
MD-102 Protect devices • Complete Question Bank

MD-102 Protect devices — All Questions With Answers

Complete MD-102 Protect devices question bank — all 0 questions with answers and detailed explanations.

163
Questions
Question 1 (easy, multiple choice)

A user reports that their Windows 11 device is not receiving compliance policies from Microsoft Intune. The device shows as 'Not evaluated' in the Microsoft Intune admin center. Which step should you take first to resolve the issue?

Question 2 (medium, multiple choice)

Your company uses Microsoft Intune to manage iOS devices. You need to ensure that corporate data in Microsoft 365 apps is protected even if a device is compromised. Which App Protection Policy setting should you configure?

Question 3 (hard, multiple choice)

You are implementing Microsoft Defender for Endpoint on Windows Server devices managed by Microsoft Intune. After onboarding, the devices show as 'Inactive' in the Microsoft Defender XDR portal. Which action should you take?

Question 4 (easy, multiple choice)

Your organization uses Microsoft Entra ID joined devices with Windows 10. You need to ensure that only compliant devices can access corporate email in Microsoft Outlook for Windows. Which integration should you enable?

Question 5 (medium, multiple choice)

You manage Android Enterprise devices with work profiles. A user reports that corporate apps are not appearing in the work profile after enrollment. The device shows as enrolled in Microsoft Intune. What is the most likely cause?

Question 6 (hard, multiple choice)

Your organization uses Windows Autopilot for device deployment. After a device completes the user-driven deployment, it appears in Microsoft Entra ID as 'Azure AD registered' instead of 'Azure AD joined'. What should you modify to ensure the device is joined?

Question 7 (easy, multiple choice)

You are investigating a malware incident on a Windows 10 device managed by Microsoft Intune and protected by Microsoft Defender for Endpoint. Which log should you analyze to determine the initial infection vector?

Question 8 (medium, multiple choice)

You need to deploy a line-of-business (LOB) iOS app to users in your organization. The app is signed with an enterprise certificate. How should you distribute the app to managed devices?

Question 9 (hard, multiple choice)

You have enabled Microsoft Defender for Endpoint on macOS devices. Some macOS devices show a status of 'Sensor disconnected' in the Microsoft Defender XDR portal. The devices are online and can communicate with the internet. Which troubleshooting step should you take first?

Question 10 (easy, multi-select)

Which TWO of the following are valid methods to wipe a Windows 10 device using Microsoft Intune? (Select TWO.)

Question 11 (medium, multi-select)

Which THREE of the following are prerequisites for deploying Microsoft Defender for Endpoint on Windows 10 devices via Microsoft Intune? (Select THREE.)

Question 12 (hard, multi-select)

Which TWO of the following are valid reasons to use Windows Autopilot Reset? (Select TWO.)

Question 13 (easy, multiple choice)

Refer to the exhibit. You deploy this compliance policy to Windows 10 devices. A device running Windows 10 version 20H2 (OS build 19042.1234) reports as compliant. However, the device does not have BitLocker enabled. Why is the device compliant?

Exhibit

Refer to the exhibit.

```json
{
  "compliancePolicy": {
    "@odata.type": "#microsoft.graph.windows10CompliancePolicy",
    "passwordRequired": true,
    "passwordMinimumLength": 6,
    "passwordRequiredType": "deviceDefault",
    "requireHealthyDeviceReport": false,
    "osMinimumVersion": "10.0.19041.0",
    "osMaximumVersion": null,
    "mobileOsMinimumVersion": null,
    "storageRequireEncryption": true
  }
}
```
Question 14 (medium, multiple choice)

Refer to the exhibit. You configure this Enrollment Status Page (ESP) policy for Windows Autopilot deployments. During a deployment, a device fails to install a required app. What happens?

Exhibit

Refer to the exhibit.

```json
{
  "enrollmentStatusPage": {
    "@odata.type": "#microsoft.graph.windows10EnrollmentCompletionPageConfiguration",
    "showInstallationProgress": true,
    "blockDeviceSetupRetryByUser": true,
    "allowDeviceResetOnInstallFailure": true,
    "allowDeviceUseOnInstallFailure": false,
    "installProgressTimeoutInMinutes": 60,
    "trackInstallProgressForAutopilotOnly": true
  }
}
```
Question 15 (hard, multiple choice)

Refer to the exhibit. You apply this configuration profile to Windows 10 devices. A user reports that their device's diagnostic data level is set to 'Full' in Settings > Diagnostics & feedback. What is the most likely reason?

Exhibit

Refer to the exhibit.

```json
{
  "microsoft365BusinessVoice": {
    "@odata.type": "#microsoft.graph.windows10GeneralConfiguration",
    "telemetryLevel": "1 - Basic",
    "enableDeviceManufacturer": "Contoso",
    "enableDeviceModel": "Surface Pro 7",
    "enableDeviceName": "LAPTOP-01",
    "enableDeviceOSVersion": true,
    "enableDeviceOSBuild": true,
    "enableDeviceSerialNumber": true,
    "enableDeviceIMEI": null
  }
}
```
Question 16 (medium, multiple choice)

You are configuring a Windows 10 device compliance policy in Microsoft Intune. The policy requires that devices have BitLocker enabled and a minimum OS build version. However, some devices are showing as 'Not compliant' even though they meet the requirements. What is the most likely cause?

Question 17 (hard, multiple choice)

You manage a fleet of iOS devices enrolled in Microsoft Intune. You need to ensure that only approved corporate devices can access Exchange Online. You configure a Conditional Access policy that requires devices to be compliant with Intune compliance policies. However, some users report that they are still able to access email from personal iOS devices that are not enrolled. What should you check first?

Question 18 (easy, multiple choice)

Your organization uses Microsoft Intune to manage Windows 10 devices. You need to deploy a security baseline that enforces BitLocker encryption and Windows Defender Antivirus settings. What is the recommended approach?

Question 19 (medium, multiple choice)

A user reports that they cannot install a company-required app from the Company Portal on their Android device. The app is assigned as 'Available for enrolled devices' in Intune. The device is enrolled and compliant. What is the most likely issue?

Question 20 (hard, multiple choice)

You are troubleshooting an issue where Windows 10 devices are not receiving Windows updates from Intune. The update rings are configured, and the devices are enrolled. However, devices show 'Up to date' even though they are missing critical security updates. What should you verify?

Question 21 (easy, multiple choice)

You need to ensure that only compliant devices can access Microsoft 365 resources. You create a Conditional Access policy in Microsoft Entra ID. Which condition should you use?

