Microsoft 365 Endpoint Administrator (MD-102) — Questions 976–991

991 questions total · 14 pages · All types, answers revealed


Page 14 of 14

976 · MCQ · easy

Your organization uses Microsoft Intune to manage devices. You need to configure a policy that automatically retires a device if it does not check in for 30 days. Which policy type should you configure?

A. Device configuration policy
B. Compliance policy
C. Windows Update for Business policy
D. Device health attestation policy

Answer: B

Compliance policies can include a grace period and action for non-compliance, including retiring devices after a specified period of inactivity.

Why this answer

A compliance policy in Microsoft Intune can include a 'Maximum days since device last checked in' setting. When a device fails to check in for the specified period (e.g., 30 days), Intune marks it as noncompliant, and a conditional access policy or automated action (such as retiring the device) can be triggered. This directly meets the requirement to automatically retire a device after 30 days of inactivity.

Exam trap

The trap here is that candidates often confuse a device configuration policy (which controls settings) with a compliance policy (which enforces conditions and triggers actions like retirement), leading them to select Option A instead of B.

How to eliminate wrong answers

Option A is wrong because a device configuration policy manages settings like passwords, encryption, and restrictions, but it does not include a check-in timeout or retirement trigger. Option C is wrong because a Windows Update for Business policy controls update deferrals and delivery optimization, not device check-in monitoring or retirement. Option D is wrong because a device health attestation policy verifies boot integrity and security features (e.g., Secure Boot, BitLocker) via the TPM, but it does not enforce a check-in interval or automatic retirement.

977 · MCQ · hard

You are troubleshooting a Windows 10 device that is enrolled in Microsoft Intune. The device shows as 'Pending' in the Intune console. The user confirms that the device was enrolled using a provisioning package. Which log file should you review to diagnose the enrollment failure?

A. %windir%\temp\MdmEnrollment.log
B. %ProgramData%\Microsoft\Provisioning\ProvisioningPackage.log
C. %windir%\Panther\setupact.log
D. Event Viewer under Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider

Answer: B

This log contains provisioning package enrollment details.

Why this answer

When a Windows 10 device is enrolled using a provisioning package, the provisioning engine logs detailed information about the package processing and enrollment steps in %ProgramData%\Microsoft\Provisioning\ProvisioningPackage.log. This log captures the execution of the provisioning package, including any errors during enrollment, making it the correct source for diagnosing a 'Pending' status caused by a provisioning package failure.

Exam trap

The trap here is that candidates confuse the general MDM enrollment log (MdmEnrollment.log) with the provisioning package-specific log, not realizing that provisioning package enrollment uses a completely separate logging path and engine.

How to eliminate wrong answers

Option A is wrong because MdmEnrollment.log is used for MDM enrollment initiated via Settings or manual enrollment, not for provisioning package-based enrollment. Option C is wrong because setupact.log is a Windows Setup log used for OS installation and upgrade troubleshooting, not for provisioning package or MDM enrollment issues. Option D is wrong because the DeviceManagement-Enterprise-Diagnostics-Provider logs in Event Viewer capture general MDM client events but are not the primary log for provisioning package execution; the provisioning engine writes its own dedicated log file.

978 · MCQ · medium

Your organization uses Microsoft Intune to manage devices. You need to ensure that only compliant devices can access corporate email. You configure a Conditional Access policy in Microsoft Entra ID targeting Exchange Online. What else must you configure in Intune to enforce compliance?

A. Device compliance policies.
B. No additional configuration is needed.
C. Device configuration policies.
D. App protection policies.

Answer: A

Compliance policies must be configured and assigned to devices.

Why this answer

Option A is correct because device compliance policies evaluate device health and report compliance status to Entra ID, which Conditional Access uses when deciding whether to grant access. Option B is wrong because compliance policies are required, not optional; without them no device can be evaluated as compliant. Option C is wrong because device configuration policies apply settings but do not affect compliance status. Option D is wrong because app protection policies protect data inside mobile apps; they do not evaluate device compliance.

979 · MCQ · hard

A company uses Configuration Manager to deploy Windows 10 to 2000 devices. After deployment, several devices report that the Start menu layout is not applied. The administrator used a provisioning package to configure Start layout. What is the most likely cause of the issue?

A. Group Policy settings are overriding the Start layout configuration.
B. The devices are not Azure AD joined.
C. The provisioning package was not signed properly.
D. The provisioning package was applied after user first logon.

Answer: A

GP can override provisioning package settings.

