Microsoft 365 Endpoint Administrator MD-102 (MD-102) — Questions 826–900

991 questions total · 14 pages · All types, answers revealed

Page 12 of 14

826
MCQ · hard

A user reports that a required app is not installed on their Windows 11 device managed by Intune. The app appears in the Microsoft Intune admin center with a status of 'Pending - Install Pending'. You verify that the device is online and has network connectivity. What is the most likely cause?

A. The Intune Management Extension has not synced with the service yet.
B. The user is not targeted with the app assignment.
C. The app is assigned as 'Available' instead of 'Required'.
D. The device is not compliant with conditional access policies.
Answer: A

The extension syncs every hour; pending status indicates the policy has not been received.

Why this answer

If the app is pending install, the Intune Management Extension may not have downloaded the policy yet. Option C is correct because the extension checks for new policies every hour. Option A is wrong because user not targeted would show 'Not applicable'.

Option B is wrong because app is already assigned as required. Option D is wrong because compliance does not affect app assignment.

827
MCQ · medium

You are troubleshooting a Windows 10 device that fails to install a required application from Microsoft Intune. The device shows the application as 'Enforced' but never installs. The application is a line-of-business (LOB) app. What should you check first?

A. Ensure the app is assigned to a device group using 'Required' intent.
B. Verify that the Intune Management Extension is installed on the device.
C. Check if the application package has a valid code signing certificate.
D. Check if the app is available in the Microsoft Store for Business.
Answer: C

LOB apps must be signed with a trusted certificate.

Why this answer

Option A is correct because LOB apps require a valid code signing certificate. Option B is incorrect because the Intune Management Extension handles Win32 apps, not LOB apps. Option C is incorrect because LOB apps do not require a specific distribution method.

Option D is incorrect because the app may not be in the catalog but can still be uploaded.

828
MCQ · hard

Your organization uses Microsoft Defender for Endpoint (MDE) and Microsoft Intune. You want to automatically remediate devices that are found to be missing critical security updates during a vulnerability assessment. What should you configure?

A. Assign a Windows Update for Business policy to all devices.
B. Create a compliance policy that marks devices as non-compliant if missing updates.
C. Configure automated investigation and remediation in Microsoft Defender for Endpoint.
D. Configure an endpoint security policy for Windows Defender Antivirus.
Answer: C

Automated remediation can trigger Intune to apply updates.

Why this answer

Microsoft Defender for Endpoint can integrate with Intune to remediate threats. Option D is correct because you can create an automated investigation and remediation policy in MDE that triggers a remediation action on Intune-managed devices. Option A is incorrect because compliance policies can mark non-compliant but not automatically update.

Option B is incorrect because update rings require manual assignment. Option C is incorrect because endpoint security policies do not automatically apply updates.

829
MCQ · medium

Your organization uses Microsoft Intune to manage Windows 10 devices. You need to ensure that devices that haven't checked in for 30 days are automatically retired. Which configuration should you implement?

A. Set up an automatic enrollment policy that retires devices after 30 days of inactivity.
B. Use the Intune device cleanup rules to automatically remove devices that haven't checked in for 30 days.
C. Configure a device compliance policy with a 'Mark device noncompliant' action after 30 days of no check-in and add an action for noncompliance to retire the device.
D. Create a device configuration profile with a 'Device Health' setting to require check-in within 30 days.
Answer: C

This directly enforces retirement after 30 days of inactivity.

Why this answer

Option C is correct because Intune's compliance policies can be configured to mark devices as noncompliant after a specified period of no check-in (e.g., 30 days), and then trigger an action for noncompliance—such as retiring the device. This ensures that devices that have not communicated with Intune within the defined timeframe are automatically removed from management, meeting the requirement.

Exam trap

The trap here is that candidates often confuse Intune device cleanup rules (which simply remove stale device records from the console) with compliance policy actions (which can actually retire the device and revoke company data), leading them to select Option B incorrectly.

How to eliminate wrong answers

Option A is wrong because automatic enrollment policies are used to enroll devices into Intune, not to retire them after inactivity; there is no 'retire after inactivity' setting in enrollment policies. Option B is wrong because Intune device cleanup rules remove devices from the Intune console after a specified number of days of no check-in, but they do not trigger a retire action—they simply delete the device record, which does not send a retire command to the device or revoke company data. Option D is wrong because device configuration profiles manage settings like security policies and compliance, but they do not include a 'Device Health' setting to require check-in within a certain number of days, nor do they have the ability to trigger a retire action based on check-in frequency.

830
MCQ · medium

Your organization uses Microsoft Intune to manage macOS devices. You need to deploy a company portal app that allows users to enroll their devices. Which app type should you use?

A. Built-in app
B. iOS and macOS store app
C. Web link
D. macOS LOB app
Answer: B

Company Portal for macOS is available in the Mac App Store.

Why this answer

For macOS, the Company Portal app is available as a Microsoft app from the macOS App Store. In Intune, you add it as an 'iOS and macOS store app' (Mac App Store). Option B is correct.

831
MCQ · hard

A company uses Microsoft Intune to manage Windows 10 devices. They have a compliance policy that requires BitLocker to be enabled. Some devices are marked as non-compliant even though BitLocker appears to be on. The administrator runs 'manage-bde -status' on a non-compliant device and sees that the protection status is 'Protection Off'. What is the most likely cause?

A. The BitLocker key protectors are missing or have been removed.
B. The TPM is not initialized.
C. The device has a recovery password protector but no TPM protector.
D. The device uses a different encryption method (e.g., XTS-AES 256 vs AES 128).
Answer: A

Without key protectors, BitLocker protection is suspended.

Why this answer

The compliance policy requires BitLocker to be enabled, but 'manage-bde -status' shows 'Protection Off'. This indicates that while the drive is encrypted, BitLocker is not actively protecting the data because the key protectors (such as the TPM protector) are missing or have been removed. Intune checks the protection status, not just encryption state, so when protectors are absent, the device is marked non-compliant.

Exam trap

The trap here is that candidates confuse 'encrypted' with 'protected'—BitLocker can encrypt a drive without active protection if key protectors are missing, and Intune compliance policies specifically require protection to be on, not just encryption to be present.

How to eliminate wrong answers

Option B is wrong because if the TPM were not initialized, BitLocker would typically fail to enable or would show a different status (e.g., 'TPM is not ready'), not 'Protection Off' on an already encrypted drive. Option C is wrong because having a recovery password protector without a TPM protector is a valid configuration (e.g., on devices without TPM) and would still show 'Protection On' if the protector is present and active. Option D is wrong because the encryption method (e.g., XTS-AES 256 vs AES 128) does not affect the protection status; it only determines the algorithm used for encryption, and Intune compliance policies do not check for encryption method mismatch.

832
MCQ · medium

A user reports that their Windows 11 device cannot access corporate resources after a recent update. The device is enrolled in Intune. You check the device compliance status and find it is marked as non-compliant. Which two actions should you take?

A. Perform a 'Retire' action on the device
B. Request the user to run the 'Sync' action from the Company Portal
C. Use the 'Reset' action to re-enroll the device
D. Run a compliance check from the Intune console
Answer: B, D

Sync applies pending policies and updates compliance status.

Why this answer

Option A and C are correct. Option A resets the compliance state to force re-evaluation. Option C triggers a sync to apply any pending policies.

Option B is for BitLocker issues. Option D is for device wipe.

833
MCQ · easy

Refer to the exhibit. A detection script for a Win32 app in Intune uses a WMI query. The script is expected to detect if BitLocker is not enabled. What will the script return if BitLocker is enabled on the device?

A. It returns the protection status as 1.
B. It returns the drive letter of the protected volume.
C. It returns no results, indicating that BitLocker is enabled.
D. It returns an error because the query is invalid.
Answer: C

No volumes match the condition when BitLocker is on.

Why this answer

Option C is correct because the query returns volumes where ProtectionStatus = 0 (not protected). If BitLocker is enabled, ProtectionStatus = 1, so no results are returned, meaning the script would return a non-detection (often $false or exit 1 depending on script). Option A is incorrect because the query does not return when protection is on.

Option B is incorrect because no results are returned. Option D is incorrect because the query is valid.

834
Multi-Select · hard

You have a Microsoft Intune environment with devices running Windows 10 and 11. You need to configure a policy that enforces BitLocker drive encryption with a TPM protector and stores recovery key in Microsoft Entra ID. Which three settings must you configure in the endpoint protection profile? (Choose three.)

Select 3 answers
A. Store recovery key in Microsoft Entra ID
B. Require encryption of OS drive
C. Choose encryption method (XTS-AES 128-bit)
D. Enable BitLocker
E. Configure TPM as a protector
Answers: A, D, E

Recovery key storage must be set to Microsoft Entra ID.

Why this answer

Options A, B, and D are correct. To enforce BitLocker with TPM and store recovery key in Entra ID, you need to enable BitLocker, configure TPM as protector, and specify Entra ID as the recovery key storage. Option C is wrong because encryption of OS drive is a separate setting.

Option E is wrong because the encryption method does not affect recovery key storage.

835
MCQ · medium

Refer to the exhibit. You create a new update ring policy for Windows 10 devices. You assign the policy to a test group. After a week, you notice that no devices have installed any quality updates. Devices are online and enrolled. What is the most likely reason?

A. Devices are assigned a different update ring policy that defers quality updates.
B. The feature update deferral period is too long.
C. The quality update pause start date is set to a future date.
D. The policy requires a restart to take effect.
Answer: A

Conflicting policies can cause no updates to apply.

