Sample questions
Microsoft 365 Endpoint Administrator MD-102 practice questions
You are deploying a custom Windows 10 image to 200 new laptops using MDT. The deployment fails on several devices at the 'Apply Operating System' step with error 0x80070070. The laptops have 60 GB SSDs and 4 GB RAM. What is the most likely cause?
Trap 1: The laptops have insufficient RAM (4 GB) to run the deployment.
4 GB RAM is sufficient for Windows 10 deployment.
Trap 2: The deployment share is not accessible over the network.
Network issues would produce different errors.
Trap 3: The custom image is missing critical drivers.
Missing drivers cause different errors, not 0x80070070.
- A
The laptops have insufficient RAM (4 GB) to run the deployment.
Why wrong: 4 GB RAM is sufficient for Windows 10 deployment.
- B
The deployment share is not accessible over the network.
Why wrong: Network issues would produce different errors.
- C
The custom image is missing critical drivers.
Why wrong: Missing drivers cause different errors, not 0x80070070.
- D
The custom image is too large for the 60 GB SSD.
Error 0x80070070 means 'Not enough disk space'. The image likely exceeds available space.
A company uses Windows Autopilot for user-driven deployments. They want to ensure that during the out-of-box experience (OOBE), users are required to sign in with their Azure AD credentials and the device is automatically enrolled in Intune. Which Autopilot deployment profile setting should be configured?
Trap 1: Set 'Deployment mode' to 'Self-Deploying' and 'Join to Azure AD as'…
Self-deploying mode doesn't require user sign-in.
Trap 2: Set 'Deployment mode' to 'User-Driven' and 'Join to Azure AD as' to…
Hybrid join requires on-premises AD and a different flow.
Trap 3: Set 'Deployment mode' to 'White Glove' and 'Join to Azure AD as' to…
White Glove is for pre-provisioning, not user-driven OOBE.
- A
Set 'Deployment mode' to 'Self-Deploying' and 'Join to Azure AD as' to 'Azure AD joined'.
Why wrong: Self-deploying mode doesn't require user sign-in.
- B
Set 'Deployment mode' to 'User-Driven' and 'Join to Azure AD as' to 'Hybrid Azure AD joined'.
Why wrong: Hybrid join requires on-premises AD and a different flow.
- C
Set 'Deployment mode' to 'White Glove' and 'Join to Azure AD as' to 'Azure AD joined'.
Why wrong: White Glove is for pre-provisioning, not user-driven OOBE.
- D
Set 'Deployment mode' to 'User-Driven' and 'Join to Azure AD as' to 'Azure AD joined'.
This requires user sign-in and enrolls the device in Intune.
You are a Teams administrator. After running the PowerShell script shown in the exhibit, users report they cannot communicate with federated users from 'trusted.com'. What is the most likely cause?
Exhibit
Refer to the exhibit.
```
$session = New-CsOnlineSession -Verbose
Import-PSSession $session
Set-CsTenantFederationConfiguration -Identity Global -AllowFederatedUsers $true
Set-CsTenantFederationConfiguration -Identity Global -AllowPublicUsers $false
Set-CsTenantFederationConfiguration -Identity Global -BlockedDomains @{Add="suspicious.com"}
Set-CsTenantFederationConfiguration -Identity Global -AllowedDomains @{Add="trusted.com"}
Remove-CsOnlineSession $session
```
Trap 1: The AllowedDomains list does not include a wildcard '*' to allow…
If only trusted.com is allowed, users should be able to communicate with that domain. The problem states they cannot, so this is not the cause.
Trap 2: The script sets AllowPublicUsers to $false, which blocks all…
AllowPublicUsers controls public Skype users, not federated domains.
Trap 3: The script sets AllowFederatedUsers to $true, which disables…
Setting AllowFederatedUsers to $true enables federation, not disables it.
- A
The AllowedDomains list does not include a wildcard '*' to allow all domains, so only trusted.com is allowed.
