Microsoft 365 Endpoint Administrator MD-102 (MD-102) — Questions 175

991 questions total · 14 pages · All types, answers revealed

1. MCQ, medium

Refer to the exhibit. You run this PowerShell script using the Microsoft Graph PowerShell SDK. What is the purpose of this script?

A. To check compliance status of devices.
B. To enroll devices in Intune.
C. To remove unsupported devices from Intune.
D. To identify devices that are not supported for compliance policies.
Answer: D

The script flags Windows RT and Windows Mobile devices.

Why this answer

Option B is correct. The script iterates through managed devices and outputs a message for Windows RT and Windows Mobile devices, indicating they are not supported for compliance. Option A is wrong because it does not remove devices.

Option C is wrong because it does not check compliance status. Option D is wrong because it does not enroll devices.

2. MCQ, medium

Your organization uses Microsoft Intune to manage devices. You need to ensure that only devices with a minimum OS version can access corporate email via Microsoft Outlook for iOS. Which policy type should you configure?

A. Device configuration policy
B. Conditional Access policy
C. Device compliance policy
D. App protection policy (MAM)
Answer: D

App protection policies can require a minimum OS version for managed apps.

Why this answer

Option D is correct because App Protection Policies (MAM) allow you to target specific apps like Microsoft Outlook for iOS with conditional launch settings, including minimum OS version requirements. This policy applies at the app layer without requiring device enrollment, making it ideal for controlling access to corporate data in Outlook on iOS devices based on OS version.

Exam trap

The trap here is that candidates often confuse Device Compliance Policies (Option C) with app-level OS version controls, not realizing that MAM policies can enforce OS version requirements directly on the app without device enrollment.

How to eliminate wrong answers

Option A is wrong because Device Configuration Policies manage device settings (e.g., Wi-Fi, VPN, restrictions) but do not enforce OS version requirements for app-level access. Option B is wrong because Conditional Access policies control access at the authentication layer (e.g., requiring compliant devices) but cannot enforce a minimum OS version specifically for the Outlook app on iOS without device compliance integration. Option C is wrong because Device Compliance Policies evaluate device-level compliance (e.g., OS version, jailbreak status) but require device enrollment and are not app-specific; they would block all access from non-compliant devices, not just Outlook.

3. MCQ, easy

You need to deploy a Microsoft 365 Apps for enterprise configuration to devices managed by Intune. Which policy type should you use?

A. Device configuration profile (settings catalog)
B. Managed apps policy
C. Windows update ring policy
D. Microsoft 365 Apps (Windows) configuration policy
Answer: D

This policy type is designed to configure Microsoft 365 Apps.

Why this answer

Option B is correct. Intune uses 'Microsoft 365 Apps (Windows)' configuration policies specifically for Microsoft 365 Apps. Option A is for general app deployment.

Option C is for Windows settings. Option D is for device configuration.

4. MCQ, hard

You are troubleshooting a Microsoft 365 Apps for enterprise deployment on Windows 10 devices managed by Intune. Users report that the apps are not installing, but the deployment status in Intune shows 'Success' for some devices and 'Failed' for others. On a failing device, you discover that the Office Deployment Tool (ODT) logs indicate '0x80070005 - Access denied'. What is the most likely cause?

A. The device has insufficient disk space for the installation.
B. The configuration.xml file has an invalid Channel attribute.
C. The device does not have internet connectivity to download Office installation files.
D. The Office Deployment Tool is running in user context instead of system context.
Answer: D

Running as user leads to access denied when writing to Program Files.

Why this answer

Option D is correct because the ODT requires administrative privileges to install Office. If the installation context is user-level, access denied occurs. Option A is wrong because network issues typically give different error codes.

Option B is wrong because configuration.xml syntax errors cause different errors. Option C is wrong because disk space errors are different.

5. MCQ, easy

You need to deploy Windows 11 to a remote office with limited bandwidth. Which deployment method is most appropriate?

A. Cloud-based deployment using Windows Autopilot
B. PXE boot deployment from a local server
C. Deployment using BranchCache
D. Multicast deployment from a central location
Answer: C

BranchCache caches content locally, reducing WAN usage.

Why this answer

BranchCache is the most appropriate deployment method for a remote office with limited bandwidth because it allows clients to cache content locally from a peer after the first download, reducing WAN link usage. In Windows deployment, BranchCache can be used with Configuration Manager or standalone to distribute OS images efficiently by having clients retrieve data from local peers rather than repeatedly downloading from a central source over a slow link.

Exam trap

The trap here is that candidates often confuse BranchCache with peer caching in general or assume multicast is always the best for bandwidth savings, but multicast still requires a full WAN transfer of the image, whereas BranchCache avoids redundant WAN traffic entirely after the first download.

How to eliminate wrong answers

Option A is wrong because Windows Autopilot is a cloud-based provisioning method that requires internet connectivity to download the OS image from Microsoft Intune or Windows Update, which would consume significant bandwidth over a limited link. Option B is wrong because PXE boot deployment from a local server requires a local Distribution Point or server at the remote site, which may not be available or feasible in a remote office with limited infrastructure. Option D is wrong because multicast deployment from a central location sends a single stream to multiple clients simultaneously, but it still requires the entire OS image to traverse the WAN link once, which can saturate limited bandwidth and does not leverage local caching.

6. MCQ, hard

Your organization uses Microsoft Intune to manage iOS/iPadOS devices. You need to deploy a custom VPN configuration that uses per-app VPN and certificate-based authentication. The certificate is already deployed via a PKCS certificate profile. However, the VPN connection fails. What is the most likely reason?

A. The certificate is not trusted by the device
B. The per-app VPN profile does not include the app bundle IDs or is not associated with the certificate
C. The VPN profile is not assigned to the correct device group
D. The VPN server type is not supported by iOS
Answer: B

The per-app VPN profile must specify the apps and associate the certificate.

Why this answer

Option B is correct because per-app VPN on iOS requires a VPN profile that includes the app identifier list and associates it with the certificate, and the certificate must be properly configured. Option A is wrong because the certificate is already deployed. Option C is wrong because per-app VPN does not require a separate MDM profile for each app.

Option D is wrong because the VPN server type is not necessarily the issue.

7. MCQ, easy

Your organization uses Microsoft Intune to manage Windows 10 devices. You need to deploy a PowerShell script that runs at every device startup to map network drives based on the user's security group membership. The script should run in the system context and should not require user interaction. How should you configure the script deployment in Intune?

A. Add the script as a Windows PowerShell script in Intune and assign it to users, so it runs when users log in.
B. Use Proactive remediations in Intune to run the script on a schedule.
C. Add the PowerShell script as a Windows PowerShell script in Intune, set the execution context to 'System', and configure the script to run at device startup.
D. Create a device configuration profile that includes the script as a custom setting.
Answer: C

Intune PowerShell scripts can run in system context and at startup.

Why this answer

Option A is correct because Intune supports PowerShell scripts that can run in the system context and be set to run at startup. Option B is incorrect because the script needs to run at startup, not on demand. Option C is incorrect because a device configuration profile cannot run scripts.

Option D is incorrect because Proactive remediations are for detecting and fixing issues, not for running scripts at startup.

8. MCQ, medium

Your organization uses Microsoft Entra ID joined devices and Microsoft Intune for mobile device management. A user reports that their device is not receiving compliance policies. The device shows as 'Compliant' in Intune but the Conditional Access policy still blocks access. What should you verify first?

A. Check if the compliance policy is assigned to the device's group.
B. Review the Conditional Access policy to ensure it requires a compliant device.
C. Confirm the device is enrolled in Intune.
D. Verify the user is in the correct Azure AD group for Conditional Access.
Answer: C

If not enrolled, compliance policies are not applied.

Why this answer

Option C is correct because the most common cause of this issue is that the device is not enrolled in Intune, so compliance policies are not applied. Option A is wrong because the device shows as compliant, so the compliance policy is applied. Option B is wrong because the user is a member of the group.

Option D is wrong because Conditional Access policies require compliance data; the issue is that the device lacks the policy.

9. Multi-Select, medium

Which TWO actions can you perform using Windows Autopilot in Microsoft Intune?

Select 2 answers
A. Enforce security baselines on devices
B. Convert existing devices to Autopilot by uploading hardware hash
C. Deploy third-party applications automatically
D. Customize the out-of-box experience (OOBE) for users
E. Configure BIOS settings remotely
Answers: B, D

Allows redeploying existing devices.

Why this answer

Option B is correct because Windows Autopilot allows you to import a hardware hash (a unique device identifier) from existing devices into Intune, converting them into Autopilot devices. This enables you to apply Autopilot deployment profiles and customize the OOBE without requiring a full OS reinstall, leveraging the device's existing identity.

Exam trap

The trap here is that candidates confuse Windows Autopilot's OOBE customization capabilities with broader device management features like security baselines or third-party app deployment, which are handled by Intune policies after enrollment, not during the Autopilot provisioning phase.

10. MCQ, easy

You need to deploy a Microsoft 365 Apps for enterprise configuration that includes Teams and Visio Pro for Microsoft 365. Users should get the full suite with both apps. What is the recommended method?