Why this answer

The policy sets QualityUpdateDeferralInDays to 0, which means no deferral, but if the pause start date is null, updates should install. However, if the devices are not receiving updates, it could be that the policy is not applied. But the exhibit shows that quality update deferral is 0, so quality updates should be installed immediately.

Option C is correct because if the quality update pause start date is not set, it does not pause updates. Actually, the issue might be that the policy is not assigned correctly. But given the options, Option B is plausible: If the devices have a conflicting update ring policy that defers quality updates, they might not install.

Option A is wrong because feature update deferral does not affect quality updates. Option D is wrong because the policy does not pause quality updates.

836
MCQ · hard

You manage a fleet of iOS devices enrolled in Microsoft Intune. You need to ensure that only approved corporate devices can access Exchange Online. You configure a Conditional Access policy that requires devices to be compliant with Intune compliance policies. However, some users report that they are still able to access email from personal iOS devices that are not enrolled. What should you check first?

A. The policy does not include iOS as a device platform.
B. The policy is not applied to Exchange Online as a cloud app.
C. The Grant control is set to 'Require one of the selected controls' instead of 'Require all'.
D. The policy is not scoped to all users.
Answer: B

The policy must include Exchange Online in the cloud apps list.

Why this answer

Option D is correct because the Conditional Access policy must target all cloud apps, including Exchange Online. Option A is wrong because the policy can apply to all users. Option B is wrong because the policy applies to device platforms.

Option C is wrong because the policy should be set to 'Require device to be marked as compliant'.

837
MCQ · medium

A company plans to deploy Windows 11 to 500 new devices using Microsoft Deployment Toolkit (MDT). The devices have various hardware configurations. The deployment must include language packs and regional settings. Which deployment method should the administrator use to minimize manual intervention?

A. Create a custom task sequence in MDT that includes language packs and regional settings.
B. Use Windows Configuration Designer to create a provisioning package with language settings.
C. Create a task sequence in Configuration Manager without MDT integration.
D. Use Windows Autopilot with a custom profile to deploy language packs.
Answer: A

Task sequences automate deployment including language and region.

Why this answer

Option A is correct because MDT allows the administrator to create a custom task sequence that integrates language packs and regional settings directly into the deployment process. This approach automates the entire deployment with minimal manual intervention, as the task sequence handles all configuration steps without requiring post-deployment adjustments.

Exam trap

The trap here is that candidates often confuse provisioning packages (Option B) or Autopilot (Option D) as suitable for offline image customization, when in fact they only apply settings at runtime and cannot inject language packs into the OS image during deployment.

How to eliminate wrong answers

Option B is wrong because Windows Configuration Designer provisioning packages are designed for runtime configuration and cannot inject language packs into the offline Windows image during deployment; they apply settings after the OS is installed, requiring additional manual steps. Option C is wrong because Configuration Manager without MDT integration lacks the flexible task sequence engine needed to seamlessly inject language packs and regional settings during the deployment process, making it less efficient for this scenario. Option D is wrong because Windows Autopilot is a cloud-based deployment method that does not support injecting language packs into the OS image; it relies on existing images and applies settings post-deployment, which does not minimize manual intervention for language pack integration.

838
Multi-Select · medium

Which TWO of the following are prerequisites for deploying a Win32 app via Microsoft Intune?

Select 2 answers
A. The app must be packaged using the Microsoft Win32 Content Prep Tool.
B. The device must be running Windows 10 version 1803 or later.
C. The device must have the Intune Management Extension installed.
D. The device must be Azure AD joined.
E. The device must have the Company Portal app installed.
Answers: A, C

Tool creates .intunewin file.

Why this answer

Win32 app requires the Intune Management Extension and the app must be packaged in .intunewin format. Option C is incorrect because Company Portal is optional. Option D is incorrect because Windows 10 version 1607+ is required.

Option E is incorrect because Azure AD join is not required.

839
Multi-Select · easy

Your organization uses Microsoft Intune to manage Android Enterprise devices. You need to deploy a managed Google Play app to work profile devices. Which TWO configurations are required?

Select 2 answers
A. The user must have a Google account
B. The device must be personally owned
C. The device must be enrolled using Android Enterprise work profile
D. The app must be approved in the managed Google Play store
E. The app must be configured as a kiosk app
Answers: C, D

Required for managed Google Play apps.

Why this answer

Options A and C are correct. The device must be enrolled in Android Enterprise work profile. The app must be approved in the managed Google Play store.

Option B is wrong because the device does not need to be personally owned; it can be corporate-owned with work profile. Option D is wrong because a Google account is not required for managed Play store. Option E is wrong because the app does not need to be in a kiosk mode.

840
Multi-Select · hard

Which THREE are valid methods to deploy an app as available for users in Microsoft Intune?

Select 3 answers
A. Assign the app to a device group with the 'Available' setting
B. Add the app to the Company Portal as a featured app without assignment
C. Assign the app to a user group with the 'Required' setting
D. Assign the app to a user group with the 'Available' setting
E. Assign the app to a user group with the 'Available for enrolled devices' setting
Answers: C, D, E

Required installs are still available in Company Portal.

Why this answer

Available deployments can be done via Company Portal, as a required install for users, or as available for enrolled devices. Options A, B, and D are correct.

841
Multi-Select · medium

Your organization is planning to use Microsoft Intune to manage Windows 11 devices. Which TWO are prerequisites for enrolling a Windows device in Intune?

Select 2 answers
A. Local administrator account on the device.
B. Microsoft Copilot for Microsoft 365 license.
C. Azure AD Premium P2 license.
D. Network connectivity to https://manage.microsoft.com and other Intune endpoints.
E. A Microsoft account (work or school) with an Intune license.
Answers: D, E

Connectivity is required for enrollment and management.

Why this answer

Windows 11 devices require a Microsoft account for enrollment (unless using a work or school account with automatic MDM enrollment) and network connectivity to Intune services. Option C is not a prerequisite because Intune enrollment can be done without Azure AD Premium P2. Option D is not required because a local admin account is not needed for enrollment.

Option E is not required because Copilot is optional.

842
MCQ · medium

You use Microsoft Intune to manage macOS devices. You need to deploy a shell script that runs on all macOS devices. What is the correct method?

A. Add a shell script under Devices > Scripts
B. Use Company Portal to distribute the script
C. Add a PowerShell script under Devices > Scripts
D. Create a custom configuration profile with Bash script
Answer: A

Intune supports shell scripts for macOS.

Why this answer

Option A is correct because Intune supports shell scripts for macOS via the Scripts blade. Option B is wrong because PowerShell is for Windows. Option C is wrong because macOS does not have a Company Portal equivalent for scripts.

Option D is wrong because there is no Bash script type in Intune; shell scripts are used.

843
MCQ · hard

A multinational organization uses Microsoft Entra ID joined devices with Intune. The security team wants to block enrollment of devices from non-corporate networks unless they have a compliant certificate. Which enrollment restriction should you configure?

A. Device platform restrictions
B. Conditional Access policy requiring hybrid Azure AD join
C. Compliance policy for device health
D. Enrollment device restrictions with certificate requirement
Answer: D

This allows only devices presenting a valid certificate to enroll.

Why this answer

Option D is correct because enrollment device restrictions in Intune allow you to block enrollment from non-corporate networks unless a compliant certificate is present. This is configured under 'Enrollment device restrictions' where you can set a 'Block' action for devices not on trusted networks and require a certificate for compliance, ensuring only authenticated devices can enroll from untrusted locations.

Exam trap

The trap here is confusing post-enrollment controls (compliance policies, Conditional Access) with pre-enrollment controls (enrollment restrictions), leading candidates to select options that manage devices after they are already enrolled rather than blocking enrollment itself.

How to eliminate wrong answers

Option A is wrong because device platform restrictions control which operating systems (e.g., Windows, iOS, Android) can enroll, not network-based certificate requirements. Option B is wrong because a Conditional Access policy requiring hybrid Azure AD join applies to access to cloud apps after enrollment, not to the enrollment process itself, and it does not enforce certificate-based network restrictions. Option C is wrong because compliance policies evaluate device health (e.g., encryption, jailbreak status) after enrollment, not during the enrollment flow, and cannot block enrollment from specific networks.

844
MCQ · hard

Your organization has 5,000 Windows 10 devices managed by Microsoft Intune. You are implementing a new security policy that requires all devices to have BitLocker enabled with TPM validation. You create a device configuration profile for BitLocker and assign it to all devices. After two days, you notice that only 3,200 devices are compliant with the BitLocker policy. The remaining devices show 'Not applicable' for the setting. You verify that all devices are Windows 10 Pro or Enterprise and have TPM 2.0. What is the most likely cause of the 'Not applicable' status?

A. Some devices have TPM 1.2 instead of TPM 2.0
B. The system partition is not configured correctly
C. Secure Boot is disabled on some devices
D. The devices are not enrolled in Intune
Answer: B

BitLocker requires a properly configured system partition; otherwise, the policy shows 'Not applicable'.

Why this answer

Option D is correct because BitLocker requires a system partition that is active and has sufficient space. Option A is incorrect because all devices have TPM 2.0. Option B is incorrect because Secure Boot is not required for BitLocker policy to apply.

Option C is incorrect because the devices are already enrolled, and enrollment restrictions are not the issue.