Question 22 (medium, multiple choice)

You are configuring an app protection policy (MAM) in Intune for iOS and Android devices. The policy should prevent users from copying corporate data to personal apps. Which setting should you configure?

Question 23 (hard, multiple choice)

Your organization uses Microsoft Defender for Endpoint (now part of Microsoft Defender XDR) to manage device threat detection. You have integrated Defender for Endpoint with Intune for compliance. Some devices are showing as non-compliant due to 'active threats' that are actually low-risk. How can you adjust the compliance policy to allow low-risk threats?

Question 24 (easy, multiple choice)

You need to wipe a lost corporate-owned iOS device that is enrolled in Intune. Which action should you perform?

Question 25 (medium, multi-select)

Which TWO conditions must be met for a Windows 10 device to be considered compliant with an Intune compliance policy that requires BitLocker and Secure Boot?

Question 26 (hard, multi-select)

Which THREE settings must be configured to enable Windows Hello for Business in an Intune policy?

Question 27 (easy, multi-select)

Which TWO methods can be used to enroll Android devices in Microsoft Intune?

Question 28 (hard, multiple choice)

Refer to the exhibit. A Windows 10 device with OS build 10.0.19041.1 is evaluated against this compliance policy. The device meets all settings except one. The OS version, 10.0.19041.1, is above the minimum 10.0.19041.0, and the device has BitLocker enabled, Secure Boot enabled, and firewall enabled. Which setting will cause the device to be non-compliant?

Exhibit

Refer to the exhibit.

```json
{
  "@odata.type": "#microsoft.graph.windows10CompliancePolicy",
  "passwordRequired": true,
  "passwordMinimumLength": 6,
  "passwordRequiredType": "deviceDefault",
  "passwordMinutesOfInactivityBeforeLock": 5,
  "passwordExpirationDays": 90,
  "passwordPreviousPasswordBlockCount": 5,
  "requireHealthyDevice": false,
  "osMinimumVersion": "10.0.19041.0",
  "osMaximumVersion": "10.0.19043.0",
  "mobileOsMinimumVersion": null,
  "mobileOsMaximumVersion": null,
  "earlyLaunchAntiMalwareDriverEnabled": true,
  "bitLockerEnabled": true,
  "secureBootEnabled": true,
  "codeIntegrityEnabled": true,
  "storageRequireEncryption": true,
  "activeFirewallRequired": true,
  "defenderEnabled": true,
  "defenderVersion": "1.1.1800.0",
  "signatureOutOfDate": false,
  "rtpEnabled": true
}
```
Question 29 (medium, multiple choice)

Refer to the exhibit. You run this PowerShell script using the Microsoft Graph PowerShell SDK. What is the purpose of this script?

Exhibit

Refer to the exhibit.

```powershell
$devices = Get-MgDeviceManagementManagedDevice
foreach ($device in $devices) {
    if ($device.DeviceType -eq 'WindowsRT' -or $device.DeviceType -eq 'WindowsMobile') {
        Write-Output "Device $($device.DeviceName) is not supported for compliance."
    }
}
```
Question 30 (hard, multiple choice)

Refer to the exhibit. You are deploying a custom OMA-URI policy to Windows 10 devices. What is the effect of this policy?

Exhibit

Refer to the exhibit.

```json
{
  "@odata.type": "#microsoft.graph.windows10ConfigurationPolicy",
  "displayName": "Custom Policy",
  "omaSettings": [
    {
      "@odata.type": "#microsoft.graph.omaSettingString",
      "displayName": "Enable telemetry",
      "description": null,
      "omaUri": "./Vendor/MSFT/Policy/Config/System/AllowTelemetry",
      "value": "2"
    },
    {
      "@odata.type": "#microsoft.graph.omaSettingString",
      "displayName": "Disable Cortana",
      "description": null,
      "omaUri": "./Vendor/MSFT/Policy/Config/Experience/AllowCortana",
      "value": "0"
    }
  ]
}
```
Question 31 (easy, multiple choice)

A company uses Microsoft Intune to manage Windows 11 devices. They want to ensure that only devices with a TPM 2.0 and Secure Boot enabled can access corporate resources in Microsoft Entra ID. What should they configure?

Question 32 (medium, multiple choice)

Contoso has iOS/iPadOS devices managed by Intune. They need to prevent users from installing apps from outside the Apple App Store and ensure that devices with a jailbreak are blocked from accessing corporate email. Which two policies should they combine?

Question 33 (hard, multiple choice)

A company uses Microsoft Defender for Endpoint to manage endpoint security. They observe that some devices are not reporting vulnerability data to Microsoft Defender XDR. Which component is most likely misconfigured?

Question 34 (easy, multiple choice)

An organization wants to enforce encryption on all Windows 10/11 devices using Intune. Which policy type should they use?

Question 35 (medium, multiple choice)

A company uses Intune to manage macOS devices. They need to deploy a custom configuration profile that enforces FileVault encryption. What is the recommended approach?

Question 36 (hard, multiple choice)

Your organization uses Windows Defender Application Control (WDAC) to allow only approved apps. After deploying a WDAC policy via Intune, some users report that a critical line-of-business app is blocked. How should you troubleshoot?

Question 37 (easy, multiple choice)

A company wants to prevent users from copying corporate data from managed Microsoft 365 apps to personal apps on iOS devices. What should they configure?

Question 38 (medium, multiple choice)

Contoso uses Microsoft Defender for Endpoint on Windows servers. They need to ensure that antivirus definitions are always up-to-date even if the server is disconnected from the internet for extended periods. What should they configure?

Question 39 (hard, multiple choice)

Your organization uses Microsoft Intune to manage Windows 11 devices. You notice that some devices are not receiving security updates even though update rings are assigned. What is the most likely cause?

Question 40 (medium, multi-select)

Which TWO actions should you take to ensure that only healthy Windows 10/11 devices can access Microsoft 365 services? (Choose two.)

Question 41 (hard, multi-select)

Which THREE components are essential for a Microsoft Defender for Endpoint deployment on Windows 10 devices? (Choose three.)

Question 42 (easy, multi-select)

Which TWO methods can you use to deploy Microsoft Defender for Endpoint on Windows Server 2019? (Choose two.)

Question 43 (medium, multiple choice)

Refer to the exhibit. The Intune device compliance policy shown is assigned to a group of Windows 10 devices. A user reports that their device is marked as noncompliant. The device has a password set, BitLocker enabled, Secure Boot on, and code integrity (HVCI) enabled. What is the most likely reason?