A. Use the built-in Microsoft 365 Apps for enterprise app type in Intune and select the products.
B. Instruct users to install from the Office portal.
C. Deploy a PowerShell script that runs Setup.exe /configure.
D. Create a Win32 app with the Office Deployment Tool and a configuration.xml that includes both products.
Answer: D

ODT allows full customization of products.

Why this answer

Option C is correct because the Office Deployment Tool and a custom configuration.xml allow you to specify products, languages, and update channels. Option A is wrong because Intune built-in Microsoft 365 Apps app allows selecting products but may not include Visio easily. Option B is wrong because manually installing is not scalable.

Option D is wrong because PowerShell scripts are less reliable.

11. MCQ, hard

Refer to the exhibit. You are configuring Windows enrollment restrictions in Intune. After applying this JSON, a user tries to enroll a Windows 10 device but receives an error that enrollment is blocked. What is the most likely cause?

A. The device does not meet authentication requirements
B. The enrollment is restricted to Windows Holographic only
C. The device type filter excludes Windows 10
D. The user already has 5 devices enrolled
Answer: A

requireDeviceAuthentication prevents enrollment without proper device auth.

Why this answer

The JSON configuration sets 'minimumVersion' to '10.0.22000' (Windows 11) and 'maximumVersion' to '10.0.22621.0' (Windows 11 22H2), which excludes all Windows 10 builds. Since the user is attempting to enroll a Windows 10 device, it falls outside the allowed version range, causing the enrollment block. The error message 'enrollment is blocked' aligns with a version restriction failure, not an authentication issue.

Exam trap

The trap here is that candidates assume the error 'enrollment is blocked' always points to authentication or device count limits, but the JSON's version range silently excludes Windows 10, which is the actual root cause.

How to eliminate wrong answers

Option A is incorrect because the error is not related to authentication; the JSON does not contain any authentication-related settings (e.g., 'requireMultiAuth' or 'deviceEnrollmentLimit'). Option B is incorrect because the JSON does not specify 'deviceType' or 'platform' restrictions; it only filters by OS version, not by Holographic or any specific SKU. Option C is incorrect because the device type filter is not present in the JSON; the restriction is based on OS version range, not device type.

Option D is incorrect because the JSON does not include a 'deviceEnrollmentLimit' key; the user's device count is not restricted by this configuration.

12. MCQ, hard

Refer to the exhibit. The JSON snippet shows a dynamic device group configuration in Microsoft Intune. What is the effect of the 'enrollmentTimeDeviceMembershipLimit' property set to 15?

A. The group will only contain devices that have been enrolled for at least 15 days
B. Only devices enrolled in the last 15 days are eligible
C. Limits the number of devices in the group to 15
D. Devices added to the group will be removed after 15 days from enrollment
Answer: D

This property sets a time limit for membership after enrollment.

Why this answer

Option B is correct. The enrollmentTimeDeviceMembershipLimit property defines how many days after enrollment a device remains in the dynamic group. Option A is wrong because it does not limit total devices.

Option C is wrong because it does not limit scope tags. Option D is wrong because it does not limit assignments.

13. MCQ, easy

You manage Windows 10 devices with Microsoft Intune. You need to deploy a PowerShell script that runs in the user context to configure user settings. What type of script should you use?

A. A platform script for Windows.
B. A PowerShell script deployed via Intune Management Extension.
C. A discovery script.
D. A remediation script.
Answer: B

PowerShell scripts can run in user context.

Why this answer

Option B is correct because Microsoft Intune supports PowerShell scripts that can run in the user context. Option A is wrong because remediation scripts are for proactive remediations. Option C is wrong because platform scripts are for macOS/Linux.

Option D is wrong because discovery scripts are for detecting issues.

14. Multi-Select, easy

Which TWO of the following are valid remote assistance tools for Windows devices managed by Microsoft Intune? (Choose two.)

Select 2 answers
A. Windows Remote Management (WinRM)
B. Remote Desktop
C. Quick Assist
D. Skype
E. TeamViewer
Answers: C, E

Quick Assist is a Windows built-in tool for remote assistance.

Why this answer

Quick Assist is a built-in Windows tool that allows remote assistance connections and is fully supported for managed devices in Microsoft Intune. It uses Remote Desktop Protocol (RDP) for screen sharing and control, and can be deployed and configured via Intune policies, making it a valid remote assistance option.

Exam trap

The trap here is that candidates often confuse Remote Desktop (full remote access) with remote assistance (attended, consent-based support), leading them to select Remote Desktop instead of Quick Assist or TeamViewer.

15. Multi-Select, medium

Which TWO settings can be configured in a Microsoft Intune device compliance policy for iOS/iPadOS?

Select 2 answers
A. Allow app installation from App Store only
B. Block USB devices
C. Require a password
D. Minimum OS version
E. Jailbroken devices
Answers: C, D

This is a compliance setting.

Why this answer

Option C is correct because Intune device compliance policies for iOS/iPadOS include a setting to require a password on the device, which can enforce specific password complexity rules such as minimum length, number of complex characters, and lockout behavior. This setting is a core compliance requirement for securing devices that access corporate resources.

Exam trap

The trap here is that candidates often confuse settings available in device compliance policies with those in device configuration profiles, mistakenly thinking restrictions like app store installation or USB blocking are compliance settings, when they are actually managed under configuration profiles.

16. Multi-Select, hard

You need to configure a Microsoft Intune policy to ensure that only devices with a minimum OS version can access corporate email. Which THREE policy types can enforce this requirement?

Select 3 answers
A. Device compliance policy
B. App protection policy
C. Enrollment restrictions
D. Device configuration profile
E. Conditional access policy
Answers: A, B, E

Compliance policy can require minimum OS version.

Why this answer

Options A, C, and D are correct. A: Device compliance policy can mark devices as non-compliant if OS version is below minimum. C: Conditional access policy can block access based on device state.

D: App protection policy can require minimum app version, which maps to OS version in some contexts. Option B is wrong because configuration profiles do not enforce access. Option E is wrong because enrollment restrictions block enrollment, not access after enrollment.

17. MCQ, easy

Your organization uses Microsoft Intune to manage iOS/iPadOS devices. You need to deploy a VPP (Volume Purchase Program) app that is already purchased and assigned to your tenant. What is the minimum configuration required to make the app available to users?

A. Configure a device enrollment restriction to allow the app.
B. Sync the VPP token, then add the app from the store and assign it.
C. Distribute the app via the Company Portal without any additional configuration.
D. Upload the app IPA file to Intune, then create an app configuration policy.
Answer: B

Syncing the token brings in purchased licenses, then you can assign the app.

Why this answer

Option B is correct because VPP apps require a token to be synced with Intune, and then the app can be assigned as required or available. Option A is wrong because app configuration policies are optional. Option C is wrong because device enrollment restrictions don't affect app assignment.

Option D is wrong because the Company Portal is used for available apps but is not strictly required for required installs.

18. MCQ, easy

You manage Android Enterprise devices with Microsoft Intune. You need to ensure that work profile apps are automatically installed when a user enrolls their device. What should you configure?

A. Auto-enrollment with app assignment to the 'All devices' group.
B. A device configuration policy to allow Google Play Store.
C. A compliance policy for work profile.
D. A managed Google Play app assignment with 'Required' intent.
Answer: A

Auto-enrollment allows automatic app installation during enrollment.

Why this answer

In Android Enterprise, you can configure 'Auto-enrollment' to automatically install required apps in the work profile when the device enrolls. Option A is incorrect because compliance policies do not install apps. Option C is incorrect because configuration policies do not install apps.

Option D is incorrect because the Google Play Store is used for distribution, but the trigger is auto-enrollment.

19. MCQ, medium

Contoso has iOS/iPadOS devices managed by Intune. They need to prevent users from installing apps from outside the Apple App Store and ensure that devices with a jailbreak are blocked from accessing corporate email. Which two policies should they combine?

A. Device compliance policy and Conditional Access
B. Windows Autopilot and Intune enrollment
C. Device configuration profile and Microsoft Defender XDR
D. App protection policy and Conditional Access
Answer: A

Device compliance policy detects jailbreak; Conditional Access blocks noncompliant devices.

Why this answer

Option D is correct: Device compliance policy can detect jailbroken devices and mark them noncompliant; Conditional Access then blocks access. Option A (App protection policy) can restrict app installation to managed apps but not detect jailbreak. Option B (Device configuration profile) can enforce restrictions but jailbreak detection is a compliance feature.

Option C (Autopilot) is for provisioning only.

20. MCQ, easy

You need to remotely wipe a lost corporate-owned iOS device that is enrolled in Microsoft Intune. Which action should you perform in the Intune console?

A. Retire.
B. Wipe.
C. Delete.
D. Reset.
Answer: B

Wipe performs a factory reset, suitable for lost devices.

Why this answer

The 'Wipe' action performs a factory reset on the device. Option B is incorrect because 'Retire' removes management and corporate data but does not wipe personal data (and is less thorough). Option C is incorrect because 'Delete' removes the device from management without wiping.