Why wrong: If only trusted.com is allowed, users should be able to communicate with that domain. The problem states they cannot, so this is not the cause.
- B
The script sets AllowPublicUsers to $false, which blocks all external communication including federated users.
Why wrong: AllowPublicUsers controls public Skype users, not federated domains.
- C
The script sets AllowFederatedUsers to $true, which disables federated user communication.
Why wrong: Setting AllowFederatedUsers to $true enables federation, not disables it.
- D
The script did not run in a Teams PowerShell session that supports the Set-CsTenantFederationConfiguration cmdlet.
The New-CsOnlineSession and Import-PSSession sequence is correct, but if the module is not properly loaded or the session is not created with the right endpoint, the cmdlets may not be available, causing the script to have no effect.
Match each Co-management workload to its management authority when co-managed.
Intune
Intune (if Windows Update for Business selected)
Intune
Configuration Manager or Intune
Configuration Manager or Intune
Match each Microsoft 365 compliance feature to its description.
Prevent sensitive data from being shared inappropriately
Classify and protect documents and emails with labels
Manage retention and disposal of records
Search and export content for legal investigations
Log and investigate user and admin activities
Which TWO actions are supported by Microsoft Intune for managing macOS devices?
Trap 1: Configure Windows Hello for Business.
Windows Hello is Windows-only.
Trap 2: Enable BitLocker encryption.
BitLocker is Windows-only.
Trap 3: Deploy .app applications.
Intune supports .pkg or .dmg, not .app directly.
- A
Configure Windows Hello for Business.
Why wrong: Windows Hello is Windows-only.
- B
Apply device compliance policies.
Intune supports compliance policies for macOS.
- C
Enable BitLocker encryption.
Why wrong: BitLocker is Windows-only.
- D
Deploy software update policies.
Intune can manage macOS software updates.
- E
Deploy .app applications.
Why wrong: Intune supports .pkg or .dmg, not .app directly.
A company uses Configuration Manager to deploy Windows 10 to 2000 devices. After deployment, several devices report that the Start menu layout is not applied. The administrator used a provisioning package to configure Start layout. What is the most likely cause of the issue?
Trap 1: The devices are not Azure AD joined.
Azure AD join is not required for provisioning packages.
Trap 2: The provisioning package was not signed properly.
Signing does not prevent application.
Trap 3: The provisioning package was applied after user first logon.
Still would apply; override is more plausible.
- A
Group Policy settings are overriding the Start layout configuration.
GP can override provisioning package settings.
- B
The devices are not Azure AD joined.
Why wrong: Azure AD join is not required for provisioning packages.
- C
The provisioning package was not signed properly.
Why wrong: Signing does not prevent application.
- D
The provisioning package was applied after user first logon.
Why wrong: Still would apply; override is more plausible.
You need to deploy Windows 11 to a remote office with limited bandwidth. Which deployment method is most appropriate?
Trap 1: Cloud-based deployment using Windows Autopilot
Uses internet; may not optimize for limited bandwidth.
Trap 2: PXE boot deployment from a local server
Requires local server; bandwidth not optimized.
Trap 3: Multicast deployment from a central location
Multicast is efficient but may not be possible across WAN.
- A
Cloud-based deployment using Windows Autopilot
Why wrong: Uses internet; may not optimize for limited bandwidth.
- B
PXE boot deployment from a local server
Why wrong: Requires local server; bandwidth not optimized.
- C
Deployment using BranchCache
BranchCache caches content locally, reducing WAN usage.
- D
Multicast deployment from a central location
Why wrong: Multicast is efficient but may not be possible across WAN.
A company uses Configuration Manager to deploy Windows 11. During the deployment, the task sequence fails at the 'Apply Operating System' step. The error log shows 'Failed to find a valid operating system image package'. You verify that the operating system image package exists and is distributed to the distribution point. What is the most likely cause?
Trap 1: The client computer does not have enough disk space
Low disk space would cause a different error.
