivityBeforeLock": 5,
  "passwordExpirationDays": 90,
  "passwordPreviousPasswordBlockCount": 5,
  "osMinimumVersion": "10.0.19042.0",
  "osMaximumVersion": "10.0.19045.999",
  "storageRequireEncryption": true,
  "activeFirewallRequired": true,
  "defenderEnabled": true
}
```

Question 85 (medium, multiple choice)

Refer to the exhibit. You run the PowerShell cmdlet shown and get the output. You need to investigate why Laptop-02 is non-compliant. Which additional cmdlet should you run to get the non-compliance reasons?

Exhibit

Refer to the exhibit.

```powershell
Get-MgDeviceManagementManagedDevice -Filter "operatingSystem eq 'Windows'" | Select-Object Id, DeviceName, LastSyncDateTime, ComplianceState

Id                                   DeviceName   LastSyncDateTime        ComplianceState
--                                   ----------   ----------------        ---------------
12345678-1234-1234-1234-123456789abc Laptop-01    2025-03-15T10:30:00Z    compliant
87654321-4321-4321-4321-123456789abc Laptop-02    2025-03-14T09:15:00Z    noncompliant
11223344-5566-7788-99aa-bbccddeeff00 Laptop-03    2025-03-10T08:00:00Z    compliant
```

Question 86 (easy, multiple choice)

Refer to the exhibit. You configure an Enrollment Status Page (ESP) policy as shown. During Windows Autopilot deployment, a device fails to install one of the required apps. What happens to the device?

Exhibit

Refer to the exhibit.

```json
{
  "@odata.type": "#microsoft.graph.windows10EnrollmentStatusPageConfiguration",
  "displayName": "ESP Configuration",
  "description": "Block device use until required apps install",
  "trackInstallProgressForAutopilotOnly": true,
  "blockDeviceSetupRetryByUser": true,
  "allowDeviceResetOnInstallFailure": false,
  "allowLogCollectionOnInstallFailure": true,
  "customErrorMessage": "",
  "installProgressTimeoutInMinutes": 60,
  "allowDeviceUseOnInstallFailure": false,
  "selectedMobileAppIds": [
    "appId1",
    "appId2"
  ]
}
```

Question 87 (easy, multiple choice)

Your organization is deploying Windows devices using Windows Autopilot. You need to ensure that devices are automatically enrolled in Microsoft Intune when they are first powered on. What should you configure?

Question 88 (medium, multiple choice)

Your organization uses Microsoft Intune to manage iOS/iPadOS devices. You need to ensure that users cannot remove the Mail app that is required for corporate email. What configuration should you apply?

Question 89 (hard, multiple choice)

A user reports that their Windows 11 device is not receiving compliance policies from Microsoft Intune. The device shows as 'Not evaluated' in the compliance status. Other devices in the same group are compliant. What is the most likely cause?

Question 90 (easy, multiple choice)

Your organization is implementing Microsoft Entra ID join for Windows devices. You need to ensure that when users sign in with their Microsoft Entra ID credentials, they automatically get access to company resources without additional authentication. Which feature should you enable?

Question 91 (medium, multiple choice)

You are troubleshooting a Windows 10 device that fails to install a required application from Microsoft Intune. The device shows the application as 'Enforced' but never installs. The application is a line-of-business (LOB) app. What should you check first?

Question 92 (hard, multiple choice)

Your organization uses Microsoft Intune to manage macOS devices. You need to configure FileVault disk encryption for all devices. After deploying the policy, some devices report that encryption is pending. What is the most likely reason?

Question 93 (easy, multiple choice)

You are planning a Windows Autopilot deployment for your organization. You need to ensure that during the out-of-box experience (OOBE), the user is prompted to set up Windows Hello for Business. What should you configure in the Autopilot profile?

Question 94 (medium, multiple choice)

A user has an Android Enterprise fully managed device. The device is enrolled in Microsoft Intune and all policies are applied. However, the user cannot install a required app from the managed Play Store. The app appears in the company portal but fails to install. What should you check first?

Question 95 (hard, multiple choice)

Your organization uses Microsoft Intune to manage Windows 10 devices. You need to deploy a custom Windows 10 feature update using the Windows 10 Update Rings feature. However, the deployment fails and devices show error 0x800f0905. What is the most likely cause?

Question 96 (medium, multi-select)

Your organization is planning to enroll Windows devices into Microsoft Intune using Group Policy. Which TWO prerequisites must be in place? (Choose two.)

Question 97 (medium, multi-select)

You are configuring Microsoft Intune device compliance policies for Windows 10. Which THREE settings can be evaluated by compliance policies? (Choose three.)

Question 98 (hard, multi-select)

Your organization uses Microsoft Intune to manage iOS devices. You need to deploy an app that requires a VPN configuration when the app is launched. Which TWO options can you use to achieve this? (Choose two.)

Question 99 (easy, multiple choice)

You have the above JSON policy assigned to a Windows 10 device. A user reports that they are unable to set a password that meets the policy. Which additional setting is required for the password to be accepted?

Exhibit

Refer to the exhibit.

```json
{
  "@odata.type": "#microsoft.graph.windows10GeneralConfiguration",
  "id": "dummy-id",
  "passwordBlockSimple": true,
  "passwordMinimumLength": 8,
  "passwordRequired": true,
  "passwordRequiredType": "alphanumeric",
  "passwordExpirationDays": 90,
  "passwordMinimumCharacterSetCount": 3
}
```

Question 100 (medium, multiple choice)

You have the above profile assigned to a macOS device. After the profile is applied, the device shows FileVault as 'Encrypted'. However, the recovery key is not escrowed to Intune. What is the most likely reason?

Exhibit

Refer to the exhibit.

Device configuration profile: macOSEndpointProtection

FileVault settings:
- Encryption type: Full disk encryption
- Recovery key type: Personal recovery key
- Personal recovery key rotation: On
- Escrow location description: Intune
- Show recovery key: Not configured

Question 101 (hard, multiple choice)

You have a Windows device with serial number ABC123 that is registered for Autopilot. The above PowerShell output shows the diagnostics. The device is not receiving the Autopilot profile. What is the most likely cause?

Exhibit

Refer to the exhibit.

PowerShell output:

```powershell
Get-AutopilotDiagnostics -SerialNumber "ABC123" | Format-List

SerialNumber : ABC123
RegistrationStatus : NotRegistered
ProfileAssignmentStatus : NotAssigned
DeploymentStatus : NotStarted
LastCheckInDateTime : 2026-03-01 10:00:00
```

Question 102 (easy, multiple choice)

A company plans to deploy Windows 11 to 500 new devices using Windows Autopilot. The devices are purchased from a hardware vendor that supports OEM registration. Which prerequisite must be met to ensure Autopilot can automatically enroll these devices?

Question 103 (medium, multiple choice)

A user reports that their Windows 10 device is not receiving configuration policies from Intune. The device shows as 'Enrolled' but the last check-in was 5 days ago. What is the most likely cause?

Question 104 (hard, multiple choice)

You are planning a Windows 11 deployment for 1000 devices using Configuration Manager co-management with Intune. You need to ensure that devices automatically enroll to Intune after the Configuration Manager client is installed. Which workload must you configure in Configuration Manager?

Question 105 (easy, multiple choice)

A company uses Microsoft Intune to manage iOS devices. They need to ensure that only devices with a passcode of at least 6 characters can access corporate email. Which type of policy should they create?

Question 106 (medium, multiple choice)

Your organization uses Windows Autopilot for user-driven deployments. You need to ensure that during the out-of-box experience (OOBE), users are prompted to set up Windows Hello for Business. Which setting should you configure in the Autopilot profile?

Question 107 (hard, multiple choice)

You are troubleshooting a Windows 11 device that fails to enroll in Intune via Group Policy. The device is domain-joined and you have configured the 'Enable automatic MDM enrollment using default Azure AD credentials' GPO. The user has a valid Microsoft 365 license. What is the most likely reason for the failure?

Question 108 (easy, multiple choice)

A company wants to deploy Microsoft 365 Apps to 200 devices using Intune. They need to ensure that the deployment is available only to devices that meet a specific minimum OS version. Which feature should they use?

Question 109 (medium, multiple choice)

You manage a fleet of Android Enterprise devices. You need to configure a policy that prevents users from installing apps from unknown sources. Which policy type should you use?

Question 110 (hard, multiple choice)

Your organization uses Microsoft Defender for Endpoint (Defender XDR) and Intune. You need to ensure that when a device is found to have a critical vulnerability, a remediation action is automatically triggered. Which integration should you configure?

Question 111 (medium, multi-select)

Which TWO prerequisites are required for Windows Autopilot self-deploying mode? (Choose two.)

Question 112 (hard, multi-select)

Which THREE components are required for a successful co-management setup between Configuration Manager and Microsoft Intune? (Choose three.)

Question 113 (easy, multi-select)

Which TWO actions can be performed using a Windows Autopilot reset? (Choose two.)

Question 114 (medium, multiple choice)

Refer to the exhibit. An Intune administrator created this device restrictions policy for Windows 10 devices. Which statement about the policy is true?

Exhibit

Refer to the exhibit.

```json
{
  "Name": "Windows 10 - Device Restrictions",
  "Description": "Block consumer features",
  "Settings": [
    {
      "Setting": "Microsoft Store",
      "Value": "Block"
    },
    {
      "Setting": "Cortana",
      "Value": "Block"
    },
    {
      "Setting": "Camera",
      "Value": "Allow"
    }
  ]
}
```

Question 115 (hard, multiple choice)

Refer to the exhibit. An Intune compliance policy JSON for Windows 10 devices. A device with OS version 10.0.19041.1 and no encryption reports as noncompliant. What is the most likely reason?

Exhibit

Refer to the exhibit.

```json
{
  "@odata.type": "#microsoft.graph.windows10CompliancePolicy",
  "passwordRequired": true,
  "passwordMinimumLength": 6,
  "passwordRequiredType": "deviceDefault",
  "osMinimumVersion": "10.0.19041.0",
  "osMaximumVersion": "10.0.19045.0",
  "storageRequireEncryption": true
}
```

Question 116 (easy, multiple choice)

Refer to the exhibit. An Autopilot device registration JSON. What does the '%RAND:5%' placeholder do?

Exhibit

Refer to the exhibit.

```json
{
  "enrollmentProfile": "Microsoft Intune Windows Enrollment",
  "deviceName": "DESKTOP-%RAND:5%",
  "groupTag": "Marketing",
  "orderID": "12345",
  "serialNumber": "ABC123"
}
```

Question 117 (easy, multiple choice)

Your organization uses Microsoft Intune for device management. You need to ensure that only corporate-owned devices can enroll in Intune. Which configuration should you use?

Question 118 (medium, multiple choice)

Your organization plans to deploy Windows Autopilot for new devices. You need to ensure that the hardware hashes are uploaded to Microsoft Intune before the devices are shipped to users. What is the recommended approach?

Question 119 (hard, multiple choice)

Your organization has an existing Microsoft Intune environment. You need to configure a Windows 11 device to automatically enroll in Intune when a user signs in with their Microsoft Entra ID credentials. The device is joined to Microsoft Entra ID. What should you do?

Question 120 (easy, multiple choice)

You are troubleshooting an issue where a user reports that their Windows device is not receiving compliance policies from Intune. The device shows as 'Not compliant' in the Intune console. What is the most likely cause?

Question 121 (medium, multiple choice)

Your organization uses Microsoft Intune to manage iOS/iPadOS devices. You need to ensure that only devices running iOS 16 or later can enroll. Which configuration should you use?

Question 122 (hard, multiple choice)

Refer to the exhibit. You have configured the above enrollment restriction in Microsoft Intune. A user attempts to enroll a personal Windows 11 device. What will be the outcome?

Exhibit

```json
{
  "displayName": "Windows Enrollment Restriction",
  "description": "Block personal Windows devices",
  "@odata.type": "#microsoft.graph.deviceEnrollmentPlatformRestriction",
  "platformType": "windows",
  "personalDeviceEnrollmentBlocked": true,
  "osMinimumVersion": null,
  "osMaximumVersion": null
}
```

Question 123 (medium, multiple choice)

Your organization uses Microsoft Intune to manage Android Enterprise devices. You need to enroll a personally owned device with a work profile. Which enrollment method should the user use?

Question 124 (hard, multiple choice)

Your organization is deploying Windows Autopilot self-deploying mode for kiosk devices. The devices will be used in a public area and must not require user interaction during the initial setup. What is the prerequisite for this deployment?

Question 125 (easy, multiple choice)

A user reports that their Windows device is not appearing in the Intune console after enrollment. The device is joined to Microsoft Entra ID and the user has an Intune license. What should you check first?

Question 126 (medium, multi-select)

Your organization plans to use Microsoft Intune to manage macOS devices. Which TWO prerequisites are required for macOS enrollment?

Question 127 (hard, multi-select)

Your organization uses Microsoft Intune and you need to configure Windows Autopilot for hybrid Microsoft Entra ID join. Which THREE components are required?

Question 128 (easy, multi-select)

You are preparing infrastructure for device management. Which TWO are valid methods to enroll Windows devices into Microsoft Intune?

Question 129 (medium, multiple choice)

Refer to the exhibit. You have configured the above Windows Autopilot profile. A device with this profile is being set up. However, the device does not appear to be provisioning correctly. What is the most likely issue?

Exhibit