Option D is incorrect because 'Reset' is not a standard action.

21. MCQ, easy

You are configuring an app protection policy in Microsoft Intune for iOS/iPadOS devices. Which setting can you enforce to prevent users from copying data from a managed app and pasting it into an unmanaged app?

A. Restrict cut, copy, and paste between other apps
B. Require a PIN for access
C. Prevent iTunes and iCloud backups
D. Block managed apps from running on jailbroken devices
Answer: A

This setting restricts clipboard operations between managed and unmanaged apps.

Why this answer

Option A is correct because the 'Restrict cut, copy, and paste between other apps' setting controls data transfer. Option B is wrong because 'Prevent backup' does not restrict clipboard. Option C is wrong because 'Require PIN' is for access control.

Option D is wrong because 'Block managed apps from running on jailbroken devices' is a device condition.

22. Multi-Select, medium

A company is planning to deploy Windows 11 using Microsoft Deployment Toolkit (MDT). The administrator needs to ensure that the deployment can be fully automated without user interaction. Which TWO settings should be configured in the CustomSettings.ini file?

Select 2 answers
A. SkipTaskSequence=YES
B. SkipComputerBackup=YES
C. SkipBitLocker=YES
D. SkipDomainMembership=YES
E. SkipFinalSummary=YES
Answers: A, E

Skips task sequence selection.

Why this answer

Option A is correct because setting SkipTaskSequence=YES in CustomSettings.ini allows MDT to bypass the Task Sequence Wizard, enabling a fully automated, zero-touch deployment. Option E is correct because SkipFinalSummary=YES suppresses the final summary dialog that would otherwise require user acknowledgment to complete the deployment. Together, these two settings eliminate all interactive prompts during the deployment process.

Exam trap

The trap here is that candidates often assume any single Skip* setting (like SkipDomainMembership or SkipBitLocker) is sufficient for full automation, but Microsoft explicitly requires both SkipTaskSequence and SkipFinalSummary to eliminate all user interaction in MDT.

23. MCQ, medium

Your organization is evaluating Microsoft Intune for device management. The security team requires that all devices be registered in Microsoft Entra ID before they can enroll in Intune. Which configuration should you implement?

A. Configure enrollment restrictions to require corporate ownership
B. Set device type restrictions to block unregistered devices
C. Configure automatic enrollment via Group Policy
D. Configure Microsoft Entra join or Microsoft Entra registration as a prerequisite for Intune enrollment
Answer: D

This ensures devices are registered in Entra ID before they can enroll in Intune.

Why this answer

Option B is correct because requiring Microsoft Entra join or registration forces device identity in Entra ID before Intune enrollment. Option A is wrong because automatic enrollment doesn't enforce registration first. Option C is wrong because device type restrictions affect allowed platforms, not identity.

Option D is wrong because enrollment restrictions apply to enrolling users/devices, not identity prerequisites.

24. MCQ, hard

Refer to the exhibit. An administrator runs this Graph PowerShell script. What is the purpose?

A. To output the device names of all Windows devices.
B. To list the IDs of Microsoft Entra ID joined Windows devices.
C. To list devices that are registered in Autopilot.
D. To update the enrollment type of all Windows devices.
Answer: B

Enrollment type windowsAzureADJoin indicates Entra ID join.

Why this answer

Option C is correct because the script filters for devices with enrollment type 'windowsAzureADJoin' (Microsoft Entra ID joined) and outputs their IDs. Option A is wrong because it outputs IDs, not device names. Option B is wrong because it does not check the autopilot profile.

Option D is wrong because it does not update any properties.

25. MCQ, easy

Your organization uses Microsoft Intune to manage Windows 10 devices. You need to configure a Windows 10 update ring that ensures feature updates are deferred by 120 days and quality updates are deferred by 30 days. Which settings should you configure in the update ring?

A. Set feature update deferral to 180 days and quality update deferral to 0 days.
B. Set feature update deferral to 30 days and quality update deferral to 120 days.
C. Set feature update deferral to 120 days and quality update deferral to 30 days.
D. Set both feature and quality update deferrals to 60 days.
Answer: C

This matches the required deferral periods.

Why this answer

Option C is correct because the Windows 10 update ring settings in Microsoft Intune allow you to specify deferral periods for feature updates and quality updates independently. To meet the requirement of deferring feature updates by 120 days and quality updates by 30 days, you must set the feature update deferral to 120 days and the quality update deferral to 30 days. These values directly control how long the device waits before installing the respective update types after Microsoft releases them.

Exam trap

The trap here is that candidates often confuse the deferral periods for feature and quality updates, mistakenly swapping the values or assuming a single deferral applies to both, when the question explicitly requires independent settings for each update type.

How to eliminate wrong answers

Option A is wrong because setting feature update deferral to 180 days exceeds the required 120-day deferral, and setting quality update deferral to 0 days provides no deferral, failing the 30-day requirement. Option B is wrong because it reverses the deferral periods: feature updates would be deferred only 30 days (not 120) and quality updates would be deferred 120 days (not 30), which does not match the specified requirements. Option D is wrong because setting both deferrals to 60 days would defer feature updates by only 60 days instead of the required 120 days, and quality updates by 60 days instead of 30 days, failing both conditions.

26. MCQ, medium

A company uses Intune to manage Windows 10 devices. They need to deploy a line-of-business (LOB) Win32 app to devices that are not assigned to any user. The app requires installation in the system context. Which installation behavior should be configured in the Intune Win32 app deployment?

A. User
B. Device
C. System
D. LoggedOnUser
Answer: C

System installs in the system context, suitable for device-wide and userless deployments.

Why this answer

Option C (System) is correct because the Win32 app must run in the system context to install without a user session, which is required for devices not assigned to any user. In Intune, the 'System' installation behavior runs the installer as the local SYSTEM account, enabling silent, elevated installations regardless of user presence.

Exam trap

The trap here is that candidates confuse 'System' with 'Device' or 'LoggedOnUser', not realizing that 'Device' is not a valid installation behavior and that 'System' is the only option that guarantees installation without a user session.

How to eliminate wrong answers

Option A (User) is wrong because it runs the installer in the user context, which requires an interactive user session and cannot install on devices without assigned users. Option B (Device) is wrong because 'Device' is not a valid installation behavior in Intune Win32 app deployment; the correct options are User, System, and LoggedOnUser. Option D (LoggedOnUser) is wrong because it runs the installer in the context of the currently logged-on user, which also requires an active user session and fails on devices with no user assigned.

27. MCQ, medium

Your organization uses Microsoft Intune to manage iOS/iPadOS devices. You need to ensure that only devices running iOS 16 or later can enroll. Which configuration should you use?

A. Create a device configuration profile that requires iOS 16.0.
B. Modify the enrollment profile to require iOS 16.0.
C. Create a compliance policy that requires iOS 16.0 or later.
D. Create an enrollment platform restriction for iOS/iPadOS and set the minimum OS version to 16.0.
Answer: D

Platform restrictions block devices with older OS versions during enrollment.

Why this answer

Option A is correct because platform restrictions allow you to set minimum OS versions for enrollment. Option B is wrong because compliance policies are applied after enrollment. Option C is wrong because device configuration profiles manage settings, not enrollment.

Option D is wrong because the enrollment profile specifies enrollment method, not OS version restrictions.

28. MCQ, medium

Your organization uses Microsoft Intune to manage Windows 11 devices. You need to deploy a line-of-business (LOB) app that is signed with a certificate not trusted by the devices. What should you do to ensure the app installs successfully?

A. Create a device configuration profile to allow sideloading.
B. Add the app to the Microsoft Store for Business.
C. Disable automatic app updates for the device group.
D. Enable the Sideloading policy for the device group.
Answer: D

Sideloading allows installation of apps signed with untrusted certificates.

Why this answer

To install an LOB app that is not signed by a trusted certificate, you must disable the Sideloading policy for the device group. Option A is correct because enabling sideloading allows installation of apps signed with untrusted certificates. Option B is wrong because allowing sideloading does not require the app to be in the Microsoft Store.

Option C is wrong because the Sideloading policy is not a device configuration profile but an app deployment policy. Option D is wrong because disabling automatic updates does not affect sideloading.

29. MCQ, medium

You configured the above app protection policy for a Microsoft 365 app. Users report that they cannot paste text from the managed app into another app. What is the most likely reason?

A. The 'pinLength' requirement is not met.
B. The 'requireBiometric' setting is blocking actions.
C. The 'dataTransferPolicy' is set to 'allowNone', which prevents data from leaving the managed app.
D. The 'allowCutCopy' setting is set to false, which blocks copy, but paste is unaffected.
Answer: C

This setting blocks clipboard operations to unmanaged apps.

Why this answer

The 'dataTransferPolicy' setting controls how data can be transferred between managed and unmanaged apps. When set to 'allowNone', it prevents any data from leaving the managed app, including paste operations from the managed app into another app. This is the most direct cause of the reported issue.

Exam trap

The trap here is that candidates often confuse 'allowCutCopy' (which controls copy/cut within the app) with 'dataTransferPolicy' (which controls data leaving the app), leading them to incorrectly select Option D.