Exhibit

Refer to the exhibit.

```json
{
  "@odata.type": "#microsoft.graph.windows10CompliancePolicy",
  "description": "Windows 10 compliance policy",
  "passwordRequired": true,
  "passwordMinimumLength": 8,
  "passwordRequiredType": "deviceDefault",
  "requireSecureBoot": true,
  "requireDeviceEncryption": true,
  "requireCodeIntegrity": true
}
```
Question 44 (hard, multiple choice)

Refer to the exhibit. A PowerShell script is used to check the encryption compliance state of Windows devices managed by Intune. Some devices return a State of 'notApplicable' for the Encryption setting. What does this indicate?

Exhibit

Refer to the exhibit.

```powershell
$devices = Get-MgDeviceManagementManagedDevice -Filter "operatingSystem eq 'Windows'"
foreach ($device in $devices) {
    $compliance = Get-MgDeviceManagementDeviceCompliancePolicySettingStateSummary -ManagedDeviceId $device.Id
    Write-Output $device.DeviceName
    $compliance.SettingStates | Where-Object {$_.SettingName -eq "Encryption"} | Select-Object State
}
```
Question 45 (medium, multiple choice)

Refer to the exhibit. A KQL query in Microsoft Defender XDR returns no results for PC001 and PC002 even though you know there have been antivirus detections on those devices. What is the most likely reason?

Exhibit

Refer to the exhibit.

```kusto
DeviceEvents
| where Timestamp > ago(7d)
| where DeviceName in ('PC001', 'PC002')
| where ActionType == 'AntivirusDetection'
| summarize DetectionCount = count() by DeviceName
| where DetectionCount > 0
```
Question 46 (hard, multiple choice)

You are the endpoint administrator for Contoso, a company with 5,000 Windows 11 devices managed by Microsoft Intune. The company uses Microsoft Defender for Endpoint (MDE) for endpoint detection and response. You need to implement a solution that ensures all devices have the latest Windows security updates installed within 7 days of release. Additionally, you must ensure that if a device misses two consecutive update cycles, it is automatically blocked from accessing corporate resources until it is updated. You have the following requirements: 1. Use Intune update rings to control update deployment. 2. Use MDE vulnerability management to identify missing updates. 3. Device compliance policies should check for missing updates and mark devices noncompliant. 4. Conditional Access should block noncompliant devices. Which combination of actions should you take?

Question 47 (easy, multiple choice)

You configure Windows Update for Business policies in Intune. Users report that updates are not installing during configured active hours. You verify that the policy is applied. What is the most likely cause?

Question 48 (medium, multiple choice)

Your organization uses Microsoft Defender for Endpoint (now part of Microsoft Defender XDR). You need to ensure that when a device is offboarded, all collected forensic data is deleted from Microsoft 365. What should you do?

Question 49 (hard, multiple choice)

Your company uses Microsoft Intune to manage Windows 11 devices. You need to deploy a configuration that requires users to use Windows Hello for Business (WHfB) and prohibits the use of FIDO2 security keys. Which CSP and value should you configure?

Question 50 (easy, multiple choice)

A user reports that their iOS device is not receiving email on their work account. The device is enrolled in Intune. You verify that the Exchange ActiveSync profile is assigned correctly. What should you check next?

Question 51 (medium, multiple choice)

You manage Windows 10 devices with Intune. You need to ensure that only approved apps can run on corporate devices. You configure AppLocker via a custom OMA-URI. However, users can still run unapproved apps. What is the most likely reason?

Question 52 (hard, multiple choice)

Your organization uses Microsoft Defender for Cloud Apps (part of Microsoft Defender XDR). You need to detect when users access cloud apps from unauthorized locations. Which log source should you integrate to get location information?

Question 53 (easy, multiple choice)

You need to configure BitLocker encryption for Windows 10 devices managed by Intune. You create a device configuration profile for endpoint protection. After assigning, devices show 'BitLocker not enabled' in the Intune console. What is the most likely cause?

Question 54 (medium, multiple choice)

Your company uses Microsoft Intune to manage Android Enterprise devices. You need to ensure that work apps are sandboxed from personal apps. Which enrollment type should you use?

Question 55 (hard, multiple choice)

You manage devices with Microsoft Intune. You need to implement a conditional launch policy for Microsoft Defender for Endpoint that requires the device to have a minimum version of the sensor (10.8049.22439.1043) and a healthy signal. Which JSON policy should you deploy?

Question 56 (medium, multi-select)

Your organization uses Microsoft Intune to manage mobile devices. You need to configure compliance policies that trigger conditional access. Which TWO conditions can be used in a device compliance policy?

Question 57 (hard, multi-select)

You deploy a Windows Update for Business policy in Intune. You need to ensure that devices install quality updates within 2 days of release and feature updates within 30 days. Which THREE settings should you configure?

Question 58 (easy, multi-select)

You need to configure Microsoft Defender for Endpoint on macOS devices. Which THREE components must be installed?

Question 59 (easy, multiple choice)

A user reports that their Windows 11 device cannot install a required line-of-business (LOB) app from Company Portal. The app is assigned to the user and shows as 'Available' in Intune. The device is compliant and managed. What is the most likely cause?

Question 60 (medium, multiple choice)

Your organization uses Microsoft Intune to manage Windows 10 devices. You need to ensure that devices automatically install critical updates from Windows Update for Business within 3 days of release. Which configuration should you use?

Question 61 (hard, multiple choice)

A company uses Microsoft Defender for Endpoint. They want to automatically remediate threats on endpoints using automated investigation and response. They also need to ensure that the remediation actions are approved by the security team before execution. Which configuration should they use?

Question 62 (easy, multiple choice)

Your organization uses Microsoft Intune to manage iOS/iPadOS devices. You need to ensure that users cannot remove the Company Portal app from their devices. Which configuration should you apply?

Question 63 (medium, multiple choice)

A user has a Windows 10 device that is managed by Intune. The device is compliant but the user reports that they cannot access corporate email on their device. The email profile is deployed via Intune. Other users can access email successfully. What should you check first?

Question 64 (hard, multiple choice)

Your organization uses Microsoft Intune to manage Windows 10 devices. You need to enforce BitLocker encryption on all devices. Some devices are not encrypting. You check the BitLocker policy and it is assigned correctly. What is the most likely reason?