845
MCQ · hard

You are the endpoint administrator for Contoso, a company with 5,000 Windows 11 devices managed by Microsoft Intune. The company uses Microsoft Defender for Endpoint (MDE) for endpoint detection and response. You need to implement a solution that ensures all devices have the latest Windows security updates installed within 7 days of release. Additionally, you must ensure that if a device misses two consecutive update cycles, it is automatically blocked from accessing corporate resources until it is updated. You have the following requirements:

1. Use Intune update rings to control update deployment.
2. Use MDE vulnerability management to identify missing updates.
3. Device compliance policies should check for missing updates and mark devices noncompliant.
4. Conditional Access should block noncompliant devices.

Which combination of actions should you take?

A. Configure an update ring with a 7-day deferral. Create an app protection policy that requires minimum OS version. Assign the app protection policy to all users.
B. Configure an update ring with no deferral (deferral 0). Create a device compliance policy that checks for missing updates. Configure Conditional Access to require compliant devices.
C. Configure an update ring with a 7-day deferral. Create a device compliance policy that checks for missing updates. Configure Conditional Access to require compliant devices.
D. Configure an update ring with a 7-day deferral. Create a device compliance policy that checks for missing updates. Assign the compliance policy to all devices. Do not configure Conditional Access.
Answer: C

Correct: updates are deferred 7 days; compliance checks missing updates; Conditional Access blocks noncompliant devices. The policy will mark devices noncompliant if they miss updates, and after two cycles (14 days) they will be blocked.

Why this answer

Option D is correct: Update rings set the deferral period to 7 days; a device compliance policy checks for missing updates and marks noncompliant; Conditional Access blocks noncompliant devices. Option A (compliance policy on missing updates only) misses the Conditional Access block. Option B (app protection policy) is irrelevant.

Option C (update ring with deferral 0) applies updates immediately, not within 7 days.

846
MCQ · hard

You run the PowerShell command to check the assignment of a Microsoft Store app in Intune. The output shows 'intent: required' and 'target: allDevicesAssignmentTarget'. Which statement is true about this app?

A. The app is assigned to a specific device group named 'All Devices'.
B. The app will install automatically on all enrolled devices.
C. The app is only assigned to devices that have the Intune Management Extension.
D. The app is available for users to install from Company Portal.
Answer: B

Required assignment to all devices triggers automatic installation.

Why this answer

Option C is correct because 'allDevicesAssignmentTarget' means the app is assigned to all devices, not all users. Option A is wrong because it is assigned to all devices, not a specific group. Option B is wrong because it is required, not available.

Option D is wrong because it is assigned to all devices, not just enrolled ones.

847
Multi-Select · medium

Which THREE actions can you perform from the Microsoft Intune admin center to remediate a non-compliant Windows device?

Select 3 answers
A. Retire the device
B. Remote lock
C. Wipe the device
D. Assign a compliance policy
E. Sync the device
Answers: A, C, E

Retire removes managed data and enrollment.

Why this answer

Options A, C, and D are correct. 'Sync' triggers policy refresh, 'Retire' removes the device, and 'Wipe' resets it. Option B is for iOS. Option E is for compliance policy assignment.

848
MCQ · hard

A user reports that their Windows 11 device cannot connect to the corporate Wi-Fi network. In Intune, the device shows a status of 'Pending' for the Wi-Fi configuration profile. The profile is assigned to a group that includes the user. What is the most likely cause of the issue?

A. The device does not have the required root certificate installed.
B. The Wi-Fi profile is not assigned to the user's group.
C. The Wi-Fi profile requires user affinity and the device is shared.
D. The device has not checked in to Intune within the last 8 hours.
Answer: D

Devices check in periodically; a pending status means the policy hasn't been applied yet.

Why this answer

The 'Pending' status in Intune for a Wi-Fi configuration profile indicates that the policy has been assigned but not yet applied to the device. This typically occurs when the device has not performed a recent check-in with the Intune service. By default, devices check in every 8 hours, so if the device has not checked in within that window, the profile remains in a 'Pending' state until the next successful sync.

Exam trap

The trap here is that candidates often assume 'Pending' means a configuration error (like missing certificates or incorrect assignment) rather than recognizing it as a synchronization delay, which is a common Intune behavior tested on the MD-102 exam.

How to eliminate wrong answers

Option A is wrong because a missing root certificate would typically cause a connection failure after the profile is applied, not a 'Pending' status in Intune; the profile would still be delivered and show as 'Succeeded' or 'Error' depending on the certificate validation. Option B is wrong because the question explicitly states the profile is assigned to a group that includes the user, so assignment is not the issue. Option C is wrong because user affinity affects how profiles are targeted (user vs. device), but a 'Pending' status is not caused by user affinity settings; it is a sync timing issue.

849
MCQ · hard

Your organization uses Microsoft Intune to manage macOS devices. You need to deploy a custom .pkg app that requires a kernel extension. The app is signed with a Developer ID certificate. The devices are enrolled in Intune and are supervised. You have uploaded the .pkg to Intune and assigned it to a user group. The installation fails on devices with the error 'The app could not be installed because the kernel extension is not approved'. You have already configured a kernel extension profile that allows the specific team identifier. What else is likely missing?

A. System Integrity Protection (SIP) is enabled on the devices.
B. FileVault is enabled on the devices.
C. The kernel extension profile does not include the 'Allow user to approve kernel extensions' setting.
D. The app is not notarized by Apple.
Answer: C

On supervised devices, this setting allows silent approval; otherwise user must approve.

Why this answer

Option B is correct because on macOS, even if the kernel extension is allowed via profile, the user must approve it in Security & Privacy settings after installation unless the device is supervised and the profile includes a user-approved configuration. Option A is wrong because the app is already signed. Option C is wrong because SIP is not blocking; the issue is user approval.

Option D is wrong because FileVault is unrelated.

850
MCQ · easy

Your organization uses Microsoft Intune to manage iOS and Android devices. You need to ensure that corporate data on these devices is protected. Specifically, you want to prevent users from copying corporate data from managed apps to personal apps. You also want to ensure that when a device is lost or stolen, the corporate data can be selectively wiped without affecting personal data. Which Intune feature should you use to achieve these requirements?

A. App Protection Policies (MAM).
B. Device Compliance Policies.
C. Conditional Access Policies.
D. Device Configuration Profiles.
Answer: A

MAM policies provide data protection and selective wipe for managed apps.

Why this answer

Option A is correct because App Protection Policies (MAM) provide data protection settings such as preventing copy/paste between managed and unmanaged apps, and allow selective wipe of corporate data. Option B is incorrect because device compliance policies focus on device-level settings, not app-level data protection. Option C is incorrect because device configuration profiles configure device settings, not app data protection.

Option D is incorrect because conditional access policies control access based on compliance, but do not directly prevent copy/paste or provide selective wipe at the app level.

851
MCQ · medium

You are deploying a managed Google Play app to Android Enterprise fully managed devices. The app is not appearing in the work profile. What is the most likely reason?

A. The app is not approved in Managed Google Play
B. The work profile is not enabled
C. The device is not enrolled in Intune
D. The device is not associated with a Google account
Answer: A

Apps must be approved before deployment.

Why this answer

Option B is correct because the app must be approved in Managed Google Play to be available. Option A is wrong because it's not about personal accounts. Option C is wrong because work profile is separate.

Option D is wrong because this does not block the app.

852
Multi-Select · hard

Your organization uses Microsoft Intune to manage Windows 10 devices. You need to deploy a PowerShell script that runs in the user context on a schedule. Which TWO methods can you use? (Choose two.)

Select 2 answers
A. Device compliance policy with a custom script
B. Proactive remediation in Microsoft Intune
C. Configuration profile with a scheduled task
D. Line-of-business app deployment package
E. PowerShell script deployment from the Intune console
Answers: B, C

Proactive remediations can run PowerShell scripts on a schedule in user context.

Why this answer

Proactive remediations in Microsoft Intune allow you to run PowerShell scripts in the user context on a schedule, making option B correct. They are designed for detection and remediation of common support issues, supporting both user and system context execution with configurable schedules.

Exam trap

The trap here is that candidates confuse the one-time execution of Intune PowerShell scripts (option E) with the scheduled execution capability of proactive remediations, or mistakenly think a configuration profile with a scheduled task (option C) is not valid because it requires manual creation of the scheduled task XML, but it is actually a supported method for running scripts on a schedule in the user context.

853
MCQ · easy

Your organization uses Microsoft Intune to manage devices. You need to configure a policy that prevents users from disabling the camera on their corporate iOS devices. You create a device restrictions profile and set the 'Enable camera' setting to 'No'. You assign the profile to a group containing all iOS devices. After 24 hours, users report that the camera is still functional. What should you check first?

A. Verify that the devices are members of the assigned group.
B. Ensure the setting 'Enable camera' is set to 'Not configured' instead of 'No'.
C. Review the device compliance status.
D. Check if the profile is applied to users instead of devices.
Answer: A

Group membership is the most common cause of policy not applying.

Why this answer

Option A is correct because the profile must be assigned to the correct group; if the devices are not in the group, the policy won't apply. Option B is wrong because the setting is correct. Option C is wrong because iOS restrictions are applied at the device level, not user.

Option D is wrong because device compliance is not relevant here.

854
MCQ · medium

A company uses Intune to manage Android Enterprise devices. The administrator deployed a compliance policy that requires encryption and a minimum OS version. Some devices are not showing as compliant even though they meet the requirements. The administrator suspects a time delay. What is the default compliance check interval for Android Enterprise devices in Intune?

A. Every 1 hour
B. Every 8 hours
C. Every 30 minutes
D. Every 24 hours
Answer: B

Default compliance check interval for Android Enterprise is every 8 hours.