```json
{
  "displayName": "Windows Autopilot Profile",
  "description": "Self-deploying for kiosks",
  "deploymentProfile": {
    "deploymentMode": "selfDeploying",
    "languageLocale": "en-US",
    "keyboardLocale": "en-US",
    "applicationGroupAssignments": []
  },
  "deviceNameTemplate": "KIOSK-%RAND:5%"
}
```

Question 130 (hard, multiple choice)

Refer to the exhibit. You have assigned the above Enrollment Status Page (ESP) policy to a Windows Autopilot deployment. A user reports that the provisioning process hangs on 'Installing apps' and never completes. What is the most likely cause?

Exhibit

```json
{
  "@odata.type": "#microsoft.graph.windows10EnrollmentCompletionPageConfigurationPolicy",
  "id": "00000000-0000-0000-0000-000000000000",
  "displayName": "ESP for Autopilot",
  "description": "Required apps must install",
  "showInstallationProgress": true,
  "blockDeviceSetupRetryByUser": true,
  "allowDeviceResetOnInstallFailure": false,
  "trackInstallProgressForAutopilotOnly": true,
  "selectedMobileAppIds": [
    "App1",
    "App2"
  ]
}
```

Question 131 (medium, multiple choice)

Your organization uses Microsoft Intune to manage devices. You need to ensure that devices that are not compliant are blocked from accessing corporate resources. Which configuration should you use?

Question 132 (medium, multiple choice)

Your organization is planning to deploy Windows 11 to 5000 devices using Microsoft Intune. The devices are currently a mix of Windows 10 and Windows 11 eligible hardware. You need to ensure that only devices meeting the Windows 11 hardware requirements can be upgraded. What is the most efficient way to achieve this using Intune?

Question 133 (hard, multiple choice)

You manage devices with Microsoft Intune. Some Windows devices are not receiving required security updates despite being assigned to an update ring for Windows 10. You verify that the devices are active and connected to the internet. What is the most likely cause?

Question 134 (easy, multiple choice)

You are configuring Windows Autopilot for new devices. The devices need to be automatically enrolled in Intune and assigned to a specific group based on their serial number. What is the required step before the devices can be recognized by Autopilot?

Question 135 (medium, multiple choice)

Your organization uses Microsoft Defender for Endpoint. You need to ensure that devices onboarding to Microsoft Defender for Endpoint are automatically assigned to a specific device group based on their operating system version. What should you use?

Question 136 (hard, multiple choice)

You are planning a Windows 11 deployment using Microsoft Intune. The organization has a requirement that all devices must have BitLocker enabled with a TPM protector. You configure a BitLocker policy in Intune. However, some devices report that BitLocker is not enabled. What is the most likely reason?

Question 137 (easy, multiple choice)

You need to deploy Microsoft 365 Apps to 1000 devices using Microsoft Intune. The devices are a mix of Windows 10 and Windows 11. Which app deployment method should you use to ensure the latest version is always installed?

Question 138 (medium, multiple choice)

You are troubleshooting a Windows device that is not receiving policies from Microsoft Intune. The device shows as 'Not evaluated' or 'Pending' in the Intune console. The device is enrolled and connected to the internet. What is the most likely cause?

Question 139 (hard, multiple choice)

You are configuring Conditional Access for device compliance. You have an Intune compliance policy that requires a minimum OS version. You create a Conditional Access policy that grants access only when devices are marked as compliant. However, some users can still access corporate email from non-compliant devices. What is the most likely reason?

Question 140 (easy, multiple choice)

You need to ensure that all corporate devices have a standard set of security settings, including disk encryption and firewall configuration. Which Microsoft Intune feature should you use?

Question 141 (medium, multi-select)

Which TWO actions should you take to prepare infrastructure for devices running macOS in your organization? (Select two.)

Question 142 (hard, multi-select)

Which THREE components are required for a successful Windows Autopilot deployment with user-driven Microsoft Entra ID join? (Select three.)

Question 143 (easy, multi-select)

Which TWO are benefits of using Windows Autopilot for device provisioning? (Select two.)

Question 144 (medium, multiple choice)

Refer to the exhibit. You are reviewing a JSON representation of a Microsoft Intune compliance policy for Windows 10. The policy is assigned to a group of devices running Windows 10 version 22H2 (build 22621). The devices are non-compliant due to the OS version. What is the most likely reason?

Exhibit

```json
{
  "@odata.type": "#microsoft.graph.windows10CompliancePolicy",
  "description": "Windows 10 compliance policy",
  "passwordRequired": true,
  "passwordMinimumLength": 8,
  "passwordRequireToUnlockFromIdle": true,
  "passwordMinutesOfInactivityBeforeLock": 15,
  "osMinimumVersion": "10.0.19041.0",
  "osMaximumVersion": "10.0.22621.0",
  "storageRequireEncryption": true,
  "activeFirewallRequired": true,
  "validOperatingSystemBuildRanges": []
}
```

Question 145 (hard, multiple choice)

Refer to the exhibit. You have configured a Windows update ring using the JSON above. Today is March 10, 2025. Devices assigned to this ring are not receiving any quality updates. What is the most likely reason?

Exhibit

```json
{
  "@odata.type": "#microsoft.graph.windowsUpdateForBusinessConfiguration",
  "description": "Windows 10 update ring",
  "updateNotificationLevel": "default",
  "featureUpdateDeferralInDays": 30,
  "featureUpdatePauseStartDate": null,
  "qualityUpdateDeferralInDays": 7,
  "qualityUpdatePauseStartDate": "2025-03-01",
  "qualityUpdatePauseExpiryDate": "2025-03-15",
  "automaticUpdateMode": "autoInstallAtMaintenanceTime"
}
```

Question 146 (easy, multiple choice)

Refer to the exhibit. You are configuring a Windows Autopilot profile. The profile specifies enrollmentType as 'azureAdJoined'. Which scenario does this profile support?

Exhibit