Why this answer

Option A is correct because provisioning packages apply during OOBE and their settings can later be overwritten by Group Policy. Option B is wrong because MDM is not used in this scenario, so Azure AD join is irrelevant. Option C is wrong because the package was applied; its settings were simply overridden. Option D is wrong because a user-profile timing issue would not affect all of the devices in the same way.

980 · Multi-Select · hard

An organization is planning to implement a zero-trust security model. They need to evaluate the following capabilities in Microsoft 365. Which THREE are essential for a zero-trust architecture? (Choose three.)

Select 3 answers
A. Azure AD Application Proxy
B. Multi-factor authentication (MFA)
C. Azure AD Connect sync
D. Device compliance policies
E. Conditional Access policies

Answers: B, D, E

Verifies identity.

Why this answer

Multi-factor authentication (MFA) is essential for a zero-trust architecture because it enforces strong identity verification beyond just a password, ensuring that each authentication request is validated with an additional factor (e.g., a phone call, text message, or authenticator app). This aligns with the zero-trust principle of 'never trust, always verify' by requiring explicit proof of identity at every access attempt, even if the user is inside the corporate network.

Exam trap

The trap here is that candidates often confuse infrastructure components (like Azure AD Connect sync or Application Proxy) with security controls, mistakenly thinking they are required for zero trust when they are merely supporting services for hybrid identity or remote access.

981 · MCQ · easy

Your organization needs to deploy a web app link to users' devices via Microsoft Intune. Which app type should you select?

A. Windows app (Win32)
B. iOS store app
C. Web link
D. Managed Google Play app

Answer: C

Creates a shortcut to the URL.

Why this answer

The Web link app type creates a shortcut to a URL on the device. Managed Google Play app is for Android store apps, iOS store app is for apps from the Apple App Store, and Windows app (Win32) is for desktop installers.

982 · MCQ · easy

Refer to the exhibit. You are reviewing an Intune management intent configuration. What does this setting configure on Windows devices?

A. Disables the Windows Firewall for all network profiles
B. Enables the Windows Firewall for the public network profile
C. Enables Microsoft Defender Antivirus real-time protection
D. Disables the Windows Firewall for the domain network profile

Answer: B

The setting enables firewall on public profile.

Why this answer

Option B is correct because the setting ID references the Windows Firewall public-profile "enable firewall" setting, and the value '1' means enabled. Option A is wrong because the setting enables the firewall rather than disabling it. Option C is wrong because the setting concerns the firewall, not Defender Antivirus. Option D is wrong because it targets the public profile, not the domain profile.

983 · Multi-Select · hard

Which THREE conditions must be met for a Windows 10 device to be co-managed with Microsoft Intune and Microsoft Configuration Manager? (Choose three.)

Select 3 answers
A. The device must be enrolled in Microsoft Intune.
B. The device must have the Configuration Manager client installed.
C. The device must be Azure AD joined or hybrid Azure AD joined.
D. The device must be hybrid Azure AD joined.
E. The device must have the Intune Management Extension installed.

Answers: A, B, C

Intune enrollment is required for co-management.

Why this answer

Option A is correct because a device must be enrolled in Microsoft Intune to establish the co-management authority. Intune enrollment allows the device to receive policies and apps from the cloud, which is a prerequisite for splitting workloads between Configuration Manager and Intune. Without enrollment, the device cannot be managed by Intune at all.

Exam trap

The trap here is that candidates often think hybrid Azure AD join is mandatory (Option D), but Microsoft actually allows either Azure AD join or hybrid Azure AD join, and they confuse the Intune Management Extension (Option E) as a prerequisite when it is automatically installed post-enrollment for specific app deployment scenarios.

984 · MCQ · medium

Your organization uses Microsoft Intune to manage Windows 11 devices. You need to ensure that only devices with a Trusted Platform Module (TPM) version 2.0 and Secure Boot enabled can access corporate email. What should you configure?

A. Create a compliance policy with device health rules.
B. Configure Windows Hello for Business with TPM requirement.
C. Create a conditional access policy that requires compliant device.
D. Create a device configuration policy to enable Secure Boot.

Answer: A

Device health rules in compliance policies can require TPM and Secure Boot.

Why this answer

Compliance policies in Intune can check device health attestation results, including TPM and Secure Boot. Option A is correct because a compliance policy with device health rules enforces these requirements. Option B is incorrect because Windows Hello for Business is for authentication, not device health. Option C is incorrect because a conditional access policy only acts on the compliance state after it has been evaluated; it does not define the TPM or Secure Boot requirement itself. Option D is incorrect because device configuration policies apply settings but do not enforce access.

985 · MCQ · medium

You are implementing Windows Autopilot for your organization. You need to ensure that during the first boot, the device automatically enrolls in Microsoft Intune and joins Microsoft Entra ID. What is the minimum requirement for the device?