How to eliminate wrong answers

Option A is wrong because 'pinLength' only enforces a minimum PIN length for app access and does not affect data transfer or paste behavior. Option B is wrong because 'requireBiometric' controls biometric authentication for app access, not data transfer or clipboard operations. Option D is wrong because 'allowCutCopy' being set to false would block copy and cut operations within the managed app, but paste is indeed unaffected; the issue is about pasting from the managed app into another app, which is governed by 'dataTransferPolicy', not 'allowCutCopy'.

30
MCQ (medium)

Your organization uses Microsoft Defender for Endpoint (now part of Microsoft Defender XDR) to manage endpoint security. You need to ensure that all Windows 10 devices are onboarded to Defender for Endpoint via Microsoft Intune. Which policy type should you use?

A. Endpoint detection and response policy
B. Antivirus policy
C. Firewall policy
D. Windows Security experience policy
Answer: A

EDR policy is used to onboard devices to Defender for Endpoint.

Why this answer

To onboard Windows 10 devices to Microsoft Defender for Endpoint via Intune, you must use an Endpoint detection and response (EDR) policy. This policy type deploys the required onboarding configuration package (a .cmd script or .xml file) that registers the device with the Defender for Endpoint service, enabling sensor data collection and threat detection. Antivirus, Firewall, and Windows Security experience policies manage separate security features but do not handle the initial onboarding process.

Exam trap

The trap here is that candidates confuse 'onboarding' with 'configuring existing security features,' mistakenly selecting Antivirus policy because they think Defender Antivirus must be enabled first, when in fact onboarding is a distinct prerequisite handled only by the EDR policy.

How to eliminate wrong answers

Option B (Antivirus policy) is wrong because it configures Microsoft Defender Antivirus settings (e.g., real-time protection, cloud-delivered protection) but does not deploy the onboarding package required to connect the device to Defender for Endpoint. Option C (Firewall policy) is wrong because it manages Windows Defender Firewall rules and profiles, which are unrelated to the device registration and sensor activation needed for onboarding. Option D (Windows Security experience policy) is wrong because it customizes the Windows Security app interface (e.g., notifications, tamper protection) but does not include the onboarding configuration that establishes the device's connection to the Defender for Endpoint backend.

31
MCQ (easy)

A company uses Microsoft Intune to manage iOS devices. They want to enforce a policy that requires a passcode of at least 6 characters and auto-lock after 5 minutes. Which configuration profile type should they use?

A. Device restrictions profile.
B. Wi-Fi profile.
C. VPN profile.
D. Email profile.
Answer: A

Device restrictions contain security settings like passcode and auto-lock.

Why this answer

A Device restrictions profile is the correct configuration profile type because it contains the security settings for iOS devices, including passcode requirements (minimum length, complexity) and device lock timeouts (auto-lock after minutes). This profile type enforces device-level security policies directly managed by Intune, making it the appropriate choice for requiring a 6-character passcode and 5-minute auto-lock.

Exam trap

The trap here is that candidates often confuse Device restrictions profiles with Compliance policies, but Compliance policies evaluate settings after they are applied, whereas Device restrictions profiles actually enforce the settings on the device.

How to eliminate wrong answers

Option B is wrong because a Wi-Fi profile is used to configure wireless network settings (SSID, authentication, certificates) and does not include passcode or auto-lock policies. Option C is wrong because a VPN profile configures virtual private network connections (server address, tunneling protocol, authentication) and has no settings for device passcode or lock timeout. Option D is wrong because an Email profile configures email account settings (server, username, SSL) and does not enforce device-level security policies like passcode length or auto-lock.

32
Multi-Select (medium)

You are configuring an app protection policy for iOS devices to protect corporate data in Microsoft Outlook. Which TWO settings prevent users from copying corporate data to personal apps?

Select 2 answers
A. Allow app to transfer data to other apps
B. Save copies of work data
C. Block screen capture and screen recording
D. Restrict cut, copy, and paste between apps
E. Encrypt app data
Answers: A, D

Setting this to 'Policy managed apps' restricts data transfer.

Why this answer

Option B and Option D are correct. 'Restrict cut, copy, and paste between apps' with policy-managed apps only prevents copying to unmanaged apps. 'Allow app to transfer data to other apps' set to 'Policy managed apps' restricts data transfer to managed apps only. Option A is wrong because encryption is for data at rest. Option C is wrong because it restricts saving to cloud but not copying.

Option E is wrong because it blocks screenshots but not copy/paste.

33
MCQ (medium)

You manage Windows 10 devices with Microsoft Intune. You need to deploy a line-of-business (LOB) app that is not available in the Microsoft Store. The app is an .msi file that requires admin privileges to install. Which deployment method should you use?

A. Upload the .msi file as a line-of-business app directly
B. Add the app as a Microsoft Store for Business app
C. Deploy the app using a PowerShell script in Intune
D. Use the Microsoft Win32 Content Prep Tool to wrap the .msi into an .intunewin file and deploy as a Win32 app
Answer: D

This is the standard method for deploying LOB .msi apps via Intune.

Why this answer

LOB apps in Intune require the app to be wrapped with the Microsoft Win32 Content Prep Tool. Intune can deploy .msi and .exe as Win32 apps. The correct answer is option D.

34
Multi-Select (hard)

Which THREE actions can be taken from the Intune admin center when a device is retired?

Select 3 answers
A. Retire
B. Remote lock
C. Reset passcode
D. Wipe
E. Delete
Answers: A, D, E

Retirement is the action itself.

Why this answer

Options B, C, and D are correct. When retiring a device, you can wipe the device (factory reset), delete the device from Intune, and also retire it which removes management. Option A is wrong because remote lock is available but not during retirement; it's a separate action.

Option E is wrong because resetting the passcode is not an option for retired devices.

35
MCQ (hard)

You are a Microsoft 365 Endpoint Administrator for a global organization with 5,000 Windows 11 devices managed by Intune. The company has a strict security policy requiring that all devices have BitLocker enabled with TPM validation, PIN, and startup key. Currently, only 80% of devices are compliant with BitLocker. After investigating, you discover that many non-compliant devices are older models that lack TPM 2.0, but they do have TPM 1.2. Additionally, some devices are virtual machines (VMs) that do not have a TPM at all. The security team insists that all devices must be encrypted, but they are willing to accept alternative configurations for devices without TPM 2.0. You need to propose a solution that maximizes security while ensuring compliance. What should you do?

A. Create a single compliance policy that requires BitLocker with TPM validation, PIN, and startup key, and exclude devices without TPM 2.0 from the policy.
B. Modify the existing compliance policy to remove the PIN requirement so that all devices can comply.
C. Create multiple compliance policies: one for devices with TPM 2.0 requiring full BitLocker, one for devices with TPM 1.2 requiring BitLocker with TPM validation, and one for VMs requiring BitLocker with startup password.
D. Downgrade all non-compliant devices to Windows 10 and enable BitLocker with TPM 1.2.
Answer: C

This addresses different hardware capabilities while maintaining encryption.

Why this answer

Option C is correct because it uses multiple compliance policies to enforce the strongest possible BitLocker configuration based on each device's TPM capabilities. Devices with TPM 2.0 can meet the full requirement (TPM validation, PIN, startup key), devices with TPM 1.2 can use TPM-only validation (since TPM 1.2 does not support PIN+startup key in the same way), and VMs without a TPM can use a startup password. This approach maximizes security while ensuring all devices remain compliant with the security policy's intent.

Exam trap

The trap here is that candidates assume a single compliance policy with exclusions is sufficient, but they overlook the need to enforce encryption on all devices by tailoring the BitLocker requirements to each device's TPM capabilities.

How to eliminate wrong answers

Option A is wrong because excluding devices without TPM 2.0 from the policy would leave them unmonitored and non-compliant, violating the requirement that all devices must be encrypted. Option B is wrong because removing the PIN requirement weakens security for devices that do support TPM 2.0, and it does not address the specific limitations of TPM 1.2 or VMs. Option D is wrong because downgrading to Windows 10 does not solve the TPM 1.2 or missing TPM issue; BitLocker on Windows 10 still requires a TPM (1.2 or 2.0) for TPM-only protection, and VMs still lack a TPM, so this would not achieve compliance.

36
MCQ (hard)

You are troubleshooting a Windows 10 device that is not receiving policy updates from Intune. The device shows 'Pending' status in the Intune console. The device is connected to the internet. What is the most likely cause?

A. The device is not connected to the network.
B. The device has a pending reboot.
C. The Intune management extension service is not running.
D. The device enrollment is expired.
Answer: C

The service must be running to receive policies.

Why this answer

Intune policies are delivered via the Intune management extension. If the service is not running or is disabled, policies cannot be applied. Option A is incorrect because the device is online.

Option B is incorrect because enrollment shows as valid. Option D is incorrect because the management extension is required for policies.

37
MCQ (hard)

You are using Intune to manage macOS devices. You need to deploy a custom configuration profile that sets a preference for a third-party app. Which method should you use?