```json
{
  "deviceEnrollmentConfiguration": {
    "@odata.type": "#microsoft.graph.windows10EnrollmentProfile",
    "displayName": "Autopilot Profile",
    "description": "Standard user-driven Autopilot",
    "enrollmentType": "azureAdJoined",
    "language": "en-US",
    "outOfBoxExperienceSettings": {
      "hidePrivacySettings": false,
      "hideEULA": false,
      "userType": "standard",
      "deviceUsageType": "singleUser"
    }
  }
}
```

Question 147 (easy, multiple choice)

You are preparing to deploy Windows 11 to 500 devices using Microsoft Intune. The devices are currently running Windows 10 22H2. You need to ensure that the in-place upgrade from Windows 10 to Windows 11 completes successfully. Which policy type should you configure in Intune to deliver the upgrade?

Question 148 (medium, multiple choice)

Your organization uses Microsoft Intune to manage devices. You need to ensure that only corporate-owned devices can access company resources, while allowing users to enroll personal devices for limited access. You plan to use enrollment restrictions and compliance policies. What should you configure?

Question 149 (hard, multiple choice)

You are troubleshooting an issue where users report that they cannot install required line-of-business (LOB) apps from Microsoft Intune Company Portal on their Windows 10 devices. The apps are assigned as 'Required' to a dynamic device group. You verify that the devices are enrolled and compliant. What is the most likely cause of the failure?

Question 150 (medium, multiple choice)

You are designing a Windows Autopilot deployment for a new fleet of devices. The devices will be shipped directly to users from the vendor. You need to ensure that the devices automatically enroll in Microsoft Intune and receive a standard set of applications during the out-of-box experience (OOBE). Which Autopilot deployment profile should you assign?

Question 151 (hard, multiple choice)

Your organization uses Microsoft Defender for Endpoint to manage device security. You need to ensure that all Windows devices are reporting security events to Microsoft Defender XDR. You have verified that the Microsoft Defender for Endpoint service is running on the devices. However, some devices show as 'inactive' in the Microsoft Defender XDR console. What is the most likely cause?

Question 152 (easy, multiple choice)

You need to deploy a custom Windows 10 image to 100 new devices using Microsoft Intune. The devices are not yet enrolled. Which method should you use to deploy the image and enroll the devices?

Question 153 (medium, multiple choice)

You are setting up Microsoft Intune for the first time. You need to ensure that users can enroll their iOS devices using the Company Portal app. You have configured the enrollment restrictions to allow iOS enrollment. However, users report that they see an error 'This device is not allowed to enroll' when trying to enroll. What is the most likely cause?

Question 154 (hard, multiple choice)

You need to configure Windows 10 devices to automatically encrypt their drives using BitLocker when they enroll in Microsoft Intune. You have created a BitLocker policy in Endpoint Security. However, after enrollment, some devices are not encrypted. You verify that the devices have a TPM 2.0 and meet hardware requirements. What is the most likely reason for the failure?

Question 155 (easy, multiple choice)

You need to manage updates for Windows 10 devices using Microsoft Intune. You want to ensure that critical security updates are installed within 7 days of release, while feature updates are deferred for 60 days. Which approach should you use?

Question 156 (medium, multi-select)

You are planning to deploy Microsoft 365 Apps to Windows devices using Microsoft Intune. Which TWO methods can you use to deploy Microsoft 365 Apps? (Choose two.)

Question 157 (hard, multi-select)

Your organization uses Microsoft Intune to manage devices. You need to ensure that only approved applications can run on Windows 10 devices. Which THREE components can you use to implement application control? (Choose three.)

Question 158 (medium, multi-select)

You need to configure device compliance policies in Microsoft Intune for Windows 10 devices. Which THREE settings can you include in a compliance policy? (Choose three.)

Question 159 (medium, multiple choice)

You have deployed the above compliance policy in Microsoft Intune. A Windows 10 device running version 10.0.19042.0 is marked as noncompliant. You verify that the device meets all password, encryption, firewall, and Defender requirements. What is the most likely reason for noncompliance?

Exhibit

Refer to the exhibit.
{
  "@odata.type": "#microsoft.graph.windows10CompliancePolicy",
  "description": "Compliance policy for Windows 10 devices",
  "passwordRequired": true,
  "passwordMinimumLength": 6,
  "passwordRequiredType": "deviceDefault",
  "osMinimumVersion": "10.0.19041.0",
  "osMaximumVersion": "10.0.22621.0",
  "storageRequireEncryption": true,
  "activeFirewallRequired": true,
  "defenderEnabled": true,
  "defenderVersion": "1.0.0.0"
}
Question 160 (hard, multiple choice)

You run the PowerShell script shown in the exhibit to change the Windows Autopilot group tag for devices currently tagged as 'Sales' to 'Marketing'. You have assigned different deployment profiles to the 'Sales' and 'Marketing' group tags. After running the script, you check the Autopilot devices in Intune and see that the group tag for the devices has changed. However, the devices still apply the 'Sales' deployment profile during OOBE. What is the most likely reason?

Exhibit

Refer to the exhibit.
$autopilotDevices = Get-AutopilotDevice -GroupTag 'Sales'
$autopilotDevices | ForEach-Object {
    Set-AutopilotDevice -Id $_.Id -GroupTag 'Marketing'
}
Question 161 (easy, multiple choice)

You have deployed the Endpoint Protection configuration profile shown in the exhibit to Windows 10 devices. Some users report that their devices are not encrypted. You verify that the devices have TPM 2.0 and meet hardware requirements. What is the most likely cause?

Exhibit

Refer to the exhibit.
{
  "@odata.type": "#microsoft.graph.windows10EndpointProtectionConfiguration",
  "bitLockerSettings": {
    "encryptionMethod": "AES256",
    "requireDeviceEncryption": true,
    "requireEncryptionForOsDrive": true
  }
}
Question 162 (medium, multiple choice)

You are deploying Windows 11 devices using Autopilot. The devices are purchased from a hardware vendor and need to be registered in your tenant. You want to ensure that the vendor can register the devices on your behalf without granting them full user privileges. What should you configure?

Question 163 (easy, multiple choice)

Your organization uses Microsoft Intune to manage Windows 10 devices. You need to configure a Windows 10 update ring that ensures feature updates are deferred by 120 days and quality updates are deferred by 30 days. Which settings should you configure in the update ring?

Question 164 (hard, multiple choice)