Question 65 (easy, multiple choice)

Your organization uses Microsoft Intune to manage Android Enterprise devices. You need to ensure that corporate data is separated from personal data on the device. Which management approach should you use?

Question 66 (medium, multiple choice)

A user has a Windows 11 device that is enrolled in Intune. The device is compliant, but the user cannot install apps from the Company Portal. The Company Portal shows 'This app is not available for your device'. The app is assigned to the user and the device meets the minimum requirements. What should you check?

Question 67 (hard, multiple choice)

Your organization uses Microsoft Defender for Cloud Apps. You need to configure a policy that automatically blocks downloads of sensitive data from SharePoint Online to unmanaged devices. Which policy type should you use?

Question 68 (medium, multi-select)

Which TWO actions can you perform using Microsoft Intune to protect devices from malware?

Question 69 (hard, multi-select)

Which THREE features are available in Microsoft Intune for managing Windows 10/11 device updates?

Question 70 (easy, multi-select)

Which TWO compliance settings can be configured in Microsoft Intune for Android devices?

Question 71 (hard, multiple choice)

Refer to the exhibit. You deploy this compliance policy to a Windows 11 device running build 10.0.22621.1000. The device has BitLocker enabled, Secure Boot enabled, and code integrity enabled. Is the device compliant?

Exhibit

Refer to the exhibit.

```json
{
  "@odata.type": "#microsoft.graph.windows10CompliancePolicy",
  "description": "Windows 10 compliance policy",
  "passwordRequired": true,
  "passwordMinimumLength": 6,
  "passwordRequiredType": "deviceDefault",
  "passwordMinutesOfInactivityBeforeLock": 5,
  "passwordExpirationDays": 90,
  "passwordPreviousPasswordBlockCount": 5,
  "requireHealthyDeviceReport": true,
  "osMinimumVersion": "10.0.19041.0",
  "osMaximumVersion": "10.0.22621.0",
  "mobileOsMinimumVersion": null,
  "mobileOsMaximumVersion": null,
  "earlyLaunchAntiMalwareDriverEnabled": true,
  "bitLockerEnabled": true,
  "secureBootEnabled": true,
  "codeIntegrityEnabled": true,
  "storageRequireEncryption": true
}
```
Question 72 (medium, multiple choice)

Refer to the exhibit. An administrator runs this PowerShell command using the Microsoft Graph PowerShell SDK. The output returns no devices. However, the administrator knows that there are non-compliant Windows devices in Intune. What is the most likely reason?

Exhibit

Refer to the exhibit.

```powershell
Get-MgDeviceManagementManagedDevice -Filter "operatingSystem eq 'Windows'" |
  Where-Object {$_.complianceState -eq 'noncompliant'} |
  Select-Object id, deviceName, complianceState
```
Question 73 (hard, multiple choice)

Refer to the exhibit. You deploy this endpoint protection configuration to a Windows 10 device. A user reports that they cannot connect to the device via RDP. What is the most likely cause?

Exhibit

Refer to the exhibit.

```json
{
  "@odata.type": "#microsoft.graph.windows10EndpointProtectionConfiguration",
  "firewallRules": [
    {
      "@odata.type": "#microsoft.graph.windowsFirewallRule",
      "displayName": "Allow RDP",
      "direction": "inbound",
      "protocol": "tcp",
      "localPortRanges": ["3389"],
      "action": "block"
    }
  ],
  "defenderDetectedMalwareActions": {
    "highSeverity": "block",
    "moderateSeverity": "clean",
    "lowSeverity": "allow"
  }
}
```
Question 74 (easy, multiple choice)

You are deploying Windows 10 devices using Autopilot. You need to ensure that during the out-of-box experience (OOBE), users are blocked from bypassing the sign-in screen by clicking 'Skip for now'. Which setting should you configure in the Enrollment Status Page (ESP) profile?

Question 75 (medium, multiple choice)

You manage Windows 10 devices with Microsoft Intune. A user reports that a device has a red shield icon in the Windows Security Center, indicating tamper protection is off. You need to re-enable tamper protection on the device using Intune. Which profile type should you configure?

Question 76 (hard, multiple choice)

Your organization uses Microsoft Defender for Endpoint (MDE) and Microsoft Intune. You need to create a device group that dynamically includes all devices with a threat level of 'High' from MDE. You then plan to apply a compliance policy to force those devices to be non-compliant. Which method should you use to create the dynamic group?

Question 77 (easy, multiple choice)

You have devices enrolled in Microsoft Intune. You need to configure a policy that requires a PIN of at least 6 characters for accessing Microsoft Entra ID resources. Which policy type should you configure?

Question 78 (medium, multiple choice)

Your organization uses Windows Autopilot and Microsoft Intune. You need to ensure that during the Autopilot deployment, the device automatically installs a set of required applications (Microsoft 365 Apps, company portal, and a line-of-business app) before the user can access the desktop. Which configuration should you use?

Question 79 (hard, multiple choice)

You have an Intune-managed device that is not receiving compliance policies. You check the Intune console and see the device status is 'Pending'. The device is connected to the internet and can sync. What is the most likely cause?

Question 80 (easy, multiple choice)

You need to ensure that Windows 10 devices automatically receive Microsoft Defender antivirus definition updates from Microsoft. Which update channel should you configure in the endpoint protection profile?

Question 81 (medium, multiple choice)

You have a Windows 10 device that is managed by Intune and enrolled in Microsoft Defender for Endpoint. The device is reporting a high number of false positive detections from Microsoft Defender Antivirus. You need to configure an exclusion for a specific folder path to reduce false positives. Where should you configure the exclusion?

Question 82 (hard, multiple choice)

Your organization uses Microsoft Intune to manage iOS/iPadOS devices. You need to enforce that all devices use a 6-digit passcode and that the device automatically wipes after 10 failed attempts. Which profile type should you configure?

Question 83 (medium, multi-select)

You are planning a Windows 10 deployment using Windows Autopilot. You need to ensure that devices are automatically enrolled in Intune during the out-of-box experience. Which two prerequisites must be met? (Choose two.)

Question 84 (hard, multi-select)

You have a Microsoft Intune environment with devices running Windows 10 and 11. You need to configure a policy that enforces BitLocker drive encryption with a TPM protector and stores recovery key in Microsoft Entra ID. Which three settings must you configure in the endpoint protection profile? (Choose three.)

Question 85 (easy, multi-select)

You are configuring Microsoft Defender for Endpoint for your organization. You need to ensure that devices are onboarded to the service. Which two methods can you use to onboard Windows 10 devices? (Choose two.)