A. Upload an XML file with the preference settings.
B. Upload a DMG file containing the preferences.
C. Upload a property list (.plist) file.
D. Upload a JSON file with the preference settings.
Answer: C

Custom macOS profiles use plist files.

Why this answer

Option C is correct because custom configuration profiles on macOS use property list (.plist) files. Option A is incorrect; XML is not directly used for macOS profiles. Option B is incorrect; JSON is used for Windows, not macOS.

Option D is incorrect; DMG is a disk image format, not a configuration format.

38
MCQ (hard)

You run the above PowerShell command. The app is installed on a device, but the detection rule checks for CompanyPortal.exe in C:\Program Files. The app installs to C:\Program Files (x86) due to a 32-bit installer. What is the most likely outcome?

A. The app is successfully detected and no action is taken
B. The app installation fails with error
C. The detection rule automatically adjusts to check both folders
D. Intune repeatedly tries to install the app because it is not detected
Answer: D

Failed detection triggers reinstallation.

Why this answer

Detection rules do not automatically check both Program Files folders unless configured. The rule checks the 64-bit folder, so it will not detect the app installed in Program Files (x86) and will report as not installed. Option B is correct.

39
MCQ (easy)

Your company is deploying Windows 11 devices using Windows Autopilot. You need to ensure that during the first boot, the device automatically joins Microsoft Entra ID, enrolls in Intune, and installs required applications. What should you provide to the device?

A. The device's hardware hash, uploaded to Intune, and an Autopilot deployment profile assigned.
B. The Configuration Manager client and a site code for automatic site assignment.
C. A provisioning package containing the MDM enrollment settings.
D. A Group Policy Object that configures automatic MDM enrollment.
Answer: A

Autopilot requires the hardware hash to identify the device and the profile to define the deployment settings.

Why this answer

Windows Autopilot uses a device-specific hardware hash that is uploaded to Intune. Based on the assigned Autopilot profile and deployment profile, the device automatically joins Entra ID and enrolls in Intune. Option A is correct.

Option B is wrong because a provisioning package is not needed for Autopilot. Option C is wrong because a Configuration Manager client is not required. Option D is wrong because Group Policy does not apply during Autopilot.

40
MCQ (hard)

You are a Teams administrator. After running the PowerShell script shown in the exhibit, users report they cannot communicate with federated users from 'trusted.com'. What is the most likely cause?

A. The AllowedDomains list does not include a wildcard '*' to allow all domains, so only trusted.com is allowed.
B. The script sets AllowPublicUsers to $false, which blocks all external communication including federated users.
C. The script sets AllowFederatedUsers to $true, which disables federated user communication.
D. The script did not run in a Teams PowerShell session that supports the Set-CsTenantFederationConfiguration cmdlet.
Answer: D

The New-CsOnlineSession and Import-PSSession sequence is correct, but if the module is not properly loaded or the session is not created with the right endpoint, the cmdlets may not be available, causing the script to have no effect.

Why this answer

Option D is correct because the `Set-CsTenantFederationConfiguration` cmdlet is only available in a remote Teams PowerShell session (connected via `Connect-MicrosoftTeams`), not in a local Skype for Business Online or legacy PowerShell module. If the script was run in an incompatible session (e.g., an older Skype for Business Online Connector or a local PowerShell window without proper module import), the cmdlet would not execute, leaving the federation configuration unchanged. This would cause the default settings to block federated communication with 'trusted.com'.

Exam trap

The trap here is that candidates focus on the federation settings (AllowedDomains, AllowFederatedUsers) and overlook the critical prerequisite of running the cmdlet in the correct PowerShell session, assuming any PowerShell window can execute Teams cmdlets.

How to eliminate wrong answers

Option A is wrong because the `AllowedDomains` list is used to restrict which federated domains are allowed when `AllowFederatedUsers` is `$true`; a missing wildcard does not block all communication—it only limits allowed domains, but the script's primary issue is that the cmdlet itself did not run. Option B is wrong because `AllowPublicUsers` controls Skype for Business public IM connectivity (e.g., with Skype consumer), not federated users from another organization's Teams/Skype for Business domain. Option C is wrong because setting `AllowFederatedUsers` to `$true` enables federated communication, not disables it; the problem is that the cmdlet never executed.

41
Multi-Select (hard)

You are troubleshooting a Windows 10 device that is not receiving a required security policy from Intune. The device shows as 'Not compliant' in the Intune console. Which TWO actions should you take to resolve the issue?

Select 2 answers
A. Ensure the device is in the correct Microsoft Entra ID group targeted by the policy.
B. Reissue the user's Microsoft 365 license from the admin center.
C. Reset the device's enrollment state via the Company Portal.
D. Verify that the device has an active internet connection and can reach Intune services.
E. Run Invoke-Command to remotely execute gpupdate /force.
Answers: A, D

Correct. Group assignment is essential for policy delivery.

Why this answer

Option A is correct because Intune security policies are assigned to Microsoft Entra ID groups. If the device is not a member of the targeted group, it will not receive the policy, resulting in a 'Not compliant' status. Verifying group membership ensures the policy scope is correctly applied.

Exam trap

The trap here is that candidates often confuse Intune MDM policy delivery with traditional on-premises Group Policy, leading them to select the gpupdate command (Option E) instead of recognizing that Intune relies on OMA-DM sync and network connectivity.

42
MCQ (hard)

An organization uses Microsoft Intune to manage Windows devices. They want to deploy a Win32 app that requires admin rights to install. The app must be installed in the system context and should not require user interaction. Which installation behavior should be configured?

A. Install behavior: User, Installation purpose: Required, Device restart behavior: No specific action
B. Install behavior: System, Installation purpose: Required, Device restart behavior: No specific action, Installation visibility: Hidden
C. Install behavior: User, Installation purpose: Available
D. Install behavior: System, Installation purpose: Required, Device restart behavior: Immediately
Answer: B

System context ensures admin rights, Hidden prevents user interaction, and Required ensures installation.

Why this answer

Option D is correct because 'System' context installs the app with elevated privileges, and 'Hidden' ensures no user interaction. Option A is wrong because 'User' context does not provide admin rights. Option B is wrong because 'System' with 'Visible' shows installation progress, which may require interaction.

Option C is wrong because 'User' context cannot install with admin rights.

43
MCQ (hard)

You have configured a Windows 10 update ring with a deadline of 3 days for quality updates. However, some devices are not installing updates within the deadline. What should you verify?

A. The devices are set to defer quality updates in Windows Update settings.
B. The devices have a feature update policy that conflicts.
C. The Intune Management Extension is installed.
D. The update ring is assigned to the correct Azure AD group.
Answer: A

Deferral settings can delay installation beyond the deadline.

Why this answer

Option D is correct because if devices are not meeting the deadline, they may be set to defer updates, which overrides the deadline. Option A is incorrect because the update ring is assigned. Option B is incorrect because the issue is not about missing feature updates.

Option C is incorrect because the Intune Management Extension does not manage Windows updates.

44
MCQ (medium)

Refer to the exhibit. A KQL query in Microsoft Defender XDR returns no results for PC001 and PC002 even though you know there have been antivirus detections on those devices. What is the most likely reason?

A. The timestamp range is too narrow
B. The device names are case-sensitive and are entered incorrectly
C. You do not have permissions to view events on those devices
D. The ActionType filter is incorrect for antivirus detections
Answer: D

Antivirus detection action types may be 'AntivirusDetectedMalware' or others.

Why this answer

Option C is correct: The query filters ActionType == 'AntivirusDetection', but the actual action type might be 'AntivirusDetectedMalware' or similar. Option A (Timestamp range) is 7 days, which should include recent events. Option B (DeviceName case mismatch) is possible but Defender XDR is case-insensitive by default.

Option D (Permissions) would return an error, not empty results.

45
MCQ (easy)

A company wants to prevent users from copying corporate data from managed Microsoft 365 apps to personal apps on iOS devices. What should they configure?

A. Intune app protection policy
B. Device compliance policy
C. Microsoft Defender for Cloud Apps session policy
D. Conditional Access policy
Answer: A

App protection policies restrict copy/paste and data transfer between apps.

Why this answer

Option B is correct: Intune app protection policies (MAM) control data transfer between managed and unmanaged apps. Option A (Device compliance policy) enforces device health but not app-level data movement. Option C (Conditional Access) controls access but not copy/paste.

Option D (Microsoft Defender for Cloud Apps) is for cloud app security, not local app data protection.

46
MCQ (hard)

A user reports that their Windows 11 device is not receiving compliance policies from Microsoft Intune. The device shows as 'Not evaluated' in the compliance status. Other devices in the same group are compliant. What is the most likely cause?

A. The device does not have a valid certificate profile.
B. The Intune Management Extension is not installed.
C. The device has a non-compliant component that prevents policy application.
D. The device's enrollment token has expired.
Answer: C

If a device is non-compliant, it may not receive further policies until remediated.

Why this answer

Option D is correct because a non-compliant component can cause the device to show 'Not evaluated' if the policy is not applied. Option A is incorrect because a valid token is required for enrollment; if it were expired, the device would not be enrolled. Option B is incorrect because the Intune management extension handles Win32 apps, not compliance policies.