Your company has a Microsoft 365 E5 subscription. You are planning to deploy Windows 11 using Microsoft Intune. You need to ensure that devices automatically receive the English (US) language pack and regional settings during the provisioning process. You plan to use a provisioning package (PPKG) created with Windows Configuration Designer. What should you include in the PPKG?

Question 165 (medium, multiple choice)

You are troubleshooting a Windows 10 device that is not receiving required security updates from Microsoft Intune. The device is enrolled and shows as compliant. The update ring policy is assigned to the device. You check the Windows Update for Business logs and see that the deferral period is set correctly. What is the most likely cause?

Question 166 (hard, multiple choice)

Your organization uses Microsoft Intune to manage iOS/iPadOS devices. You need to ensure that when a device is lost or stolen, the IT admin can remotely lock the device and display a custom message on the lock screen. What should you configure?

Question 167 (medium, multiple choice)

You are responsible for deploying Microsoft 365 Apps for enterprise to Windows 10 devices using Microsoft Intune. You want to ensure that users receive the Current Channel with updates delivered directly from the Office Content Delivery Network (CDN). You also want to minimize bandwidth usage on your network. What should you configure?

Question 168 (easy, multiple choice)

You have a hybrid Azure AD joined Windows 10 device that is managed by Microsoft Intune. The device is not receiving policies. You verify that the device is enrolled and shows in Intune. You also verify that the user has an appropriate license. What should you check next?

Question 169 (hard, multiple choice)

Your organization plans to deploy Windows Autopilot for existing devices that are currently running Windows 10. You need to convert these devices from a traditional imaging deployment to an Autopilot deployment. You want to minimize user disruption. What should you do?

Question 170 (medium, multiple choice)

You are configuring Microsoft Defender for Endpoint in Microsoft Intune for Windows 10 devices. You need to ensure that when a threat is detected, the device automatically receives a remediation action. Which configuration should you use?

Question 171 (medium, multi select)

You are planning to deploy Microsoft Intune for device management. Which TWO of the following are prerequisites for enrolling Windows 10 devices in Intune?

Question 172 (hard, multi select)

You are configuring Windows Hello for Business in Microsoft Intune. Which THREE settings are required to enable Windows Hello for Business on Windows 10 devices?

Question 173 (easy, multi select)

You are deploying Microsoft 365 Apps for enterprise using Microsoft Intune. Which TWO methods can you use to assign the application to users?

Question 174 (medium, multiple choice)

Refer to the exhibit. You are evaluating a compliance policy for Windows 10. The policy is assigned to a group containing devices running Windows 10 version 1803 (build 17134.1). Which of the following devices will be marked as non-compliant?

Exhibit

{
  "@odata.type": "#microsoft.graph.windows10CompliancePolicy",
  "passwordRequired": true,
  "passwordMinimumLength": 6,
  "passwordRequiredType": "deviceDefault",
  "passwordMinutesOfInactivityBeforeLock": 5,
  "passwordExpirationDays": 90,
  "passwordPreviousPasswordBlockCount": 5,
  "osMinimumVersion": "10.0.15063",
  "osMaximumVersion": "10.0.17134.1",
  "storageRequireEncryption": true
}
Question 175 (hard, multiple choice)

Refer to the exhibit. You run the Get-AutopilotInfo script on a new Surface Pro 7. The output shows DeviceState as 'Unknown' and AssignmentStatus as 'NotAssigned'. The device is connected to the internet. What should you do to prepare this device for Autopilot deployment?

Exhibit

Get-AutopilotInfo -Online

SerialNumber : ABC123
HardwareHash : 1234567890ABCDEF...
ProductName : Surface Pro 7
Manufacturer : Microsoft
DeviceState : AutopilotClientState = Unknown
AssignmentStatus : NotAssigned
Question 176 (medium, multiple choice)

Refer to the exhibit. You create a new update ring policy for Windows 10 devices. You assign the policy to a test group. After a week, you notice that no devices have installed any quality updates. Devices are online and enrolled. What is the most likely reason?

Exhibit

New-DeviceConfigurationPolicy -Name 'Windows Update Ring' -Windows10UpdateRing -FeatureUpdateDeferralInDays 60 -QualityUpdateDeferralInDays 0 -FeatureUpdatePauseStartDate $null -QualityUpdatePauseStartDate $null
Question 177 (medium, multiple choice)

Your organization is rolling out Windows 11 devices using Autopilot. You need to ensure that all new devices are automatically enrolled in Microsoft Intune and configured with a custom device name prefix 'CORP-'. Which configuration should you implement?

Question 178 (hard, multiple choice)

Your company uses Microsoft Intune to manage Windows 10 devices. You need to deploy a PowerShell script that runs in the system context during automatic enrollment. The script must run before the user logs on. Which approach should you use?

Question 179 (easy, multiple choice)

You are troubleshooting an Autopilot deployment where devices are not receiving the expected configuration policies after enrollment. The devices show as enrolled in Intune but are stuck in a 'pending' state for policy application. What is the most likely cause?

Question 180 (medium, multiple choice)

Your organization plans to deploy Windows 365 Cloud PCs. You need to ensure that users can connect only from compliant devices. Which configuration should you implement?

Question 181 (hard, multiple choice)

You manage devices with Microsoft Intune. A user reports that their Windows 11 device is not receiving updates from Windows Update for Business. The device shows as compliant in Intune. You verify that update rings are assigned to the device. What should you check next?

Question 182 (easy, multiple choice)

You need to deploy Microsoft 365 Apps to Windows devices using Microsoft Intune. The deployment must be available to users in the company portal. Which app type should you select?

Question 183 (medium, multiple choice)

Your organization uses Microsoft Intune to manage iOS/iPadOS devices. You need to ensure that corporate data in managed apps is encrypted at rest. Which setting should you configure?

Question 184 (hard, multiple choice)

You are evaluating Windows Autopilot for a hybrid Azure AD join scenario. Devices are domain-joined on-premises and will be hybrid Azure AD joined. Which prerequisite is required for Autopilot to perform hybrid Azure AD join?

Question 185 (easy, multiple choice)

You need to ensure that Windows 11 devices automatically install critical updates as soon as they are released by Microsoft. Which update ring setting should you configure?

Question 186 (medium, multi select)

Your organization is planning to use Microsoft Intune for Windows device management. Which TWO components are required for a successful Windows Autopilot deployment?

Question 187 (hard, multi select)

You need to configure Microsoft Intune remote help for Windows devices. Which THREE conditions must be met?

Question 188 (easy, multi select)