A. The device must have a local administrator account.
B. The device must be joined to an on-premises Active Directory domain.
C. The device must have a TPM 2.0 chip.
D. The device must be registered in Autopilot with a valid profile.

Answer: D

Autopilot requires registration and profile assignment.

Why this answer

Option D is correct because Windows Autopilot requires the device to be registered in the Autopilot service with a valid profile assigned. This profile contains the settings that dictate the out-of-box experience (OOBE), including automatic enrollment into Microsoft Intune and joining Microsoft Entra ID (formerly Azure AD). Without a registered Autopilot profile, the device will not trigger the automated enrollment and join process during first boot.

Exam trap

The trap here is that candidates often confuse hardware prerequisites (like TPM 2.0) with the mandatory requirement of a registered Autopilot profile, leading them to select Option C instead of D.

How to eliminate wrong answers

Option A is wrong because a local administrator account is not a prerequisite for Autopilot; the device can be a standard user device and still enroll via Autopilot. Option B is wrong because Autopilot devices are designed to join Microsoft Entra ID directly, not an on-premises Active Directory domain; hybrid join is an optional configuration, not a minimum requirement. Option C is wrong because while TPM 2.0 is recommended for self-deploying mode and Windows Hello for Business, it is not a minimum requirement for user-driven Autopilot enrollment and Entra ID join; devices without TPM 2.0 can still use user-driven mode with password-based authentication.

986 · MCQ · hard

A company applies the above BitLocker policy to Windows 10 devices via Intune. An administrator discovers that some devices are not encrypting. The administrator checks a device and finds that it has no TPM chip. Which setting in the policy will cause encryption to fail?

A. requireTpm
B. recoveryKeyRotation
C. encryptionMethod
D. requireStartupPin

Answer: A

If requireTpm is true, devices without TPM will not encrypt.

Why this answer

The 'requireTpm' setting enforces that BitLocker will only start encryption if a Trusted Platform Module (TPM) chip is present on the device. If a device lacks a TPM, this policy setting causes the encryption process to fail outright, as BitLocker cannot meet the mandatory hardware requirement.

Exam trap

The trap here is that candidates may think 'requireStartupPin' is the direct cause of failure on a TPM-less device, but the policy's 'requireTpm' setting is evaluated first and will block encryption entirely before any PIN requirement is even considered.

How to eliminate wrong answers

Option B (recoveryKeyRotation) is wrong because it controls how often the recovery key is rotated in Azure AD, not whether encryption starts; it has no effect on TPM absence. Option C (encryptionMethod) is wrong because it specifies the algorithm (e.g., AES 128/256) used once encryption begins, not a prerequisite for starting encryption. Option D (requireStartupPin) is wrong because it requires a PIN at startup but still relies on a TPM to validate that PIN; without a TPM this setting also fails, but the question asks which setting in the policy causes the failure, and 'requireTpm' is the direct cause: if 'requireTpm' is set to 'true', encryption fails regardless of the other settings.

987 · MCQ · hard

You have assigned the compliance policy shown in the exhibit to all Windows devices. A Windows 11 device running build 10.0.22621.1500 reports as noncompliant. Which setting is causing the noncompliance?

A. OS version is above the maximum allowed
B. Password minimum length is not met
C. Device threat protection level is below medium
D. TPM is not present

Answer: A

The device build 22621.1500 exceeds the maximum 22621.1000.

Why this answer

The compliance policy in the exhibit specifies a maximum OS version of 10.0.22621.1000, but the Windows 11 device is running build 10.0.22621.1500, which is above that maximum. Intune compares the device's OS version against the configured maximum OS version setting; if the device's version exceeds the maximum, it is marked as noncompliant. This setting is used to prevent devices with newer, potentially untested builds from accessing corporate resources.

Exam trap

The trap here is that candidates often assume noncompliance is due to missing security features like TPM or password policies, but the exhibit clearly shows a maximum OS version setting that the device's build exceeds, making it the direct cause.

How to eliminate wrong answers

Option B is wrong because the compliance policy does not include a password minimum length requirement, so the device cannot be noncompliant due to that setting. Option C is wrong because the policy does not configure a device threat protection level; the device threat protection setting is not present in the exhibit, so it cannot cause noncompliance. Option D is wrong because the policy does not require TPM presence; the TPM setting is not configured in the exhibit, so a missing TPM would not trigger noncompliance.

988 · MCQ · easy

Your organization uses Microsoft Intune to manage Android devices. You need to deploy an app that is available in the Managed Google Play store as a required app. What must you do first?