Trap 2: The task sequence is not associated with the correct boot image
Boot image issue would cause a different error.
Trap 3: The distribution point is not configured to support PXE boot
PXE is not related to applying OS image.
- A
The client computer does not have enough disk space
Why wrong: Low disk space would cause a different error.
- B
The task sequence is not associated with the correct boot image
Why wrong: Boot image issue would cause a different error.
- C
The operating system image package is not enabled for use with task sequences
The package must be enabled for task sequences.
- D
The distribution point is not configured to support PXE boot
Why wrong: PXE is not related to applying OS image.
A company plans to deploy Windows 11 to 500 devices using Microsoft Deployment Toolkit (MDT). The deployment must be fully automated with minimal user interaction. Which configuration should be used in the CustomSettings.ini file?
Trap 1: SkipApps=YES
Only skips application selection, not all wizards.
Trap 2: UserDataLocation=AUTO
Automates user data migration but does not skip wizards.
Trap 3: DoNotCreateExtraPartition=YES
Prevents extra partitions but does not automate wizard.
- A
SkipApps=YES
Why wrong: Only skips application selection, not all wizards.
- B
UserDataLocation=AUTO
Why wrong: Automates user data migration but does not skip wizards.
- C
SkipWizard=YES
Suppresses all wizard pages, enabling zero-touch deployment.
- D
DoNotCreateExtraPartition=YES
Why wrong: Prevents extra partitions but does not automate wizard.
Which TWO options are valid methods to deploy Windows 10 to new hardware in a Configuration Manager environment?
Trap 1: Microsoft Deployment Toolkit (MDT) Lite Touch
MDT is a separate tool, though it can be integrated with ConfigMgr.
Trap 2: Windows Autopilot self-deploying mode
Autopilot is a separate cloud service, not a ConfigMgr method.
Trap 3: Azure Migrate
Used for server migration, not OS deployment.
- A
Microsoft Deployment Toolkit (MDT) Lite Touch
Why wrong: MDT is a separate tool, though it can be integrated with ConfigMgr.
- B
Windows Autopilot self-deploying mode
Why wrong: Autopilot is a separate cloud service, not a ConfigMgr method.
- C
Azure Migrate
Why wrong: Used for server migration, not OS deployment.
- D
Bootable media deployment
Standard ConfigMgr deployment method.
- E
PXE-initiated task sequence deployment
Standard ConfigMgr deployment method.
Which THREE conditions must be met for a device to automatically enroll in Windows Autopilot?
Trap 1: The device must have BitLocker Drive Encryption enabled
Not a prerequisite for Autopilot enrollment.
Trap 2: The user must be a Global Administrator in Azure AD
Not required; any user with appropriate licenses can enroll.
- A
The device must have BitLocker Drive Encryption enabled
Why wrong: Not a prerequisite for Autopilot enrollment.
- B
The device must be Azure AD joined or Hybrid Azure AD joined
Autopilot requires Azure AD join.
- C
The device must have internet connectivity during OOBE
Internet is required to download Autopilot profile and join Azure AD.
- D
The device must be running Windows 10 version 1709 or later
Autopilot requires this version or later.
- E
The user must be a Global Administrator in Azure AD
Why wrong: Not required; any user with appropriate licenses can enroll.
You manage a Microsoft 365 tenant with 10,000 users. You are planning a Conditional Access policy to require MFA for all users. However, you need to ensure that users who have not yet registered for MFA are not blocked. What should you do to handle unregistered users?
Trap 1: Configure the Conditional Access policy in 'Report-only' mode to…
Report-only mode doesn't block, but it also doesn't force registration; unregistered users would still be able to access resources without MFA.
Trap 2: Exclude all users who have not registered for MFA from the…
This would leave those users unprotected, which is not secure.
Trap 3: Create a separate Conditional Access policy that requires MFA only…
Unregistered users cannot satisfy the MFA requirement, so they would be blocked.