Which TWO are valid methods to enroll Windows devices into Microsoft Intune?

Question 189 (hard, multiple choice)

A Windows device shows enrollment state 'Enrolled' and compliance state 'compliant', but the policy setting 'MaxInactivityTimeDeviceLock' is not applied. The exhibit shows the device JSON from Intune. What is the most likely reason?

Exhibit

Refer to the exhibit.

{
  "enrollmentTimeDeviceMembershipProcessingStatus": "pending",
  "deviceConfiguration": {
    "omaSettings": [
      {
        "omaUri": "./Vendor/MSFT/Policy/Config/DeviceLock/MaxInactivityTimeDeviceLock",
        "value": "15"
      }
    ]
  },
  "enrollmentState": "Enrolled",
  "complianceState": "compliant"
}
Question 190 (medium, multiple choice)

You are reviewing an ARM template for Intune device configuration. The exhibit shows a snippet. What will be the effect on Windows 10 devices?

Exhibit

Refer to the exhibit.

{
  "resources": [
    {
      "type": "Microsoft.Intune/deviceConfigurations",
      "properties": {
        "@odata.type": "#microsoft.graph.windows10GeneralConfiguration",
        "appsAllowTrustedAppsSideloading": "blocked",
        "developerUnlockSetting": "blocked",
        "enableAutomaticUpdate": false
      }
    }
  ]
}
Question 191 (easy, multiple choice)

You run the PowerShell command shown in the exhibit for a managed device. The device shows as noncompliant. Which action should you take first to resolve the noncompliance?

Exhibit

Refer to the exhibit.

Get-MgDeviceManagementManagedDevice -DeviceId "12345" | Select-Object -Property DeviceName, OperatingSystem, ComplianceState, LastSyncDateTime

DeviceName   : DESKTOP-ABC
OperatingSystem : Windows
ComplianceState  : noncompliant
LastSyncDateTime : 2026-01-15T10:30:00Z
Question 192 (medium, multiple choice)

Your organization uses Microsoft Intune to manage Windows 10 devices. You need to ensure that devices automatically receive the latest feature updates from the Windows 11 servicing channel. You configure a Windows 10 feature update policy targeting the devices. However, after 24 hours, devices still show Windows 10 version 22H2. What is the most likely cause?

Question 193 (hard, multiple choice)

Refer to the exhibit. You deploy this compliance policy to Windows 10 devices. Some devices running Windows 10 22H2 (build 19045.3803) are marked as noncompliant. What is the most likely reason?

Exhibit

{
  "@odata.type": "#microsoft.graph.windows10CompliancePolicy",
  "description": "Compliance policy for managed devices",
  "displayName": "Windows 10 Compliance Policy",
  "passwordRequired": true,
  "passwordMinimumLength": 8,
  "passwordExpirationDays": 90,
  "osMinimumVersion": "10.0.19041.0",
  "osMaximumVersion": "10.0.22621.0",
  "storageRequireEncryption": true,
  "activeFirewallRequired": true,
  "defenderEnabled": true
}
Question 194 (easy, multiple choice)

Your company uses Microsoft Intune to manage devices. You need to ensure that all corporate-owned iOS devices automatically enroll in Intune when users sign in with their work account. Which enrollment method should you configure?

Question 195 (medium, multiple choice)

Your organization uses Microsoft Intune to manage Windows 10 devices. You create a device configuration profile for kiosk mode. The profile is assigned to a device group. After syncing, the device does not enter kiosk mode. What should you check first?

Question 196 (hard, multiple choice)

You manage devices with Microsoft Intune. You need to deploy a line-of-business (LOB) app to iOS devices. The app is signed with an enterprise certificate. Some devices report installation failure with error code 0x87D13B9F. What is the most likely cause?

Question 197 (easy, multiple choice)

Your organization wants to use Windows Autopilot to deploy new Windows 11 devices. What is required to register a device with Windows Autopilot?

Question 198 (medium, multiple choice)

You are configuring conditional access policies in Microsoft Entra ID to require compliant devices for access to Microsoft 365 services. Some users report that they cannot access Outlook Web App (OWA) even though their device is marked as compliant in Intune. What should you verify?

Question 199 (hard, multiple choice)

Refer to the exhibit. You execute this PowerShell script to wipe noncompliant Windows devices. After running, you find that some compliant devices were also wiped. What is the most likely reason?

Exhibit

$devices = Get-MgDeviceManagementManagedDevice -Filter "operatingSystem eq 'Windows'"
foreach ($device in $devices) {
    if ($device.ComplianceState -ne 'compliant') {
        Invoke-MgDeviceManagementManagedDevice -ManagedDeviceId $device.Id -Action wipe
    }
}
Question 200 (easy, multiple choice)

You need to enroll macOS devices into Microsoft Intune. What is the required enrollment method?

Question 201 (hard, multiple choice)

Your organization uses Microsoft Defender for Endpoint (now Microsoft Defender XDR) and Microsoft Intune. You need to ensure that devices that are deemed 'at risk' by Microsoft Defender for Endpoint are automatically blocked from accessing corporate resources. What should you configure?

Question 202 (medium, multi select)

Which TWO of the following are required to configure Windows Autopilot for existing devices?

Question 203 (hard, multi select)

Which THREE of the following are valid methods to enroll Android devices into Microsoft Intune?

Question 204 (medium, multi select)

Which TWO of the following are benefits of using Windows Autopilot for device provisioning?

Question 205 (hard, multi select)

Which THREE of the following are prerequisites for using Microsoft Intune to manage Linux devices?

Question 206 (hard, multiple choice)

You are the endpoint administrator for Contoso, a company with 5,000 employees. The organization uses Microsoft Intune for device management and Microsoft Entra ID for identity. The current environment includes:
- 3,000 Windows 11 Enterprise devices (corporate-owned, managed via Intune)
- 1,500 iOS devices (corporate-owned, managed via Intune)
- 500 Android devices (BYOD, managed via Intune with work profile)
- 200 macOS devices (corporate-owned, managed via Intune)

You need to implement a solution to automatically enroll new Windows 11 devices purchased from a vendor. The devices should be pre-provisioned with the organization's configuration and applications without requiring IT staff to touch them. Additionally, you need to ensure that only compliant devices can access corporate email and documents. The solution must minimize manual effort and leverage cloud-based services.

You have the following requirements:
1. Zero-touch enrollment for new Windows 11 devices.
2. Devices must be automatically configured with security policies and required applications.
3. Conditional access to Microsoft 365 resources based on device compliance.
4. Support for both corporate and BYOD devices.

Which of the following actions should you take FIRST to meet the zero-touch enrollment requirement?

Question 207 (medium, multiple choice)

