Microsoft 365 Endpoint Administrator MD-102 (MD-102) — Questions 901–975

991 questions total · 14 pages · All types, answers revealed

Page 13 of 14
901 · MCQ · hard

A user reports that a Microsoft 365 Apps for enterprise installation failed on their Windows 11 device managed by Intune. The Intune management extension logs show error code 0x80070005. The device is Azure AD joined and compliant. What is the most likely cause?

A. The user does not have local administrator privileges on the device
B. The device has insufficient disk space
C. The device does not have internet connectivity to the Microsoft CDN
D. The device is not compliant with the conditional access policy

Answer: A

0x80070005 is access denied; installation requires admin rights.

Why this answer

Option C is correct because error 0x80070005 indicates 'Access Denied', often due to missing local admin rights. Option A is wrong because this error is not related to network connectivity. Option B is wrong because error 0x80070005 is not a disk space error.

Option D is wrong because the device is compliant, so compliance policy is not the issue.

902 · MCQ · hard

A company uses Microsoft Intune for mobile device management. They have a group of Android Enterprise devices that need to be enrolled in a way that allows the device to have a work profile while keeping personal apps separate. Which enrollment method should be used?

A. Android Enterprise corporate-owned fully managed devices
B. Android Enterprise personally-owned devices with a work profile
C. Android Enterprise corporate-owned dedicated devices
D. Android Enterprise corporate-owned work profile

Answer: B

This allows a work profile on a personally-owned device, keeping personal apps separate.

Why this answer

Option D is correct because Android Enterprise personally-owned devices with a work profile provide separation. Option A is wrong because corporate-owned dedicated devices are for single-purpose devices. Option B is wrong because corporate-owned fully managed devices give full control.

Option C is wrong because corporate-owned work profile is for corporate-owned devices with work profile.

903 · MCQ · hard

Refer to the exhibit. You apply this device configuration profile to a Windows 10 device. A user downloads a file that is classified as potentially unwanted application (PUA). What action will Defender take?

A. Audit the detection and allow the download.
B. Send the file to the cloud for analysis.
C. Automatically clean the file.
D. Block the file from being downloaded.

Answer: D

PUA protection enabled blocks the file.

Why this answer

The policy has defenderPUAProtection set to 'enabled', which means PUA detection is turned on. When PUA is detected, the default action is to block the file, as PUA protection typically blocks. The malware actions defined in the policy apply to actual malware, not PUA.

Option A is incorrect because 'audit' is not configured. Option B is incorrect because the policy does not specify a custom action for PUA. Option D is incorrect because cloud-delivered protection is not related to PUA action.

904 · MCQ · easy

Your organization uses Microsoft Intune to manage Windows 10 devices. You need to ensure that all devices have Windows Defender Antivirus enabled and up to date. You create a security baseline that includes antivirus settings and assign it to all devices. After a week, you find that some devices still have outdated antivirus definitions. What should you check first?

A. Verify that the security baseline is assigned to the devices.
B. Check the device compliance status.
C. Ensure that Windows Update for Business is configured to update definitions.
D. Review the device's network firewall settings.

Answer: C

Definitions are updated via Windows Update.

Why this answer

The security baseline assigns configuration settings, but it does not automatically trigger definition updates. Windows Defender Antivirus definitions are updated via Windows Update, so Windows Update for Business must be configured to deliver those updates. Without this, devices may have the correct baseline policies but still run outdated definitions.

Exam trap

The trap here is that candidates assume a security baseline automatically handles all aspects of antivirus management, including definition updates, when in reality the baseline only configures settings and relies on a separate update channel (Windows Update) to deliver the definitions.

How to eliminate wrong answers

Option A is wrong because the security baseline is already assigned to all devices; the issue is not assignment but the mechanism for updating definitions. Option B is wrong because compliance status reflects whether devices meet the baseline policies, not whether definitions are current; a device can be compliant with outdated definitions if the baseline doesn't enforce update frequency. Option D is wrong because network firewall settings control traffic flow, not the update process for antivirus definitions; firewalls do not block or allow Windows Update definition downloads unless specifically configured to do so.

905 · Multi-Select · medium

Which THREE of the following are features of Microsoft Defender for Endpoint that help protect devices?

Select 3 answers
A. Attack surface reduction rules
B. Endpoint detection and response
C. Next-generation protection
D. Data loss prevention
E. Conditional access policies

Answers: A, B, C

These rules reduce the attack surface.

Why this answer

Attack surface reduction, next-generation protection, and endpoint detection and response are core features. Option A is correct because attack surface reduction rules reduce vulnerabilities. Option B is correct because next-generation protection includes antivirus.

Option C is correct because EDR detects and responds to threats. Option D is incorrect because 'Conditional access' is a Microsoft Entra ID feature. Option E is incorrect because 'Data loss prevention' is a Microsoft Purview feature.

906 · MCQ · easy

You need to deploy a custom Windows 10 image to 100 new devices using Microsoft Intune. The devices are not yet enrolled. Which method should you use to deploy the image and enroll the devices?

A. Use PXE boot to deploy the image and then enroll via a provisioning package.
B. Create a bootable USB with the image and manually enroll each device.
C. Use Microsoft Configuration Manager to deploy the image and enroll via co-management.
D. Use Windows Autopilot to deploy a custom image and automatically enroll the devices.

Answer: D

Autopilot supports custom images (with Windows 11 21H2+) and auto-enrollment.

Why this answer

Option B is correct because Windows Autopilot can deploy a custom image and automatically enroll devices. Option A is wrong because PXE boot is not supported by Intune directly. Option C is wrong because USB deployment is manual.

Option D is wrong because Configuration Manager is a separate tool.

907 · Multi-Select · hard

You deploy a Windows Update for Business policy in Intune. You need to ensure that devices install quality updates within 2 days of release and feature updates within 30 days. Which THREE settings should you configure?

Select 3 answers
A. Quality update deferral period (days): 2
B. Feature update uninstall period (2-60 days): 30
C. Quality update pause start date
D. Feature update deferral period (days): 30
E. Quality update deadline (days): 2

Answers: A, D, E

Defers quality updates by 2 days, meaning they are offered 2 days after release.

Why this answer

Options B, D, and E are correct. Quality update deferral period (B) and feature update deferral period (D) set the number of days to wait before offering updates. Quality update deadline (E) forces installation within a set number of days after the update is offered.

Option A is wrong because 'Quality update pause' halts updates. Option C is wrong because 'Feature update uninstall period' controls how long users can roll back, not installation.

908 · MCQ · easy

You need to wipe a lost corporate-owned Windows 10 device that is enrolled in Intune. Which action should you take?

A. Delete the device from Intune.
B. Select the device and choose Wipe.
C. Select the device and choose Retire.
D. Reset the device using the Company Portal.

Answer: B

Correct. Wipe resets the device to factory settings.

Why this answer

The Wipe action in Intune restores a Windows 10 device to its factory default settings, removing all data and corporate access. This is the appropriate action for a lost corporate-owned device because it ensures sensitive data is erased while retaining the device's enrollment record for potential recovery or re-provisioning.

Exam trap

The trap here is confusing the Retire action (which only removes management and corporate data) with the Wipe action (which performs a full factory reset), leading candidates to choose Retire when a complete data erasure is required.

How to eliminate wrong answers

Option A is wrong because deleting the device from Intune only removes the device object from the console; it does not send a wipe command to the device, so data remains intact. Option C is wrong because Retire removes managed apps and policies but preserves personal data and does not perform a full factory reset, leaving corporate data potentially accessible. Option D is wrong because the Company Portal reset is a user-initiated action that requires the device to be physically accessible and logged in, which is not possible for a lost device.

909 · MCQ · medium

Your organization uses Windows Autopilot for user-driven deployments. You need to ensure that during the out-of-box experience (OOBE), users are prompted to set up Windows Hello for Business. Which setting should you configure in the Autopilot profile?

A. Skip privacy settings
B. Windows Hello for Business
C. Device name template
D. Language (Region)

Answer: B

This setting enables Hello enrollment during OOBE.

Why this answer

Option C is correct because the 'Windows Hello for Business' setting in the Autopilot profile controls this behavior. Option A is wrong because the 'Language' setting is for locale. Option B is wrong because 'Skip privacy settings' bypasses privacy, not Hello.

Option D is wrong because 'Device name template' is for naming.

910 · MCQ · medium

An organization manages Windows 10 devices with Microsoft Intune. They need to deploy a PowerShell script that runs once on each device to remediate a security issue. The script should not run again after successful execution. Which configuration should be used?

A. Assign the script to all devices and set 'Run this script using the logged on credentials' to Yes
B. Use a proactive remediation with a detection script and set 'Run script on every logon' to No, and configure the remediation script to exit with code 0 on success
C. Use a proactive remediation with a detection script and set 'Run script on every logon' to Yes
D. Use a custom compliance policy with a script that runs daily

Answer: B

The detection script checks if remediation is needed; if not, the remediation script doesn't run. Setting 'Run script on every logon' to No ensures it runs only once.

Why this answer

Option C is correct because setting the script to run once and not run again on successful remediation achieves the goal. Option A is wrong because it would run every time. Option B is wrong because running once on every logon is not desired.

Option D is wrong because detection scripts are separate from remediation scripts.

911 · MCQ · medium

Your organization uses Intune to manage Windows 10 devices. You have deployed a Win32 app named 'FinanceApp' with a detection rule that checks for the existence of a registry key. After deployment, you find that the app is not being detected on some devices, causing Intune to attempt reinstallation. You suspect the detection rule is incorrect. You need to update the detection rule for the app without redeploying the entire app. You edit the app properties in Intune and modify the detection rule. However, after saving, the existing assignments still use the old detection rule. What should you do to apply the updated detection rule to existing devices?

A. Increment the app version in the app properties
B. Remove and re-add the assignment
C. Delete the app and recreate it with the new detection rule
D. Uninstall the app from all devices and redeploy

Answer: A

Forces Intune to re-evaluate detection.

Why this answer

Option B is correct. After modifying the detection rule, you must increase the app version number to force Intune to reevaluate the detection on existing devices. Option A is wrong because deleting and recreating the app is unnecessary.

Option C is wrong because the app is already assigned. Option D is wrong because there is no need to uninstall and reinstall.

912 · Multi-Select · medium

Which TWO of the following are valid app types in Microsoft Intune for deploying applications to Windows 10/11 devices?

Select 2 answers
A. Windows app (Win32)
B. Web link
C. Microsoft Store app (new)
D. macOS app
E. Android store app

Answers: A, C

Win32 app type is for deploying traditional Windows applications.

Why this answer

Options B and D are correct. Windows app (Win32) and Microsoft Store app (new) are valid app types. Option A is wrong because macOS is for Apple devices.

Option C is wrong because Web link is a web app, not a Windows app type. Option E is wrong because Android store app is for Android.

913 · MCQ · easy

You are configuring a Windows 10 kiosk device using Intune. The device should run a single-store app in full-screen mode. Which Intune policy type should you use?

A. A device configuration profile using the 'Kiosk' settings for single-app mode
B. A device restrictions profile blocking access to other apps
C. A compliance policy requiring the app to be installed
D. A configuration profile for Microsoft Edge in kiosk mode

Answer: A

Designed for single-app kiosk scenarios.

Why this answer

Option A is correct because a kiosk configuration profile with single-app mode is used for full-screen single-store app kiosks. Option B is wrong because device restrictions do not configure kiosk mode. Option C is wrong because a compliance policy does not enforce app behavior.

Option D is wrong because a configuration profile for Microsoft Edge is for browser settings.

914 · Matching · medium

Match each Microsoft 365 Defender feature to its description.


Concepts
Matches

Endpoint detection and response (EDR) and antivirus

Protection for email and collaboration tools

Detect and investigate advanced attacks on-premises

Cloud access security broker (CASB) for SaaS apps

Identify and remediate vulnerabilities

Why these pairings

These are core Microsoft 365 Defender components covered in MD-102.

915 · MCQ · medium

A company uses Microsoft Intune to manage Windows 10 devices. The security team reports that several devices are missing critical security updates. You need to ensure that devices install updates within 7 days of release. What should you configure?

A. Create a compliance policy for Windows 10 update compliance.
B. Create an update ring for Windows 10 with a deadline of 7 days.
C. Create a device configuration profile for Windows 10 updates.
D. Configure a Windows Update for Business policy in Group Policy.

Answer: B

Update rings enforce update installation deadlines.

Why this answer

Option B is correct because update rings in Microsoft Intune allow you to configure Windows Update for Business settings, including a deadline for feature and quality updates. Setting a deadline of 7 days ensures that devices must install released updates within that timeframe, directly addressing the requirement for timely installation of critical security updates.

Exam trap

The trap here is that candidates often confuse compliance policies (which only report on update status) with update rings (which enforce installation deadlines), leading them to choose Option A instead of B.

How to eliminate wrong answers

Option A is wrong because compliance policies evaluate device configuration and health (e.g., required updates installed) but do not enforce an installation deadline; they only report non-compliance. Option C is wrong because device configuration profiles manage settings like security policies or certificates, not update deadlines or rings. Option D is wrong because Group Policy is a traditional on-premises management tool that does not integrate with Intune for cloud-managed devices; the question specifies Microsoft Intune management, so a cloud-native solution (update ring) is required.

916 · MCQ · medium

A user has an Android Enterprise fully managed device. The device is enrolled in Microsoft Intune and all policies are applied. However, the user cannot install a required app from the managed Play Store. The app appears in the company portal but fails to install. What should you check first?

A. Ensure that the device has a policy to allow installation of unapproved apps.
B. Check if the device's enrollment token is still valid.
C. Check if the app is available in the unmanaged Play Store.
D. Verify that the app has been approved in the managed Google Play store.

Answer: D

Apps must be approved before deployment.

Why this answer

Option B is correct because managed Play Store apps require approval. Option A is incorrect unless the app is not available in the managed store. Option C is incorrect because the enrollment token is for enrollment, not app installation.

Option D is incorrect because unapproved apps are not blocked by default.

917 · Multi-Select · medium

You need to ensure that corporate data on lost or stolen iOS devices is protected. Which TWO actions should you configure in Intune?

Select 2 answers
A. Enable device inventory reporting.
B. Configure a device passcode policy.
C. Perform a selective wipe to remove corporate data only.
D. Retire the device from Intune.
E. Enable remote wipe on the device.

Answers: B, E

A passcode prevents unauthorized access.

Why this answer

Option A and Option D are correct because remote wipe and passcode reset are standard data protection measures for lost devices. Option B is incorrect because selective wipe only removes corporate data, not the device. Option C is incorrect because device retire removes management but does not protect data immediately.

Option E is incorrect because device inventory is not a protective action.

918 · MCQ · medium

Your organization uses Microsoft Intune to manage devices. You need to deploy a custom Windows 10 line-of-business app that is not signed. Which action must you take on the target devices to allow installation?

A. Enable sideloading on the devices.
B. Enable Developer Mode on the devices.
C. Add the app publisher to the trusted publisher store.
D. Turn off Windows Defender SmartScreen.

Answer: A

Sideloading must be enabled to install unsigned LOB apps.

Why this answer

Option A is correct because enabling sideloading allows installation of unsigned apps. Option B is wrong because turning off Windows Defender SmartScreen may help but is not sufficient. Option C is wrong because enabling Developer Mode is not required for sideloading in Intune.

Option D is wrong because the app is not signed, so trusting the publisher is not applicable.

919 · Multi-Select · hard

You are configuring app protection policies (MAM) in Microsoft Intune for iOS devices. Which THREE settings can you configure to prevent data leakage?

Select 3 answers
A. Require device PIN.
B. Restrict web content transfer to managed browsers.
C. Restrict cut, copy, and paste between apps.
D. Prevent 'Save as' to local storage.
E. Block screenshots of corporate data.

Answers: B, C, D

Ensures web links open in managed browsers.

Why this answer

App protection policies can restrict cut/copy/paste, prevent 'Save as', and restrict web content transfer to managed browsers. Option D, blocking screenshots, is not available as a setting (though it can be done via device compliance). Option E, requiring device PIN, is a device-level setting, not app-level.

920 · MCQ · medium

You are reviewing the Intune Win32 app configuration for Microsoft Edge. The app is deployed to Windows 10 devices. Users report that Edge is not being installed on some devices. What is the most likely issue with the detection rule?

A. The uninstall command is incorrect.
B. The detection rule requires an exact version match, which may not match if a different version is installed.
C. The install command is missing the --silent flag.
D. The detection rule is checking the 32-bit registry on a 64-bit system.

Answer: B

Exact version detection can cause false negatives if versions differ.

Why this answer

The detection rule checks for the exact version. If a different version is installed, the rule will not match and Intune will not detect the app as installed, causing it to attempt reinstall or fail. Option B is correct.

Option A is wrong because the 32-bit registry is not an issue if check32BitOn64System is false. Option C is wrong because the detection rule does not affect installation. Option D is wrong because the registry path is correct.

921 · MCQ · hard

Your organization uses Intune to manage macOS devices. You need to deploy a .pkg app. What must be done before uploading the app to Intune?

A. Nothing, upload the .pkg directly
B. Convert the package to .intunemac format
C. Use the Intune App Wrapping Tool for macOS
D. Sign the package with an Apple Developer certificate

Answer: C

The tool wraps .pkg apps for Intune.

Why this answer

Option C is correct because .pkg apps must be wrapped using the Intune App Wrapping Tool for macOS. Option A is wrong because signing is not required in the same way. Option B is wrong because no certificate conversion is needed.

Option D is wrong because the tool is required.

922 · MCQ · easy

Your company has 500 Windows 10 devices that are Hybrid Azure AD joined and managed by Microsoft Intune. You need to deploy a new line-of-business (LOB) app to all devices. The app is packaged as a .msi file. You create a new app in Intune and assign it to a device group containing all devices. After 24 hours, some devices report the app as 'Installed' but others show 'Failed'. You verify that the devices are online and have network connectivity. What should you do next to resolve the installation failures?

A. Use a PowerShell script to install the app on failed devices.
B. Check the Intune management extension logs on a failed device.
C. Create a new device group and assign the app again.
D. Re-assign the app to the device group.

Answer: B

Logs will show the specific error code or dependency issue.

Why this answer

Option B is correct because the most common cause of .msi installation failures is missing prerequisites or dependencies. Checking the Intune management extension logs on the device will reveal the specific error. Option A is wrong because the app is already assigned; re-assigning won't fix underlying issues.

Option C is wrong because the app is already targeted to all devices. Option D is wrong because scripts are not needed; the issue is likely with the app itself.

923 · MCQ · medium

You use Microsoft Intune to manage Android Enterprise fully managed devices. You need to ensure that only work apps can access corporate data. Personal apps should not be able to read work data. What should you configure?

A. Configure Conditional Access to block personal apps.
B. Enable Android Enterprise work profile on the devices.
C. Deploy Windows Information Protection (WIP) policy.
D. Configure an Intune App Protection Policy (APP) targeting the work apps.

Answer: D

APP prevents data transfer to unmanaged apps.

Why this answer

Work profile on fully managed devices is not supported; Android Enterprise fully managed uses containerization via app protection policies. Option B is for personally-owned work profile. Option C is for Windows.

Option D is for conditional access.

924 · Multi-Select · hard

Which TWO Windows Update for Business policies can you configure using Microsoft Intune?

Select 2 answers
A. Feature update version targeting
B. Quality update deferral period
C. Driver update deferral period
D. Windows Defender definition update schedule
E. Microsoft 365 Apps update channel

Answers: A, B

Intune has a feature update policy for Windows 10/11.

Why this answer

Intune supports configuring update ring policies for deferral periods and feature update policies for targeting specific versions. Quality update deferral is part of update rings, but the question asks for policies; feature update policy is a separate policy type.

925 · MCQ · hard

A company uses Microsoft Intune to manage iOS devices. They need to ensure that corporate data on these devices is protected if a device is lost or stolen. The solution must allow users to continue using personal apps and data after a selective wipe. What should they configure?

A. Initiate a selective wipe from the Intune console.
B. Configure a full wipe action in a compliance policy.
C. Use Remote Lock from the Intune console.
D. Create a device compliance policy that marks the device as noncompliant.

Answer: A

Selective wipe removes only managed corporate data and apps, preserving personal data.

Why this answer

Option A is correct because a selective wipe from the Intune console removes only corporate data (e.g., managed apps, email profiles, VPN configurations) while preserving personal apps and data on the iOS device. This meets the requirement of protecting corporate data on a lost or stolen device without affecting the user's personal content. Intune uses the iOS Management Profile and the built-in selective wipe capability that targets only the MDM-managed corporate partition.

Exam trap

The trap here is that candidates confuse a selective wipe with a full wipe or assume that noncompliance actions automatically perform a data wipe, but Microsoft explicitly separates these actions, and only a selective wipe preserves personal data while removing corporate data.

How to eliminate wrong answers

Option B is wrong because a full wipe (also called a factory reset) erases all data on the device, including personal apps and data, which violates the requirement to allow users to continue using personal content. Option C is wrong because Remote Lock only locks the device screen and does not remove any corporate data, so it does not protect corporate data if the device is lost or stolen. Option D is wrong because marking a device as noncompliant in a compliance policy does not automatically remove corporate data; it can trigger conditional access blocks but not a wipe action, so it fails to protect data on a lost device.

926 · MCQ · medium

You need to deploy a web app to Android Enterprise work profile devices. The app is available in the Managed Google Play store. How should you make it available in Intune?

A. Upload the APK file to Intune
B. Direct users to Google Play to install
C. Add the app from Managed Google Play in Intune
D. Sync device groups with Google Play

Answer: C

Apps are added via Managed Google Play integration.

Why this answer

Option A is correct because you must add the app from Managed Google Play and then assign it. Option B is wrong because you cannot upload APKs directly for work profile. Option C is wrong because the app must be added to Intune first.

Option D is wrong because there is no direct sync.

927 · Matching · medium

Match each Windows Update for Business deployment service to its capability.


Concepts
Matches

Define deferral, pause, and deadline policies

Deploy major Windows version upgrades

Deploy monthly security and cumulative updates

Approve and deploy driver and firmware updates

Force immediate installation of critical updates

Why these pairings

These are key components of Windows Update for Business in Intune.

928 · MCQ · medium

Refer to the exhibit. The Intune device compliance policy shown is assigned to a group of Windows 10 devices. A user reports that their device is marked as noncompliant. The device has a password set, BitLocker enabled, Secure Boot on, and code integrity (HVCI) enabled. What is the most likely reason?

A. Secure Boot is not properly configured in UEFI
B. The device uses a biometric sign-in method instead of a password
C. Code integrity (HVCI) is not enabled
D. Device encryption is using a software-based method

Answer: B

"deviceDefault" may require a password; biometrics alone may not satisfy.

Why this answer

Option A is correct: the policy requires passwordRequiredType set to "deviceDefault", which typically means a PIN or alphanumeric password. If the user uses a biometric or picture password, it may not satisfy "deviceDefault". Option B (Secure Boot) is enabled.

Option C (Device encryption) is enabled. Option D (Code integrity) is enabled.

929 · MCQ · medium

You have the above profile assigned to a macOS device. After the profile is applied, the device shows FileVault as 'Encrypted'. However, the recovery key is not escrowed to Intune. What is the most likely reason?

A. FileVault encryption is not enabled on the device.
B. The recovery key type should be 'Institutional recovery key'.
C. The 'Show recovery key' setting is not configured, so the user is not prompted to escrow.
D. Personal recovery key rotation is enabled, causing a conflict.

Answer: C

User must be prompted to escrow.

Why this answer

Option D is correct because 'Show recovery key: Not configured' means the user is not prompted to escrow the key. Option A is incorrect because encryption is enabled. Option B is incorrect because rotation is enabled.

Option C is incorrect because the key type is personal.

930 · MCQ · easy

You are a Microsoft 365 Endpoint Administrator for a medium-sized company that uses Microsoft Intune to manage its Windows 10 devices. The company recently experienced a ransomware attack that encrypted local files on several devices. To mitigate future attacks, management wants to ensure that all devices have real-time protection enabled in Microsoft Defender Antivirus and that Controlled Folder Access is turned on. You need to configure these settings via Intune. You decide to create a device configuration profile for Windows 10. What is the most efficient way to deploy these settings to all existing and future devices?

A. Create a device configuration profile and assign it to a device group that includes all devices.
B. Use PowerShell scripts deployed via Intune to enable the settings on each device.
C. Create a device configuration profile and assign it to a user group that includes all users.
D. Create a compliance policy that requires these settings and assign it to all devices.

Answer: A

Assigning to a device group ensures all devices receive the settings regardless of user.

Why this answer

Option A is correct because a device configuration profile in Intune can include Microsoft Defender Antivirus settings (such as real-time protection and Controlled Folder Access) and is assigned to a device group. This ensures that both existing and future devices that join the group automatically receive the settings, providing a scalable and efficient deployment method without requiring user interaction or additional scripts.

Exam trap

The trap here is that candidates often confuse compliance policies with configuration profiles, thinking that compliance policies can enforce settings, when in reality they only evaluate and report on settings, requiring a separate configuration profile to actually apply the desired state.

How to eliminate wrong answers

Option B is wrong because PowerShell scripts deployed via Intune are executed on a per-device or per-user basis and require manual assignment or targeting; they do not provide the same declarative, policy-driven enforcement as a device configuration profile, and they cannot be as easily applied to future devices without ongoing script management. Option C is wrong because assigning the profile to a user group applies settings based on user identity, not device identity; if a user logs into a different device, the settings may not apply, and devices without a signed-in user (e.g., kiosks) would be missed. Option D is wrong because a compliance policy is designed to report or mark devices as non-compliant, not to enforce settings; it cannot enable real-time protection or Controlled Folder Access—it only checks if those settings are present and can trigger remediation actions only if configured with a corresponding device configuration profile.

931
Multi-Select · medium

Your organization uses Microsoft Intune to manage devices. You need to ensure that only compliant devices can access corporate applications. Which TWO configurations should you implement?

Select 2 answers
A. Deploy an App Protection Policy
B. Create a device compliance policy
C. Configure a device configuration profile
D. Enable multifactor authentication (MFA) for all users
E. Create a Conditional Access policy requiring compliant devices
Answers: B, E

Defines compliance requirements.

Why this answer

Options A and B are correct because they enforce conditional access based on compliance. Option C is wrong because app protection policies are for unmanaged devices. Option D is wrong because device compliance policy alone does not block access.

Option E is wrong because MFA is not specifically for app access control.

932
MCQ · hard

Your organization uses Microsoft Intune to manage Windows 11 devices. You need to deploy a custom Windows security baseline that includes specific BitLocker settings. What is the best approach to create and assign this configuration?

A. Use a compliance policy with custom settings to enforce BitLocker.
B. Create a new security baseline from scratch and include the BitLocker settings.
C. Copy the built-in Windows security baseline and customize the BitLocker settings in the copy.
D. Edit the built-in Windows security baseline and add the BitLocker settings.
Answer: C

Intune allows you to duplicate a baseline and modify settings.

Why this answer

Option B is correct because custom security baselines in Intune are created by copying the built-in baseline and modifying settings. Option A is wrong because you cannot edit the built-in baseline directly. Option C is wrong because custom baselines are created from existing baselines, not from scratch.

Option D is wrong because security baselines are not configured via compliance policies.

933
Multi-Select · medium

Which TWO app types can be deployed to iOS/iPadOS devices using Microsoft Intune?

Select 2 answers
A. Web link
B. iOS LOB app
C. Win32 app
D. iOS store app
E. Android store app
Answers: B, D

Custom line-of-business apps.

Why this answer

Intune supports iOS store apps and LOB apps for iOS. Options A and B are correct.

934
MCQ · medium

Your organization uses Microsoft Intune to manage iOS and Android devices. You have a compliance policy that requires a minimum OS version: iOS 16.0 and Android 12.0. You also have a Conditional Access policy that requires compliant devices. Several users report that they cannot access corporate email on their personal Android devices. The devices are Android 11.0. You need to allow these users to access email while ensuring that corporate data is protected. What should you do?

A. Remove the Conditional Access policy for these users.
B. Update the compliance policy to accept Android 11.0.
C. Create a Conditional Access policy that grants access but requires app protection policies and session controls.
D. Ask users to upgrade their devices to Android 12.0.
Answer: C

Allows access with data protection via app policies.

Why this answer

Option C is correct because you can grant access with a session control to limit access to web only, ensuring data protection while allowing access. Option A is wrong because changing the compliance policy would lower security. Option B is wrong because Conditional Access policies are still effective for managed devices.

Option D is wrong because excluding the users would remove all protection.

935
Multi-Select · hard

Which THREE conditions must be met for a Windows device to be able to enroll in Microsoft Intune using Microsoft Entra ID join? (Choose three.)

Select 3 answers
A. The device must be running Windows 10 or later
B. The device must have internet connectivity to Microsoft Entra ID
C. The user must have an Intune license assigned
D. The device must have a TPM 2.0 chip
E. The device must be joined to an on-premises Active Directory domain
Answers: A, B, C

Windows 10/11 are supported for Microsoft Entra ID join.

Why this answer

Option A is correct because Microsoft Entra ID join requires a minimum of Windows 10 (any edition) to support the modern authentication and device registration protocols. Devices running earlier versions like Windows 8.1 or Windows 7 lack the necessary components (e.g., the Device Registration Service client) to complete the join process. This requirement ensures the device can communicate using OAuth 2.0 and the Microsoft Entra ID device registration endpoint.

Exam trap

The trap here is that candidates often confuse the TPM 2.0 requirement for Windows Hello for Business or BitLocker with the Microsoft Entra ID join prerequisites, or mistakenly think an on-premises domain join is a stepping stone to Entra ID join, when in fact it requires a separate hybrid join path.

936
Multi-Select · easy

Which TWO actions are supported by Microsoft Intune for managing macOS devices?

Select 2 answers
A. Configure Windows Hello for Business.
B. Apply device compliance policies.
C. Enable BitLocker encryption.
D. Deploy software update policies.
E. Deploy .app applications.
Answers: B, D

Intune supports compliance policies for macOS.

Why this answer

Option B is correct because Microsoft Intune supports device compliance policies for macOS devices, allowing administrators to define rules (e.g., OS version, encryption status, firewall settings) that devices must meet to be considered compliant. These policies are evaluated by the Intune Company Portal app on macOS and can trigger conditional access controls to block non-compliant devices from accessing corporate resources.

Exam trap

The trap here is that candidates often assume .app applications are deployable via Intune because they are common on macOS, but Intune requires .pkg or .dmg formats for managed deployment, and .app bundles are only used for manual installation or through Apple's Volume Purchase Program (VPP).

937
MCQ · medium

A user reports that their iOS device is unable to access corporate email after updating to a new iOS version. Other iOS devices are working fine. The device is enrolled in Intune and shows as compliant. What should you check?

A. Check the conditional access policy in Microsoft Entra ID to ensure the device platform is still supported.
B. Ensure the email profile is configured correctly.
C. Confirm that the device is still enrolled in Intune.
D. Verify that the device compliance policy includes the new iOS version.
Answer: A

A new iOS version might not be supported by the conditional access policy.

Why this answer

Option A is correct because when a device is compliant but still fails to access corporate email after an iOS update, the most likely cause is that the conditional access policy in Microsoft Entra ID (formerly Azure AD) has been updated to block the new iOS version. Conditional access policies can specify allowed device platforms and OS versions; if the new iOS version is not explicitly permitted, access will be denied even though the device is compliant. This is a common scenario after major OS updates, as administrators must update the policy to include the new version.

Exam trap

The trap here is that candidates assume a compliant device always has access, but conditional access policies can block access based on OS version even when the device is compliant, so the focus should be on the conditional access policy rather than the compliance policy or email profile.

How to eliminate wrong answers

Option B is wrong because the email profile configuration is managed by Intune and would not change automatically due to an iOS update; if other devices are working, the profile is likely correct. Option C is wrong because the device is already reported as compliant in Intune, which implies it is still enrolled; enrollment status is not affected by an OS update. Option D is wrong because the device compliance policy includes the new iOS version by default (or can be updated), and the device is showing as compliant, so the issue is not with the compliance policy itself but with the conditional access policy that enforces access based on compliance.

938
MCQ · hard

Refer to the exhibit. You deploy this compliance policy to Windows 10 devices. Some devices running Windows 10 22H2 (build 19045.3803) are marked as noncompliant. What is the most likely reason?

A. The device has a password length of 6 characters, not meeting the minimum of 8.
B. The policy requires a firewall, but Windows Defender Firewall is disabled on the device.
C. The device is not enrolled in Microsoft Intune.
D. The device is running a build outside the allowed OS version range specified in the policy.
Answer: A

The policy requires a minimum password length of 8, so a device with a shorter password would be noncompliant.

Why this answer

Option A is correct because the compliance policy specifies a minimum password length of 8 characters, and devices with a password length of 6 characters fail this requirement. In Microsoft Intune, compliance policies evaluate device settings against defined rules, and a password length below the minimum is a common reason for noncompliance. The devices are running Windows 10 22H2 (build 19045.3803), which is within the allowed OS version range, so the issue is specifically the password policy.

Exam trap

The trap here is that candidates may assume the noncompliance is due to a missing firewall or OS version mismatch, but the exhibit clearly shows only password policy settings, so the focus should be on the password length requirement.

How to eliminate wrong answers

Option B is wrong because the policy does not include a firewall requirement; the exhibit shows only password-related settings, so a disabled firewall would not cause noncompliance. Option C is wrong because the devices are already managed by Intune (they are marked as noncompliant, which requires enrollment), so the issue is not lack of enrollment. Option D is wrong because the devices are running build 19045.3803, which is within the allowed OS version range specified in the policy (Windows 10 22H2), so the build is not outside the allowed range.

939
MCQ · medium

A company manages Windows 10 and Windows 11 devices using Microsoft Intune. They need to ensure that devices that have not checked in with Intune for more than 30 days are automatically marked as inactive and excluded from compliance policies. Which configuration should be used?

A. Configure a compliance policy with a grace period of 30 days
B. Create a conditional access policy blocking devices inactive for 30 days
C. Set the device compliance status to 'not compliant' after 30 days of inactivity
D. Configure the Intune device cleanup rule to delete devices inactive for 30 days
Answer: D

The device cleanup rule automatically removes devices that haven't checked in for the configured number of days.

Why this answer

Option B is correct because the Intune device cleanup rule allows administrators to automatically remove devices that haven't checked in for a specified number of days. Option A is wrong because compliance policies do not handle device cleanup. Option C is wrong because conditional access policies control access, not device lifecycle.

Option D is wrong because device compliance settings do not automate cleanup.

940
MCQ · hard

You manage devices with Microsoft Intune. You need to deploy a line-of-business (LOB) app to iOS devices. The app is signed with an enterprise certificate. Some devices report installation failure with error code 0x87D13B9F. What is the most likely cause?

A. The app package is not signed.
B. The app is not available in the Apple App Store.
C. The enterprise signing certificate is not trusted on the device.
D. The device does not have enough storage space.
Answer: C

Error 0x87D13B9F indicates that the app's signing certificate is not trusted, often because the certificate profile is missing.

Why this answer

Error code 0x87D13B9F in Microsoft Intune typically indicates a signing certificate trust issue. Since the app is signed with an enterprise certificate, the device must have that certificate installed and trusted in its trusted root store. If the certificate is not trusted, iOS will reject the installation, producing this specific error.

Exam trap

The trap here is that candidates may confuse a signing error (missing certificate trust) with a packaging error (unsigned app), but the error code 0x87D13B9F specifically points to trust, not signature absence.

How to eliminate wrong answers

Option A is wrong because the question explicitly states the app is signed with an enterprise certificate, so the package is signed. Option B is wrong because line-of-business (LOB) apps are deployed directly via Intune and do not require availability in the Apple App Store. Option D is wrong because insufficient storage space would generate a different error (e.g., 0x87D13B9E or a storage-specific code), not 0x87D13B9F.

941
MCQ · hard

Refer to the exhibit. You deploy this endpoint protection configuration to a Windows 10 device. A user reports that they cannot connect to the device via RDP. What is the most likely cause?

A. The firewall rule 'Allow RDP' is configured to block traffic.
B. The firewall rule is for outbound traffic, not inbound.
C. The malware actions are blocking RDP traffic.
D. The firewall rule 'Allow RDP' is configured to allow traffic.
Answer: A

The action is 'block', preventing RDP connections.

Why this answer

Option A is correct because the firewall rule 'Allow RDP' is set to 'block' action, which blocks inbound RDP traffic on port 3389. Option B is wrong because the action is block, not allow. Option C is wrong because the rule is for inbound, not outbound.

Option D is wrong because the malware actions do not affect RDP.

942
MCQ · easy

Refer to the exhibit. You are configuring a bulk enrollment token for Windows 10 devices in Intune. The token is set to expire on June 1, 2025. You need to ensure that devices can enroll using this token until June 30, 2025. What should you do?

A. Update the expirationDateTime property of the token.
B. Modify the tokenType to a different type.
C. Create a new bulk enrollment token with a later expiration date.
D. Re-create the token with the same name but later expiration.
Answer: A

You can edit the token and set a new expiration date.

Why this answer

The bulk enrollment token's expiration is controlled by the `expirationDateTime` property in Microsoft Intune. By updating this property to June 30, 2025, you extend the token's validity without needing to create a new token or change its type. This is the direct and supported method to adjust the expiration date of an existing token.

Exam trap

The trap here is that candidates often assume you must create a new token to change the expiration date, overlooking the fact that the existing token's `expirationDateTime` property can be updated directly via the Intune portal or Graph API.

How to eliminate wrong answers

Option B is wrong because `tokenType` defines the enrollment method (e.g., 'azureADJoin' or 'bulkEnrollment'), not the expiration date; changing it would alter the enrollment behavior, not extend the token's life. Option C is wrong because creating a new token is unnecessary and introduces a new token identifier, which would require re-distributing the token to devices, whereas the existing token can simply be updated. Option D is wrong because re-creating the token with the same name but later expiration is functionally identical to updating the `expirationDateTime` property, but it is an indirect approach that involves deleting and re-adding the token, which is less efficient and not the recommended method.

943
MCQ · medium

Your organization uses Microsoft Intune to manage Windows 11 devices. You need to deploy a custom PowerShell script that runs during enrollment to configure network settings. What should you use?

A. Device compliance policy
B. Device configuration profile with custom OMA-URI
C. PowerShell scripts in Microsoft Intune
D. Endpoint security policy
Answer: C

Intune has a dedicated 'PowerShell scripts' section for running scripts.

Why this answer

Intune supports custom scripts via the 'PowerShell scripts' feature under 'Device management'. Option C is correct because you can add a PowerShell script to run during enrollment or at scheduled times. Option A is incorrect because compliance policies do not run scripts.

Option B is incorrect because configuration profiles can include OMA-URI settings but not arbitrary scripts. Option D is incorrect because endpoint security policies do not run scripts.

944
Multi-Select · medium

You are configuring Microsoft Intune to manage Windows 10 devices. Which TWO actions are required to enable BitLocker encryption on devices?

Select 2 answers
A. Create a device configuration profile for endpoint protection and enable BitLocker settings.
B. Create a compliance policy that requires BitLocker.
C. Ensure the device has a TPM version 2.0 chip.
D. Configure a device cleanup rule.
E. Deploy a Windows 10 update ring.
Answers: A, C

This profile configures BitLocker on devices.

Why this answer

Option A is correct because BitLocker settings are configured via a device configuration profile for endpoint protection in Microsoft Intune. This profile includes policies such as requiring TPM startup PIN or startup key, encryption method, and OS drive encryption. Without this profile, BitLocker cannot be enforced or configured on managed Windows 10 devices.

Exam trap

The trap here is that candidates confuse a compliance policy (which only reports/remediates) with a configuration profile (which actually applies settings), and they may also mistakenly think a TPM requirement is an administrative action rather than a device prerequisite.

945
MCQ · medium

Your organization manages Windows 10 and Windows 11 devices with Microsoft Intune. Users report that new Microsoft Store apps are not automatically installing on their devices as expected. You verify that the Intune policy 'Allow Microsoft Store for Business' is set to 'Allow'. What is the most likely reason the apps are not installing?

A. The 'Allow trust apps from Microsoft Store' policy is set to 'Block'.
B. The 'Allow trust apps from Microsoft Store' policy is set to 'Allow'.
C. The 'Allow Microsoft Store for Business' policy is set to 'Block'.
D. The 'Auto install apps from Microsoft Store' policy is disabled.
Answer: B

This policy must be enabled for automatic app installation to work.

Why this answer

For automatic app installation from the Microsoft Store, the Windows device must have the 'Allow trust apps from Microsoft Store' policy enabled. Without it, even if the Store is allowed, apps will not install automatically. Option A is incorrect because it is the opposite setting.

Option C is incorrect because the Store for Business policy is already set to allow. Option D is incorrect because the automatic install setting is separate from the Store enablement.

946
MCQ · medium

You have deployed the above compliance policy in Microsoft Intune. A Windows 10 device running version 10.0.19042.0 is marked as noncompliant. You verify that the device meets all password, encryption, firewall, and Defender requirements. What is the most likely reason for noncompliance?

A. The device is running a version higher than the maximum OS version.
B. The device is running a version lower than the minimum OS version.
C. The device's antivirus software is not Microsoft Defender.
D. The device does not have a TPM 2.0 chip.
Answer: A

The device version 10.0.22622.0 exceeds the maximum OS version 10.0.22621.0.

Why this answer

The compliance policy includes a maximum OS version rule, and the device is running version 10.0.19042.0. Since this version is higher than the configured maximum, the device is marked as noncompliant even though it meets all other requirements. In Intune, OS version rules are evaluated as strict comparisons, so exceeding the maximum triggers noncompliance regardless of other settings.

Exam trap

The trap here is that candidates assume noncompliance must be due to a missing security requirement (like antivirus or encryption), but the question explicitly states those are met, leading them to overlook the OS version rule as the cause.

How to eliminate wrong answers

Option B is wrong because the device version 10.0.19042.0 is not lower than any typical minimum OS version (e.g., 10.0.17763 for Windows 10 1809), and the question states the device meets all password, encryption, firewall, and Defender requirements, implying the minimum OS version is satisfied. Option C is wrong because the question explicitly verifies that the device meets Defender requirements, meaning Microsoft Defender is active and compliant. Option D is wrong because TPM 2.0 is not a default compliance setting in Intune for Windows 10; it is only required if explicitly configured in a compliance policy, and the question does not indicate such a rule.

947
Multi-Select · medium

You are managing devices with Microsoft Intune. You need to ensure that only compliant devices can access corporate email. Which THREE components should you configure?

Select 3 answers
A. Device configuration profile
B. Compliance policy for Microsoft Intune
C. Device compliance policy
D. Conditional Access policy in Microsoft Entra ID
E. App protection policy
Answers: B, C, D

Evaluates device compliance and reports state.

Why this answer

Conditional Access requires compliance policies to evaluate device state, device compliance policies to define rules, and Conditional Access policies to enforce access. Configuration profiles configure settings but do not enforce access. App protection policies apply to apps, not device-level access.

948
MCQ · hard

Refer to the exhibit. You are configuring a device compliance policy in Microsoft Intune for Windows devices. Based on the JSON configuration, what will happen if a device does not have a password set?

A. The device will be marked non-compliant but no action is taken until the grace period expires
B. The device will be marked non-compliant and after 24 hours access will be blocked, then retired after 72 hours
C. The device will be retired immediately because password is not set
D. The device will be immediately blocked from accessing corporate resources
Answer: B

The scheduled actions define block after 24h, then retire after 72h.

Why this answer

Option C is correct because the compliance policy has a grace period of 24 hours before blocking, and then 72 hours before retiring. The device is not immediately blocked. Option A is wrong because there is a grace period.

Option B is wrong because there are two actions: block then retire. Option D is wrong because the device is not immediately retired; it goes through block first.

949
MCQ · hard

Your organization uses Microsoft Intune to manage macOS devices. You need to deploy a custom configuration profile that sets a specific firewall rule. However, the profile fails to apply on a subset of devices. The Intune console shows 'Conflict' status. What is the most likely cause?

A. The user does not have a macOS license
B. The macOS version is not supported by the profile
C. Another profile with overlapping settings is assigned
D. The device is not connected to the internet
Answer: C

Conflicting profiles cause 'Conflict' status in Intune.

Why this answer

Option A is correct because a configuration profile conflict occurs when two profiles with overlapping settings are assigned to the same device. Option B (Network connectivity) would show 'Pending' or 'Error'. Option C (Unsupported macOS version) would show 'Not applicable'.

Option D (User not licensed) would prevent enrollment altogether.

950
MCQ · hard

Refer to the exhibit. You have configured a Windows update ring using the JSON above. Today is March 10, 2025. Devices assigned to this ring are not receiving any quality updates. What is the most likely reason?

A. The quality update deferral of 7 days has not yet elapsed since the last update.
B. The quality update pause has expired, but quality updates are still blocked.
C. Quality updates are paused until March 15, 2025.
D. Feature updates are deferred for 30 days, preventing all updates.
Answer: C

The pause is active, blocking quality updates.

Why this answer

Option C is correct because the JSON configuration includes 'qualityUpdatesPauseStartDate': '2025-03-01' and 'qualityUpdatesPauseExpiryDate': '2025-03-15'. Since today is March 10, 2025, the pause is still active and will block all quality updates until March 15. The pause overrides any deferral settings, so devices will not receive quality updates regardless of the 7-day deferral period.

Exam trap

The trap here is that candidates often confuse 'deferral' with 'pause' and assume a short deferral period is the cause, overlooking that an active pause overrides all deferral settings for that update type.

How to eliminate wrong answers

Option A is wrong because the 7-day quality update deferral is irrelevant while a pause is active; the pause explicitly blocks updates until its expiry date. Option B is wrong because the pause has not expired (it expires on March 15, 2025), so updates are still blocked by the pause, not by an expired pause. Option D is wrong because feature update deferral settings do not affect quality updates; quality and feature update policies are independent in Windows Update for Business.

951
MCQ · medium

You are troubleshooting an Android Enterprise device that fails to install a required app from the Managed Google Play store. The device is compliant and has a valid work profile. What should you check first?

A. Check that the device is enrolled in Android Enterprise and has a work profile.
B. Ensure the Managed Google Play app is enabled and active on the device.
C. Confirm the user has approved the app installation in the Managed Google Play store.
D. Verify the device compliance policy allows app installation from unknown sources.
Answer: B

The Managed Google Play app must be active to install apps.

Why this answer

If an Android Enterprise device fails to install a required app, the Managed Google Play app is responsible for downloading and installing apps. If it is disabled or not active, apps will not install. Option A is correct.

Option B is wrong because compliance policies do not block app installation. Option C is wrong because the app is required, so user approval is not needed. Option D is wrong because device enrollment is already established.

952
MCQ · hard

You are the Intune administrator for Contoso Ltd., a company with 5,000 Windows 11 devices and 1,000 iOS devices managed by Microsoft Intune. The company uses Microsoft Defender for Endpoint for threat detection. You need to implement a solution that ensures devices are compliant before they can access corporate resources. You have the following requirements:

1. Windows devices must have Defender for Endpoint running and report a threat level of 'low' or better.
2. iOS devices must have a PIN of at least 6 characters and be jailbreak-detected as 'not jailbroken'.
3. If a device becomes noncompliant, it should be blocked immediately with no grace period.
4. Noncompliant devices should receive a notification to the user.

You create compliance policies for Windows and iOS. You also create a conditional access policy in Microsoft Entra ID to require compliant devices. After deploying, you find that some Windows devices that are missing Defender for Endpoint are still able to access email. What should you do to resolve this issue?

A. Configure a notification to users when their device is noncompliant.
B. Modify the conditional access policy to require a compliant device and a specific client app.
C. Enable the 'Require Defender for Endpoint' setting in the Windows compliance policy.
D. Set the required threat level to 'medium' in the Windows compliance policy.
Answer: C

This setting ensures devices without the agent are marked noncompliant.

Why this answer

Option C is correct because the Windows compliance policy must explicitly have the 'Require Defender for Endpoint' setting enabled to enforce that the Defender for Endpoint sensor is present and active on the device. Without this setting, the compliance policy only checks the threat level reported by Defender for Endpoint but does not require the sensor to be installed or running. Enabling this setting ensures that devices missing the Defender for Endpoint sensor are marked as noncompliant, which then triggers the conditional access policy to block access to corporate resources like email.

Exam trap

The trap here is that candidates often assume that setting the required threat level to 'low' automatically enforces the presence of Defender for Endpoint, but in reality, the threat level check only evaluates the last reported threat score, not the sensor's installation or running state.

How to eliminate wrong answers

Option A is wrong because configuring a notification to users when their device is noncompliant does not enforce compliance or block access; it only informs the user after the device is already noncompliant. Option B is wrong because modifying the conditional access policy to require a specific client app does not address the missing Defender for Endpoint sensor; the conditional access policy already requires a compliant device, and the issue is that the compliance policy is not correctly evaluating the Defender for Endpoint requirement. Option D is wrong because setting the required threat level to 'medium' would allow devices with a threat level of 'medium' to be compliant, which is less restrictive than 'low' and does not solve the problem of devices missing Defender for Endpoint entirely.

953
MCQ · medium

You are setting up Microsoft Intune for the first time. You need to ensure that users can enroll their iOS devices using the Company Portal app. You have configured the enrollment restrictions to allow iOS enrollment. However, users report that they see an error 'This device is not allowed to enroll' when trying to enroll. What is the most likely cause?

A. A conditional access policy requires compliant devices.
B. The Apple MDM push certificate is not configured.
C. The enrollment restrictions are set to block personally owned devices.
D. The users have not accepted the terms of use.
Answer: C

If personal devices are blocked, users get the 'not allowed to enroll' error.

Why this answer

Option D is correct because enrollment restrictions must allow personal devices if users are enrolling personal iOS devices. Option A is wrong because the Apple MDM push certificate is required for enrollment, but its absence produces a different error message. Option B is wrong because terms of use are presented after the enrollment attempt.

Option C is wrong because conditional access policies do not block enrollment; they block access to resources after enrollment.

954
MCQ · hard

Your company uses Microsoft Intune for device management. You need to configure a Windows 10 device restriction policy that blocks the use of the camera and microphone on all devices. Which settings should you configure?

A. Camera and Microphone
B. Bluetooth and Nearby Share
C. Copy and paste and Clipboard
D. Location and Messaging
Answer: A

These settings block the camera and microphone hardware.

Why this answer

Option B is correct because the 'Camera' and 'Microphone' settings under Device restrictions control these hardware features. Option A is wrong because 'Bluetooth' and 'Nearby Share' are different features. Option C is wrong because 'Copy and paste' and 'Clipboard' are data settings.

Option D is wrong because 'Location' and 'Messaging' are not related.

955
MCQ · medium

An organization is moving from on-premises SCCM to Microsoft Intune for Windows app management. They need to ensure that users can self-install company portal apps without administrator intervention. Which configuration is required?

A. Configure the app as 'Required' for all users
B. Add the app to the Windows Autopilot deployment profile
C. Grant users local administrator rights on their devices
D. Assign the app to users as 'Available' in the Company Portal
Answer: D

Available assignment allows users to install from Company Portal.

Why this answer

Option D is correct because the 'Available' assignment type in Microsoft Intune allows users to install apps on demand from the Company Portal without requiring administrator intervention. This configuration meets the requirement for self-service installation while respecting user intent, as opposed to forced installations.

Exam trap

The trap here is that candidates may confuse 'Available' assignments with 'Required' assignments, thinking that self-service implies mandatory installation, or incorrectly assume that local admin rights are needed for app installation in Intune.

How to eliminate wrong answers

Option A is wrong because configuring the app as 'Required' forces installation on all targeted devices, which does not allow users to choose when or if to install the app, contradicting the self-install requirement. Option B is wrong because Windows Autopilot deployment profiles are used for device provisioning and initial setup, not for ongoing self-service app installation via Company Portal. Option C is wrong because granting users local administrator rights is a security risk and unnecessary; with an 'Available' assignment the Intune Management Extension performs the installation, and a Win32 app whose install behavior is set to the system context installs without the user holding any elevated privileges.

956
Multi-Selectmedium

Which THREE actions can you perform using Microsoft Intune's remote assistance feature for Windows devices?

Select 3 answers
A.View the user's screen.
B.Reset the device's password.
C.Transfer files to and from the device.
D.Take full control of the user's desktop.
E.Restart a Windows service.
AnswersA, C, D

Screen viewing is supported.

Why this answer

Option A is correct because Intune's remote assistance feature lets a help desk operator view the user's screen once the user explicitly consents to the session. Viewing without taking control is the core troubleshooting capability, since the operator sees what the user sees in real time; Options C and D extend the same consented session to file transfer and full control of the desktop.

Exam trap

The trap here is that candidates assume the remote assistance session bundles every remote management action (password reset, service restart). It does not: the session is limited to viewing, controlling and transferring files, and administrative actions such as resetting a password or restarting a service are handled through separate device actions or scripts, not through the assistance session.

957
MCQhard

You are troubleshooting a Windows 10 device that shows as 'Noncompliant' in Intune despite having all required compliance policies applied. The device is domain-joined and configured with hybrid Azure AD join. What is the most likely cause?

A.The Intune Management Extension is not installed.
B.The device is not registered in Microsoft Entra ID.
C.The device's health attestation certificate has expired.
D.The device is not enrolled in Intune.
AnswerC

Expired health attestation can cause noncompliance.

Why this answer

A device that is hybrid Azure AD joined and domain-joined but shows as 'Noncompliant' in Intune, despite having all required compliance policies applied, is most likely failing compliance due to an expired health attestation certificate. Intune uses Windows Health Attestation Service (HAS) to verify device integrity; if the attestation certificate has expired, the device cannot prove its health status, causing it to be marked noncompliant even when policies are correctly assigned.

Exam trap

The trap here is that candidates often assume noncompliance is due to missing enrollment or registration, but the question explicitly states the device is hybrid joined and enrolled, so the real issue is a stale or expired health attestation certificate that prevents the compliance check from completing.

How to eliminate wrong answers

Option A is wrong because the Intune Management Extension is used for deploying PowerShell scripts and Win32 apps, not for compliance evaluation; compliance is handled by the Intune agent and the enrollment state. Option B is wrong because the device is described as hybrid Azure AD joined, which inherently means it is registered in Microsoft Entra ID (Azure AD); lack of registration would prevent hybrid join from succeeding. Option D is wrong because the device is already enrolled in Intune (it shows as 'Noncompliant' in Intune), so the issue is not a lack of enrollment but a failure in the compliance check process.

958
MCQhard

Your organization uses Microsoft Defender for Endpoint. You need to configure automatic investigation and response for devices. Which setting in the Microsoft Defender XDR portal should you adjust?

A.Automated investigation and response
B.Threat analytics
C.Device inventory
D.Alert queue
AnswerA

Correct. This page contains settings for automation.

Why this answer

The correct setting is 'Automated investigation and response' because it directly controls the configuration of automatic investigation and response (AIR) capabilities in Microsoft Defender for Endpoint. This setting allows administrators to enable or disable automated investigations, set the automation level (e.g., full, semi, or no automation), and define remediation actions for devices. Without adjusting this setting, the automatic investigation and response workflow cannot be tailored to the organization's security requirements.

Exam trap

The trap here is that candidates often confuse the 'Automated investigation and response' configuration with the 'Alert queue' or 'Threat analytics' because they all appear under the same XDR portal section, but only the AIR setting directly manages the automation behavior for device-level response actions.

How to eliminate wrong answers

Option B is wrong because Threat Analytics is a feature that provides threat intelligence, vulnerability reports, and mitigation recommendations, but it does not configure the automatic investigation and response behavior for devices. Option C is wrong because Device Inventory is a list of all managed devices with their security status and configuration details, not a setting to enable or adjust automated response actions. Option D is wrong because Alert Queue is a view of security alerts generated by Defender for Endpoint, and while it allows manual triage of alerts, it does not control the automation level or response configuration for investigations.

959
MCQeasy

A company uses Microsoft Intune to manage Windows 11 devices. They want to ensure that only devices with a TPM 2.0 and Secure Boot enabled can access corporate resources in Microsoft Entra ID. What should they configure?

A.Configure Windows Hello for Business in Intune
B.Deploy an attack surface reduction rule in Microsoft Defender XDR
C.Use Windows Autopilot to enforce TPM and Secure Boot during provisioning
D.Create a Conditional Access policy that requires device compliance and a device compliance policy that checks TPM 2.0 and Secure Boot
AnswerD

Conditional Access with compliance policy enforces health requirements before access.

Why this answer

Option D is correct: a Conditional Access policy that requires a compliant device, paired with a compliance policy that evaluates TPM 2.0 and Secure Boot, is the standard way to enforce device health before granting access to Entra ID resources. Option A (Windows Hello for Business) is for passwordless authentication, not device health enforcement. Option B (attack surface reduction) is a Defender policy for threat protection.

Option C (Autopilot) is for device provisioning, not access control; it cannot gate access to resources after provisioning.
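The following is an added example, not part of the question bank: a local read-out of the two device properties the compliance policy in the correct answer evaluates. It only mirrors the check so an administrator can see why a device fails; the Secure Boot value Intune actually uses comes from Device Health Attestation, not from a script on the device. The function name is an assumption, and the session must be elevated because Confirm-SecureBootUEFI requires administrator rights.

```powershell
# Added example (not from the question bank). Run in an elevated session.
function Get-DeviceHealthSnapshot {
    # Win32_Tpm.SpecVersion looks like "2.0, 0, 1.38"; the first field is the spec level.
    $tpm = Get-CimInstance -Namespace 'root/cimv2/security/microsofttpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $specLevel = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { $null }

    # Confirm-SecureBootUEFI throws on legacy BIOS firmware; treat that as "not enabled".
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }

    [pscustomobject]@{
        TpmPresent   = [bool]$tpm
        TpmSpecLevel = $specLevel
        TpmIs20      = ($specLevel -eq '2.0')
        SecureBootOn = $secureBoot
        MeetsPolicy  = ([bool]$tpm -and $specLevel -eq '2.0' -and $secureBoot)
    }
}

$snapshot = Get-DeviceHealthSnapshot
$snapshot | Format-List
if (-not $snapshot.MeetsPolicy) {
    Write-Warning 'Device would be marked noncompliant; Conditional Access would block it.'
}
```

Compare the output with the device's compliance report in the Intune admin center: a device that passes here but still shows noncompliant usually has a stale or failed Device Health Attestation report rather than a hardware problem.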

960
Multi-Selecteasy

Which TWO methods can be used to enroll Android devices in Microsoft Intune?

Select 2 answers
A.Apple Device Enrollment Program (DEP).
B.Android device administrator.
C.Android Enterprise corporate-owned work profile.
D.Android Enterprise fully managed.
E.Windows Autopilot.
AnswersB, C

Device administrator is the legacy method; it is deprecated but still listed as an enrollment option here.

Why this answer

Options B and C are correct. Android Enterprise corporate-owned work profile is a current method for company-owned devices, and Android device administrator is the legacy Android method. Option A is wrong because the Apple Device Enrollment Program is for Apple devices.

Option E is wrong because Windows Autopilot is for Windows. Option D (Android Enterprise fully managed) is also a supported Android Enterprise method for corporate-owned, single-user devices; the key pairs the work-profile option with device administrator because the question asks for exactly two.

961
MCQhard

Your organization uses Microsoft Intune to manage Windows 11 devices. You notice that some devices are not receiving security updates even though update rings are assigned. What is the most likely cause?

A.Devices are noncompliant and blocked from receiving updates
B.Devices are not enrolled in Intune
C.Update ring policy has a deferral period configured that delays updates
D.Devices are not connected to the internet
AnswerC

Deferral periods can significantly delay update installation.

Why this answer

Option C is correct: Windows Update for Business deferral and pause settings in an update ring delay when devices see an update, so assigned rings can still leave devices without recent updates. Option A is wrong because device compliance state does not block updates. Option D is wrong because a lack of connectivity would affect all policies, not only updates.

Option B is wrong because the ring is assigned and applies, which means the devices are enrolled.

962
MCQmedium

Your company uses Microsoft Intune to manage iOS devices. You have an app protection policy that requires a PIN to access corporate data. Users report that they can access corporate data without entering a PIN after the first time. You want to ensure that the PIN is required every time the app is opened. What should you configure?

A.Set 'Require PIN to access' to 'Yes'.
B.Require device PIN instead of app PIN.
C.Set 'PIN reset after number of hours' to 0.
D.Set 'Timeout' to 1 minute.
AnswerC

0 forces PIN entry every time.

Why this answer

Option C is correct because setting the PIN reset interval to 0 hours forces PIN entry every time the app is opened. Option A is wrong because the PIN requirement is already enabled; the issue is how often it is rechecked. Option D is wrong because the timeout governs inactivity, not reopening the app.

Option B is wrong because the device PIN is separate from the app PIN and does not change app-level prompting.

963
MCQmedium

Your organization uses Microsoft Intune to manage iOS/iPadOS devices. You need to ensure that all devices have a passcode of at least 6 characters and that devices are updated to the latest iOS version. You create a compliance policy. After assigning the policy, some devices are marked as non-compliant even though they have a passcode. What is the most likely cause?

A.The devices have multiple compliance policies applied.
B.iOS devices do not support compliance policies.
C.The devices have not checked in with Intune since the policy was assigned.
D.The policy was assigned to a user group instead of a device group.
AnswerC

Devices need to check in to receive and report compliance status.

Why this answer

Option C is correct because a device reports its compliance state only after it checks in; until the first check-in after assignment the device has not evaluated the new policy and is reported as non-compliant. Option B is wrong because Intune can enforce compliance on iOS. Option D is wrong because compliance policies can target either user or device groups.

Option A is wrong because having multiple policies does not inherently cause non-compliance; the device must satisfy all of them, but the passcode requirement here is met.

964
MCQmedium

Your organization uses Microsoft Intune to manage 1,000 Windows 10 devices and 500 iOS devices. You need to enforce device compliance policies. For Windows devices, you require BitLocker encryption and Windows Defender Antivirus enabled. For iOS devices, you require a passcode of at least 6 characters and device encryption. Devices that become noncompliant should be marked as such and users should receive a notification email. After 7 days of noncompliance, the device should be blocked from accessing corporate email. You also need to create a report that shows the compliance status of all devices. Which combination of actions should you take?

A.Create Windows and iOS compliance policies with the required settings. Configure actions for noncompliance: send email immediately and block access after 7 days. Use the built-in compliance report.
B.Create app protection policies to require encryption and passcode. Use conditional access to block noncompliant devices.
C.Create device configuration profiles for BitLocker and encryption. Use conditional access to block noncompliant devices. Manually generate reports using PowerShell.
D.Use Autopilot to enforce encryption and passcode. Use Intune reporting for compliance status.
AnswerA

Compliance policies with actions and conditional access meet all requirements.

Why this answer

Option A is correct because compliance policies define the rules, actions for noncompliance send the email and schedule the block, and the built-in compliance report shows status across all devices. Option C is wrong because configuration profiles apply settings but do not evaluate or enforce compliance, and PowerShell reporting is unnecessary.

Option B is wrong because app protection policies protect data at the app level and do not enforce device-level compliance. Option D is wrong because Autopilot provisions devices and does not enforce compliance.

965
MCQhard

Your organization uses Microsoft Intune to manage iOS devices. You need to ensure that corporate data on these devices is automatically removed when a user is unenrolled from Intune. Which action should you configure?

A.Configure a selective wipe policy.
B.Configure a compliance policy to mark the device as noncompliant.
C.Configure a remote lock action.
D.Configure a full wipe action.
AnswerA

Selective wipe removes corporate data while leaving personal data intact.

Why this answer

A selective wipe policy in Microsoft Intune removes only corporate data from an iOS device while leaving personal data intact. When a user is unenrolled from Intune, the selective wipe targets managed apps and their associated data, ensuring that company information is automatically removed without affecting the user's personal content.

Exam trap

The trap here is that candidates often confuse selective wipe with full wipe, assuming that any data removal requires a complete device reset, but the exam tests the specific Intune behavior where selective wipe is the correct method for removing only corporate data upon unenrollment.

How to eliminate wrong answers

Option B is wrong because configuring a compliance policy to mark the device as noncompliant does not automatically remove corporate data; it triggers conditional access blocks or notifications but requires a separate wipe action. Option C is wrong because a remote lock action only locks the device screen and does not remove any data. Option D is wrong because a full wipe action resets the entire device to factory settings, removing both corporate and personal data, which is not the requirement for selective removal of corporate data only.

966
MCQmedium

Your organization uses Microsoft Intune for Windows device management. You need to deploy a PowerShell script to all Windows 10 devices to remediate a security issue. The script must run in the user context. What is the best approach?

A.Add the script to Intune as a PowerShell script and set 'Run this script using the logged on credentials' to Yes.
B.Create a device configuration profile with a custom OMA-URI setting to execute the script.
C.Use a device compliance policy to trigger the script when noncompliant.
D.Use Intune proactive remediations and configure the script to run as a detection script.
AnswerA

This runs the script in the user context.

Why this answer

Option A is correct because Intune's PowerShell script deployment feature allows you to upload a script and set 'Run this script using the logged on credentials' to Yes, which executes the script in the user context on Windows 10 devices. This is the native Intune feature for a one-time script deployment in the user context, with no additional configuration or third-party tools.

Exam trap

The trap here is that candidates confuse the execution context of Intune scripts (user vs. system) and confuse a one-time script deployment with remediations: a remediation detection script only reports state through its exit code, so configuring the fix as a detection script does nothing, and compliance policies never run scripts at all.

How to eliminate wrong answers

Option B is wrong because a custom OMA-URI setting writes a value to a CSP node; it does not execute arbitrary PowerShell. Option C is wrong because a device compliance policy cannot trigger script execution; it only evaluates conditions and marks devices noncompliant. Option D is wrong because in remediations the detection script only reports whether the issue exists (exit code 0 for compliant, non-zero for noncompliant); the fix would have to be the remediation script, and remediations are a separate feature from the one-time script deployment the question asks for.
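As an added example that is not part of the question bank, this is the shape of a script deployed the way the correct answer describes (Devices > Scripts, 'Run this script using the logged on credentials' = Yes). It remediates a per-user registry value, which is exactly the case where the user context matters, and it refuses to run if it is ever executed as SYSTEM, because HKCU would then resolve to the SYSTEM hive. The registry path and value name are assumptions for illustration.

```powershell
# Added example (not from the question bank): user-context Intune PowerShell script.
$RegPath = 'HKCU:\Software\Contoso\Hardening'   # assumed per-user key
$Name    = 'DisableLegacyFeature'               # assumed value name
$Wanted  = 1

# Guard: with "Run this script using the logged on credentials" this runs as the
# signed-in user. If it is ever run as SYSTEM, HKCU is the SYSTEM hive and the
# fix lands in the wrong place, so fail loudly instead of silently "succeeding".
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
if ($identity.IsSystem) {
    Write-Error 'Running as SYSTEM; this script must run in the user context.'
    exit 1
}

if (-not (Test-Path $RegPath)) {
    New-Item -Path $RegPath -Force | Out-Null
}

$current = (Get-ItemProperty -Path $RegPath -Name $Name -ErrorAction SilentlyContinue).$Name
if ($current -ne $Wanted) {
    New-ItemProperty -Path $RegPath -Name $Name -Value $Wanted -PropertyType DWord -Force | Out-Null
    Write-Output "Set $Name=$Wanted for $($identity.Name)"
} else {
    Write-Output "$Name already $Wanted for $($identity.Name)"
}

# A non-zero exit is what Intune records as a failed script run, so exit 0 only
# when the desired state is in place.
exit 0
```

The Intune Management Extension records the exit code and the script's output in its logs and registry, so keeping the output short and the exit code honest makes the script status in the admin center meaningful.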

967
Multi-Selecthard

An organization uses Configuration Manager to deploy Windows 11. The administrator needs to ensure that after deployment, the devices are automatically enrolled in Microsoft Intune for co-management. Which THREE actions are required?

Select 3 answers
A.Enable WinRM on the target devices.
B.Configure Azure AD hybrid join in the environment.
C.Configure the Intune Connector in Configuration Manager.
D.Enable co-management in Configuration Manager.
E.Configure a Group Policy for automatic Intune enrollment.
AnswersB, C, D

Devices must be Azure AD hybrid joined.

Why this answer

Azure AD hybrid join is required for co-management because it allows devices to be registered in both on-premises Active Directory and Azure AD, enabling them to be managed by both Configuration Manager and Intune simultaneously. Without hybrid join, devices cannot authenticate to Intune for enrollment, as co-management relies on Azure AD identity for device registration and policy assignment.

Exam trap

The trap here is that candidates often confuse automatic Intune enrollment via Group Policy (Option E) as a required step for co-management, but in the co-management workflow, enrollment is handled by the Configuration Manager client after the Intune Connector and hybrid join are configured, making the Group Policy redundant.

968
MCQmedium

A company uses Microsoft Intune to manage iOS/iPadOS devices. They require that all corporate data on devices be protected with a passcode of at least 6 digits. Which policy type should you configure?

A.Device configuration policy (settings catalog).
B.Conditional Access policy.
C.Device compliance policy.
D.App protection policy.
AnswerC

Compliance policies evaluate passcode settings and mark devices as non-compliant if not met.

Why this answer

Option C is correct because device compliance policies can require a passcode length and complexity and mark devices that do not meet it as non-compliant. Option A is wrong because device configuration policies include passcode settings but are not used for compliance assessment. Option D is wrong because app protection policies protect data at the app level, not the device level.

Option B is wrong because Conditional Access policies grant or block access based on compliance state; they do not configure passcode requirements.

969
Multi-Selectmedium

A company uses Microsoft Intune to manage iOS devices. They need to enforce a policy that requires a passcode of at least 6 characters, allows Touch ID, and automatically wipes the device after 10 failed attempts. Which three settings should be configured in a device restrictions profile for iOS? (Choose three.)

Select 3 answers
A.Number of failed attempts before wipe.
B.Maximum passcode age (days).
C.Minimum passcode length.
D.Allow simple passcode.
E.Allow Touch ID.
AnswersA, C, E

This triggers a wipe after 10 failed attempts.

Why this answer

Option A is correct because the 'Number of failed attempts before wipe' setting directly enforces the requirement to automatically wipe the device after 10 failed passcode attempts. This setting is part of the device restrictions profile for iOS and triggers a device wipe when the specified threshold of consecutive incorrect passcode entries is reached.

Exam trap

The trap here is that candidates often confuse 'Maximum passcode age' with the wipe-on-failed-attempts setting, or mistakenly think 'Allow simple passcode' is required to enable Touch ID, when in fact Touch ID is a separate toggle that does not depend on simple passcode being allowed.

970
MCQhard

You are troubleshooting a Windows 11 device that fails to receive a PowerShell script deployed via Intune. The script is assigned to a group containing the device. Other policies on the device apply successfully. What should you check first?

A.Ensure the device has internet connectivity.
B.Check the Windows PowerShell execution policy on the device.
C.Check that the script is digitally signed.
D.Verify that the device is in the correct security group.
AnswerB

PowerShell scripts require the execution policy to be set to allow scripts.

Why this answer

Option B is correct because PowerShell scripts require an execution policy that allows scripts to run. Option D is wrong because group assignment is stated to be correct. Option A is wrong because a network problem would affect all policies, yet the other policies apply.

Option C is wrong because script signing only matters if the execution policy is restrictive, so the execution policy is the first thing to check.

971
MCQeasy

Your company uses Microsoft Intune to manage devices. You need to ensure that all corporate-owned iOS devices automatically enroll in Intune when users sign in with their work account. Which enrollment method should you configure?

A.Apple Configurator enrollment
B.Device Enrollment Manager (DEM) account
C.Apple Automated Device Enrollment (ADE)
D.User-initiated enrollment via Company Portal
AnswerC

ADE enables zero-touch deployment where devices enroll automatically when the user signs in with a work account.

Why this answer

Apple Automated Device Enrollment (ADE) is the correct method because it enables zero-touch, automated enrollment for corporate-owned iOS devices. When ADE is configured with Intune, devices are automatically enrolled during the initial setup assistant when the user signs in with their work account, without requiring manual intervention or the Company Portal app.

Exam trap

The trap here is that candidates often confuse Apple Configurator enrollment (a manual, wired method) with ADE (an automated, over-the-air method), or they think user-initiated enrollment via Company Portal can be automated, but it requires manual steps by the user.

How to eliminate wrong answers

Option A is wrong because Apple Configurator enrollment is a manual, wired method intended for small-scale or shared device scenarios, not for automatic enrollment at scale when users sign in. Option B is wrong because the Device Enrollment Manager (DEM) account is used to enroll multiple devices using a single shared account, not to trigger automatic enrollment per user sign-in. Option D is wrong because user-initiated enrollment via Company Portal requires the user to manually download the app and enroll, which does not meet the requirement for automatic enrollment when signing in with a work account.

972
MCQmedium

Your company uses Microsoft Intune to manage iOS devices. You need to ensure that corporate data in Microsoft 365 apps is protected even if a device is compromised. Which App Protection Policy setting should you configure?

A.Configure device compliance policy to require jailbreak detection.
B.Configure App Protection Policy with 'Restrict cut, copy, and paste' and 'Allow app to transfer data to other apps' set to Policy managed apps.
C.Configure device configuration profile to require device PIN.
D.Configure App Protection Policy to require app PIN.
AnswerB

This restricts data transfer to managed apps only.

Why this answer

Option B is correct because the data transfer settings in an app protection policy control how data can move between apps, including blocking cut, copy and paste to unmanaged apps, so corporate data stays inside policy-managed apps even on a compromised device. Option A is wrong because jailbreak detection is a device condition, not app-level data protection. Option C is wrong because a device PIN is a device-level setting.

Option D is wrong because an app PIN controls access to the app, not how data is transferred out of it.

973
MCQeasy

You are the endpoint administrator for Contoso Ltd. The company uses Microsoft Intune to manage Windows 11 devices. You need to deploy a critical security update to all devices within 24 hours. The update is a quality update (KB5001234). You have created an update ring policy named 'Critical Ring' assigned to all devices. The policy currently has a deferral period of 7 days. You need to ensure that the update is installed immediately. What should you do?

A.Change the update ring policy deadline to 7 days to ensure devices have enough time.
B.Create a new feature update policy for KB5001234 and assign it to all devices.
C.Modify the 'Critical Ring' update ring policy to set the quality update deferral period to 0 days and the deadline for updates to 1 day.
D.Use the Windows Server Update Services (WSUS) console to approve the update for immediate installation.
AnswerC

Removes deferral and sets a short deadline.

Why this answer

The update ring policy controls deferral and deadline. To install immediately, set deferral to 0 and deadline to 1 day. Creating a feature update policy is for feature updates, not quality updates.

Manually approving in WSUS is not relevant as Intune manages updates. Changing the deadline to 7 days would not meet the 24-hour requirement.

974
MCQmedium

A company uses Microsoft Intune to manage Windows devices. They want to deploy a custom line-of-business (LOB) app as a Win32 app. The app requires .NET Framework 4.8 and must be installed silently. Which file type should you use for the app deployment in Intune?

A..msi
B..appx
C..intunewin
D..exe
AnswerC

.intunewin is the required format for Win32 app deployment via Intune.

Why this answer

The .intunewin file is required for Win32 app deployment in Intune because it packages the installation files and detection rules into a single format that Intune can process. For a custom LOB app that needs silent installation and has dependencies like .NET Framework 4.8, the .intunewin wrapper allows you to specify the installation command (e.g., msiexec /i app.msi /qn) and detection logic, which is not possible with raw .msi or .exe files in the Win32 app context.

Exam trap

The trap here is that candidates mistakenly think a raw .exe or .msi can be deployed as a Win32 app in Intune, but Intune requires the .intunewin wrapper to handle detection, dependencies, and installation behavior for non-Store apps.

How to eliminate wrong answers

Option A is wrong because .msi files can be deployed directly as line-of-business apps in Intune, but they do not support the Win32 app deployment method's advanced features like custom detection rules, dependencies, or requirement rules; for a Win32 app, you must wrap the .msi in an .intunewin file. Option B is wrong because .appx files are used for Universal Windows Platform (UWP) apps, not Win32 apps, and they require a different deployment pipeline (e.g., Store or LOB app type). Option D is wrong because .exe files cannot be deployed directly as Win32 apps in Intune without being wrapped in an .intunewin file; the .intunewin packaging tool is required to encapsulate the .exe and its installation parameters.
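Added example, not part of the question bank: the custom detection script that accompanies a Win32 (.intunewin) deployment of an MSI-based LOB app. Intune's contract for a custom detection script is that exit code 0 together with something written to STDOUT means installed; exit 0 with no output, or a non-zero exit, means not installed. The product name, minimum version and paths are assumptions. The package itself is built with the Win32 Content Prep Tool, for example `IntuneWinAppUtil.exe -c C:\Packaging\ContosoApp\src -s ContosoApp.msi -o C:\Packaging\ContosoApp\out -q`, and installed silently with `msiexec /i ContosoApp.msi /qn`.

```powershell
# Added example (not from the question bank): custom detection script for a Win32 app.
# Upload under Detection rules > "Use a custom detection script".

$DisplayName = 'Contoso App'        # assumed DisplayName in the Uninstall key
$MinVersion  = [version]'2.1.0'     # assumed lowest acceptable version

# Check both the native and WOW6432Node uninstall hives so a 32-bit MSI on
# 64-bit Windows is found too.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$app = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
       Where-Object { $_.DisplayName -eq $DisplayName } |
       Select-Object -First 1

if (-not $app) { exit 1 }   # not installed: Intune will run the install command

# Vendors sometimes write versions that are not valid System.Version strings;
# treat an unparsable version as "not detected" rather than crashing the script.
$installed = $null
if (-not [version]::TryParse([string]$app.DisplayVersion, [ref]$installed)) { exit 1 }

if ($installed -ge $MinVersion) {
    Write-Output "Detected $DisplayName $installed"   # STDOUT + exit 0 = installed
    exit 0
}

exit 1   # an older build is present: report not detected so the new package installs
```

Checking a minimum version rather than mere presence is what lets the same Win32 app definition upgrade devices that already have an older build; a presence-only check would report those devices as installed and leave them on the old version.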

975
Multi-Selecteasy

Which TWO methods can be used to enroll Android devices in Microsoft Intune?

Select 2 answers
A.Android Enterprise corporate-owned devices with work profile
B.Android Enterprise personally-owned devices with work profile
C.Android Device Administrator
D.Apple Business Manager
E.Windows Autopilot
AnswersA, B

This is a valid enrollment method.

Why this answer

Options A and B are correct. Android Enterprise corporate-owned devices with a work profile and Android Enterprise personally-owned devices with a work profile are both current enrollment methods. Option D is wrong because Apple Business Manager is for Apple devices.

Option E is wrong because Windows Autopilot is for Windows. Option C is wrong because Android Device Administrator is deprecated.
