Microsoft 365 Endpoint Administrator MD-102 (MD-102) — Questions 676–750

991 questions total · 14 pages · All types, answers revealed

Page 10 of 14
676
MCQ · medium

Your organization uses Microsoft Intune to manage devices. You need to ensure that devices that are not compliant are blocked from accessing corporate resources. Which configuration should you use?

A. Create a device compliance policy and assign it to users.
B. Create a device configuration profile that restricts access.
C. Create a Conditional Access policy that requires compliant devices.
D. Configure enrollment restrictions to block non-compliant devices.
Answer: C

Conditional Access enforces access based on compliance.

Why this answer

Conditional Access policies in Azure AD are the correct mechanism to enforce access controls based on device compliance status. By creating a policy that requires devices to be marked as compliant, you ensure that only compliant devices can access corporate resources, while non-compliant devices are blocked at the authentication level. This integrates with Intune compliance policies to evaluate device health before granting access.

Exam trap

The trap here is that candidates often confuse the role of a compliance policy (which only evaluates and reports) with the enforcement mechanism (Conditional Access), leading them to select Option A as the answer.

How to eliminate wrong answers

Option A is wrong because a device compliance policy alone only reports compliance status and can trigger actions like sending notifications or marking devices as non-compliant, but it does not block access to corporate resources; it requires a Conditional Access policy to enforce the block. Option B is wrong because a device configuration profile is used to configure device settings (e.g., password policies, restrictions) and does not enforce access control or block non-compliant devices from resources. Option D is wrong because enrollment restrictions control which devices can enroll in Intune, not whether already enrolled devices that become non-compliant are blocked from accessing corporate resources.

677
MCQ · easy

You need to remotely wipe a lost corporate-owned iOS device that is managed by Intune. Which action should you use?

A. Wipe
B. Reset
C. Delete
D. Retire
Answer: A

Wipe performs a factory reset.

Why this answer

Option A is correct because the 'Wipe' action performs a factory reset. Option D is wrong because 'Retire' removes management but keeps user data. Option C is wrong because 'Delete' removes the device from Intune without wiping.

Option B is wrong because 'Reset' is not a standard Intune action; the correct term is 'Wipe'.

678
MCQ · hard

A company uses Microsoft Intune to manage Windows 10 devices. Users report that after a recent update, some devices are unable to connect to the corporate Wi-Fi network. The Wi-Fi profile is deployed via Intune. Which troubleshooting step should you take first?

A. Recreate the Wi-Fi profile in Intune with new settings
B. Run the 'netsh wlan show profiles' command on affected devices
C. Check the Intune console for Wi-Fi profile assignment and conflict status
D. Review Microsoft Entra ID sign-in logs for authentication failures
Answer: C

Directly shows profile deployment and conflicts.

Why this answer

Option C is correct because checking the Intune console for profile assignment and conflict status is the fastest way to identify deployment issues. Option D is wrong because reviewing sign-in logs does not show Wi-Fi profile status. Option B is wrong because per-device checks such as netsh output are more granular and time-consuming.

Option A is wrong because recreating the profile may not address the root cause.

679
MCQ · easy

Your organization is implementing Microsoft Entra ID join for Windows devices. You need to ensure that when users sign in with their Microsoft Entra ID credentials, they automatically get access to company resources without additional authentication. Which feature should you enable?

A. Device compliance policies
B. Windows Hello for Business
C. Conditional Access policies
D. Primary Refresh Token (PRT)
Answer: D

PRT is obtained upon sign-in and provides SSO to cloud resources.

Why this answer

Option D is correct because Microsoft Entra ID joined devices use the Primary Refresh Token (PRT) for SSO. Option B is incorrect because Windows Hello for Business provides passwordless sign-in but is not required for automatic resource access. Option C is incorrect because Conditional Access policies control access, not automatic authentication.

Option A is incorrect because device compliance policies are for compliance, not SSO.

680
Multi-Select · hard

Your company uses Microsoft Defender for Cloud Apps (Microsoft 365 Defender). You need to create a session policy that monitors and controls access to a specific cloud app. Which three components must you configure? (Select THREE.)

Select 3 answers
A. Policy template (e.g., block download)
B. Conditional Access policy assignment
C. Device group assignment
D. App filter (e.g., specific app)
E. Session control type (e.g., monitor only)
Answers: A, D, E

The template defines the action to take.

Why this answer

Options A, D, and E are correct. A session policy requires a template (or action), an app filter, and a session control type. Option C is wrong because device groups are not part of a session policy.

Option B is wrong because Conditional Access policies are separate from session control templates.

681
MCQ · hard

An organization is deploying Windows 10 using Configuration Manager task sequences. During a pilot deployment, the task sequence fails with error code 0x80070002. What is the most likely cause?

A. The device does not meet minimum hardware requirements
B. The task sequence includes a duplicate step
C. The boot image is missing or corrupted
D. The distribution point is unreachable
Answer: C

0x80070002 indicates file not found; boot image is essential for deployment.

Why this answer

Error code 0x80070002 translates to 'The system cannot find the file specified.' In the context of a Configuration Manager task sequence, this typically indicates that the boot image (WIM file) referenced by the task sequence is missing from the distribution point or is corrupted. The boot image is required to start Windows PE and initiate the OS deployment; if it cannot be located or loaded, the task sequence fails immediately.

Exam trap

The trap here is that candidates often associate error 0x80070002 with a network connectivity issue (Option D) or a hardware problem (Option A), but the error code specifically indicates a missing file, not a network or hardware failure.

How to eliminate wrong answers

Option A is wrong because minimum hardware requirements would produce a different error (e.g., 0x80070570 or a pre-flight check failure), not a file-not-found error. Option B is wrong because a duplicate step in the task sequence would cause a validation error during editing or a runtime conflict, but not a 0x80070002 error, which is specifically a file access issue. Option D is wrong because an unreachable distribution point would result in a network-related error (e.g., 0x80072EFE or 0x80004005), not a file-not-found error; the boot image must be present on the distribution point for the task sequence to even begin.

682
Multi-Select · medium

Your organization is preparing to deploy Windows 11 using Microsoft Intune. You need to ensure that all devices meet the minimum hardware requirements for Windows 11 before upgrade. Which THREE checks should you perform?

Select 3 answers
A. Check that Secure Boot is enabled.
B. Check that the processor is at least 1 GHz with 1 core.
C. Check that the device has TPM 2.0 enabled.
D. Check that the device has at least 4 GB of RAM.
E. Check that the device has at least 32 GB of storage.
Answers: A, C, D

Secure Boot is required.

Why this answer

Options A, C, and D are correct. TPM 2.0, Secure Boot, and 4 GB of RAM are minimum requirements. Option E is incorrect because the requirement is 64 GB of storage.

Option B is incorrect because the requirement is 1 GHz or faster with 2 cores.

683
MCQ · medium

Refer to the exhibit. You run the PowerShell command shown to create a compliance policy. However, when you check the compliance status of a Windows 11 device, it shows as compliant even though the device does not have BitLocker enabled. What is the most likely reason?

A. The policy has not been assigned to the device or its user group.
B. The BitLocker setting is not supported on Windows 11.
C. The policy was not saved correctly due to a syntax error.
D. The device does not have a TPM chip, which is required for BitLocker, but the compliance policy does not check TPM.
Answer: A

Unless assigned, the policy does not evaluate.

Why this answer

The compliance policy has BitLockerEnabled set to $true, which should require BitLocker. The device can still show as compliant if the policy has not been assigned to it, or if the device has not yet evaluated the policy. Of the options given, the most likely reason is that the device is not subject to the policy because it is not assigned.

Option A is correct. Option C is wrong because the policy was created. Option B is wrong because the setting is correct.

Option D is wrong because TPM is required for BitLocker but is not directly related to BitLocker compliance evaluation.

684
MCQ · hard

Your organization uses Microsoft Intune to manage Windows devices. You need to ensure that only users in the Sales department can enroll their devices. What should you configure?

A. An Intune role-based access control (RBAC) role for Sales users.
B. A device configuration profile assigned to Sales users.
C. A Conditional Access policy that requires device compliance.
D. Enrollment restrictions that allow only users in the Sales group.
Answer: D

Enrollment restrictions can be scoped to specific user groups.

Why this answer

Option D is correct because enrollment restrictions can be configured to allow or block enrollment based on user groups. Option C is wrong because Conditional Access controls access after enrollment. Option B is wrong because device configuration profiles do not control enrollment.

Option A is wrong because role-based access control governs admin actions, not user enrollment.

685
MCQ · easy

A company uses Microsoft Intune to manage Windows 10 devices. They need to ensure that only devices that have a BitLocker encryption status of 'fully encrypted' are allowed to access corporate resources. They create a device compliance policy that requires BitLocker. However, some devices are still accessing resources even though they are not fully encrypted. What should you check?

A. The devices are running Windows 10 Home edition, which does not support BitLocker.
B. The compliance policy is not assigned to the user or device groups.
C. The compliance policy is set to 'Report non-compliant' instead of 'Block non-compliant'.
D. The compliance policy has a grace period configured that allows access for non-compliant devices.
Answer: B

Without assignment, the policy does not apply, and non-compliant devices can still access resources.

Why this answer

Option B is correct because a device compliance policy must be assigned to the appropriate user or device groups to take effect. If the policy is not assigned, Intune will not evaluate the devices against the BitLocker requirement, and non-compliant devices will continue to access corporate resources. The scenario indicates that the policy was created but not enforced, which points directly to a missing assignment.

Exam trap

The trap here is that candidates assume creating a compliance policy automatically enforces it, but Microsoft Intune requires explicit assignment to user or device groups before the policy is evaluated and acted upon.

How to eliminate wrong answers

Option A is wrong because Windows 10 Home edition does not include BitLocker, but the question states the devices are managed by Intune and the policy requires BitLocker; if a device lacked BitLocker support, it would simply be marked non-compliant, not bypass the policy. Option C is wrong because Intune compliance policies do not have a 'Report non-compliant' vs 'Block non-compliant' setting; the enforcement is controlled by Conditional Access policies, not the compliance policy itself. Option D is wrong because a grace period in a compliance policy allows non-compliant devices to remain compliant temporarily, but the question states devices are 'still accessing resources even though they are not fully encrypted,' which would be consistent with a grace period; however, the core issue is that the policy was never assigned, so the grace period is irrelevant.

686
MCQ · hard

Your organization has 5,000 Windows 10 devices managed by Microsoft Intune. You are planning to upgrade them to Windows 11. The devices must meet the Windows 11 hardware requirements. You need to identify which devices are eligible for upgrade and then deploy Windows 11 using a feature update policy in Intune. You have the following requirements: (1) Generate a report of devices that are not eligible due to TPM 2.0 or CPU incompatibility. (2) Deploy Windows 11 to eligible devices using a phased approach: first to IT department (200 devices), then to pilot users (500 devices), and finally to all remaining devices. (3) Ensure that devices in the IT department receive the update within 7 days of Microsoft's release, while pilot users receive it after 30 days, and remaining devices after 60 days. (4) Monitor deployment progress and roll back if critical issues are detected. What should you do?

A. Create feature update policies for Windows 10 and later, targeting each group with appropriate deferral settings. Use the Windows 11 readiness report to identify eligible devices.
B. Configure Windows Update for Business group policies in on-premises AD.
C. Use update rings with different deferral periods for each group.
D. Use Windows Autopilot to deploy Windows 11 images to devices.
Answer: A

Feature update policies are designed for OS upgrades and support deferrals.

Why this answer

Option A is correct because feature update policies allow you to specify deferral periods and target groups. The readiness report identifies incompatibilities. Option C is wrong because update rings are for quality updates, not feature updates.

Option D is wrong because Autopilot is for initial provisioning, not upgrades. Option B is wrong because Windows Update for Business group policies are not managed via Intune.

687
MCQ · easy

You are using Microsoft Intune to deploy a Win32 app (MyApp.exe) to Windows 10 devices. The app requires .NET Framework 4.8 as a dependency. You have created a Win32 app for .NET Framework 4.8 and set it as a dependency for MyApp. However, when you assign MyApp to a device group, the installation fails because .NET Framework is not installed first. The detection rules for MyApp are correctly configured. What should you do to ensure that the dependency is installed before MyApp?

A. Assign the dependency app to the same device group with a higher priority.
B. Modify the detection rule for the dependency app to check a different file.
C. Require that all devices have .NET Framework 4.8 pre-installed before enrollment.
D. Enable 'Auto-install dependency' in the dependency settings of MyApp.
Answer: D

This ensures the dependency is installed first.

Why this answer

Option D is correct because dependencies in Intune are automatically installed before the parent app only when Auto-install dependency is enabled. Option A is wrong because the order of assignment does not guarantee installation order. Option B is wrong because the detection rule checks for app existence, not installation order.

Option C is wrong because requiring devices to have .NET pre-installed is not feasible.

688
MCQ · medium

You need to ensure that Windows 10 devices in your organization receive the latest quality updates within 7 days of release. You configure a Windows Update for Business policy in Intune with a deferral period of 7 days. After two weeks, some devices have not installed the updates. What is the most likely reason?

A. The devices are configured to receive updates from WSUS instead of Windows Update.
B. The deferral period is too short; Microsoft recommends 14 days.
C. The policy is configured to apply only to devices in a specific Azure AD group.
D. Devices have not synced with Intune to receive the updated policy.
Answer: D

Devices must sync to get the policy; if they miss sync, updates are not enforced.

Why this answer

Option D is correct because Windows Update for Business policies in Intune are not applied in real time; devices must check in with the Intune service to receive the updated policy. The default sync interval for Intune-managed Windows 10 devices is approximately 8 hours, and if a device has not synced since the policy was configured, it will not yet have the new deferral settings. This explains why some devices have not installed the updates even after two weeks, as they may have missed the sync window or have a longer check-in cycle.

Exam trap

The trap here is that candidates often assume that configuring a Windows Update for Business policy in Intune immediately applies to all targeted devices, overlooking the critical requirement for devices to complete an Intune sync before the policy takes effect.

How to eliminate wrong answers

Option A is wrong because if devices were configured to receive updates from WSUS, they would ignore Windows Update for Business policies entirely, but the question states the policy was configured in Intune and the issue is that some devices have not installed updates, not that they are using a different update source. Option B is wrong because the deferral period of 7 days is technically valid and not inherently too short; Microsoft does not mandate a 14-day deferral, and the problem is about policy delivery, not the deferral duration. Option C is wrong because while a policy can be scoped to a specific Azure AD group, the question does not indicate that the policy was scoped incorrectly; the issue is that devices have not synced, not that they are in the wrong group.

689
MCQ · medium

You are responsible for deploying Microsoft 365 Apps for enterprise to Windows 10 devices using Microsoft Intune. You want to ensure that users receive the Current Channel with updates delivered directly from the Office Content Delivery Network (CDN). You also want to minimize bandwidth usage on your network. What should you configure?

A. Configure a local update server using BranchCache.
B. Set the update path to the Office CDN and enable Office automatic updates.
C. Use a configuration profile to disable peer-to-peer distribution.
D. Enable delivery optimization and set the Office update channel to Current Channel.
Answer: D

Delivery optimization with peer-to-peer reduces bandwidth.

Why this answer

To minimize bandwidth, you can enable peer-to-peer distribution and configure Delivery Optimization. Option D is correct because enabling Delivery Optimization with peer-to-peer reduces network load. Option B is wrong because the CDN is the default but does not minimize bandwidth.

Option A is wrong because BranchCache is not used for Office updates. Option C is wrong because peer-to-peer is the recommended approach.

690
MCQ · medium

A company uses Microsoft Intune to manage Windows 10 devices. They need to ensure that only devices with BitLocker enabled can access corporate email via Exchange Online. Which configuration should the administrator use to enforce this requirement?

A. Create a Device Compliance policy for Windows 10 with the 'Require encryption of data storage on device' setting enabled.
B. Create a Conditional Access policy that requires device compliance and assign it to Exchange Online.
C. Create an App Protection policy for the Outlook mobile app that requires device encryption.
D. Configure Windows Defender Firewall to block non-BitLocker encrypted devices.
Answer: B

Conditional Access can enforce access based on compliance, which includes BitLocker status.

Why this answer

Option B is correct because a Conditional Access policy in Azure AD can require that devices accessing Exchange Online be marked as compliant in Intune. By combining a Device Compliance policy that requires encryption (BitLocker) with a Conditional Access policy targeting Exchange Online, only compliant devices with BitLocker enabled will be granted access to corporate email.

Exam trap

The trap here is that candidates confuse Device Compliance policies (which only report status) with Conditional Access policies (which enforce access control), leading them to pick Option A, thinking compliance alone blocks access.

How to eliminate wrong answers

Option A is wrong because a Device Compliance policy alone does not enforce access control; it only evaluates and reports compliance status. Without a Conditional Access policy to block non-compliant devices, devices without BitLocker can still access Exchange Online. Option C is wrong because App Protection policies apply to mobile apps (like Outlook for iOS/Android) and manage data protection at the app level, not device-level encryption like BitLocker on Windows 10.

Option D is wrong because Windows Defender Firewall controls network traffic based on IP/port rules, not device encryption status; it cannot enforce BitLocker requirements for Exchange Online access.

691
Multi-Select · easy

Which TWO are valid methods to enroll Windows devices in Microsoft Intune?

Select 2 answers
A. Apple Business Manager
B. Manual enrollment using work or school account
C. Windows Autopilot
D. Android Enterprise
E. Azure AD Join
Answers: B, C

Manual enrollment is a valid method.

Why this answer

Options B and C are correct. C: Windows Autopilot is a modern enrollment method. B: Manual enrollment via Settings > Accounts > Access work or school is valid.

Option A is wrong because Apple Business Manager is for Apple devices. Option D is wrong because Android Enterprise is for Android. Option E is wrong because Azure AD Join is a prerequisite, not an enrollment method.

692
MCQ · easy

You need to deploy a critical security update to 500 Windows 10 devices managed by Intune. The update must be installed by the end of the week. Which deployment method should you use?

A. Create a Windows 10 update ring in Intune and enable expedited quality updates.
B. Configure a Windows Update for Business deferral policy in Intune.
C. Use Windows Autopatch to automatically deploy the update.
D. Create a WSUS policy and push it via Group Policy.
Answer: A

Intune can expedite critical updates using update rings.

Why this answer

Option A is correct because Intune's expedited quality updates allow you to bypass standard deferral periods and force-install critical security updates within days, not weeks. This is the only method that guarantees installation by the end of the week for 500 devices managed solely by Intune, as it leverages the Windows Update service with a reduced deadline (e.g., 2 days) and immediate restart behavior.

Exam trap

The trap here is that candidates confuse 'expedited updates' with 'deferral policies' or 'Autopatch,' assuming any automated update method will meet a tight deadline, but only expedited quality updates bypass the built-in deferral windows and enforce a short installation deadline.

How to eliminate wrong answers

Option B is wrong because configuring a Windows Update for Business deferral policy delays the update by a set number of days (e.g., 7–30 days), which contradicts the requirement to install it by the end of the week. Option C is wrong because Windows Autopatch is designed for ongoing, automated patch management with gradual rollout rings (e.g., Test, First, Fast, Broad) and does not support emergency expedited deployment for a single critical update within a short timeframe. Option D is wrong because WSUS and Group Policy require on-premises infrastructure and Active Directory, which are not applicable to devices managed solely by Intune in a cloud-only or hybrid scenario without domain connectivity.

693
MCQ · medium

A company uses Microsoft Intune to manage Android Enterprise personally-owned work profile devices. They need to deploy a managed app that restricts data transfer between work and personal profiles. Which app configuration policy should they use?

A. Compliance policy
B. Managed app configuration policy
C. App protection policy
D. Device configuration policy
Answer: B

Configures app-specific settings like data transfer restrictions.

Why this answer

A managed app configuration policy allows setting app-specific restrictions. An app protection policy is for data protection but is a separate policy type. A compliance policy is for device compliance.

A device configuration policy is for device settings. Therefore, the managed app configuration policy is correct for app-level restrictions.

694
MCQ · medium

Refer to the exhibit. You are reviewing a Win32 app deployment configuration in Microsoft Intune. The detection rule checks for a registry key under HKLM. The app is set to install in user context. A user reports that the app appears as 'Installed' for some users but not others on the same device. What is the most likely cause?

A. The detection type 'exists' should be 'value' to check the DisplayName.
B. The install experience should be 'system' to write to HKLM.
C. The detection rule uses HKLM but the app installs per user, so the key may not exist for all users.
D. The 'check32BitOn64System' flag is set to false, causing detection to fail on 64-bit systems.
Answer: C

User-context install may write to HKCU, not HKLM.

Why this answer

Option C is correct because the detection rule uses HKLM (machine-level), but the app installs per user; detection might succeed for one user and not another if the registry key is written per user. Option D is wrong because the 32-bit-on-64-bit flag is false and a machine-wide flag would affect all users equally, not some. Option A is wrong because detection type 'exists' does not check a value.

Option B is wrong because install context does not affect detection rule location.

695
MCQ · easy

You need to deploy Microsoft 365 Apps to 1000 devices using Microsoft Intune. The devices are a mix of Windows 10 and Windows 11. Which app deployment method should you use to ensure the latest version is always installed?

A. Deploy a line-of-business app from the installation file.
B. Deploy a Win32 app with the Office Deployment Tool.
C. Deploy Microsoft 365 Apps for enterprise as a built-in app type in Intune.
D. Deploy a custom script that installs Office from a network share.
Answer: C

Built-in type ensures automatic updates from CDN.

Why this answer

Option C is correct because the Microsoft 365 Apps for enterprise built-in app type in Intune is specifically designed to deploy and manage Office with automatic updates from the Office Content Delivery Network (CDN). This method ensures that devices always receive the latest version of Microsoft 365 Apps without requiring manual intervention or custom configuration, as Intune handles the deployment policy and update channel settings natively.

Exam trap

The trap here is that candidates often choose Option B (Win32 app with ODT) because they know ODT is the standard tool for Office deployment, but they overlook that the built-in app type in Intune provides a simpler, more reliable method that automatically handles update channel configuration and ensures the latest version is always installed without custom scripting.

How to eliminate wrong answers

Option A is wrong because deploying a line-of-business (LOB) app from an installation file requires manual packaging and does not support automatic updates to the latest version; it also lacks the built-in update channel management that Microsoft 365 Apps require. Option B is wrong because while deploying a Win32 app with the Office Deployment Tool (ODT) can install Office, it requires custom configuration of the update channel and does not inherently ensure the latest version is always installed unless you manually configure the CDNBaseUrl and update settings; it also adds unnecessary complexity compared to the built-in app type. Option D is wrong because deploying a custom script that installs Office from a network share relies on a static source that must be manually updated, and it does not integrate with Intune's update management or the Office CDN, making it impossible to guarantee the latest version is always installed across all devices.

696
MCQ · medium

You are planning to deploy a Win32 app to Windows 10 devices using Microsoft Intune. The app requires a specific registry key to be present before installation. How should you ensure the prerequisite is met?

A. Configure the installation behavior as 'System' to bypass user context.
B. Add the registry key as a dependency.
C. Set a requirement rule for the registry key.
D. Configure a detection rule to verify the registry key exists.
Answer: D

Detection rules can be used to check prerequisites.

Why this answer

Option D is correct because you can use detection rules to check for the registry key; if it is not found, Intune will not attempt installation. Option C is wrong because requirement rules are for architecture/OS. Option B is wrong because dependencies are for other apps.

Option A is wrong because installation behavior is for user context.

697
MCQ · easy

Refer to the exhibit. An Autopilot device registration JSON. What does the '%RAND:5%' placeholder do?

A. It inserts the device's model name.
B. It generates a random 5-character string.
C. It inserts the device's serial number.
D. It inserts the user's principal name.
Answer: B

This ensures unique names.

Why this answer

Option B is correct because %RAND:5% generates a random 5-character string to ensure unique device names. Option C is wrong because it is not based on the serial number. Option A is wrong because it is not the model name.

Option D is wrong because it is not user-specific.

698
MCQ · medium

Your organization uses Microsoft Intune to manage Android Enterprise devices. You need to deploy a custom app that is not available in the Google Play Store. Which app deployment method should you use?

A. Add the app as a Managed Google Play app.
B. Deploy the app as a web link to the APK file.
C. Add the app as a line-of-business (LOB) app and upload the APK file.
D. Use the iOS LOB app deployment method.
Answer: C

LOB app deployment allows side-loading custom APKs.

Why this answer

Option C is correct because line-of-business (LOB) apps are used for custom apps not in the store. Option A is wrong because Managed Google Play only offers store apps. Option B is wrong because web links are not apps.

Option D is wrong because iOS-specific deployment is irrelevant to Android devices.

699
MCQ · easy

Your company plans to deploy Microsoft 365 Apps to 500 devices using Microsoft Intune. You want to ensure that the Office suite is installed with only Word, Excel, and PowerPoint. Which approach should you use?

A. Use Microsoft Intune to deploy Office by selecting the built-in Office 365 app type and then modify the installation options.
B. Use the Microsoft 365 admin center to assign licenses and then have users install from the portal.
C. Use Microsoft Intune to deploy Office by configuring a Win32 app with the Office Deployment Tool and a custom XML.
D. Use Microsoft Configuration Manager to deploy Office with a task sequence.
Answer: C

ODT with XML allows selecting specific Office apps.

Why this answer

Option C is correct because the Office Deployment Tool allows you to configure which products are installed via an XML configuration file (the Click-to-Run setup is part of the ODT but is not the primary method here). Option A is incorrect because Intune itself does not install Office without an XML configuration.

Option B is incorrect because the Microsoft 365 admin center is for service configuration, not client installation.

700
MCQ · hard

Refer to the exhibit. You run this KQL query in Microsoft Defender XDR to investigate a device. The result shows RiskScore = 0. What does this indicate about the device?

A.The risk score cannot be calculated for this device
B.The device is not enrolled in Defender for Endpoint
C.The device is highly vulnerable
D.The device has no detected threats
AnswerD

RiskScore 0 means no risk.

Why this answer

Option D is correct: a RiskScore of 0 means Defender for Endpoint has no active alerts contributing to the device's risk level. Option C is wrong because 0 is the lowest value, not the highest; vulnerability is tracked separately by the device's exposure level, which is driven by Microsoft Defender Vulnerability Management findings rather than by alerts. Option A is wrong because 0 is a computed value, not an 'unknown' result. Option B is wrong because a risk score is produced only for devices that are onboarded and reporting to Defender for Endpoint, so a score of 0 does not suggest the device is unenrolled.

Caveat: a risk score of 0 says nothing about missing patches or misconfigurations, so pair it with the exposure level before concluding that a device is healthy.

701
MCQhard

Your organization uses Microsoft Intune to manage Android Enterprise devices. You need to ensure that work profile apps are encrypted and that the device owner cannot uninstall the Company Portal app. Which configuration profile should you deploy?

A.Device configuration profile with custom OMA-URI
B.Device restrictions for Android Enterprise fully managed
C.Device restrictions for Android Enterprise work profile
D.Compliance policy for Android Enterprise
AnswerC

This profile can enforce encryption and block removal of apps.

Why this answer

Option C is correct because the 'Device restrictions for Android Enterprise work profile' profile includes settings to enforce encryption of work profile apps and to prevent the uninstallation of the Company Portal app. Specifically, the 'Require work profile encryption' setting ensures that work profile data is encrypted, and the 'Block uninstall of Company Portal' setting prevents the device owner from removing the Company Portal app. These settings are only available within the work profile restrictions profile, not in other profile types.

Exam trap

The trap here is that candidates often confuse 'Device restrictions for Android Enterprise work profile' with 'Device restrictions for Android Enterprise fully managed' or assume that a compliance policy can enforce configuration settings, when in fact the work profile restrictions profile is the only one that combines both encryption enforcement and app uninstall prevention for personally owned devices with work profiles.

How to eliminate wrong answers

Option A is wrong because custom OMA-URI profiles are used for settings not available in the Intune UI, but the required encryption and uninstall prevention settings are natively available in the work profile restrictions profile, making a custom OMA-URI unnecessary and less precise. Option B is wrong because 'Device restrictions for Android Enterprise fully managed' applies to corporate-owned devices with a single user, not to work profiles on personally owned devices; it lacks the specific settings to block uninstallation of the Company Portal app from the work profile. Option D is wrong because compliance policies evaluate device compliance (e.g., encryption status) but cannot enforce configuration settings like preventing app uninstallation; they are reactive, not proactive.

702
Multi-Selecteasy

Which TWO methods can you use to deploy Microsoft Defender for Endpoint on Windows Server 2019? (Choose two.)

Select 2 answers
A.Install from Microsoft Store
B.Enable via Windows Update
C.Use Group Policy to configure and enable the service
D.Install manually from Microsoft 365 admin center
E.Deploy via Microsoft Intune endpoint security
AnswersC, E

Group Policy can deploy Defender for Endpoint on servers.

Why this answer

Options C and E are correct. Group Policy onboards Windows Server 2019 by applying the onboarding package and the settings that configure and start the Defender for Endpoint sensor (the sensor is built into Server 2019, so no separate agent install is needed). Intune can manage Defender for Endpoint onboarding and settings on servers through endpoint security policies (security settings management). Option A is wrong because the Microsoft Store does not distribute Defender for Endpoint and is not a server deployment channel. Option B is wrong because Windows Update delivers platform and definition updates but does not onboard a device to the service. Option D is wrong because the Microsoft 365 admin center does not deploy software to devices.

Microsoft Configuration Manager and the local onboarding script are also valid onboarding methods, but they are not among the listed options.

703
MCQeasy

A user reports that a required line-of-business (LOB) app does not appear on their Windows 11 device enrolled in Microsoft Intune. The app was deployed as a 'Required' assignment to a dynamic device group. The device is compliant and shows as 'Active' in Intune. What is the most likely cause?

A.The app requires manual approval from Microsoft Store for Business.
B.The user is not a member of the device group.
C.The device was offline during the last check-in.
D.The app is assigned to users instead of devices.
AnswerC

Required apps are installed during check-in; offline devices may miss the policy.

Why this answer

Option C is correct because required apps are delivered when the Intune Management Extension checks in; a device that was offline (or had not yet synced after joining the dynamic group) simply has the install pending. Option A is wrong because an LOB app is uploaded to Intune directly and involves no Store approval. Option B is wrong because the assignment targets a device group, so the user's group membership is irrelevant. Option D is wrong because the question states the app is assigned to a device group.

Practical check: trigger a sync from Company Portal or the Intune console, confirm the device is actually a member of the dynamic group, and review the IntuneManagementExtension log under C:\ProgramData\Microsoft\IntuneManagementExtension\Logs on the device.

704
MCQeasy

You need to deploy an Android Enterprise app to corporate-owned work profile devices. The app is available on Google Play. Which deployment method should you use?

A.Microsoft Store for Business
B.Managed Google Play
C.Apple Business Manager
D.Side-loading via Intune
AnswerB

Managed Google Play is the app store for Android Enterprise.

Why this answer

Option B is correct because Managed Google Play is the app store for every Android Enterprise enrollment type, including corporate-owned work profile. Option A is wrong because the Microsoft Store is for Windows. Option C is wrong because Apple Business Manager is for iOS/iPadOS and macOS. Option D is wrong because side-loading is unnecessary for an app that is already in Google Play and bypasses the store's management.

705
MCQeasy

A user reports that their Windows 11 device cannot install a required line-of-business (LOB) app from Company Portal. The app is assigned to the user and shows as 'Available' in Intune. The device is compliant and managed. What is the most likely cause?

A.The Company Portal app on the device is outdated.
B.The app is not assigned to the user.
C.The app is not assigned to the device group.
D.The device is non-compliant with security policies.
AnswerA

An outdated Company Portal can cause display issues.

Why this answer

Option A is correct: an outdated Company Portal can fail to display or install apps correctly, so updating it is the first check. Option B is wrong because the question states the app is assigned to the user. Option C is wrong because an 'Available' assignment is user-targeted and installed on demand; a device-group assignment is not required. Option D is wrong because the question states the device is compliant.

706
MCQeasy

Refer to the exhibit. You have assigned the above compliance policy to a Windows 10 device group. A user reports that their device is non-compliant even though BitLocker is enabled on the system drive. Which of the following is the most likely reason?

A.BitLocker recovery password rotation is not enabled.
B.The device does not have a TPM 2.0 chip.
C.The system drive is not encrypted with BitLocker.
D.A removable USB drive is not encrypted with BitLocker.
AnswerD

The policy requires encryption of removable drives.

Why this answer

Option D is correct. The exhibited policy requires encryption of removable drives as well (bitLockerRemovableDrivesEncryptionRequired), so a connected USB drive that is not BitLocker-encrypted makes the device noncompliant even though the system drive is encrypted.

Option A is incorrect because recovery password rotation is not a compliance setting. Option B is incorrect because the policy does not require a specific TPM version. Option C is incorrect because the question states the system drive is encrypted.

707
MCQhard

Refer to the exhibit. An administrator retrieves a list of Win32 apps. They notice that one app shows installExperience as 'system' and detectionRules as 'fileVersion' with version '1.0.0'. The app fails to install on some devices. The event viewer on a failing device shows 'The app was installed but detection rule did not match'. What is the most likely cause?

A.The PowerShell cmdlet is deprecated
B.The installExperience should be 'user' instead of 'system'
C.The app requires a reboot that is not handled
D.The detection rule expects version 1.0.0 but the installed version is different
AnswerD

Version mismatch causes detection failure.

Why this answer

Option D is correct. The Intune Management Extension ran the installer, which exited with a success code, but the detection rule then looked for file version 1.0.0 and found a different version (for example 1.0.1, or a four-part version such as 1.0.0.123 when the rule was pinned to an exact value), so Intune reports the install as failed even though the binaries are present. Option A is wrong because a deprecated cmdlet would affect the administrator's query, not installation on the device. Option B is wrong because system context is appropriate for an app installed for all users and has no bearing on a detection mismatch. Option C is wrong because a pending reboot is surfaced through the return code, not through the 'detection rule did not match' message.

The fix is to correct the rule: detect on the version the installer actually writes, and prefer a 'greater than or equal to' comparison over an exact match so routine build updates do not break detection.

708
MCQhard

Your organization uses Microsoft Defender for Endpoint. You need to ensure that all Windows devices have the Defender Antivirus platform update installed. Which Intune app type should you use?

A.Windows app (Win32)
B.Microsoft Defender for Endpoint app type
C.Microsoft 365 Apps for enterprise
D.Line-of-business app
AnswerB

Intune includes a specific app type for Defender updates.

Why this answer

Option B is correct because the exam keys on Intune's dedicated Microsoft Defender for Endpoint app type rather than a generic package. Option A is wrong because no Win32 wrapper is needed for a Microsoft-published update. Option C is wrong because the Microsoft 365 Apps type deploys Office, not Defender. Option D is wrong because a platform update is not an in-house LOB package.

Caveat: in the Intune console the Defender for Endpoint app type is offered for macOS. On Windows, the Defender Antivirus platform and engine updates arrive through Windows Update (or the configured update source) and are controlled with Defender update-channel settings, so confirm delivery with the platform and engine versions reported by Get-MpComputerStatus rather than with an app install status.

709
MCQmedium

Refer to the exhibit. An Intune administrator configured a Win32 app with the settings shown. What is the expected behavior when the app installation exits with return code 3010?

A.The device restarts immediately
B.The installation is marked as failed
C.The device may restart after installation outside of active hours
D.The app is not installed
AnswerC

Soft reboot triggers a deferred restart.

Why this answer

Option C is correct because return code 3010 maps to 'Soft reboot' in the default Win32 app return codes: the installation is treated as successful and the device may restart later, respecting the app's restart settings and active hours. Option A is wrong because 3010 does not force an immediate restart (that is 1641, 'Hard reboot'). Option B is wrong because soft reboot is a success state, not a failure. Option D is wrong because the app is installed; only the restart is pending.

For reference, the default mappings are 0 and 1707 Success, 3010 Soft reboot, 1641 Hard reboot and 1618 Retry; any other code is treated as failure unless you add it to the app's return codes.

710
Multi-Selecthard

Which THREE features are available in Microsoft Intune's Windows Autopilot for existing devices?

Select 3 answers
A.Collect hardware hash from the existing device.
B.Deploy a provisioning package using a USB drive.
C.Reset the device and re-enroll it using Autopilot.
D.Automatically convert the device to an Autopilot device without user interaction.
E.Apply Autopilot profiles to macOS devices.
AnswersA, B, C

Hardware hash is collected to register the device.

Why this answer

Options A, B and C are correct: Windows Autopilot for existing devices supports collecting the hardware hash from the device, deploying a provisioning package, and resetting the device so it re-enrolls through Autopilot. Option D is wrong because a device becomes an Autopilot device through hardware hash registration, not as an automatic step of the deployment itself. Option E is wrong because Autopilot is a Windows feature; macOS uses Apple Business Manager with Automated Device Enrollment.

711
Multi-Selectmedium

Your organization uses Microsoft Intune to manage Windows devices. You are deploying a Win32 app that requires a reboot to complete installation. You want to control the reboot behavior to minimize user disruption. Which TWO settings can you configure in the Intune Win32 app properties to manage reboot? (Choose two.)

Select 2 answers
A.Allow restart after installation (in assignment)
B.Device restart behavior
C.Restart deadline
D.Restart grace period
E.Restart notification text
AnswersA, B

This can be set to Yes or No in the assignment settings.

Why this answer

Options A and B are correct. 'Device restart behavior' is a property of the Win32 app itself and controls whether Intune forces a restart, suppresses it, or decides from the return codes. 'Allow restart after installation' is set per assignment.

Options C and E are not Win32 app settings; they resemble Windows Update ring options. Option D is not keyed here, but be aware that a Required assignment does expose a 'Restart grace period' (countdown and snooze) for installs that signal a restart, so the real product has more than two restart-related controls.

712
Multi-Selectmedium

Your company is deploying iOS devices using Apple Business Manager and Intune. You need to ensure that devices are automatically configured with Wi-Fi settings, email profiles, and a list of required apps during the initial setup. Which THREE configurations should you create in Intune?

Select 3 answers
A.A device configuration profile for Wi-Fi settings.
B.A Windows configuration designer provisioning package.
C.A device compliance policy for iOS.
D.A device configuration profile for email settings.
E.An iOS app configuration policy for required apps.
AnswersA, D, E

Wi-Fi profile configures wireless settings.

Why this answer

Options A, D and E are correct. Device configuration profiles push the Wi-Fi and email settings, and the required apps are assigned so they install during or right after setup.

Option B is wrong because Windows Configuration Designer provisioning packages apply only to Windows. Option C is wrong because a compliance policy evaluates the device; it configures nothing.

713
Multi-Selecthard

Which THREE conditions can be used to create a dynamic device group in Microsoft Entra ID for Intune management? (Choose three.)

Select 3 answers
A.Enrollment profile name (e.g., 'Autopilot Profile')
B.Last sign-in time of the user
C.Installed application version
D.Device model (e.g., 'Surface Pro 7')
E.Operating system version (e.g., 'Windows 11 22H2')
AnswersA, D, E

Enrollment profile name is a valid device attribute.

Why this answer

Options A, D and E are correct. Dynamic device group rules can use device attributes such as enrollmentProfileName, deviceModel and deviceOSVersion. Option B is wrong because a user's last sign-in time is not a device attribute, and sign-in activity is not available to dynamic membership rules at all.

Option C is wrong because installed application inventory is not an Entra ID device attribute; app-based targeting is done with Intune assignment filters or with groups populated by other means.
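Added example (not code from the original page): creating a dynamic device group whose membership rule combines the three attributes keyed as correct above, using the Microsoft Graph PowerShell SDK. The group name, the Autopilot profile name, the model prefix and the OS build are assumptions for illustration; the rule syntax and the device.* property names are the documented ones.

```powershell
# Added example, not from the original page. Requires the Microsoft.Graph.Groups
# module and a sign-in with Group.ReadWrite.All.
Import-Module Microsoft.Graph.Groups
Connect-MgGraph -Scopes 'Group.ReadWrite.All'

# Each clause uses a documented device property. deviceOSVersion is a string,
# so -startsWith on the build prefix is safer than -eq on a full build number.
# The profile name, model and build below are assumptions.
$rule = @'
(device.enrollmentProfileName -eq "Autopilot Profile") and
(device.deviceModel -startsWith "Surface Pro") and
(device.deviceOSVersion -startsWith "10.0.22621")
'@

$params = @{
    DisplayName                   = 'Win11-SurfacePro-Autopilot'            # assumed name
    MailEnabled                   = $false
    MailNickname                  = 'win11-surfacepro-autopilot'
    SecurityEnabled               = $true
    GroupTypes                    = @('DynamicMembership')
    MembershipRule                = ($rule -replace '\s+', ' ').Trim()
    MembershipRuleProcessingState = 'On'
}
$group = New-MgGroup -BodyParameter $params
Write-Output "Created $($group.DisplayName) ($($group.Id))"

# Membership is evaluated asynchronously by the directory; members appear after
# processing, not at creation time. Re-read the group and list what matched.
Start-Sleep -Seconds 60
$group = Get-MgGroup -GroupId $group.Id -Property 'id,displayName,membershipRule'
Write-Output "Rule in effect: $($group.MembershipRule)"
Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { $_.AdditionalProperties['displayName'] } |
    Sort-Object
```

If a device you expect is missing, compare its attributes with `Get-MgDevice -DeviceId <id> -Property 'displayName,deviceModel,operatingSystemVersion,enrollmentProfileName'` before suspecting the rule; enrollmentProfileName is only populated for devices registered through Autopilot.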

714
Multi-Selectmedium

A company uses Microsoft Intune to manage Windows 10 devices. They want to ensure that devices have BitLocker enabled and are compliant before accessing corporate resources. Which TWO actions should the administrator take? (Choose two.)

Select 2 answers
A.Assign the device compliance policy to all users.
B.Create a device compliance policy that requires BitLocker.
C.Enable Windows Hello for Business.
D.Create a device configuration profile to enable BitLocker.
E.Create a Conditional Access policy that grants access only to compliant devices.
AnswersB, E

Compliance policy checks BitLocker status.

Why this answer

Option B is correct because a device compliance policy in Microsoft Intune can require BitLocker on Windows 10 devices; the policy evaluates the device's BitLocker status and marks it noncompliant if BitLocker is not enabled. Option E is correct because Conditional Access is what turns that status into an access decision: a policy that grants access only to compliant devices blocks the noncompliant ones. Option A is wrong because the assignment target does not by itself enforce anything. Option C is unrelated to disk encryption. Option D enables BitLocker but does not gate access; it is a sensible companion for remediation but not one of the two actions required for the stated goal.

Exam trap

The trap here is that candidates often confuse a device configuration profile (which enables BitLocker) with a compliance policy (which evaluates and enforces BitLocker status), leading them to select Option D instead of understanding that both a compliance policy and a Conditional Access policy are required for the stated goal.

715
MCQhard

You are planning to deploy a custom line-of-business (LOB) app to 200 Windows 11 devices using Intune. The app requires a specific registry key to be present before installation. What should you do?

A.Add the app as a dependency for another app that creates the registry key.
B.Use an app configuration policy to set the registry key before the app installs.
C.Add a requirement rule to the app deployment that runs a PowerShell script to check for the registry key.
D.Create a custom compliance policy to enforce the registry key.
AnswerC

Requirement rules can use PowerShell scripts to check prerequisites.

Why this answer

Option C is correct because Intune's requirement rules allow you to run a PowerShell script that checks for the existence of a specific registry key before the app installs. If the script returns a non-zero exit code, Intune will not proceed with the installation, ensuring the prerequisite is met. This is the only option that directly enforces a precondition for the app installation without requiring additional apps or policies.

Exam trap

The trap here is that candidates often confuse requirement rules (which block installation if unmet) with detection rules (which determine if an app is already installed), or they mistakenly think app configuration policies can modify the Windows registry, when in fact they are limited to mobile device management (MDM) settings for specific platforms.

How to eliminate wrong answers

Option A is wrong because adding the app as a dependency for another app that creates the registry key would require the LOB app to be installed first, which is the opposite of what is needed—the registry key must be present before the LOB app installs. Option B is wrong because app configuration policies are used to configure app settings (e.g., for managed iOS/iPadOS or Android apps) and cannot create or modify registry keys on Windows devices. Option D is wrong because custom compliance policies evaluate device compliance after enrollment and can mark a device as non-compliant, but they do not prevent or block the installation of a specific app; they only trigger remediation or conditional access actions.
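Added example (not code from the original page) covering both question 707 and this one: the two scripts a Win32 app can run around installation. The requirement script checks for the registry key before Intune proceeds; the detection script confirms the installed file version without pinning an exact value, which is the mistake behind 'The app was installed but detection rule did not match' in question 707. The registry path, executable path and minimum version are assumptions. The semantics are Intune's: a requirement script's STDOUT is compared against the configured rule (here Boolean equals Yes), and a detection script counts as 'installed' only when it exits 0 and writes something to STDOUT.

```powershell
# Added example, not from the original page. One file for readability; when
# packaging, split the two modes into separate scripts, because Intune does not
# pass arguments to requirement or detection scripts.
param([ValidateSet('requirement', 'detection')][string]$Mode = 'detection')

# --- Requirement rule: Win32 app > Requirements > Add > Script
# Configure as: Output data type = Boolean, Operator = Equals, Value = Yes.
# Missing output or a non-zero exit code also means "requirement not met".
function Test-Prerequisite {
    param(
        [string]$Path = 'HKLM:\SOFTWARE\Contoso\LobApp',   # assumed key the LOB app needs
        [string]$Name = 'Provisioned'                       # assumed value name
    )
    if (-not (Test-Path -Path $Path)) { return $false }
    $value = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    return ($null -ne $value)
}

# --- Detection rule: Win32 app > Detection rules > Use a custom detection script
# Returns the parsed version when the app is present at or above the minimum,
# otherwise $null. Comparing [version] objects with -ge means 1.0.0.123 or 1.0.1
# still detect, whereas a rule pinned to exactly 1.0.0 would report a mismatch.
function Test-AppInstalled {
    param(
        [string]$ExePath = "$env:ProgramFiles\Contoso\LobApp\LobApp.exe",   # assumed path
        [version]$MinimumVersion = '1.0.0'
    )
    if (-not (Test-Path -Path $ExePath)) { return $null }
    $raw = (Get-Item -Path $ExePath).VersionInfo.FileVersion   # e.g. "1.0.0.123" or "1.0.1 (build 7)"
    $parsed = $null
    # Take the leading numeric token; FileVersion strings often carry trailing text.
    if (-not [version]::TryParse(($raw -split '\s')[0], [ref]$parsed)) { return $null }
    if ($parsed -ge $MinimumVersion) { return $parsed }
    return $null
}

# Script entry: Intune reads STDOUT and the exit code, not function return values.
switch ($Mode) {
    'requirement' {
        Write-Output (Test-Prerequisite)   # "True" satisfies "Boolean Equals Yes"
        exit 0
    }
    'detection' {
        $installed = Test-AppInstalled
        if ($installed) {
            Write-Output "Installed version $installed"
            exit 0
        }
        exit 1
    }
}
```

Test both locally before uploading: `.\Win32Rules.ps1 -Mode requirement` should print True on a device that has the key, and `.\Win32Rules.ps1 -Mode detection; $LASTEXITCODE` should be 0 only where the binary exists at the expected version. The Intune Management Extension log records what each script returned, which is the first place to look when a device shows 'not applicable' (requirement failed) or 'failed' (detection failed).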

716
MCQmedium

Your organization uses Microsoft Intune to manage Android Enterprise devices. You need to deploy a managed Google Play app to a device. The app appears in the managed Google Play store but the deployment status shows 'Failed'. What is the most likely cause?

A.The device is enrolled in a personally-owned work profile.
B.The device is not allowed to access the managed Google Play store.
C.The app is not approved in the managed Google Play store.
D.The device does not have Google Play Services installed.
AnswerA

Some apps require corporate-owned enrollment.

Why this answer

Option A is correct: some Managed Google Play apps carry requirements that only corporate-owned enrollment types (corporate-owned work profile or fully managed) satisfy, so an assignment to a personally-owned work profile device fails. Option B is wrong because the question states the app appears in the device's managed store, so store access is working.

Option C is wrong because an app that appears in the managed Google Play store has already been approved. Option D is wrong because Google Play Services is required for any Android Enterprise enrollment; the device could not have enrolled without it.

717
MCQhard

You manage devices with Microsoft Intune. A user reports that their Windows 11 device is not receiving updates from Windows Update for Business. The device shows as compliant in Intune. You verify that update rings are assigned to the device. What should you check next?

A.Check if the device has a compliance policy that blocks updates.
B.Ensure that the device is not configured for dual scan.
C.Check the device's delivery optimization settings.
D.Verify that the update ring is assigned to the correct Azure AD group.
AnswerC

Delivery optimization can prevent updates if misconfigured.

Why this answer

Option C is correct because delivery optimization settings control how Windows Update for Business downloads updates, and misconfigured settings (e.g., peer caching or bandwidth throttling) can prevent updates from being received even when update rings are properly assigned. Since the device is compliant and update rings are assigned, the next logical step is to verify that delivery optimization is not blocking or delaying the download. This aligns with Intune's troubleshooting workflow for Windows Update for Business issues.

Exam trap

The trap here is that candidates assume compliance or group assignment is the root cause. Update rings only define deferral and scheduling policy; the download itself is performed by the Windows Update client, with Delivery Optimization deciding where content comes from and how much bandwidth it may use, so a misconfigured download path can stall updates that policy has already approved.

How to eliminate wrong answers

Option A is wrong because compliance policies in Intune do not block updates; they enforce device configuration requirements (e.g., encryption, OS version) and mark devices noncompliant if unmet, but they do not prevent Windows Update from receiving updates. Option B is wrong for the purposes of this question because dual scan (a device configured for both Windows Update for Business and WSUS) is not the next check after verifying update ring assignment and compliance; in practice, though, on co-managed or formerly domain-managed devices that still receive WSUS policy, dual scan is a frequent cause of missing updates and is worth checking as well. Option D is wrong because the question already states that update rings are assigned to the device, so verifying the Azure AD group assignment is redundant and not the next logical step.

718
MCQhard

A company uses Microsoft Intune to manage Windows 10 devices. They need to deploy a custom security baseline that includes blocking PowerShell scripts from running unless they are signed by a trusted publisher. Which configuration should be applied?

A.Set the PowerShell Execution Policy to 'AllSigned' via Administrative Templates.
B.Create a Windows Defender Application Control (WDAC) policy that blocks unsigned scripts.
C.Enable BitLocker with Secure Boot to validate script integrity.
D.Configure AppLocker rules to deny execution of PowerShell scripts.
AnswerA

This policy requires all scripts to be signed by a trusted publisher before running.

Why this answer

Option A is correct because setting the PowerShell Execution Policy to 'AllSigned' through the 'Turn on Script Execution' administrative template (available in Intune's Administrative Templates and Settings Catalog) configures the machine-scope policy so that scripts run only when they carry a valid Authenticode signature from a publisher the device trusts. Because it arrives as MachinePolicy, users cannot override it with Set-ExecutionPolicy or the -ExecutionPolicy command-line switch.

Caveat: Microsoft documents the execution policy as a safety feature, not a security boundary. A user can still paste a script's contents into an interactive session or pipe them to powershell.exe, so AllSigned prevents accidental execution of unsigned scripts rather than stopping a determined user. WDAC or AppLocker rules are the controls that actually enforce script execution (and place PowerShell into Constrained Language Mode). The exam asks for the setting that expresses the 'signed by a trusted publisher' requirement, which is the execution policy.

Exam trap

The trap here is that candidates often confuse AppLocker or WDAC with PowerShell Execution Policy, thinking they achieve the same granular control over script signing, but only the PowerShell Execution Policy directly enforces the 'AllSigned' requirement for PowerShell scripts.

How to eliminate wrong answers

Option B is wrong because Windows Defender Application Control (WDAC) controls which executables, scripts, and drivers can run based on code integrity policies, but it does not specifically enforce a signature requirement for PowerShell scripts in the same granular way as the PowerShell Execution Policy; WDAC can block unsigned scripts but is broader and not the targeted configuration for PowerShell execution policy. Option C is wrong because BitLocker with Secure Boot validates the integrity of the boot process and system files, not script execution policies; it does not control whether PowerShell scripts must be signed. Option D is wrong because AppLocker rules can deny execution of PowerShell scripts, but they do not enforce a signature requirement from a trusted publisher; AppLocker can block or allow based on path, publisher, or hash, but the specific requirement for scripts to be signed by a trusted publisher is best achieved via the PowerShell Execution Policy set to 'AllSigned'.
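Added example (not code from the original page): the checks an administrator runs after deploying the AllSigned policy. It reads the registry values the administrative template writes, compares them with the effective MachinePolicy scope, and inventories which scripts in a folder will be refused under AllSigned because they are unsigned or signed by an untrusted publisher. The script folder is an assumption; the registry key and value names are the ones the 'Turn on Script Execution' policy uses.

```powershell
# Added example, not from the original page.

function Get-MachineExecutionPolicyState {
    # The "Turn on Script Execution" template writes EnableScripts (1 = Enabled)
    # and ExecutionPolicy ('AllSigned', 'RemoteSigned' or 'Unrestricted').
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    $reg = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PolicyEnableScripts   = $reg.EnableScripts
        PolicyExecutionPolicy = $reg.ExecutionPolicy
        EffectiveMachine      = (Get-ExecutionPolicy -Scope MachinePolicy)   # reflects the policy above
        EffectiveNow          = (Get-ExecutionPolicy)                        # what this session enforces
        PolicyApplied         = (($reg.EnableScripts -eq 1) -and ($reg.ExecutionPolicy -eq 'AllSigned'))
    }
}

function Test-ScriptSignatures {
    # Lists every .ps1 under the folder with its signature status so scripts that
    # AllSigned will block can be signed (or retired) before users hit the error.
    param([string]$Folder = "$env:ProgramData\Contoso\Scripts")   # assumed path
    Get-ChildItem -Path $Folder -Filter *.ps1 -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Script    = $_.FullName
                Status    = $sig.Status                  # Valid, NotSigned, UnknownError, HashMismatch, ...
                Publisher = $sig.SignerCertificate.Subject
                WillRun   = ($sig.Status -eq 'Valid')    # only a valid, trusted signature passes AllSigned
            }
        }
}

Get-MachineExecutionPolicyState | Format-List
Test-ScriptSignatures | Where-Object { -not $_.WillRun } | Format-Table -AutoSize
```

A status of UnknownError on a signed script usually means the signing certificate chains to a root the device does not trust; AllSigned requires the publisher to be trusted on that machine, not merely present in the signature. Remember the caveat above when reading the results: this audit tells you what the policy will stop by default, not what a user who deliberately bypasses the host can run.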

719
Multi-Selecthard

Which TWO methods can you use to deploy a custom Windows app that is not available in the Microsoft Store to multiple devices managed by Intune?

Select 2 answers
A.Line-of-business app
B.Win32 app management
C.Microsoft Store for Business app
D.Web app
E.Built-in app
AnswersA, B

LOB apps support .msi and .intunewin for Windows.

Why this answer

Line-of-business (LOB) app deployment is correct because it lets you upload and distribute custom Windows installers (.msi, .appx or .msix) that are not in the Microsoft Store to Intune-managed devices. Win32 app management is the second correct method: the installer (including an .exe with its supporting files) is packaged into an .intunewin file and gains detection, requirement and dependency rules plus return-code handling, which is why it is preferred for anything beyond a simple single-file MSI. Both are designed for internal or third-party apps that are not publicly available.

Exam trap

The trap here is that candidates often confuse 'Web app' with a method to install an actual application, when it only creates a web link shortcut and does not deploy any executable code to the device.

720
Multi-Selectmedium

Which TWO of the following are supported app types for deploying to iOS devices via Microsoft Intune?

Select 2 answers
A.Web link
B.iOS line-of-business app
C.iOS store app
D.Android app
E.Win32 app
AnswersB, C

iOS LOB apps are supported.

Why this answer

iOS store apps and iOS line-of-business apps are the two iOS app types here. A web link is an Intune app type available to any platform, but it only creates a shortcut to a URL rather than installing an app. Win32 apps are Windows-only and Android apps target Android, so neither can be deployed to iOS.

721
MCQeasy

A company wants to prevent corporate data from being copied from managed apps to personal apps on iOS devices. Which Intune policy should the administrator configure?

A.Device configuration profile
B.Device compliance policy
C.App protection policy
D.Enrollment restrictions
AnswerC

App protection policies control data transfer between managed and unmanaged apps.

Why this answer

The correct answer is C, an app protection policy (MAM), whose data-transfer settings restrict copy, paste, save-as and share actions between managed and unmanaged apps. Option A is incorrect because configuration profiles set device settings and do not govern in-app data flows. Option B is incorrect because compliance policies evaluate device state, not app behavior.

Option D is incorrect because enrollment restrictions control which devices can enroll.

722
Multi-Selecteasy

You are configuring Windows Update for Business policies in Microsoft Intune. You want to ensure that devices receive quality updates (security fixes) as soon as they are released, but defer feature updates for up to 60 days. Which TWO settings should you configure?

Select 2 answers
A.Set 'Defer quality updates (days)' to 0.
B.Set 'Feature update channel' to 'Semi-Annual Channel'.
C.Set 'Update notification level' to 'Turn off notifications'.
D.Set 'Defer quality updates (days)' to 60.
E.Set 'Defer feature updates (days)' to 60.
AnswersA, E

0 days means immediate installation of quality updates.

Why this answer

Options A and E are correct. Setting the quality update deferral to 0 days lets security fixes install as soon as they are released, and a 60-day feature update deferral holds back feature updates for the required period.

Option B is a servicing channel selection, not a deferral. Option C silences notifications and has no effect on timing. Option D is incorrect because it would delay the quality updates the scenario wants immediately.

723
Multi-Selecthard

Which THREE settings must be configured to enable Windows Hello for Business in an Intune policy?

Select 3 answers
A.Enable Windows Hello for Business provisioning.
B.Use Windows Hello for Business.
C.Configure biometrics (facial recognition or fingerprint).
D.Certificate enrollment policy.
E.Minimum PIN length.
AnswersB, C, E

Must be set to 'Enabled'.

Why this answer

Options B, C and E are correct: you must turn on Windows Hello for Business, set the minimum PIN length, and configure whether biometrics (facial recognition or fingerprint) are allowed. Option A is wrong because there is no separate 'provisioning' toggle; enabling Windows Hello for Business is the provisioning switch.

Option D is wrong because certificate enrollment is configured separately and is not required for Windows Hello for Business.

724
MCQhard

Refer to the exhibit. The JSON snippet shows the Azure AD Identity Protection MFA registration policy configuration for the Contoso tenant. A new user, Jane, joins the company and is assigned a license. Jane attempts to access the Azure portal and is prompted to register for MFA. She registers successfully. However, the next day, she is again prompted to register for MFA. What is the most likely cause?

A.The MFA registration policy is disabled.
B.The user's MFA registration is being reset due to a synchronization issue with on-premises Active Directory.
C.The policy is not including all users.
D.The policy excludes the user Jane.
AnswerB

If the user is synced from on-premises, changes in on-premises can reset the MFA registration state.

Why this answer

The most likely cause is that the user's registration state was reset through synchronization with on-premises Active Directory. In a hybrid environment, if the on-premises object is re-provisioned (for example deleted and re-created, moved out of and back into sync scope, or matched to a new source anchor), the cloud object can be re-created or restored without its previously registered authentication methods, so the user is treated as unregistered and prompted again despite the earlier successful registration. Confirm this by comparing the user's object ID and registered methods before and after the event in the Entra ID audit and provisioning logs.

Exam trap

The trap here is that candidates often assume the issue is with the policy configuration (enabled, scope, or exclusions) rather than recognizing that a synchronization reset of the MFA registration state is the root cause in a hybrid environment.

How to eliminate wrong answers

Option A is wrong because if the MFA registration policy were disabled, Jane would not have been prompted to register at all, let alone repeatedly. Option C is wrong because the policy not including all users would mean Jane is not targeted by the policy, so she would not be prompted to register for MFA. Option D is wrong because if the policy explicitly excluded Jane, she would not be prompted to register for MFA in the first place.

725
MCQeasy

A user reports that Microsoft 365 Apps for enterprise is not installing on their Windows 10 device. The app is assigned as 'Available' to the user group. What must the user do to trigger the installation?

A.Wait for the next device sync
B.Open the Company Portal app and install from there
C.Restart the device
D.Log off and log back in
AnswerB

Users install available apps through Company Portal.

Why this answer

Option B is correct because available app installs require user interaction via the Company Portal. Option A is wrong because the app is not required. Option C is wrong because the user can initiate install anytime.

Option D is wrong because no restart is needed before install.

726
Multi-Selecthard

You are troubleshooting an issue where Windows 10 devices are not receiving policies from Microsoft Intune. The devices are enrolled and show as 'active' in the console. Which THREE steps should you take to diagnose the problem?

Select 3 answers
A.Verify the last sync time in Intune console.
B.Re-register the device in Azure AD.
C.Check the device's local firewall rules for Intune ports.
D.Re-enroll the device by removing and re-adding it in Intune.
E.Collect MDM diagnostic logs from the device.
AnswersA, D, E

If last sync is old, the device may not be communicating.

Why this answer

Options A, D and E are correct. Checking the last sync time shows whether the device is communicating with the service at all. Collecting MDM diagnostic logs from the device gives detailed error information about enrollment and policy processing. Re-enrolling the device resets the management channel when a broken enrollment is the cause.

Option B is not necessary because the device is already registered and shows as active. Option C is not a standard step: Intune uses outbound HTTPS to documented service endpoints, and a local firewall that blocked it would also prevent the device from reporting as active.
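Added example (not code from the original page): the on-device side of the three keyed steps, run from an elevated prompt on the affected Windows device. It captures join and MDM enrollment status, the last run of the MDM scheduled tasks (the device-side counterpart of the console's last sync time), recent errors from the MDM client event log, forces a sync, and then collects the diagnostic CAB for escalation. The output folder is an assumption; the tool names, log name and task path are the standard Windows ones.

```powershell
# Added example, not from the original page. Run elevated on the device.
$out = 'C:\Temp\MdmDiag'   # assumed output folder
New-Item -ItemType Directory -Path $out -Force | Out-Null

# 1. Is the device still joined/registered, and does it know its MDM endpoint?
dsregcmd /status |
    Select-String 'AzureAdJoined|DomainJoined|TenantName|MdmUrl|MdmComplianceUrl' |
    Tee-Object -FilePath "$out\dsregcmd.txt"

# 2. When did the MDM client last run? The EnterpriseMgmt folder holds one
#    subfolder per enrollment; LastTaskResult other than 0 points at a failed check-in.
$mdmTasks = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' -ErrorAction SilentlyContinue
$mdmTasks | Get-ScheduledTaskInfo |
    Select-Object TaskName, LastRunTime, LastTaskResult, NextRunTime |
    Sort-Object LastRunTime -Descending |
    Tee-Object -FilePath "$out\mdm-tasks.txt" | Format-Table -AutoSize

# 3. Recent errors from the MDM client (Level 2 = Error) over the last three days.
Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        Level     = 2
        StartTime = (Get-Date).AddDays(-3)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Export-Csv -Path "$out\mdm-errors.csv" -NoTypeInformation

# 4. Force a sync (PushLaunch is the task the "Sync" button triggers), then
#    collect the diagnostic CAB that Microsoft support and the Intune team expect.
$pushTask = $mdmTasks | Where-Object TaskName -eq 'PushLaunch'
if ($pushTask) { $pushTask | Start-ScheduledTask }
Start-Sleep -Seconds 30
MdmDiagnosticsTool.exe -area 'DeviceEnrollment;DeviceProvisioning' -cab "$out\mdm.cab"

Write-Output "Diagnostics written to $out"
```

If step 1 shows no MdmUrl the device is registered but its MDM enrollment is gone, which is the case where re-enrolling (option D) is the fix; if the tasks ran recently with result 0 but errors appear in step 3, the device is talking to the service and the problem is in policy processing, which the CAB from step 4 will show.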

727
Multi-Selecthard

You are planning the deployment of Microsoft 365 Apps for enterprise to Windows 10 devices. You need to minimize network bandwidth during installation. Which THREE actions should you take?

Select 3 answers
A.Use the Office Deployment Tool with a local source
B.Configure BranchCache
C.Enable peer caching for Office 365 Content
D.Download the full installation files from the internet
E.Use express updates for Office
AnswersA, C, E

Installs from local share instead of internet.

Why this answer

Options A, C and E are correct because they reduce the traffic that crosses the internet link: a local ODT source serves the installation files from a share, peer caching for Office 365 content lets clients obtain content from each other, and express updates deliver deltas rather than full builds. Option D is wrong because pulling the full installation files from the internet on every device maximizes bandwidth use. Option B is not among the keyed answers, although BranchCache also reduces WAN usage in Configuration Manager environments.

728
MCQmedium

Refer to the exhibit. The JSON shows a managed device's properties retrieved from Microsoft Graph. The device's complianceState is 'noncompliant'. Which step should you take next to investigate why the device is noncompliant?

A.Verify the last sync time to ensure the device is communicating.
B.Query the device's compliance policy status via Graph API or Intune console.
C.Check if the device is properly enrolled by verifying azureADRegistered.
D.Check if the device is jailbroken or rooted.
AnswerB

The compliance policy details will reveal the failing policy.

Why this answer

Option B is correct because the compliance policy states for the device show which policy, and which setting within it, is failing. Option A is incorrect because the exhibit's last sync time is recent, so communication is not the problem. Option C is incorrect because the device is already enrolled.

Option D is incorrect because jailbreak and root detection do not apply to a Windows device.
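Added example (not code from the original page): the drill-down behind option B using Microsoft Graph from PowerShell. It first checks lastSyncDateTime so a stale evaluation is not mistaken for a current failure, then lists each compliance policy state that is not 'compliant' together with the per-setting states returned inline with it. The device ID is a placeholder and the 24-hour staleness threshold is a judgement call; the endpoints and property names are the documented managedDevice and deviceCompliancePolicyState ones.

```powershell
# Added example, not from the original page. Requires the Microsoft.Graph.Authentication
# module and a sign-in with DeviceManagementManagedDevices.Read.All.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All'

function Get-DeviceComplianceFailures {
    param(
        [Parameter(Mandatory)][string]$ManagedDeviceId,
        [int]$StaleAfterHours = 24           # assumption: older syncs are treated as stale
    )
    $base = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices/$ManagedDeviceId"

    # Step 1: a device that has not synced since the policy changed reports whatever
    # it last evaluated, so flag that before reading the per-policy results.
    $dev = Invoke-MgGraphRequest -Method GET `
        -Uri ($base + '?$select=deviceName,complianceState,lastSyncDateTime')
    $age = (Get-Date) - [datetime]$dev.lastSyncDateTime
    if ($age.TotalHours -gt $StaleAfterHours) {
        Write-Warning ("{0} last synced {1}h ago; compliance result may be stale" -f
            $dev.deviceName, [int]$age.TotalHours)
    }

    # Step 2: one deviceCompliancePolicyState per assigned policy; each carries
    # settingStates naming the individual checks and their outcome.
    $states = (Invoke-MgGraphRequest -Method GET -Uri "$base/deviceCompliancePolicyStates").value
    foreach ($p in $states | Where-Object { $_.state -ne 'compliant' }) {
        foreach ($s in $p.settingStates | Where-Object { $_.state -ne 'compliant' }) {
            [pscustomobject]@{
                Device    = $dev.deviceName
                Policy    = $p.displayName
                Setting   = $s.setting        # e.g. Windows10CompliancePolicy.BitLockerEnabled
                State     = $s.state          # nonCompliant, error, conflict, notApplicable, ...
                ErrorCode = $s.errorCode
                LastSync  = $dev.lastSyncDateTime
            }
        }
    }
}

# Placeholder ID; substitute the managedDevice id from the exhibit.
Get-DeviceComplianceFailures -ManagedDeviceId '00000000-0000-0000-0000-000000000000' |
    Format-Table -AutoSize
```

A state of 'error' or 'conflict' rather than 'nonCompliant' points at the policy itself (two policies disagreeing, or a setting the platform cannot evaluate) instead of at the device, which changes who needs to fix it. The per-setting report in the Intune console shows the same data if Graph access is not available.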

729
MCQeasy

You are investigating a malware incident on a Windows 10 device managed by Microsoft Intune and protected by Microsoft Defender for Endpoint. Which log should you analyze to determine the initial infection vector?

A.Microsoft Sysinternals Process Monitor logs.
B.Microsoft Intune compliance reports.
C.Windows Event Viewer logs on the device.
D.Microsoft Defender XDR incident investigation timeline.
AnswerD

The timeline shows the initial infection vector and related events.

Why this answer

Option D is correct because the Defender XDR incident view correlates the device's alerts into an attack timeline that shows the initial access vector and the related events. Option A is wrong because Process Monitor captures live activity only while it is running and is not integrated with Defender detections. Option B is wrong because Intune compliance reports contain no threat data.

Option C is wrong because the local Event Viewer lacks the cross-device correlation and detection context that Defender provides, although it remains useful for confirming specific details during forensics.

730
MCQhard

An organization has deployed Microsoft Entra Connect Sync to synchronize on-premises Active Directory to Microsoft Entra ID. Users report that some cloud-only user accounts cannot be assigned licenses. The admin checks the provisioning logs and finds that the cloud accounts have a source of authority of 'Microsoft Entra ID'. What is the most likely cause?

A.The accounts have the 'cloudOnly' attribute set to true, which blocks license assignment.
B.The accounts have no proxyAddresses, so licensing fails.
C.The accounts are missing the 'UsageLocation' attribute, which is required for license assignment.
D.The users are not synchronized because the sync schedule is set to manual.
AnswerC

UsageLocation must be set before assigning licenses.

Why this answer

The most likely cause is that the cloud-only user accounts are missing the 'UsageLocation' attribute. In Microsoft Entra ID, a UsageLocation (a two-letter ISO country code) must be set before licenses can be assigned to any user, including cloud-only accounts, because license availability varies by country. Without this attribute, license assignment fails with the message 'License cannot be assigned to a user without a usage location specified', regardless of the user's source of authority.

Exam trap

The trap here is that candidates may assume license assignment failures are due to synchronization issues or missing proxyAddresses, but the real requirement is the UsageLocation attribute, which is often overlooked in cloud-only user provisioning.

How to eliminate wrong answers

Option A is wrong because there is no 'cloudOnly' attribute in Microsoft Entra ID; the source of authority is reflected by the onPremisesSyncEnabled property (dirSyncEnabled in the older MSOnline module), which is null or false for cloud-only accounts and does not block license assignment. Option B is wrong because proxyAddresses are not required for license assignment; they are used for email routing and recipient resolution, not licensing. Option D is wrong because the question states the accounts are cloud-only, not synchronized from on-premises, so the sync schedule is irrelevant to these users. For synced users, by contrast, UsageLocation must be set on-premises (the msExchUsageLocation attribute flows to usageLocation) because the cloud value is not writable for them.
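A pre-flight check and the remediation for the UsageLocation problem, as an added example that is not part of the exam page: Test-LicenseReady runs offline on the constructed users below, while Set-UsageLocationAndLicense is the live fix and assumes the Microsoft.Graph module with Connect-MgGraph -Scopes User.ReadWrite.All,Organization.Read.All. The country code 'US' and the SKU part number are assumptions; list your tenant's real SKUs with Get-MgSubscribedSku.

```powershell
# Added example (not from the exam page): find users that will fail license assignment
# because usageLocation is empty, then set the location and assign the license.

function Test-LicenseReady {
    param([Parameter(Mandatory)] [object[]] $Users)
    foreach ($u in $Users) {
        $reason = $null
        if ([string]::IsNullOrWhiteSpace($u.usageLocation)) { $reason = 'usageLocation not set' }
        elseif ($u.accountEnabled -eq $false)               { $reason = 'account disabled' }
        [pscustomobject]@{
            UserPrincipalName = $u.userPrincipalName
            Synced            = [bool]$u.onPremisesSyncEnabled   # true: fix msExchUsageLocation on-prem, not in the cloud
            Ready             = -not $reason
            Reason            = $reason
        }
    }
}

function Set-UsageLocationAndLicense {
    # Live path: requires Connect-MgGraph -Scopes User.ReadWrite.All,Organization.Read.All
    param(
        [Parameter(Mandatory)] [string] $UserId,
        [Parameter(Mandatory)] [string] $SkuPartNumber,
        [ValidatePattern('^[A-Z]{2}$')] [string] $UsageLocation = 'US'   # assumption: ISO 3166 code
    )
    Update-MgUser -UserId $UserId -UsageLocation $UsageLocation
    $sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq $SkuPartNumber
    if (-not $sku) { throw "SKU $SkuPartNumber not found in this tenant" }
    Set-MgUserLicense -UserId $UserId -AddLicenses @(@{ SkuId = $sku.SkuId }) -RemoveLicenses @()
}

# Constructed sample: two cloud-only users and one synced user
$users = @(
    [pscustomobject]@{ userPrincipalName = 'alice@contoso.example'; usageLocation = $null; accountEnabled = $true; onPremisesSyncEnabled = $null }
    [pscustomobject]@{ userPrincipalName = 'bob@contoso.example';   usageLocation = 'US';  accountEnabled = $true; onPremisesSyncEnabled = $null }
    [pscustomobject]@{ userPrincipalName = 'carol@contoso.example'; usageLocation = '';    accountEnabled = $true; onPremisesSyncEnabled = $true }
)
Test-LicenseReady -Users $users | Format-Table -AutoSize

# Live equivalent (SKU part number is an assumption):
# $all = Get-MgUser -All -Property userPrincipalName,usageLocation,accountEnabled,onPremisesSyncEnabled,id
# Test-LicenseReady -Users $all | Where-Object { -not $_.Ready -and -not $_.Synced }
# Set-UsageLocationAndLicense -UserId '<user id>' -SkuPartNumber 'SPE_E3'
```

On the sample, alice and carol are reported as not ready; carol is also flagged as synced, which is the case where the cloud-side Update-MgUser would be rejected and the fix belongs in on-premises Active Directory.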

731
MCQmedium

A hospital uses Intune to manage Windows 10 devices used by doctors. The devices should automatically install critical updates from Windows Update for Business. Which type of policy should the administrator create?

A.Device compliance policy
B.App protection policy
C.Update rings for Windows 10
D.Device configuration profile (Update settings)
AnswerC

Update rings configure Windows Update for Business settings, including automatic installation.

Why this answer

The correct answer is an update ring (Devices > Windows > Update rings for Windows 10 and later). Option A is incorrect because compliance policies evaluate device state and do not manage updates. Option B is incorrect because app protection policies are for mobile application management, not Windows servicing. Option D is incorrect because, although a device configuration profile (Settings catalog or custom OMA-URI) can set the same Windows Update for Business policies, update rings are the supported and recommended method and give you deferral, deadline, and pause controls in one place.

732
MCQmedium

An administrator deploys an iOS app as 'Required' to a group of devices using Intune. The app fails to install on some devices with error '0x87D13B9F'. What is the most likely cause?

A.The devices have insufficient storage space
B.The app is not compatible with the iOS version on those devices
C.The app is not signed with an Apple Enterprise Developer certificate
D.The devices are not supervised
AnswerD

Required app deployment on iOS requires the device to be in supervised mode.

Why this answer

Error 0x87D13B9F in Intune is attributed here to the device not being supervised. On iOS/iPadOS, an app pushed as 'Required' installs silently only on supervised devices; on an unsupervised device, iOS prompts the user to allow the installation, and if the prompt is dismissed or declined the deployment fails. Supervision is set at activation time (Apple Business Manager with Automated Device Enrollment, or Apple Configurator), so a device that was enrolled unsupervised cannot be switched without a reset.

Exam trap

The trap here is that candidates often confuse generic installation failures (like storage or compatibility) with the specific supervised-mode requirement, because the error code is not immediately intuitive and many assume 'Required' apps can install on any device.

How to eliminate wrong answers

Option A is wrong because insufficient storage space typically generates a different error (e.g., 0x87D13B9E or a generic installation failure), not 0x87D13B9F. Option B is wrong because iOS version incompatibility usually results in error 0x87D13B9C or a 'not supported' message, not this specific code. Option C is wrong because the app signing certificate (Enterprise vs. App Store) is unrelated to this error; Intune can deploy both types, and signing issues produce errors like 0x87D13B9A or 'invalid profile'.

733
Multi-Selecthard

Which TWO of the following are required to configure Windows Hello for Business using Microsoft Intune?

Select 2 answers
A.Company Portal app installed
B.A Trusted Platform Module (TPM) chip on the device
C.Azure AD Premium P1 licenses
D.Certificate-based authentication
E.A key trust model configured in Intune
AnswersB, E

TPM is required for hardware key protection.

Why this answer

A TPM and a trust model are required. Option B is correct because Windows Hello for Business keeps its private key in the TPM; Intune's Windows Hello for Business settings include 'Use a Trusted Platform Module (TPM)', and when it is set to Required, provisioning fails on devices without one (set to Preferred, the key falls back to software protection, which is weaker). Option E is correct because a trust model (key trust here) must be chosen for the deployment. Option C is incorrect because Microsoft Entra ID P1 is not required for Windows Hello for Business. Option D is incorrect because certificate-based authentication is the alternative certificate trust model, not a requirement. Option A is incorrect because the Company Portal app is not needed to configure Windows Hello for Business; the policy is delivered through MDM enrollment.

734
Drag & Dropmedium

Order the steps to configure Windows Defender Antivirus exclusions via Group Policy.


Why this order

Open the Group Policy Management Console (gpmc.msc), edit (or create and link) the GPO for the target computers, navigate to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Exclusions, configure the path, extension or process exclusions, then run gpupdate /force on a test device and confirm the effective values with Get-MpPreference (ExclusionPath, ExclusionExtension, ExclusionProcess). Keep exclusions as narrow as possible: every excluded path or process is a place where malware is not scanned, and attackers look for broad exclusions such as an entire drive or a user-writable folder.

735
Multi-Selectmedium

Your organization uses Microsoft Intune to manage devices. You need to deploy a line-of-business (LOB) app to iOS devices. Which TWO conditions must be met?

Select 2 answers
A.The iOS devices must have the distribution profile installed.
B.The app must be packaged as an .appx file.
C.The app must be signed with an Apple Enterprise Developer certificate.
D.The app must be assigned to devices only, not users.
E.The app must be distributed via the Apple App Store.
AnswersA, C

The distribution profile trusts the enterprise developer.

Why this answer

Options A and C are correct. An iOS line-of-business app is built and signed outside the App Store with an Apple Enterprise Developer (in-house distribution) certificate (C), and the device needs the matching provisioning (distribution) profile, which Intune installs with the app, so that iOS trusts that developer (A). Option B is wrong because the iOS package is an .ipa; .appx is a Windows format. Option D is wrong because the app can be assigned to user or device groups. Option E is wrong because an LOB app is uploaded to Intune and delivered by MDM, not distributed through the Apple App Store. Caveat: the enterprise certificate and provisioning profile expire (typically yearly); when they lapse the app stops launching, so track the expiration date Intune records for the app.

736
MCQeasy

You have the above JSON policy assigned to a Windows 10 device. A user reports that they are unable to set a password that meets the policy. Which additional setting is required for the password to be accepted?

A.Increase passwordMinimumLength to 10.
B.Set passwordExpirationDays to 0 to never expire.
C.Ensure the password includes characters from at least 3 character sets.
D.Set passwordRequiredType to 'alphanumeric' (it is already set).
AnswerC

The policy requires 3 character sets.

Why this answer

Option C is correct because passwordMinimumCharacterSetCount is 3, so the password must draw from at least three of the four character classes (uppercase, lowercase, digits, symbols); a password that satisfies the length and 'alphanumeric' rules with only two classes (for example, all-lowercase letters plus digits) is still rejected. Option A is incorrect because the minimum length of 8 is already set and is not what is blocking the user. Option B is incorrect because passwordExpirationDays governs how long a password stays valid, not whether a new one is accepted. Option D is incorrect because passwordRequiredType is already 'alphanumeric', so changing it adds nothing.

737
MCQmedium

Refer to the exhibit. A user attempts to sign in to Microsoft Graph PowerShell and receives the error shown. What is the most likely cause?

A.The user is not registered for MFA.
B.The user does not have an appropriate Microsoft Entra ID license assigned.
C.The device is not registered in Microsoft Entra ID.
D.The sign-in was blocked by a Conditional Access policy.
AnswerB

The error in the exhibit is read as a missing-license error (note that AADSTS50058 itself is not one; see the caveat below).

Why this answer

The answer key treats the error in the exhibit as a licensing failure: the user is refused because the directory feature they are trying to use is not licensed for them, so assigning the right license is the fix. Be precise about what is licensed, though: signing in to Microsoft Graph PowerShell (Connect-MgGraph) does not itself require a Microsoft Entra ID P1 or P2 license, and an unlicensed user can authenticate and call unlicensed APIs. A licensing error appears only when the call touches a licensed feature (for example, Identity Protection or Conditional Access administration), and the error text then names the missing license.

Exam trap

Microsoft often tests the misconception that MFA registration or device compliance is the root cause of Graph PowerShell sign-in failures; in this question the exhibit points at licensing, so the fix is in the user's license assignment, not in authentication methods or device state.

How to eliminate wrong answers

Option A is wrong because the error message does not mention multi-factor authentication (MFA) registration; MFA registration errors prompt for additional verification or show a specific MFA-related error code. Option C is wrong because device registration in Microsoft Entra ID is not a prerequisite for signing in to Microsoft Graph PowerShell; the user can authenticate from any device as long as they have the correct credentials and Conditional Access allows it. Option D is wrong because Conditional Access blocks display a distinct error (AADSTS53000-series codes and a 'blocked by Conditional Access' notice referencing the policy), not a license-related error.

Caveat on the error code: AADSTS50058 (UserInformationNotProvided) is a sign-in error, not a licensing error. It means a silent (SSO) sign-in attempt could not identify the user and an interactive sign-in is required; with Graph PowerShell the remedy is to run Connect-MgGraph interactively (after Disconnect-MgGraph to clear a cached token). If the exhibit shows 50058, licensing is not the cause; read the exact error text rather than matching on the code alone.

738
MCQhard

During Windows Autopilot deployment, devices fail to enroll in Intune with error code 0x80180014. You confirm the device is registered in Autopilot and has internet connectivity. What is the most likely cause?

A.Enrollment restrictions are blocking personal devices.
B.The device is not registered in Autopilot.
C.The user account lacks an Intune license.
D.TPM attestation failed due to hardware incompatibility.
AnswerC

A user-driven Autopilot enrollment fails when the signing-in user has no Intune license.

Why this answer

Option C is correct because in user-driven mode the device is enrolled on behalf of the user who signs in during OOBE, and Intune refuses the enrollment when that user has no Intune license, even though the device itself is registered and reachable. Option A is wrong because nothing in the scenario describes a personal-device restriction, and an Autopilot-registered device is treated as corporate-owned. Option B is wrong because you confirmed the device is registered in Autopilot. Option D is wrong because TPM attestation is required only for self-deploying and pre-provisioning modes, and an attestation failure stops the deployment before enrollment rather than producing an MDM enrollment error.

Caveat: enrollment error codes in the 0x8018xxxx range map to named MENROLL_E_* conditions, and they are easy to confuse from memory. In a real deployment, look the code up in Microsoft's MDM enrollment error reference and check the Intune enrollment failures report (Devices > Monitor), which names the user and the reason (missing license, enrollment restriction, device limit reached) before you start assigning licenses.

739
MCQmedium

A company uses Microsoft Intune to manage Windows 11 devices. Users report that the Company Portal app is not showing required applications. You verify that the devices show as 'Compliant' in Microsoft Intune. Which configuration should you check first?

A.Check the Microsoft Entra ID (Azure AD) configuration for the device.
B.Check the Windows Update for Business ring assignments.
C.Check the device compliance policy settings.
D.Check the application assignments in Intune.
AnswerD

If the user or device is not assigned to the application, it will not appear in Company Portal.

Why this answer

Option D is correct because the most common reason applications are missing from Company Portal is that they have not been assigned to a group containing the user or device. Even when the device is compliant, Company Portal lists only apps assigned with an 'Available' intent to the user or device; apps assigned as 'Required' are installed silently in the background and appear in Company Portal only after installation. Checking the app's assignments and the user's or device's group membership first directly addresses the symptom without assuming other configurations are wrong.

Exam trap

The trap here is that candidates often assume compliance policy issues cause application visibility problems, but Intune separates compliance evaluation from application assignment; a compliant device can still miss apps if the assignments are misconfigured.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID (Azure AD) configuration primarily controls authentication, device registration, and conditional access, not the visibility of assigned applications in Company Portal. Option B is wrong because Windows Update for Business ring assignments control update deferral and delivery optimization, not application deployment or visibility. Option C is wrong because the device is already marked as 'Compliant', so compliance policy settings are not the cause; compliance policies affect conditional access and device health, not the display of assigned applications.

740
MCQmedium

Refer to the exhibit. You have applied this compliance policy to a Windows 10 device running build 10.0.19044. The device meets all requirements except that the firewall is disabled. What will be the compliance status of the device?

A.Compliant, because the OS version is within the allowed range.
B.Non-compliant, because the firewall is disabled.
C.Compliant, because the policy includes a grace period for firewall.
D.Non-compliant, because the OS version is not within the allowed range.
AnswerB

Active firewall is required; disabling it makes the device non-compliant.

Why this answer

The policy requires activeFirewallRequired to be true. Since the firewall is disabled, the device is non-compliant. Even though other requirements are met, non-compliance in one area makes the device non-compliant.

Option A is incorrect because meeting the OS version range does not offset a failed firewall rule; every rule in the policy must pass. Option C is incorrect because this policy contains no grace period; a grace period exists only when the policy's actions for noncompliance are configured to delay marking the device noncompliant, and even then the device reports as 'in grace period', not 'compliant'. Option D is incorrect because build 10.0.19044 is within the policy's allowed range.

741
MCQhard

Your organization manages Android Enterprise personally-owned work profile devices with Microsoft Intune. You need to deploy a managed Google Play app to these devices. The app is already approved in managed Google Play and added to Intune. When you assign the app as 'Required' to a user group, some users report that the app is not installed on their devices, and they do not see it in the work profile. You verify that the devices are enrolled and checked in with Intune. The app is listed as 'Pending' in the Intune console for those devices. What is the most likely cause?

A.The app is not approved in managed Google Play for the organization.
B.The devices do not have a VPN profile configured.
C.The users do not have an app protection policy assigned.
D.The managed Google Play Store app is disabled on the devices.
AnswerD

If disabled, apps cannot be installed in the work profile.

Why this answer

Option D is correct because in a work profile, the managed Google Play Store app must be present and active; if it is disabled, apps cannot be installed. Option A is wrong because the app is already approved. Option B is wrong because VPN is not required.

Option C is wrong because there is no app protection policy requirement for installation.

742
Multi-Selecthard

You are configuring Windows Information Protection (WIP) in Microsoft Intune. You want to protect corporate data from being accidentally shared to personal locations while still allowing the user to work productively. Which THREE settings should you configure?

Select 3 answers
A.Configure a device configuration profile to enable WIP.
B.Set the 'Share over' data transfer policy to 'Block'.
C.Define network boundaries (corporate IP ranges, DNS suffixes).
D.Configure the data recovery agent certificate.
E.Add protected apps that are allowed to access corporate data.
AnswersC, D, E

Network boundaries help identify corporate data.

Why this answer

Options C, D, and E are correct. Network boundaries (corporate IP ranges, DNS suffixes, cloud resources) define what WIP treats as corporate data (C). The data recovery agent (DRA) certificate ensures data encrypted by WIP can still be recovered after the user's account is removed or the device is reset (D). Protected apps are the allowlisted apps permitted to open corporate data (E). Option A is wrong because WIP is configured as an app protection policy for the Windows 10 and later platform, not as a device configuration profile. Option B is wrong because 'Share over' is not a WIP setting; the relevant control is the Windows Information Protection mode (Block, Allow overrides, Silent, Off).

Caveat: Microsoft announced in July 2022 that Windows Information Protection is being sunset and recommends Microsoft Purview Information Protection and Data Loss Prevention instead, so treat WIP as an exam topic rather than a design choice for new deployments.

743
MCQeasy

Refer to the exhibit. You are configuring a Windows Autopilot profile. The profile specifies enrollmentType as 'azureAdJoined'. Which scenario does this profile support?

A.Self-deploying mode where no user interaction is required.
B.User-driven deployment with Microsoft Entra ID join.
C.Hybrid Microsoft Entra ID join with on-premises domain controller.
D.On-premises Active Directory domain join only.
AnswerB

User-driven Entra ID join is the standard scenario.

Why this answer

Option B is correct because the enrollmentType 'azureAdJoined' in a Windows Autopilot profile specifically configures a user-driven deployment that joins the device to Microsoft Entra ID (formerly Azure AD). In this mode, the end user provides their Microsoft Entra ID credentials during the out-of-box experience (OOBE), and the device is registered as a Microsoft Entra ID joined device, enabling single sign-on and compliance policies without requiring on-premises infrastructure.

Exam trap

The trap here is that candidates confuse 'azureAdJoined' with self-deploying mode (option A) because both end with a Microsoft Entra joined device. The differentiator is the deployment mode set in the profile: self-deploying mode is chosen explicitly, requires a TPM 2.0 that can perform device attestation, and completes without any user signing in, which suits kiosks and shared devices, not user-driven scenarios.

How to eliminate wrong answers

Option A is wrong because self-deploying mode is a separate deployment mode in the Autopilot profile with its own requirements (TPM 2.0 attestation, no user credentials); an enrollmentType of 'azureAdJoined' alone does not imply it. Option C is wrong because hybrid Microsoft Entra join uses a profile whose join type is hybrid, needs the Intune Connector for Active Directory on a domain-joined server and line of sight to a domain controller during OOBE, and is not what 'azureAdJoined' configures. Option D is wrong because Windows Autopilot cannot join a device to on-premises Active Directory alone; its only join types are Microsoft Entra joined and hybrid Microsoft Entra joined, and 'azureAdJoined' targets the cloud-only join.

744
MCQmedium

Your organization plans to deploy Windows 11 devices using Windows Autopilot. You need to ensure that each device is automatically enrolled in Intune and receives a custom configuration profile during the out-of-box experience (OOBE). Which two components are required?

A.A device configuration profile assigned to the device
B.A Microsoft Defender for Endpoint policy
C.An Autopilot deployment profile
D.A compliance policy
E.Windows Autopilot hardware hash
AnswerA, C

This applies settings during or after enrollment.

Why this answer

A device configuration profile assigned to the device is required because it defines the custom settings (e.g., security baselines, app restrictions, or network configurations) that must be applied during the out-of-box experience. Without this profile, the device would enroll in Intune but would not receive the specific custom configuration needed for the organization's compliance and operational requirements.

Exam trap

The trap here is that candidates often confuse the Autopilot deployment profile (which handles enrollment and OOBE branding) with the device configuration profile (which applies settings), and they may incorrectly select the hardware hash as a required component instead of the device configuration profile.

How to eliminate wrong answers

Option B is wrong because a Microsoft Defender for Endpoint policy is a security workload that protects devices post-enrollment, but it is not required for automatic enrollment or applying a custom configuration profile during OOBE. Option D is wrong because a compliance policy evaluates device settings after enrollment to enforce compliance, but it does not trigger enrollment or deliver a custom configuration profile during OOBE. Option E is wrong because the Windows Autopilot hardware hash is used to register a device with the Autopilot service and identify it, but it is not a component that directly enables automatic enrollment or profile delivery; the Autopilot deployment profile and device configuration profile are the two required components.

745
MCQmedium

Your organization uses Microsoft Intune to manage iOS devices. You need to prevent users from removing the Intune Company Portal app from their devices. Which setting should you configure?

A.Block app removal in device restrictions
B.Block screen capture
C.Require PIN for app store purchases
D.Block jailbroken devices
AnswerA

Blocking app removal prevents users from uninstalling the Company Portal.

Why this answer

Option A is correct because the iOS/iPadOS device restriction 'Block app removal' stops users from deleting apps, including the Company Portal. Note that, like most restrictions that change what the user can do with the home screen, this one applies only to supervised devices. Option B is wrong because blocking screen capture is unrelated to app removal. Option C is wrong because a PIN requirement for purchases affects the App Store, not uninstalling apps. Option D is wrong because blocking jailbroken devices is a compliance rule and does not prevent app removal.

746
MCQhard

You have deployed the compliance policy shown in the exhibit. A Windows 10 device reports as non-compliant. The device has Windows 10 version 21H2 (build 19044.1288), password is set with 8 characters and includes numbers only, firewall is active, Defender is enabled, and BitLocker is on. Which setting is causing non-compliance?

A.passwordMinimumLength
B.passwordRequiredType
C.osMinimumVersion
D.activeFirewallRequired
AnswerB

The password is numbers only, not alphanumeric.

Why this answer

Option B is correct because the policy requires an 'alphanumeric' password (letters and numbers) and the device's 8-character password contains numbers only. Option A is wrong because the 8-character password meets the minimum length of 8. Option C is wrong because build 10.0.19044.1288 is within the policy's allowed range (10.0.19042.0 to 10.0.19045.999). Option D is wrong because the firewall is active.
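The evaluation behind questions 736, 740 and 746, as an added example that is not part of the exam page: a local check of a device report against a Windows compliance policy that names the failing settings. Property names follow the Graph windows10CompliancePolicy resource; the policy values and device reports are constructed to mirror the exhibits the questions describe. Real devices never report the password itself, only whether it meets policy, so passwordSample is a stand-in for the password the user is trying to set.

```powershell
# Added example (not from the exam page): evaluate a constructed device report against a
# Windows compliance policy and list the settings that fail.

function Get-PasswordCharacterSetCount {
    param([Parameter(Mandatory)] [string] $Password)
    # Intune counts four classes: uppercase, lowercase, digits, symbols
    $count = 0
    if ($Password -cmatch '[A-Z]')       { $count++ }
    if ($Password -cmatch '[a-z]')       { $count++ }
    if ($Password -match '\d')           { $count++ }
    if ($Password -match '[^A-Za-z0-9]') { $count++ }
    return $count
}

function Test-Win10Compliance {
    param(
        [Parameter(Mandatory)] [object] $Policy,
        [Parameter(Mandatory)] [object] $Device
    )
    $failures = [System.Collections.Generic.List[string]]::new()
    $ver = [version] $Device.osVersion
    if ($Policy.osMinimumVersion -and $ver -lt [version] $Policy.osMinimumVersion) { $failures.Add('osMinimumVersion') }
    if ($Policy.osMaximumVersion -and $ver -gt [version] $Policy.osMaximumVersion) { $failures.Add('osMaximumVersion') }
    if ($Policy.passwordRequired) {
        $pw = [string] $Device.passwordSample
        if ($pw.Length -lt $Policy.passwordMinimumLength) { $failures.Add('passwordMinimumLength') }
        # 'alphanumeric' needs at least one letter and one digit
        if ($Policy.passwordRequiredType -eq 'alphanumeric' -and -not ($pw -match '[A-Za-z]' -and $pw -match '\d')) {
            $failures.Add('passwordRequiredType')
        }
        if ($Policy.passwordMinimumCharacterSetCount -and
            (Get-PasswordCharacterSetCount -Password $pw) -lt $Policy.passwordMinimumCharacterSetCount) {
            $failures.Add('passwordMinimumCharacterSetCount')
        }
    }
    if ($Policy.activeFirewallRequired -and -not $Device.firewallActive)   { $failures.Add('activeFirewallRequired') }
    if ($Policy.defenderEnabled        -and -not $Device.defenderEnabled)  { $failures.Add('defenderEnabled') }
    if ($Policy.bitLockerEnabled       -and -not $Device.bitLockerEnabled) { $failures.Add('bitLockerEnabled') }
    # One failing setting is enough to mark the whole device noncompliant
    $state = if ($failures.Count -eq 0) { 'compliant' } else { 'noncompliant' }
    [pscustomobject]@{ DeviceName = $Device.deviceName; ComplianceState = $state; FailingSettings = $failures.ToArray() }
}

# Constructed policy combining the rules the three questions describe
$policy = [pscustomobject]@{
    osMinimumVersion = '10.0.19042.0'; osMaximumVersion = '10.0.19045.999'
    passwordRequired = $true; passwordMinimumLength = 8; passwordRequiredType = 'alphanumeric'
    passwordMinimumCharacterSetCount = 3
    activeFirewallRequired = $true; defenderEnabled = $true; bitLockerEnabled = $true
}
$devices = @(
    # question 740: everything met except the firewall
    [pscustomobject]@{ deviceName = 'WS-740'; osVersion = '10.0.19044.1288'; passwordSample = 'Summer2024'
                       firewallActive = $false; defenderEnabled = $true; bitLockerEnabled = $true }
    # question 746: numeric-only password of the right length
    [pscustomobject]@{ deviceName = 'WS-746'; osVersion = '10.0.19044.1288'; passwordSample = '12345678'
                       firewallActive = $true;  defenderEnabled = $true; bitLockerEnabled = $true }
)
$devices | ForEach-Object { Test-Win10Compliance -Policy $policy -Device $_ } | Format-Table -AutoSize
```

WS-740 comes back noncompliant with activeFirewallRequired as its only failing setting, which is the question 740 outcome. WS-746 fails passwordRequiredType and, because the constructed policy also carries the question 736 rule, passwordMinimumCharacterSetCount: eight digits satisfy the length rule but contribute only one character class. Version comparison uses [version] rather than string comparison, which matters once build numbers have different digit counts.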

747
MCQmedium

Refer to the exhibit. A Microsoft Graph PowerShell cmdlet retrieves devices. What is the purpose of this query?

A.To find Windows devices that are compliant
B.To find Windows devices with an operating system version earlier than 2025
C.To find Windows devices enrolled before January 1, 2025
D.To find Windows devices that have not synced since before January 1, 2025
AnswerD

The filter checks lastSyncDateTime less than 2025-01-01.

Why this answer

Option D is correct. The filter selects Windows devices whose lastSyncDateTime is before January 1, 2025, which is how you find devices that have stopped checking in: they still carry a compliance state, but it reflects a point in time, and Conditional Access decisions based on it are stale. Option A is wrong because the filter does not test complianceState. Option B is wrong because it filters on last sync, not osVersion. Option C is wrong because it does not test enrolledDateTime.
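The query from question 747 as you would run it in Microsoft Graph PowerShell, plus the same selection applied offline to a constructed device list, as an added example that is not part of the exam page. The live call assumes the Microsoft.Graph.DeviceManagement module and Connect-MgGraph -Scopes DeviceManagementManagedDevices.Read.All; the cutoff date and the sample devices are assumptions.

```powershell
# Added example (not from the exam page): stale Windows devices by lastSyncDateTime.

function Get-StaleWindowsDeviceFilter {
    param([Parameter(Mandatory)] [datetime] $Cutoff)
    # OData datetime literals are unquoted ISO 8601 in UTC; the operatingSystem string is quoted
    $iso = [datetime]::SpecifyKind($Cutoff, 'Utc').ToString('yyyy-MM-ddTHH:mm:ssZ')
    "operatingSystem eq 'Windows' and lastSyncDateTime lt $iso"
}

function Select-StaleWindowsDevice {
    param(
        [Parameter(Mandatory)] [object[]] $Devices,    # objects shaped like Graph managedDevice JSON
        [Parameter(Mandatory)] [datetime] $Cutoff      # treated as UTC
    )
    $cutoffUtc = [datetime]::SpecifyKind($Cutoff, 'Utc')
    $nowUtc    = (Get-Date).ToUniversalTime()
    foreach ($d in $Devices) {
        if ($d.operatingSystem -ne 'Windows') { continue }
        # Parse the Graph timestamp as UTC so the result does not depend on the admin's time zone
        $last = [datetime]::Parse($d.lastSyncDateTime, [cultureinfo]::InvariantCulture,
                                  [System.Globalization.DateTimeStyles]::AdjustToUniversal)
        if ($last -lt $cutoffUtc) {
            [pscustomobject]@{
                DeviceName      = $d.deviceName
                ComplianceState = $d.complianceState
                LastSync        = $last
                DaysSinceSync   = [int]($nowUtc - $last).TotalDays
            }
        }
    }
}

# Constructed sample: one stale Windows device, one current one, and an iPad that must be ignored
$sample = @(
    [pscustomobject]@{ deviceName = 'WS-OLD'; operatingSystem = 'Windows'; complianceState = 'noncompliant'; lastSyncDateTime = '2024-06-01T08:00:00Z' }
    [pscustomobject]@{ deviceName = 'WS-NEW'; operatingSystem = 'Windows'; complianceState = 'compliant';    lastSyncDateTime = '2025-03-01T08:00:00Z' }
    [pscustomobject]@{ deviceName = 'IPAD-1'; operatingSystem = 'iOS';     complianceState = 'compliant';    lastSyncDateTime = '2024-06-01T08:00:00Z' }
)
Select-StaleWindowsDevice -Devices $sample -Cutoff '2025-01-01' | Format-Table -AutoSize

# Live equivalent (cutoff is an assumption):
# Get-MgDeviceManagementManagedDevice -Filter (Get-StaleWindowsDeviceFilter -Cutoff '2025-01-01') -All |
#     Select-Object DeviceName, ComplianceState, LastSyncDateTime
```

Only WS-OLD is returned from the sample. A fixed calendar cutoff as in the exam question is fine for a one-off; for a recurring cleanup, pass (Get-Date).AddDays(-90) or similar so the report does not silently age.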

748
MCQhard

Your organization uses Microsoft Defender for Endpoint to manage device security. You need to ensure that all Windows devices are reporting security events to Microsoft Defender XDR. You have verified that the Microsoft Defender for Endpoint service is running on the devices. However, some devices show as 'inactive' in the Microsoft Defender XDR console. What is the most likely cause?

A.The device is not compliant with Intune compliance policies.
B.The device is not enrolled in Microsoft Intune.
C.The device does not have Microsoft Defender Antivirus enabled.
D.The Microsoft Defender for Endpoint sensor is not connected to the cloud service.
AnswerD

Inactive status typically indicates a communication issue between the sensor and the cloud.

Why this answer

The 'inactive' status in Microsoft Defender XDR indicates that the Defender for Endpoint sensor on the device has stopped reporting to the cloud service; the portal marks a device inactive once it has sent no sensor data for seven days. Even if the Sense service is running locally, the sensor must maintain an HTTPS connection (TLS 1.2 or higher) to the Defender for Endpoint cloud endpoints to send telemetry and receive policy, and a proxy or firewall that blocks those URLs, a device that has been offline, or a device that was offboarded all produce the same inactive state. The Microsoft Defender for Endpoint Client Analyzer checks the service state and the connectivity to those endpoints in one run.

Exam trap

The trap here is that candidates assume a running service equals full functionality, but the exam tests the distinction between the local service state and the cloud connectivity required for the sensor to report as 'active' in the console.

How to eliminate wrong answers

Option A is wrong because Intune compliance policies govern device configuration and access control, not the reporting status of Defender for Endpoint; a non-compliant device can still be active in Defender XDR. Option B is wrong because enrollment in Microsoft Intune is not a prerequisite for Defender for Endpoint; devices can be onboarded via Group Policy, local script, or other methods without Intune. Option C is wrong because Microsoft Defender Antivirus is a separate component; the Defender for Endpoint sensor can function and report events even if the antivirus is disabled or replaced by a third-party solution.

749
MCQhard

You are troubleshooting an app deployment issue. A Win32 app fails to install on some Windows 10 devices. The Intune management extension logs show error code 0x80070643. What is the most likely cause?

A.The app package is corrupted
B.The device does not meet the minimum OS version requirement
C.A pending reboot from a previous installation is blocking the install
D.The user does not have admin privileges
AnswerC

0x80070643 is ERROR_INSTALL_FAILURE ('Fatal error during installation'); a pending reboot is a common cause.

Why this answer

Error 0x80070643 is the Windows Installer result ERROR_INSTALL_FAILURE, a generic 'fatal error during installation' that the installer returns for many reasons; with Intune Win32 apps, a pending reboot left by an earlier installation is a frequent cause, so Option C is correct. Option A is wrong because a corrupted .intunewin package fails earlier, at download or content hash verification, with a download error rather than an installer exit code. Option B is wrong because an unmet requirement rule (such as minimum OS version) makes the app 'Not applicable' and the installer never runs. Option D is wrong because Win32 apps deployed in the system context install as SYSTEM regardless of the signed-in user's rights. To confirm the cause, read IntuneManagementExtension.log under C:\ProgramData\Microsoft\IntuneManagementExtension\Logs for the installer exit code, then the MSI log for the actual failure; configuring the app's return codes so that 3010 is treated as 'Soft reboot' and setting a restart grace period stops earlier installs from leaving devices in that state.
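A pending-reboot check of the kind you would use as a Win32 app requirement script, as an added example that is not part of the exam page, so the installer is not launched into the state that produces ERROR_INSTALL_FAILURE. It reads the three standard indicators Windows uses; the registry paths are the well-known ones and the 'Ready' output string is an assumption you match in the requirement rule.

```powershell
# Added example (not from the exam page): detect a pending reboot before a Win32 app installs.

function Get-PendingRebootReason {
    $reasons = [System.Collections.Generic.List[string]]::new()
    # Servicing stack (Windows updates, features) has staged changes that need a restart
    if (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending') {
        $reasons.Add('Component Based Servicing')
    }
    # Windows Update agent is waiting for a restart
    if (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') {
        $reasons.Add('Windows Update')
    }
    # An installer scheduled file replacements for the next boot (typical after an MSI upgrade)
    $sm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue
    if ($sm -and $sm.PendingFileRenameOperations) {
        $reasons.Add('PendingFileRenameOperations')
    }
    return $reasons.ToArray()
}

# Intune requirement-script convention: write one string to stdout and exit 0; the requirement
# rule (output data type String, operator Equals) then compares it with the expected value.
$pending = Get-PendingRebootReason
if ($pending.Count -gt 0) {
    Write-Output ('RebootPending: ' + ($pending -join ', '))
} else {
    Write-Output 'Ready'
}
exit 0
```

Add it to the app as a requirement rule of type script with the expected output 'Ready'; devices with a pending reboot then report the app as not applicable instead of failing with 0x80070643, and they pick it up on the next evaluation after they restart.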

750
Multi-Selecteasy

You are configuring a Microsoft Intune app configuration policy for a managed iOS app. Which THREE types of settings can you include in the policy?

Select 3 answers
A.Permissions such as location or camera
B.Configuration settings (key-value pairs)
C.Compliance rules for the app
D.Network requirements like VPN
E.Connection string for a backend service
AnswersA, B, E

Permissions can be configured in app config.

Why this answer

Options A, B, and E are correct. An app configuration policy for a managed app delivers configuration settings as key-value pairs (B), which is also how a backend connection string or service URL reaches the app (E), and, where the platform and the app expose them through app configuration, permission defaults (A). Option C is wrong because compliance rules belong to compliance policies. Option D is wrong because VPN and other network requirements are set in device configuration profiles (VPN profiles), not in app configuration. Caveat: Intune only transports the key-value pairs; which keys do anything depends on what the app vendor documents as configurable.