Your organization plans to deploy Windows 11 to 500 devices using Microsoft Intune. You need to ensure that each device receives the correct language pack and regional settings based on the user's location. Which configuration method should you use?

Question 208 (hard, multiple choice)

A company uses Microsoft Intune to manage Windows 10 devices. Users report that after a recent update, some devices are unable to connect to the corporate Wi-Fi network. The Wi-Fi profile is deployed via Intune. Which troubleshooting step should you take first?

Question 209 (easy, multiple choice)

You need to deploy a line-of-business (LOB) app to 100 iOS devices managed by Intune. The app is signed with an enterprise certificate. Which deployment method should you use?

Question 210 (medium, multiple choice)

Your organization uses Microsoft Defender for Endpoint (Defender XDR) to manage endpoint security. You need to ensure that all Windows devices report their security baselines compliance to Intune. Which configuration should you verify?

Question 211 (hard, multiple choice)

A user reports that their Windows 11 device is not receiving configuration policies from Intune. The device shows as 'Enrolled' in the Intune console but last check-in was three days ago. What is the most likely cause?

Question 212 (easy, multiple choice)

You need to ensure that only compliant devices can access corporate email in Exchange Online. Which Conditional Access policy setting should you configure?

Question 213 (medium, multiple choice)

Your organization is migrating from on-premises Active Directory to Microsoft Entra ID. You plan to use Windows Autopilot for new devices. Which prerequisite must be met for Autopilot to work with Entra ID?

Question 214 (hard, multiple choice)

You are troubleshooting a Windows 10 device that fails to enroll in Intune manually via 'Access work or school'. The user receives the error 'We couldn't auto-discover a management endpoint matching the username entered'. What is the most likely cause?

Question 215 (easy, multiple choice)

You need to deploy Microsoft 365 Apps to 200 Windows devices using Intune. Which app type should you select in Intune?

Question 216 (medium, multi select)

Which TWO actions can you perform using Windows Autopilot in Microsoft Intune?

Question 217 (hard, multi select)

Which THREE are required for a successful Microsoft Intune enrollment of a Windows device?

Question 218 (medium, multi select)

Which TWO are valid methods to deploy Windows 10/11 using Microsoft Intune?

Question 219 (hard, multiple choice)

Refer to the exhibit. You are configuring Windows enrollment restrictions in Intune. After applying this JSON, a user tries to enroll a Windows 10 device but receives an error that enrollment is blocked. What is the most likely cause?

Exhibit

{
  "deviceEnrollmentWindows": {
    "enrollmentType": "azureADJoin",
    "requireDeviceAuthentication": true,
    "deviceTypeFilter": {
      "includeDevices": ["windows10AndLater", "windowsHolographicForBusiness"],
      "excludeDevices": []
    },
    "enrollmentRestrictions": {
      "maxDevicesPerUser": 5,
      "allowedPlatforms": ["windows"]
    }
  }
}
Question 220 (hard, multiple choice)

You are the endpoint administrator for Contoso Ltd., a multinational company with 10,000 Windows 10 and 11 devices managed by Microsoft Intune. The company recently acquired a subsidiary that uses on-premises Active Directory and Configuration Manager. The subsidiary's devices are not joined to Microsoft Entra ID. Your goal is to migrate these devices to cloud management with Intune within six months. The subsidiary has 2,000 devices, all running Windows 10. The devices are currently domain-joined and managed by ConfigMgr. You need to choose the most efficient migration strategy that minimizes user disruption and leverages existing investments. The subsidiary has a high-speed WAN link to the corporate network. You have the following options:
A) Use ConfigMgr to deploy a task sequence that performs a wipe-and-load with Windows Autopilot, then enroll in Intune.
B) Use ConfigMgr co-management with Intune, then gradually transition workloads to Intune, and finally switch devices to Entra ID join.
C) Use a provisioning package (PPKG) to join devices to Entra ID and enroll in Intune, while keeping ConfigMgr client for legacy apps.
D) Use Windows Autopilot for existing devices by uploading hardware hashes, resetting devices, and re-provisioning.
Which option should you choose?

Question 221 (medium, multiple choice)

You are the endpoint administrator for a healthcare organization that uses Intune to manage 500 iOS devices used by clinicians. The devices are enrolled as corporate-owned, user-approved devices via Apple Business Manager (ABM). You need to deploy a new custom electronic health record (EHR) app that is not in the App Store. The app is distributed as an .ipa file signed with an enterprise certificate. The app must be installed silently without user interaction. The devices are supervised and managed with iOS MDM. You have the following options:
A) Deploy the app as an iOS LOB app in Intune and assign to device groups.
B) Deploy the app as a Volume Purchase Program (VPP) app.
C) Use Apple Configurator to sideload the app via USB.
D) Distribute the app via a web link to the .ipa hosted on a public CDN.
Which option should you choose?

Question 222 (easy, multiple choice)

You are the Intune administrator for a small business with 50 Windows 10 devices that are currently managed by a legacy on-premises MDM. The company wants to move to Microsoft Intune for cloud management. All devices are already joined to Microsoft Entra ID. You need to migrate the devices to Intune management without resetting them. You have the following options:
A) Use Windows Autopilot to reset the devices and re-enroll.
B) Use the 'Switch to Intune' option in the device's 'Access work or school' settings.
C) Use a provisioning package (PPKG) to enroll devices.
D) Use Group Policy to configure MDM enrollment.
Which option should you choose?

Question 223 (medium, multiple choice)

Your organization uses Microsoft Intune to manage Windows 11 devices. You need to ensure that only devices with TPM 2.0 and UEFI Secure Boot enabled can enroll. Which configuration profile setting should you configure?

Question 224 (hard, multiple choice)

A company uses Microsoft Intune to manage iOS/iPadOS devices. After enabling Apple User Enrollment (UE), some users report that they cannot install company-recommended apps from the Company Portal. What is the most likely cause?

Question 225 (easy, multiple choice)

You need to prepare on-premises Windows devices for a migration to Microsoft Intune. Which tool should you use to generate a configuration package that can be deployed via Group Policy or manual installation?

Question 226 (hard, multiple choice)

A multinational organization uses Microsoft Entra ID joined devices with Intune. The security team wants to block enrollment of devices from non-corporate networks unless they have a compliant certificate. Which enrollment restriction should you configure?

Question 227 (medium, multiple choice)