Why this answer

The correct answer is Every 8 hours. Option A is incorrect because 30 minutes is too short and not default. Option B is incorrect because 1 hour is not default.

Option D is incorrect because 24 hours is not default.

855
Multi-Select · easy

Which TWO of the following are benefits of using Microsoft Intune to manage applications on mobile devices?

Select 2 answers
A. Ability to deploy apps to devices without requiring sideloading.
B. Enforcement of device compliance before app installation.
C. Support for user-based licensing only.
D. Selective wipe of corporate data from apps when a user leaves.
E. Automatic backup of app data to the cloud.
Answers: A, D

Apps are installed via MDM channel.

Why this answer

Intune allows deploying apps without sideloading and can selectively wipe corporate data. Option C is incorrect because Intune does not provide local backup. Option D is incorrect because Intune manages app installation, not just compliance.

Option E is incorrect because device-based licensing is not a primary benefit.

856
MCQ · easy

A Windows 10 device is assigned this update ring policy. A new quality update is released today. When will the device install the update?

A. In 7 days
B. In 30 days
C. Today
D. Never, because automatic update mode requires reboot with warning.
Answer: C

Deferral is 0 days, so it installs as soon as available.

Why this answer

Option C is correct because the update ring policy is configured with 'Automatic update behavior' set to 'Auto install and restart without end-user control' and 'Servicing channel' set to 'Current branch (CB)'. When a new quality update is released, devices in this configuration will download and install the update immediately, typically within 24 hours of release, without any deferral period. The policy does not specify any deferral for quality updates, so the installation occurs today.

Exam trap

The trap here is that candidates confuse the 'Automatic update behavior' setting (which controls restart behavior) with the deferral period (which controls when the update is offered), leading them to incorrectly assume that a 'reboot with warning' mode delays the installation itself.

How to eliminate wrong answers

Option A is wrong because a 7-day deferral would only apply if the update ring policy had a 'Quality update deferral period (days)' set to 7, which is not indicated in the scenario. Option B is wrong because a 30-day deferral is typically used for feature updates, not quality updates, and the policy does not specify such a deferral for quality updates. Option D is wrong because 'Automatic update mode' with 'Auto install and restart without end-user control' does not prevent installation; it allows the update to install and then reboots with a warning, but the update itself is installed immediately upon availability.

857
MCQ · medium

A company deploys Windows 10 Enterprise devices managed by Microsoft Intune. Users report that after a recent Windows update, the Start menu layout is reset to default on some devices. The company uses a custom Start menu layout XML policy. How should the administrator ensure the custom layout is reapplied automatically after feature updates?

A. Use a Feature Update policy in Intune to set the 'Start layout XML' setting.
B. Deploy a provisioning package with the custom layout to all devices via Intune.
C. Configure the 'Start layout' policy under User Configuration > Administrative Templates > Start Menu and Taskbar to point to the XML file.
D. Reapply the Start layout policy manually after each feature update.
Answer: C

The Start layout policy is reapplied during policy refresh, which occurs after feature updates.

Why this answer

Option C is correct because the 'Start layout' policy under User Configuration > Administrative Templates > Start Menu and Taskbar in a Group Policy Object (GPO) or Intune Administrative Template profile is designed to persistently enforce a custom Start layout XML. When a Windows feature update resets the Start menu to default, this policy automatically reapplies the custom layout at next user logon or policy refresh, ensuring consistency without manual intervention.

Exam trap

The trap here is that candidates confuse Feature Update policies (which manage version upgrades) with configuration policies (which enforce settings like Start layout), leading them to incorrectly select Option A.

How to eliminate wrong answers

Option A is wrong because a Feature Update policy in Intune controls which Windows version is installed, not the Start layout configuration; it does not contain a 'Start layout XML' setting. Option B is wrong because a provisioning package applies settings only during initial device setup or reset, not dynamically after a feature update; it is not designed for ongoing policy enforcement. Option D is wrong because manual reapplication is not an automated solution and contradicts the requirement for automatic reapplication after feature updates.

858
MCQ · hard

You deploy a Win32 app via Intune to Windows 10 devices. The app installs successfully on some devices but fails on others with no error in the Intune console. The app logs show 'Access Denied' during installation. What should you check first?

A. The device is not Microsoft Entra ID joined
B. The device has insufficient disk space
C. The app is not signed
D. The installation context (user vs system) in the app deployment
Answer: D

The app may require system privileges but is set to user context.

Why this answer

If the app is configured to install in user context but requires admin privileges, it will fail. Changing to system context resolves this. Option A is correct.

859
MCQ · hard

A user reports that their Windows 11 device is not receiving a required security baseline policy from Microsoft Intune. The device appears as compliant in the Microsoft Intune admin center. Other devices in the same group receive the policy. You verify that the policy is assigned to the correct group and that the user is a member. What is the most likely cause?

A. The device has not checked in with Intune recently or has a policy conflict
B. The user is not a member of the Azure AD group that the policy is assigned to
C. The policy is not assigned to any group
D. The device is marked as non-compliant and has been blocked
Answer: A

If the device hasn't checked in or has a conflict, it may not apply the policy.

Why this answer

Option D is correct because the problem is isolated to one device, and the user is in the correct group. The most likely cause is that the device is in a pending state such as waiting for check-in or has a conflict with another policy. Option A is wrong because if the user were not in the group, the policy would not apply to any devices, but other devices in the same group receive the policy.

Option B is wrong because the device is compliant. Option C is wrong because the policy is assigned to the group and other devices receive it.

860
MCQ · medium

You are configuring a Windows 10 device compliance policy in Microsoft Intune. The policy requires that devices have BitLocker enabled and a minimum OS build version. However, some devices are showing as 'Not compliant' even though they meet the requirements. What is the most likely cause?

A. The OS build version is not reported correctly.
B. The devices have not checked in with Intune recently.
C. BitLocker is not enabled on the system drive.
D. The devices need to be rebooted for the policy to apply.
Answer: B

Outdated check-in can cause incorrect non-compliance status.

Why this answer

Option B is correct because compliance policies in Intune are evaluated based on the last check-in time; if a device hasn't checked in recently, its status may be outdated. Option A is wrong because a reboot is not required for compliance evaluation. Option C is wrong because BitLocker status is reported correctly if enabled.

Option D is wrong because OS build version reporting is accurate.

861
Multi-Select · hard

Which THREE of the following are valid methods to enroll Android devices into Microsoft Intune?

Select 3 answers
A. Android Device Administrator
B. Android Legacy
C. Android Enterprise work profile
D. Android Open Source Project (AOSP)
E. Android Enterprise fully managed
Answers: C, D, E

Work profile is for BYOD scenarios, separating work and personal data.

Why this answer

Option C is correct because Android Enterprise work profile is a supported enrollment method in Microsoft Intune that allows users to keep their personal apps and data separate from corporate data on the same device. Intune manages the work profile using the Android Enterprise platform, which provides containerization and policy enforcement without requiring full device control.

Exam trap

The trap here is that candidates confuse 'Android Device Administrator' (a deprecated method) with 'Android Enterprise work profile' (a modern method), or mistakenly think 'Android Legacy' is a valid enrollment option when it is not a recognized Intune enrollment type.

862
Multi-Select · medium

Which TWO are valid methods to deploy Windows 10/11 using Microsoft Intune?

Select 2 answers
A. Windows Autopilot
B. Provisioning packages (PPKG)
C. PXE boot from a distribution point
D. Network boot via WDS
E. Bootable USB media with Windows Setup
Answers: A, B

Cloud-native deployment method.

Why this answer

Windows Autopilot is a valid Intune deployment method because it uses cloud-based configuration to transform a new or existing device into a business-ready state without manual imaging. It leverages hardware hashes uploaded to Intune, which then applies policies, apps, and settings during the out-of-box experience (OOBE). This eliminates the need for traditional imaging infrastructure.

Exam trap

The trap here is that candidates confuse on-premises deployment tools (WDS, PXE, USB media) with cloud-native Intune methods, forgetting that Intune is a cloud-only MDM service that does not support direct imaging or network boot protocols.

863
Multi-Select · easy

A company uses Microsoft Intune to manage devices. They want to use a script to collect inventory data from Windows devices. Which TWO methods can be used?

Select 2 answers
A. Device configuration profile
B. Proactive remediations
C. Custom compliance policy
D. PowerShell script deployment
E. App protection policy
Answers: B, C

Detection scripts in proactive remediations can collect inventory data.

Why this answer

Options A and D are correct. Proactive remediations can run detection scripts that collect data, and custom compliance policies can use scripts to gather inventory. Option B is wrong because PowerShell scripts deployed via Intune run as scripts, not as a separate method.

Option C is wrong because device configuration profiles do not run scripts. Option E is wrong because app protection policies are for app data.

864
MCQ · easy

You need to ensure that all corporate-owned Windows devices automatically receive security updates as soon as they are released by Microsoft. Which update ring policy setting should you configure in Microsoft Intune?

A. Set the 'Microsoft product updates' setting to 'Allow'.
B. Set 'Defer quality updates' to 0 days.
C. Select the 'Windows Insider' channel for quality updates.
D. Select the 'Semi-Annual Channel' for feature updates.
Answer: B

0-day deferral means updates are installed immediately.

Why this answer

Option D is correct because the 'Defer feature updates' and 'Defer quality updates' settings control how long updates are delayed; setting them to 0 ensures immediate installation. Option A is incorrect because it is a service channel, not a deferral setting. Option B is incorrect because 'Semi-Annual Channel' delays feature updates by 4 months.

Option C is incorrect because 'Windows Insider' is for preview builds.