Question 86 (medium, multiple choice)

You are reviewing an Intune endpoint protection profile for Windows 10. The exhibit shows a JSON snippet of the configuration. A user reports that a device detected malware with moderate severity, but the action taken was 'quarantine'. However, the desired action is 'clean'. Which setting should you modify?

Exhibit

Refer to the exhibit.

{
  "@odata.type": "#microsoft.graph.windows10EndpointProtectionConfiguration",
  "defenderDetectedMalwareActions": {
    "highSeverity": "clean",
    "moderateSeverity": "quarantine",
    "lowSeverity": "block"
  },
  "defenderScanType": "quick",
  "defenderScheduleScanDay": 4,
  "defenderScheduleScanTime": "02:00:00"
}

Question 87 (hard, multiple choice)

You are troubleshooting a Windows 10 device that is showing as non-compliant in Intune. The exhibit shows the PowerShell output from the Microsoft Graph API. Based on the output, what is the most likely reason for the non-compliance?

Exhibit

Refer to the exhibit.

$device = Get-MgDeviceManagementManagedDevice -ManagedDeviceId "12345678-1234-1234-1234-123456789012"
$device.ComplianceState

Output:
"Noncompliant"

$device.GetCompliancePolicyNonComplianceReasons()

Output:
"RequireEncryption"

Question 88 (easy, multiple choice)

You are reviewing a custom device configuration profile in Intune. The exhibit shows an OMA-URI setting. What is the purpose of this setting?

Exhibit

Refer to the exhibit.

Device configuration profile:

{
  "@odata.type": "#microsoft.graph.windows10CustomConfiguration",
  "omaSettings": [
    {
      "@odata.type": "#microsoft.graph.omaSettingString",
      "displayName": "Disable Lock Screen Camera",
      "description": null,
      "omaUri": "./Vendor/MSFT/Policy/Config/DeviceLock/PreventLockScreenCamera",
      "value": "1"
    }
  ]
}

Question 89 (easy, multiple choice)

You need to ensure that devices enrolled in Microsoft Intune automatically receive Windows quality updates as soon as they are released. Which update ring setting should you configure?

Question 90 (medium, multiple choice)

A user reports that their Windows 11 device cannot access corporate resources after a recent update. The device is enrolled in Intune. You check the device compliance status and find it is marked as non-compliant. Which two actions should you take?

Question 91 (hard, multiple choice)

Your organization uses Microsoft Defender for Endpoint (now part of Defender XDR) and Intune. You need to create a device compliance policy that triggers automatic remediation when a device has a 'Medium' severity alert from Defender. Which setting should you configure?

Question 92 (easy, multiple choice)

You need to deploy a Microsoft 365 Apps for enterprise configuration to devices managed by Intune. Which policy type should you use?

Question 93 (medium, multiple choice)

You manage Windows 10 devices with Intune. After deploying a new compliance policy requiring BitLocker, many devices show as non-compliant. You verify that BitLocker is enabled on the system drive. What is the most likely cause?

Question 94 (hard, multiple choice)

Refer to the exhibit. You deploy this compliance policy to Windows 10 devices. A device reports as compliant, but you suspect it may have a weak password policy because the password type is 'deviceDefault'. What is the effect of 'deviceDefault' on the password requirement?

Exhibit (Intune JSON policy snippet):
{
  "@odata.type": "#microsoft.graph.windows10CompliancePolicy",
  "description": "Company compliance policy",
  "passwordRequired": true,
  "passwordMinimumLength": 8,
  "passwordRequiredType": "deviceDefault",
  "passwordMinutesOfInactivityBeforeLock": 15,
  "passwordExpirationDays": 90,
  "passwordPreviousPasswordBlockCount": 5,
  "requireHealthyUntrustedEndorsementCertificate": false,
  "requireHealthyTrustedEndorsementCertificate": false,
  "tpmRequired": false,
  "secureBootEnabled": true,
  "codeIntegrityEnabled": true,
  "earlyLaunchAntiMalwareDriverEnabled": true,
  "deviceThreatProtectionEnabled": false,
  "deviceThreatProtectionRequiredSecurityLevel": "unavailable",
  "configurationManagerComplianceRequired": false
}

Question 95 (easy, multiple choice)

Your organization uses Microsoft Intune to manage iOS devices. You need to ensure that corporate data in Microsoft Outlook is protected even if the device is not enrolled in MDM. Which policy should you deploy?

Question 96 (medium, multiple choice)

You have a hybrid Microsoft Entra ID joined Windows 10 device that is co-managed with Configuration Manager and Intune. You want Intune to manage Windows Update for Business settings. Which slider setting should you configure in Configuration Manager?

Question 97 (hard, multiple choice)

You configure a Windows 10 device compliance policy in Intune that requires 'Firewall' to be enabled. The device has Windows Defender Firewall enabled, but the device reports as non-compliant. You verify that the firewall is active. What is the most likely cause?

Question 98 (easy, multi-select)

Which TWO settings can be configured in a Windows 10 device restriction profile in Intune to enhance security?

Question 99 (medium, multi-select)

Which THREE actions can you perform from the Microsoft Intune admin center to remediate a non-compliant Windows device?

Question 100 (hard, multi-select)

Which TWO conditions in a Conditional Access policy can be used to enforce device compliance for access to Microsoft 365 services?

Question 101 (easy, multiple choice)

Refer to the exhibit. You deploy this custom OMA-URI policy to Windows 10 devices. What is the expected outcome?

Exhibit (Intune JSON configuration policy snippet):
{
  "@odata.type": "#microsoft.graph.windows10CustomConfiguration",
  "omaSettings": [
    {
      "@odata.type": "#microsoft.graph.omaSettingString",
      "displayName": "Disable Telemetry",
      "description": null,
      "omaUri": "./Device/Vendor/MSFT/Policy/Config/System/AllowTelemetry",
      "value": "0"
    }
  ]
}

Question 102 (medium, multiple choice)

Refer to the exhibit. You run a PowerShell command to check the assignment status of device configuration profiles. The 'BitLocker Policy' shows 'Pending'. What does 'Pending' indicate?