- A
Configure the Conditional Access policy in 'Report-only' mode to identify unregistered users.
Why wrong: Report-only mode doesn't block, but it also doesn't force registration; unregistered users would still be able to access resources without MFA.
- B
Enable the Azure AD Identity Protection MFA registration policy to require users to register for MFA within 14 days.
This policy ensures users register before they are required to use MFA, preventing lockout.
- C
Exclude all users who have not registered for MFA from the Conditional Access policy.
Why wrong: This would leave those users unprotected, which is not secure.
- D
Create a separate Conditional Access policy that requires MFA only for users who have not registered for MFA.
Why wrong: Unregistered users cannot satisfy the MFA requirement, so they would be blocked.
A company with 500 users uses Microsoft 365 E3 licenses. They want to ensure that all users have multi-factor authentication (MFA) enforced. Currently, 80% of users have MFA enabled through the legacy per-user MFA setting. The security team wants to use Conditional Access policies instead. You need to migrate from per-user MFA to Conditional Access with no disruption to users. What should you do?
Trap 1: Create a Conditional Access policy requiring MFA for all cloud…
Including break-glass accounts in the policy could lock out administrators if the policy is misconfigured.
Trap 2: Create a Conditional Access policy requiring MFA for all users only…
This does not enforce MFA for internal access, which may not meet security requirements.
Trap 3: Disable per-user MFA for all users, then create a Conditional…
This would leave users without MFA during the gap between disabling per-user MFA and enabling the policy, causing disruption.
- A
Create a Conditional Access policy requiring MFA for all cloud apps, including break-glass accounts. Then disable per-user MFA.
Why wrong: Including break-glass accounts in the policy could lock out administrators if the policy is misconfigured.
- B
Create a Conditional Access policy requiring MFA for all users only when accessing from outside the corporate network.
Why wrong: This does not enforce MFA for internal access, which may not meet security requirements.
- C
Create a Conditional Access policy requiring MFA for all users, excluding break-glass accounts. Disable per-user MFA for all users.
This ensures MFA is always enforced and provides emergency access via break-glass accounts.
- D
Disable per-user MFA for all users, then create a Conditional Access policy requiring MFA for all cloud apps.
Why wrong: This would leave users without MFA during the gap between disabling per-user MFA and enabling the policy, causing disruption.
Which THREE of the following are valid methods for deploying Microsoft Intune compliance policies to devices?
Trap 1: Assign the policy directly to individual devices from the Intune…
Individual device assignment is not supported.
Trap 2: Assign the policy to a device category.
Device categories are not used for policy assignment.
- A
Assign the policy to a user group, which applies to devices enrolled by those users.
User-based assignment applies policies to devices enrolled by those users.
- B
Assign the policy to an Azure AD group that contains devices.
Groups are the primary method for assignment.
- C
Assign the policy directly to individual devices from the Intune console.
Why wrong: Individual device assignment is not supported.
- D
Assign the policy to a dynamic device group created using device rules.
Dynamic groups allow automatic inclusion of devices based on rules.
- E
Assign the policy to a device category.
Why wrong: Device categories are not used for policy assignment.
A multinational organization uses Microsoft 365 E5 licenses. The compliance officer wants to ensure that all documents containing credit card numbers are automatically classified and protected with a label that applies encryption. You configure auto-labeling policies in Microsoft Purview. After 24 hours, the compliance officer reports that no documents have been labeled. The policy scope is set to 'All locations' and the policy is enabled. What is the most likely cause of the issue?
Trap 1: No sensitivity labels have been published to the users.
Auto-labeling uses labels published by label policy; if not published, labeling fails.
Trap 2: Auto-labeling requires Azure Information Protection (AIP) add-on…
E5 includes auto-labeling; no add-on needed.
Trap 3: The priority of the policy is too low compared to other policies.
Priority determines which label wins, not whether labeling occurs.
- A
The policy is deployed in simulation mode only.