865
MCQ · easy

Your organization uses Microsoft Intune to manage Android Enterprise devices. You need to ensure that when a device is lost, an IT admin can remotely wipe only the work profile, leaving the personal data intact. Which remote action should you use?

A. Wipe
B. Remove work profile
C. Retire
D. Delete
Answer: B

This action removes only the work profile, preserving personal apps and data.

Why this answer

The 'Remove work profile' action is the correct remote action for Android Enterprise personally-owned work profile devices because it specifically targets and removes only the managed work profile, including all corporate apps and data, while leaving the user's personal profile and data intact. This action is designed for BYOD scenarios where the organization needs to protect corporate data without affecting the employee's personal information.

Exam trap

The trap here is that candidates often confuse 'Retire' with 'Remove work profile' because both remove corporate data, but on Android Enterprise personally-owned work profile devices, 'Remove work profile' is the explicit and correct action name, while 'Retire' is a legacy or generic term that may not be listed as a separate action in the Intune console for this device type.

How to eliminate wrong answers

Option A is wrong because 'Wipe' performs a full factory reset of the entire device, erasing both personal and corporate data, which is not appropriate when only the work profile needs to be removed. Option C is wrong because 'Retire' is a generic action that removes management and all company data from the device, but on Android Enterprise personally-owned work profile devices, it effectively performs the same as 'Remove work profile'; however, the specific and correct action name for this scenario is 'Remove work profile', not 'Retire'. Option D is wrong because 'Delete' is not a valid remote action in Microsoft Intune for Android Enterprise devices; it typically refers to deleting the device object from the console without initiating a wipe or profile removal.

866
MCQ · medium

You have configured the above app protection policy for iOS. What is the effect on managed apps?

A. Users can use Face ID to unlock apps
B. Users cannot take screenshots within managed apps
C. Users can back up app data to iCloud
D. Users can print from managed apps
Answer: B

Screen capture is blocked.

Why this answer

The policy blocks data sync, backup, and screen capture. It does not block printing. Option B is correct.

867
Multi-Select · hard

Which THREE conditions must be met for a Windows 10 device to be able to use Windows Autopilot self-deploying mode?

Select 3 answers
A. The device must be Azure AD joined.
B. The device must have a TPM 2.0 chip.
C. The device must be Hybrid Azure AD joined.
D. The device must be registered as an Autopilot device.
E. A user must be assigned to the device in Autopilot.
Answers: A, B, D

Self-deploying mode requires Azure AD join.

Why this answer

Azure AD join is required for self-deploying mode because this mode provisions a device for shared or kiosk scenarios without user interaction. The device must be joined to Azure AD to establish a device identity and allow policy application before any user signs in, which is a core requirement for the zero-touch provisioning flow.

Exam trap

The trap here is that candidates often confuse self-deploying mode with user-driven modes and incorrectly assume a user must be assigned, or they think Hybrid Azure AD join is supported in self-deploying mode, but Microsoft explicitly restricts self-deploying to Azure AD join only.

868
MCQ · easy

Your organization plans to deploy Microsoft 365 Apps to 500 Windows 10 devices using Microsoft Intune. You need to ensure that users do not need to enter their credentials to activate the apps. Which configuration should you use?

A. Enable device-based activation for Microsoft 365 Apps
B. Use a product key and activate via KMS server
C. Deploy Microsoft 365 Apps with user-based activation and ensure devices are Microsoft Entra ID joined
D. Configure Microsoft 365 Apps for enterprise with shared computer activation
Answer: C

User-based activation with Microsoft Entra ID provides single sign-on.

Why this answer

Microsoft 365 Apps for enterprise with shared computer activation is designed for RDS or VDI, not standard devices. User-based activation requires sign-in. Device-based activation is for devices without a user, but here users are present.

The best option is to use Microsoft Entra ID (formerly Azure AD) joined devices with user-based activation, which enables single sign-on. Option C is correct because Microsoft 365 Apps activation is tied to the user's identity via Microsoft Entra ID.

869
MCQ · medium

An Android device running OS version 9.0 with app version 1.5.0 is targeted by the app protection policy in the exhibit. What is the expected behavior when the user tries to access work data?

A. Access is blocked because the OS version is below the warning level
B. Access is allowed with a warning to update the app and OS
C. Access is allowed without any warning because minimum requirements are met
D. Access is blocked because the app version is below the warning level
Answer: B

The user meets minimum requirements but not warning levels, so a warning is shown.

Why this answer

The app protection policy in the exhibit sets the minimum OS version to 9.0 and the minimum app version to 1.5.0, with the warning level set to OS version 8.0 and app version 1.4.0. Since the device runs OS 9.0 (meeting the minimum) and app version 1.5.0 (meeting the minimum), but the OS version is below the warning level (9.0 is not below 8.0) and the app version is below the warning level (1.5.0 is not below 1.4.0), the device actually meets both minimum requirements. However, the question states the device is targeted by the policy, and the exhibit likely shows the warning level for OS is 8.0 and for app is 1.4.0, meaning the device's OS 9.0 is above the warning level, but the app version 1.5.0 is above the warning level as well.

The correct interpretation is that the device meets minimum requirements, so access is allowed, but because the app version is exactly at the minimum (not below warning), no warning is triggered. Option B is correct because the device meets all minimums, so access is allowed without any warning.

Exam trap

The trap here is that candidates often confuse the 'warning level' with the 'minimum level', assuming that being below the warning level triggers a block rather than just a warning, or they misread the exhibit and think the device's versions are below the warning thresholds when they are actually above them.

How to eliminate wrong answers

Option A is wrong because the OS version 9.0 is not below the warning level (8.0) — it is above it, so access is not blocked for OS version. Option C is wrong because while access is allowed, the statement 'without any warning because minimum requirements are met' is partially correct, but the question expects the behavior when the user tries to access work data — the policy allows access with a warning only if the app or OS is below the warning level but above the minimum; here both are above warning levels, so no warning is shown, making C technically correct but the exam answer is B because the exhibit likely shows the app version is below the warning level (1.5.0 vs 1.4.0 warning) — wait, re-evaluating: if app version 1.5.0 is above warning 1.4.0, no warning. The trap is that the exhibit might show the warning level for OS as 8.0 and app as 1.4.0, but the device OS 9.0 is above warning, app 1.5.0 is above warning, so no warning.

Option D is wrong because the app version 1.5.0 is not below the warning level (1.4.0) — it is above, so access is not blocked for app version.

870
Multi-Select · hard

An administrator uses Intune to deploy a line-of-business (LOB) app for Android. The app is failing to install on some devices. The administrator reviews the Intune management extension logs and sees error 'Device not compliant with app configuration policy'. Which THREE conditions could cause this error?

Select 3 answers
A. The device is not enrolled in Android Enterprise work profile
B. The device is a personally owned device with work profile when the app requires fully managed device
C. The app was previously installed and then uninstalled
D. The Company Portal app is not installed on the device
E. The device's Android version is below the minimum required by the app
Answers: A, B, E

App configuration policies often require work profile enrollment.

Why this answer

Option A is correct because the 'Device not compliant with app configuration policy' error occurs when an Android Enterprise work profile is required for the app's deployment but the device lacks this enrollment. Intune uses app configuration policies to enforce settings like work profile enrollment; if the device is not enrolled in a work profile, the policy cannot be applied, causing the installation to fail.

Exam trap

The trap here is that candidates may confuse app configuration policy compliance with device compliance policies or app installation prerequisites, leading them to select options like 'Company Portal not installed' or 'app uninstalled' instead of focusing on enrollment type mismatches.

871
MCQ · medium

Refer to the exhibit. You run this KQL query in Microsoft Sentinel. What is the result?

A. A list of all devices regardless of operating system.
B. A list of all Windows devices with their last activity.
C. A count of unique Windows devices per device name in the last 7 days.
D. A count of security alerts per device.
Answer: C

Correct. The query summarizes unique devices by name.

Why this answer

The KQL query uses `DeviceInfo` (a Microsoft Sentinel table for device inventory), filters with `where` to include only rows where `OperatingSystem` contains 'Windows', then uses `summarize` with `dcount(DeviceName)` to count distinct device names, and `bin(TimeGenerated, 7d)` to group by 7-day intervals. This produces a count of unique Windows devices per device name over the last 7 days, making option C correct.

Exam trap

The trap here is that candidates may misinterpret `dcount(DeviceName)` as a count of rows or a list of devices, rather than recognizing it as a distinct count aggregation, and may overlook that `DeviceInfo` is an inventory table, not an alert table.

How to eliminate wrong answers

Option A is wrong because the query explicitly filters for Windows devices (`where OperatingSystem contains 'Windows'`), so it does not return all devices regardless of OS. Option B is wrong because the query does not retrieve any 'last activity' data; it uses `dcount(DeviceName)` to count unique devices, not to list devices with their last activity timestamp. Option D is wrong because the query operates on `DeviceInfo`, which is a device inventory table, not a security alerts table; there is no alert data or alert count logic in the query.

872
MCQ · easy

A company uses Microsoft Intune to manage Windows 10 devices. Users report that a LOB app deployed as a required install fails to install on some devices. The app is configured with a dependency on another app. What should the administrator verify first?

A. Ensure the devices have internet connectivity
B. Verify that the app is signed with a trusted certificate
C. Recreate the deployment policy
D. Check if the dependency app is assigned and installed successfully
Answer: D

Dependencies must be installed first; if the dependency fails, the main app will not install.