Option C is incorrect because a certificate profile is not required for compliance evaluation.

47
MCQ (hard)

Refer to the exhibit. A Windows 10 device shows a compliance state of 'noncompliant'. The last sync was 2 hours ago. The device is managed by Intune (mdm). You have verified that the assigned compliance policy requires a device threat level of 'high' from Microsoft Defender for Endpoint. Which of the following is the most likely cause of non-compliance?

A. Microsoft Defender for Endpoint reports a medium-severity threat on the device.
B. The device OS version is below the minimum required.
C. The device has not synced with Intune for over 24 hours.
D. The device is not enrolled in Microsoft Defender for Endpoint.
Answer: A

A medium threat would make the device non-compliant if required level is high.

Why this answer

The device threat protection required security level is 'high', meaning the device must have no active threats at medium or high. If Defender for Endpoint reports a medium threat, the device will be non-compliant. Option B is correct.

Option A is incorrect because the device synced recently. Option C is incorrect because the device is enrolled. Option D is incorrect because the OS version is not mentioned in the exhibit.

48
Matching (medium)

Match each PowerShell cmdlet to its function in Microsoft 365 management.

Matches

Connect to Microsoft Graph using delegated or app-only auth

Retrieve Intune-managed devices

Create a new device configuration policy

Update properties of a managed device

Retire a device from Intune

Why these pairings

PowerShell is used for programmatic management; these cmdlets are from Microsoft Graph PowerShell SDK.

49
Multi-Select (medium)

Which TWO actions can you perform using Microsoft Intune to manage devices that are not compliant? (Choose two.)

Select 2 answers
A. Automatically send an email to the user's manager.
B. Remotely wipe the device.
C. Block access to corporate resources.
D. Send a push notification to the user.
E. Mark the device as noncompliant in the Intune admin center.
Answers: D, E

Intune can notify users when their device is noncompliant.

Why this answer

Option D is correct because Microsoft Intune can send push notifications to noncompliant devices via the Company Portal app, alerting users about compliance issues and required actions. Option E is correct because marking a device as noncompliant in the Intune admin center is a manual action that updates the device's compliance state, which then triggers conditional access policies to block resources. Both actions are available for managing noncompliant devices without requiring user interaction or remote wipe.

Exam trap

The trap here is that candidates confuse the actions available directly in Intune (like sending notifications or marking noncompliant) with the downstream effects of conditional access policies (like blocking access), leading them to incorrectly select 'Block access to corporate resources' as an Intune action rather than a conditional access outcome.

50
MCQ (hard)

You are troubleshooting an issue where Windows 10 devices are not receiving Windows updates from Intune. The update rings are configured, and the devices are enrolled. However, devices show 'Up to date' even though they are missing critical security updates. What should you verify?

A. The deferral settings are too long.
B. The update ring is assigned to the correct device group.
C. The devices have the Windows Update for Business policy assigned.
D. The devices are compliant with the compliance policy.
Answer: C

WUfB policy controls update behavior.

Why this answer

Option C is correct because the device must have the 'Windows Update for Business' (WUfB) policy assigned. Option A is wrong because compliance does not affect update deployment. Option B is wrong because the update ring is configured.

Option D is wrong because deferral settings affect timing, not delivery.

51
MCQ (medium)

You manage a fleet of Android Enterprise devices. You need to configure a policy that prevents users from installing apps from unknown sources. Which policy type should you use?

A. Device restrictions configuration policy
B. Device compliance policy
C. App configuration policy
D. Enrollment restriction
Answer: A

Device restrictions can disable unknown sources.

Why this answer

Option C is correct because device restrictions include settings to block unknown sources. Option A is wrong because compliance policy checks security, but doesn't block installation. Option B is wrong because app configuration policies configure apps, not device settings.

Option D is wrong because enrollment restrictions control enrollment, not app installation.

52
Drag & Drop (medium)

Order the steps to deploy a Windows 10 virtual desktop in Azure using Windows 365.


Why this order

License first, then portal, create policy, configure, provision and assign.

53
Multi-Select (hard)

You are planning a Microsoft Intune deployment for a large organization with Windows, iOS, and Android devices. You need to ensure that devices can enroll automatically when users sign in with their work accounts. Which THREE components are required?

Select 3 answers
A. Apple Push Notification service certificate (for iOS)
B. Intune licenses assigned to users
C. Microsoft Entra ID (for identity and device registration)
D. Microsoft Intune subscription (for MDM authority)
E. Configuration Manager (for co-management)
Answers: B, C, D

Users must have Intune licenses to enroll devices.

Why this answer

Option A, Option B, and Option D are correct because Microsoft Entra ID, Intune, and licensing are required for automatic enrollment. Option C is wrong because Configuration Manager is optional. Option E is wrong because Apple Push Notification service is only for iOS device management, not for automatic enrollment across all platforms.

54
MCQ (easy)

You need to deploy a Microsoft 365 Apps for enterprise suite to Windows 10 devices using Intune. Users are unlicensed. How should you proceed?

A. Deploy the suite as 'available' from Company Portal.
B. Use the built-in Microsoft 365 Apps (Office) app type in Intune.
C. Assign the Office 365 E3 license to all users.
D. Create a Win32 app package for Microsoft 365 Apps and deploy it.
Answer: D

Win32 packaging allows you to include a volume license key or use shared activation for unlicensed users.

Why this answer

Option D is correct because when users are unlicensed, the Microsoft 365 Apps for enterprise suite cannot be deployed via the built-in Intune app type (which relies on license activation). Creating a Win32 app package allows you to bundle the Office Deployment Tool (ODT) with a configuration XML that sets the product ID to 'O365ProPlusRetail' and disables automatic licensing checks, enabling deployment to unlicensed devices.

Exam trap

The trap here is that candidates assume the built-in Microsoft 365 Apps app type in Intune is always the correct choice, but they overlook the critical dependency on user licensing, which the question explicitly removes by stating users are unlicensed.

How to eliminate wrong answers

Option A is wrong because deploying the suite as 'available' from Company Portal still requires the user to have an Office 365 license to activate the apps; unlicensed users will see the app but cannot install or run it. Option B is wrong because the built-in 'Microsoft 365 Apps (Office)' app type in Intune is designed for licensed users and automatically triggers license-based activation; it will fail for unlicensed users. Option C is wrong because assigning Office 365 E3 licenses to all users is a licensing action, not a deployment method; while it would resolve the licensing issue, the question specifically states users are unlicensed and asks how to deploy the suite, not how to license users.

55
MCQ (hard)

Users report that after updating to Windows 11, their devices are no longer receiving policy updates from Intune. The devices appear as active and compliant in the Intune console. What is the most likely cause?

A. The devices lost compliance after the upgrade.
B. The Intune management extension is outdated and needs to be updated.
C. The MDM authority changed to Configuration Manager.
D. Windows 11 is not supported by Microsoft Intune.
Answer: B

The management extension must be updated to support Windows 11 policies.

Why this answer

Option D is correct because Windows 11 requires the Intune management extension to be updated; an outdated extension may not process policies correctly. Option A is wrong because Windows 11 is supported. Option B is wrong because the devices are compliant.

Option C is wrong because MDM authority is per tenant, not per device.

56
MCQ (hard)

An organization uses Microsoft Intune for device management. They have a requirement that all Windows devices must have BitLocker enabled. They want to automatically remediate any device that has BitLocker disabled by running a PowerShell script. Which Intune feature should be used?

A. Device configuration profile to enable BitLocker
B. Device compliance policy with a noncompliance action to mark device as non-compliant
C. PowerShell script deployment with assignment to all devices
D. Proactive remediations with a detection script for BitLocker status and a remediation script to enable BitLocker
Answer: D

Proactive remediations can detect and automatically run remediation scripts.

Why this answer

Option D is correct because proactive remediations can detect and remediate issues such as BitLocker being disabled. Option B is wrong because compliance policies only report non-compliance. Option A is wrong because configuration profiles can enable BitLocker but cannot run scripts.

Option C is wrong because PowerShell scripts run at enrollment or on demand, not continuously.

57
MCQeasy

You need to ensure that Windows 10 devices automatically receive Microsoft Defender antivirus definition updates from Microsoft. Which update channel should you configure in the endpoint protection profile?

A.Microsoft Update
B.Microsoft Update for Business
C.Windows Update
D.WSUS
AnswerA

This channel ensures definition updates from Microsoft.

Why this answer

Option A is correct because the 'Microsoft Update' channel delivers definition updates from Microsoft. Option C is wrong because Windows Update is for OS updates. Option D is wrong because WSUS is for on-premises managed updates.

Option B is wrong because Microsoft Update for Business is a service, not a channel in the profile.

58
MCQhard

An administrator applies the app protection policy shown in the exhibit to a group of users. A user reports that they are unable to copy data from a managed app and paste it into an unmanaged app. Which setting in the policy causes this behavior?

A.requirePin is set to true.
B.dataTransferToUnmanagedApps is set to false.
C.appSharingFromLevel is set to 'policyManagedApps'.
D.disableAppEncryptionIfDeviceEncryptionIsEnabled is set to false.
AnswerB

This setting directly prevents data transfer to unmanaged apps.