Auto-labeling policies start in simulation mode; you must turn on the policy to apply labels.
- B
No sensitivity labels have been published to the users.
Why wrong: Auto-labeling uses labels published by label policy; if not published, labeling fails.
- C
Auto-labeling requires Azure Information Protection (AIP) add-on license.
Why wrong: E5 includes auto-labeling; no add-on needed.
- D
The priority of the policy is too low compared to other policies.
Why wrong: Priority determines which label wins, not whether labeling occurs.
A company uses Microsoft Intune to manage devices. They want to ensure that when a device is reported as lost or stolen, the IT admin can remotely wipe the device. Which action should the admin take in the Intune console?
Trap 1: Select the device and choose 'Retire'.
Retire only removes company data and apps.
Trap 2: Select the device and choose 'Reset'.
Reset is for re-enrollment, not data removal.
Trap 3: Select the device and choose 'Delete'.
Delete removes the device from management without a wipe.
- A
Select the device and choose 'Retire'.
Why wrong: Retire only removes company data and apps.
- B
Select the device and choose 'Wipe'.
Wipe performs a factory reset, removing all data.
- C
Select the device and choose 'Reset'.
Why wrong: Reset is for re-enrollment, not data removal.
- D
Select the device and choose 'Delete'.
Why wrong: Delete removes the device from management without a wipe.
An organization uses Microsoft Intune to manage Windows 10 devices. They deploy a PowerShell script via Intune to install a custom application. The script runs successfully on some devices but fails on others with error code 0x80070002. What is the most likely cause?
Trap 1: The script execution exceeds the 60-minute timeout.
Timeout would give a different error.
Trap 2: The user does not have local administrator privileges on the…
Scripts run as SYSTEM.
Trap 3: The PowerShell execution policy is set to Restricted on the failing…
Intune runs scripts with bypass policy.
- A
The script execution exceeds the 60-minute timeout.
Why wrong: Timeout would give a different error.
- B
The user does not have local administrator privileges on the failing devices.
Why wrong: Scripts run as SYSTEM.
- C
The script references a file path that does not exist on the failing devices.
Error 0x80070002 is 'File not found'.
- D
The PowerShell execution policy is set to Restricted on the failing devices.
Why wrong: Intune runs scripts with bypass policy.
An organization uses Configuration Manager to manage Windows 10 devices. The administrator is configuring a phased deployment for a software update. Which THREE conditions can be used to define the phases?
Trap 1: Time-based delay between phases
Time delay is a configuration within a phase, not a condition to define phases.
Trap 2: Device compliance status
Device compliance is not a condition for defining phases.
- A
Collection membership
Phases can target specific collections.
- B
Time-based delay between phases
Why wrong: Time delay is a configuration within a phase, not a condition to define phases.
- C
Percentage of clients
Phases can roll out to a percentage of clients.
- D
Device compliance status
Why wrong: Device compliance is not a condition for defining phases.
- E
Manual approval for next phase
Phases can require manual approval before proceeding.
A company uses Microsoft Intune to manage devices. They have a Windows 10 device that is non-compliant due to missing required updates. The administrator reviews the device and sees the update status shows 'Pending restart'. Which THREE actions should the administrator take to resolve the compliance issue?
Trap 1: Wait for the automatic restart from the compliance policy.
Compliance policy does not force restart.
Trap 2: Re-enroll the device in Intune.
Re-enrollment is not required.
- A
Check the Update Rings policy for deferral settings.
Deferrals may delay update installation.
- B
Sync the device with Intune.
Sync triggers a compliance evaluation.
- C
Restart the device.
Restart completes the update installation.
- D
Wait for the automatic restart from the compliance policy.
Why wrong: Compliance policy does not force restart.
- E
Re-enroll the device in Intune.
Why wrong: Re-enrollment is not required.
An administrator uses Configuration Manager to manage Windows 10 devices. The administrator wants to deploy a custom Windows application as an Application model deployment type. The application requires a reboot. Which deployment purpose should the administrator use to allow users to control the installation timing?