Exhibit (PowerShell output from Get-MgDeviceManagementDeviceConfiguration):
Id                                   DisplayName             AssignmentStatus
--                                   -----------             ----------------
d36f8c2a-1234-5678-9abc-def012345678 Windows Defender AV     Success
b7a1c3d4-5678-90ab-cdef-1234567890ab BitLocker Policy        Pending
f8e7d6c5-4321-0fed-cba9-876543210abc Firewall Rules          Error

Question 103 (hard, multiple choice)

Refer to the exhibit. You run this KQL query in Microsoft Defender XDR to investigate a device. The result shows RiskScore = 0. What does this indicate about the device?

Exhibit (KQL query from Microsoft Defender XDR):
DeviceInfo
| where Timestamp > ago(7d)
| where DeviceName contains "CONTOSO-LAPTOP"
| project Timestamp, DeviceName, OSPlatform, OSVersion, IsAzureADJoined, RiskScore
| order by Timestamp desc

Question 104 (easy, multiple choice)

A user reports that their Windows 10 device is not receiving compliance policies from Microsoft Intune. The device shows as 'Not evaluated' in the Microsoft Intune admin center. Which of the following is the most likely cause?

Question 105 (medium, multiple choice)

Your organization uses Microsoft Intune to manage Windows 11 devices. You need to ensure that only devices with a Trusted Platform Module (TPM) version 2.0 and Secure Boot enabled can access corporate email. What should you configure?

Question 106 (hard, multiple choice)

A company uses Microsoft Intune to manage iOS devices. Users report that they cannot install the required Microsoft Defender for Endpoint app from the Company Portal. The app shows as 'Not available' in the Company Portal. Which of the following is the most likely reason?

Question 107 (easy, multiple choice)

Your organization wants to deploy Windows Update for Business policies using Microsoft Intune to Windows 10 devices. Which policy type should you use?

Question 108 (medium, multiple choice)

A user's Android device is enrolled in Microsoft Intune. The device reports as 'Compliant' but the user cannot access corporate resources that require compliant devices. The conditional access policy is configured to require a compliant device. What is the most likely cause?

Question 109 (hard, multiple choice)

Your organization uses Microsoft Defender for Endpoint (MDE) and Microsoft Intune. You want to automatically remediate devices that are found to be missing critical security updates during a vulnerability assessment. What should you configure?

Question 110 (easy, multiple choice)

You need to ensure that only authorized users can enroll devices in Microsoft Intune. Which setting should you configure?

Question 111 (medium, multiple choice)

Your organization uses Microsoft Intune to manage Windows 11 devices. You need to deploy a custom PowerShell script that runs during enrollment to configure network settings. What should you use?

Question 112 (hard, multiple choice)

Your organization uses Microsoft Intune with co-management and Configuration Manager. Some Windows 10 devices are enrolled in Intune but also managed by Configuration Manager. You need to ensure that the Intune compliance policy is evaluated and enforced on these devices. What should you configure?

Question 113 (easy, multi-select)

Which TWO of the following are valid enrollment methods for Windows 10 devices in Microsoft Intune?

Question 114 (medium, multi-select)

Which THREE of the following are features of Microsoft Defender for Endpoint that help protect devices?

Question 115 (hard, multi-select)

Which TWO of the following are required to configure Windows Hello for Business using Microsoft Intune?

Question 116 (medium, multiple choice)

Refer to the exhibit. A Windows 10 device is enrolled in Intune and has the above compliance policy assigned. The device reports as non-compliant. The device has TPM version 2.0, Secure Boot enabled, and a password of 8 characters. Which of the following is the most likely reason for non-compliance?

Exhibit

Refer to the exhibit.

{
  "@odata.type": "#microsoft.graph.windows10CompliancePolicy",
  "description": "Windows 10 compliance policy",
  "passwordRequired": true,
  "passwordMinimumLength": 6,
  "passwordRequiredType": "deviceDefault",
  "osMinimumVersion": "10.0.19041.0",
  "osMaximumVersion": "10.0.19045.0",
  "earlyLaunchAntimalwareDriverEnabled": true,
  "secureBootEnabled": true,
  "tpmRequired": true,
  "deviceThreatProtectionEnabled": true,
  "deviceThreatProtectionRequiredSecurityLevel": "medium"
}

Question 117 (hard, multiple choice)

Refer to the exhibit. A Windows 10 device shows a compliance state of 'noncompliant'. The last sync was 2 hours ago. The device is managed by Intune (mdm). You have verified that the assigned compliance policy requires a device threat level of 'high' from Microsoft Defender for Endpoint. Which of the following is the most likely cause of non-compliance?

Exhibit

Refer to the exhibit.

PowerShell output:

PS C:\> Get-IntuneManagedDevice -DeviceName "DESKTOP-1234" | Select-Object -Property complianceState, lastSyncDateTime, managementAgent, azureADDeviceId

complianceState : noncompliant
lastSyncDateTime : 2025-12-01T10:30:00Z
managementAgent : mdm
azureADDeviceId : a1b2c3d4-e5f6-7890-abcd-ef1234567890

Question 118 (easy, multiple choice)

Refer to the exhibit. You have assigned the above compliance policy to a Windows 10 device group. A user reports that their device is non-compliant even though BitLocker is enabled on the system drive. Which of the following is the most likely reason?

Exhibit

Refer to the exhibit.

{
  "@odata.type": "#microsoft.graph.windows10CompliancePolicy",
  "description": "Require BitLocker",
  "bitLockerEnabled": true,
  "bitLockerRemovableDrivesEncryptionRequired": true,
  "bitLockerRecoveryPasswordRotation": "enabled"
}

Question 119 (hard, multiple choice)

Your organization uses Microsoft Intune to manage Windows 11 devices. You need to configure a device compliance policy that requires devices to run Windows version 22H2 or later. When you create the policy, which option must you select for the OS version requirement?

Question 120 (medium, multiple choice)

Your company deploys Microsoft Defender for Endpoint (Defender XDR) to all Windows devices. You need to create a custom detection rule that triggers an alert when a specific PowerShell script is executed on any device. Which action should you take in the Microsoft 365 Defender portal?

Question 121 (easy, multiple choice)

You manage devices with Microsoft Intune. You need to deploy a Windows 10 feature update to a pilot group of devices. Which profile type should you use?

Question 122 (medium, multiple choice)

Your organization uses Microsoft Intune to manage iOS/iPadOS devices. You need to ensure that all devices have a passcode of at least 6 characters and that devices are updated to the latest iOS version. You create a compliance policy. After assigning the policy, some devices are marked as non-compliant even though they have a passcode. What is the most likely cause?

Question 123 (hard, multiple choice)

Your company uses Microsoft Intune for device management. You need to configure a Windows 10 device restriction policy that blocks the use of the camera and microphone on all devices. Which settings should you configure?