Why this answer

The setting `dataTransferToUnmanagedApps` controls whether data can be transferred from a managed app to unmanaged apps via copy/paste, share, or other data-sharing mechanisms. When set to `false`, it blocks all such transfers, including pasting into unmanaged apps. This is the specific policy that prevents the user from copying data from a managed app and pasting it into an unmanaged app.

Exam trap

The trap here is that candidates often confuse `appSharingFromLevel` with `dataTransferToUnmanagedApps`, mistakenly thinking that restricting sharing to policy-managed apps also blocks copy/paste to unmanaged apps, when in fact `dataTransferToUnmanagedApps` is the explicit setting that controls clipboard-based data transfer to any unmanaged destination.

How to eliminate wrong answers

Option A is wrong because `requirePin` controls whether a PIN is required to access the managed app, not data transfer behavior. Option C is wrong because `appSharingFromLevel` set to `policyManagedApps` restricts sharing to only other apps that have the same app protection policy, but it does not block copy/paste to unmanaged apps; it allows sharing between managed apps. Option D is wrong because `disableAppEncryptionIfDeviceEncryptionIsEnabled` controls whether app-level encryption is disabled when device encryption is present, which is unrelated to data transfer restrictions.

59
MCQmedium

Refer to the exhibit. You run this PowerShell command to retrieve Windows devices. The output shows several devices with lastSyncDateTime older than 30 days and complianceState as 'noncompliant'. What is the most likely cause for these devices to be noncompliant?

A.The devices failed to enroll properly.
B.The compliance policy includes a rule for 'Maximum days since last check-in' and these devices exceeded that limit.
C.The devices are running a non-Windows operating system.
D.The devices have names that do not match the naming convention.
AnswerB

A common compliance rule requires devices to sync within a set number of days.

Why this answer

Option B is correct because a compliance policy can require devices to check in periodically; if they have not synced in 30 days, they may be marked noncompliant by a 'last check-in' rule. Option D is wrong because device name does not affect compliance. Option C is wrong because the command filters for Windows.

Option A is wrong because there is no evidence of enrollment failure.

60
Multi-Selecteasy

You are preparing infrastructure for device management. Which TWO are valid methods to enroll Windows devices into Microsoft Intune?

Select 2 answers
A.Android Zero Touch.
B.Microsoft Entra ID join with automatic MDM enrollment.
C.Apple Business Manager.
D.Windows Autopilot.
E.Samsung Knox Mobile Enrollment.
AnswersB, D

Devices automatically enroll in Intune when joined.

Why this answer

Option D is correct because Windows Autopilot is a valid enrollment method. Option B is correct because Microsoft Entra ID join with automatic Intune enrollment is valid. Option C is wrong because Apple Business Manager is for Apple devices.

Option A is wrong because Android Zero Touch is for Android devices. Option E is wrong because Samsung Knox Mobile Enrollment is for Samsung Android devices.

61
Multi-Selecthard

Which THREE of the following are requirements for deploying a Win32 app via Microsoft Intune?

Select 3 answers
A.The device must have the Intune Management Extension installed separately.
B.The app installation files must be hosted on an external web server.
C.The app must be assigned to a group of users or devices.
D.Detection rules must be configured to verify installation.
E.The app must be packaged in the .intunewin format.
AnswersC, D, E

Assignment is required to target the app.

Why this answer

Options C, D, and E are correct. Win32 apps must be packaged in the .intunewin format, have detection rules, and be assigned to groups. Option B is wrong because the app must be uploaded to Intune, not hosted externally.

Option A is wrong because the Intune Management Extension handles Win32 app installation; no separate agent needs to be installed.

62
MCQhard

Refer to the exhibit. You run the Get-AutopilotInfo script on a new Surface Pro 7. The output shows DeviceState as 'Unknown' and AssignmentStatus as 'NotAssigned'. The device is connected to the internet. What should you do to prepare this device for Autopilot deployment?

A.Upload the hardware hash to Microsoft Intune to register the device.
B.Assign an Autopilot deployment profile to the device group.
C.Run the script again with the -Online parameter.
D.Use a provisioning package to set up the device manually.
AnswerA

Registration is required for Autopilot to work.

Why this answer

The device is not yet registered in Autopilot. You need to upload the hardware hash to Intune. Option A is correct.

Option B is wrong because assigning a deployment profile presupposes that the device is already registered, and the 'Unknown' state indicates it is not. Option D is wrong because a provisioning package is not needed if Autopilot is desired. Option C is wrong because the script already works; re-running it will not help.

63
MCQmedium

You are configuring Microsoft Defender for Endpoint in Microsoft Intune for Windows 10 devices. You need to ensure that when a threat is detected, the device automatically receives a remediation action. Which configuration should you use?

A.Configure a device compliance policy to mark the device as non-compliant.
B.Enable 'Manual investigation' in the endpoint security policy.
C.Create an alert rule in Microsoft Defender XDR to notify administrators.
D.Enable 'Automatic remediation' in the Microsoft Defender Antivirus policy.
AnswerD

Automatic remediation allows Defender to take action on detected threats.

Why this answer

Option D is correct because enabling 'Automatic remediation' in the Microsoft Defender Antivirus policy within Intune's endpoint security node ensures that when a threat is detected, the device automatically applies the configured remediation action (e.g., quarantine, remove, or block) without requiring manual intervention. This setting directly controls the behavior of Microsoft Defender Antivirus to act on detected threats, aligning with the requirement for automatic remediation.

Exam trap

The trap here is that candidates often confuse alerting or compliance policies with actual remediation actions, mistakenly thinking that marking a device non-compliant or creating an alert will automatically remediate the threat, when in fact only the antivirus policy's automatic remediation setting directly triggers the remediation action on the device.

How to eliminate wrong answers

Option A is wrong because configuring a device compliance policy to mark the device as non-compliant only triggers conditional access restrictions or user notifications; it does not perform any remediation action on the detected threat itself. Option B is wrong because 'Manual investigation' is not a valid setting in endpoint security policies; Microsoft Defender for Endpoint uses automated investigation and response (AIR) capabilities, and manual investigation is a separate process, not a configuration toggle. Option C is wrong because creating an alert rule in Microsoft Defender XDR only sends notifications to administrators about detected threats; it does not cause the device to automatically receive a remediation action.

64
MCQeasy

You need to wipe a lost corporate-owned iOS device that is enrolled in Intune. Which action should you perform?

A.Delete the device from Intune.
B.Retire the device.
C.Wipe the device.
D.Disable the device.
AnswerC

Wipe resets the device completely.

Why this answer

Option C is correct because 'Wipe' resets the device to factory settings. Option B is wrong because 'Retire' removes company data but leaves personal data. Option A is wrong because 'Delete' only removes the device record.

Option D is wrong because 'Disable' is not an action.

65
Multi-Selecteasy

Which TWO of the following are valid app types in Microsoft Intune for iOS/iPadOS devices?

Select 2 answers
A.Windows 10 Universal app
B.iOS line-of-business app
C.Android Enterprise system app
D.Managed Google Play iframe
E.iOS store app
AnswersB, E

For custom iOS apps.

Why this answer

Option E (iOS store app) and Option B (iOS LOB app) are valid. Option C is for Android. Option A is for Windows.

Option D is a configuration policy, not an app type.

66
MCQmedium

You are preparing to deploy Windows Autopilot for your organization. You have obtained the hardware hashes for 100 new devices. You need to register these devices in Microsoft Intune so that they can be associated with an Autopilot deployment profile. What should you do?

A.Use the Microsoft Store for Business to automatically register devices
B.Contact the OEM to register the devices using the device serial numbers
C.Use the Windows Configuration Designer to create a provisioning package that includes Autopilot settings
D.Upload the hardware hashes to the Autopilot devices page in the Microsoft Intune admin center
AnswerD

This is the standard method to register devices.

Why this answer

Option D is correct because you can upload the hardware hashes directly to the Autopilot devices page in Intune. Option B is wrong because the OEM can register devices for you, but you already have the hashes. Option A is wrong because Microsoft Store for Business is deprecated.

Option C is wrong because Windows Configuration Designer is for provisioning packages, not Autopilot registration.

67
Multi-Selecthard

Which THREE actions are available in Microsoft Intune's proactive remediations for Windows devices?

Select 3 answers
A.Run a detection script to identify issues.
B.Send email alerts when issues are detected.
C.Schedule scripts to run at regular intervals.
D.Run a remediation script to fix issues.
E.Mark devices as non-compliant if remediation fails.
AnswersA, C, D

Detection scripts identify problems.

Why this answer

Proactive remediations in Microsoft Intune are designed to detect and automatically fix common issues on Windows devices without requiring user intervention. Option A is correct because the workflow begins with a detection script that runs on the device to identify specific problems, such as registry misconfigurations or missing files. This script must return an exit code indicating whether an issue exists, which then triggers the remediation script if needed.

Exam trap

The trap here is that candidates often confuse proactive remediations with compliance policies or alerting features, assuming that failed remediation can automatically trigger non-compliance or email notifications, but Intune separates these functions into distinct policies and requires additional configuration for alerts.