Trap 1: Mandatory
Mandatory is not a standard term; 'Required' is the correct term.
Trap 2: Pre-deploy
Pre-deploy is not a standard deployment purpose.
Trap 3: Required
Required installations are forced and may not allow user control over timing.
- A
Mandatory
Why wrong: Mandatory is not a standard term; 'Required' is the correct term.
- B
Pre-deploy
Why wrong: Pre-deploy is not a standard deployment purpose.
- C
Required
Why wrong: Required installations are forced and may not allow user control over timing.
- D
Available
Available deployments allow users to install at their convenience from Software Center.
You are troubleshooting a Windows 10 device that is enrolled in Microsoft Intune. The device shows as 'Pending' in the Intune console. The user confirms that the device was enrolled using a provisioning package. Which log file should you review to diagnose the enrollment failure?
Trap 1: %windir%\temp\MdmEnrollment.log
This logs MDM enrollment but not provisioning package details.
Trap 2: %windir%\Panther\setupact.log
This logs Windows setup, not provisioning.
Trap 3: Event Viewer under Applications and Services Logs > Microsoft >…
This is a provider, not a single log file.
- A
%windir%\temp\MdmEnrollment.log
Why wrong: This logs MDM enrollment but not provisioning package details.
- B
%ProgramData%\Microsoft\Provisioning\ProvisioningPackage.log
This log contains provisioning package enrollment details.
- C
%windir%\Panther\setupact.log
Why wrong: This logs Windows setup, not provisioning.
- D
Event Viewer under Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider
Why wrong: This is a provider, not a single log file.
A technician is troubleshooting a Windows 11 device that is enrolled in Intune. The device reports as 'Not compliant' due to missing required updates. The administrator runs the following command on the device and receives the output shown. What should the administrator do next to resolve the compliance issue?
Trap 1: Check for a policy conflict in Intune.
The issue is a pending restart, not a policy conflict.
Trap 2: Run a manual sync from the Company Portal app.
Sync will not complete the update installation; a restart is required.
Trap 3: Verify network connectivity to Microsoft Update.
Connectivity is not indicated as a problem.
- A
Check for a policy conflict in Intune.
Why wrong: The issue is a pending restart, not a policy conflict.
- B
Run a manual sync from the Company Portal app.
Why wrong: Sync will not complete the update installation; a restart is required.
- C
Verify network connectivity to Microsoft Update.
Why wrong: Connectivity is not indicated as a problem.
- D
Restart the device.
A pending restart is blocking the updates from completing.
A company uses Microsoft Intune to manage Windows 10 devices. They need to ensure that only devices with BitLocker enabled can access corporate email via Exchange Online. Which configuration should the administrator use to enforce this requirement?
Trap 1: Create a Device Compliance policy for Windows 10 with the 'Require…
Compliance policies mark devices as non-compliant but do not enforce access control without Conditional Access.
Trap 2: Create an App Protection policy for the Outlook mobile app that…
App Protection policies apply to apps, not to the device itself, and do not enforce BitLocker.
Trap 3: Configure Windows Defender Firewall to block non-BitLocker…
Firewall does not enforce encryption requirements.
- A
Create a Device Compliance policy for Windows 10 with the 'Require encryption of data storage on device' setting enabled.
Why wrong: Compliance policies mark devices as non-compliant but do not enforce access control without Conditional Access.
- B
Create a Conditional Access policy that requires device compliance and assign it to Exchange Online.
Conditional Access can enforce access based on compliance, which includes BitLocker status.
- C
Create an App Protection policy for the Outlook mobile app that requires device encryption.
Why wrong: App Protection policies apply to apps, not to the device itself, and do not enforce BitLocker.
- D
Configure Windows Defender Firewall to block non-BitLocker encrypted devices.
Why wrong: Firewall does not enforce encryption requirements.