Question 124 (easy, multiple choice)

You need to enroll a Windows 11 device into Microsoft Intune using a work or school account. The device is already joined to Microsoft Entra ID. What is the simplest enrollment method?

Question 125 (hard, multiple choice)

Your organization uses Microsoft Intune to manage Android Enterprise devices. You need to deploy a managed Google Play app to work profile devices. After deploying, users report that the app is not available in the work profile. What is the most likely cause?

Question 126 (medium, multiple choice)

Your company uses Microsoft Defender for Endpoint (Defender XDR). You need to configure an automated investigation and remediation (AIR) rule that automatically quarantines a file when a specific alert is triggered. Which action should you take?

Question 127 (easy, multiple choice)

You need to ensure that only approved iOS apps can be installed on company-owned devices. Which Intune feature should you use?

Question 128 (medium, multi-select)

Your organization uses Microsoft Intune to manage Windows devices. You need to deploy a PowerShell script that runs in the user context during device enrollment. Which two conditions must be met? (Select TWO.)

Question 129 (hard, multi-select)

Your company uses Microsoft Defender for Cloud Apps (Microsoft 365 Defender). You need to create a session policy that monitors and controls access to a specific cloud app. Which three components must you configure? (Select THREE.)

Question 130 (easy, multi-select)

You are configuring Microsoft Intune for Windows 10 devices. Which two settings can you enforce using a device restrictions profile? (Select TWO.)

Question 131 (hard, multiple choice)

You review the compliance policy JSON for Windows 10 devices. A device running Windows 10 version 22H2 (build 22621.0) with a numeric-only password of 10 characters, BitLocker enabled, firewall enabled, and Microsoft Defender running reports as non-compliant. What is the most likely reason?

Exhibit

Refer to the exhibit.

{
  "@odata.type": "#microsoft.graph.windows10CompliancePolicy",
  "description": "Windows 10 compliance policy",
  "passwordRequired": true,
  "passwordMinimumLength": 8,
  "passwordRequiredType": "alphanumeric",
  "osMinimumVersion": "10.0.19045.0",
  "osMaximumVersion": "10.0.22621.0",
  "storageRequireEncryption": true,
  "activeFirewallRequired": true,
  "defenderEnabled": true
}

Question 132 (hard, multiple choice)

You are the endpoint administrator for Contoso Ltd., a global company with 5,000 Windows 11 devices managed by Microsoft Intune. The company has a strict security policy requiring that all devices must have BitLocker Drive Encryption enabled on the operating system drive. Additionally, devices must be compliant with the policy to access corporate resources via Conditional Access. Recently, an audit revealed that 200 devices are non-compliant because BitLocker is not enabled. You investigate and find that these devices are all personal devices enrolled as 'Windows bring your own device' (BYOD). The BitLocker policy is configured as a device configuration profile targeting 'All Devices'. The compliance policy requires 'Storage encryption' to be enabled. You need to resolve the non-compliance for these BYOD devices. What should you do?

Question 133 (medium, multiple choice)

Your organization, Fabrikam, uses Microsoft Intune to manage iOS/iPadOS and Android devices. You need to implement a solution that ensures company email can only be accessed from the Outlook mobile app, and that data from the Outlook app cannot be copied to personal apps. You also need to ensure that when a user leaves the company, the corporate data in Outlook is removed without affecting personal data. You plan to use app protection policies (MAM). The devices are not enrolled in Intune (unmanaged). You configure the app protection policies for Outlook on iOS and Android. However, users report that they can still copy email content to personal apps. What should you check?

Question 134 (medium, multiple choice)

A company uses Microsoft Intune to manage Windows 10 devices. Users report that after a recent update, the Start menu layout is not enforced. The administrator verified the policy is assigned to the correct device groups. What should the administrator check next?

Question 135 (hard, multiple choice)

An organization uses Microsoft Defender for Endpoint (MDE) with Microsoft Intune for device management. The security team wants to automatically remediate risks detected by MDE on Windows devices. Which Intune feature should be used to trigger remediation actions based on MDE alerts?

Question 136 (easy, multiple choice)

An IT administrator needs to ensure that iOS devices enrolled in Intune require a PIN of at least 6 digits. Where should the administrator configure this setting?

Question 137 (medium, multiple choice)

A company uses Intune to manage Android Enterprise devices. The administrator deployed a compliance policy that requires encryption and a minimum OS version. Some devices are not showing as compliant even though they meet the requirements. The administrator suspects a time delay. What is the default compliance check interval for Android Enterprise devices in Intune?

Question 138 (hard, multiple choice)

Refer to the exhibit. An Intune administrator finds this configuration on a Windows 10 device. What is the purpose of this setting?

Exhibit

{
  "csp": "./Device/Vendor/MSFT/DMClient/Provider/MS DM Server/CheckInURL",
  "value": "https://manage.microsoft.com/EnrollmentServer/Discovery.svc"
}

Question 139 (easy, multiple choice)

An administrator needs to ensure that only devices with a specific manufacturer are allowed to enroll in Intune. Which setting should the administrator configure?

Question 140 (medium, multiple choice)

A hospital uses Intune to manage Windows 10 devices used by doctors. The devices should automatically install critical updates from Windows Update for Business. Which type of policy should the administrator create?

Question 141 (hard, multiple choice)

An organization uses Microsoft Defender for Cloud Apps to monitor cloud app usage. The security team wants to automatically apply an Intune app protection policy (APP) when a user accesses a risky app from an unmanaged device. What should the administrator use?

Question 142 (easy, multiple choice)

A company wants to prevent corporate data from being copied from managed apps to personal apps on iOS devices. Which Intune policy should the administrator configure?

Question 143 (medium, multi-select)

An Intune administrator needs to ensure that Windows 10 devices are compliant with security requirements. Which TWO options are valid compliance settings for Windows 10?

Question 144 (hard, multi-select)

A company uses Intune to manage Android Enterprise devices. The administrator wants to deploy a set of required apps silently to fully managed devices. Which THREE steps are necessary?

Question 145 (easy, multi-select)

An organization uses Microsoft Defender for Endpoint to detect threats on Windows devices. The security team wants Intune to automatically increase the device's risk score when a threat is detected. Which TWO components are required?

