Microsoft 365 Endpoint Administrator MD-102 (MD-102) — Questions 151-225

991 questions total · 14 pages · All types, answers revealed

Page 3 of 14

151
Multi-Select · hard

Which THREE prerequisites are required to enable Windows Autopilot for existing devices?

Select 3 answers
A. The device must be domain-joined to an on-premises Active Directory
B. The device must be running Windows 10 or Windows 11 Pro, Enterprise, or Education edition
C. The device must have a TPM 2.0 chip
D. The device must have internet connectivity during the out-of-box experience
E. The device must be registered in Intune using its hardware hash
Answers: B, D, E

Autopilot requires these editions.

Why this answer

Options B, D, and E are correct. Autopilot requires Windows 10/11 Pro, Enterprise, or Education, the device to be registered in Intune, and internet connectivity. Option C is wrong because a TPM is not strictly required for Autopilot (except for self-deploying mode). Option A is wrong because an on-premises DC is not needed for pure cloud Autopilot.

152
MCQ · hard

An organization uses Microsoft Intune for Windows 10 device management. They need to deploy a custom Windows app (.exe) to kiosk devices. The app requires admin privileges to install, and the devices are shared. Which deployment method should be used?

A. Use a Win32 app with install context set to 'system'.
B. Assign the app as 'available' for user-install.
C. Deploy as a line-of-business app with device context.
D. Package as a Microsoft Store for Business app.
Answer: A

Win32 apps support system context installation, enabling admin-level installs on shared devices.

Why this answer

Option A is correct because Win32 apps in Microsoft Intune can be configured with the install context set to 'system', which grants the necessary admin privileges for installation and ensures the app is installed for all users on shared kiosk devices. This method uses the Intune Management Extension to run the installer with SYSTEM account privileges, bypassing user-level restrictions and supporting per-machine installations.

Exam trap

The trap here is that candidates often confuse 'device context' with 'system context', not realizing that LOB apps cannot handle .exe files and that 'available' assignments run in user context, which fails for admin-required installs on shared devices.

How to eliminate wrong answers

Option B is wrong because assigning the app as 'available' for user-install runs the installer in the user context, which lacks admin privileges and installs per-user, not per-device, making it unsuitable for shared kiosk devices. Option C is wrong because line-of-business (LOB) apps in Intune only support .msi, .appx, or .msix formats, not .exe files, and the 'device context' option for LOB apps is limited to .msi installers with system context, not custom .exe apps. Option D is wrong because packaging as a Microsoft Store for Business app requires the app to be available in the Store or repackaged as a Store-managed app, which does not support custom .exe files and cannot enforce admin privileges during installation.

153
MCQ · medium

A company uses Microsoft Intune to manage Windows 10 devices. They want to prevent users from installing unapproved applications. Which approach provides the most granular control?

A. Use the Microsoft Store for Business to deploy only approved apps.
B. Deploy AppLocker rules via Intune to allow only approved publishers.
C. Enable Windows Defender SmartScreen to block unknown apps.
D. Configure User Account Control (UAC) to always notify.
Answer: B

AppLocker provides granular control over app execution.

Why this answer

Option B is correct because AppLocker allows you to create rules based on file attributes, such as publisher, to allow only approved apps. Option C is wrong because Windows Defender SmartScreen only warns about unknown apps but does not block installation. Option D is wrong because User Account Control (UAC) does not prevent installation. Option A is wrong because the Microsoft Store for Business only controls Store apps, not all applications.

154
MCQ · hard

Your organization has 500 Windows 10 devices that are currently managed by Microsoft Configuration Manager (ConfigMgr). You plan to enable co-management with Microsoft Intune to leverage cloud-based policies and conditional access. The devices are on-premises Active Directory joined and are already enrolled in ConfigMgr. You need to configure the co-management workload slider in ConfigMgr to move the 'Device configuration' workload to Intune while keeping 'Compliance policies' and 'Windows Update policies' in ConfigMgr initially. The devices should automatically enroll in Intune upon receiving the co-management policy. You have already configured Azure AD Connect for hybrid Azure AD join. What should you do next?

A. Install the Intune connector for ConfigMgr and configure the workloads.
B. Create a Group Policy that enables automatic MDM enrollment to Intune.
C. In ConfigMgr, enable co-management, select the devices for pilot, and set the 'Device configuration' workload slider to 'Pilot Intune' or 'Intune'.
D. Configure hybrid Azure AD join for all devices via Group Policy and wait for auto-enrollment.
Answer: C

This configures the workload movement and triggers Intune enrollment for pilot devices.

Why this answer

Option C is correct because to co-manage devices you must configure the co-management properties in ConfigMgr with the correct pilot collection and workload slider. Option D is incorrect because Intune enrollment happens via ConfigMgr policy, not Azure AD join alone. Option A is incorrect because the Intune connector does not handle workload distribution. Option B is incorrect because automatic enrollment in Intune is triggered by Group Policy or ConfigMgr policy, and in this scenario the ConfigMgr co-management policy triggers it.

155
MCQ · easy

Your organization is deploying Windows 10 devices using Windows Autopilot. The devices are purchased from a vendor and will be shipped directly to users. You need to ensure that the devices are automatically enrolled in Intune and configured with your organization's standard settings as soon as the user turns on the device and connects to the internet. The devices should be Azure AD joined. What is the minimal configuration required?

A. Ask the vendor to configure the devices with your organization's settings before shipping.
B. Upload the device's hardware hash to Azure AD.
C. Instruct the user to manually enroll the device after receiving it.
D. Upload the device's hardware hash to Microsoft Intune.
Answer: D

The hash is needed for Autopilot device recognition.

Why this answer

Option D is correct because the hardware hash must be uploaded to Intune for Autopilot to recognize the device. Option A is incorrect because the hash is not automatically available. Option B is incorrect because the hash is uploaded to Intune, not Azure AD. Option C is incorrect because the user does not need to perform any pre-configuration.

156
MCQ · easy

You have the above compliance policy for Windows 10. A device running Windows 10 version 22H2 (build 22621.1) will be marked as?

A. Noncompliant because the OS version exceeds the maximum
B. Noncompliant because the password minimum length is not met
C. Noncompliant because the OS version is below the minimum
D. Compliant
Answer: A

The build is higher than the max allowed.

Why this answer

The policy sets osMaximumVersion to 10.0.22621 and osMinimumVersion to 10.0.19041. Build 22621.1 satisfies the minimum (22621 > 19041), so the question is whether it satisfies the maximum. Intune evaluates osMaximumVersion as 'less than or equal to' the configured version string. Version comparison is tricky; typically build numbers are compared as integers, and 22621.1 is greater than 22621, so the device exceeds the maximum and is marked noncompliant. Option A is correct.

157
MCQ · hard

You are troubleshooting a Microsoft Intune app deployment for a Win32 app that is assigned as 'Available' to a user group. The user reports that the app does not appear in Company Portal. The user is a member of the assigned group. The device is enrolled and compliant. What should you check first?

A. Review the app detection rules.
B. Confirm the app is assigned as 'Required' instead of 'Available'.
C. Verify the user is in the correct Azure AD group.
D. Check if the app is added to Company Portal as a featured app.
Answer: D

Only featured apps appear by default; otherwise users must browse.

Why this answer

Option D is correct because the app must be added to the Company Portal as a featured app, or the user must browse to find it; if it is not visible, it may not have been added. Option C is wrong because the app is already assigned to the user group. Option B is wrong because the app is not required. Option A is wrong because detection rules are for installation, not visibility.

158
MCQ · medium

You manage Windows 10 devices with Microsoft Intune. Users report that after a recent Windows update, some devices fail to enroll in mobile device management (MDM). You verify that the devices are domain-joined and can reach the internet. Which configuration should you check first?

A. Confirm that the user is assigned a Microsoft Entra ID P1 license.
B. Verify that the BitLocker recovery key is backed up to Microsoft Entra ID.
C. Ensure the Windows Defender Firewall allows inbound RPC traffic.
D. Check that the MDM enrollment URL (https://enrollment.manage.microsoft.com) is reachable and not blocked by a proxy.
Answer: D

The enrollment URL must be reachable for successful MDM enrollment.

Why this answer

Option D is correct because the MDM enrollment URL must be accessible and properly configured in Group Policy or Intune. Option B is wrong because BitLocker is not related to enrollment. Option C is wrong because Windows Defender Firewall is not the primary cause. Option A is wrong because the user's credentials are valid; routing is the issue.

159
MCQ · medium

You need to deploy a custom Win32 app to Windows 10 devices. The app installation is silent and requires a reboot. You set the installation behavior to 'system' and the device restart behavior to 'Allow'. After deployment, users report that the app is installed but not working properly. What is the most likely cause?

A. The app requires user interaction to complete setup
B. The detection rule is misconfigured
C. The device was not restarted after installation
D. The app was not wrapped correctly with the Intune Win32 Content Prep Tool
Answer: C

A pending restart can cause apps to malfunction.

Why this answer

When the installation behavior is 'system' and a reboot is required, setting device restart behavior to 'Allow' gives users the option to postpone the restart. If they postpone, the app may not function correctly until reboot. Option C addresses this.

160
MCQ · medium

You manage Android Enterprise devices with work profiles. A user reports that corporate apps are not appearing in the work profile after enrollment. The device shows as enrolled in Microsoft Intune. What is the most likely cause?

A. The device is not connected to the internet.
B. The device is not compliant with corporate policies.
C. The work profile was not created or was removed on the device.
D. The corporate apps are not assigned to the user.
Answer: C

Without a work profile, corporate apps have no container to install into.

Why this answer

Option C is correct because if the work profile is not set up correctly on the device, corporate apps won't appear. Option D is wrong because if the apps were assigned they should deploy, and an assignment that was not applied would affect all devices, not just one; the issue is with the profile. Option B is wrong because compliance policies don't affect app visibility.

161
MCQ · medium

Your organization uses Microsoft Intune to manage iOS/iPadOS devices. You need to deploy a Microsoft Copilot app that requires users to sign in with their work account. The app must be automatically installed without user interaction. What should you do?

A. Configure a web clip that links to the app in the App Store.
B. Create an Intune App Protection Policy for the app.
C. Add the app as a line-of-business app and deploy via Company Portal.
D. Purchase the app through Apple Business Manager and assign it as a required app in Intune.
Answer: D

VPP allows silent install on supervised devices.

Why this answer

Option D is correct because VPP apps can be assigned as required and installed silently if the device is supervised. Option C is incorrect because Company Portal requires the user to initiate installation. Option B is incorrect because an app protection policy (APP) does not install apps. Option A is incorrect because a web clip is not the app.

162
MCQ · medium

A company plans to deploy Windows 11 to 500 devices using Microsoft Deployment Toolkit (MDT). The deployment must support UEFI-based devices with Secure Boot enabled. During a pilot deployment, several devices fail to boot after deployment. You suspect the issue is related to the boot image configuration. Which boot image setting should you verify?

A. Ensure the boot image is set to x64 BIOS
B. Ensure the boot image is set to x86 BIOS
C. Ensure the boot image includes the WinPE optional component for Secure Boot
D. Ensure the boot image is set to x64 UEFI
Answer: D

x64 UEFI is required for UEFI and Secure Boot.

Why this answer

UEFI-based devices with Secure Boot require a 64-bit boot image because UEFI firmware does not support legacy BIOS boot modes. Selecting an x64 UEFI boot image ensures the deployment environment is compatible with Secure Boot and GPT disk partitioning, which are mandatory for Windows 11 on UEFI systems. An incorrect boot image type (e.g., BIOS-based) will cause boot failures on UEFI-only hardware.

Exam trap

The trap here is that candidates confuse the need for a Secure Boot-specific WinPE component (Option C) with the actual requirement of selecting the correct boot image architecture and firmware type (x64 UEFI), leading them to overlook that Secure Boot support is inherent to the UEFI boot image, not an add-on component.

How to eliminate wrong answers

Option A is wrong because an x64 BIOS boot image is designed for legacy BIOS firmware, not UEFI, and will fail to boot on UEFI-only devices with Secure Boot enabled. Option B is wrong because an x86 BIOS boot image is both the wrong architecture (32-bit) and the wrong firmware type (BIOS), making it incompatible with 64-bit UEFI hardware and Secure Boot requirements. Option C is wrong because Secure Boot support in WinPE is built into the x64 UEFI boot image itself; there is no separate 'WinPE optional component for Secure Boot' — the component is automatically included when you generate an x64 UEFI boot image in MDT.

163
MCQ · hard

You are troubleshooting a Windows 10 device that is showing as non-compliant in Intune. The exhibit shows the PowerShell output from the Microsoft Graph API. Based on the output, what is the most likely reason for the non-compliance?

A. The device does not have a compliant operating system version
B. BitLocker drive encryption is not enabled on the device
C. The device is not running a supported version of Windows 10
D. The device has a third-party antivirus installed
Answer: B

The 'RequireEncryption' reason indicates BitLocker is missing.

Why this answer

Option B is correct because the output shows the non-compliance reason is 'RequireEncryption', indicating BitLocker is not enabled. Options A and C are wrong because the reason is specifically about encryption, not the OS version. Option D is wrong because the reason is not about antivirus.

164
Multi-Select · easy

Which TWO of the following are valid methods to wipe a Windows 10 device using Microsoft Intune? (Select TWO.)

Select 2 answers
A. Factory reset from Windows Settings
B. Retire (selective wipe)
C. Remote lock
D. Delete device from Intune
E. Full wipe (remote wipe)
Answers: B, E

Retire removes corporate data from the device.

Why this answer

Options B and E are correct. A full (remote) wipe resets the device to factory settings, and a retire removes corporate data while keeping personal data. Option C is wrong because a remote lock only locks the device. Option D is wrong because deleting the device just removes it from management without wiping. Option A is wrong because a factory reset from Windows Settings is a user action, not an Intune action.

165
MCQ · hard

Refer to the exhibit. You are reviewing a Win32 app configuration in Microsoft Intune. The app is not installing on some Windows 10 devices. Which is the most likely reason?

A. The devices have an OS version lower than 10.0.19041.
B. The install command line is missing the /silent switch.
C. The detection rule path is incorrect.
D. The install experience is set to system, but should be user.
Answer: A

The requirement rule sets a minimum OS version of 10.0.19041.

Why this answer

The correct answer is A because the exhibit shows the 'Minimum OS version' requirement set to 10.0.19041 (Windows 10 version 20H1/2004). Devices with an OS build lower than this threshold will fail to install the Win32 app, as Intune enforces this requirement before executing the installation command. This is a common configuration issue when deploying apps to a mixed-OS environment.

Exam trap

The trap here is that candidates often focus on the install command or detection rules as the cause of installation failure, overlooking the explicit OS version requirement that prevents installation from even starting on incompatible devices.

How to eliminate wrong answers

Option B is wrong because the install command line is not missing the /silent switch; the exhibit shows the command includes '--silent' (or a similar silent flag), so the absence of /silent is not the issue. Option C is wrong because the detection rule path being incorrect would cause the app to appear as 'Not Installed' on devices where it actually installed, not prevent installation from starting. Option D is wrong because the install experience set to 'system' is correct for system-wide installations; setting it to 'user' would install per-user and could cause issues, but the exhibit shows 'system' is selected, so this is not the problem.

166
MCQ · easy

You need to deploy a Microsoft Store app (e.g., Microsoft Whiteboard) to Windows 10 devices managed by Intune. Which app type should you use?

A. Microsoft Store app (Windows)
B. Windows app (Win32)
C. Web link
D. Microsoft Store for Business (offline licensed)
Answer: A

Directly supports store apps.

Why this answer

Option A is correct because Microsoft Store apps are deployed using the 'Microsoft Store app (Windows)' type in Intune. Option D is wrong because it is for offline-licensed apps. Option B is wrong because Win32 is for packaged apps. Option C is wrong because it is for web links.

167
MCQ · easy

Refer to the exhibit. You configure an Enrollment Status Page (ESP) policy as shown. During Windows Autopilot deployment, a device fails to install one of the required apps. What happens to the device?

A. The device blocks use and the user cannot proceed
B. The device automatically resets and retries
C. The user can skip the installation and use the device
D. The user can retry the installation
Answer: A

The device blocks use because allowDeviceUseOnInstallFailure is false.

Why this answer

Option A is correct because 'allowDeviceUseOnInstallFailure' is set to false, so the device will block use on install failure. Additionally, 'allowDeviceResetOnInstallFailure' is false, so the device will not reset, and 'blockDeviceSetupRetryByUser' is true, so the user cannot retry. Option D is wrong because the user cannot retry. Option B is wrong because the device will not reset. Option C is wrong because the user cannot skip.

168
Multi-Select · medium

Which THREE are valid Windows Autopilot deployment scenarios?

Select 3 answers
A. Self-deploying
B. App-driven
C. User-driven
D. Policy-driven
E. White glove
Answers: A, C, E

Self-deploying is for shared devices.

Why this answer

Windows Autopilot self-deploying is a valid deployment scenario where a device can be automatically configured without user interaction, using a hardware hash to enroll in Azure AD and Intune. This scenario is ideal for kiosks, digital signage, or shared devices that require zero-touch provisioning.

Exam trap

The trap here is that candidates confuse deployment phases or management concepts (like app or policy deployment) with the three official Autopilot deployment scenarios, which are strictly self-deploying, user-driven, and white glove (pre-provisioning).

169
Multi-Select · easy

Which TWO actions can you perform using the Microsoft Intune admin center to manage Windows devices? (Choose two)

Select 2 answers
A. Reset a user's password.
B. View hardware inventory of a device.
C. Remotely sync a device with Intune.
D. Manage on-premises Active Directory objects.
E. Assign Microsoft 365 licenses to a user.
Answers: B, C

Inventory is visible in the device properties.

Why this answer

Option B is correct because the Microsoft Intune admin center provides a hardware inventory view for managed Windows devices, displaying details such as processor, RAM, disk space, and firmware version. This data is collected via the Intune Management Extension and device inventory reports, enabling administrators to assess device compliance and readiness without requiring on-premises tools.

Exam trap

The trap here is that candidates confuse user management tasks (password reset, license assignment) with device management actions, or assume Intune can manage on-premises AD objects, when Intune's scope is strictly cloud-based device and app management via MDM and MAM.

170
Multi-Select · hard

You are troubleshooting an Intune deployment of a line-of-business (LOB) app for iOS. The app fails to install on some devices with error '0x87D13B9F'. Which THREE actions should you take to diagnose the issue?

Select 3 answers
A. Check the Intune Service Health dashboard for service incidents
B. Check if the device is supervised and that the app requires supervised mode
C. Ensure that an app configuration policy is assigned to the device
D. Verify that the app's provisioning profile has not expired
E. Confirm that the device has sufficient storage space available
Answers: B, D, E

Some LOB apps require supervised devices.

Why this answer

Options B, D, and E are correct. Verify that the app is signed with a valid Apple Developer Enterprise certificate; expired certificates cause failures. Check whether the device is supervised if the app requires it; some LOB apps require supervised mode. Ensure the device has enough storage; the error can be storage-related. Option A is wrong because Intune Service Health is not specific to app deployment. Option C is wrong because app configuration policies are optional.

171
MCQ · easy

A technician is troubleshooting a Windows 11 device that is enrolled in Intune. The device reports as 'Not compliant' due to missing required updates. The administrator runs the following command on the device and receives the output shown. What should the administrator do next to resolve the compliance issue?

A. Check for a policy conflict in Intune.
B. Run a manual sync from the Company Portal app.
C. Verify network connectivity to Microsoft Update.
D. Restart the device.
Answer: D

A pending restart is blocking the updates from completing.

Why this answer

The command output indicates that the Windows Update service is in a 'Stopped' state, which prevents the device from installing required updates. Restarting the device (Option D) will restart the Windows Update service and trigger a fresh update scan, allowing the device to become compliant on the next Intune check-in. This is the most direct fix for a stopped service that is blocking update installation.

Exam trap

The trap here is that candidates often assume a sync or connectivity check is needed, but the command output directly reveals a stopped service, making a restart the immediate and correct action.

How to eliminate wrong answers

Option A is wrong because a policy conflict in Intune would typically cause a different compliance status (e.g., 'Error' or 'Conflict') and would not manifest as a stopped Windows Update service; the command output clearly shows the service is not running, not a policy mismatch. Option B is wrong because running a manual sync from the Company Portal app only forces a device check-in with Intune to re-evaluate compliance policies, but it does not start the stopped Windows Update service or install missing updates; the sync would still report non-compliance if the updates are not installed. Option C is wrong because verifying network connectivity to Microsoft Update is unnecessary when the command output explicitly shows the Windows Update service is stopped; connectivity is irrelevant if the service cannot run.

172
MCQ · easy

Your company uses Microsoft Intune to manage Windows 10 devices. You need to deploy a Microsoft Store app (new) named 'Company Portal' to all devices. The app is already added to Intune. You want to ensure that the app is automatically installed on devices that are not yet enrolled in Intune. You assign the app to the 'All devices' group with the intent 'Required'. However, you notice that devices that enroll after the assignment do not receive the app automatically. What should you do to ensure that the app installs on newly enrolled devices?

A. Create a new assignment with 'Available' intent for the 'All devices' group
B. Ensure the 'All devices' group is a dynamic group that includes all devices
C. Re-add the app to Intune
D. Change the assignment intent to 'Available'
Answer: B

Dynamic groups automatically include new devices.

Why this answer

Option B is correct. A 'Required' assignment to an 'All devices' group applies to devices that enroll later when the group membership is dynamic; if the group really includes all devices, new devices should get the app. The likely issue is that the group is a static device group. The best practice is to use a dynamic device group that includes all devices. Option D is wrong because the assignment is already required. Option A is wrong because 'Available' requires user initiation. Option C is wrong because the app is already added.

173
Multi-Select · medium

Your organization uses Microsoft Intune to manage devices. You need to configure a compliance policy for Windows devices that requires the device to be at a specific OS version and have antivirus enabled. Which TWO settings should you configure in the compliance policy?

Select 2 answers
A. Maximum OS version
B. Require antivirus (Windows Defender)
C. Minimum OS version
D. Device type
E. Storage encryption
Answers: B, C

Requires Windows Defender to be active.

Why this answer

Options B and C are correct because 'Require antivirus' and 'Minimum OS version' are compliance policy settings for Windows. Option A is wrong because 'Maximum OS version' is not a typical setting; usually the minimum version is used. Option D is wrong because 'Device type' is not a compliance setting. Option E is wrong because 'Storage encryption' is typically covered by BitLocker, not a separate setting here.

174
MCQ · hard

Refer to the exhibit. An Intune administrator configures an Autopilot deployment profile with the shown settings. During OOBE, a device fails to install a required app and enrollment fails. What will happen to the device?

A. The device will be allowed to proceed because enrollment status is notStarted.
B. The device will retry enrollment automatically.
C. The device will be blocked from completing OOBE.
D. The device will be blocked until retry due to pendingRetry setting.
Answer: C

Failure action is set to block.

Why this answer

Option C is correct because the setting "deviceEnrollmentFailureAction": "block" will block the device from proceeding if enrollment fails. Option A is wrong because a status of "notStarted" does not allow the device to proceed. Option D is wrong because the block settings for notApplicable, pendingRetry, and timeout are false; it is the failure action that blocks. Option B is wrong because the device will not retry automatically.

175
MCQ · easy

You need to manage updates for Windows 10 devices using Microsoft Intune. You want to ensure that critical security updates are installed within 7 days of release, while feature updates are deferred for 60 days. Which approach should you use?

A. Create a Windows update ring policy with quality update deferral set to 7 days and feature update deferral set to 60 days.
B. Create a Windows feature update profile to deploy the latest feature update after 60 days.
C. Create a device compliance policy requiring devices to install updates within 7 days.
D. Configure Windows Update for Business settings via a configuration profile.
Answer: A

Update rings allow granular deferral settings for quality and feature updates.

Why this answer

Option A is correct because Windows update ring policies in Microsoft Intune allow granular control over both quality (security) and feature update deferral periods. Setting quality update deferral to 7 days ensures critical security patches are installed within a week, while feature update deferral of 60 days delays non-security feature updates. This directly meets the requirement without additional profiles or compliance policies.

Exam trap

The trap here is that candidates often confuse update ring policies (which manage deferral periods) with feature update profiles (which target specific versions) or compliance policies (which only report compliance status), leading them to select B or C instead of the correct ring-based approach.

How to eliminate wrong answers

Option B is wrong because a Windows feature update profile is used to deploy a specific feature update version (e.g., Windows 10 22H2) to devices, not to manage deferral periods for ongoing updates; it does not control quality update timing. Option C is wrong because device compliance policies can require a minimum OS version or patch level but cannot enforce specific deferral periods for quality or feature updates; they are for compliance evaluation, not update scheduling. Option D is wrong because configuring Windows Update for Business settings via a configuration profile is a legacy approach that lacks the unified deferral management available in update ring policies; update rings are the modern, recommended method in Intune for controlling update deferrals.

176
MCQ · hard

Your organization uses Microsoft Defender for Endpoint (now part of Microsoft Defender XDR) to manage device threat detection. You have integrated Defender for Endpoint with Intune for compliance. Some devices are showing as non-compliant due to 'active threats' that are actually low-risk. How can you adjust the compliance policy to allow low-risk threats?

A. Modify the Conditional Access policy to require device compliance.
B. Configure the 'Machine risk score' in Defender for Endpoint.
C. Whitelist the specific threats in Defender for Endpoint.
D. Set the 'Threat level' in the Intune compliance policy to 'Low'.
Answer: D

This allows devices with low-risk threats to be compliant.

Why this answer

Option D is correct because the Intune compliance policy for Defender for Endpoint has a 'Threat level' setting that can be set to 'Low' to allow low-risk threats. Option C is wrong because you cannot whitelist specific threats. Option A is wrong because this is not a Conditional Access policy setting. Option B is wrong because the threat level is configured in the compliance policy, not in Defender.

177
MCQ · medium

Your organization uses Microsoft Intune to manage Android Enterprise devices. You need to enroll a personally owned device with a work profile. Which enrollment method should the user use?

A. Android Enterprise fully managed enrollment.
B. Android Enterprise personally owned work profile enrollment.
C. Android Enterprise corporate-owned work profile enrollment.
D. Corporate-owned dedicated device enrollment.
Answer: B

This creates a work profile on a personal device.

Why this answer

Option B is correct because Android Enterprise personally owned devices with a work profile use the 'Bring your own device' (BYOD) enrollment method. Option D is wrong because corporate-owned dedicated devices use a different method. Option A is wrong because fully managed devices are corporate-owned. Option C is wrong because corporate-owned work profile is for corporate devices with a work profile.

178
MCQhard

Your organization uses Microsoft Intune to manage Windows 10 devices. You deploy a PowerShell script via Intune management extension to install a legacy application. The script runs successfully on most devices, but fails on devices that have the 'LocalSystem' account disabled. What should you do to resolve the issue?

A.Configure the script to run in the user context by modifying the script settings in Intune
B.Change the script to run as the logged-on user using a scheduled task
C.Deploy the script using Microsoft Configuration Manager instead
D.Re-enable the LocalSystem account on the affected devices
AnswerA

Intune allows scripts to run in user context, which may resolve the issue.

Why this answer

Option A is correct because the Intune management extension runs PowerShell scripts in the system context by default, and the script settings in Intune let you switch the script to run in the signed-in user's context instead, removing the dependency on LocalSystem. Note that a user-context script runs with that user's privileges, so an installer that needs administrator rights will still fail unless the user is a local administrator. Option B is wrong because re-launching the script as the logged-on user through a scheduled task is not a supported Intune script setting and adds moving parts. Option C is wrong because the management extension can still deliver the script; switching to Configuration Manager is unnecessary. Option D is wrong because re-enabling LocalSystem is not recommended and may have security implications.

179
Multi-Selecthard

A company uses Microsoft Intune to manage devices. They have a Windows 10 device that is non-compliant due to missing required updates. The administrator reviews the device and sees the update status shows 'Pending restart'. Which THREE actions should the administrator take to resolve the compliance issue?

Select 3 answers
A.Check the Update Rings policy for deferral settings.
B.Sync the device with Intune.
C.Restart the device.
D.Wait for the automatic restart from the compliance policy.
E.Re-enroll the device in Intune.
AnswersA, B, C

Deferrals may delay update installation.

Why this answer

Option A is correct because Update Rings deferral settings can delay the installation of required updates, causing the device to sit at 'Pending restart' without the updates actually being applied; checking and adjusting the deferrals ensures updates install promptly. Option B is correct because a sync forces the device to check in and report its current update and compliance state. Option C is correct because an update in 'Pending restart' only finishes installing after the device restarts, and the next compliance evaluation can then succeed.

Exam trap

The trap here is that candidates may assume waiting for an automatic restart (Option D) is sufficient, but Intune compliance policies do not enforce restarts; the administrator must take proactive steps like syncing and restarting to resolve the pending restart state.

180
MCQhard

Your company has a Microsoft 365 E5 subscription. You are planning to deploy Windows 11 using Microsoft Intune. You need to ensure that devices automatically receive English (US) language pack and regional settings during the provisioning process. You plan to use a provisioning package (PPKG) created with Windows Configuration Designer. What should you include in the PPKG?

A.Add a PowerShell script that runs during Autopilot to set language and region.
B.Include the 'Language' and 'RegionalSettings' settings in the PPKG.
C.Assign an Intune Language Pack policy to the device group.
D.Create a Group Policy Object that sets language and region, and link it to the device OU.
AnswerB

Windows Configuration Designer allows embedding language and regional settings directly.

Why this answer

Windows Configuration Designer (WCD) directly supports configuring language and regional settings within a provisioning package (PPKG) through built-in settings. Including the 'Language' and 'RegionalSettings' settings in the PPKG ensures these configurations are applied during the out-of-box experience (OOBE) or provisioning process, without requiring additional scripts or policies. This is the most efficient and supported method for offline or Autopilot pre-provisioning scenarios.

Exam trap

The trap here is that candidates often assume a PowerShell script or Intune policy is required for language configuration, overlooking that Windows Configuration Designer provides native, first-class settings for language and region within a PPKG.

How to eliminate wrong answers

Option A is wrong because adding a PowerShell script that runs during Autopilot to set language and region is unnecessary and less reliable; the PPKG can natively set these settings without scripting, and Autopilot does not guarantee script execution before user logon for language pack installation. Option C is wrong because Intune Language Pack policies are designed for deploying language packs to already-provisioned devices, not for setting regional settings during the initial provisioning process via a PPKG. Option D is wrong because Group Policy Objects (GPOs) require domain-joined devices and Active Directory, which are not applicable during the provisioning phase of a PPKG-based deployment, and GPOs cannot be applied during OOBE.

181
Multi-Selectmedium

You are planning to deploy Microsoft 365 Apps to Windows devices using Microsoft Intune. Which TWO methods can you use to deploy Microsoft 365 Apps? (Choose two.)

Select 2 answers
A.Android store app type.
B.Windows Installer (Win32) app type using the Office Deployment Tool.
C.Web link app type pointing to the Office website.
D.iOS store app type.
E.Microsoft 365 Apps for Windows app type in Intune.
AnswersB, E

Win32 apps can deploy Office via the Office Deployment Tool.

Why this answer

Option B is correct because the Windows Installer (Win32) app type in Intune allows you to deploy Microsoft 365 Apps using the Office Deployment Tool (ODT), which provides granular control over installation settings, languages, and update channels. Option E is correct because Intune includes a dedicated 'Microsoft 365 Apps for Windows' app type that simplifies deployment by automatically configuring the ODT XML and handling the installation process without manual scripting.

Exam trap

The trap here is that candidates often confuse the 'Web link' app type with a valid deployment method, thinking it will trigger an installation, when in fact it only provides a browser shortcut to the Office website without any local installation.

182
MCQhard

You manage Windows 10 devices with Microsoft Intune. You need to deploy a PowerShell script that runs every time a device boots, before the user logs on. The script is signed. What is the correct deployment approach?

A.Use a proactive remediation script set to run at device startup.
B.Package the script as a Win32 app and deploy it with installation behavior set to 'System'.
C.Deploy the script as a PowerShell script in Intune, configured to run in system context at device startup.
D.Add the script as a device configuration profile (OMA-URI).
AnswerC

This allows the script to run before user logon in system context.

Why this answer

To run a script at boot before user logon, use a PowerShell script in Intune that runs in the system context at device startup. Option A is incorrect because proactive remediations run on a schedule after the user logs on, not at boot. Option B is incorrect because a Win32 app installs once and is then reported as installed by its detection rule; it is not re-run at each boot. Option D is incorrect because a configuration profile (OMA-URI) sets CSP values and cannot run a script on boot.

183
MCQeasy

You manage devices with Microsoft Intune. You need to deploy a Windows 10 feature update to a pilot group of devices. Which profile type should you use?

A.Windows 10 configuration profile
B.Windows 10 compliance policy
C.Windows 10 update ring profile
D.Windows 10 feature update profile
AnswerD

This profile type is designed for deploying feature updates like version upgrades.

Why this answer

Option D is correct because the 'Windows 10 feature update' profile deploys a chosen feature update version and can be assigned to a pilot group. Option C is wrong because an update ring controls deferrals and install behavior for ongoing quality and feature updates, not a specific target version. Option B is wrong because a compliance policy only evaluates the device. Option A is wrong because a configuration profile configures settings.

184
Multi-Selecthard

Which TWO conditions in a Conditional Access policy can be used to enforce device compliance for access to Microsoft 365 services?

Select 2 answers
A.Sign-in risk
B.Locations (trusted IPs)
C.Applications (e.g., Exchange Online)
D.Client apps (Browser, Mobile apps and desktop clients)
E.Device state (Compliant or Domain joined)
AnswersD, E

Client apps condition can require compliant device for specific app types.

Why this answer

Options D and E are correct. 'Device state' covers compliant and hybrid Azure AD joined devices; 'Client apps' lets you target browser and mobile/desktop client sign-ins so that, for example, only compliant devices can use desktop Outlook. Option A (sign-in risk), Option B (locations) and Option C (applications) are conditions that scope the policy but do not evaluate device compliance.

In practice the enforcement itself is the grant control 'Require device to be marked as compliant'; the device state condition has been superseded by 'Filter for devices' in current Microsoft Entra ID, so check which your tenant shows.

185
MCQhard

You are the endpoint administrator for Contoso, a company with 5,000 employees. The organization uses Microsoft Intune for device management and Microsoft Entra ID for identity. The current environment includes: - 3,000 Windows 11 Enterprise devices (corporate-owned, managed via Intune) - 1,500 iOS devices (corporate-owned, managed via Intune) - 500 Android devices (BYOD, managed via Intune with work profile) - 200 macOS devices (corporate-owned, managed via Intune) You need to implement a solution to automatically enroll new Windows 11 devices purchased from a vendor. The devices should be pre-provisioned with the organization's configuration and applications without requiring IT staff to touch them. Additionally, you need to ensure that only compliant devices can access corporate email and documents. The solution must minimize manual effort and leverage cloud-based services. You have the following requirements: 1. Zero-touch enrollment for new Windows 11 devices. 2. Devices must be automatically configured with security policies and required applications. 3. Conditional access to Microsoft 365 resources based on device compliance. 4. Support for both corporate and BYOD devices. Which of the following actions should you take FIRST to meet the zero-touch enrollment requirement?

A.Create a dynamic device group in Microsoft Entra ID that includes all Windows 11 devices.
B.Assign Microsoft Intune licenses to all users who will receive the new devices.
C.Register the devices in Windows Autopilot by providing the hardware hash to the Microsoft Intune admin center.
D.Create a compliance policy that requires BitLocker encryption and a minimum OS version.
AnswerC

Registering the hardware hash is the first step to enable Autopilot, which provides zero-touch deployment.

Why this answer

Option C is correct because Windows Autopilot is the cloud-based zero-touch deployment solution that uses hardware hashes to register devices in Intune, enabling them to automatically enroll and receive configurations without IT intervention. This directly meets the requirement for pre-provisioned Windows 11 devices with no manual touch.

Exam trap

The trap here is confusing post-enrollment configuration steps (like creating groups or compliance policies) with the prerequisite enrollment mechanism, leading candidates to select a step that is necessary but not sufficient for zero-touch deployment.

How to eliminate wrong answers

Option A is wrong because creating a dynamic device group in Entra ID is a post-enrollment step for applying policies or targeting apps, not a mechanism for zero-touch enrollment itself. Option B is wrong because assigning Intune licenses is a prerequisite for enrollment but does not automate the enrollment process; it must be combined with Autopilot registration to achieve zero-touch. Option D is wrong because creating a compliance policy enforces security settings after enrollment, but it does not initiate or automate the enrollment process.

186
MCQhard

You manage devices with Microsoft Intune and have enabled co-management with Configuration Manager. You need to ensure that Windows Update policies are managed by Intune for all co-managed Windows 10 devices. Which workload slider should you set in Configuration Manager?

A.Endpoint Protection
B.Windows Update Policies
C.Client Apps
D.Device Configuration
AnswerB

Correct. This workload controls update management.

Why this answer

In a co-management scenario, the workload slider determines which management authority handles specific workloads. Setting the 'Windows Update Policies' slider to 'Intune' directs Windows Update for Business policies to be applied via Intune, overriding Configuration Manager policies for co-managed Windows 10 devices. This ensures that update rings and deferral settings configured in Intune are enforced.

Exam trap

The trap here is that candidates often confuse the 'Windows Update Policies' slider with the 'Endpoint Protection' slider, mistakenly thinking update management is part of security policies, but the slider specifically governs Windows Update for Business policies, not Defender or antivirus updates.

How to eliminate wrong answers

Option A is wrong because the Endpoint Protection workload slider controls antimalware and firewall policies (e.g., Defender settings), not Windows Update policies. Option C is wrong because the Client Apps workload slider governs the deployment of applications (e.g., MSI, Win32 apps) from Intune or Configuration Manager, not update management. Option D is wrong because the Device Configuration workload slider moves device configuration profiles to Intune; Windows Update policies is a separate workload with its own slider.

187
Multi-Selectmedium

Which TWO actions are required to deploy a Win32 app using Microsoft Intune? (Choose two.)

Select 2 answers
A.Upload the .intunewin package file.
B.Configure detection rules.
C.Connect to Managed Google Play.
D.Assign a Microsoft Store license.
E.Sign the app with a macOS developer certificate.
AnswersA, B

The .intunewin file is the packaged app for Win32 deployment.

Why this answer

To deploy a Win32 app, you must upload the .intunewin file (which contains the installation files) and configure detection rules (to determine whether the app is already installed). Options A and B are correct. Option C is wrong because Managed Google Play is the app store connection for Android. Option D is wrong because a Microsoft Store license applies to Store apps, not Win32 packages. Option E is wrong because macOS developer signing is not relevant to Windows apps.

188
MCQhard

You are designing a Windows Autopilot deployment for a global organization. Devices are purchased from multiple OEMs and shipped directly to users. Some users report that their devices do not register in Autopilot automatically. You confirm the devices have Windows 11 Pro preinstalled and meet hardware requirements. What is the most likely reason for the registration failure, and what should you do to resolve it?

A.The devices are not registered in Autopilot by the OEM; collect the hardware hash using a script
B.The devices have a TPM chip that is not compliant with Autopilot requirements
C.The Autopilot deployment profile is assigned to a dynamic device group that excludes these devices
D.The devices are not connected to the internet during OOBE
AnswerA

The OEM must register the device; if not, manual hash collection is required.

Why this answer

The most likely reason is that the OEM did not register the devices in Windows Autopilot by uploading their hardware hashes to the Microsoft Partner Center. Without this registration, the devices will not be recognized during OOBE and will not automatically receive the Autopilot deployment profile. To resolve this, you must collect the hardware hash from each device using a PowerShell script (e.g., Get-WindowsAutopilotInfo.ps1) and manually upload it to Intune or the Partner Center.

Exam trap

The trap here is that candidates often assume the issue is with TPM or connectivity during OOBE, but the core problem is that the device was never registered in Autopilot by the OEM, which is a prerequisite for automatic profile assignment.

How to eliminate wrong answers

Option B is wrong because TPM compliance is not a prerequisite for Autopilot registration; Autopilot requires TPM 2.0 only for self-deploying mode, but the question does not specify that mode, and devices with non-compliant TPM would still register and show in Intune. Option C is wrong because dynamic device group membership is evaluated after a device is registered in Autopilot; if the device is not registered, the group assignment is irrelevant. Option D is wrong because internet connectivity during OOBE is required for Autopilot to download the profile, but the issue here is that the device never appears in Autopilot at all, which indicates a registration failure, not a connectivity problem.
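The manual registration path described above, as an added example that is not part of the exam page: this script collects the hardware hash from the MDM bridge WMI provider (the same source Get-WindowsAutopilotInfo.ps1 reads) and writes it in the CSV layout the Intune admin center import expects. It assumes an elevated PowerShell prompt on the device, for example from OOBE after Shift+F10, and a writable output folder; the output path and group tag parameter are assumptions.

```powershell
# Added example (not from the exam page): collect the Windows Autopilot hardware
# hash from the local device and write it in the CSV layout that the Intune
# admin center import expects. Assumptions: run from an elevated PowerShell
# prompt on the device (for example from OOBE after Shift+F10) and the output
# folder is writable.
param(
    [string]$OutputFile = "$env:SystemDrive\HWID\AutopilotHWID.csv",
    [string]$GroupTag = ''   # optional; dynamic groups can key on it
)

$ErrorActionPreference = 'Stop'

# The hardware hash is exposed through the MDM bridge WMI provider.
$devDetail = Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' `
    -ClassName 'MDM_DevDetail_Ext01' `
    -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"

if (-not $devDetail -or [string]::IsNullOrEmpty($devDetail.DeviceHardwareData)) {
    throw 'The MDM bridge provider returned no hardware hash; run elevated on a physical Windows device.'
}

$serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber.Trim()

# Column names must match the import template. Windows Product ID may be blank.
$row = [ordered]@{
    'Device Serial Number' = $serial
    'Windows Product ID'   = ''
    'Hardware Hash'        = $devDetail.DeviceHardwareData
}
if ($GroupTag) { $row['Group Tag'] = $GroupTag }

$dir = Split-Path -Parent $OutputFile
if (-not (Test-Path -Path $dir)) {
    New-Item -ItemType Directory -Path $dir | Out-Null
}

# ConvertTo-Csv quotes every field; strip the quotes, as the Microsoft script
# does, so the file imports cleanly.
[pscustomobject]$row | ConvertTo-Csv -NoTypeInformation |
    ForEach-Object { $_ -replace '"', '' } |
    Set-Content -Path $OutputFile -Encoding ASCII

# Sanity check before upload: a genuine hash is a long base64 string (thousands
# of characters); a short value means the provider returned nothing useful.
Write-Output ('Serial {0}: hash length {1} characters, written to {2}' -f $serial, $devDetail.DeviceHardwareData.Length, $OutputFile)
```

Upload the resulting file under Devices > Windows > Windows enrollment > Devices > Import in the Intune admin center; the device appears in the Autopilot list once the import completes, after which profile assignment and dynamic group membership can proceed.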

189
MCQmedium

You manage Windows 10 devices with Microsoft Intune. A user reports that their device is not receiving required compliance policies, and the device status in Intune shows 'Not evaluated' for compliance. You confirm the device is enrolled and able to sync. What should you check first?

A.Verify that the user is assigned an Intune license.
B.Run the 'dsregcmd /status' command to check the device registration status.
C.Check that the device has a TPM chip enabled and Secure Boot turned on.
D.Ensure the compliance policy is assigned to a group that includes the user or device.
AnswerD

The compliance policy must be assigned to a group containing the user or device.

Why this answer

Option D is correct because a compliance policy must be assigned to a group containing the user or device for it to be evaluated. Even if the device is enrolled and syncing, without assignment the policy will not apply, resulting in a 'Not evaluated' status in Intune.

Exam trap

The trap here is that candidates confuse 'Not evaluated' with a device health or configuration issue, when it actually points to a missing policy assignment or group membership problem.

How to eliminate wrong answers

Option A is wrong because an Intune license is required for enrollment and sync, which the user already has (device is enrolled and syncing), so licensing is not the cause of 'Not evaluated' status. Option B is wrong because 'dsregcmd /status' checks Azure AD registration and hybrid join status, not compliance policy assignment or evaluation; the device is already enrolled and syncing, indicating registration is fine. Option C is wrong because TPM and Secure Boot are prerequisites for BitLocker or device health attestation, not for compliance policy evaluation; their absence would cause specific compliance failures, not a 'Not evaluated' status.

190
MCQhard

An organization uses Microsoft Intune to manage iOS/iPadOS devices. They have a custom line-of-business (LOB) iOS app that must be deployed to 50 devices. The app is signed with an enterprise certificate. The administrator uploads the .ipa file to Intune and assigns it as 'Required' to a device group containing the 50 devices. After 24 hours, only 30 devices have the app installed. The remaining 20 devices show 'pending install' status. What is the most likely cause?

A.The .ipa file exceeds the maximum file size allowed for LOB apps.
B.The users on the 20 devices have not opened the Company Portal app to trigger the installation.
C.The devices do not have a trusted certificate profile that trusts the enterprise signing certificate.
D.The MDM push certificate has expired, preventing app installation.
AnswerC

Enterprise-signed apps require the device to trust the root certificate.

Why this answer

The most likely cause is that the 20 devices lack a trusted certificate profile that trusts the enterprise signing certificate. For an enterprise-signed LOB app to install on iOS/iPadOS, the device must trust the root certificate used to sign the app. Without a trusted certificate profile deployed via Intune, the installation will remain in 'pending install' status because the device cannot validate the app's signature.

Exam trap

The trap here is that candidates often assume 'pending install' means a user action is required (like opening Company Portal) or a network issue, but Microsoft Intune's MDM channel can push apps silently; the real blocker is certificate trust for enterprise-signed apps.

How to eliminate wrong answers

Option A is wrong because an .ipa that exceeds Intune's upload size limit fails at upload time in the admin center; it would never reach an assigned 'pending install' state on devices. Option B is wrong because when an app is assigned as 'Required' in Intune, the installation is pushed silently via the MDM channel and does not require the user to open the Company Portal app. Option D is wrong because an expired MDM push certificate would prevent all MDM communication, not just app installations on a subset of devices, and the other 30 devices successfully installed the app, proving the push certificate is valid.

191
Multi-Selectmedium

A company is planning to deploy a custom Win32 app to Windows 10 devices using Intune. The app requires a .NET Framework 4.8 prerequisite. Which TWO methods can the administrator use to ensure the prerequisite is installed?

Select 2 answers
A.Require users to manually install the prerequisite
B.Use Group Policy to deploy the prerequisite
C.Add the prerequisite as a dependency in the app deployment
D.Package the prerequisite into the same Win32 app
E.Create a custom detection script that installs the prerequisite if missing
AnswersC, E

Dependencies allow automatic installation of prerequisites.

Why this answer

Option C is correct because Intune Win32 app deployment supports dependencies, allowing an administrator to specify .NET Framework 4.8 as a required dependency. When configured, Intune automatically installs the dependency before the main app, ensuring the prerequisite is present without manual intervention or additional scripting.

Exam trap

The trap here is that candidates often confuse 'packaging the prerequisite into the same app' (Option D) as a valid method, but Intune requires dependencies to be separate app entries with their own detection rules, not bundled installers.
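The dependency app needs its own detection rule, as the exam trap notes. The following custom detection script for a .NET Framework 4.8 dependency app is an added example, not material from the exam page: it reads the Release value that the .NET installer writes to the registry and reports "installed" only for 4.8 or later. The threshold 528040 is the lowest Release number Microsoft documents for .NET Framework 4.8; the script name and the way it is wired into the app are assumptions.

```powershell
# Added example (not from the exam page): Intune Win32 app custom detection
# script for the .NET Framework 4.8 dependency app. Intune treats the app as
# installed only when the script exits 0 AND writes something to STDOUT;
# any non-zero exit, or no output, means "not installed" and the dependency
# installs before the main app.
# Assumption: 528040 is the lowest Release value for .NET Framework 4.8 per
# Microsoft's version table; later releases (4.8.1) have higher numbers.
$key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
$minRelease = 528040

try {
    $release = (Get-ItemProperty -Path $key -Name Release -ErrorAction Stop).Release
}
catch {
    # Key or value missing: no .NET Framework 4.5 or later is present at all.
    exit 1
}

if ($release -ge $minRelease) {
    # Output plus exit 0 is the "installed" signal Intune looks for.
    Write-Output "Detected .NET Framework 4.8 or later (Release $release)"
    exit 0
}

# Present but older than 4.8: stay silent and exit non-zero so the
# dependency is installed.
exit 1
```

Attach this script as the detection rule of the .NET 4.8 dependency app, then add that app under Dependencies on the main Win32 app with "Automatically install" enabled; the main app's own detection rule should check the application, not the framework.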

192
MCQmedium

A company uses Microsoft 365 with hybrid identity. Users report that after changing their on-premises passwords, they cannot access SharePoint Online for up to 30 minutes, but Outlook on the web works immediately. You need to reduce the delay for SharePoint Online access. What should you do?

A.Run a Delta Sync in Azure AD Connect.
B.Configure password writeback in Azure AD Connect.
C.Enable Azure AD Seamless Single Sign-On.
D.In Azure AD, configure the user to require password change at next sign-in.
AnswerA

Delta Sync immediately synchronizes recent password changes, reducing the delay.

Why this answer

The delay occurs because password changes are synchronized only during the next Azure AD Connect sync cycle, which by default runs every 30 minutes. Running a Delta Sync immediately replicates the new password hash to Azure AD, eliminating the wait for SharePoint Online authentication.

Exam trap

The trap here is confusing password writeback (cloud-to-on-premises) with password hash synchronization (on-premises-to-cloud), leading candidates to select writeback when the actual issue is sync frequency.

How to eliminate wrong answers

Option B is wrong because password writeback is used for self-service password reset from the cloud to on-premises, not for synchronizing on-premises password changes to Azure AD. Option C is wrong because Azure AD Seamless SSO provides silent authentication on domain-joined devices but does not affect the synchronization of password hashes. Option D is wrong because requiring a password change at next sign-in is a policy that forces the user to update their password, but it does not accelerate the sync of an already-changed password.

193
Multi-Selecthard

You are configuring Windows Hello for Business in Microsoft Intune. Which THREE settings are required to enable Windows Hello for Business on Windows 10 devices?

Select 3 answers
A.Configure a certificate enrollment policy for smart cards.
B.Set minimum PIN length to at least 4 digits.
C.Enable biometric authentication.
D.Enable Windows Hello for Business in the identity protection policy.
E.Configure a PIN complexity policy.
AnswersB, D, E

A minimum PIN length is required.

Why this answer

Option B is correct because Windows Hello for Business requires a minimum PIN length of at least 4 digits when configured via Intune's identity protection policy. This setting is mandatory to enforce a baseline level of security for the PIN-based authentication method, and Intune will not enable Windows Hello for Business without a defined minimum PIN length.

Exam trap

The trap here is that candidates often assume biometric authentication is required for Windows Hello for Business, but Microsoft explicitly allows PIN-only deployments, and the mandatory settings are enabling the feature and configuring PIN complexity (including minimum length).

194
MCQhard

A company manages 500 Windows 11 devices with Microsoft Intune. They use BitLocker encryption with automatic encryption enabled. Several devices report that encryption did not start. The administrator reviews the devices and finds that they are not compliant with the BitLocker policy. What is the most likely cause?

A.Devices do not have a secure boot enabled
B.Devices do not have a Trusted Platform Module (TPM) chip
C.Devices are not Azure AD joined
D.BitLocker startup key is not saved to Azure AD
AnswerB

BitLocker requires a TPM to automatically encrypt devices.

Why this answer

BitLocker automatic encryption requires a compatible TPM chip to securely store encryption keys and validate system integrity. Without a TPM, BitLocker cannot start the encryption process automatically, leading to non-compliance with the policy. The other options do not directly prevent encryption from starting.

Exam trap

The trap here is that candidates often confuse Secure Boot with TPM requirements, assuming Secure Boot is mandatory for BitLocker, when in fact the TPM is the critical hardware component for automatic encryption to initiate.

How to eliminate wrong answers

Option A is wrong because Secure Boot is recommended but not strictly required for BitLocker automatic encryption; BitLocker can still encrypt without it, though it may affect integrity validation. Option C is wrong because Azure AD join is not a prerequisite for BitLocker encryption; devices can be Azure AD registered or hybrid joined and still encrypt. Option D is wrong because saving the BitLocker startup key to Azure AD is a recovery key backup step, not a prerequisite for encryption to start; encryption can begin without this backup.

195
MCQhard

You are troubleshooting a Windows 11 device that is enrolled in Microsoft Intune. The device shows 'Pending' status for a required app deployment. The app is a line-of-business (LOB) app. The device has been online for the past 24 hours. What is the most likely cause?

A.The device does not have internet connectivity to download the app.
B.The device's certificate for Intune is expired.
C.The Intune management extension is not installed on the device.
D.The device requires a restart to complete previous updates.
AnswerC

LOB apps require the extension, which may be missing.

Why this answer

The Intune management extension is responsible for deploying line-of-business (LOB) apps and PowerShell scripts on Windows devices. If this extension is not installed, the device will show a 'Pending' status for required app deployments because the Intune service cannot initiate the download or installation. Since the device has been online, connectivity is not the issue, and the extension must be present to process the deployment.

Exam trap

The trap here is that candidates often assume a 'Pending' status is always due to network issues or pending reboots, but Microsoft specifically tests the requirement of the Intune management extension for LOB app deployments on Windows devices.

How to eliminate wrong answers

Option A is wrong because the device has been online for the past 24 hours, indicating internet connectivity is available, and a 'Pending' status typically does not result from transient connectivity issues. Option B is wrong because an expired Intune certificate would cause the device to appear as 'Not compliant' or 'Unhealthy' in the Intune console, not a 'Pending' status for a specific app deployment. Option D is wrong because a pending restart affects the completion of earlier updates, not whether a new LOB app deployment starts; a reboot requirement would not leave the deployment stuck at 'Pending'.

196
Matchingmedium

Match each Microsoft Entra ID (Azure AD) join type to its description.


Concepts
Matches

Personal devices with work account access

Devices owned by organization, cloud-only

Devices joined to on-premises AD and Azure AD

Hybrid join with automatic device enrollment

Hybrid join using federation services

Why these pairings

Join types determine device identity and management scope in MD-102.

197
Multi-Selectmedium

Which TWO actions can you perform on a managed device from the Microsoft Intune admin center?

Select 2 answers
A.Change the primary user
B.Change the enrolled user
C.Restart the device
D.Sync the device
E.Change the device name
AnswersC, D

Remote restart is available in Intune.

Why this answer

Options C and D are correct. C: you can restart a device remotely. D: you can sync a device to force a check-in.

Options A and E relate to device properties (primary user, device name) rather than to the remote device actions this question targets. Option B is wrong because the enrolled user cannot be changed; the device must be wiped and re-enrolled.

198
MCQeasy

Your organization requires that all corporate laptops be encrypted. You manage Windows 10 devices with Microsoft Intune. Which policy should you configure?

A.Enable Device Encryption in Windows settings.
B.Configure a FileVault policy for Windows devices.
C.Create a BitLocker policy in Intune Endpoint Protection.
D.Deploy an Encrypting File System (EFS) policy.
AnswerC

BitLocker provides full disk encryption and can be managed via Intune.

Why this answer

Option C is correct because Microsoft Intune's Endpoint Protection policy includes a dedicated BitLocker settings section that allows administrators to enforce encryption on Windows 10 devices. This policy centrally manages BitLocker drive encryption, recovery key escrow to Azure AD, and encryption method (e.g., XTS-AES 128-bit), meeting the requirement for corporate laptop encryption.

Exam trap

The trap here is confusing file-level encryption (EFS) with full-disk encryption (BitLocker), or assuming that Device Encryption in Windows settings is the same as BitLocker, when in fact Device Encryption is a limited feature only available on specific hardware and lacks the management capabilities of Intune's BitLocker policy.

How to eliminate wrong answers

Option A is wrong because 'Enable Device Encryption' in Windows settings is a client-side toggle that only enables hardware-based encryption on devices that support InstantGo (Modern Standby), and it cannot be centrally managed or enforced via Intune policy. Option B is wrong because FileVault is Apple's full-disk encryption technology for macOS, not applicable to Windows 10 devices. Option D is wrong because Encrypting File System (EFS) provides file-level encryption, not full-disk encryption, and is configured through Group Policy and certificate settings rather than Intune's BitLocker settings.

199
Multi-Selectmedium

Your organization uses Microsoft Intune to manage mobile devices. You need to configure compliance policies that trigger conditional access. Which TWO conditions can be used in a device compliance policy?

Select 2 answers
A. Device is enrolled in a specific MDM authority.
B. App must have a minimum version.
C. Minimum OS version is 14.0.
D. Device is not jailbroken or rooted.
E. SD card encryption is enabled.
Answers: C, D

Compliance policies can specify minimum OS version.

Why this answer

Options C and D are correct. Device compliance policies can require a minimum OS version (C) and check that the device is not jailbroken or rooted (D). Option B is wrong because app protection policies, not compliance policies, manage app-level restrictions.

Option E is wrong because device compliance policies do not enforce encryption of SD cards; they can require device encryption, but not SD card encryption specifically. Option A is wrong because device compliance policies do not require a specific MDM authority; they assume Intune.

200
MCQ, easy

Your organization has devices enrolled in Microsoft Intune that are not domain-joined. You need to deploy a LOB app that requires a license key stored in a file. The app must be installed automatically when devices are enrolled. What should you do?

A. Package the app as a Win32 app and include a script to copy the license file.
B. Use a Microsoft Store for Business app and include the license as a dependency.
C. Join devices to Azure AD and use Group Policy to install.
D. Create an Intune App Protection Policy to deploy the license.
Answer: A

Win32 app allows custom installation scripts.

Why this answer

Intune can deploy a Win32 app with an install script that reads the license file. Option B is incorrect because Store apps cannot include custom license files. Option D is incorrect because app protection policies (APP) do not install apps.

Option C is incorrect because Azure AD join is not required for Intune management.

201
MCQ, hard

You are deploying Windows 10 to 100 new devices using Microsoft Deployment Toolkit (MDT). You want to integrate with Microsoft Intune for post-deployment management. Which MDT integration method should you use?

A. Use Microsoft Configuration Manager to deploy the devices and then co-manage with Intune.
B. Configure Windows Autopilot for the devices and skip MDT.
C. Create a provisioning package in MDT that includes the Intune enrollment configuration and apply it during the deployment task sequence.
D. Install the Intune connector for MDT and configure it during deployment.
Answer: C

The provisioning package can include MDM enrollment settings.

Why this answer

Option C is correct because MDT can generate a provisioning package that includes Intune enrollment details, which is applied during deployment. Option D is incorrect because MDT does not directly integrate with Intune via a connector. Option A is incorrect because Configuration Manager integration is a separate path.

Option B is incorrect because Autopilot is a different deployment method.

202
Multi-Select, medium

You are configuring Microsoft Intune device compliance policies for Windows 10. Which THREE settings can be evaluated by compliance policies? (Choose three.)

Select 3 answers
A. Windows Firewall status
B. Minimum OS version
C. BitLocker encryption status
D. Password policy (length, complexity)
E. Threat level from Microsoft Defender for Endpoint
Answers: B, D, E

Compliance can require a minimum OS version.

Why this answer

Options B, D, and E are correct. Compliance policies can evaluate threat level, OS version, and password settings. Option C is incorrect because BitLocker is evaluated by device configuration policies, not compliance.

Option A is incorrect because firewall status is a configuration policy setting, not typically a compliance setting.

203
MCQ, easy

You need to ensure that only compliant devices can access Exchange Online. Which Intune policy should you use?

A. Device compliance policy
B. App protection policy
C. Conditional Access policy
D. Device configuration profile
Answer: C

Conditional Access blocks non-compliant devices.

Why this answer

Option C is correct because Conditional Access with a device compliance requirement evaluates compliance and blocks non-compliant devices. Option A is wrong because a compliance policy defines compliance but does not enforce access. Option D is wrong because a device configuration profile configures settings.

Option B is wrong because an app protection policy manages app-level protection.

204
MCQ, hard

You are a Microsoft 365 Endpoint Administrator for a mid-sized company with 5,000 Windows 10 devices. The company is planning to migrate to Windows 11. You are tasked with deploying Windows 11 using a phased approach with Windows Autopilot. You have configured an Autopilot deployment profile for self-deploying mode targeting all Windows 10 devices in a dynamic device group. However, during the first wave of deployment, you notice that devices that have been upgraded to Windows 11 via an in-place upgrade are not automatically transitioning to the Autopilot experience. Instead, they boot directly to the existing Windows 10 desktop without any Autopilot enrollment. You verify that the devices are registered in Autopilot and that the deployment profile is assigned correctly. What is the most likely cause of this issue?

A. The Autopilot profile has a pre-provisioning policy that blocks self-deploying mode
B. The devices have not been reset to OOBE state after the in-place upgrade
C. The Autopilot profile is configured for user-driven mode instead of self-deploying mode
D. The devices are not connected to the internet during the first boot after upgrade
Answer: B

Autopilot requires OOBE; upgrade doesn't trigger OOBE.

Why this answer

Windows Autopilot requires the device to be in an Out-of-Box Experience (OOBE) state to trigger the enrollment process. An in-place upgrade to Windows 11 preserves the existing user state and settings, so the device boots directly to the desktop without entering OOBE. Even though the device is registered in Autopilot and the profile is assigned, the Autopilot experience only initiates when the device is reset to OOBE (e.g., via a Windows reset or a fresh start).

Therefore, the most likely cause is that the devices have not been reset to OOBE state after the in-place upgrade.

Exam trap

The trap here is that candidates assume Autopilot enrollment will automatically trigger after any upgrade or reboot on a registered device, but they overlook the critical requirement that the device must be in OOBE state to initiate the Autopilot process.

How to eliminate wrong answers

Option A is wrong because a pre-provisioning policy does not block self-deploying mode; pre-provisioning is an optional phase that can be used with self-deploying mode, and it does not prevent the Autopilot enrollment from starting. Option C is wrong because the question states the profile is configured for self-deploying mode, and if it were misconfigured for user-driven mode, the device would still attempt to enroll (but prompt for user credentials) rather than boot directly to the desktop. Option D is wrong because internet connectivity is required for Autopilot enrollment, but the issue here is that the device never enters the OOBE phase where it would check for connectivity; the device boots to the existing desktop, so connectivity is not the blocking factor.

205
Multi-Select, medium

Your organization uses Microsoft Intune to manage corporate-owned iOS devices. You need to ensure that devices are supervised and can be configured with restrictions that cannot be removed by the user. Which THREE steps must you take?

Select 3 answers
A. Add devices to Apple Business Manager (ABM).
B. Configure automated device enrollment (formerly DEP) in ABM and link to Intune.
C. Create an iOS enrollment profile in Intune with 'Supervised' enabled.
D. Assign a user to each device during enrollment.
E. Create a device compliance policy that requires supervision.
Answers: A, B, C

ABM is required for supervision.

Why this answer

Options A, B, and C are correct. Supervising devices requires Apple Business Manager, automated enrollment, and a supervision profile. Option D is not required because supervised devices do not need user affinity for supervision.

Option E is for device compliance, not supervision.

206
Multi-Select, hard

An organization uses Microsoft Intune to manage Windows devices. They need to configure a policy to enforce disk encryption on devices. Which THREE of the following are valid encryption options?

Select 3 answers
A. BitLocker
B. Encrypting File System (EFS)
C. Device encryption
D. FileVault
E. APFS encryption
Answers: A, C, D

BitLocker is a full disk encryption feature for Windows.

Why this answer

Options A, C, and D are correct. BitLocker is for Windows devices, FileVault is for macOS, and device encryption is a built-in Windows feature. Option B is wrong because Encrypting File System (EFS) is file-level encryption, not full disk encryption.

Option E is wrong because Apple File System (APFS) encryption is for macOS, but it's not a separate policy in Intune; FileVault is used.

207
MCQ, easy

Refer to the exhibit. You are reviewing a Windows 10 update ring configuration JSON. What does the 'automaticUpdateBehavior' setting control?

A. The level of update notifications
B. How long to defer feature updates
C. Whether updates are installed automatically and if the user can control reboot timing
D. The branch readiness level
Answer: C

This setting defines the installation and reboot behavior.

Why this answer

Option C is correct because automaticUpdateBehavior controls how updates are installed and whether the user has control over reboots. Option B is wrong because deferral days are a separate setting. Option A is wrong because the notification level is a separate setting.

Option D is wrong because branch readiness is not in this JSON.

208
Multi-Select, hard

Which THREE steps are required to configure a Windows 10 device for kiosk mode using Microsoft Intune? (Choose three)

Select 3 answers
A. Configure Autopilot for the device.
B. Create a device compliance policy to enforce kiosk mode.
C. Create a device configuration profile with the kiosk settings.
D. Assign the kiosk profile to a Microsoft Entra ID group containing the target devices.
E. Ensure the device is enrolled in Microsoft Intune.
Answers: C, D, E

Kiosk settings are configured via a configuration profile.

Why this answer

Option C is correct because a device configuration profile in Microsoft Intune is the mechanism used to define the specific kiosk settings, such as the user account, app type (e.g., single-app or multi-app kiosk), and browser configuration. This profile applies the kiosk mode configuration to the device via the Windows 10/11 kiosk policy CSP (Policy Configuration Service Provider).

Exam trap

The trap here is that candidates confuse device compliance policies with device configuration profiles, mistakenly thinking compliance policies can enforce kiosk mode, when in fact compliance policies only evaluate and report on device health and security settings.

209
MCQ, medium

Your company uses Intune to manage iOS devices. You need to deploy a new app that is available in the Apple App Store. You create an iOS store app in Intune and assign it as 'Required' to a group of users. After 24 hours, some users report that the app is not installed. You verify that the app is available in the App Store and that the devices are online. The devices are supervised and enrolled via Apple Business Manager. What should you do first to troubleshoot the issue?

A. Review the iOS device restrictions policy
B. Confirm that the devices are enrolled in Intune
C. Check the app configuration policy for the app
D. Verify that a VPP token is configured and assigned
Answer: D

Supervised devices require a VPP token for app distribution.

Why this answer

Option D is correct because Volume Purchase Program (VPP) tokens are required for managed app distribution on supervised devices. Option C is incorrect because app configuration policies are not required for installation. Option A is incorrect because iOS restrictions are not blocking installation.

Option B is incorrect because the devices are already enrolled and online.

210
MCQ, hard

A user has an iOS device enrolled in Intune. The device is lost, and you need to immediately prevent unauthorized access to corporate data. The device contains both corporate and personal data. Which action should you take?

A. Disable the user's account in Microsoft Entra ID
B. Initiate a selective wipe
C. Initiate a full wipe
D. Use Remote Lock to lock the device
Answer: D

Remote lock immediately locks the device, preventing access.

Why this answer

Remote Lock immediately locks the iOS device, preventing unauthorized access to both corporate and personal data without altering the device's content. This is the correct first step to secure data while preserving the ability to recover the device later, as it does not remove any data or accounts.

Exam trap

The trap here is that candidates often confuse 'immediate prevention of unauthorized access' with data removal, leading them to choose a wipe option, but Remote Lock is the correct first step because it secures the device without destroying personal data or requiring re-enrollment.

How to eliminate wrong answers

Option A is wrong because disabling the user's account in Microsoft Entra ID revokes access to cloud services but does not lock the device itself, leaving local data accessible. Option B is wrong because a selective wipe removes only corporate data and apps, which still leaves personal data exposed and does not immediately prevent access to the device. Option C is wrong because a full wipe erases all data, including personal content, which is overly destructive and irreversible; it should only be used as a last resort after confirming the device cannot be recovered.

211
MCQ, hard

You are troubleshooting a Windows 10 device that fails to enroll in Microsoft Intune. The device shows error code 0x8018000b. You verify that the user has a valid Intune license and that the device is running Windows 10 Pro. What is the most likely cause of the enrollment failure?

A. The device is running Windows 10 Home edition.
B. MDM enrollment is blocked by a local Group Policy or registry setting.
C. The device is not connected to the internet.
D. The device has an expired certificate required for enrollment.
Answer: B

This error code indicates enrollment is disabled via policy.

Why this answer

Option B is correct because error 0x8018000b typically indicates that MDM enrollment is blocked via Group Policy or the registry. Option C is incorrect because the error is specific to MDM enrollment being blocked, not to connectivity. Option A is incorrect because the device edition is Pro, which supports enrollment.

Option D is incorrect because certificate issues usually produce different errors.

212
MCQ, easy

An administrator runs the above PowerShell command on a Windows 10 device managed by Microsoft Defender for Endpoint. The device is reporting as healthy in the security console. Based on the output, which protection feature is disabled?

A. IOAV protection
B. Antimalware service
C. Real-time protection
D. Antivirus
Answer: C

RealTimeProtectionEnabled is False, so real-time protection is disabled.

Why this answer

The PowerShell command `Get-MpComputerStatus` returns the current status of Microsoft Defender Antivirus. The output shows `AMServiceEnabled : False`, which indicates the antimalware service is disabled, but the critical indicator is `RealTimeProtectionEnabled : False`. Real-time protection monitors file system activity for malware in real time; when disabled, the device may still report as healthy in the Microsoft Defender for Endpoint console if other components (e.g., cloud-delivered protection) are active, but the device is not fully protected against immediate threats.

Exam trap

The trap here is that candidates see `AMServiceEnabled : False` and assume the antimalware service is the disabled feature, but the question specifically asks which protection feature is disabled based on the output, and `RealTimeProtectionEnabled : False` is the direct answer; the antimalware service being disabled is a separate state that would also disable real-time protection, but the output explicitly lists real-time protection as disabled.

How to eliminate wrong answers

Option A is wrong because IOAV (Internet-Origin Antimalware) protection is controlled by the `IoavProtectionEnabled` property, which is not shown as False in the output; IOAV protection specifically scans downloaded files from the internet and is separate from real-time protection. Option B is wrong because `AMServiceEnabled : False` indicates the antimalware service itself is disabled, but the question asks which protection feature is disabled based on the output; the antimalware service being disabled would typically prevent real-time protection from functioning, but the direct output shows `RealTimeProtectionEnabled : False` as the explicit feature disabled. Option D is wrong because antivirus (the overall product) is not a single toggle; the output shows `AMProductEnabled : True`, meaning the antivirus product is enabled, but real-time protection (a sub-feature) is disabled.
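A PowerShell check added here as an example (it is not part of the question bank) that reads the same Get-MpComputerStatus properties the explanation discusses and lists every protection component the device reports as disabled. The sample status object is constructed to mirror the exhibit described above, and the human-readable feature labels are my own.

```powershell
# Added example: audit Microsoft Defender Antivirus protection components on the
# local device and return the ones that are disabled. Only properties exposed by
# Get-MpComputerStatus (Defender PowerShell module) are read.
function Get-DefenderDisabledFeatures {
    [CmdletBinding()]
    param(
        # A status object can be passed in (e.g. a captured or constructed one);
        # by default the live status of the local device is queried.
        [Parameter(ValueFromPipeline = $true)]
        $Status = (Get-MpComputerStatus)
    )
    process {
        # Property name -> feature it represents (labels are my own wording)
        $features = [ordered]@{
            AMServiceEnabled          = 'Antimalware service'
            AntivirusEnabled          = 'Antivirus'
            RealTimeProtectionEnabled = 'Real-time protection'
            IoavProtectionEnabled     = 'IOAV protection (downloaded files/attachments)'
            OnAccessProtectionEnabled = 'On-access protection'
            BehaviorMonitorEnabled    = 'Behavior monitoring'
            NISEnabled                = 'Network inspection system (NIS)'
            IsTamperProtected         = 'Tamper protection'
        }
        foreach ($name in $features.Keys) {
            $value = $Status.$name
            # Skip properties that an older platform build does not expose
            if ($null -eq $value) { continue }
            if (-not $value) {
                [pscustomobject]@{
                    Property = $name
                    Feature  = $features[$name]
                    Enabled  = $false
                }
            }
        }
    }
}

# Constructed sample mirroring the exhibit described in the question:
# the antimalware service and real-time protection are reported as off.
$sampleStatus = [pscustomobject]@{
    AMServiceEnabled          = $false
    AntivirusEnabled          = $true
    RealTimeProtectionEnabled = $false
    IoavProtectionEnabled     = $true
    OnAccessProtectionEnabled = $false
    BehaviorMonitorEnabled    = $true
    NISEnabled                = $true
    IsTamperProtected         = $true
}

# Offline run against the constructed sample
Get-DefenderDisabledFeatures -Status $sampleStatus | Format-Table -AutoSize

# Live run on the local device (requires the Defender module, i.e. Windows with
# Microsoft Defender Antivirus present):
# Get-DefenderDisabledFeatures | Format-Table -AutoSize
```

On a device where tamper protection is on, a disabled real-time protection component cannot be turned back on locally with Set-MpPreference; it has to be restored through the Intune antivirus policy, which is the point of a device showing healthy in the console while a local component is off.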

213
MCQ, hard

Your organization uses Microsoft Intune to manage devices. You need to deploy a PowerShell script that runs every time a user logs in to a Windows 10 device. The script must run with administrative privileges. Which deployment approach should you use?

A. Package the script as a Win32 app and assign it as required.
B. Deploy the script as a proactive remediation in Intune.
C. Use Intune PowerShell scripts targeting the user, with a scheduled task triggered by logon.
D. Use a custom compliance policy to run the script.
Answer: C

Intune PowerShell scripts can run in user context; a scheduled task triggered at logon can elevate privileges.

Why this answer

Option C is correct because Microsoft Intune supports PowerShell scripts running in the user context on login, and a scheduled task triggered by logon can run with elevated privileges. Option B is wrong because proactive remediations run on a schedule, not on logon. Option A is wrong because a Win32 app can be set to run once, not on every logon.

Option D is wrong because custom compliance policies evaluate compliance; they do not run scripts on login.
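An added example, not code from the question bank, of the approach in Option C: an Intune-deployed PowerShell script that registers a scheduled task which fires at every logon and runs as SYSTEM, so the logon payload has administrative rights regardless of who signs in. The task name, script path and payload body are assumptions, and it assumes the Intune script itself is assigned in the system context (the default), since registering a SYSTEM task requires administrative rights.

```powershell
# Added example: Intune PowerShell script that stages a logon payload and
# registers a scheduled task to run it elevated at every user logon.
$TaskName   = 'Contoso-LogonMaintenance'                    # assumed task name
$ScriptPath = 'C:\ProgramData\Contoso\LogonMaintenance.ps1' # assumed path
$ScriptDir  = Split-Path -Path $ScriptPath -Parent

# 1. Stage the payload that will run at logon (constructed placeholder body).
New-Item -ItemType Directory -Path $ScriptDir -Force | Out-Null
@'
# Placeholder logon task body; replace with the real maintenance logic.
"$(Get-Date -Format o) logon task ran for $env:USERNAME" |
    Out-File -FilePath "$env:ProgramData\Contoso\LogonMaintenance.log" -Append
'@ | Set-Content -Path $ScriptPath -Encoding UTF8

# 2. Lock down the staging folder. A script that runs as SYSTEM at logon must not
#    be writable by standard users, or it becomes a local privilege-escalation
#    path; grant modify rights only to SYSTEM and Administrators.
icacls $ScriptDir /inheritance:r `
    /grant:r 'SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F' 'BUILTIN\Users:(OI)(CI)RX' |
    Out-Null

# 3. Build the task: run the staged script hidden, at every interactive logon,
#    as SYSTEM with the highest run level.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File `"$ScriptPath`""

$trigger = New-ScheduledTaskTrigger -AtLogOn

$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' `
    -LogonType ServiceAccount -RunLevel Highest

$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries `
    -ExecutionTimeLimit (New-TimeSpan -Minutes 10) -MultipleInstances IgnoreNew

# 4. Idempotent registration so the Intune script can safely run more than once.
if (Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue) {
    Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false
}
Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings `
    -Description 'Logon maintenance task registered by Intune PowerShell script' | Out-Null

# 5. Return the registration state so the Intune script log shows the outcome.
Get-ScheduledTask -TaskName $TaskName | Select-Object TaskName, State
```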

214
MCQ, hard

You are designing a Windows Update for Business deployment for a hybrid environment with 5,000 devices. You need to ensure that critical security updates are deployed within 48 hours while allowing feature updates to be delayed up to 60 days. Which policy configuration should you use?

A. Configure a 'Quality update deadline' of 2 days and a 'Feature update deadline' of 60 days.
B. Use a 'Quality update deferral period' of 48 hours and a 'Feature update deferral period' of 60 days in a Windows 10 update ring.
C. Set the 'Update notification level' to '2 - Disable all notifications' and configure active hours.
D. Configure a 'Quality update deferral period' of 2 days and a 'Feature update deferral period' of 60 days.
Answer: A

Deadline policies are the modern approach to enforce update installation within a specific timeframe.

Why this answer

Option A is correct because Windows Update for Business uses 'deadline' policies to enforce when updates must be installed, not deferral periods. A 'Quality update deadline' of 2 days ensures critical security updates are installed within 48 hours, while a 'Feature update deadline' of 60 days allows feature updates to be delayed up to 60 days. Deferral periods only postpone when an update is offered, not when it must be installed, making deadlines the appropriate mechanism for enforcing installation timelines.

Exam trap

The trap here is that candidates confuse deferral periods with deadlines, assuming a deferral of 2 days achieves the same result as a 2-day deadline, but deferrals only delay the offer while deadlines enforce installation timing.

How to eliminate wrong answers

Option B is wrong because deferral periods delay the offer of updates but do not enforce an installation deadline; a 48-hour deferral would only delay when the quality update is first offered, not ensure it is installed within 48 hours. Option C is wrong because notification settings and active hours control user experience and restart timing, not the deployment timeline for security or feature updates. Option D is wrong because a deferral period of 2 days for quality updates only delays the offer by 2 days, failing to guarantee installation within 48 hours; deadlines are required to enforce the installation window.

215
Multi-Select, hard

Which THREE factors should you consider when planning a Microsoft Intune migration from Configuration Manager?

Select 3 answers
A. The use of co-management to gradually move workloads.
B. The ability to manage on-premises servers with Intune.
C. The compatibility of existing application packages with Intune formats (Win32, LOB).
D. The need for an on-premises Intune server.
E. Network bandwidth requirements for device communication with Intune.
Answers: A, C, E

Co-management enables you to manage devices with both Configuration Manager and Intune, allowing a phased migration.

Why this answer

Option A is correct because co-management allows you to attach your existing Configuration Manager deployment to Microsoft Intune, enabling a gradual migration of workloads (e.g., compliance policies, device configuration, Windows Update policies) at your own pace. This hybrid approach lets you keep some management functions on-premises while testing and shifting others to the cloud, minimizing disruption and providing a rollback path.

Exam trap

The trap here is that candidates often assume Intune can manage on-premises servers like Configuration Manager does, or that an on-premises Intune server exists, when in reality Intune is purely cloud-based and cannot replace Configuration Manager for server management.

216
MCQ, medium

A user reports that their Windows 11 device is not receiving Microsoft 365 Apps updates from Intune. You verify the device is enrolled and compliant. The device has a Microsoft 365 Apps update policy assigned. What is the most likely cause?

A. The Microsoft 365 Apps update channel is not configured in the policy
B. The device is in a low-power state and not checking in for updates
C. The device is not connected to the internet
D. The device has an older version of Office installed that does not support Intune management
Answer: B

If the device is in a low-power state, update policies may not apply until it is active.

Why this answer

The most likely cause is that the device is in a low-power state (e.g., sleep or hibernation) and not checking in for updates. Intune relies on the Microsoft 365 Apps update service, which uses a scheduled task that runs only when the device is awake and connected. If the device is in a low-power state, it cannot execute the update check, even though it is enrolled and compliant.

Exam trap

The trap here is that candidates often assume the update channel must be configured (Option A) or that internet connectivity is the issue (Option C), but Intune policies have default channels and the device is already compliant, so the real culprit is the device's power state preventing the update check from running.

How to eliminate wrong answers

Option A is wrong because if the update channel were not configured, the policy would either fail to apply or use a default channel, but the device would still attempt to check for updates; the issue is that the device is not checking in at all. Option C is wrong because the question states the device is enrolled and compliant, which requires internet connectivity for Intune communication; if it were not connected, the device would not be compliant or would show as disconnected. Option D is wrong because all versions of Office that support Intune management (Microsoft 365 Apps, Office 2019 or later) can receive updates via Intune policies; an older version like Office 2016 would not be managed by Intune at all, but the device is already enrolled and has a policy assigned.

217
MCQ, easy

You need to enforce encryption on Windows 10 devices managed by Intune. Which policy type should you configure?

A. Endpoint Protection profile
B. Device compliance policy
C. Windows Update for Business policy
D. Device configuration profile (settings catalog)
Answer: A

Endpoint Protection profiles include settings for BitLocker encryption.

Why this answer

Endpoint Protection profiles in Intune include the 'Windows Encryption' settings category, which allows you to enforce BitLocker Drive Encryption on Windows 10 devices. This profile directly manages encryption policies such as requiring BitLocker on OS and fixed drives, configuring encryption methods (e.g., XTS-AES 128-bit), and setting recovery password options. It is the correct policy type for enforcing encryption because it specifically targets security settings like device encryption and BitLocker.

Exam trap

The trap here is that candidates confuse Device Compliance Policies (which can check encryption status) with the actual policy that enforces encryption, leading them to select Option B, but compliance policies are read-only evaluations and cannot configure BitLocker settings.

How to eliminate wrong answers

Option B is wrong because Device Compliance Policies evaluate whether devices meet security requirements (e.g., encryption status) but do not configure or enforce encryption settings; they only mark devices as compliant or non-compliant. Option C is wrong because Windows Update for Business policies manage update rings, deferrals, and feature updates, not encryption or BitLocker settings. Option D is wrong because while the Settings Catalog in Device Configuration Profiles can include many settings, it does not contain the specific 'Windows Encryption' or 'BitLocker' policy categories that are exclusive to Endpoint Protection profiles for encryption enforcement.

218
MCQ, easy

You are the compliance administrator for a large organization using Microsoft 365 E5 licenses. The company has a hybrid identity configuration with Azure AD Connect syncing on-premises Active Directory to Azure AD. The security team requires that all mobile devices accessing corporate email and documents must be enrolled in Microsoft Intune and compliant with company device policies. Recently, several users reported that they cannot access Outlook on their iOS devices, receiving a message: 'Your organization requires this device to be managed by Intune. Please install the Company Portal app and enroll your device.' However, after installing Company Portal and completing enrollment, they still cannot access Outlook and see the same error. Upon investigation, you find that the devices are showing as 'Compliant' in the Microsoft Intune admin center. You also verify that the Conditional Access policy requiring device compliance is correctly configured and assigned to all users. What should you do to resolve the issue?

A. Disable the Conditional Access policy, wait 10 minutes, and then re-enable it.
B. Recreate the Conditional Access policy with the same settings and assign it to the affected users.
C. Check if the affected users have an Intune license assigned; if not, assign one.
D. Verify that the devices are properly registered in Azure AD and, if not, ask users to unenroll and re-enroll their devices.
Answer: D

This addresses the common issue of devices being compliant but not properly registered in Azure AD, which causes Conditional Access to fail.

Why this answer

The issue is that the devices are compliant in Intune but not properly registered in Azure AD, which is a prerequisite for Conditional Access policies to evaluate device compliance. Even after enrollment, if the device registration fails or is incomplete, the Conditional Access policy will still block access. Option D addresses this by verifying and fixing the Azure AD registration, typically requiring unenrollment and re-enrollment to trigger a fresh registration.

Exam trap

The trap here is that candidates assume 'Compliant in Intune' automatically means 'Registered in Azure AD,' but Conditional Access evaluates Azure AD registration status separately, and a compliant device can still fail the registration check.

How to eliminate wrong answers

Option A is wrong because disabling and re-enabling a Conditional Access policy does not fix underlying device registration issues; it only temporarily removes the policy enforcement, which is not a sustainable solution. Option B is wrong because recreating the policy with identical settings does not resolve the root cause of devices not being properly registered in Azure AD; it would still evaluate the same non-registered devices. Option C is wrong because the affected users already have Microsoft 365 E5 licenses, which include Intune, and the devices show as compliant, indicating licensing is not the issue; the problem is Azure AD registration, not licensing.

219
MCQ, medium

Your organization uses Microsoft Defender for Endpoint (Defender XDR) to manage endpoint security. You need to ensure that all Windows devices report their security baselines compliance to Intune. Which configuration should you verify?

A. Devices are onboarded to Defender for Endpoint
B. Group Policy objects are linked to the domain
C. Security baselines are configured and assigned in Intune endpoint security
D. Devices are registered in Microsoft 365 Defender portal
Answer: C

Directly manages baseline compliance.

Why this answer

Option C is correct because Intune security baselines are the mechanism that defines and enforces security configuration policies on Windows devices. To report compliance with those baselines, the baselines must first be configured and assigned to the devices via Intune endpoint security. Without this assignment, devices have no baseline to compare against, and compliance reporting will not occur.

Exam trap

The trap here is that candidates often confuse onboarding to Defender for Endpoint (which enables security telemetry and threat detection) with the separate requirement of configuring and assigning Intune security baselines to enforce and report compliance.

How to eliminate wrong answers

Option A is wrong because onboarding devices to Defender for Endpoint ensures they can send telemetry and be managed for threat detection, but it does not by itself configure or report on security baseline compliance; that requires Intune security baseline policies. Option B is wrong because Group Policy objects are a traditional on-premises management tool that does not report compliance to Intune; Intune uses its own policy engine and MDM channel, not GPOs. Option D is wrong because registering devices in the Microsoft 365 Defender portal is part of the Defender for Endpoint onboarding process and does not create or assign security baseline policies; compliance reporting to Intune requires the Intune security baseline assignment.

220
MCQ, hard

You are the endpoint administrator for Contoso Ltd., a multinational company with 10,000 Windows 10 and 11 devices managed by Microsoft Intune. The company recently acquired a subsidiary that uses on-premises Active Directory and Configuration Manager. The subsidiary's devices are not joined to Microsoft Entra ID. Your goal is to migrate these devices to cloud management with Intune within six months. The subsidiary has 2,000 devices, all running Windows 10. The devices are currently domain-joined and managed by ConfigMgr. You need to choose the most efficient migration strategy that minimizes user disruption and leverages existing investments. The subsidiary has a high-speed WAN link to the corporate network. You have the following options: A) Use ConfigMgr to deploy a task sequence that performs a wipe-and-load with Windows Autopilot, then enroll in Intune. B) Use ConfigMgr co-management with Intune, then gradually transition workloads to Intune, and finally switch devices to Entra ID join. C) Use a provisioning package (PPKG) to join devices to Entra ID and enroll in Intune, while keeping ConfigMgr client for legacy apps. D) Use Windows Autopilot for existing devices by uploading hardware hashes, resetting devices, and re-provisioning. Which option should you choose?

A. Use a provisioning package (PPKG) to join devices to Entra ID and enroll in Intune, while keeping ConfigMgr client for legacy apps
B. Use ConfigMgr co-management with Intune, then gradually transition workloads to Intune, and finally switch devices to Entra ID join
C. Use Windows Autopilot for existing devices by uploading hardware hashes, resetting devices, and re-provisioning
D. Use ConfigMgr to deploy a task sequence that performs a wipe-and-load with Windows Autopilot, then enroll in Intune
Answer: B

Smooth migration with minimal disruption.

Why this answer

Option B is correct because co-management allows you to gradually transition Configuration Manager workloads to Intune without disrupting existing management, leveraging the existing ConfigMgr infrastructure and high-speed WAN link. This minimizes user disruption by keeping devices domain-joined initially, then switching to Entra ID join after workloads are migrated, which is the most efficient path for 2,000 existing domain-joined devices.

Exam trap

The trap here is that candidates often choose Autopilot or PPKG options because they seem 'modern,' but for existing domain-joined devices with ConfigMgr, co-management is the least disruptive and most efficient migration path, not a full wipe or provisioning package.

How to eliminate wrong answers

Option A is wrong because using a provisioning package (PPKG) to join devices to Entra ID and enroll in Intune while keeping the ConfigMgr client creates a dual-management scenario without the benefit of co-management's workload transition capabilities, leading to conflicts and no gradual migration path. Option C is wrong because Windows Autopilot for existing devices requires uploading hardware hashes and resetting devices, which causes significant user disruption (data loss, re-provisioning) and does not leverage the existing ConfigMgr investment or the high-speed WAN link. Option D is wrong because using ConfigMgr to deploy a task sequence that performs a wipe-and-load with Windows Autopilot is overly disruptive (full wipe, data loss) and inefficient compared to co-management, which allows a phased, non-destructive migration.

221
MCQmedium

Your organization uses Microsoft Intune to manage devices. You need to ensure that only corporate-owned Windows 10 devices are allowed to access Microsoft 365 services. You have configured a conditional access policy to require compliant devices. What else must you do to identify corporate-owned devices?

A. Configure a device compliance policy to require corporate ownership.
B. Set enrollment restrictions to block personally owned devices.
C. Deploy an app protection policy to block personal devices.
D. Add corporate device identifiers (e.g., serial numbers) in Intune.
Answer: D

Corporate identifiers allow Intune to automatically mark devices as corporate-owned upon enrollment.

Why this answer

Option D is correct because you need to add corporate device identifiers (e.g., serial numbers) in Intune so that devices can be marked as corporate-owned. Option C is wrong because app protection policies manage data within apps, not device ownership. Option A is wrong because compliance policies do not set ownership.

Option B is wrong because enrollment restrictions block personal devices but do not mark devices as corporate.

222
MCQmedium

You manage Windows 10 devices with Intune. After deploying a new compliance policy requiring BitLocker, many devices show as non-compliant. You verify that BitLocker is enabled on the system drive. What is the most likely cause?

A. BitLocker recovery key is not backed up to Microsoft Entra ID
B. The device has multiple drives and BitLocker is not enabled on all
C. The device does not have a TPM chip
D. The compliance policy requires 'Encryption' but the device reports 'Encrypted'
Answer: D

The compliance policy might require a specific encryption method or report that doesn't match.

Why this answer

Option D is correct: the compliance policy evaluates encryption status through a specific setting, and the status the device reports does not match what the policy requires. Option C is about the TPM not being reported correctly.

Option A is about recovery key backup. Option B is about other drives.

223
Multi-Selecteasy

Which TWO of the following are device configuration settings you can manage with Microsoft Intune? (Choose two.)

Select 2 answers
A. Application settings for Microsoft 365 Apps
B. Device restrictions (e.g., camera, Bluetooth)
C. Wi-Fi profiles
D. Lock screen settings
E. Email profiles for Exchange Online
Answers: B, D

Device restrictions are part of device configuration.

Why this answer

Device restrictions, such as disabling the camera or Bluetooth, are a core configuration setting in Microsoft Intune. These are managed through device configuration profiles that enforce policies on devices, regardless of the user logged in. Option B is correct because Intune's device restrictions profile allows administrators to control hardware and system features at the device level.

Exam trap

The trap here is that candidates often confuse device restrictions with other configuration profile types like Wi-Fi or email profiles, but the question specifically asks for 'device configuration settings' that manage device-level features, not connectivity or account settings.

224
MCQeasy

A user reports that their Windows 11 device is not receiving compliance policies from Microsoft Intune. The device shows as 'Not evaluated' in the Microsoft Intune admin center. Which step should you take first to resolve the issue?

A. Disconnect the device from Microsoft Entra ID and rejoin.
B. On the device, go to Settings > Accounts > Access work or school, select the account, and click Sync.
C. Delete and recreate the compliance policy in Microsoft Intune.
D. Re-enroll the device in Microsoft Intune.
Answer: B

Forcing a sync triggers a policy evaluation.

Why this answer

Option B is correct because forcing a sync from the device can refresh the policy evaluation and resolve the 'Not evaluated' status. Option A is wrong because the device is already joined. Option C is wrong because the issue is with policy evaluation, not configuration.

Option D is wrong because the device is already enrolled.

225
MCQhard

A user reports that their Windows 10 device is not receiving policies from Microsoft Intune. The device shows as 'Not compliant' in the Intune console. You run the Get-MgDeviceManagementManagedDevice cmdlet and see that the device is enrolled and appears in the list. However, the LastSyncTime is 14 days ago. What is the most likely cause?

A. The MDM certificate has expired.
B. The device is not connected to the internet due to a proxy misconfiguration.
C. The device is not enrolled in Intune.
D. The Intune Management Extension service is not running on the device.
Answer: D

This service manages policy sync.

Why this answer

The Intune Management Extension (IME) service is responsible for synchronizing policies, including compliance and configuration policies, from Intune to Windows 10 devices. If the IME service is not running, the device will not receive new policies or sync status, leading to a stale LastSyncTime (14 days ago) and a 'Not compliant' state, even though the device is enrolled and appears in the Get-MgDeviceManagementManagedDevice output.

Exam trap

The trap here is that candidates often assume a stale LastSyncTime always indicates a network or connectivity issue (like a proxy), but the question specifically states the device is enrolled and appears in the list, pointing instead to a service-level failure like the Intune Management Extension not running.

How to eliminate wrong answers

Option A is wrong because an expired MDM certificate would typically cause enrollment failure or a complete loss of communication, not just a stale sync time; the device would likely show as 'Not enrolled' or 'Pending' rather than enrolled with a 14-day-old sync. Option B is wrong because a proxy misconfiguration would prevent any internet connectivity, causing the device to fail to reach Intune entirely, which would result in a much older LastSyncTime or a 'Not connected' status, not a specific 14-day gap. Option C is wrong because the Get-MgDeviceManagementManagedDevice cmdlet output explicitly shows the device is enrolled and in the list, contradicting the claim that it is not enrolled.