Your organization plans to deploy Windows 11 devices using Windows Autopilot. You need to ensure that each device is automatically enrolled in Intune and receives a custom configuration profile during the out-of-box experience (OOBE). Which two components are required?

Question 228 (easy, multiple choice)

You need to configure Intune to automatically retire devices that have not checked in for 90 days. Where should you set this?

Question 229 (hard, multiple choice)

Your organization uses Microsoft Intune to manage Android Enterprise devices. You need to ensure that work profile apps are encrypted and that the device owner cannot uninstall the Company Portal app. Which configuration profile should you deploy?

Question 230 (medium, multiple choice)

You are planning to enroll macOS devices in Intune. Users must authenticate with their Microsoft Entra ID credentials and then be prompted to install the Company Portal app. Which enrollment method should you use?

Question 231 (easy, multiple choice)

You need to ensure that Windows 10 devices automatically enroll in Intune when they join Microsoft Entra ID. Which setting should you configure?

Question 232 (medium, multi select)

Which TWO actions are required to prepare Windows devices for subscription activation? (Select TWO.)

Question 233 (hard, multi select)

Which THREE permissions are required for a service account to register devices in Windows Autopilot? (Select THREE.)

Question 234 (easy, multi select)

Which TWO are prerequisites for co-management with Microsoft Intune and Configuration Manager? (Select TWO.)

Question 235 (medium, multi select)

Which THREE are valid methods to prepare an existing Windows 10 device for Intune management? (Select THREE.)

Question 236 (hard, multi select)

Which TWO are required to enable Windows Hello for Business in a hybrid deployment? (Select TWO.)

Question 237 (hard, multiple choice)

You are the endpoint administrator for Contoso, Ltd., a company with 10,000 employees. The environment includes Windows 10/11 devices, iOS/iPadOS, and Android Enterprise devices. The company recently acquired a subsidiary that uses non-compliant Android devices. The security team mandates that all devices must have encryption enabled and a PIN of at least 6 digits. Additionally, the company wants to use Microsoft Defender for Endpoint on all Windows devices. Currently, only 60% of devices are enrolled in Intune. The CIO wants to increase enrollment to 95% within 6 months. You need to design a device preparation strategy. Which approach should you recommend?

Question 238 (medium, multiple choice)

You are the Intune administrator for Fabrikam, Inc., which has 5,000 Windows 10 devices. The company wants to move from on-premises Group Policy management to Intune. You have already deployed the Intune Management Extension to all devices. However, some devices are not receiving policies. You discover that these devices are not enrolled in Intune. You need to enroll all devices as quickly as possible with minimal user interaction. The devices are already joined to on-premises Active Directory. You have Microsoft Entra ID Connect configured. What should you do?

Question 239 (medium, multiple choice)

You manage a fleet of 2,000 iOS devices for a healthcare organization. The devices are used by clinicians and must be enrolled in Intune. Due to security requirements, you must ensure that devices are supervised and that the Company Portal app is installed automatically. You have Apple Business Manager (ABM) set up with Intune. You need to configure the enrollment process so that when a new device is unboxed and turned on, it automatically enrolls and receives the required configuration. Which enrollment method should you use?

Question 240 • medium • multiple choice

Your organization recently deployed Windows 11 devices managed by Microsoft Intune. You need to ensure that only approved third-party drivers are installed on these devices. What is the best approach?

Question 241 • hard • multiple choice

A company uses Microsoft Intune to manage Windows 10 devices. They need to deploy a custom security baseline that includes blocking PowerShell scripts from running unless they are signed by a trusted publisher. Which configuration should be applied?

Question 242 • easy • multiple choice

Your organization is planning to deploy Microsoft Entra hybrid joined devices. What is a prerequisite for this configuration?

Question 243 • medium • multiple choice

A user reports that their Windows 11 device fails to enroll in Microsoft Intune. The device is Microsoft Entra joined and the user has a valid Intune license. What should you check first?

Question 244 • hard • multiple choice

Your organization uses Microsoft Intune to manage iOS devices. You need to ensure that corporate data is protected when users access Microsoft 365 apps. Which policy should you configure?

Question 245 • easy • multiple choice

You need to deploy Windows 10 Enterprise to 100 new computers using Microsoft Intune. The computers are not yet joined to Microsoft Entra ID. What is the recommended method?

Question 246 • medium • multiple choice

A company uses Microsoft Intune to manage Windows 10 devices. They want to prevent users from installing unapproved applications. Which approach provides the most granular control?

Question 247 • hard • multiple choice

You are troubleshooting an Intune enrollment issue on a Windows 10 device. The device is Microsoft Entra joined, but the enrollment status shows 'Pending'. What is the most likely cause?

Question 248 • easy • multiple choice

Your organization requires that all corporate laptops be encrypted. You manage Windows 10 devices with Microsoft Intune. Which policy should you configure?

Question 249 • medium • multiple choice

You need to deploy Microsoft 365 Apps to 500 Windows 10 devices managed by Intune. The deployment must be automatic and should not require user interaction. What is the best method?

Question 250 • medium • multi select

Which TWO actions should you take to prepare a Windows 10 device for a deployment using Windows Autopilot?

Question 251 • hard • multi select

Which THREE components are required for a successful Windows Autopilot self-deploying mode deployment?

Question 252 • medium • multi select

Which TWO Intune policies can be used to enforce encryption on macOS devices?

Question 253 • hard • multi select

Which THREE factors should you consider when planning a Microsoft Intune migration from Configuration Manager?

Question 254 • medium • multiple choice

Refer to the exhibit. A Microsoft Intune security baseline is configured for Windows 10 devices. What is the effect of this setting?

Exhibit

{
  "displayName": "Windows 10 Security Baseline",
  "settings": [
    {
      "settingInstance": {
        "@odata.type": "#microsoft.graph.deviceManagementConfigurationSettingInstance",
        "settingDefinitionId": "device_vendor_msft_policy_config_windowsdefender_scan_enablelowcpupriority",
        "settingInstanceTemplateReference": null,
        "choiceSettingInstance": {
          "choiceSettingValue": {
            "value": "device_vendor_msft_policy_config_windowsdefender_scan_enablelowcpupriority_1",
            "children": []
          }
        }
      }
    }
  ]
}