Question 146 (hard, multiple choice)

Your organization has 5,000 Windows 10 devices managed by Microsoft Intune. You are implementing a new security policy that requires all devices to have BitLocker enabled with TPM validation. You create a device configuration profile for BitLocker and assign it to all devices. After two days, you notice that only 3,200 devices are compliant with the BitLocker policy. The remaining devices show 'Not applicable' for the setting. You verify that all devices are Windows 10 Pro or Enterprise and have TPM 2.0. What is the most likely cause of the 'Not applicable' status?

Question 147 (medium, multiple choice)

Your company uses Intune to manage iOS devices. You need to deploy a new app that is available in the Apple App Store. You create an iOS store app in Intune and assign it as 'Required' to a group of users. After 24 hours, some users report that the app is not installed. You verify that the app is available in the App Store and that the devices are online. The devices are supervised and enrolled via Apple Business Manager. What should you do first to troubleshoot the issue?

Question 148 (medium, multiple choice)

Your organization uses Microsoft Intune to manage Windows 10 devices. You need to ensure that devices are compliant with a new security policy that requires Windows Defender Antivirus to be enabled and up-to-date. You create a device compliance policy with the setting 'Require' for Windows Defender Antivirus. After assigning the policy, you see that 90% of devices are compliant. The remaining 10% show 'Not evaluated'. You check the devices and find that they are online, enrolled, and have Windows Defender Antivirus enabled. What is the most likely reason for the 'Not evaluated' status?

Question 149 (medium, multiple choice)

Your organization uses Microsoft Entra ID joined devices and Microsoft Intune for mobile device management. A user reports that their device is not receiving compliance policies. The device shows as 'Compliant' in Intune but the Conditional Access policy still blocks access. What should you verify first?

Question 150 (hard, multi-select)

Which TWO actions should you take to ensure that devices are automatically enrolled in Microsoft Intune when users sign in with a work account on Windows 10/11?

Question 151 (medium, multi-select)

Which THREE conditions can be used in a Conditional Access policy to require a compliant device?

Question 152 (hard, multiple choice)

Refer to the exhibit. The JSON shows a compliance policy for Windows 10 devices. Devices that do not meet the policy are marked as non-compliant. Which diagnostic step would you take to identify why a specific device is non-compliant despite having BitLocker enabled?

Exhibit

{
  "compliancePolicies": [
    {
      "@odata.type": "#microsoft.graph.windows10CompliancePolicy",
      "passwordRequired": true,
      "passwordMinimumLength": 6,
      "requireDeviceEncryption": true,
      "requireSecureBoot": true,
      "requireCodeIntegrity": true
    }
  ]
}

Question 153 (easy, multiple choice)

Your company has 500 Windows 10 devices that are Hybrid Azure AD joined and managed by Microsoft Intune. You need to deploy a new line-of-business (LOB) app to all devices. The app is packaged as a .msi file. You create a new app in Intune and assign it to a device group containing all devices. After 24 hours, some devices report the app as 'Installed' but others show 'Failed'. You verify that the devices are online and have network connectivity. What should you do next to resolve the installation failures?

Question 154 (medium, multiple choice)

Your organization uses Microsoft Intune to manage iOS and Android devices. You have a compliance policy that requires a minimum OS version: iOS 16.0 and Android 12.0. You also have a Conditional Access policy that requires compliant devices. Several users report that they cannot access corporate email on their personal Android devices. The devices are Android 11.0. You need to allow these users to access email while ensuring that corporate data is protected. What should you do?

Question 155 (hard, multiple choice)

Your company uses Microsoft Intune to manage 1,000 Windows 10 devices. You need to deploy a security baseline that includes BitLocker encryption, Windows Defender Antivirus settings, and firewall rules. You create a security baseline policy in Intune and assign it to a group containing all devices. After 48 hours, you notice that only 800 devices have applied the baseline. The remaining 200 devices show 'Pending' status. These devices are online and have network connectivity. What is the most likely cause and solution?

Question 156 (easy, multiple choice)

Your organization uses Microsoft Intune to manage devices. You need to configure a policy that prevents users from disabling the camera on their corporate iOS devices. You create a device restrictions profile and set the 'Enable camera' setting to 'No'. You assign the profile to a group containing all iOS devices. After 24 hours, users report that the camera is still functional. What should you check first?

Question 157 (medium, multiple choice)

Your company uses Microsoft Intune to manage Windows 10 devices. You have a compliance policy that requires devices to have a minimum of 4GB RAM and 64GB disk space. Several devices are marked non-compliant due to disk space. You check the devices and find they have 60GB free. The compliance policy checks total disk capacity, not free space. You need to allow these devices to be compliant. What should you do?

Question 158 (hard, multiple choice)

Your organization uses Microsoft Intune to manage devices. You have a Windows 10 device that is Azure AD joined and enrolled in Intune. The device is compliant, but the user cannot access corporate resources due to a Conditional Access policy requiring a compliant device. The user can access other cloud apps that do not require compliance. You check the Conditional Access policy and find it is configured correctly. What is the most likely issue?

Question 159 (easy, multiple choice)

Your organization uses Microsoft Intune to manage Android devices. You need to ensure that corporate data on these devices is protected in case the device is lost or stolen. You configure a compliance policy that requires device encryption and a device lock screen. However, you also want to be able to selectively wipe corporate data without wiping personal data. What should you do?

Question 160 (medium, multiple choice)

Your company uses Microsoft Intune to manage Windows 10 devices. You need to deploy a custom Windows 10 update ring that delays feature updates by 60 days and quality updates by 14 days. You create the update ring and assign it to a device group. After a week, you notice that devices are not receiving the quality updates as expected. What should you verify first?

Question 161 (hard, multiple choice)

Your organization uses Microsoft Intune to manage devices. You have a Windows 10 device that is co-managed with Configuration Manager. You need to configure a policy that requires BitLocker encryption. You create a BitLocker policy in Intune and assign it to the device. After 24 hours, BitLocker is not enabled on the device. You verify that the device is online and the policy is assigned. What is the most likely cause?

Question 162 (medium, multiple choice)

Your company uses Microsoft Intune to manage iOS devices. You have an app protection policy that requires a PIN to access corporate data. Users report that they can access corporate data without entering a PIN after the first time. You want to ensure that the PIN is required every time the app is opened. What should you configure?

Question 163 (easy, multiple choice)

Your organization uses Microsoft Intune to manage Windows 10 devices. You need to ensure that all devices have Windows Defender Antivirus enabled and up to date. You create a security baseline that includes antivirus settings and assign it to all devices. After a week, you find that some devices still have outdated antivirus definitions. What should you check first?
