Microsoft 365 Endpoint Administrator MD-102 (MD-102) — Questions 76–150

991 questions total · 14 pages · All types, answers revealed

Page 2 of 14
76
MCQ · easy

You need to ensure that only compliant devices can access Microsoft 365 resources. You create a Conditional Access policy in Microsoft Entra ID. Which condition should you use?

A. Locations condition set to trusted IPs.
B. Grant access with multi-factor authentication.
C. Require device to be marked as compliant.
D. Device platform condition set to all.
Answer: C

This is a grant control that enforces compliance.

Why this answer

Option A is correct because Conditional Access policy can require device compliance. Option B is wrong because it's not a condition. Option C is wrong because it's a control, not a condition.

Option D is wrong because it's a location condition.

77
MCQ · medium

You are troubleshooting a Windows 10 device that is not receiving required security updates from Microsoft Intune. The device is enrolled and shows as compliant. The update ring policy is assigned to the device. You check the Windows Update for Business logs and see that the deferral period is set correctly. What is the most likely cause?

A. The update ring is configured with an incorrect deferral period.
B. The device is not compliant with the security baseline.
C. Windows Update is blocked by the corporate firewall.
D. The update ring is not assigned to the device's group.
Answer: D

Without proper assignment, the policy does not apply to the device.

Why this answer

Option D is correct because the device is enrolled and compliant, and the deferral period is correctly set, which eliminates policy configuration issues. The most likely remaining cause is that the update ring policy is not assigned to the device's group, meaning the policy never reaches the device via Intune's policy delivery mechanism. Without proper group assignment, the Windows Update for Business settings are not applied, even if the device is compliant and the ring policy exists.

Exam trap

The trap here is that candidates assume a compliant device with a correctly configured policy will always receive updates, but they overlook the critical step of verifying that the device is actually a member of the assigned group, which is a separate prerequisite from compliance or policy configuration.

How to eliminate wrong answers

Option A is wrong because the question explicitly states that the deferral period is set correctly in the Windows Update for Business logs, so an incorrect deferral period is not the cause. Option B is wrong because the device is reported as compliant, and compliance with a security baseline is not a prerequisite for receiving update ring policies; update rings are applied via policy assignment, not compliance status. Option C is wrong because if Windows Update were blocked by a corporate firewall, the device would likely show errors connecting to Windows Update services, but the logs confirm the deferral period is correctly set, indicating the policy is being processed locally; a firewall block would prevent updates from downloading, not prevent the policy from being applied.

78
Multi-Select · hard

Your organization uses Microsoft Intune to manage iOS devices. You need to deploy an app that requires a VPN configuration when the app is launched. Which TWO options can you use to achieve this? (Choose two.)

Select 2 answers
A. Use a managed app configuration to include VPN settings.
B. Use a device compliance policy to require VPN.
C. Assign an app protection policy that enables VPN.
D. Create a device-wide VPN configuration profile.
E. Create a per-app VPN configuration profile and assign it to the app.
Answers: A, E

Managed app config can include VPN payload.

Why this answer

Options B and C are correct. A per-app VPN profile can be assigned to the app, or a managed app configuration can include VPN settings. Option A is incorrect because device-wide VPN does not restrict to specific apps.

Option D is incorrect because app protection policies do not manage VPN. Option E is incorrect because device compliance does not include VPN configuration.

79
MCQ · medium

A company uses Microsoft Intune to manage Windows 10 devices. Users report that after a recent update, some devices are stuck in a reboot loop. The administrator needs to identify devices affected by the issue. Which report in the Microsoft Intune admin center should the administrator use?

A. Windows Update report
B. Update compliance report
C. Device compliance report
D. Device inventory report
Answer: A

Windows Update report provides details on update deployment, including restart status.

Why this answer

The Windows Update report in the Microsoft Intune admin center provides detailed information about Windows 10 update deployments, including devices that are stuck in a reboot loop after an update. This report shows update status, errors, and pending reboots, allowing the administrator to identify affected devices and take remediation actions.

Exam trap

The trap here is that candidates often confuse the 'Update compliance report' (which is an Azure Monitor solution for broad update compliance) with the Intune-native 'Windows Update report' that specifically tracks update deployment status and reboot issues, leading them to select the wrong option.

How to eliminate wrong answers

Option B is wrong because the Update compliance report is a feature of Azure Monitor and Windows Analytics, not a native Intune report; it focuses on overall update compliance across devices but does not specifically highlight reboot loop issues. Option C is wrong because the Device compliance report shows compliance status against policies (e.g., encryption, antivirus) and does not track update-related reboot failures. Option D is wrong because the Device inventory report lists hardware and software details (e.g., OS version, installed apps) but does not include update status or reboot loop information.

80
MCQ · medium

Your organization uses Microsoft Intune to manage Windows 10 devices. You need to ensure that devices automatically install critical updates from Windows Update for Business within 3 days of release. Which configuration should you use?

A. Windows Autopatch deployment policy
B. Windows feature update policy
C. Device configuration policy for Windows 10/11
D. Update rings for Windows 10 and later
Answer: D

Update rings allow configuring deferral periods for quality updates.

Why this answer

Option B is correct because 'Update rings' in Intune allow you to configure deferral periods for quality updates. Option A is wrong because Windows Autopatch automates patching but does not configure deferral periods. Option C is wrong because feature update policies manage feature updates, not quality updates.

Option D is wrong because Windows 10/11 device configuration policies do not directly manage update rings.

81
MCQ · hard

Refer to the exhibit. You run this Microsoft Graph PowerShell command to retrieve managed devices. The output shows a device with a lastSyncDateTime of 5 days ago. What does this indicate?

A. The device was enrolled 5 days ago.
B. The device is non-compliant.
C. The device is unenrolled.
D. The device has not communicated with Intune for 5 days.
Answer: D

lastSyncDateTime indicates the last check-in time.

Why this answer

Option B is correct because lastSyncDateTime indicates when the device last communicated with Intune; 5 days ago means the device has not checked in for 5 days. Option A is wrong because complianceState is a separate property. Option C is wrong because enrollment date is in the past.

Option D is wrong because the device is still enrolled.

82
Multi-Select · medium

You are designing a Windows 10 update strategy using Windows Update for Business and Intune. Which THREE settings should you configure to ensure updates are delivered efficiently while minimizing user disruption?

Select 3 answers
A. Set active hours to prevent restarts during work.
B. Configure a deadline for quality updates.
C. Enable Delivery Optimization for update distribution.
D. Configure a deferral period for driver updates.
E. Set a grace period after the deadline.
Answers: A, B, E

Correct. Active hours minimize disruption.

Why this answer

Setting active hours prevents restarts during work by defining a window during which Windows Update will not automatically reboot the device. This minimizes user disruption by ensuring that updates only restart the device outside of specified active hours, aligning with the goal of delivering updates efficiently while maintaining productivity.

Exam trap

The trap here is that candidates often confuse Delivery Optimization (a bandwidth-saving feature) with a setting that directly controls update timing or user disruption, leading them to select it instead of focusing on restart management policies like active hours, deadlines, and grace periods.

83
MCQ · hard

Refer to the exhibit. A Windows 11 device assigned to this update ring is running a released version. What is the immediate behavior after the policy applies?

A. The device will uninstall the current Insider build and revert to the released version.
B. The device will be offered the latest Windows Insider Dev Channel build.
C. The device will defer all updates by 10 days.
D. The device will install the latest released quality update immediately.
Answer: B

Correct. The servicing channel directs the device to Dev Channel builds.

Why this answer

The exhibit shows an update ring policy configured with the 'Windows Insider Program' enabled and the 'Insider Channel' set to 'Dev Channel'. Since the device is currently on a released version, applying this policy will enroll it in the Windows Insider Program and offer the latest Dev Channel build. This is the immediate behavior because the policy triggers a check for the specified Insider build, not a deferral or quality update.

Exam trap

The trap here is that candidates may confuse the 'Deferral' settings with Insider build behavior, assuming deferral periods apply to Insider builds, when in fact enabling the Insider Program overrides deferrals for feature updates and directly offers the specified channel's build.

How to eliminate wrong answers

Option A is wrong because the policy does not uninstall the current build; it enrolls the device in the Insider Program, which offers a new build without reverting the existing OS. Option C is wrong because the policy explicitly enables Insider builds, overriding any deferral settings; deferrals apply to quality updates, not feature updates from Insider channels. Option D is wrong because the policy targets Insider Dev Channel builds, not released quality updates; quality updates are managed separately via deferral periods or other policies.

84
Multi-Select · medium

Which TWO prerequisites are required for Windows Autopilot self-deploying mode? (Choose two.)

Select 2 answers
A. A user account with Intune license
B. A Windows product key
C. MDM user affinity
D. TPM 2.0 chip
E. Network connectivity to Microsoft Intune
Answers: D, E

TPM 2.0 is required for hardware attestation.

Why this answer

Options B and C are correct. Self-deploying mode requires a physical TPM 2.0 chip for attestation and network connectivity to Microsoft Intune. Option A is wrong because a user account is not required.

Option D is wrong because a product key is not needed. Option E is wrong because a mobile device management (MDM) user affinity is not required.

85
MCQ · hard

Refer to the exhibit. An Intune administrator finds this configuration on a Windows 10 device. What is the purpose of this setting?

A. Define the Intune MDM discovery URL
B. Set the compliance policy evaluation URL
C. Configure Windows Update service endpoint
D. Specify the Microsoft Defender ATP tenant
Answer: A

This CSP sets the MDM enrollment server URL for Intune.

Why this answer

The correct answer is that it sets the Intune management endpoint for the device. Option A is incorrect because the MDM discovery URL is not for Windows Update. Option B is incorrect because the enrollment server URL is not for compliance policy.

Option D is incorrect because the URL is for device management, not Defender ATP.

86
Multi-Select · medium

You are troubleshooting a Windows 11 device that fails to install a required Win32 app deployed via Intune. Which THREE logs or locations should you review?

Select 3 answers
A. Windows Update log (C:\Windows\WindowsUpdate.log)
B. Intune Management Extension logs in %ProgramData%\Microsoft\IntuneManagementExtension\Logs
C. The IntuneManagementExtension.log file in the agent directory.
D. Windows Registry under HKLM\Software\Microsoft\Intune
E. Windows Event Logs under Applications and Services Logs > Microsoft > Windows > AppLocker
Answers: B, C, E

These logs detail app installation attempts.

Why this answer

Option A, Option C, and Option D are correct. The Intune Management Extension logs contain details about app installation. The Windows Event Logs under Applications and Services Logs > Microsoft > Windows > AppLocker may show block events.

The %ProgramData%\Microsoft\IntuneManagementExtension\Logs folder also contains logs. Option B is incorrect because the registry is not a primary log location. Option E is incorrect because the Windows Update log is not relevant for Win32 app installation.

87
Multi-Select · medium

Which TWO actions can you perform using Microsoft Intune to manage Windows 10 devices?

Select 2 answers
A. Create local user accounts on the device
B. Remotely wipe a device
C. Configure DHCP settings
D. Apply BitLocker encryption policies
E. Add the device to an Active Directory group
Answers: B, D

Intune supports remote wipe.

Why this answer

Option B is correct because Microsoft Intune supports a remote wipe action that can be triggered from the Intune console to reset a Windows 10 device to factory settings or selectively remove corporate data. This is a core device management capability used for data protection when a device is lost or stolen, leveraging the Windows 10 reset functionality via the Intune management channel.

Exam trap

The trap here is that candidates often confuse Intune's device management capabilities with on-premises Group Policy or Active Directory tasks, leading them to incorrectly select options like creating local users or managing DHCP, which are outside Intune's scope.

88
MCQ · medium

Your organization has Windows 11 devices used by remote employees. You need to ensure that only devices compliant with your security policies can access corporate email via Microsoft Outlook for Windows. What should you configure?

A. Set up a device compliance policy in Microsoft Purview to block non-compliant devices.
B. Create a Conditional Access policy in Microsoft Entra ID that requires device compliance, and assign the policy to the cloud app 'Office 365 Exchange Online'.
C. Configure a device filter in Exchange Online to block devices that are not managed by Intune.
D. Deploy an email security policy via Intune to block access from non-compliant devices.
Answer: B

This correctly combines Intune compliance with Entra ID Conditional Access to block non-compliant devices.

Why this answer

Conditional Access in Microsoft Entra ID can block access based on device compliance status. Intune compliance policies define the compliance requirements, and Conditional Access policies enforce the access control. Option A is correct.

Option B is wrong because device filters don't check compliance. Option C is wrong because it doesn't enforce compliance. Option D is wrong because it's for device enrollment, not access control.

89
MCQ · easy

You need to ensure that Windows 10 devices are automatically upgraded to Windows 11 if they meet hardware requirements. Which policy should you configure in Microsoft Intune?

A. Assign a driver update policy.
B. Assign a quality update policy.
C. Assign an update ring for Windows 10.
D. Assign a Windows 10/11 feature update policy.
Answer: D

Feature update policies are used to upgrade Windows 10 to Windows 11.

Why this answer

Option A is correct because the Windows 10/11 feature update policy in Intune is designed to upgrade devices to a later version, including Windows 11. Option B is wrong because update rings control update deferral, not feature upgrades. Option C is wrong because quality updates are cumulative security updates, not feature upgrades.

Option D is wrong because drivers are separate.

90
Multi-Select · hard

Which THREE of the following are valid detection rules for a Win32 app in Intune?

Select 3 answers
A. PowerShell script (custom detection)
B. MSI product code
C. Registry (key or value exists)
D. File system (file or folder exists)
E. Network share access
Answers: A, C, D

PowerShell script detection is valid.

Why this answer

Valid detection rules include file system, registry, and PowerShell script. MSI product code is a separate built-in rule but not a general detection rule type. Option E is not a detection rule type.

91
Multi-Select · hard

Which TWO are required to enable Windows Hello for Business in a hybrid deployment? (Select TWO.)

Select 2 answers
A. Configuration Manager
B. Microsoft Entra ID Connect
C. Public Key Infrastructure (PKI)
D. Multifactor authentication (MFA)
E. Microsoft Intune
Answers: B, C

Synchronizes on-premises AD with Microsoft Entra ID.

Why this answer

In a hybrid deployment, Windows Hello for Business requires synchronization of user credentials from on-premises Active Directory to Microsoft Entra ID. Microsoft Entra ID Connect (B) provides this synchronization, enabling the device to authenticate against both on-premises and cloud resources. Additionally, a Public Key Infrastructure (PKI) (C) is required to issue the certificate-based authentication keys used by Windows Hello for Business in hybrid deployments, as the on-premises domain controllers must trust the certificates.

Exam trap

The trap here is that candidates often confuse prerequisites (like MFA) with required infrastructure components, leading them to select MFA instead of recognizing that PKI and directory synchronization are the two mandatory elements for hybrid deployments.

92
MCQ · medium

Your organization has 500 Windows 11 devices managed by Microsoft Intune. You need to deploy a third-party Win32 application (AppDeploy.exe) that requires the user to accept an end-user license agreement (EULA) during installation. The app must be installed silently without user interaction. You have created a custom script that accepts the EULA automatically. The app is packaged as an .intunewin file. You need to configure the deployment in Intune. The installation command must run the script that accepts the EULA and then launches the installer. The detection rule must check for the presence of a specific file (C:\Program Files\AppDeploy\app.exe). You want to ensure that if the installation fails, Intune retries automatically. Which of the following configurations should you choose?

A. Install command: 'powershell.exe -ExecutionPolicy Bypass -File AcceptEULA.ps1 && AppDeploy.exe /S', Detection rule: File 'C:\Program Files\AppDeploy\app.exe' exists, Retry: 3 attempts every 60 minutes
B. Install command: 'AppDeploy.exe /S', Detection rule: Registry 'HKLM\Software\AppDeploy\Installed' exists, Retry: 3 attempts every 60 minutes
C. Install command: 'powershell.exe -ExecutionPolicy Bypass -File AcceptEULA.ps1', Detection rule: File 'C:\Program Files\AppDeploy\app.exe' exists, Retry: None
D. Install command: 'AppDeploy.exe /S', Detection rule: File 'C:\Program Files\AppDeploy\app.exe' exists, Retry: None
Answer: A

Chains EULA acceptance and silent install; retry configured.

Why this answer

Option B is correct. Using a PowerShell script as the install command allows you to chain commands: first accept EULA, then run setup. The detection rule uses file existence.

Setting 'Retry count' to 3 and 'Retry interval' to 60 minutes provides automatic retry. Option A is wrong because it does not include the EULA acceptance. Option C is wrong because the detection rule checks registry instead of file, which may not be reliable.

Option D is wrong because it does not include retry settings.

93
MCQ · easy

An IT administrator needs to ensure that iOS devices enrolled in Intune require a PIN of at least 6 digits. Where should the administrator configure this setting?

A. App protection policy
B. Device compliance policy for iOS
C. Conditional Access policy
D. Enrollment restrictions
Answer: B

Compliance policies include device health and security settings like PIN length.

Why this answer

The correct answer is Device compliance policy for iOS. Option B is incorrect because enrollment restrictions control device enrollment, not settings. Option C is incorrect because app protection policies apply to apps, not device-level PIN.

Option D is incorrect because conditional access controls access, not device settings.

94
MCQ · easy

You need to deploy a custom PowerShell script to all Windows 10 devices enrolled in Intune. The script must run under the SYSTEM account. Which Intune feature should you use?

A. Proactive remediations
B. PowerShell scripts (Devices > Scripts)
C. Compliance policy
D. Device configuration profile
Answer: B

PowerShell scripts in Intune can run in the system context.

Why this answer

PowerShell scripts (Devices > Scripts) in Intune allow you to upload and assign custom PowerShell scripts that run under the SYSTEM account on Windows 10 devices. This feature is specifically designed for executing scripts during device enrollment or on a schedule, ensuring the script has elevated privileges without user interaction.

Exam trap

The trap here is that candidates often confuse Proactive remediations (which also run scripts under SYSTEM) with custom PowerShell scripts, but Proactive remediations are limited to built-in templates and cannot deploy arbitrary custom scripts.

How to eliminate wrong answers

Option A is wrong because Proactive remediations are used for detecting and fixing common support issues with built-in detection and remediation scripts, not for deploying custom PowerShell scripts under the SYSTEM account. Option C is wrong because Compliance policies evaluate device settings against defined rules and do not execute scripts. Option D is wrong because Device configuration profiles manage settings via CSPs (Configuration Service Providers) and cannot run arbitrary PowerShell scripts.

95
MCQ · easy

You need to remotely wipe a lost corporate-owned iOS device enrolled in Microsoft Intune. The device is currently offline. What will happen when the device comes online?

A. The device must be unenrolled first and then wiped.
B. The device will be wiped immediately after a grace period of 24 hours.
C. The device will receive the wipe command the next time it checks in with Intune.
D. The wipe command will be queued only if the device is supervised.
Answer: C

Intune stores the command and delivers it on next device check-in.

Why this answer

Option B is correct because the wipe command is stored in the Intune service and sent when the device checks in. Option A is wrong because Intune does not wait for a grace period. Option C is wrong because the device does not need to be unenrolled first.

Option D is wrong because the wipe is not queued only for supervised devices.

96
MCQ · hard

Your organization uses Microsoft Defender for Cloud Apps. You need to configure a policy that automatically blocks downloads of sensitive data from SharePoint Online to unmanaged devices. Which policy type should you use?

A. Activity policy
B. App discovery policy
C. Access policy
D. Session policy
Answer: D

Session policies can block downloads in real-time.

Why this answer

Option C is correct because session policies in Defender for Cloud Apps can monitor and control activities in real-time. Option A is wrong because access policies control access, not downloads. Option B is wrong because activity policies are for alerts, not blocking.

Option D is wrong because app discovery policies are for discovering cloud apps.

97
Multi-Select · medium

A company uses Microsoft Intune to manage Windows 10 devices. Users report that some required line-of-business (LOB) apps are not being installed on their devices. The apps are assigned as 'Required' to a device group that includes the affected devices. Which two actions should the administrator take to troubleshoot the issue? (Choose two.)

Select 2 answers
A. Review the Intune Management Extension logs on a device for installation errors.
B. Uninstall the app from the affected devices and reassign it as Required.
C. Check the device’s last check-in time and perform a manual sync from the Intune console.
D. Reassign the app to the device group with a different assignment type.
E. Run gpresult /r on a device to confirm the app assignment policy is applied.
Answers: A, C

Logs provide detailed error messages.

Why this answer

The Intune Management Extension (IME) is the component responsible for deploying Win32 and line-of-business (LOB) apps on Windows 10 devices. Reviewing its logs (located in %ProgramData%\Microsoft\IntuneManagementExtension\Logs) provides detailed error messages, such as download failures, dependency issues, or script execution errors, which directly indicate why a required app failed to install.

Exam trap

The trap here is that candidates confuse Intune MDM app deployment with traditional Group Policy Software Installation (GPSI) and incorrectly choose gpresult /r, not realizing Intune uses the IME and MDM channel, not Active Directory Group Policy.

98
MCQ · hard

Refer to the exhibit. A Windows 10 device with OS build 10.0.19041.1 is evaluated against this compliance policy. The device meets all settings except one. The OS version is 10.0.19041.1, which is above the minimum of 10.0.19041.0, and the device has BitLocker enabled, Secure Boot enabled, and the firewall enabled. Which setting will cause the device to be non-compliant?

A. BitLocker is not enabled on the device.
B. Antivirus signatures are out of date.
C. Secure Boot is not enabled on the device.
D. The firewall is not enabled on the device.
Answer: B

The policy requires signatureOutOfDate: false, meaning signatures must be up to date.

Why this answer

Option C is correct. The policy requires osMinimumVersion "10.0.19041.0" and osMaximumVersion "10.0.19043.0". The device runs 10.0.19041.1, which is above the minimum and below the maximum, so it is within range.

The policy also sets "signatureOutOfDate": false, meaning the device must have up-to-date antivirus signatures. The exhibit does not state the device's signature status, but the question implies the device is non-compliant because its signatures are out of date. Options A, B, and D are all satisfied per the exhibit, so the only remaining setting that can cause non-compliance is signatureOutOfDate: the policy requires it to be false, but the device may have outdated signatures.

Of the options given, A) BitLocker not enabled, B) Secure Boot not enabled, C) Antivirus signatures out of date, D) Firewall not enabled, the device has everything enabled except possibly its signatures. So C is correct.

99
MCQ · medium

Your organization uses Microsoft Intune to manage macOS devices. You need to deploy a PKG app that requires reboot. Which app type should you select?

A. macOS LOB app
B. macOS web app
C. Microsoft 365 for macOS
D. macOS DMG app
Answer: A

Supports PKG and scripts for reboot.

Why this answer

The macOS LOB app type supports the PKG format and can include post-install scripts. The web app type is for URLs. Microsoft 365 for macOS is for the Office suite.

DMG apps are a separate macOS app type; a PKG is not a DMG, but the LOB app type can wrap a PKG. Therefore, macOS LOB app is correct.

100
MCQ · medium

Your organization uses Microsoft Intune to manage iOS devices. You need to deploy a custom configuration profile to configure Wi-Fi settings for corporate devices. Which method should you use?

A. Use a Microsoft Entra ID (Azure AD) device configuration policy.
B. Use a PowerShell script to apply the settings.
C. Use a custom configuration profile in Intune.
D. Use a Microsoft Defender for Endpoint security policy.
Answer: C

Custom profiles allow deploying settings not available in built-in templates.

Why this answer

Custom configuration profiles are created using Apple Configurator or manually, and then uploaded to Intune for deployment.

101
MCQ · easy

A user reports that their Windows 10 device is not receiving compliance policies from Microsoft Intune. The device shows as 'Not evaluated' in the Microsoft Intune admin center. Which of the following is the most likely cause?

A. The device has not checked in with Intune recently.
B. The MDM authority is set to Configuration Manager.
C. The compliance policy is set to 'Not applicable' due to OS version.
D. BitLocker encryption is enabled on the device.
Answer: A

The device must sync to receive and evaluate policies.

Why this answer

The device is not syncing with Intune, so compliance policies are not evaluated. Option A is correct because the Intune Management Extension handles policy retrieval and compliance evaluation. Option B is incorrect because BitLocker is not related to policy evaluation.

Option C is incorrect because stale policies do not prevent evaluation; the device would still evaluate. Option D is incorrect because the MDM authority is already set to Intune.

102
MCQ · hard

Your company uses Microsoft Intune to manage Windows 10 devices. You need to deploy a PowerShell script that runs in the system context during automatic enrollment. The script must run before the user logs on. Which approach should you use?

A. Add the script as a device management extension (PowerShell script) in Intune, assigned to 'All Devices'.
B. Assign the script as a compliance policy remediation.
C. Deploy the script as a proactive remediation in Microsoft Intune.
D. Embed the script in a device configuration profile using a custom OMA-URI.
Answer: A

Device management extension scripts run in system context during enrollment.

Why this answer

Option A is correct because device management extension (PowerShell scripts) in Microsoft Intune run in the system context and execute during automatic enrollment before the user logs on. This is the only Intune method that supports system-context script execution at enrollment time without requiring a user session.

Exam trap

The trap here is that candidates confuse proactive remediations (which also run PowerShell scripts) with device management extension scripts, not realizing that proactive remediations require a user session and are intended for post-enrollment health checks, not pre-logon provisioning.

How to eliminate wrong answers

Option B is wrong because compliance policy remediations run only after the device has been evaluated for compliance, which occurs after enrollment and user logon, not before. Option C is wrong because proactive remediations are designed for ongoing detection and remediation of common support issues, not for first-run deployment during automatic enrollment. Option D is wrong because custom OMA-URI profiles are used to configure device settings via CSPs, not to execute PowerShell scripts in the system context.

103
Multi-Select · medium

An Intune administrator needs to ensure that Windows 10 devices are compliant with security requirements. Which TWO options are valid compliance settings for Windows 10?

Select 2 answers
A. Device category must be 'Corporate'
B. Device enrollment type must be 'Corporate'
C. Require BitLocker
D. Minimum OS version
E. Require app protection policy
Answers: C, D

BitLocker is a built-in compliance setting for Windows 10.

Why this answer

The correct answers are C and D. Require BitLocker (under Device Health) and Minimum OS version (under Device Properties) are built-in rules in a Windows 10/11 compliance policy. Option A is incorrect because device category is an organizational label, not a compliance rule. Option B is incorrect because enrollment type (corporate or personal ownership) is a device property, not something a compliance policy evaluates. Option E is incorrect because app protection policies are a separate MAM feature, not a compliance rule.

104
MCQhard

Refer to the exhibit. You have an Intune configuration that includes a compliance policy and a device configuration policy for Windows 10 devices. You deploy both policies to a group of devices. After deployment, some devices are marked as non-compliant even though they have BitLocker enabled and Windows Defender Antivirus running. Which setting is most likely causing the conflict?

A.The compliance policy requires password, but the device configuration policy does not configure any password settings, leading to non-compliance.
B.The compliance policy requires encryption, but the device configuration policy does not enforce BitLocker startup PIN, causing compliance failure.
C.The device configuration policy sets scanParameter to 'fullscan', which may interfere with compliance checks.
D.The compliance policy requires Defender, but the device configuration policy sets cloudBlockLevel to 'high', which may conflict with some devices.
AnswerA

The compliance policy requires a password, but the device configuration policy does not set a password policy, so devices may not have a compliant password.

Why this answer

Option A is correct. The compliance policy in the exhibit requires a password with a minimum length of 6, but the device configuration policy contains no password settings, so nothing forces a device to have a compliant local password. A device without one fails the password rule even though its BitLocker and Defender checks pass, which matches the symptom in the stem: encrypted, Defender running, still non-compliant. The password rule is the one requirement that neither exhibit satisfies.

How to eliminate wrong answers

Option B is wrong because the compliance policy requires encryption, not a startup PIN; setting requireStartupPin to false in the configuration profile has no effect on the encryption check. Option C is wrong because scanParameter only selects the Defender scan type and is not evaluated by compliance. Option D is wrong because cloudBlockLevel tunes Defender cloud protection; there is no compliance rule behind it.

105
Multi-Selectmedium

Which TWO Intune policies can be used to enforce encryption on macOS devices?

Select 2 answers
A.Device Compliance policy that requires BitLocker.
B.Device Compliance policy that requires Disk Encryption.
C.Device Configuration policy (Device Restrictions) for Disk Encryption.
D.Device Configuration policy (Endpoint Protection) for FileVault.
E.Device Compliance policy that requires FileVault.
AnswersD, E

This policy configures FileVault settings.

Why this answer

Option D is correct because FileVault is the native full-disk encryption solution for macOS, and Intune's Device Configuration policy (Endpoint Protection) provides a dedicated profile to enable and enforce FileVault encryption. Option E is correct because a Device Compliance policy can also require FileVault encryption as a compliance setting, allowing conditional access to block non-compliant devices.

Exam trap

The trap here is that candidates confuse the generic 'Disk Encryption' term with the macOS-specific FileVault, or assume that BitLocker (a Windows-only feature) can be applied to macOS, leading them to select options A or B instead of the correct FileVault-based answers.

106
Multi-Selecteasy

You need to deploy Windows updates to a group of devices using Microsoft Intune. Which TWO policies should you configure to ensure updates are applied within a maintenance window?

Select 2 answers
A.Assignment filter
B.Device compliance policy
C.Windows 10 and later update ring
D.Windows 10 and later quality update
E.Windows 10 and later feature update
AnswersC, E

Update rings manage update deferral, deadline, and maintenance windows.

Why this answer

Update rings carry the deferral, deadline, active-hours and restart settings that keep installs inside the maintenance window, and feature update policies pin devices to a specific feature version. The quality update policy type exists only to expedite one particular quality update; it does not schedule or defer updates. Assignment filters only refine targeting, and compliance policies do not configure update deployment.

107
Multi-Selectmedium

Your organization uses Microsoft Intune to manage Windows devices. You need to deploy a PowerShell script that runs in the user context during device enrollment. Which two conditions must be met? (Select TWO.)

Select 2 answers
A.The script must be assigned to the user scope.
B.The script must be saved as a .psm1 file.
C.The script must be assigned to device groups.
D.The script must be signed with a trusted certificate.
E.The script must be added via a custom OMA-URI policy.
AnswersA, D

User context scripts must be assigned to user groups.

Why this answer

Options A and D are correct. Running in the user context means the script executes under the signed-in user's account, so it is assigned through user groups (user scope), and when the script's signature check is enforced it must be signed with a certificate the device trusts. Option B is wrong because Intune accepts .ps1 script files, not .psm1 modules.

Option C is wrong because assignment to device groups is the pattern for system-context provisioning, not for a user-context script. Option E is wrong because Intune scripts are uploaded under Scripts and remediations, not delivered through a custom OMA-URI profile.
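The two script questions above (system context at enrollment, and user context with a signature check) come down to two things a practitioner wants to see in the log: which account the script actually ran as, and whether its Authenticode signature is valid. The skeleton below is an added example, not code from the page or from Microsoft; the log folder name and the $RequireSignature switch are assumptions for the example.

```powershell
# Added example: skeleton for a script deployed through the Intune management
# extension. It records whether it was launched as SYSTEM (run using logged-on
# credentials = No) or as the signed-in user, and refuses to continue when its
# own Authenticode signature is not valid, which is what "Enforce script
# signature check" expects. Log folder and switch below are assumptions.

$LogDir           = Join-Path $env:ProgramData 'ContosoIntuneScripts'   # assumed path
$LogFile          = Join-Path $LogDir 'context.log'
$RequireSignature = $true   # mirrors "Enforce script signature check" = Yes

function Get-RunContext {
    # 'System' when running under the LocalSystem account, otherwise 'User'.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    if ($id.IsSystem) { return 'System' }
    return 'User'
}

function Test-ScriptSignature {
    param([Parameter(Mandatory)][string]$Path)
    # Status 'Valid' means signed by a certificate the device already trusts;
    # 'NotSigned', 'UnknownError' (untrusted chain) and 'HashMismatch' all fail.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Status  = $sig.Status
        Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        IsValid = ($sig.Status -eq 'Valid')
    }
}

function Write-Log {
    param([string]$Message)
    if (-not (Test-Path $LogDir)) {
        New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
    }
    "{0:u} [{1}] {2}" -f (Get-Date), (Get-RunContext), $Message | Add-Content -Path $LogFile
}

# --- main ---
$context = Get-RunContext
Write-Log ("Started as {0}" -f [System.Security.Principal.WindowsIdentity]::GetCurrent().Name)

if ($context -eq 'System') {
    # No user profile: HKCU and $env:USERPROFILE belong to the system profile,
    # so a pre-logon provisioning script must not touch per-user settings here.
    Write-Log 'System context: per-user settings are not available in this run.'
}

if ($RequireSignature -and $PSCommandPath) {
    $check = Test-ScriptSignature -Path $PSCommandPath
    Write-Log ("Signature status: {0}; signer: {1}" -f $check.Status, $check.Signer)
    if (-not $check.IsValid) {
        Write-Log 'Signature not valid; exiting non-zero so Intune reports the script as failed.'
        exit 1
    }
}

# ... provisioning work goes here ...
Write-Log 'Provisioning step completed.'
exit 0
```

Sign the file with Set-AuthenticodeSignature before uploading it, or the guard exits with 1 on the first run; the management extension reports a non-zero exit code as Failed in the script status, which is the behaviour you want when the trust check does not pass.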

108
Multi-Selectmedium

Which TWO conditions must be met for a Windows 10 device to be considered compliant with an Intune compliance policy that requires BitLocker and Secure Boot?

Select 2 answers
A.TPM is present and enabled.
B.Secure Boot is enabled.
C.All fixed drives are encrypted with BitLocker.
D.Windows Defender Antivirus is active.
E.BitLocker is enabled on the system drive.
AnswersB, E

Secure Boot is a required setting.

Why this answer

Options B and E are correct. A policy that requires BitLocker and Secure Boot is satisfied when BitLocker is enabled on the operating system drive and Secure Boot is enabled in firmware; both states are reported through Device Health Attestation. Option A is wrong because a TPM is a prerequisite for the attestation, not a separate rule in this policy.

Option C is wrong because the rule checks the system drive, not every fixed drive. Option D is wrong because antivirus is a different compliance setting that this policy does not name.

109
MCQhard

You are the endpoint administrator for Contoso, Ltd., a company with 10,000 employees. The environment includes Windows 10/11 devices, iOS/iPadOS, and Android Enterprise devices. The company recently acquired a subsidiary that uses non-compliant Android devices. The security team mandates that all devices must have encryption enabled and a PIN of at least 6 digits. Additionally, the company wants to use Microsoft Defender for Endpoint on all Windows devices. Currently, only 60% of devices are enrolled in Intune. The CIO wants to increase enrollment to 95% within 6 months. You need to design a device preparation strategy. Which approach should you recommend?

A.Deploy Windows Autopilot for all new devices and ignore existing devices.
B.Purchase a third-party MDM tool to manage non-compliant devices.
C.Ask all users to manually enroll their devices using the Company Portal app.
D.Configure automatic enrollment via Microsoft Entra ID for Windows devices, deploy conditional access policies that require compliance for iOS/Android, and run a communications campaign to drive enrollment.
AnswerD

This leverages automation and policy enforcement to increase enrollment.

Why this answer

Option D is correct because it leverages Microsoft Entra ID automatic enrollment for Windows devices (via Group Policy or MDM discovery), which scales enrollment without user intervention, and uses Conditional Access policies to enforce compliance for iOS/Android devices, requiring encryption and a 6-digit PIN. This approach addresses the 95% enrollment target within 6 months by combining automated enrollment, compliance enforcement, and user awareness, while also integrating Microsoft Defender for Endpoint for Windows devices.

Exam trap

The trap here is that candidates may assume manual enrollment (Option C) is sufficient, overlooking the scalability and enforcement capabilities of automatic enrollment and Conditional Access, which are essential for achieving high enrollment rates in a large enterprise with mixed device platforms.

How to eliminate wrong answers

Option A is wrong because ignoring existing devices leaves 40% of the current fleet unmanaged, failing to meet the 95% enrollment target; Windows Autopilot is only for new devices and does not address existing non-compliant Android devices. Option B is wrong because purchasing a third-party MDM tool introduces unnecessary cost and complexity, and does not integrate with Intune or Microsoft Defender for Endpoint, which is required for Windows devices; the goal is to increase Intune enrollment, not replace it. Option C is wrong because relying solely on manual enrollment via Company Portal is inefficient and unlikely to achieve 95% enrollment within 6 months, as it depends on user initiative and does not enforce compliance for non-compliant Android devices.

110
MCQhard

You manage iOS devices with Microsoft Intune. You need to deploy an app that is not available in the Apple App Store. The app is developed internally and signed with an enterprise certificate. Which app type should you use?

A.iOS/iPadOS app store app
B.Web link
C.Built-in app
D.iOS/iPadOS Line-of-business app
AnswerD

LOB apps are for custom or in-house iOS apps.

Why this answer

Option D is correct: an internally developed iOS app signed with an enterprise (in-house) distribution certificate and not published to the App Store is added as an iOS/iPadOS line-of-business app, with the .ipa uploaded to Intune. Option A is wrong because the iOS/iPadOS app store type only references apps published in the App Store.

Option C is wrong because the built-in app type is a curated list of common store apps, not a way to upload your own package. Option B is wrong because a web link is a shortcut to a URL, not an installer.

111
MCQhard

Refer to the exhibit. You create a custom configuration profile in Intune for Windows 10 devices. The profile is assigned to a test device, but the telemetry setting is not applied. The device is managed and compliant. What is the most likely reason?

A.The device is not compliant with the baseline policy.
B.The OMA-URI path for AllowTelemetry is incorrect.
C.The AllowTelemetry policy value must be an integer, not a string, or the device needs a Windows 10 version that supports this setting.
D.The custom profile conflicts with a built-in policy that sets telemetry to full.
AnswerC

AllowTelemetry expects an integer (0-3); OMA-URI string type may cause failure. Also, some settings require specific builds.

Why this answer

Option C is correct because the AllowTelemetry node of the Policy CSP (./Device/Vendor/MSFT/Policy/Config/System/AllowTelemetry) takes an integer from 0 to 3; a custom OMA-URI setting created with the String data type is not a valid write to that node, so the setting fails to apply and the profile reports an error rather than the value taking effect. A related caveat: value 0 (Security) is honored only on Enterprise and Education editions, and Pro treats 0 as 1 (Basic). Option A is wrong because compliance with a baseline does not decide whether a configuration profile applies. Option B is wrong because the path in the exhibit is correct.

Option D is wrong because a conflict with another policy would show as a conflict in the profile status, not as a silently missing setting.
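The wrong form and the right form of that custom setting side by side, with a pre-flight check that catches the data-type mistake before the profile is submitted. This is an added example, not code from the page or from Microsoft; the display names and profile name are assumptions, and the Graph types used are the omaSettingString, omaSettingInteger and windows10CustomConfiguration types from the Graph device management API.

```powershell
# Added example: request body fragments for a Windows custom profile that sets
# AllowTelemetry, shown wrong (String) and right (Integer), plus a check that
# rejects the wrong one before it reaches Intune. Names are assumptions.

$AllowTelemetryUri = './Device/Vendor/MSFT/Policy/Config/System/AllowTelemetry'

# Wrong: the CSP node is an integer (0-3); a string "0" is not a valid write.
$wrongSetting = @{
    '@odata.type' = '#microsoft.graph.omaSettingString'
    displayName   = 'AllowTelemetry (wrong type)'
    omaUri        = $AllowTelemetryUri
    value         = '0'
}

# Right: integer type. 0 = Security is honored on Enterprise/Education only;
# Pro treats 0 as 1 (Basic). 2 = Enhanced, 3 = Full.
$rightSetting = @{
    '@odata.type' = '#microsoft.graph.omaSettingInteger'
    displayName   = 'AllowTelemetry'
    omaUri        = $AllowTelemetryUri
    value         = 0
}

function Test-AllowTelemetrySetting {
    param([Parameter(Mandatory)][hashtable]$Setting)
    $problems = @()
    if ($Setting.omaUri -ne $AllowTelemetryUri) {
        $problems += "unexpected OMA-URI '$($Setting.omaUri)'"
    }
    if ($Setting['@odata.type'] -ne '#microsoft.graph.omaSettingInteger') {
        $problems += "data type must be omaSettingInteger, got $($Setting['@odata.type'])"
    }
    if (($Setting.value -isnot [int]) -or $Setting.value -lt 0 -or $Setting.value -gt 3) {
        $problems += "value must be an integer 0-3, got '$($Setting.value)'"
    }
    [pscustomobject]@{
        Name     = $Setting.displayName
        Ok       = ($problems.Count -eq 0)
        Problems = ($problems -join '; ')
    }
}

Test-AllowTelemetrySetting -Setting $wrongSetting   # Ok = False, two problems listed
Test-AllowTelemetrySetting -Setting $rightSetting   # Ok = True

# Profile body as it would be submitted once the check passes. The Graph call
# is left commented so the example runs offline.
$body = @{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = 'Telemetry - Security level'   # assumed name
    omaSettings   = @($rightSetting)
}
# Connect-MgGraph -Scopes DeviceManagementConfiguration.ReadWrite.All
# New-MgDeviceManagementDeviceConfiguration -BodyParameter $body
```

The check is deliberately strict about the type rather than the value: a string "0" that happens to look numeric is exactly the case the exhibit describes, and it is the data type on the OMA-URI row in the portal that decides whether the CSP accepts the write.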

112
MCQeasy

A user reports that their Windows device is not appearing in the Intune console after enrollment. The device is joined to Microsoft Entra ID and the user has an Intune license. What should you check first?

A.Ensure that the MDM user scope in Microsoft Entra ID is set to 'All' or 'Some'.
B.Assign an Intune license to the device.
C.Verify that enrollment restrictions are not blocking the device.
D.Check if the device is compliant.
AnswerA

The MDM user scope controls automatic enrollment.

Why this answer

The most common reason a device fails to appear in the Intune console after enrollment is that the MDM user scope in Microsoft Entra ID is not configured to include the user. The MDM user scope determines which users can automatically enroll their devices into Intune; if it is set to 'None', enrollment is blocked entirely. Since the device is already joined to Microsoft Entra ID and the user has an Intune license, the first step is to verify this scope setting.

Exam trap

The trap here is that candidates often jump to troubleshooting enrollment restrictions or compliance policies, overlooking the foundational MDM user scope which must be explicitly configured to allow enrollment to proceed.

How to eliminate wrong answers

Option B is wrong because Intune licenses are assigned to users, not devices; the user already has a license, so assigning one to the device is not a valid action. Option C is wrong because enrollment restrictions (e.g., platform or version blocks) would typically cause an enrollment failure with an error message, not a silent absence from the console after a successful join. Option D is wrong because device compliance is evaluated after enrollment and does not affect whether the device appears in the Intune console; a non-compliant device still shows up.

113
MCQeasy

Your company has 500 iOS devices enrolled in Microsoft Intune. The devices are used by sales representatives to access customer data. You need to ensure that if a device is lost or stolen, an administrator can remotely lock the device and display a custom message with a phone number to call. Which remote action should the administrator use?

A.Remote lock
B.Reset passcode
C.Wipe
D.Retire
AnswerA

Remote lock locks the device without removing data; on iOS/iPadOS, showing a message and phone number on the lock screen is the Lost mode action, which requires a supervised device.

Why this answer

Option A is correct because 'Remote lock' locks the device, and among the actions listed it is the only one that keeps the device and its data intact for recovery. Note that the custom message and callback phone number on the lock screen come from Intune's Lost mode action for supervised iOS/iPadOS devices; plain Remote lock on an unsupervised device only locks it. Option B is wrong because 'Reset passcode' changes the passcode but does not display a message. Option C is wrong because 'Wipe' performs a factory reset, erasing all data, so nothing would be shown.

Option D is wrong because 'Retire' removes company data and management only; it does not lock the device.

114
Multi-Selecthard

Which THREE of the following are valid methods to deploy Microsoft 365 Apps for enterprise using Microsoft Intune?

Select 3 answers
A.Use the built-in Microsoft 365 Apps app type in Intune.
B.Use the Office Deployment Tool (ODT) within a script deployed via Intune.
C.Assign the apps via Azure AD application registration.
D.Package the Office installer as a Win32 app.
E.Deploy the MSI version of Office via Intune.
AnswersA, B, D

Simplest method with built-in settings.

Why this answer

Intune supports deploying Microsoft 365 Apps through the built-in Microsoft 365 Apps app type, by packaging setup.exe with an ODT configuration XML as a Win32 app, and by running the Office Deployment Tool from a script. Option C is incorrect because an Entra ID (Azure AD) application registration is an identity object and does not deploy software. Option E is incorrect because Microsoft 365 Apps ships only as Click-to-Run; there is no MSI installer to deploy.

115
Multi-Selecteasy

Which TWO settings can be configured in a Windows 10 device restriction profile in Intune to enhance security?

Select 2 answers
A.Require BitLocker encryption
B.Disable copy and paste between apps
C.Disable the camera
D.Require a password for unlocking the device
E.Configure Windows Update for Business settings
AnswersC, D

Disabling camera is a security restriction.

Why this answer

Options C and D are correct: disabling the camera and requiring a password to unlock the device are both settings in the Windows 10 device restriction profile. Option A is wrong because BitLocker is configured through an endpoint protection or disk encryption profile and required through compliance, not in device restrictions.

Option B is wrong because copy and paste between apps is an app protection (MAM) policy setting. Option E is wrong because Windows Update for Business is configured through update rings.

116
Matchingmedium

Match each Intune configuration profile type to its purpose.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Control settings like password, camera, and Bluetooth

Define rules for device health and security

Deploy custom OMA-URI or Apple Configurator settings

Configure Windows Defender Firewall and BitLocker

Group Policy-like settings for Windows devices

Why these pairings

These are common profile types managed in Intune for MD-102.

117
MCQhard

You manage devices with Microsoft Intune. You need to deploy a line-of-business (LOB) app that is signed with a certificate not trusted by the devices. The app requires installation in the system context. Which deployment method should you use?

A.Microsoft Store for Business app
B.Win32 app
C.Microsoft Intune LOB app (msi/appx)
D.Web link
AnswerB

Win32 apps can be unsigned and run in system context.

Why this answer

Win32 apps in Microsoft Intune support installation in the system context via the 'Install behavior' setting, and they can be deployed using a custom installation script that handles certificate trust issues (e.g., by installing the signing certificate first or using a silent install switch). This method also allows the app to run with elevated privileges, which is required for system-context installation, and does not depend on the device trusting the app's signing certificate at deployment time.

Exam trap

The trap here is that candidates often assume 'LOB app' must use the Intune LOB app type (MSI/APPX), but the requirement for system context and untrusted certificate forces the use of the Win32 app type, which provides the flexibility to handle certificate trust via scripting.

How to eliminate wrong answers

Option A is wrong because store apps are pulled from the store catalog, so an internally signed package cannot be delivered that way (and Microsoft Store for Business has been retired). Option C is wrong because the LOB app type for APPX/MSIX packages requires the package signing certificate to already be trusted on the device and offers no step to establish that trust first. Option D is wrong because a web link opens a URL in the browser and installs nothing, let alone in the system context.

118
MCQmedium

Your organization uses Intune to manage iOS/iPadOS devices. You need to deploy a custom SSL certificate to all devices for accessing an internal web app. Which profile type should you use?

A.PKCS certificate profile
B.SCEP certificate profile
C.Trusted certificate profile
D.Custom configuration profile (preferences)
AnswerC

Deploys a root CA certificate to devices.

Why this answer

Option C is correct because a trusted certificate profile pushes the CA certificate (root or intermediate) that issued the web app's SSL certificate, so the device trusts the server. Option A is wrong because a PKCS profile requests a certificate for the device or user from your CA; it does not deploy an existing certificate. Option B is wrong because a SCEP profile likewise enrolls the device for its own certificate over the SCEP protocol.

Option D is wrong because certificate deployment uses the dedicated certificate profiles; the custom profile is for settings Intune has no template for.

119
MCQmedium

Your organization recently deployed Windows 11 devices managed by Microsoft Intune. You need to ensure that only approved third-party drivers are installed on these devices. What is the best approach?

A.Deploy a Windows Driver Frameworks (WDF) Coinstaller to enforce driver signing.
B.Use Device Installation Restrictions to allow only approved hardware IDs.
C.Configure Windows Update for Business group policy settings to block driver updates from Windows Update.
D.Configure a Windows Defender Application Control policy to block unsigned drivers.
AnswerC

This setting prevents drivers from being installed via Windows Update, and you can use a custom policy to allow specific approved drivers.

Why this answer

Option C is correct because Windows Update for Business exposes a Windows drivers setting (the ExcludeWUDriversInQualityUpdate policy, shown in an Intune update ring as Windows drivers: Block); set to Block, it stops Windows Update from installing third-party drivers automatically, so only drivers you approve and deliver yourself reach the device. This is the most direct and manageable approach for Intune-managed Windows 11 devices, because it controls the driver update source without building a code-signing policy or maintaining hardware ID allow lists.

Exam trap

The trap here is that candidates often confuse driver signing enforcement (WDAC or code signing policies) with controlling the source of driver updates, leading them to choose Option D or A, when the real requirement is to block automatic driver updates from Windows Update, not to enforce signing at execution time.

How to eliminate wrong answers

Option A is wrong because Windows Driver Frameworks (WDF) Coinstaller is used to install and register driver packages, not to enforce driver signing; it does not restrict which drivers can be installed. Option B is wrong because Device Installation Restrictions based on hardware IDs can block specific devices but do not control driver updates from Windows Update; they are designed to prevent installation of devices, not drivers. Option D is wrong because Windows Defender Application Control (WDAC) blocks unsigned binaries from executing, but it does not specifically target driver updates from Windows Update; it is a broader security control that can block legitimate signed drivers if not properly configured, and it is not the best approach for simply restricting driver updates.

120
MCQhard

Refer to the exhibit. An Intune compliance policy JSON for Windows 10 devices. A device with OS version 10.0.19041.1 and no encryption reports as noncompliant. What is the most likely reason?

A.The OS version exceeds the maximum allowed version.
B.The password type is set to 'deviceDefault' which does not support numeric PIN.
C.The OS version is below the minimum requirement.
D.The device does not have BitLocker encryption enabled.
AnswerD

The policy requires encryption, and the device has none.

Why this answer

Option D is correct because the policy sets storageRequireEncryption to true and the device has no encryption, so the encryption rule fails. Options A and C are wrong because 10.0.19041.1 lies inside the policy's version range. Option B is wrong because a password type of deviceDefault accepts numeric PINs.

121
MCQhard

Refer to the exhibit. You are creating a device filter in Microsoft Intune to target a policy to Windows 10 Pro devices. The filter should only apply to devices running OS build 1904x (20H1 or later). However, some devices with build 1904x and SKU Professional are not receiving the policy. What is the most likely reason?

A.The -startsWith operator does not work for osVersion property.
B.The device must be enrolled via Autopilot for filters to apply.
C.The filter rule syntax is incorrect because of the parentheses.
D.The device.skuFamily property value is case-sensitive and may not match 'Professional'.
AnswerD

Case sensitivity can cause mismatches.

Why this answer

Option D is correct because the `device.skuFamily` property in Microsoft Intune is case-sensitive. When creating a device filter rule, the value 'Professional' must exactly match the case of the SKU family string returned by the device. If the actual SKU family is reported as 'Professional' with a different casing (e.g., 'professional' or 'PROFESSIONAL'), the filter will not match, causing the policy not to apply to those devices.

Exam trap

The trap here is that candidates often assume property values in Intune filters are case-insensitive, leading them to overlook the exact casing requirement for `device.skuFamily`, and instead focus on unrelated syntax or enrollment requirements.

How to eliminate wrong answers

Option A is wrong because the `-startsWith` operator is fully supported for the `osVersion` property in Intune device filters, and it is commonly used to match OS build versions like '1904x'. Option B is wrong because device filters in Intune do not require Autopilot enrollment; they work with any enrolled Windows device, regardless of enrollment method. Option C is wrong because parentheses are valid in filter rule syntax for grouping conditions, and the provided syntax does not contain an error related to parentheses.

122
MCQeasy

A user reports that their Windows 11 device is not receiving security updates. The device is enrolled in Microsoft Intune and shows as compliant. You check the Update Rings policy and see that the device is assigned to a ring that defers updates by 30 days. What should you do to ensure the device gets the latest security updates immediately?

A.Change the compliance policy to require immediate updates.
B.Run Windows Update manually on the device.
C.Re-enroll the device in Intune.
D.Assign the device to a different update ring with a 0-day deferral.
AnswerD

This ensures the device receives updates without delay.

Why this answer

The device is assigned to an update ring that defers updates by 30 days, which is why it is not receiving the latest security updates despite being compliant. To immediately receive the latest updates, you must assign the device to a different update ring with a 0-day deferral, as update rings in Microsoft Intune control the deferral period for Windows Update for Business. Changing the ring triggers the device to check for updates based on the new policy, ensuring immediate availability of security updates.

Exam trap

The trap here is that candidates may think manually running Windows Update or changing compliance policies can override the update ring deferral, but only reassigning to a different ring with a shorter deferral period will actually change the update behavior.

How to eliminate wrong answers

Option A is wrong because compliance policies in Intune do not control update deferral settings; they enforce device health and configuration requirements, not update ring deferral periods. Option B is wrong because manually running Windows Update on the device will still respect the deferral period set by the assigned update ring policy, so it will not bypass the 30-day delay. Option C is wrong because re-enrolling the device in Intune does not change the update ring assignment; the device would still be subject to the same deferral policy unless the ring assignment is explicitly changed.

123
MCQmedium

A company plans to deploy Windows 11 to 500 devices using Microsoft Deployment Toolkit (MDT). The deployment must be fully automated with minimal user interaction. Which configuration should be used in the CustomSettings.ini file?

A.SkipApps=YES
B.UserDataLocation=AUTO
C.SkipWizard=YES
D.DoNotCreateExtraPartition=YES
AnswerC

Suppresses all wizard pages, enabling zero-touch deployment.

Why this answer

Option C is correct because `SkipWizard=YES` in the CustomSettings.ini file tells MDT to bypass all deployment wizard pages, enabling a fully unattended, zero-touch deployment. This is the specific setting required to achieve minimal user interaction during the MDT deployment process.

Exam trap

The trap here is that candidates often confuse `SkipWizard=YES` with individual `Skip*` settings, thinking they need to list each one, or they mistakenly believe `UserDataLocation=AUTO` or `DoNotCreateExtraPartition=YES` control automation level when they only affect specific deployment phases.

How to eliminate wrong answers

Option A is wrong because `SkipApps=YES` only skips the application selection page in the wizard, but the deployment still requires user interaction for other wizard pages (e.g., computer name, credentials). Option B is wrong because `UserDataLocation=AUTO` controls where user state data is stored during migration, not the level of automation or wizard skipping. Option D is wrong because `DoNotCreateExtraPartition=YES` prevents MDT from creating additional partitions (like a recovery partition) during disk configuration, but does not affect the wizard interaction or automation level.

124
Multi-Selectmedium

Which TWO settings can you configure in a Microsoft Intune device compliance policy for Android Enterprise devices?

Select 2 answers
A.Encryption
B.Require a password to unlock the device
C.Minimum OS version
D.Disable camera
E.Maximum OS version
AnswersB, C

This is a compliance setting.

Why this answer

Option B is correct because 'Require a password to unlock mobile devices' is a standard compliance rule for Android Enterprise work profile and fully managed devices; it is evaluated at check-in and drives the compliant/noncompliant state that Conditional Access reads. Option C is correct because 'Minimum OS version' is likewise a compliance rule: a device below the stated version is marked noncompliant and the actions for noncompliance apply.

Exam trap

The trap here is that candidates confuse device compliance policies with device configuration profiles; disabling the camera is a device restriction setting in a configuration profile, not a rule a compliance policy can evaluate.

125
MCQmedium

Refer to the exhibit. You run the PowerShell cmdlet in Microsoft Graph to list managed Windows devices. The output shows that several devices have a complianceState of 'noncompliant' but lastSyncDateTime is recent. What is the most likely reason for noncompliance?

A.The devices are running a non-Windows OS.
B.The devices have not synced recently.
C.The devices do not meet the assigned compliance policies.
D.The admin lacks permissions to view compliance details.
AnswerC

Noncompliance occurs when devices fail compliance policy rules.

Why this answer

Option C is correct because a complianceState of 'noncompliant' means the device failed one or more rules in an assigned compliance policy; with a recent lastSyncDateTime the state is current, so the rule failure is real. Option B is wrong because the sync is recent. Option D is wrong because the cmdlet returned compliance data, so the caller's permissions are sufficient.

Option A is wrong because the query filters on the Windows operating system, so the devices are Windows.

126
MCQmedium

Refer to the exhibit. You are reviewing a JSON representation of a Microsoft Intune compliance policy for Windows 10. The policy is assigned to a group of devices running Windows 10 version 22H2 (build 22621). The devices are non-compliant due to the OS version. What is the most likely reason?

A.The validOperatingSystemBuildRanges property is empty, causing all builds to be non-compliant.
B.The OS build is greater than the maximum version specified.
C.The OS build is less than the minimum version.
D.The policy requires a password but the devices have no password.
AnswerB

A device whose full version is above 10.0.22621.0, even only in the revision number, is above the maximum.

Why this answer

Option B is correct because the policy sets osMinimumVersion to 10.0.19041.0 and osMaximumVersion to 10.0.22621.0, and Intune compares the device's full four-part version against those bounds. A device on exactly 10.0.22621.0 is inside the inclusive range, but a patched 22621 device reports a higher revision (10.0.22621.xxxx), and a device that has moved to a newer build such as 22631 is higher still; both are above the maximum. Note that build 22621 is Windows 11 22H2 (Windows 10 22H2 is build 19045); the stem's label does not change the comparison.

Option C is incorrect because 22621 is not below 19041. Option A is incorrect because an empty validOperatingSystemBuildRanges means no build-range rule is evaluated, which cannot by itself make a device noncompliant. Option D is incorrect because the stem states the failure is the OS version rule, and the policy's password rule is not what is reported.
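The version-range and encryption reasoning in questions 120 and 126, carried out in code. This is an added example, not from the page or from Microsoft: the policy values and device records are constructed for it, and it reproduces the comparison semantics described above (inclusive bounds, all four version parts compared numerically), not Intune's own evaluator.

```powershell
# Added example: evaluate the osMinimumVersion / osMaximumVersion and
# storageRequireEncryption rules of a Windows compliance policy against device
# records. Policy values and devices below are constructed for the example.

$policy = @{
    osMinimumVersion         = '10.0.19041.0'   # Windows 10 2004
    osMaximumVersion         = '10.0.22621.0'   # build 22621, revision 0
    storageRequireEncryption = $true
}

function Test-OsVersionRule {
    param(
        [Parameter(Mandatory)][string]$DeviceVersion,
        [string]$Minimum,
        [string]$Maximum
    )
    # [version] compares major.minor.build.revision numerically, so
    # 10.0.22621.3007 is greater than 10.0.22621.0 although the build matches.
    $v = [version]$DeviceVersion
    $reasons = @()
    if ($Minimum -and ($v -lt [version]$Minimum)) { $reasons += "below minimum $Minimum" }
    if ($Maximum -and ($v -gt [version]$Maximum)) { $reasons += "above maximum $Maximum" }
    [pscustomobject]@{
        Version   = $DeviceVersion
        Compliant = ($reasons.Count -eq 0)
        Reasons   = $reasons
    }
}

function Test-DeviceCompliance {
    param(
        [Parameter(Mandatory)][hashtable]$Device,
        [Parameter(Mandatory)][hashtable]$Policy
    )
    $failures = @()
    $os = Test-OsVersionRule -DeviceVersion $Device.osVersion `
                             -Minimum $Policy.osMinimumVersion `
                             -Maximum $Policy.osMaximumVersion
    if (-not $os.Compliant) { $failures += $os.Reasons }
    if ($Policy.storageRequireEncryption -and -not $Device.isEncrypted) {
        $failures += 'storage not encrypted'
    }
    [pscustomobject]@{
        Device    = $Device.deviceName
        OsVersion = $Device.osVersion
        Compliant = ($failures.Count -eq 0)
        Failures  = ($failures -join '; ')
    }
}

# Constructed device records; field names mirror the Graph managedDevice shape.
$devices = @(
    @{ deviceName = 'PC-2004-NOENC'; osVersion = '10.0.19041.1';    isEncrypted = $false }  # Q120: encryption rule fails
    @{ deviceName = 'PC-22621-RTM';  osVersion = '10.0.22621.0';    isEncrypted = $true  }  # equals maximum: compliant
    @{ deviceName = 'PC-22621-CU';   osVersion = '10.0.22621.3007'; isEncrypted = $true  }  # revision above maximum
    @{ deviceName = 'PC-23H2';       osVersion = '10.0.22631.3296'; isEncrypted = $true  }  # newer build above maximum
)

$devices | ForEach-Object { Test-DeviceCompliance -Device $_ -Policy $policy } | Format-Table -AutoSize
```

The third record is the one that surprises people: a fully patched device on the "allowed" build still lands above a maximum written as 10.0.22621.0, which is why a maximum version in a compliance policy should be left empty or set to the highest revision you actually intend to permit.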

127
MCQhard

Refer to the exhibit. The JSON shows a device queried from Microsoft Graph. The device shows as compliant, but the user reports that they are unable to access corporate resources. The conditional access policy requires device compliance. What is a likely reason for the access issue?

A.The device has not synced recently, so the compliance state may be outdated.
B.The device compliance state is actually non-compliant.
C.The device is managed by MAM instead of MDM.
D.The device enrollment date is too recent.
AnswerA

Last sync is at 10:30, which might be too old for conditional access.

Why this answer

The lastSyncDateTime is 2025-12-01 at 10:30 and the exhibit gives no later check-in, so if the current time is well past that (say 12:00 or later) the recorded compliance state may be stale. Conditional Access acts on the compliance state recorded for the device, and a state that has not been refreshed by a recent check-in can lag the device's real condition; the first step is to sync the device from the Company Portal or the console and re-evaluate.

Option B is incorrect because the exhibit's complianceState is compliant. Option C is incorrect because the managementAgent is mdm, not a MAM-only registration. Option D is incorrect because enrolledDateTime is not a factor in the Conditional Access decision.
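The two Graph-output questions above (125 and 127) are the same triage: separate devices that are genuinely noncompliant from devices whose compliant state is merely old. The script below is an added example, not from the page or from Microsoft; the device records and the fixed "current time" are constructed, and the 24-hour staleness threshold is an assumption for the example, not an Intune constant.

```powershell
# Added example: triage Windows managed devices by compliance state and sync
# age. The records are constructed; in a tenant they would come from
#   Connect-MgGraph -Scopes DeviceManagementManagedDevices.Read.All
#   Get-MgDeviceManagementManagedDevice -Filter "operatingSystem eq 'Windows'" -All
# The staleness threshold is an assumption, not a value Intune publishes.

$now        = [datetime]'2025-12-01T12:00:00Z'   # fixed clock so the output is reproducible
$StaleAfter = [timespan]::FromHours(24)

$devices = @(
    [pscustomobject]@{ deviceName = 'WKS-01'; complianceState = 'compliant';    managementAgent = 'mdm'; lastSyncDateTime = [datetime]'2025-12-01T10:30:00Z' }
    [pscustomobject]@{ deviceName = 'WKS-02'; complianceState = 'noncompliant'; managementAgent = 'mdm'; lastSyncDateTime = [datetime]'2025-12-01T11:45:00Z' }
    [pscustomobject]@{ deviceName = 'WKS-03'; complianceState = 'compliant';    managementAgent = 'mdm'; lastSyncDateTime = [datetime]'2025-11-20T08:00:00Z' }
    [pscustomobject]@{ deviceName = 'WKS-04'; complianceState = 'noncompliant'; managementAgent = 'mdm'; lastSyncDateTime = [datetime]'2025-11-25T09:10:00Z' }
)

function Get-DeviceTriage {
    param(
        [Parameter(Mandatory)][object[]]$Devices,
        [Parameter(Mandatory)][datetime]$Now,
        [timespan]$StaleAfter = [timespan]::FromHours(24)
    )
    foreach ($d in $Devices) {
        $age   = $Now - $d.lastSyncDateTime
        $stale = $age -gt $StaleAfter
        # A recent sync with 'noncompliant' is a real rule failure (Q125);
        # 'compliant' with an old sync is a state you should not trust yet (Q127).
        $category = if ($d.complianceState -eq 'noncompliant') { 'NonCompliant' }
                    elseif ($stale)                            { 'CompliantButStale' }
                    else                                       { 'CompliantFresh' }
        $action = switch ($category) {
            'NonCompliant'      { 'Fails a rule in an assigned compliance policy; open the device compliance report to see which setting.' }
            'CompliantButStale' { 'Recorded state may be outdated; trigger a sync from the device or the console before relying on it.' }
            default             { 'No action.' }
        }
        [pscustomobject]@{
            Device         = $d.deviceName
            Compliance     = $d.complianceState
            Agent          = $d.managementAgent
            HoursSinceSync = [math]::Round($age.TotalHours, 1)
            Category       = $category
            Action         = $action
        }
    }
}

Get-DeviceTriage -Devices $devices -Now $now -StaleAfter $StaleAfter |
    Sort-Object Category, Device |
    Format-Table -AutoSize
```

WKS-01 is the exhibit's case: compliant, last sync 10:30, only 1.5 hours old against a 24-hour threshold, so it is reported fresh; lower the threshold or move $now forward to see it flip to CompliantButStale. WKS-03 shows the pattern to chase, a device that has not checked in for days yet still carries a compliant state.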

128
MCQ (hard)

You manage devices with Microsoft Intune. You need to ensure that only devices with a specific BIOS serial number can enroll. What should you configure?

A. Enrollment restrictions that block devices by hardware identifier.
B. A device category with a dynamic group based on BIOS serial.
C. A device compliance policy that checks BIOS serial number.
D. A Conditional Access policy that requires a compliant device.
Answer: A

Enrollment restrictions can block devices based on hardware IDs like BIOS serial numbers.

Why this answer

Option A is correct because enrollment restrictions allow you to block devices based on hardware identifiers like BIOS serial numbers. Option C is wrong because compliance policies apply after enrollment. Option D is wrong because Conditional Access applies after enrollment.

Option B is wrong because device categories are organizational labels, not hardware-based filters.

129
MCQ (medium)

You need to configure a Windows 10 device to automatically install updates from a specific branch readiness level. Which setting in the Update ring policy should you configure?

A. Automatic update behavior
B. Quality update deferral period
C. Feature update deferral period
D. Branch readiness level
Answer: D

This setting determines the branch for updates.

Why this answer

Option D is correct because 'Branch readiness level' defines which updates the device receives (e.g., Windows Insider, Semi-Annual Channel). Option B is wrong because 'Quality update deferral period' delays updates but does not set the branch. Option C is wrong because 'Feature update deferral period' delays feature updates.

Option A is wrong because 'Automatic update behavior' controls installation behavior.

130
MCQ (hard)

A company uses Microsoft Intune to manage macOS devices. A security audit requires that all macOS devices must have FileVault encryption enabled. Compliance policy reports show that 90% of devices are compliant, but 10% are non-compliant. You review the non-compliant devices and find that FileVault is enabled on them. What is the most likely cause of the non-compliance?

A. FileVault is not actually enabled on those devices.
B. The recovery key is not escrowed to Intune.
C. The devices are not supervised.
D. The compliance policy is not assigned to those devices.
Answer: B

Key escrow is required for compliance.

Why this answer

Intune compliance policy for macOS FileVault checks both encryption status and whether the recovery key has been escrowed to Intune. If the key is not escrowed, the device is considered non-compliant. Option A is incorrect because FileVault is enabled.

Key escrow is a separate check from encryption status, which is why Option B is the answer even though FileVault is enabled on the devices. Option D is incorrect because the policy is correctly applied.

131
Multi-Select (hard)

Which THREE permissions are required for a service account to register devices in Windows Autopilot? (Select THREE.)

Select 3 answers
A. Intune Administrator role
B. Security Reader role
C. Global Administrator role
D. Windows Autopilot device enrollment manager (DEM) permissions
E. Microsoft Entra ID join permission
Answers: A, D, E

This role allows managing Autopilot devices.

Why this answer

Option A is correct because Intune Administrator can manage Autopilot devices. Option E is correct because the account must be able to read device information in Microsoft Entra ID. Option D is correct because the account needs to add devices to Autopilot.

Option B is wrong because Security Reader cannot modify. Option C is wrong because Global Administrator is not required.

132
MCQ (hard)

You manage Windows 11 devices with Microsoft Intune. Some users report that their device is marked as noncompliant even though it meets all compliance rules. You discover that the devices have not checked in with Intune for over 30 days. What should you do to prevent this issue?

A. Configure a device configuration profile to set the MDM enrollment URL.
B. Create a Conditional Access policy to block devices that haven't checked in.
C. In the device compliance policy, set the 'Days until device is considered noncompliant' option to 30.
D. Enable automatic re-enrollment for Windows devices in Intune.
Answer: C

This setting marks devices as noncompliant if they haven't checked in within the specified days.

Why this answer

Option C is correct because configuring a device compliance policy to mark devices as noncompliant after a missed check-in (e.g., 30 days) ensures stale devices are flagged. Option A is wrong because a configuration profile cannot set a check-in interval. Option B is wrong because Conditional Access does not change check-in behavior.

Option D is wrong because automatic re-enrollment is not a built-in feature for this scenario.

133
MCQ (hard)

Your organization uses Microsoft Intune to manage Windows 10 devices. You deploy a Windows 10 feature update policy to keep devices on a specific version. After deployment, some devices report that the update is not being offered. The devices are not in a maintenance window. What is the most likely cause?

A. The devices are running a build that is newer than the target version
B. Windows Update for Business deferral or pause settings are blocking the update
C. The policy is not assigned to the correct group
D. The devices are in a maintenance window that blocks updates
Answer: B

Deferral or pause can prevent the update from being offered.

Why this answer

Option B is correct because feature update policies require that devices are not paused for updates. Option C is wrong because the policy is assigned. Option D is wrong because the devices are not in a maintenance window.

Option A is wrong because feature update policies do not require a specific build.

134
MCQ (medium)

Refer to the exhibit. An Intune admin configures the above Windows Update for Business policy. Users report that quality updates are not being installed until 7 days later than expected. What is the likely reason?

A. Quality updates are paused
B. Feature updates are deferred by 30 days
C. Update notifications are set to default
D. Quality updates are deferred by 7 days
Answer: D

The deferral period causes the delay.

Why this answer

QualityUpdateDeferralPeriodInDays is set to 7, which defers quality updates by 7 days. This is the intended behavior of the policy rather than a fault; the users are simply seeing the configured deferral and interpreting it as a delay.

The update notification level is default, feature updates are deferred by 30 days, and nothing is paused, so none of those settings explain the delay.

The 7-day quality update deferral is therefore the cause.

135
MCQ (hard)

You are implementing Windows Autopilot for a new fleet of devices. You need to ensure that during the out-of-box experience (OOBE), the device automatically joins Microsoft Entra ID and is enrolled in Intune. Which configuration is required?

A. Upload corporate identifiers for each device.
B. Configure the Enrollment Status Page in Intune.
C. Create an Autopilot deployment profile assigned to the devices.
D. Create a dynamic device group in Microsoft Entra ID.
Answer: C

The profile defines the OOBE experience, including Entra ID join and Intune enrollment.

Why this answer

Option C is correct because an Autopilot deployment profile specifies the out-of-box experience (OOBE) settings, including the option to automatically join the device to Microsoft Entra ID and enroll it in Intune. Without a deployment profile assigned to the device, Autopilot will not enforce these behaviors during OOBE.

Exam trap

The trap here is that candidates often confuse the prerequisite step of registering the device (uploading corporate identifiers) with the configuration step that actually defines the OOBE behavior (the deployment profile), leading them to select Option A instead of C.

How to eliminate wrong answers

Option A is wrong because uploading corporate identifiers (e.g., hardware hashes) registers the device with Autopilot but does not configure the OOBE behavior; it only enables the device to be recognized by the Autopilot service. Option B is wrong because the Enrollment Status Page (ESP) controls the post-enrollment device setup experience (e.g., app and policy installation progress), not the initial join or enrollment actions during OOBE. Option D is wrong because a dynamic device group in Microsoft Entra ID is used for targeting policies or applications after enrollment, not for triggering or configuring the Autopilot OOBE flow.

136
MCQ (hard)

Refer to the exhibit. You are reviewing a Windows 10 compliance policy JSON. What is the purpose of the 'osMinimumVersion' setting?

A. It sets the Windows Update for Business ring to that version.
B. It requires the device to be on a specific feature update.
C. It defines the minimum OS build version that the device must have to be compliant.
D. It forces the device to update to that version.
Answer: C

Devices below this version are non-compliant.

Why this answer

Option C is correct because osMinimumVersion specifies the minimum OS build version required for compliance. Option D is wrong because it does not enforce automatic updates. Option A is wrong because it does not set the update ring.

Option B is wrong because it does not require a specific feature update; it's a build number.

137
MCQ (easy)

Your organization uses Microsoft Intune to manage Windows devices. You need to ensure that only IT administrators can manually install apps from the Microsoft Store. Which setting should you configure in a device restriction policy?

A. Enable 'Private store only' in Microsoft Store for Business settings.
B. Disable 'Automatic app updates' in the device restriction policy.
C. Set 'Allow application store' to 'Block' for non-admin users.
D. Configure 'Require a password for app purchases' to 'Yes'.
Answer: C

Blocking the store prevents non-admins from installing apps manually.

Why this answer

Option C is correct because the 'Allow application store' setting in a device restriction policy controls whether users can access the Microsoft Store. Setting it to 'Block' for non-admin users prevents them from manually installing apps, while IT administrators (who have local admin rights) can still install apps via the Store. This setting is enforced through Intune's policy management and applies to Windows devices managed by Microsoft Intune.

Exam trap

The trap here is that candidates often confuse the 'Allow application store' setting with store visibility or purchase controls, thinking that blocking the entire store or requiring a password for purchases achieves the same result, but only the explicit block for non-admin users prevents manual installations.

How to eliminate wrong answers

Option A is wrong because 'Private store only' in Microsoft Store for Business settings restricts the visible catalog to private apps but does not prevent non-admin users from manually installing apps; it only limits which apps they see. Option B is wrong because disabling 'Automatic app updates' controls whether apps update automatically, not whether users can manually install apps from the Store. Option D is wrong because 'Require a password for app purchases' applies to purchase transactions, not to manual installations of free apps or to blocking installation by non-admin users.

138
MCQ (hard)

You manage devices with Microsoft Intune. Users report that after a recent policy update, they cannot access company SharePoint sites on their Android devices. The devices show as compliant in Intune. What is the most likely cause?

A. The SharePoint site is configured to allow access only from specific IP ranges
B. The device compliance policy has a grace period for non-compliance, and the device is still within that period
C. An app protection policy is blocking access to SharePoint from the browser
D. A Conditional Access policy requires the use of the Microsoft Edge or Microsoft Authenticator app, but users are using Chrome
Answer: D

Conditional Access can require approved client apps; using an unapproved app can block access.

Why this answer

Option D is correct because Conditional Access policies often require a specific app (e.g., Outlook, Edge) and can block access if the wrong app is used, even if the device is compliant. Option B is wrong because if the device is compliant, the CA policy should allow it. Option A is wrong because network locations can be a factor but are less likely if the device is compliant.

Option C is wrong because app protection policies are separate from SharePoint access via the browser.

139
Drag & Drop (medium)

Order the steps to migrate user profiles from Windows 10 to a new device using User State Migration Tool (USMT).


Why this order

ScanState collects data, specify store, install new OS, LoadState restores, then verify.

140
MCQ (medium)

A user reports that their Windows 11 device is not receiving compliance policies from Microsoft Intune. The device shows as 'Not evaluated' in the Microsoft Intune admin center. The user has confirmed that the device is enrolled and connected to the internet. Which is the most likely cause?

A. The device is not enrolled in Microsoft Intune.
B. The device has a Device Lock policy applied that blocks evaluation.
C. The Intune Management Extension is not installed or not running.
D. The user does not have a Microsoft 365 E3 license assigned.
Answer: C

The Intune Management Extension is needed for compliance evaluation on Windows devices.

Why this answer

Option C is correct because when a device shows 'Not evaluated', it typically means the Intune Management Extension is missing or not running, which is required for compliance evaluation. Option A is wrong because the device is enrolled. Option D is wrong because Windows 10/11 licenses are not required for compliance.

Option B is wrong because Device Lock policies are not related to compliance evaluation.

141
MCQ (hard)

Your organization uses Windows Autopilot for device deployment. After a device completes the user-driven deployment, it appears in Microsoft Entra ID as 'Azure AD registered' instead of 'Azure AD joined'. What should you modify to ensure the device is joined?

A. Modify the Autopilot deployment profile to set 'Join to Azure AD as' to 'Azure AD joined'.
B. Add the device to a hybrid Azure AD join profile.
C. Modify the Autopilot deployment profile to set 'Join to Azure AD as' to 'Azure AD registered'.
D. Modify the enrollment restrictions to block personally owned devices.
Answer: A

This setting controls whether the device is joined or registered.

Why this answer

Option A is correct because the Autopilot profile determines the join type; setting it to 'Azure AD joined' ensures the device is joined, not registered. Option C is wrong for the same reason. Option D is wrong because enrollment restrictions affect user enrollment, not the join type.

Option B is wrong because the domain join profile is for hybrid scenarios.

142
Multi-Select (medium)

Which TWO options are valid methods to deploy Windows 10 to new hardware in a Configuration Manager environment?

Select 2 answers
A. Microsoft Deployment Toolkit (MDT) Lite Touch
B. Windows Autopilot self-deploying mode
C. Azure Migrate
D. Bootable media deployment
E. PXE-initiated task sequence deployment
Answers: D, E

Standard ConfigMgr deployment method.

Why this answer

Bootable media deployment (Option D) is a valid method in Configuration Manager because it allows you to create bootable USB or CD/DVD media that contains the boot image, task sequence, and required content. When the media is booted on new hardware, it initiates a task sequence that contacts the Configuration Manager site server to download the OS image and apply it, making it ideal for bare-metal deployments without network connectivity.

Exam trap

The trap here is that candidates often confuse MDT Lite Touch as a Configuration Manager deployment method, but MDT is a separate tool and Lite Touch does not use the Configuration Manager client or infrastructure, making it invalid for this context.

143
MCQ (hard)

Refer to the exhibit. A PowerShell script is used to check the encryption compliance state of Windows devices managed by Intune. Some devices return a State of 'notApplicable' for the Encryption setting. What does this indicate?

A. The device has pending actions to enable encryption
B. The compliance policy is not assigned to the device
C. The device's operating system edition does not support the encryption setting
D. The device does not require encryption per policy
Answer: C

Some editions like Home don't support BitLocker, so setting is not applicable.

Why this answer

Option C is correct: 'notApplicable' means the device's operating system or edition does not support the encryption setting (e.g., Windows 10 Home lacks BitLocker device encryption). Option D (encryption is not required) would show 'compliant'. Option B (policy not assigned) would show 'notEvaluated'.

Option A (pending) would show 'pending'.

144
MCQ (easy)

You need to configure Intune to automatically retire devices that have not checked in for 90 days. Where should you set this?

A. Compliance policies
B. Enrollment restrictions
C. Windows Autopilot devices blade
D. Device cleanup rules in Intune admin center
Answer: D

This allows automatic retirement of inactive devices.

Why this answer

Device cleanup rules in the Intune admin center allow administrators to automatically retire or delete devices that have not checked in for a specified number of days. This is the correct location because the rule is specifically designed for lifecycle management of stale devices, not for compliance or enrollment policies. Setting the threshold to 90 days ensures that devices exceeding that inactivity period are removed from management.

Exam trap

The trap here is that candidates often confuse compliance policies (which can mark devices as non-compliant for inactivity) with the actual retirement action, but compliance policies do not automatically retire devices—they only trigger conditional access or user notifications, whereas device cleanup rules perform the actual removal.

How to eliminate wrong answers

Option A is wrong because compliance policies evaluate device configuration and health against rules (e.g., requiring encryption or a minimum OS version) and can mark devices as non-compliant, but they do not automatically retire devices based solely on check-in inactivity. Option B is wrong because enrollment restrictions control which devices can enroll (e.g., by platform, OS version, or device manufacturer) and do not manage post-enrollment lifecycle actions like retirement. Option C is wrong because the Windows Autopilot devices blade is used to manage Autopilot deployment profiles and device registration for zero-touch provisioning, not to configure automatic retirement rules for stale devices.

145
Multi-Select (easy)

You need to deploy a Windows 10 feature update to a pilot group. Which TWO steps are required in Microsoft Intune?

Select 2 answers
A. Create a feature update policy for Windows 10.
B. Create a driver update policy for Windows 10.
C. Assign the feature update policy to a device group containing pilot devices.
D. Create an update ring for Windows 10.
E. Create a compliance policy for Windows 10.
Answers: A, C

Feature update policy specifies the target version.

Why this answer

Options A and C are correct. A: Create a feature update profile targeting Windows 10 version 22H2. C: Assign the profile to the pilot device group.

Option D is wrong because update rings are for quality updates. Option E is wrong because compliance policies are not for updates. Option B is wrong because driver updates are separate.

146
MCQ (hard)

You are evaluating Windows Autopilot for a hybrid Azure AD join scenario. Devices are domain-joined on-premises and will be hybrid Azure AD joined. Which prerequisite is required for Autopilot to perform hybrid Azure AD join?

A. Devices must have line-of-sight to an on-premises domain controller.
B. Devices must have VPN connectivity to Azure.
C. An Intune connector for Active Directory must be installed.
D. Azure AD Connect must be configured with password hash sync.
Answer: A

Required to join the domain during Autopilot.

Why this answer

For hybrid Azure AD join via Windows Autopilot, the device must complete domain join during the out-of-box experience. This requires line-of-sight to an on-premises domain controller so that the domain join operation can succeed, as the device cannot join the domain without contacting a DC directly over the network.

Exam trap

The trap here is that candidates often confuse the Intune connector for Active Directory (which is needed for device writeback in hybrid scenarios) with the actual domain join requirement, but the connector does not replace the need for direct line-of-sight to a domain controller.

How to eliminate wrong answers

Option B is wrong because VPN connectivity to Azure is not required; the device needs connectivity to on-premises domain controllers, not Azure. Option C is wrong because the Intune connector for Active Directory is used for device writeback and synchronization, not for the domain join step itself. Option D is wrong because password hash sync is a feature of Azure AD Connect for authentication, not a prerequisite for hybrid Azure AD join; the device must be able to authenticate to the on-premises domain controller directly.

147
MCQ (medium)

Your organization uses Microsoft Intune to manage Windows 10 devices. You need to ensure that only devices with TPM 2.0 and Secure Boot enabled can access Microsoft 365 resources. What is the best approach?

A. Create an app protection policy targeting Microsoft 365 apps.
B. Create a device configuration policy to enable TPM and Secure Boot.
C. Create a device compliance policy requiring TPM and Secure Boot, and a Conditional Access policy to block non-compliant devices.
D. Create a Conditional Access policy requiring TPM and Secure Boot.
Answer: C

This combination enforces the requirements and blocks access.

Why this answer

Device compliance policies can check for TPM 2.0 and Secure Boot, and Conditional Access blocks non-compliant devices. Option B is incorrect because device configuration policies do not enforce access. Option A is incorrect because app protection policies are for app-level protection.

Option D is incorrect because Conditional Access alone cannot check hardware attributes without a compliance policy.

148
Multi-Select (easy)

You are configuring Microsoft Defender for Endpoint for your organization. You need to ensure that devices are onboarded to the service. Which two methods can you use to onboard Windows 10 devices? (Choose two.)

Select 2 answers
A. PowerShell script
B. Group Policy
C. Microsoft Intune
D. Microsoft Endpoint Manager
E. Microsoft Configuration Manager
Answers: B, C

Group Policy can deploy the onboarding configuration.

Why this answer

Options B and C are correct. Group Policy and Microsoft Intune are both supported methods for onboarding devices. Option D is wrong because Microsoft Endpoint Manager is a suite that includes Intune, but the specific method is Intune.

Option E is wrong because Microsoft Configuration Manager (SCCM) is for on-premises management and is not a direct onboarding method. Option A is wrong because PowerShell can be used for scripting, but it is not a primary onboarding method.

149
Multi-Select (hard)

Which THREE steps are required to deploy a Windows 10 feature update (e.g., version 22H2) to a group of test devices using Intune?

Select 3 answers
A. Create a Windows 10 feature update deployment policy.
B. Ensure the test devices are in a group that targets the feature update.
C. Create a device compliance policy for the target version.
D. Create a Windows 10 update ring with expedited updates.
E. Assign the policy to the test device group.
Answers: A, B, E

A feature update deployment policy is needed.

Why this answer

Option A is correct because a Windows 10 feature update deployment policy is the specific Intune policy type designed to deliver feature updates (like version 22H2) to devices. This policy allows you to specify the target version and control the rollout, which is required for deploying feature updates via Intune.

Exam trap

The trap here is confusing update rings (which manage quality updates and deferral settings) with feature update policies (which target specific feature versions), leading candidates to incorrectly select expedited update rings for feature updates.

150
MCQ (medium)

Your organization uses Microsoft Intune to manage iOS devices. You need to ensure that only devices with a passcode longer than six characters can access corporate email. Which type of policy should you configure?

A. Device configuration profile
B. Device compliance policy
C. Enrollment restriction
D. App protection policy
Answer: B

Compliance policies check passcode length and are used with Conditional Access for access control.

Why this answer

Option B is correct because device compliance policies evaluate security settings like passcode length and are used with Conditional Access. Option A is wrong because configuration profiles set settings but don't enforce access. Option D is wrong because app protection policies manage data at the app level.

Option C is wrong because enrollment restrictions control which devices can enroll.