Why this answer

Option D is correct because when a required LOB app fails to install, the most common cause is that its dependency app is not present or not successfully installed on the target device. Intune enforces dependency apps to be installed before the parent app, and if the dependency is missing or failed, the parent app installation will not proceed. The administrator should first verify that the dependency app is assigned to the same device groups and has a successful installation status.

Exam trap

The trap here is that candidates may assume the issue is with the app itself (signing or connectivity) rather than recognizing that Intune's dependency enforcement means the parent app will not install until the dependency is successfully deployed.

How to eliminate wrong answers

Option A is wrong because while internet connectivity is needed for Intune communication, a dependency issue is a more specific and likely cause for a required app failing to install, and connectivity would typically affect all apps, not just one. Option B is wrong because LOB apps deployed via Intune are already signed with a trusted certificate during enrollment or sideloading; signing issues would cause installation failures on all devices, not just some, and the question indicates the app is already configured. Option C is wrong because recreating the deployment policy is a generic troubleshooting step that does not address the specific dependency configuration; it would not resolve a missing or failed dependency app.

873
Multi-Select · hard

Which THREE components are required for a successful co-management setup between Configuration Manager and Microsoft Intune? (Choose three.)

Select 3 answers
A. Microsoft Intune tenant
B. Configuration Manager current branch
C. Service connection point (Cloud Attach)
D. Public key infrastructure (PKI) certificates
E. Microsoft Entra ID (Azure AD)
Answers: A, B, E

Intune is the cloud management side.

Why this answer

Options A, B, and D are correct. Co-management requires Azure AD (Entra ID) for identity, Intune tenant for enrollment, and Configuration Manager current branch for management. Option C is not required; a service connection point is needed for cloud attach, but not specifically for co-management.

Option E is not required; a PKI is optional.

874
Drag & Drop · medium

Arrange the steps to troubleshoot a Windows 10 device failing to enroll in Microsoft Intune.

Why this order

Start with basic connectivity and licensing, then check logs for errors, verify prerequisites, and retry.

875
MCQ · medium

Your organization uses Microsoft Intune to manage Windows 11 devices. You need to ensure that devices cannot connect to unsecured Wi-Fi networks. Which policy type should you configure?

A. Device configuration profile with network settings.
B. Compliance policy.
C. Certificate profile.
D. Wi-Fi profile.
Answer: D

Wi-Fi profiles define allowed networks and their security settings.

Why this answer

Wi-Fi profiles in Intune allow you to configure Wi-Fi settings, including security type. To block unsecured networks, you would create a Wi-Fi profile with WPA2-Enterprise or similar. Option A is incorrect because certificates are used for authentication, not to block networks.

Option B is incorrect because compliance policies can mark devices as non-compliant but do not configure Wi-Fi. Option D is incorrect because configuration profiles for Wi-Fi are typically called Wi-Fi profiles.

876
Multi-Select · medium

Which TWO actions can an Intune administrator take to ensure that only compliant devices can access corporate Exchange Online email?

Select 2 answers
A. Configure an Exchange Active Sync policy in Intune.
B. Create a device configuration profile to enforce security settings.
C. Deploy an app protection policy for Outlook for iOS and Android.
D. Create a device compliance policy that checks for required settings.
E. Create a conditional access policy in Microsoft Entra ID that requires devices to be marked as compliant.
Answers: D, E

Device compliance policies mark devices as compliant or non-compliant, used by conditional access.

Why this answer

Option D is correct because a device compliance policy in Intune defines the rules (e.g., requiring a minimum OS version, encryption, or a jailbreak/root status check) that a device must meet to be considered compliant. This policy is a prerequisite for conditional access, ensuring only devices that satisfy these security baselines can access corporate resources like Exchange Online.

Exam trap

The trap here is that candidates confuse device compliance policies (which check device state) with app protection policies (which protect data at the app layer), leading them to incorrectly select Option C, even though app protection policies do not enforce device-level compliance for conditional access.

877
Multi-Select · easy

Which TWO of the following are methods to deploy apps to Windows 10/11 devices via Microsoft Intune?

Select 2 answers
A. iOS app
B. Web link
C. Microsoft Store app
D. Android app
E. Win32 app
Answers: C, E

Microsoft Store app is a supported deployment method.

Why this answer

Win32 app and Microsoft Store app are supported deployment methods. Web link is not an app type. iOS and Android are for other platforms.

878
Multi-Select · hard

You are planning device management for a corporate environment with Windows 10, iOS, and Android devices. You need to implement a solution that allows users to access corporate email and documents securely on their personal devices without IT managing the entire device. Which THREE components should you include?

Select 3 answers
A. Azure AD application proxy for on-premises apps
B. Device enrollment into Intune
C. Microsoft Intune app protection policies (MAM)
D. Azure AD conditional access policies
E. Device compliance policies
Answers: A, C, D

Provides secure remote access without VPN.

Why this answer

Options A, B, and C are correct. MAM policies protect app data at the application level without full device management. Conditional access controls access based on compliance.

Azure AD app proxy provides secure remote access to on-premises apps. Option D is not needed because device enrollment is not required. Option E is for device-level management, not app-level.

879
Multi-Select · medium

You are planning a Windows 10 deployment using Windows Autopilot. You need to ensure that devices are automatically enrolled in Intune during the out-of-box experience. Which two prerequisites must be met? (Choose two.)

Select 2 answers
A. Tenant must have Microsoft Entra ID P1 or P2
B. Devices must have a valid Windows 10/11 Pro or Enterprise license
C. Devices must be registered in Microsoft Entra ID as Autopilot devices
D. On-premises Active Directory synchronization must be configured
E. Users must have a Microsoft 365 E3 license
Answers: B, C

Windows Pro or Enterprise is required for Autopilot.

Why this answer

Options A and C are correct. Autopilot requires devices to have a valid Windows license and be registered in Microsoft Entra ID. Option B is wrong because Azure AD is now Microsoft Entra ID, but the requirement is for the device to be registered, not for the tenant to be premium.

Option D is wrong because Autopilot does not require on-premises Active Directory. Option E is wrong because a Microsoft 365 E3 license is not a prerequisite; a Windows license is sufficient.

880
MCQ · hard

An organization uses Microsoft Defender for Endpoint (MDE) with Microsoft Intune for device management. The security team wants to automatically remediate risks detected by MDE on Windows devices. Which Intune feature should be used to trigger remediation actions based on MDE alerts?

A. Device configuration profile
B. Conditional Launch policy for MDE
C. Device compliance policy
D. Windows Update rings
Answer: B

Conditional Launch allows blocking access until device risk is remediated.

Why this answer

The correct answer is Conditional Launch policies, which can require a minimum device health score before allowing access. Option A is incorrect because compliance policies check device compliance but do not trigger remediation actions automatically. Option B is incorrect because configuration profiles set settings but do not respond to MDE alerts.

Option D is incorrect because Windows Update for Business manages updates, not remediation.

881
MCQ · hard

Your organization plans to deploy Windows Autopilot for existing devices that are currently running Windows 10. You need to convert these devices from a traditional imaging deployment to an Autopilot deployment. You want to minimize user disruption. What should you do?

A. Assign an Autopilot deployment profile to the device group in Intune.
B. Export the hardware hash from each device and upload it manually to Intune.
C. Use a provisioning package (PPKG) to reset the device and register it for Autopilot.
D. Perform a full device wipe and reimage using traditional methods, then register with Autopilot.
Answer: C

PPKG allows reset and registration with minimal user disruption.

Why this answer

Option C is correct because using a provisioning package (PPKG) to reset the device and register it for Autopilot is the recommended method for converting existing Windows 10 devices to Autopilot with minimal user disruption. The PPKG approach allows you to capture the hardware hash, reset the device, and register it with the Autopilot service in a single process, avoiding the need for a full manual wipe or reimage. This method preserves the user's data and settings during the reset, aligning with the goal of minimizing disruption.

Exam trap

The trap here is that candidates often confuse the registration step (exporting the hardware hash) with the actual conversion process, failing to recognize that a reset or provisioning package is required to complete the Autopilot enrollment without disrupting users.

How to eliminate wrong answers

Option A is wrong because assigning an Autopilot deployment profile to a device group in Intune only applies after the device is already registered with Autopilot; it does not convert an existing device or register its hardware hash. Option B is wrong because manually exporting and uploading the hardware hash is a prerequisite for registration but does not perform the conversion or reset; it requires additional steps to actually deploy Autopilot, causing more disruption. Option D is wrong because performing a full device wipe and reimage using traditional methods contradicts the goal of minimizing user disruption, as it erases all data and settings, and then registering with Autopilot adds unnecessary overhead.

882
MCQ · easy

Refer to the exhibit. You deploy this custom OMA-URI policy to Windows 10 devices. What is the expected outcome?

A. Telemetry is set to 1 - Basic
B. The policy applies to users, not devices
C. The policy fails because value 0 is not allowed
D. Telemetry is set to 0 - Security (Enterprise only)
Answer: D

Value 0 disables telemetry.

Why this answer

Option A is correct. Setting AllowTelemetry to 0 disables telemetry data collection. Option B is wrong because value 1 enables basic telemetry.

Option C is wrong because 0 is not invalid. Option D is wrong because it targets device context.

883
MCQ · medium

Your organization uses Microsoft Defender for Endpoint (now part of Microsoft Defender XDR). You need to ensure that when a device is offboarded, all collected forensic data is deleted from Microsoft 365. What should you do?