68
Multi-Selecthard

You are configuring Windows Autopilot for a customer who has a hybrid Azure AD join deployment. The devices are self-deploying using a self-deploying profile. Which THREE prerequisites must be met for the self-deploying mode to work?

Select 3 answers
A.The device must be registered in Windows Autopilot
B.The local administrator account must be enabled
C.The device must be connected to the internet and able to reach Azure AD
D.The user must be assigned a Windows Autopilot license
E.The device must have an Azure AD Premium license (P1 or P2)
AnswersA, C, E

Registration is required for Autopilot.

Why this answer

Option A is correct because a device must be registered in Windows Autopilot to associate it with a self-deploying profile. Registration is done by uploading the device's hardware hash to the Autopilot service, which then links the device to the profile and enables automatic provisioning without user interaction.

Exam trap

The trap here is that candidates often confuse user-driven Autopilot requirements (like a user license) with device-driven self-deploying mode, leading them to incorrectly select option D instead of recognizing the device license prerequisite.

69
MCQeasy

Your organization uses Windows Autopilot for device provisioning. Users report that after initial setup, devices are not automatically enrolled in Microsoft Intune. What should you verify?

A.That a device configuration profile is assigned to the devices.
B.That the devices are registered in Windows Autopilot with a valid hardware hash.
C.That a Conditional Access policy is in place requiring Intune enrollment.
D.That a device compliance policy is assigned to the Autopilot devices.
AnswerB

Autopilot devices must be registered to automatically enroll in Intune.

Why this answer

Option B is correct because Autopilot devices must be registered with their hardware hash in Intune/Entra ID. Option D is wrong because a compliance policy does not affect enrollment. Option A is wrong because a configuration profile deploys settings after enrollment.

Option C is wrong because Conditional Access is post-enrollment.

70
MCQeasy

You need to deploy a line-of-business (LOB) app to 100 iOS devices managed by Intune. The app is signed with an enterprise certificate. Which deployment method should you use?

A.Upload the app package as an iOS LOB app in Intune
B.Add the app as a Volume Purchase Program (VPP) app
C.Use an Enterprise Code Signing certificate to deploy via MDM
D.Publish the app to the Apple App Store and deploy as public app
AnswerA

Direct method for custom enterprise apps.

Why this answer

Option A is correct because Intune supports deploying internally developed LOB apps to iOS devices by uploading the signed .ipa package directly. Since the app is already signed with an enterprise certificate, it can be distributed via Intune's iOS LOB app workflow without requiring the Apple App Store or VPP.

Exam trap

The trap here is confusing the signing certificate (used to sign the app) with the deployment method, leading candidates to select Option C, which describes a prerequisite rather than a distribution mechanism.

How to eliminate wrong answers

Option B is wrong because Volume Purchase Program (VPP) apps are purchased from the Apple App Store and assigned to devices via managed distribution, not used for custom LOB apps. Option C is wrong because Enterprise Code Signing certificates are used to sign the app, not as a deployment method; MDM deploys the app via Intune's LOB app upload, not by using the certificate directly. Option D is wrong because publishing to the Apple App Store is unnecessary and contradicts the requirement to deploy a signed LOB app; public apps are for store-distributed apps, not enterprise-signed ones.

71
MCQmedium

Contoso uses Microsoft Defender for Endpoint on Windows servers. They need to ensure that antivirus definitions are always up-to-date even if the server is disconnected from the internet for extended periods. What should they configure?

A.Enable Windows Update for Business group policy
B.Use Intune to deliver definition updates
C.Configure a network file share as an internal update source for Microsoft Defender Antivirus
D.Download definitions from Microsoft Update Catalog and install manually
AnswerC

Defender Antivirus supports internal file share for definition updates.

Why this answer

Option C is correct: Microsoft Defender for Endpoint can use a file share as an internal definition update source. Option A (Windows Update for Business) requires internet access. Option B (Intune) typically manages client devices, not servers.

Option D (Microsoft Update Catalog) is for manual download, not automatic updates.

72
MCQmedium

Your organization requires that all Windows 11 devices encrypt their drives with BitLocker. You have configured a BitLocker policy in Intune, but some devices show as 'Not evaluated' for the encryption status. What is the most likely reason?

A.The devices do not have a TPM chip.
B.The policy is not assigned to the correct group.
C.The devices have a conflicting Group Policy.
D.Secure Boot is disabled on the devices.
AnswerA

TPM is required for BitLocker, and without it the policy cannot be evaluated.

Why this answer

Option A is correct because BitLocker requires a TPM chip to function; devices without a TPM cannot evaluate the policy. Option B is incorrect because the policy is assigned. Option D is incorrect because Secure Boot is not required for BitLocker.

Option C is incorrect because BitLocker can be configured via Intune without a GPO.

73
MCQhard

A user reports that a required Microsoft 365 Apps for enterprise installation failed on their Windows 11 device managed by Intune. The Intune console shows the app assignment is 'Required' for the user group. The device status shows 'Pending' for over a day. You verify the device is online and checks in regularly. What is the most likely cause?

A.The user does not have a Microsoft 365 license assigned.
B.The device has not checked in with Intune recently.
C.The device does not have enough disk space.
D.The app is assigned to the device group instead of the user group.
AnswerA

Microsoft 365 Apps require a license to activate; without it, installation may stall.

Why this answer

Option A is correct because the Microsoft 365 Apps for enterprise deployment requires a valid license assigned to the user. The client may remain pending because it cannot activate without a license. Option C is wrong because the device status shows 'Pending', not an error.

Option B is wrong because the device checks in regularly. Option D is wrong because the app assignment is 'Required' and the user is in the group.

74
MCQhard

You are planning a Windows 11 deployment for 200 devices using Microsoft Configuration Manager (current branch). The devices are currently running Windows 10. You need to perform an in-place upgrade while preserving user data and settings. The devices are located in remote offices with limited bandwidth. Which deployment method should you use?

A.Create a provisioning package with Windows 11 upgrade settings and apply it via USB drives.
B.Deploy a Windows 11 feature update using the 'Windows 10/11 feature update' servicing plan in Configuration Manager, enabling Delivery Optimization for peer-to-peer download.
C.Use Windows Autopilot to reset the device and reinstall Windows 11, restoring user data from OneDrive.
D.Create a task sequence to upgrade Windows, and configure it to download content from the internet to reduce distribution point load.
AnswerB

Feature updates in ConfigMgr perform in-place upgrades and can use Delivery Optimization to reduce bandwidth.

Why this answer

For an in-place upgrade over limited bandwidth, peer caching or Delivery Optimization is the recommended way to reduce WAN usage. Note that Configuration Manager's 'Express updates' apply only to quality updates, not feature updates. Feature updates can be deployed either through 'Windows servicing' ('Windows 10/11 feature update') or through a task sequence.

A task sequence can also perform the upgrade and can limit bandwidth with BranchCache, pre-staged content on USB drives, or 'Download content from distribution point and run locally', but the question asks specifically for an in-place upgrade that preserves user data on a limited-bandwidth link.

The 'Windows 10/11 feature update' deployment is an in-place upgrade that preserves apps, settings and user data, and it can use Delivery Optimization to download from peers and the internet, which reduces the bandwidth needed. Option B is correct.

Option A is wrong because a provisioning package is for new devices. Option C is wrong because Autopilot is not for in-place upgrades. Option D is wrong because a task sequence can preserve data but requires more bandwidth unless you pre-cache content.

75
MCQmedium

Your organization uses Microsoft Intune to manage Android Enterprise devices. You need to ensure that corporate apps are installed automatically on new devices without user interaction. Which enrollment method should you use?

A.Android Enterprise fully managed
B.Android Enterprise dedicated device
C.Android Legacy device administrator
D.Android Enterprise work profile
AnswerA

Fully managed devices allow silent app installation.

Why this answer

Android Enterprise fully managed (A) is the correct enrollment method because it allows IT to enroll corporate-owned devices into Intune with full device control, enabling automatic, silent installation of required corporate apps without any user interaction. This mode uses the Android Enterprise API to push apps via managed Google Play as required or kiosk apps, ensuring they are installed before the device is handed to the user.

Exam trap

The trap here is that candidates often confuse 'fully managed' with 'dedicated device' because both are corporate-owned, but dedicated devices lack user association and cannot automatically install user-specific corporate apps without a user context.

How to eliminate wrong answers

Option B (Android Enterprise dedicated device) is wrong because it is designed for single-purpose or kiosk devices that are not assigned to a specific user, and while it can auto-install apps, it does not support user-based app targeting or user-specific corporate app deployment without a user context. Option C (Android Legacy device administrator) is wrong because it is a deprecated enrollment method that relies on Device Admin API, which does not support automatic app installation via managed Google Play and lacks the modern app management capabilities of Android Enterprise. Option D (Android Enterprise work profile) is wrong because it is intended for BYOD scenarios where a separate work profile is created on a personal device, and while apps can be pushed, they require user consent or interaction during profile setup and are not automatically installed on new devices without user involvement.