A. Connect Intune to the Managed Google Play store.
B. Enroll the device in Intune.
C. Install the Managed Google Play app on the device.
D. Upload the app package to Intune.

Answer: A

You must establish the connection before you can browse and assign apps.

Why this answer

To deploy apps from Managed Google Play, you must first connect your Intune tenant to Managed Google Play, so Option A is correct. Option B is wrong because you do not need to enroll each device individually before you can assign the app. Option C is wrong because the Managed Google Play app is pre-installed on Android Enterprise devices. Option D is wrong because the app is already in the store, so there is no package to upload.

989 · MCQ · hard

An administrator deploys a Win32 app via Intune with detection rule 'File exists: C:\Program Files\MyApp\app.exe'. The app is reported as installed, but users cannot launch it. The file exists but is corrupted. How should the administrator modify the detection rule to ensure the app is correctly detected and re-installed if corrupted?

A. Remove the detection rule so Intune always re-installs the app
B. Add a registry detection rule for the app's uninstall key
C. Use a custom detection script that validates the file hash or signature
D. Change detection rule to 'File version comparison' and set minimum version

Answer: C

A script can verify integrity and return 0 only if valid.

Why this answer

Option C is correct because a custom detection script can verify the file's integrity by checking its hash or digital signature, ensuring that even if the file exists, it is not corrupted. Intune's built-in detection rules only check for file existence or version, not file integrity. By using a script that validates the hash, the administrator can force a reinstall when the file is corrupted, as the detection will fail.

Exam trap

The trap here is that candidates assume 'File exists' or 'File version comparison' are sufficient for detection, overlooking that these rules do not validate file integrity, which is a common misconception in Intune app deployment scenarios.

How to eliminate wrong answers

Option A is wrong because removing the detection rule would cause Intune to always reinstall the app on every sync, leading to unnecessary bandwidth and user disruption, and it does not solve the corruption detection issue. Option B is wrong because adding a registry detection rule for the uninstall key only confirms the app was installed via the registry, not that the executable is uncorrupted; the uninstall key remains even if the file is corrupted. Option D is wrong because 'File version comparison' only checks the version number of the file, not its integrity; a corrupted file can still have the correct version metadata, so this would not trigger a reinstall.

990 · MCQ · medium

Refer to the exhibit. You run the PowerShell command shown and get the output. You need to force an immediate sync for PC-001. Which cmdlet should you use?

A. Sync-IntuneDevice -DeviceId ...
B. Start-DeviceSync -DeviceName PC-001
C. Invoke-IntuneDeviceAction -DeviceId ... -Action Sync
D. Update-IntuneDevice -DeviceId ...

Answer: A

This cmdlet initiates a sync with Intune.

Why this answer

The correct cmdlet is Sync-IntuneDevice, which is specifically designed to trigger an immediate synchronization for a Microsoft Intune-managed device by specifying its DeviceId. This cmdlet sends a sync request to the Intune service, forcing the device to check in and apply any pending policies or actions without waiting for the next scheduled sync interval.

Exam trap

The trap here is that candidates often confuse Invoke-IntuneDeviceAction with a sync action because it supports many device actions, but they fail to recognize that the correct parameter value for a sync is 'SyncDevice' (not 'Sync'), and that Sync-IntuneDevice is the dedicated cmdlet for this purpose.

How to eliminate wrong answers

Option B is wrong because Start-DeviceSync is not a valid Microsoft Intune cmdlet; it does not exist in the Microsoft Graph or Intune PowerShell module. Option C is wrong because Invoke-IntuneDeviceAction is a valid cmdlet but it requires an -Action parameter with a value like 'SyncDevice', not just 'Sync', and it is used for remote device actions such as wipe or retire, not for triggering a policy sync. Option D is wrong because Update-IntuneDevice is not a standard Intune cmdlet; it may be confused with Update-AutopilotDevice or similar, but it does not perform a sync action.

991 · Multi-Select · easy

Which TWO app types are available for deploying apps to iOS/iPadOS devices in Microsoft Intune? (Choose two.)

Select 2 answers
A. Web link
B. iOS/iPadOS app store app
C. Windows app (Win32)
D. Android Line-of-business app
E. iOS/iPadOS Line-of-business app

Answers: B, E

For apps available in the Apple App Store.

Why this answer

Intune supports iOS/iPadOS Line-of-business apps (custom apps) and iOS/iPadOS app store apps (from the Apple App Store), so Options B and E are correct. Option A is wrong because Web link is not an app type specific to iOS; it is a generic type. Option C is wrong because Win32 is for Windows. Option D is wrong because Android Line-of-business is for Android.