A. Disable the device's onboarding policy in Intune.
B. Use the 'Remove device from organization' action in Microsoft Defender XDR console.
C. Run a PowerShell script to execute 'Remove-MpPreference -DisableRealtimeMonitoring $true'.
D. Uninstall the Microsoft Defender for Endpoint sensor from the device.
Answer: B

This action offboards the device and deletes its data from the service.

Why this answer

Option B is correct because the 'Remove device from organization' action in Microsoft Defender XDR triggers deletion of the device's data from the service. Option A is wrong because disabling the onboarding policy only stops future data collection. Option C is wrong because uninstalling the sensor does not remove existing data.

Option D is wrong because there is no 'Data Purge' action for individual devices.

884
MCQ · hard

You are troubleshooting a Windows 11 device that fails to install an Intune-managed update. The device has been offline for two weeks. After reconnecting, the update does not install. In the Intune console, the update shows 'Failed to install' with error code 0x800f0831. What is the most likely cause?

A. The device does not have internet connectivity.
B. The device's Windows component store is corrupted due to missing prerequisites.
C. The device does not have enough disk space.
D. The update is superseded and no longer applicable.
Answer: B

Being offline for a long time can cause prerequisite issues, leading to this error.

Why this answer

Error 0x800f0831 typically indicates a corrupted component store or missing update prerequisites. This often happens when the device is offline for a long time and missing cumulative updates. Option A is incorrect because the device is online now.

Option B is incorrect because storage space is not the issue. Option D is incorrect because connectivity is restored.

885
MCQ · hard

You manage iOS devices with Microsoft Intune. A user reports that a required app is missing from their device. You verify the app is assigned as 'Required' to a user group containing the user, and the device is compliant. What is the most likely reason the app is not installing?

A. The app is set to 'Available for enrolled devices' instead of 'Required'.
B. The device is not enrolled using Apple Device Enrollment Program (DEP).
C. The Apple Volume Purchase Program (VPP) token has expired.
D. The app is configured to require user enrollment, but the device uses device enrollment.
Answer: D

User enrollment is needed for apps that require a user context.

Why this answer

If the app is configured to require the device to be enrolled in user enrollment, the app will not install on devices enrolled via device enrollment. Option C is correct. Option A is wrong because the VPP token expiration would affect all apps, not just this one.

Option B is wrong because if DEP is used, the app should still install. Option D is wrong because the app is assigned as required, so user installs should be allowed.

886
MCQ · easy

A user reports that after resetting their Windows 10 device, they cannot re-enroll it in Intune. The device appears as 'Pending' in the admin center. What is the most likely reason?

A. The device has a stale record in Intune that needs to be deleted.
B. The user is trying to enroll with a different Azure AD account.
C. The MDM authority is not set to Intune.
D. The user does not have an Intune license assigned.
Answer: A

A previous enrollment record can block re-enrollment; deleting it resolves the issue.

Why this answer

When a Windows 10 device is reset, its existing Intune enrollment record becomes stale. The device attempts to re-enroll but the old record causes a conflict, leaving the device in a 'Pending' state in the admin center. Deleting the stale device record from Intune allows the enrollment to complete successfully.

Exam trap

The trap here is that candidates may think a 'Pending' state is due to licensing or authority misconfiguration, but the real cause is the stale device record left behind after a reset, which is a specific enrollment conflict scenario tested in MD-102.

How to eliminate wrong answers

Option B is wrong because enrolling with a different Azure AD account would typically result in a different device identity or a registration failure, not a 'Pending' state; the issue is a stale record, not an account mismatch. Option C is wrong because if the MDM authority were not set to Intune, the device would fail to enroll entirely or show an error, not remain in 'Pending'; the authority is already configured for Intune. Option D is wrong because a missing Intune license would prevent enrollment initiation or show a licensing error, not cause a 'Pending' state after a reset; the user was previously enrolled, so licensing is already in place.

887
Multi-Select · hard

Your organization uses Microsoft Intune to manage devices. You need to collect diagnostic logs from a remote Windows device without user interaction. Which THREE methods can you use?

Select 3 answers
A. MDM diagnostic log collection policy
B. Device configuration profile
C. Device diagnostics (Intune device action)
D. Microsoft Support and Recovery Assistant
E. Remote Windows PowerShell session
Answers: A, C, E

Policy can trigger log upload to Intune.

Why this answer

Device diagnostics in Intune, remote Windows PowerShell, and MDM diagnostic logs via policy all allow remote log collection. Microsoft Support and Recovery Assistant requires user input. Configuration profiles do not collect logs.

888
MCQ · easy

You need to ensure that all Windows 11 devices in your organization have BitLocker enabled and the recovery key escrowed to Microsoft Entra ID. Which Intune policy should you configure?

A. Compliance Policy
B. Device Restrictions profile
C. Endpoint Protection profile
D. Device Configuration profile
Answer: C

Correct. Endpoint Protection profile includes BitLocker settings.

Why this answer

The Endpoint Protection profile in Microsoft Intune contains the BitLocker settings, including the requirement to enable BitLocker and automatically escrow the recovery key to Microsoft Entra ID. This profile is specifically designed for security configurations like disk encryption, firewall, and antivirus, making it the correct choice for this task.

Exam trap

The trap here is that candidates often confuse Compliance Policy with configuration policies, thinking that compliance can enforce BitLocker, but compliance only reports and can trigger remediation actions—it does not configure the encryption or key escrow settings itself.

How to eliminate wrong answers

Option A is wrong because Compliance Policy evaluates whether devices meet security requirements (e.g., BitLocker enabled) but cannot enforce or configure BitLocker settings or escrow keys; it only reports non-compliance. Option B is wrong because Device Restrictions profile controls device-level settings like password policies and browser restrictions, not disk encryption or key escrow. Option D is wrong because Device Configuration profile is a general container for settings like email, Wi-Fi, and certificates, but BitLocker-specific policies are managed under the dedicated Endpoint Protection profile.

889
MCQ · hard

Adventure Works uses Microsoft Intune for device management. You need to deploy a custom PowerShell script to all Windows 10 devices to configure a registry key for security compliance. The script is already uploaded to Intune as a PowerShell script. However, the script is not running on some devices. You have confirmed that the devices are enrolled, have the Intune Management Extension installed, and are online. What should you check first?

A. Check that the user has administrative privileges on the device.
B. Confirm that the device is running a 64-bit version of Windows.
C. Ensure the script is assigned to the device group.
D. Verify that the PowerShell execution policy on the devices allows script execution (e.g., RemoteSigned or Bypass).
Answer: D

Execution policy can block scripts.

Why this answer

The script execution policy may block scripts. The Intune Management Extension runs scripts under the system account, which respects the local execution policy. Checking the execution policy is the first step.

The script assignment should be verified if it wasn't assigned, but the question states it is uploaded; assignment is a separate step. The user's role does not affect script execution. The device's OS architecture is unlikely the issue.

890
MCQ · easy

You are configuring Windows Autopilot for new devices. The devices need to be automatically enrolled in Intune and assigned to a specific group based on their serial number. What is the required step before the devices can be recognized by Autopilot?

A. Configure Intune enrollment for all users using device enrollment managers.
B. Register the devices using their hardware hash in the Microsoft Intune admin center.
C. Join the devices to Microsoft Entra ID manually before shipping.
D. Upload a CSV file with device serial numbers to Microsoft Entra ID.
Answer: B

Hardware hash registration is the standard method.

Why this answer

Before Windows Autopilot can recognize and automatically enroll devices, they must be registered as Autopilot devices. This is done by uploading their hardware hash (a unique identifier derived from the device's TPM and other hardware) into the Microsoft Intune admin center. Once registered, the device is associated with an Autopilot profile and can be automatically enrolled in Intune and assigned to a group based on its serial number during the out-of-box experience.

Exam trap

The trap here is that candidates often confuse device registration (uploading the hardware hash) with device enrollment (assigning users or policies), or mistakenly think that simply listing serial numbers in a CSV is sufficient for Autopilot recognition.

How to eliminate wrong answers

Option A is wrong because configuring Intune enrollment for all users using device enrollment managers does not register the device with Autopilot; it only allows a delegated user to enroll devices manually, bypassing the Autopilot registration requirement. Option C is wrong because manually joining devices to Microsoft Entra ID before shipping defeats the purpose of Autopilot's zero-touch provisioning; Autopilot handles the join automatically during OOBE. Option D is wrong because uploading a CSV file with device serial numbers to Microsoft Entra ID is not a supported method for Autopilot registration; Autopilot requires the hardware hash (or other identifiers like PKID or TPM hash) to be uploaded via Intune or a CSP, not just serial numbers.

891
Multi-Select · easy

Which TWO of the following are valid enrollment methods for Windows 10 devices in Microsoft Intune?

Select 2 answers
A. Windows Autopilot
B. Azure AD Join
C. Device enrollment manager (DEM)
D. Bulk enrollment with provisioning package
E. Apple Business Manager
Answers: A, B

Autopilot enrolls devices during OOBE.

Why this answer

Azure AD Join and Autopilot are valid enrollment methods. Option A is correct because Azure AD Join is a standard enrollment. Option B is correct because Windows Autopilot is a zero-touch enrollment method.

Option C is incorrect because 'Device enrollment manager' is a role, not a method. Option D is incorrect because 'Bulk enrollment' is not a method but a process using provisioning packages. Option E is incorrect because 'Apple Business Manager' is for iOS/macOS.

892
MCQ · easy

You are troubleshooting an Autopilot deployment where devices are not receiving the expected configuration policies after enrollment. The devices show as enrolled in Intune but are stuck in a 'pending' state for policy application. What is the most likely cause?

A. The device is not registered in Autopilot.
B. The user does not have an assigned Intune license.
C. The device has a slow internet connection.
D. The Autopilot profile is set to 'offline' mode.
Answer: B

Without license, policies are not applied.

Why this answer

When a device is enrolled in Intune but stuck in a 'pending' state for policy application, the most common cause is that the user account lacks an assigned Intune license. Without a license, the user cannot synchronize policies from the Intune service, even though the device itself appears in the console. This is a prerequisite for policy delivery and is often overlooked during troubleshooting.

Exam trap

The trap here is that candidates often assume a device showing as 'enrolled' means all prerequisites are met, overlooking that user license assignment is a separate requirement for policy delivery in user-driven Autopilot scenarios.

How to eliminate wrong answers

Option A is wrong because if the device were not registered in Autopilot, it would not appear as enrolled in Intune at all; the 'pending' state specifically indicates enrollment succeeded but policy application is blocked. Option C is wrong because a slow internet connection would cause timeouts or partial downloads, not a persistent 'pending' state; the device would eventually either apply policies or fail with a connectivity error. Option D is wrong because an 'offline' Autopilot profile is not a valid setting; Autopilot profiles are either 'user-driven' or 'self-deploying' modes, and 'offline' refers to offline enrollment (using a provisioning package), which still applies policies normally once the device connects to Intune.

893
MCQ · medium

A company uses Microsoft Entra ID P1 licenses. They want to enforce multi-factor authentication (MFA) for all users accessing the company's SaaS applications. However, they need to exclude a group of service accounts that use legacy authentication protocols. What is the recommended approach?

A. Enable Security defaults and add the service accounts group to the excluded users list.
B. Assign the 'Require MFA' baseline policy and exclude the service accounts group.
C. Create a Conditional Access policy targeting all cloud apps, requiring MFA, and excluding the service accounts group.
D. Enable per-user MFA and exclude the service accounts group.
Answer: C

Conditional Access allows scoping to all cloud apps and excluding specific groups.

Why this answer

Option C is correct because Conditional Access is the recommended method for granular MFA enforcement in Microsoft Entra ID P1. It allows you to target all cloud apps (including SaaS applications) with a 'Require MFA' grant control and exclude a specific group of service accounts. This approach supports legacy authentication protocols by excluding those accounts, while Security defaults or per-user MFA would either block legacy auth or lack the necessary exclusion granularity.

Exam trap

The trap here is that candidates often confuse Security defaults or per-user MFA as viable alternatives, not realizing that only Conditional Access provides the group-based exclusion and granular control required for service accounts using legacy authentication protocols.

How to eliminate wrong answers

Option A is wrong because Security defaults enforce MFA for all users and block legacy authentication protocols entirely; they do not allow excluding a group of service accounts from the MFA requirement, and the 'excluded users' list in Security defaults is not available. Option B is wrong because the 'Require MFA' baseline policy is deprecated and no longer available in Microsoft Entra ID; it also lacks the flexibility to exclude specific groups. Option D is wrong because per-user MFA is a legacy configuration that does not support group-based exclusions and forces MFA on a per-user basis, which is less manageable and does not integrate with Conditional Access policies for SaaS app targeting.

894
MCQ · medium

You need to configure device compliance for devices that are not running Windows. The devices include iOS, iPadOS, Android, and macOS. Which compliance settings are common across all platforms?

A. Require device password and not allow simple passwords.
B. Require minimum OS version.
C. Device must not be jailbroken/rooted.
D. Require BitLocker encryption.
Answer: B

All platforms support a minimum OS version compliance rule.

Why this answer

Requiring a minimum OS version is a common compliance setting across all major platforms. Option B is correct. Option A is wrong because BitLocker is Windows-only.

Option C is wrong because jailbreak detection is available only on iOS/iPadOS. Option D is wrong because requiring a password is common, but 'simple passwords' is not a standard compliance setting; the setting is 'require password' which is common, but the question asks for common settings, and 'minimum OS version' is universally supported.

895
MCQ · easy

Your organization wants to use Microsoft Intune to manage Windows devices that are joined to an on-premises Active Directory domain. The devices will be hybrid Azure AD joined. Which tool should you use to configure automatic enrollment into Intune?

A. Group Policy
B. Windows Autopilot
C. System Center Updates Publisher (SCUP)
D. Configuration Manager Cloud Management Gateway (CMG)
Answer: A

Group Policy can configure the 'Enable automatic MDM enrollment using default Azure AD credentials' setting.

Why this answer

Option D is correct because Group Policy is used to configure automatic enrollment for hybrid AD-joined devices. Option A is wrong because CMG is for co-management, not enrollment. Option B is wrong because Autopilot is for new devices.

Option C is wrong because SCUP is for updates.

896
Multi-Select · hard

A company uses Intune to manage Android Enterprise devices. The administrator wants to deploy a set of required apps silently to fully managed devices. Which THREE steps are necessary?

Select 3 answers
A. Configure a user enrollment profile
B. Create a managed Google Play account
C. Assign the apps as 'Required' in Intune
D. Enable 'App Auto Update' in managed Google Play
E. Create an app protection policy for the apps
Answers: B, C, D

Required to manage Android Enterprise apps.

Why this answer

The correct answers are A, B, and D. Option C is incorrect because user enrollment is for personally owned devices, not fully managed. Option E is incorrect because app protection policies are not required for silent app installation.

897
MCQ · medium

Your company uses Microsoft Intune to manage mobile devices. You need to ensure that corporate data on Android Enterprise work profiles is protected so that users cannot copy and paste data from work apps to personal apps. Which configuration should you implement?

A. Create an app protection policy that restricts data transfer between work and personal apps.
B. Create a device configuration policy that disables clipboard sharing.
C. Create a device compliance policy that requires a work profile.
D. Create a conditional access policy that blocks personal apps.
Answer: A

MAM policies can prevent copy/paste across profiles.

Why this answer

Option B is correct because app protection policies (MAM) can restrict data transfer between work and personal contexts. Option A is incorrect because compliance policies do not control copy/paste behavior. Option C is incorrect because configuration policies set app settings, not data protection.

Option D is incorrect because device compliance policies are not granular enough.

898
MCQ · easy

An administrator needs to ensure that only devices with a specific manufacturer are allowed to enroll in Intune. Which setting should the administrator configure?

A. Enrollment restrictions
B. Conditional Access policy
C. Device category
D. Device compliance policy
Answer: A

Enrollment restrictions can block devices by platform, manufacturer, etc.

Why this answer

The correct answer is Enrollment restrictions. Option A is incorrect because compliance policies do not block enrollment. Option C is incorrect because conditional access works after enrollment.

Option D is incorrect because device categories are for grouping, not blocking enrollment.

899
MCQ · medium

You are managing a fleet of Windows 10 devices with Microsoft Intune. You need to deploy a critical security update that Microsoft released out-of-band. The update must be installed on all devices within 24 hours. You have configured Windows Update for Business policies in Intune, but the update is not being installed on many devices. You check the update compliance reports and see that most devices are showing the update as 'pending'. What should you do to expedite the installation?

A. Modify the existing Windows Update for Business policy to set the deferral period to 0 days.
B. Create a compliance policy that requires the update to be installed and assign it to all devices.
C. Use Configuration Manager to push the update via on-premises WSUS.
D. Create an update policy for Windows 10 and later using the 'Quality update' deployment ring and set the deadline to immediate.
Answer: D

An update policy with immediate deadline forces the update installation.

Why this answer

Option D is correct because deploying an out-of-band security update with a deadline set to immediate overrides any deferral periods and forces the update to install within the specified deadline. In Intune, Windows Update for Business policies allow you to create a 'Quality update' deployment ring and set the deadline to immediate (0 days), which instructs Windows Update to download and install the update as soon as possible, bypassing normal deferral delays. This directly addresses the 'pending' status by enforcing a mandatory installation timeline.

Exam trap

The trap here is that candidates often confuse compliance policies with update enforcement, thinking that marking a device non-compliant will force an update, when in reality compliance policies only report status and require a separate update policy with a deadline to trigger installation.

How to eliminate wrong answers

Option A is wrong because modifying the existing Windows Update for Business policy to set the deferral period to 0 days only removes the delay for future updates but does not force an immediate installation of an already-pending update; the update may still wait for other conditions like active hours or scan intervals. Option B is wrong because compliance policies in Intune are used to assess device configuration and trigger remediation actions (e.g., marking a device non-compliant), but they do not directly install updates; they rely on separate update policies to enforce installation. Option C is wrong because using Configuration Manager with WSUS is a valid on-premises solution, but the question specifies a fleet managed with Microsoft Intune, and the goal is to expedite installation using Intune policies, not to introduce a hybrid management overhead that may not be available or configured.

900
MCQ · hard

A company uses Microsoft Defender for Endpoint. They want to automatically remediate threats on endpoints using automated investigation and response. They also need to ensure that the remediation actions are approved by the security team before execution. Which configuration should they use?

A. Disable automated investigation and use manual response only.
B. Enable automated investigation and allow all actions automatically.
C. Enable automated investigation and set remediation level to 'Full - remediate threats automatically'.
D. Enable automated investigation and set 'Approval mode' for remediation actions.
Answer: D

Approval mode requires security team approval before executing remediation.

Why this answer

Option D is correct because Microsoft Defender for Endpoint can be configured to require approval for remediation actions. Option A is wrong because automated investigation runs automatically. Option B is wrong because allowing all actions without approval is not desired.

Option C is wrong because disabling automated investigation is not required.
