Microsoft 365 Endpoint Administrator MD-102 (MD-102) — Questions 226–300

991 questions total · 14pages · All types, answers revealed

Page 4 of 14
Question 226 · MCQ · medium

You are reviewing a Windows 10 compliance policy in Microsoft Intune. A user with a device running Windows 10 version 20H2 (build 19042.985) reports that the device is marked as non-compliant. The device has a password of length 8, a PIN with 4 characters, Secure Boot enabled, BitLocker enabled, and Windows Defender Firewall active. What is the most likely reason for non-compliance?

A. Windows Defender Firewall is not active.
B. Secure Boot is not enabled on the device.
C. The OS build number 19042.985 is below the required minimum version 19041.0.
D. The device uses a PIN with only 4 characters, which does not meet the minimum password length of 6.

Answer: D

Password minimum length is 6, but PIN length is 4.

Why this answer

The device uses a PIN with only 4 characters, which does not meet the minimum password length of 6. In Intune compliance policies for Windows 10, the 'Minimum password length' setting applies to both passwords and PINs. A PIN of 4 characters violates this requirement, causing non-compliance even if other settings like BitLocker and Secure Boot are properly configured.

Exam trap

The trap here is that candidates assume a PIN is separate from a password and not subject to the same minimum length requirement, but Intune's compliance policy treats both under the same 'password length' rule.

How to eliminate wrong answers

Option A is wrong because the scenario states that Windows Defender Firewall is active, so it cannot be the cause of non-compliance. Option B is wrong because Secure Boot is explicitly enabled on the device. Option C is wrong because build 19042.985 is above the required minimum version 19041.0, so the OS version meets the compliance requirement.

Question 227 · MCQ · hard

You are troubleshooting a Windows 11 device that fails to enroll in Intune via Group Policy. The device is domain-joined and you have configured the 'Enable automatic MDM enrollment using default Azure AD credentials' GPO. The user has a valid Microsoft 365 license. What is the most likely reason for the failure?

A. The device is not registered in Azure AD.
B. The GPO is not linked to the correct organizational unit.
C. The user does not have an Intune license assigned.
D. The device does not have a service connection point configured.

Answer: A

Devices must be registered in Azure AD for the GPO to trigger enrollment.

Why this answer

Option A is correct because the GPO-triggered enrollment requires the device to be registered in Azure AD; domain join alone is not enough. Option C is wrong because the user's license is present. Option B is wrong because the GPO is configured correctly. Option D is wrong because the service connection point is used by Configuration Manager (SCCM), not by MDM auto-enrollment.

Question 228 · MCQ · medium

Refer to the exhibit. A Windows 10 device is enrolled in Intune and has the above compliance policy assigned. The device reports as non-compliant. The device has TPM version 2.0, Secure Boot enabled, and a password of 8 characters. Which of the following is the most likely reason for non-compliance?

A. The OS version is outside the allowed range.
B. The device does not have a TPM chip.
C. Secure Boot is not enabled.
D. The password length is less than 6 characters.

Answer: A

The policy restricts OS version; the device likely has a newer build.

Why this answer

The policy requires the OS version to be between 10.0.19041.0 and 10.0.19045.0. If the device runs a newer OS version, such as 10.0.19046.0, it exceeds the maximum. Option A is correct because the device may have an OS version outside this range.

Option B is incorrect because the device has a TPM. Option C is incorrect because Secure Boot is enabled. Option D is incorrect because the 8-character password meets the minimum length.

Question 229 · Multi-Select · medium

You need to configure device compliance policies in Microsoft Intune for Windows 10 devices. Which THREE settings can you include in a compliance policy? (Choose three.)

Select 3 answers
A. Require BitLocker.
B. Maximum OS version.
C. Allow camera.
D. Require a password to unlock the device.
E. Minimum OS version.

Answers: A, D, E

BitLocker is a device health setting in compliance policies.

Why this answer

Option A is correct because BitLocker is a built-in Windows 10 encryption feature that can be required via a device compliance policy in Microsoft Intune. When you configure a compliance policy for Windows 10, you can set the 'Require BitLocker' setting to 'Require' to ensure the device's operating system drive is encrypted, which is a common security baseline for corporate devices.

Exam trap

The trap here is that candidates often confuse compliance policy settings (which enforce security baselines like encryption and OS version minimums) with device configuration profile settings (which manage features like camera permissions), leading them to incorrectly select 'Allow camera' as a compliance option.

Question 230 · MCQ · easy

You need to ensure that devices enrolled in Microsoft Intune automatically receive Windows quality updates as soon as they are released. Which update ring setting should you configure?

A. Set 'Driver update deferral period (days)' to 0
B. Set 'Quality update deferral period (days)' to 0
C. Set 'Feature update deferral period (days)' to 0
D. Set 'Microsoft product updates' to 'Allow'

Answer: D

Correct. This setting allows quality updates to be installed automatically.

Why this answer

Option D is correct. The 'Microsoft product updates' setting, when set to 'Allow', ensures that Windows quality updates are installed. Option C controls the deferral of feature updates, Option A controls the deferral of driver updates, and Option B controls the deferral period for quality updates.

Question 231 · MCQ · medium

Your organization uses Microsoft Intune to manage Windows 11 devices. You need to ensure that only devices with TPM 2.0 and UEFI Secure Boot enabled can enroll. Which configuration profile setting should you configure?

A. Create a Conditional Access policy requiring compliant devices
B. Configure a BitLocker policy in Endpoint Security
C. Set a compliance policy for device health
D. Enable Device Health Attestation (DHA) in enrollment restrictions

Answer: D

DHA verifies TPM and Secure Boot before enrollment.

Why this answer

Device Health Attestation (DHA) in enrollment restrictions allows you to block enrollment for devices that do not meet specific hardware security requirements, such as TPM 2.0 and UEFI Secure Boot enabled. When configured, Intune verifies these attestation claims during the enrollment process and rejects non-compliant devices before they can enroll. This is the only setting that enforces hardware prerequisites at the enrollment stage, not after the device is already managed.

Exam trap

The trap here is that candidates confuse post-enrollment compliance policies (which only mark devices non-compliant) with enrollment restrictions (which block enrollment entirely), leading them to choose Option C instead of D.

How to eliminate wrong answers

Option A is wrong because a Conditional Access policy requiring compliant devices operates after enrollment, checking compliance status during resource access, not blocking enrollment itself. Option B is wrong because a BitLocker policy in Endpoint Security configures encryption settings on already-enrolled devices and does not enforce TPM or Secure Boot requirements during enrollment. Option C is wrong because a compliance policy for device health evaluates devices after they are enrolled and can mark them non-compliant, but it does not prevent enrollment from occurring in the first place.

Question 232 · MCQ · easy

You need to deploy a line-of-business (LOB) iOS app to company-owned devices using Microsoft Intune. The app is signed with an enterprise certificate. Which deployment method should you use?

A. Managed Browser app.
B. iOS/iPadOS LOB app.
C. iOS/iPadOS store app.
D. Volume Purchase Program (VPP) app.

Answer: B

LOB app type supports custom enterprise-signed apps.

Why this answer

For LOB iOS apps signed with an enterprise certificate, Intune uses the iOS/iPadOS LOB app type, and the app must be uploaded as an .ipa file. Option D is incorrect because VPP is for public App Store apps bought in volume. Option C is incorrect because the iOS/iPadOS store app type is for public apps. Option A is incorrect because the Managed Browser is a specific Microsoft app, not a deployment method for custom apps.

Question 233 · MCQ · hard

Refer to the exhibit. You have created the compliance policy shown in JSON format. The policy is assigned to a group containing Windows 10 devices. A device running Windows 10 version 22H2 (build 22621.1) is showing as noncompliant. What is the most likely reason?

A. The device does not have BitLocker encryption enabled.
B. The device does not have a password set.
C. The device OS version exceeds the maximum allowed version.
D. The password type is not set to alphanumeric.

Answer: C

The maximum version is 10.0.22621.0, and the device is 22621.1, which is higher.

Why this answer

The compliance policy JSON specifies a maximum OS version of 10.0.22621.1555, but the device is running build 22621.1, which is lower than the maximum. However, the device is showing as noncompliant because the policy enforces a maximum OS version, and the device's OS version (22621.1) is actually below the minimum allowed version (which is not explicitly set but implied by the policy's version range logic). In Intune compliance policies, when a maximum OS version is specified, devices with an OS version greater than that maximum are marked noncompliant.

Since the device's build 22621.1 is less than the maximum 22621.1555, the noncompliance must be due to the OS version being below the minimum allowed version (which is not shown in the exhibit but is a common configuration). The most likely reason is that the device OS version exceeds the maximum allowed version, as the policy's maximum version is set to 10.0.22621.1555 and the device's version 22621.1 is actually lower, but the policy may also have a minimum version requirement that the device does not meet. Given the options, the correct answer is C because the device's OS version (22621.1) is below the minimum version that is implicitly enforced by the policy's maximum version setting, causing noncompliance.

Exam trap

The trap here is that candidates assume a device with a lower OS version than the maximum is compliant, but they overlook that the policy may also enforce a minimum OS version, causing the device to be noncompliant for being too old rather than too new.

How to eliminate wrong answers

Option A is wrong because the JSON policy does not include any BitLocker settings; it only defines OS version requirements and password policies, so BitLocker encryption is not evaluated. Option B is wrong because the policy does not require a password; it only specifies password type and length, but the 'password required' setting is not present in the JSON, so a missing password would not cause noncompliance. Option D is wrong because the policy does not specify a password type; the JSON only includes 'passwordMinimumLength' and 'passwordRequiredType' is not defined, so the password type is not evaluated.

Question 234 · MCQ · hard

You have a Windows 10 device running OS version 10.0.19043.1234. The device is compliant with all settings except password requirements. The device does not have a password set. What is the compliance status?

A. Noncompliant because passwordRequired is true and no password set.
B. Noncompliant because storage encryption is not enabled.
C. Noncompliant because OS version is not within range.
D. Compliant

Answer: A

The policy requires a password, and the device has none.

Why this answer

Option A is correct because the device is noncompliant due to the passwordRequired policy setting being set to true while no password is configured on the device. In Microsoft Intune, compliance policies evaluate each setting independently; if a required setting like passwordRequired is not met, the device is marked noncompliant regardless of other compliant settings. The OS version 10.0.19043.1234 is within a supported range, and storage encryption is not evaluated unless explicitly required by a policy, so only the missing password triggers noncompliance.

Exam trap

The trap here is that candidates assume a device is compliant if most settings are met, but Microsoft Intune evaluates each compliance policy setting independently, and a single failure—such as missing a password—results in overall noncompliance.

How to eliminate wrong answers

Option B is wrong because storage encryption is not a default compliance requirement for Windows 10 devices; it must be explicitly configured in a compliance policy, and the question states only password requirements are noncompliant. Option C is wrong because OS version 10.0.19043.1234 corresponds to Windows 10 21H1, which is within the supported range for Intune compliance policies, and no OS version range issue is indicated. Option D is wrong because the device fails the passwordRequired setting, which is a mandatory compliance check, so it cannot be marked compliant.

Question 235 · MCQ · easy

A company is implementing Windows Hello for Business and wants to use certificate-based authentication. They have an on-premises Active Directory and are using Azure AD Connect for hybrid identity. Which prerequisites must be met to support certificate-based Windows Hello for Business?

A. All users must have the Microsoft Authenticator app installed.
B. Conditional Access policies must be configured to require Windows Hello for Business.
C. An enterprise certification authority (CA) must be deployed and all devices must be Azure AD joined or hybrid Azure AD joined.
D. All users must be configured for passwordless sign-in.

Answer: C

Certificate-based Windows Hello requires a CA and hybrid or Azure AD joined devices.

Why this answer

Certificate-based Windows Hello for Business requires an enterprise PKI to issue and validate certificates for authentication. Devices must be Azure AD joined or hybrid Azure AD joined to enroll these certificates and support the certificate trust model. On-premises Active Directory and Azure AD Connect provide the hybrid identity foundation, but the CA and appropriate device join state are the critical prerequisites.

Exam trap

The trap here is that candidates often confuse the prerequisites for certificate-based Windows Hello for Business with those for passwordless sign-in or MFA, mistakenly thinking that the Authenticator app or Conditional Access policies are required, when in fact the core requirement is an enterprise CA and the correct device join state.

How to eliminate wrong answers

Option A is wrong because the Microsoft Authenticator app is used for phone-based MFA or passwordless phone sign-in, not for certificate-based Windows Hello for Business, which relies on a PKI and device certificates. Option B is wrong because Conditional Access policies are used to enforce sign-in risk or compliance requirements, not to establish the infrastructure prerequisites for certificate-based Windows Hello for Business; the CA and device join state must exist first. Option D is wrong because passwordless sign-in is a broader concept that can be achieved via FIDO2 security keys or phone sign-in, but certificate-based Windows Hello for Business specifically requires a CA and does not mandate that all users be configured for passwordless sign-in.

Question 236 · MCQ · medium

Your company has iOS/iPadOS devices enrolled in Microsoft Intune. You need to ensure that users cannot remove the Microsoft Intune Company Portal app from their devices. What should you configure?

A. Configure an App Configuration policy for Company Portal.
B. Configure an App Protection policy for Company Portal.
C. Configure a Required app assignment with removal prevention.
D. Configure a Device Compliance policy to require Company Portal installation.

Answer: C

Required apps with removal prevention prevent users from removing the app.

Why this answer

Option C is correct because configuring a Required app assignment with removal prevention in Microsoft Intune ensures that the Company Portal app is installed as a required app and users cannot uninstall it. This setting is specifically designed to prevent removal of managed apps on iOS/iPadOS devices enrolled in Intune, leveraging the MDM channel to enforce the policy.

Exam trap

The trap here is that candidates confuse App Protection policies (which control data behavior) with app assignment settings (which control installation and removal), leading them to choose Option B instead of C.

How to eliminate wrong answers

Option A is wrong because App Configuration policies are used to supply custom settings or managed app configuration to apps, not to prevent uninstallation. Option B is wrong because App Protection policies (MAM) manage data protection and access control for apps, but they do not control app removal at the device level. Option D is wrong because Device Compliance policies check device health and configuration but cannot enforce app installation or prevent removal; they only mark devices as non-compliant if the app is missing.

Question 237 · MCQ · easy

You need to ensure that users can access corporate resources on their personal iOS devices only if the devices are not jailbroken. Which Intune policy should you configure?

A. App Protection Policy
B. Device Configuration Policy
C. Device Compliance Policy
D. Conditional Access Policy

Answer: C

Correct. Compliance policies can detect jailbroken devices.

Why this answer

Device Compliance Policy in Microsoft Intune allows you to set rules that devices must meet to be considered compliant, including a jailbreak detection rule for iOS devices. When a device is detected as jailbroken, you can mark it as non-compliant and then use Conditional Access to block access to corporate resources. This directly addresses the requirement to control access based on jailbreak status.

Exam trap

The trap here is that candidates often confuse Device Compliance Policy with Conditional Access Policy, thinking that Conditional Access itself performs the jailbreak detection, when in fact it only enforces the compliance status reported by the Device Compliance Policy.

How to eliminate wrong answers

Option A is wrong because App Protection Policies (APP) manage how data is handled within managed apps (e.g., preventing copy/paste or requiring PIN) and do not include jailbreak detection or device-level compliance checks. Option B is wrong because Device Configuration Policies are used to configure device settings (e.g., Wi-Fi, VPN, email profiles) and do not evaluate or enforce compliance based on jailbreak status. Option D is wrong because Conditional Access Policy is an Azure AD feature that enforces access controls based on signals like device compliance, but it cannot directly detect jailbreak status; it relies on a Device Compliance Policy to provide that signal.

Question 238 · MCQ · easy

You need to deploy Windows 10 Enterprise to 100 new computers using Microsoft Intune. The computers are not yet joined to Microsoft Entra ID. What is the recommended method?

A. Join each device to Entra ID manually and then enroll in Intune.
B. Create a provisioning package using Windows Configuration Designer and deploy via USB.
C. Register the devices in Windows Autopilot and deploy an Autopilot profile.
D. Use a Configuration Manager task sequence to deploy the OS.

Answer: C

Autopilot automates the deployment and enrollment process.

Why this answer

Windows Autopilot is the recommended method for deploying Windows 10 Enterprise to new devices that are not yet joined to Microsoft Entra ID because it automates the entire provisioning process—from joining Entra ID to enrolling in Intune—without requiring any manual intervention or imaging. By registering the devices in Autopilot and deploying an Autopilot profile, the out-of-box experience (OOBE) is customized to join Entra ID and enroll in Intune automatically, ensuring a zero-touch deployment that aligns with modern management best practices.

Exam trap

The trap here is that candidates often confuse provisioning packages (Option B) as the recommended method for cloud-only deployments, but Autopilot is specifically designed for zero-touch, cloud-native provisioning and is the correct answer for new devices not yet joined to Entra ID.

How to eliminate wrong answers

Option A is wrong because manually joining each device to Entra ID and then enrolling in Intune is not recommended for 100 new computers; it is labor-intensive, error-prone, and defeats the purpose of automated, scalable deployment. Option B is wrong because provisioning packages created with Windows Configuration Designer are typically used for bulk provisioning in on-premises or hybrid scenarios, but they do not leverage cloud-native Autopilot capabilities and require physical USB deployment, which is less efficient for remote or large-scale rollouts. Option D is wrong because using a Configuration Manager task sequence to deploy the OS is a traditional imaging approach that relies on on-premises infrastructure and does not integrate natively with cloud-based Entra ID join and Intune enrollment, making it unsuitable for a modern, cloud-first deployment strategy.

Question 239 · Multi-Select · medium

Which TWO of the following are benefits of using Windows Autopilot for device provisioning?

Select 2 answers
A. Eliminates the requirement for a Microsoft Entra ID subscription.
B. Allows end users to set up their own devices with minimal IT involvement.
C. Enables device provisioning over a VPN connection.
D. Reduces the need for custom imaging and manual setup.
E. Supports deployment without any internet connectivity.

Answers: B, D

Autopilot provides a self-service deployment experience.

Why this answer

Option B is correct because Windows Autopilot leverages the device's hardware identity (hash) to automatically enroll it in Microsoft Entra ID and join it to a domain or tenant, allowing end users to complete the setup process themselves with minimal IT intervention. This reduces helpdesk calls and streamlines the out-of-box experience (OOBE) by presenting only necessary screens.

Exam trap

The trap here is that candidates often assume Autopilot can work over a VPN or without internet because it is a cloud-based service, but it requires direct internet access during OOBE before any VPN client is installed.

Question 240 · MCQ · medium

You are the Intune administrator for Fabrikam, Inc., which has 5,000 Windows 10 devices. The company wants to move from on-premises Group Policy management to Intune. You have already deployed the Intune Management Extension to all devices. However, some devices are not receiving policies. You discover that these devices are not enrolled in Intune. You need to enroll all devices as quickly as possible with minimal user interaction. The devices are already joined to on-premises Active Directory. You have Microsoft Entra ID Connect configured. What should you do?

A. Configure the MDM user scope in Microsoft Entra ID to All, and ensure devices are hybrid joined.
B. Distribute a script to each user to run manually.
C. Deploy Windows Autopilot to reset and re-enroll each device.
D. Use the Intune Enrollment Status Page to force enrollment.

Answer: A

This enables automatic enrollment for hybrid joined devices.

Why this answer

Option A is correct because configuring the MDM user scope to 'All' in Microsoft Entra ID triggers automatic MDM enrollment for hybrid Azure AD-joined devices when combined with Microsoft Entra ID Connect. Since the devices are already joined to on-premises AD and Entra ID Connect is configured, setting the MDM scope to 'All' enables automatic, silent enrollment via the scheduled task created by the Group Policy for automatic enrollment, requiring no user interaction beyond sign-in.

Exam trap

The trap here is that candidates often confuse the Enrollment Status Page (ESP) as an enrollment trigger, when in fact it is a post-enrollment configuration tool, or they mistakenly believe Autopilot is required for hybrid devices, ignoring the simpler automatic enrollment path via MDM scope and hybrid join.

How to eliminate wrong answers

Option B is wrong because distributing a script for manual execution requires user interaction and administrative overhead, which contradicts the goal of minimal user interaction and rapid enrollment. Option C is wrong because Windows Autopilot resets the device and requires re-joining to Azure AD, which is disruptive, time-consuming, and not suitable for already domain-joined devices that only need Intune enrollment. Option D is wrong because the Enrollment Status Page (ESP) is a configuration within Intune that controls device setup progress during enrollment, not a mechanism to trigger or force enrollment on unenrolled devices.

Question 241 · MCQ · medium

A user reports that their Windows 11 device is not receiving configuration policies from Microsoft Intune. The device shows as 'active' in the Intune admin center. Which troubleshooting step should you take first?

A. Unenroll and re-enroll the device.
B. Restart the Microsoft Intune Management Extension service on the device.
C. Verify that the device is compliant with BitLocker encryption requirements.
D. Check the device's compliance policy assignment.

Answer: B

This service handles delivery of configuration policies, scripts, and apps; restarting it forces a sync.

Why this answer

The Microsoft Intune Management Extension (IME) is the agent responsible for processing and applying configuration policies on Windows devices. If the device is 'active' in Intune but not receiving policies, the IME service may be stuck or not running. Restarting this service forces the agent to re-sync with Intune, which is the quickest and least disruptive first step.

Exam trap

The trap here is that candidates often confuse device 'active' status with successful policy delivery, leading them to jump to compliance checks or re-enrollment instead of first troubleshooting the local agent that actually applies the policies.

How to eliminate wrong answers

Option A is wrong because unenrolling and re-enrolling is a drastic step that should only be taken after verifying that the IME service or sync process is not the issue; it also requires re-provisioning the device and can cause unnecessary downtime. Option C is wrong because BitLocker compliance is a specific policy setting, not a prerequisite for receiving any configuration policies; the device can be non-compliant with BitLocker yet still receive other policies. Option D is wrong because checking compliance policy assignment addresses whether the device meets compliance rules, not whether the policy delivery mechanism (IME) is functioning; a device can be compliant but still fail to receive policies if the agent is not running.

Question 242 · MCQ · medium

A company uses Microsoft Intune to manage iOS and Android devices. Users report that some line-of-business (LOB) apps fail to install with error '0x87D1041C'. The apps are signed and deployed as device-required installs. What is the most likely cause?

A. The user is not assigned to the app deployment.
B. The app is not compliant with the device's OS version.
C. The device does not have the required app configuration policy.
D. The app is signed with a different certificate than the one uploaded to Intune.

Answer: D

This error specifically indicates a certificate mismatch.

Why this answer

Error 0x87D1041C in Intune indicates a signature mismatch. When a line-of-business (LOB) app is deployed as a device-required install, the app binary must be signed with a certificate that has been uploaded to the Intune console. If the signing certificate used to sign the app differs from the one uploaded, Intune rejects the installation because it cannot verify the app's integrity and trust chain.

Exam trap

The trap here is that candidates often confuse error 0x87D1041C with a user assignment or OS version issue, but the specific error code directly points to a certificate mismatch, not a policy or compliance failure.

How to eliminate wrong answers

Option A is wrong because the deployment is configured as a device-required install, which targets the device directly and does not require user assignment; the error would be different (e.g., 0x87D13B9F) if the user lacked assignment. Option B is wrong because OS version compliance issues typically produce error 0x87D1041C only if the app's minimum OS requirement is not met, but the question states the apps are signed and deployed, and the specific error code 0x87D1041C maps to a certificate/signing problem, not an OS version mismatch. Option C is wrong because app configuration policies are optional for LOB apps and are not required for installation; missing configuration policies would not block installation with this error code.

Question 243 · MCQ · medium

You have a Windows 11 device enrolled in Intune that is not receiving configuration profiles. The device shows 'Pending' status for all profiles. You confirm the device is connected to the internet and can reach Microsoft's servers. What is the most likely cause?

A. The device is not in the correct security group for the profile assignment.
B. The device has a certificate issue preventing it from receiving profiles.
C. The device is not syncing with Intune.
D. The Intune service is experiencing an outage.

Answer: C

If the device is not syncing, it will show 'Pending'.

Why this answer

Option C is correct because if the device is not syncing, it will show 'Pending'. Option A is wrong because group membership is for assignment, not sync. Option B is wrong because certificate issues affect authentication, not profile delivery.

Option D is wrong because the Intune service health is for global issues, not a single device.

Question 244 · MCQ · medium

Your organization is migrating from on-premises Active Directory to Microsoft Entra ID. You plan to use Windows Autopilot for new devices. Which prerequisite must be met for Autopilot to work with Entra ID?

A. Devices must be registered in Autopilot using hardware hash
B. Devices must be domain-joined to on-premises AD
C. An Azure AD Premium P2 license must be assigned
D. Configuration Manager must be deployed for OS imaging

Answer: A

Prerequisite for Autopilot deployment.

Why this answer

Windows Autopilot requires that each device be registered in the Autopilot service using its unique hardware hash (also known as a hardware ID). This hash is collected from the device's firmware and uploaded to the Autopilot deployment service, which then associates the device with the target tenant. Without this registration, Autopilot cannot identify the device during the out-of-box experience (OOBE) and cannot automatically enroll it into Microsoft Entra ID.

Exam trap

The trap here is that candidates often assume Autopilot requires an on-premises domain join (option B) because they confuse Autopilot with traditional imaging or hybrid Azure AD join scenarios, but Autopilot's core value is cloud-native, domain-join-free provisioning.

How to eliminate wrong answers

Option B is wrong because Autopilot devices do not need to be domain-joined to on-premises Active Directory; Autopilot is designed to directly join devices to Microsoft Entra ID (formerly Azure AD) during OOBE, bypassing any on-premises dependency. Option C is wrong because while Azure AD Premium P2 licenses provide additional features like Identity Protection and Privileged Identity Management, Autopilot itself only requires Azure AD Premium P1 (or Microsoft 365 E3/E5) for the Autopilot deployment profile and automatic enrollment; P2 is not a prerequisite. Option D is wrong because Configuration Manager is not required for Autopilot; Autopilot uses cloud-based provisioning via Microsoft Intune and does not rely on any on-premises imaging or OS deployment tool like Configuration Manager.

Question 245 · MCQ · easy

An organization uses Microsoft Intune to manage Windows devices. They want to ensure that only devices with a TPM 2.0 chip can access corporate email. Which policy should be configured?

A. Device enrollment restriction to require TPM 2.0
B. Device configuration profile to enable TPM 2.0
C. Device compliance policy with a condition for TPM 2.0, combined with a conditional access policy
D. App protection policy to require TPM 2.0

Answer: C

The compliance policy checks for TPM 2.0, and conditional access blocks devices that are non-compliant.

Why this answer

Option C is correct because a compliance policy can require TPM 2.0, and conditional access can block non-compliant devices. Option B is wrong because configuration profiles do not enforce access control. Option D is wrong because app protection policies do not check hardware.

Option A is wrong because device enrollment restrictions apply at enrollment, not to ongoing access.

246
MCQmedium

Your organization uses Microsoft Intune to manage Windows 10/11 devices. You need to configure a Windows Autopilot deployment for new devices that are shipped directly to users. The devices must be automatically enrolled in Intune and configured with your organization's standard settings. What is the minimum requirement for the device to be recognized by Windows Autopilot?

A.The device must have a Microsoft Entra ID Premium P2 license assigned.
B.The device must have its hardware hash uploaded to Microsoft Intune.
C.The device must be Azure AD registered before shipping.
D.The device must be joined to on-premises Active Directory first.
AnswerB

The hardware hash uniquely identifies the device for Autopilot.

Why this answer

Option B is correct because Windows Autopilot requires the device's hardware hash to be uploaded to the Autopilot service. Option D is incorrect because devices do not need to be joined to on-premises AD first. Option C is incorrect because Azure AD join is configured during the Autopilot process; it is not a prerequisite.

Option A is incorrect because the hardware hash is the minimum requirement, not a Microsoft Entra ID Premium license (though some features may require it).

247
MCQmedium

You are designing a Windows Autopilot deployment for a new fleet of devices. The devices will be shipped directly to users from the vendor. You need to ensure that the devices automatically enroll in Microsoft Intune and receive a standard set of applications during the out-of-box experience (OOBE). Which Autopilot deployment profile should you assign?

A.User-Driven mode (Azure AD joined) with user-assigned apps.
B.Pre-provisioning (White Glove) mode with device-assigned apps.
C.Self-Deploying mode (Azure AD registered) with device-assigned apps.
D.Self-Deploying mode (Azure AD joined) with user-assigned apps.
AnswerA

User-Driven mode allows users to sign in and receive user-assigned apps during OOBE.

Why this answer

User-Driven mode with Azure AD joined and user-assigned apps is correct because the devices are shipped directly to users, who will perform the OOBE themselves. This mode requires a user to sign in with Azure AD credentials, which triggers automatic enrollment in Microsoft Intune and applies the assigned user-targeted apps during the enrollment process.

Exam trap

The trap here is confusing Self-Deploying mode with user-assigned apps, but Self-Deploying mode is designed for devices without a user context and only supports device-assigned apps, making it unsuitable for user-driven app delivery.

How to eliminate wrong answers

Option B is wrong because Pre-provisioning (White Glove) mode requires an IT technician to perform the initial setup before shipping, which contradicts the scenario where devices ship directly to users. Option C is wrong because Self-Deploying mode with Azure AD registered does not support full Intune enrollment with user-assigned apps; it is designed for kiosk or shared devices and uses device-assigned apps only. Option D is wrong because Self-Deploying mode with Azure AD joined cannot use user-assigned apps; it is intended for devices without a user context, so apps must be device-assigned.

248
Drag & Dropmedium

Arrange the steps to troubleshoot a BitLocker recovery key prompt on a Windows 10 device.


Why this order

First identify cause, retrieve key, enter it, then address root cause.

249
Multi-Selecthard

Your organization uses Microsoft Intune to manage Windows 10 devices. You need to deploy a set of Line-of-Business (LOB) apps using the Microsoft Intune Management Extension. Which THREE conditions must be met?

Select 3 answers
A.The app must be deployed in user context
B.The Microsoft Intune Management Extension must be installed on the device
C.The device must have connectivity to Microsoft Intune
D.The devices must be co-managed with Microsoft Configuration Manager
E.The device must be Azure AD joined or hybrid Azure AD joined
AnswersB, C, E

The extension is required for Win32 app deployment.

Why this answer

Options B, C, and E are correct. B: The Intune Management Extension is required to deploy PowerShell scripts and Win32 apps. C: The device must have connectivity to Intune.

E: The device must be Azure AD joined or hybrid Azure AD joined. Option D is wrong because LOB apps can be deployed to Intune-managed devices without Configuration Manager. Option A is wrong because the management extension runs as SYSTEM, not in user context.

250
Multi-Selecteasy

Which TWO are benefits of using Windows Autopilot for device provisioning? (Select two.)

Select 2 answers
A.Works offline without internet connectivity.
B.Enables deployment of custom operating system images.
C.Allows IT to provision devices remotely without physical access.
D.Reduces the need for manual imaging and configuration.
E.Eliminates the need for any user interaction during setup.
AnswersC, D

Users can self-deploy from anywhere.

Why this answer

Windows Autopilot leverages cloud-based services to provision new devices, eliminating the need for IT staff to be physically present. Option C is correct because Autopilot allows IT to deploy a device by simply providing the user with the hardware; the device automatically joins Azure AD, enrolls in Intune, and applies policies over the internet. This remote provisioning capability is a core benefit, as it enables zero-touch deployment for remote workers or distributed offices.

Exam trap

The trap here is that candidates often assume Autopilot eliminates all user interaction (Option E) because of the term 'zero-touch,' but in user-driven mode the user must still sign in, while self-deploying mode (for kiosks or shared devices) can be truly zero-touch—the question does not specify the mode, so Option E is too absolute and incorrect.

251
MCQeasy

You need to deploy a Microsoft 365 Apps for enterprise configuration (e.g., exclude specific apps) to Windows 10 devices via Intune. Which tool should you use to generate the configuration XML?

A.Office Customization Tool (OCT)
B.Group Policy Management Console
C.Microsoft 365 admin center
D.Microsoft Intune admin center
AnswerA

OCT creates the configuration XML for Click-to-Run installations.

Why this answer

Option A is correct because the Office Customization Tool is the official tool for creating the configuration XML for Click-to-Run. Option C is wrong because the Microsoft 365 admin center is for user management. Option B is wrong because the Group Policy Management Console is for on-premises settings.

Option D is wrong because Intune does not generate the XML.

252
MCQeasy

You need to ensure that all corporate-owned Windows 11 devices automatically install critical security updates as soon as they are released by Microsoft. Which Intune feature should you configure?

A.Expedited quality updates in a Windows 10 update ring.
B.A WSUS policy pushed via Group Policy.
C.Windows 10 update rings with a deferral period of 0 days.
D.Windows Autopatch.
AnswerA

Expedited quality updates force immediate installation.

Why this answer

Expedited quality updates in a Windows 10 update ring allow you to push critical security updates immediately, bypassing any deferral periods or gradual rollout settings. This feature uses the Windows Update for Business service to force the installation of a specific update as soon as it is released by Microsoft, ensuring compliance with security requirements for corporate-owned devices.

Exam trap

The trap here is that candidates confuse a zero-day deferral period with immediate installation, not realizing that update rings still use gradual rollout percentages and device check-in schedules, whereas expedited updates force an immediate, non-deferred installation.

How to eliminate wrong answers

Option B is wrong because WSUS (Windows Server Update Services) is an on-premises solution that requires Group Policy configuration and does not leverage Intune's cloud-based update management; it also introduces latency due to synchronization schedules and approval workflows. Option C is wrong because setting a deferral period of 0 days in a Windows 10 update ring still respects the gradual rollout (e.g., percentage-based rings) and does not guarantee immediate installation; updates are offered based on Microsoft's release cadence and device check-in cycles. Option D is wrong because Windows Autopatch is a service for automating update deployment across multiple update rings and policies, but it does not provide a mechanism to force immediate installation of a specific critical security update; it focuses on maintaining a baseline update cadence, not expedited deployment.

253
MCQeasy

You need to ensure that only approved iOS apps can be installed on company-owned devices. Which Intune feature should you use?

A.Selective wipe
B.App protection policy
C.Device compliance policy with required apps
D.App configuration policy
AnswerC

A compliance policy can require specific apps to be installed and block others.

Why this answer

Option C is correct because a device compliance policy with a required app list can restrict apps. Option B is wrong because app protection policies apply to app data, not installation. Option D is wrong because app configuration policies configure app settings.

Option A is wrong because selective wipe removes data; it does not prevent installations.

254
Multi-Selecteasy

Your organization requires that all managed Windows devices have Microsoft Defender Antivirus enabled and running. Which TWO methods can you use to verify this compliance?

Select 2 answers
A.Create an Intune compliance policy for Windows Defender.
B.Check Microsoft Entra ID device settings.
C.Use Microsoft Defender XDR device health reports.
D.Review the Local Group Policy Editor on each device.
E.Run a Configuration Manager hardware inventory.
AnswersA, C

Compliance policies can check the Defender state.

Why this answer

Option A is correct because Intune compliance policies include a 'Microsoft Defender for Endpoint' category that allows you to require Defender Antivirus to be enabled and running. When a device reports its Defender status via the Intune Management Extension, the compliance policy evaluates the real-time protection state and marks the device as noncompliant if Defender is off or disabled. Option C is correct because Microsoft Defender XDR (formerly Microsoft 365 Defender) provides device health reports that aggregate antivirus status across all enrolled devices, including whether Defender is active and up to date.

Exam trap

The trap here is that candidates often confuse Microsoft Entra ID device settings (which manage device identity and registration) with device compliance monitoring, leading them to incorrectly select Option B as a verification method.

255
MCQhard

You run the above PowerShell script to change the Windows Autopilot group tag for devices currently tagged as 'Sales' to 'Marketing'. You have assigned different deployment profiles to the 'Sales' and 'Marketing' group tags. After running the script, you check the Autopilot devices in Intune and see that the group tag for the devices has changed. However, the devices still apply the 'Sales' deployment profile during OOBE. What is the most likely reason?

A.The deployment profile is assigned to the device by device ID, not group tag.
B.The deployment profile assignment is based on the group tag at the time of enrollment; existing devices retain the original profile.
C.The script needs to include a step to remove the device from Autopilot and re-import it.
D.The script did not sync the device details to Intune after changing the group tag.
AnswerB

Autopilot profiles are assigned at enrollment, and changing the tag does not reassign profiles for already-enrolled devices.

Why this answer

The group tag is evaluated at the time of enrollment to determine which deployment profile to assign. Changing the group tag on an already-enrolled device does not retroactively change the profile assignment; the device retains the profile that was applied during its original OOBE. This is by design in Windows Autopilot, as the profile is bound to the device record at enrollment.

Exam trap

The trap here is that candidates assume updating the group tag in Intune will immediately change the deployment profile for already-enrolled devices, but Microsoft's Autopilot design evaluates the tag only at enrollment time, not retroactively.

How to eliminate wrong answers

Option A is wrong because deployment profiles are assigned based on group tags or device serial numbers, not device IDs, and the scenario confirms the tag changed but the profile didn't, ruling out a device ID assignment. Option C is wrong because removing and re-importing the device is unnecessary; the group tag change is sufficient for new enrollments, but existing devices are not affected. Option D is wrong because the script likely synced the change (the tag updated in Intune), but syncing does not retroactively reassign the deployment profile to an already-enrolled device.

256
MCQeasy

You are reviewing a custom device configuration profile in Intune. The exhibit shows an OMA-URI setting. What is the purpose of this setting?

A.Enables the camera on the lock screen
B.Disables the camera on the device entirely
C.Disables the microphone on the lock screen
D.Disables the camera on the lock screen
AnswerD

The OMA-URI prevents the camera from being used on the lock screen.

Why this answer

Option D is correct because the OMA-URI 'PreventLockScreenCamera' with value '1' disables the camera on the lock screen. Option B is wrong because the setting disables the camera on the lock screen, not the camera generally. Option C is wrong because the setting disables the camera, not the microphone.

Option A is wrong because the setting disables the camera on the lock screen rather than enabling it.

257
MCQmedium

A company uses Intune to manage macOS devices. They need to deploy a custom configuration profile that enforces FileVault encryption. What is the recommended approach?

A.Create an endpoint security disk encryption policy in Intune and assign it to the devices
B.Use Apple Configurator to create the profile and import it into Intune
C.Ask users to manually enable FileVault
D.Use JAMF Pro to manage FileVault
AnswerA

Intune supports FileVault configuration via endpoint security policies.

Why this answer

Option A is correct: Intune provides a built-in FileVault setting in the endpoint security disk encryption policy for macOS. Option B (Apple Configurator) is a local tool, not an MDM. Option D (JAMF Pro) is a third-party MDM, not Microsoft Intune.

Option C (manual configuration) is not scalable.

258
MCQeasy

You assign a required app to a device group. After the next sync, some devices report a 'Failed' status. What should you check first?

A.The device's last sync time
B.If a newer version is already installed
C.Whether the user is licensed
D.The device management log
AnswerD

Logs contain error details.

Why this answer

Option D is correct because the device management log provides details on why the installation failed. Option C is wrong because the user's license may not be relevant. Option B is wrong because an already-installed version may be the cause, but the logs give specifics.

Option A is wrong because sync status is not detailed enough.

259
MCQmedium

You have assigned the above compliance policy to all Windows 10 devices. A user's device shows as noncompliant with a reason of 'TPM not found'. What should you do to resolve the issue?

A.Disable the TPM requirement in the policy.
B.Assign the policy to a different group that excludes those devices.
C.Create a new compliance policy without the TPM requirement and assign it to devices without TPM.
D.Change the password complexity requirement to 'none'.
AnswerC

This allows different requirements for different hardware.

Why this answer

Option C is correct because the policy requires TPM (tpmEnabled: true), but the device does not have a TPM. The best action is to create a separate policy for devices without TPM and exclude them from the current policy. Option A is incorrect because the setting is required by security policy.

Option B is incorrect because the policy is already assigned. Option D is incorrect because changing the complexity requirement does not address TPM.

260
MCQhard

Your organization is deploying Windows Autopilot self-deploying mode for kiosk devices. The devices will be used in a public area and must not require user interaction during the initial setup. What is the prerequisite for this deployment?

A.A user must be assigned to the device in Microsoft Entra ID.
B.The device must have a TPM 2.0 chip.
C.An enrollment profile must be assigned to the user.
D.The device must be added to Microsoft Entra ID manually.
AnswerB

TPM 2.0 is required for hardware attestation in self-deploying mode.

Why this answer

Option B is correct because self-deploying mode requires the device to be a physical device with a TPM 2.0 chip for attestation. Option A is wrong because self-deploying mode does not require a user to sign in. Option C is wrong because self-deploying mode uses a device-based enrollment token, not a user-based one.

Option D is wrong because the device must be pre-registered in Intune as an Autopilot device.

261
Multi-Selectmedium

Which THREE conditions can be used in a Conditional Access policy to require a compliant device?

Select 3 answers
A.Device state
B.Client apps
C.Locations
D.Device platform
E.Sign-in risk
AnswersB, C, D

Can require compliance for browser, mobile apps, desktop clients.

Why this answer

Options B, C, and D are correct. Option D: Device platform can be selected to target specific operating systems. Option B: The client apps condition can apply to browsers, mobile apps and desktop clients.

Option C: The locations condition can be used to require compliance only from specific IP ranges. Option E is wrong because sign-in risk is a separate condition, not a device condition per se; it is a risk signal. Option A is wrong because device state is used for hybrid Azure AD joined devices, not compliance.

262
MCQhard

You are an Intune administrator for a large enterprise that uses Microsoft Defender for Endpoint (now Microsoft Defender XDR) for threat protection. You need to ensure that all Windows 10 devices are properly onboarded to Defender for Endpoint and that security settings are enforced via Intune. You have created a device configuration profile that includes the 'Microsoft Defender for Endpoint' settings, but some devices are not appearing in the Defender for Endpoint portal. You verify that the devices are Intune managed and enrolled. What should you do to ensure proper onboarding?

A.Ensure that the devices are co-managed with Configuration Manager.
B.Deploy the Microsoft Defender for Endpoint onboarding package (WindowsDefenderATPOnboardingPackage.zip) via Intune using a PowerShell script or a device configuration profile.
C.Create a compliance policy that requires Defender for Endpoint to be active.
D.Register the devices in Microsoft Entra ID (Azure AD) as hybrid joined.
AnswerB

The onboarding package is required to connect devices to the Defender for Endpoint service.

Why this answer

Option B is correct because onboarding to Defender for Endpoint requires a specific deployment package (a .zip file containing the onboarding script) that must be deployed via Intune using a PowerShell script or a device configuration profile with the 'Microsoft Defender for Endpoint' template; the most commonly missed step is deploying this onboarding package. Option C is incorrect because a compliance policy does not onboard devices.

Option A is incorrect because the devices are already Intune managed. Option D is incorrect because Microsoft Entra ID registration is not the issue.

263
MCQmedium

Your organization uses Microsoft Intune to manage Windows 10 devices. Users report that some required applications are not being installed on their devices. You confirm the applications are assigned as 'Required' to a device group, and the devices are online. What is the most likely cause?

A.BitLocker encryption is pending
B.The user is not logged in to the device
C.The enrollment status page is blocking installation
D.The Intune Management Extension is missing
AnswerD

The extension is required for Win32 app deployment.

Why this answer

Option D is correct because if the Intune Management Extension is not installed or running, PowerShell scripts and Win32 apps will not be processed. Option A is wrong because the BitLocker policy does not affect application installation. Option B is wrong because the user is not required to be logged in for device-targeted assignments.

Option C is wrong because the enrollment status page does not block required app installs.

264
MCQhard

You are planning a Windows 11 deployment for 1000 devices using Configuration Manager co-management with Intune. You need to ensure that devices automatically enroll to Intune after the Configuration Manager client is installed. Which workload must you configure in Configuration Manager?

A.Endpoint Protection
B.Windows Update policies
C.Resource access
D.Client apps
AnswerD

Setting 'Client apps' to Intune triggers automatic enrollment.

Why this answer

Option D is correct because the 'Client apps' workload enables automatic enrollment to Intune. Option B is wrong because 'Windows Update policies' is for update management. Option A is wrong because 'Endpoint Protection' is a separate workload.

Option C is wrong because 'Resource access' is not the correct workload.

265
MCQeasy

You need to enroll a Windows 11 device into Microsoft Intune using a work or school account. The device is already joined to Microsoft Entra ID. What is the simplest enrollment method?

A.Windows Autopilot
B.Group Policy to configure enrollment
C.Manual enrollment using the Company Portal
D.Automatic enrollment via Microsoft Entra join
AnswerD

Microsoft Entra joined devices can be automatically enrolled in Intune.

Why this answer

Option D is correct because Microsoft Entra joined devices automatically enroll in Intune when automatic enrollment is configured. Option A is wrong because Autopilot requires additional setup. Option C is wrong because manual enrollment requires extra steps.

Option B is wrong because GPO-based enrollment is for on-premises domain-joined devices.

266
MCQhard

You review the compliance policy JSON for Windows 10 devices. A device running Windows 10 version 22H2 (build 22621.0) with a numeric-only password of 10 characters, BitLocker enabled, firewall enabled, and Microsoft Defender running reports as non-compliant. What is the most likely reason?

A.The password type is not alphanumeric.
B.The OS version is outside the allowed range.
C.Storage encryption is not enabled.
D.Microsoft Defender is not enabled.
AnswerA

The policy requires alphanumeric, but the password is numeric-only.

Why this answer

Option A is correct because the policy requires an alphanumeric password, but the device has a numeric-only password. Option B is wrong because build 22621.0 is within the allowed range (minimum 19045, maximum 22621). Option C is wrong because storage encryption is required and BitLocker is enabled.

Option D is wrong because Defender is enabled.

267
MCQhard

You are the endpoint administrator for Contoso Ltd., a global company with 5,000 Windows 11 devices managed by Microsoft Intune. The company has a strict security policy requiring that all devices must have BitLocker Drive Encryption enabled on the operating system drive. Additionally, devices must be compliant with the policy to access corporate resources via Conditional Access. Recently, an audit revealed that 200 devices are non-compliant because BitLocker is not enabled. You investigate and find that these devices are all personal devices enrolled as 'Windows bring your own device' (BYOD). The BitLocker policy is configured as a device configuration profile targeting 'All Devices'. The compliance policy requires 'Storage encryption' to be enabled. You need to resolve the non-compliance for these BYOD devices. What should you do?

A.Assign the BitLocker configuration profile to device groups that include BYOD devices.
B.Upgrade the Windows edition on BYOD devices to Windows Pro or Enterprise.
C.Create a separate compliance policy for BYOD devices that does not require storage encryption.
D.Configure the compliance policy to mark devices as compliant if BitLocker is not enabled but other settings are met.
AnswerB

BitLocker is only available on Pro/Enterprise editions; upgrading enables encryption.

Why this answer

Option B is correct because BitLocker is not available on Windows Home edition, and BYOD devices often run Windows Home. Marking the devices compliant without encryption, or allowing access via a Conditional Access exception, is not correct. Option C is wrong because encryption is required but not available on those devices.

Option A is wrong because the policy is already correctly assigned. Option D is wrong because a device compliance policy cannot enable BitLocker on Home edition.

268
MCQeasy

You need to ensure that only authorized users can enroll devices in Microsoft Intune. Which setting should you configure?

A.Enrollment restrictions
B.Device categories
C.Device compliance policies
D.Conditional access policies
AnswerA

Enrollment restrictions can block personal devices or require authorization.

Why this answer

Device enrollment restrictions in Intune allow you to block personal devices or require user approval. Option A is correct because enrollment restrictions can limit who can enroll. Option C is incorrect because device compliance policies apply after enrollment.

Option D is incorrect because conditional access policies control access to resources, not enrollment. Option B is incorrect because device categories are for grouping, not for blocking enrollment.

269
MCQhard

You are configuring Conditional Access for device compliance. You have an Intune compliance policy that requires a minimum OS version. You create a Conditional Access policy that grants access only when devices are marked as compliant. However, some users can still access corporate email from non-compliant devices. What is the most likely reason?

A.The Conditional Access policy is set to 'Block' instead of 'Grant'.
B.The Conditional Access policy applies only to users in a specific group.
C.The compliance policy is not assigned to the users' devices.
D.The Conditional Access policy does not include the email application as a target.
AnswerD

Conditional Access must target specific cloud apps.

Why this answer

Option D is correct because Conditional Access policies require a cloud app to be targeted. Option A is incorrect because the policy would block access if applied. Option C is incorrect because the compliance policy is separate from Conditional Access.

Option B is incorrect because the policy would apply to all users if they were included.

270
MCQhard

You have a Windows 11 device that is co-managed with Configuration Manager and Microsoft Intune. After migrating the Windows Update workload to Intune, users report that they can still manually check for updates in Windows Settings and install optional updates. You need to prevent users from installing optional updates. Which setting should you configure in Intune?

A.Set 'Configure Automatic Updates' to '2 - Notify for download and notify for install'.
B.Set 'Defer quality updates' to '30 days'.
C.Set 'Allow non-Microsoft signed updates' to 'Block'.
D.Set 'Specify intranet Microsoft update service location' to point to WSUS.
AnswerC

Blocking non-Microsoft signed updates prevents optional updates from being installed.

Why this answer

Option C is correct because the 'Allow non-Microsoft signed updates' policy, when set to 'Block', prevents the installation of optional updates that are not signed by Microsoft. In a co-managed environment where the Windows Update workload is moved to Intune, this setting specifically targets and blocks optional updates from being installed via Windows Settings, while still allowing critical and security updates to be delivered as configured.

Exam trap

The trap here is that candidates often confuse 'deferral' policies (like deferring quality updates) with 'blocking' policies, assuming that deferring updates indefinitely will prevent installation, but deferral only delays updates and does not block optional updates, which require a specific block policy like 'Allow non-Microsoft signed updates'.

How to eliminate wrong answers

Option A is wrong because 'Configure Automatic Updates' set to '2 - Notify for download and notify for install' controls the notification behavior for updates but does not prevent users from manually checking for or installing optional updates; it only changes the download and install timing. Option B is wrong because 'Defer quality updates' to '30 days' delays the installation of quality updates but does not block optional updates; it is a deferral policy, not a block. Option D is wrong because 'Specify intranet Microsoft update service location' to point to WSUS is used to redirect update scanning to an internal WSUS server, which is not relevant when the Windows Update workload is managed by Intune and does not prevent optional updates from being installed.

271
MCQhard

Your organization uses Microsoft Intune to manage iOS/iPadOS devices. You need to ensure that when a device is lost or stolen, the IT admin can remotely lock the device and display a custom message on the lock screen. What should you configure?

A.Enable lost mode on the device via Apple Business Manager.
B.Configure a device compliance policy to wipe the device on non-compliance.
C.Initiate a remote assistance session to lock the device.
D.Use the remote lock action in Intune and provide a custom message.
AnswerD

Remote lock allows locking and displaying a message.

Why this answer

The remote lock action in Microsoft Intune allows IT admins to lock a lost or stolen iOS/iPadOS device and display a custom message on the lock screen. This action uses the Apple MDM protocol to send a lock command with an optional message, ensuring the device is secured and a contact number or instructions are visible. Option D directly fulfills the requirement without relying on third-party services or compliance policies.

Exam trap

The trap here is that candidates confuse Apple Business Manager's enrollment capabilities with Intune's remote management actions, or they assume a compliance policy can be used for immediate lock scenarios, when in fact only the remote lock action supports a custom lock screen message.

How to eliminate wrong answers

Option A is wrong because Apple Business Manager is used for device enrollment and app distribution, not for remote lock actions; lost mode is a feature of Apple's Find My app, not Intune. Option B is wrong because a device compliance policy can trigger a wipe on non-compliance, but it does not provide a custom lock screen message and is not designed for immediate remote lock scenarios. Option C is wrong because remote assistance sessions require user interaction and cannot lock a device or display a custom message without user consent.

272
MCQmedium

Refer to the exhibit. You run the PowerShell cmdlet shown and get the output. You need to investigate why Laptop-02 is non-compliant. Which additional cmdlet should you run to get the non-compliance reasons?

A.Get-MgDeviceManagementManagedDeviceCompliancePolicyState -ManagedDeviceId 87654321-4321-4321-4321-123456789abc
B.Get-MgDeviceManagementDeviceCompliancePolicySettingStateSummary -DeviceCompliancePolicyId <id>
C.Get-MgDeviceManagementManagedDeviceConfigurationState -ManagedDeviceId 87654321-4321-4321-4321-123456789abc
D.Get-MgDeviceManagementDeviceConfigurationState -ManagedDeviceId 87654321-4321-4321-4321-123456789abc
AnswerA

This retrieves compliance policy state and reasons.

Why this answer

Option A is correct because Get-MgDeviceManagementManagedDeviceCompliancePolicyState returns, for the specified managed device, the state of each compliance policy applied to it together with the per-setting results, which is where the non-compliance reasons are found. Option B is wrong because Get-MgDeviceManagementDeviceCompliancePolicySettingStateSummary is scoped to a policy and summarises setting states across all devices, not the reasons for one device. Options C and D are wrong because they return device configuration (profile) states, not compliance policy evaluation results.
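An added example (not part of the original question set) of running the cmdlet from option A against the device named in the exhibit and filtering the output down to the settings that failed. The device name comes from the question; the Graph permission scope, module name and output layout are assumptions, and the property names follow the Graph deviceCompliancePolicyState and deviceCompliancePolicySettingState resources.

```powershell
# Added example: list the non-compliant settings for one Intune-managed device.
# Requires the Microsoft.Graph.DeviceManagement module. "Laptop-02" is from the
# question; the tenant, scope and output format are assumptions.
Import-Module Microsoft.Graph.DeviceManagement

# A read-only scope is enough to inspect compliance state.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All'

$device = Get-MgDeviceManagementManagedDevice -Filter "deviceName eq 'Laptop-02'"
if (-not $device) { throw "Laptop-02 was not found in Intune" }

# One object per compliance policy applied to the device; each carries the
# per-setting evaluation results in SettingStates.
$policyStates = Get-MgDeviceManagementManagedDeviceCompliancePolicyState `
    -ManagedDeviceId $device.Id

foreach ($policy in $policyStates) {
    "{0}: {1}" -f $policy.DisplayName, $policy.State

    # When troubleshooting, only settings that did not evaluate as compliant matter.
    $policy.SettingStates |
        Where-Object { $_.State -ne 'compliant' } |
        Select-Object SettingName, State, ErrorCode, ErrorDescription |
        Format-Table -AutoSize
}
```

The per-setting State values (for example nonCompliant, error, notApplicable) are what the Intune admin center shows under the device's compliance policy details; pulling them from Graph is useful when you need to check many devices or keep a record of why a device was blocked by Conditional Access.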

273
MCQhard

Your organization uses Microsoft Intune to manage iOS/iPadOS devices. You need to deploy an internal web app as a web clip on users' devices. The app requires users to authenticate with their organization credentials. Which configuration is required to ensure a seamless single sign-on experience?

A.Add the web clip with 'Managed App Configuration' including SSO key
B.Enable 'Use managed browser' in the app assignment
C.Deploy a VPN configuration that forces traffic through the corporate network
D.Configure the web clip with 'Full screen' option enabled
AnswerA

Managed App Configuration allows setting SSO for web clips.

Why this answer

For web clips on iOS/iPadOS, single sign-on is enabled by pairing the web clip with a managed app configuration that carries the SSO settings. Option A is correct because the SSO key in the managed app configuration lets the app authenticate with Microsoft Entra ID without prompting the user. Option B is wrong because the managed browser setting only controls where links open, not how the user authenticates. Option C is wrong because a VPN routes traffic onto the corporate network but does not sign the user in. Option D is wrong because the full screen option only changes how the web clip is displayed.

274
MCQhard

A company uses Microsoft Intune to manage Windows 10 devices with a hybrid Azure AD join configuration. Users report that they are unable to access corporate resources on their devices. You verify that the devices are enrolled and that compliance policies are applied. What should you check next?

A.Check the certificate profile assigned to the devices.
B.Verify that the devices can communicate with an on-premises domain controller.
C.Ensure the devices have a VPN connection to the corporate network.
D.Review the conditional access policies for the users.
AnswerB

Hybrid Azure AD join devices need to connect to a domain controller to complete registration.

Why this answer

In a hybrid Azure AD join configuration, devices must be able to communicate with an on-premises domain controller to authenticate and obtain Kerberos tickets for accessing corporate resources. Even if Intune enrollment and compliance policies are applied, a loss of connectivity to the domain controller (e.g., due to network changes or DNS issues) will prevent resource access. This is the most likely cause given that enrollment and compliance are verified as working.

Exam trap

The trap here is that candidates often jump to conditional access or certificate issues because they sound security-related, but the core requirement for hybrid Azure AD joined devices is on-premises domain controller connectivity for authentication.

How to eliminate wrong answers

Option A is wrong because certificate profiles are used for authentication or encryption, but the issue here is about general resource access; if certificates were the problem, you would typically see specific authentication failures rather than a complete inability to access resources. Option C is wrong because a VPN connection is not a prerequisite for hybrid Azure AD joined devices to access corporate resources; they can use DirectAccess or a cloud proxy, and the question does not indicate remote access requirements. Option D is wrong because conditional access policies control access based on conditions like compliance, but since compliance policies are already applied and verified, reviewing conditional access is a later step after confirming network connectivity to the domain controller.

275
MCQmedium

Contoso uses Intune to manage iOS/iPadOS devices. You need to ensure that only approved apps from the Microsoft Store can be installed on corporate devices. What should you configure?

A.App Protection Policies (APP)
B.Device Compliance policies
C.iOS/iPadOS App Configuration policies
D.Managed App Policies (MAM)
AnswerD

MAM policies can restrict installation to approved apps.

Why this answer

Option D is correct because managed app policies (MAM) can restrict installation on corporate devices to the approved set of apps. Option A is wrong because app protection policies protect data inside managed apps rather than controlling which apps may be installed. Option B is wrong because device compliance policies evaluate and report device state, not app control. Option C is wrong because iOS/iPadOS app configuration policies push settings into apps; they do not restrict installation.

276
MCQmedium

You have a hybrid Microsoft Entra ID joined Windows 10 device that is co-managed with Configuration Manager and Intune. You want Intune to manage Windows Update for Business settings. Which slider setting should you configure in Configuration Manager?

A.Move the slider for 'Windows Update policies' to 'Intune'
B.Move the slider for 'Endpoint protection' to 'Intune'
C.Move the slider for 'Resource access' to 'Intune'
D.Move the slider for 'Device configuration' to 'Intune'
AnswerA

This delegates update management to Intune.

Why this answer

Option A is correct. The 'Windows Update policies' workload slider must be moved to Intune (or to Pilot Intune for a pilot collection) to delegate Windows Update for Business management to Intune. Option B is the Endpoint protection workload, Option C is Resource access policies, and Option D is Device configuration; none of those sliders moves update management.

277
Multi-Selecteasy

Which TWO methods can you use to enroll a Windows 10 device in Microsoft Intune?

Select 2 answers
A.Navigate to the Intune enrollment URL in a browser.
B.Use the Company Portal website to enroll.
C.Sign in to Settings > Accounts > Access work or school and connect.
D.Join the device to Azure AD during OOBE.
E.Enroll from the Microsoft 365 admin center.
AnswersC, D

This is the manual enrollment method.

Why this answer

Windows 10 devices can be enrolled by joining the device to Azure AD during OOBE (which triggers automatic MDM enrollment when that is configured in the tenant) or by adding a work or school account under Settings > Accounts > Access work or school. Option A is incorrect because navigating to an enrollment URL in a browser is not a supported method. Option B is incorrect because the Company Portal website is used to check device status and install apps; on Windows, enrollment itself runs through the Settings work-or-school account flow rather than being a separate method. Option E is incorrect because the Microsoft 365 admin center does not enroll devices directly.

278
MCQmedium

Your organization uses Microsoft Intune to manage Windows 10 devices. You need to ensure that devices automatically receive the latest feature updates from the Windows 11 servicing channel. You configure a Windows 10 feature update policy targeting the devices. However, after 24 hours, devices still show Windows 10 version 22H2. What is the most likely cause?

A.Windows Update for Business is disabled in group policy.
B.The policy is a Windows 10 feature update policy, but devices need a Windows 11 feature update policy to upgrade to Windows 11.
C.The policy is not assigned to a device group containing the devices.
D.Devices have not been restarted after policy assignment.
AnswerB

Windows 10 feature update policies only apply to Windows 10 devices for feature updates within Windows 10. To upgrade to Windows 11, a Windows 11 feature update policy must be used.

Why this answer

A Windows 10 feature update policy is designed to move devices between Windows 10 feature versions (e.g., 21H2 to 22H2). To upgrade devices from Windows 10 to Windows 11, you must use a Windows 11 feature update policy, which specifically targets the Windows 11 servicing channel. Since the policy targets Windows 10 feature updates, it will not trigger the OS upgrade to Windows 11, leaving devices on Windows 10 22H2.

Exam trap

The trap here is that candidates assume a 'feature update policy' generically applies to any OS upgrade, but Microsoft Intune strictly separates Windows 10 and Windows 11 feature update policies, and using the wrong one will not trigger the OS version upgrade.

How to eliminate wrong answers

Option A is wrong because disabling Windows Update for Business via group policy would block all Windows Updates, not just feature updates, and the question states the policy is configured in Intune, which overrides local GP if properly set. Option C is wrong because the policy is described as targeting the devices, and if it were not assigned to a device group, the devices would not receive the policy at all, but the issue is that the policy type is incorrect for the desired upgrade. Option D is wrong because restarting devices does not change the policy type; a Windows 10 feature update policy will never upgrade to Windows 11 regardless of reboots.

279
MCQhard

You are the endpoint administrator for Contoso, a company with 10,000 Windows 11 devices managed by Microsoft Intune. The devices are a mix of corporate-owned and bring-your-own-device (BYOD). You need to implement a solution that allows users to access corporate resources only if their devices meet specific security requirements: disk encryption (BitLocker), antivirus (Microsoft Defender), and a minimum OS build. Additionally, you must ensure that users cannot access corporate email from devices that are jailbroken or rooted. The solution should automatically block non-compliant devices from accessing resources and provide a notification to the user explaining the issue. You have already configured compliance policies in Intune. What should you do next to enforce the block?

A.Configure a device enrollment restriction to block non-compliant devices from Azure AD join.
B.Create a device configuration policy that blocks access to corporate resources.
C.Create an app protection policy in Intune to block access to apps.
D.Create a Conditional Access policy in Microsoft Entra ID that requires compliant device for access.
AnswerD

Conditional Access evaluates device compliance and blocks access if not compliant, with user notification.

Why this answer

Option D is correct because Conditional Access policies use the device compliance status reported by Intune to grant or block access to cloud apps such as Exchange Online, and the user is shown a message explaining that the device must be compliant. Option A is wrong because enrollment restrictions control which devices can enroll; they do not evaluate compliance or block resource access, and blocking Azure AD join would prevent access for compliant devices too. Option B is wrong because a device configuration policy only enforces settings on the device; it does not block access to resources. Option C is wrong because app protection policies protect data within apps but do not block access based on device compliance.

280
Multi-Selecthard

Which THREE components are required for a successful Windows Autopilot self-deploying mode deployment?

Select 3 answers
A.A local administrator account created on the device.
B.Windows Autopilot device registration using the hardware hash.
C.A Microsoft 365 E3 license assigned to the user.
D.Microsoft Entra ID Premium P1 or P2 license.
E.A Windows Autopilot deployment profile assigned to the device.
AnswersB, D, E

The device must be registered in Autopilot to be recognized.

Why this answer

B is correct because Windows Autopilot self-deploying mode requires the device to be registered with Microsoft using its hardware hash. This registration links the device to an Azure AD tenant and enables the deployment profile to be downloaded automatically during the out-of-box experience, without user interaction; self-deploying mode authenticates the device with TPM 2.0 attestation instead of user credentials. D and E are also required: automatic MDM enrollment during Autopilot depends on Microsoft Entra ID Premium, and the deployment profile assigned to the device is what instructs it to run self-deploying mode.

Exam trap

The trap here is that candidates often assume a user license or local admin account is required, but self-deploying mode is specifically designed for userless scenarios and relies on device registration, an assigned deployment profile and a Microsoft Entra ID Premium license.

281
MCQmedium

A company uses Microsoft Intune to manage Windows 10 devices. They deployed a Win32 app as 'required' but some devices show 'pending install'. The app is configured with a detection rule that checks for a registry key. What should you check first?

A.Increase the app installation timeout.
B.Ensure the device has connectivity to Intune.
C.Reassign the app to a different security group.
D.Check if the detection rule is incorrectly marking the app as installed.
AnswerD

A pre-existing registry key can cause Intune to skip installation, resulting in 'pending install'.

Why this answer

Option D is correct because the most common reason for a 'pending install' status when a detection rule is configured is that the rule is incorrectly detecting the app as already installed. Intune evaluates the detection rule before attempting installation; if the rule finds the registry key (even if the app is not fully functional), Intune skips the installation and reports 'pending' or 'installed' without actually deploying the app. This is a frequent misconfiguration where the detection rule is too broad or references a key that exists from a previous installation or unrelated software.

Exam trap

The trap here is that candidates often assume 'pending install' means a connectivity or timeout issue, but the real cause is a misconfigured detection rule that falsely reports the app as already installed, preventing the installation from executing.

How to eliminate wrong answers

Option A is wrong because increasing the installation timeout would not resolve a detection rule that incorrectly marks the app as installed; timeout issues typically affect downloads or installations that are genuinely in progress, not a false positive detection. Option B is wrong because if the device lacked connectivity to Intune, the status would likely be 'not applicable' or 'error' rather than 'pending install', and Intune would report a communication failure. Option C is wrong because reassigning the app to a different security group would not fix a detection rule logic error; the issue is with how the app is detected on the device, not with group membership or targeting.
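An added example (not from the question bank) of a custom detection script that avoids the false positive described above. Intune treats a Win32 app as installed only when the detection script exits 0 and writes to STDOUT, so the script checks the version in the uninstall entry and the presence of the main binary rather than trusting a registry key alone. The product name, registry values, version and file path are assumptions for illustration.

```powershell
# Added example: custom detection script for a Win32 app in Intune.
# Intune considers the app "installed" only if this script exits 0 AND writes
# to STDOUT. A leftover registry key from an old or half-removed install must
# not be enough to satisfy that, so three conditions are checked together.
# The product name, version, registry values and path are assumptions.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)
$expectedName   = 'Contoso Agent'                                # assumed DisplayName
$minimumVersion = [version]'3.2.0'                               # assumed deployed version
$expectedBinary = 'C:\Program Files\Contoso\Agent\agent.exe'     # assumed install path

# Find the uninstall entry for the product (first match only).
$entry = @(
    foreach ($root in $uninstallRoots) {
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
            ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
            Where-Object { $_.DisplayName -eq $expectedName }
    }
) | Select-Object -First 1

$installedVersion = $null
if ($entry -and $entry.DisplayVersion) {
    # DisplayVersion is free text; a value that does not parse counts as not detected.
    try { $installedVersion = [version]$entry.DisplayVersion } catch { $installedVersion = $null }
}

# Detected only when the entry exists, the version is at least the deployed one,
# and the main binary is actually on disk.
if ($installedVersion -and
    ($installedVersion -ge $minimumVersion) -and
    (Test-Path -Path $expectedBinary -PathType Leaf)) {
    Write-Output "Detected $expectedName $installedVersion"
    exit 0
}

# No STDOUT and a non-zero exit code mean "not detected"; Intune runs the installer.
exit 1
```

Pairing the version check with a file check is what prevents the scenario in the question: a stale key from an earlier release fails the version comparison, and a key left behind by an incomplete uninstall fails the file check, so Intune proceeds with the installation instead of reporting the app as already present.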

282
MCQmedium

A user's Android device is not receiving email from the corporate Microsoft 365 tenant. The device is enrolled in Intune and shows as compliant. The email profile is assigned to the user. What should you check first?

A.Verify that the device meets the compliance policy for Android.
B.Confirm that the user has an Exchange Online license.
C.Check the device's last check-in time with Intune.
D.Ensure the device is enrolled in Intune.
AnswerC

The profile may not have been applied yet.

Why this answer

Option C is correct because the most common cause is that the email profile has not yet been delivered; the device's last check-in time shows whether it has synced with Intune since the profile was assigned. Option A is wrong because the question states the device is already compliant. Option B is a later step: a licensing problem would affect the user's mailbox access from every client, not the delivery of a profile to this one device. Option D is wrong because the question states the device is enrolled.

283
MCQhard

You manage a fleet of Windows 10 devices with Microsoft Intune. You need to deploy a Win32 app that has a complex installation requiring multiple command-line parameters. The app must be available to users in the Company Portal. What is the best way to handle the installation parameters?

A.Deploy a PowerShell script via Intune that runs the installer with parameters.
B.Configure detection rules to run a script that passes parameters.
C.Use the Intune Win32 app packaging to specify the installation command with parameters.
D.Use an administrative template to set parameters before installing.
AnswerC

The .intunewin file includes the command line.

Why this answer

Option C is correct because a Win32 app in Intune carries its own install and uninstall command lines, including any parameters, and the app is then published to users in the Company Portal. Option A is incorrect because a PowerShell script deployed separately does not appear in the Company Portal and is not tracked as an app installation. Option B is incorrect because detection rules only determine whether the app is present; they do not install anything. Option D is incorrect because administrative templates configure settings; they do not install apps.
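An added example (not from the question bank) showing how the installer and its parameters are handled for a Win32 app: the source folder is wrapped into a .intunewin file with the Microsoft Win32 Content Prep Tool, and the parameters live in the install command line that is entered on the app in Intune, not inside the package. The folder paths, product and installer switches are assumptions.

```powershell
# Added example: package a Win32 installer and define its command lines.
# Paths, the product and the installer switches are assumptions.
$source = 'C:\Packaging\ContosoAgent\src'     # folder containing setup.exe and its config files
$setup  = 'setup.exe'                          # the installer inside $source
$output = 'C:\Packaging\ContosoAgent\out'      # where the .intunewin file is written
$tool   = 'C:\Tools\IntuneWinAppUtil.exe'      # Microsoft Win32 Content Prep Tool

New-Item -ItemType Directory -Path $output -Force | Out-Null

# -c source folder, -s setup file, -o output folder, -q quiet (no prompts).
& $tool -c $source -s $setup -o $output -q
if ($LASTEXITCODE -ne 0) { throw "Packaging failed with exit code $LASTEXITCODE" }

# The parameters belong to the app's install command in Intune, so the same
# package can be reused with a different command line if the parameters change.
$installCommand   = 'setup.exe /S /SERVER=mgmt.contoso.local /PORT=8443 /NORESTART'
$uninstallCommand = '"C:\Program Files\Contoso\Agent\uninstall.exe" /S'

# Values to enter under Apps > Windows > Add > Windows app (Win32) > Program.
[pscustomobject]@{
    Package          = Join-Path -Path $output -ChildPath 'setup.intunewin'
    InstallCommand   = $installCommand
    UninstallCommand = $uninstallCommand
}
```

The tool names the output after the setup file, so setup.exe becomes setup.intunewin. Keep the install command quiet and non-interactive; it runs under the SYSTEM account from the Intune Management Extension, where any prompt would hang until the installation timeout.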

284
MCQmedium

Refer to the exhibit. You have configured a Windows Update for Business policy in Intune. Based on the JSON, what is the effect on devices?

A.Devices will not receive any updates from June 1 to July 15
B.Devices will receive all updates normally until July 15
C.Quality updates are paused from June 1 to June 30, and feature updates are paused from July 1 to July 15
D.The policy is invalid because pause dates cannot overlap
AnswerC

The pause start and expiry dates define the pause periods.

Why this answer

Option C is correct because the JSON defines two separate pause windows: quality updates are paused from June 1 to June 30, and feature updates are paused from July 1 to July 15. Option A is wrong because neither window covers both update types at once; quality updates resume on July 1, and feature updates are still offered until July 1. Option B is wrong because quality updates are paused throughout June. Option D is wrong because the quality and feature pause settings are independent of each other, so even overlapping dates would be valid.

285
Multi-Selectmedium

A company uses Microsoft Intune to manage Android Enterprise devices. They have a requirement to deploy a set of apps that are critical for business operations. Which TWO app deployment policies should the administrator configure to ensure the apps are always available and up-to-date?

Select 2 answers
A.Enable 'Auto-update' for the apps in the managed Play Store.
B.Assign the apps as 'Required' to the device group.
C.Configure the app to allow users to update manually.
D.Assign the apps as 'Available for enrolled devices' to the device group.
E.Set the app assignment type to 'Uninstall' for the device group.
AnswersA, B

Auto-update ensures apps stay current.

Why this answer

Option A is correct because enabling 'Auto-update' for apps in the managed Play Store ensures that critical business apps are automatically updated to the latest version without user intervention, maintaining security and functionality. Option B is correct because assigning apps as 'Required' to a device group forces installation on all targeted devices, guaranteeing that the apps are always present for business operations.

Exam trap

The trap here is that candidates often confuse 'Available for enrolled devices' with 'Required', not realizing that only 'Required' forces installation, while 'Available' relies on user action, which fails the 'always available' requirement.

286
MCQhard

Your company uses Microsoft Intune to manage 1,000 Windows 10 devices. You need to deploy a security baseline that includes BitLocker encryption, Windows Defender Antivirus settings, and firewall rules. You create a security baseline policy in Intune and assign it to a group containing all devices. After 48 hours, you notice that only 800 devices have applied the baseline. The remaining 200 devices show 'Pending' status. These devices are online and have network connectivity. What is the most likely cause and solution?

A.The devices need a reboot to apply the baseline settings; schedule a reboot.
B.The devices are not in the correct group; re-assign the policy.
C.Re-create the security baseline and assign again.
D.The devices have low battery; plug them in.
AnswerA

Many security baseline settings require reboot.

Why this answer

Option A is correct because the security baseline is delivered through Configuration Service Provider (CSP) settings, several of which only take effect after a restart; until then the device reports the baseline as pending. Scheduling a reboot during a maintenance window applies the baseline. Option B is wrong because the baseline is assigned and the pending status shows that the policy reached these devices. Option C is wrong because re-creating the policy does not help when the devices simply need to restart. Option D is wrong because nothing in the scenario points to power state; the devices are online and communicating.

287
MCQhard

Your organization uses Microsoft Intune to manage macOS devices. You need to deploy a .pkg app that is signed by a developer certificate that is not yet trusted on the devices. What must you do to allow the installation?

A.Deploy the app as a line-of-business app with the 'Allow user to bypass' option enabled.
B.Use a device configuration policy to trust the developer certificate before deploying the app.
C.Instruct users to manually approve the installation in System Preferences.
D.Convert the .pkg to a .dmg and deploy via Microsoft Store for Business.
AnswerB

Trusting the certificate allows the .pkg to run.

Why this answer

Option B is correct because a device configuration profile can deliver the developer's signing certificate to the device so that it is trusted before the .pkg is installed; the installer then passes the signature check instead of being rejected as coming from an unknown developer.

Option A is wrong because an option to let the user bypass the check does not make the signing certificate trusted and leaves the installation dependent on user action. Option C is wrong because manual approval in System Preferences on every device does not scale and relies on the user. Option D is wrong because Microsoft Store for Business does not distribute macOS apps, and converting the package format does nothing about the untrusted certificate.

288
MCQeasy

Your organization uses Microsoft Intune to manage Android Enterprise devices. You need to ensure that corporate data on a device is wiped if the device is reported stolen. Which action should you configure?

A.Full wipe from the Intune console.
B.Selective wipe from the Intune console.
C.Delete the device from Microsoft Entra ID.
D.Retire the device from Intune.
AnswerB

Selective wipe removes corporate data only.

Why this answer

Option B is correct because a selective wipe on an Android Enterprise device removes only corporate data (managed apps, work profile, and policies) while preserving the user's personal data. This is the appropriate action when a device is reported stolen, as it ensures corporate data is protected without affecting the user's personal information, which aligns with the organization's data protection requirements.

Exam trap

The trap here is that candidates often confuse 'full wipe' with 'selective wipe' in Android Enterprise, mistakenly thinking a full wipe is required for stolen devices, but Microsoft Intune's selective wipe is the correct and recommended action for corporate data removal while preserving personal data.

How to eliminate wrong answers

Option A is wrong because a full wipe resets the entire device to factory defaults, erasing both corporate and personal data, which is more than the requirement of removing corporate data calls for. Option C is wrong because deleting the device from Microsoft Entra ID only removes the device object from identity management; it does not send any wipe command to the device, so corporate data stays on it. Option D is wrong because, although retiring a device also removes management and corporate data, its purpose is to take the device out of Intune management; the action named for removing corporate data while preserving personal data is the selective wipe, which is the answer the question asks for.

289
Drag & Dropmedium

Order the steps to configure a Windows 10 device for Microsoft 365 Apps deployment via Intune.


Why this order

Begin in Intune admin center, add a new app, choose Microsoft 365 Apps, configure suite, and assign.

290
Multi-Selecthard

You are designing a device management strategy for a remote workforce using Windows 10 laptops that are Azure AD joined. You need to ensure that devices can be remotely wiped if lost or stolen, and that BitLocker recovery keys are escrowed to Azure AD. Which THREE configurations should you implement?

Select 3 answers
A.Join devices to on-premises Active Directory.
B.Configure a BitLocker policy in Intune that enables key escrow to Azure AD.
C.Configure a Group Policy to escrow BitLocker keys to Active Directory.
D.Enroll devices in Microsoft Intune.
E.Ensure devices are Azure AD joined.
AnswersB, D, E

Key escrow stores recovery keys in Azure AD.

Why this answer

Options B, D, and E are correct. Enrolling the devices in Intune (D) provides the remote wipe action. A BitLocker policy in Intune (B) turns on encryption and escrows the recovery key to Azure AD. Azure AD join (E) gives each device the Azure AD device object that the recovery key is stored against.

Option A is not required because the devices are Azure AD joined, not hybrid joined, and key escrow to Azure AD works without on-premises Active Directory. Option C applies to on-premises AD joined devices and escrows keys to Active Directory, not to Azure AD.
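An added example (not from the question bank) of what the Intune BitLocker policy in option B automates: checking that the OS volume has a recovery password protector, escrowing it to Microsoft Entra ID with the BitLocker module's BackupToAAD-BitLockerKeyProtector cmdlet, and confirming the escrow in the BitLocker event log. It is meant to be run elevated on an Entra joined Windows 10/11 device, for example when verifying a device whose key did not show up in the portal; the mount point and the event query window are assumptions.

```powershell
# Added example: escrow the BitLocker recovery password of C: to Microsoft Entra ID
# and confirm it. Run elevated on an Entra joined Windows 10/11 device.
#Requires -RunAsAdministrator
Import-Module BitLocker

$mount  = 'C:'                                   # assumed OS volume
$volume = Get-BitLockerVolume -MountPoint $mount

if ($volume.ProtectionStatus -ne 'On') {
    throw "$mount is not protected by BitLocker; enable encryption before escrowing a key."
}

# Only a numeric recovery password can be escrowed; a TPM-only configuration has
# nothing to back up, so add a recovery password protector if one is missing.
$recovery = $volume.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) {
    Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector | Out-Null
    $recovery = (Get-BitLockerVolume -MountPoint $mount).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

foreach ($protector in $recovery) {
    # Stores the recovery password against this device's object in Entra ID.
    BackupToAAD-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $protector.KeyProtectorId
    "Escrowed protector $($protector.KeyProtectorId) for $mount to Entra ID"
}

# Event 845 in the BitLocker Management log records a successful backup to Entra ID.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'
    Id      = 845
} -MaxEvents 3 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

In production the Intune endpoint security disk encryption policy performs this escrow automatically and can be set to require the backup to succeed before encryption starts; the manual steps are useful for remediation and for checking that a device's recovery key is actually retrievable from the Entra ID device blade before it is handed to a remote user.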

291
MCQmedium

A company manages 500 Windows 10 devices using Microsoft Intune. They plan to upgrade to Windows 11. The IT team wants to ensure that only devices meeting the Windows 11 hardware requirements are allowed to upgrade. They need to block the upgrade on devices that do not meet the requirements, and provide a clear error message to users. What should the IT team configure?

A.Configure a Windows 11 readiness policy in Intune and assign it to all devices.
B.Configure a feature update policy for Windows 10 and Windows 11 in Intune.
C.Create a compliance policy with Windows 11 requirements and assign it to all devices.
D.Use a device configuration profile to set the 'TargetReleaseVersion' policy for Windows 11.
AnswerA

Windows 11 readiness policy blocks upgrade on non-compliant devices and shows a custom message.

Why this answer

Option A is correct because a Windows 11 readiness policy in Intune is specifically designed to evaluate device hardware compatibility against Windows 11 requirements and block the upgrade on non-compliant devices while displaying a custom error message to users. This policy uses the Windows Health Monitoring and the TPM 2.0 attestation checks to enforce the hardware requirements before the upgrade can proceed.

Exam trap

The trap here is that candidates often confuse a compliance policy (which only reports non-compliance) with a readiness policy (which actively blocks the upgrade and provides a user-facing error), leading them to select Option C instead of A.

How to eliminate wrong answers

Option B is wrong because a feature update policy for Windows 10 and Windows 11 only controls the deployment of the feature update itself (e.g., which version to install) but does not include hardware readiness checks or the ability to block the upgrade with a custom error message based on hardware requirements. Option C is wrong because a compliance policy with Windows 11 requirements can mark devices as non-compliant but does not block the upgrade process; compliance policies are used for conditional access and device health, not for controlling the upgrade workflow. Option D is wrong because the 'TargetReleaseVersion' policy is a device configuration profile setting that specifies which Windows version to target (e.g., Windows 11) but does not perform hardware readiness checks or provide a user-facing error message when requirements are not met.

292
MCQhard

You are troubleshooting a Windows 11 device that fails to install a required application from the Company Portal. The app is assigned as required to the device. The device shows as compliant and has a healthy connection. What is the most likely cause?

A.The device is low on storage
B.The app is assigned to users, not devices
C.The app is available but not required
D.The device has offline files enabled
AnswerB

If the app is assigned to users instead of devices, the device may not receive the required installation.

Why this answer

When an application is assigned as required but fails to install on a compliant, connected device, the most likely cause is a mismatch in assignment targeting. In Microsoft Intune, required app assignments can be scoped to either users or devices. If the app is assigned to users but the device is not associated with a licensed user (or the user is not targeted), the device will not receive the installation policy.

The Company Portal checks user-based assignments, and without a targeted user, the required installation does not trigger.

Exam trap

The trap here is that candidates assume a compliant device with a healthy connection will always receive required apps, overlooking the critical difference between user-assigned and device-assigned app policies in Intune.

How to eliminate wrong answers

Option A is wrong because low storage would typically generate a specific error message or status in Intune (e.g., 'not enough disk space') and is not the most likely cause given the device is compliant and healthy. Option C is wrong because the question states the app is assigned as required, not available; if it were available, the user would need to manually install it, which contradicts the 'required' assignment. Option D is wrong because offline files (Client-Side Caching) do not prevent Intune from installing required applications; they affect file synchronization, not policy application.

293
Multi-Selecteasy

You are configuring Microsoft Intune for a new organization. You need to ensure that users can only enroll corporate-owned devices and are blocked from enrolling personal devices. Which TWO settings should you configure?

Select 2 answers
A.Create a conditional access policy that blocks devices not marked as corporate.
B.Configure enrollment restrictions to set 'Allow personally owned devices' to 'No'.
C.Create a conditional access policy that requires compliant devices.
D.Create a device compliance policy that marks personal devices as non-compliant.
E.Configure enrollment device platform restrictions to block personally owned devices.
AnswersB, E

This directly blocks personal device enrollment.

Why this answer

Options B and E are correct. Enrollment restrictions (device platform restrictions) include a per-platform 'Personally owned' setting; setting it to Block prevents personal devices from enrolling, which is the only place where enrollment itself is controlled.

Options A and C are Conditional Access controls, which govern access to resources after a device is enrolled rather than whether it can enroll. Option D is wrong because a compliance policy evaluates the state of an enrolled device and cannot block enrollment.

294
MCQmedium

A user's device is enrolled in Microsoft Intune and compliant, but they cannot access corporate email via the Outlook mobile app. The app opens and shows 'Cannot connect to server'. Other users with the same device model can access email. What is the most likely cause?

A.The app protection policy is misconfigured.
B.The device model is blocked by a Conditional Access policy.
C.The device is not compliant with the compliance policy.
D.The user is blocked by a Conditional Access policy due to sign-in risk.
AnswerD

Conditional Access can block based on user risk, which would prevent access.

Why this answer

Option D is correct because the user's device is compliant and enrolled, yet the Outlook app cannot connect to the server. A Conditional Access policy that blocks access based on sign-in risk (e.g., medium or high risk detected by Azure AD Identity Protection) can target the user directly, even if the device itself is compliant. This explains why other users with the same device model are unaffected—the block is user-specific, not device-specific.

Exam trap

The trap here is that candidates assume a device compliance issue is the root cause because the error is connectivity-related, but the question explicitly states the device is compliant, forcing you to consider user-specific Conditional Access controls like sign-in risk.

How to eliminate wrong answers

Option A is wrong because a misconfigured app protection policy (MAM policy) would typically block data access or show a policy-related error, not a generic 'Cannot connect to server' message, and it would affect all users with that policy applied, not just one user. Option B is wrong because if the device model were blocked by a Conditional Access policy, all users with that model would be affected, not just a single user. Option C is wrong because the question explicitly states the device is compliant, so non-compliance cannot be the cause.

295
MCQmedium

Your organization uses Microsoft Intune to manage macOS devices. You need to deploy a custom shell script that runs once on each device. What should you configure?

A.A shell script with the 'Run script once per device' option.
B.A device compliance policy with a custom shell script.
C.A custom configuration profile with a script payload.
D.A managed app that includes the script.
AnswerA

Shell scripts in Intune can be set to run once per device.

Why this answer

Option A is correct because shell scripts can be deployed with a run-once frequency. Option B is wrong because a compliance policy does not run scripts. Option C is wrong because a configuration profile cannot run scripts. Option D is wrong because a managed app is not a mechanism for deploying scripts.

296
MCQeasy

You are an Intune administrator for a company that has recently deployed Windows 11 devices. Management wants to ensure that all devices are running the latest feature update (Windows 11 23H2) within 60 days of release. You need to configure a Windows Update for Business policy in Intune to achieve this goal. Which settings should you configure?

A.Set the feature update deferral period to 60 days and assign the policy to all devices.
B.Set the feature update deferral period to 60 days and pause updates for 30 days.
C.Set the feature update deadline to 60 days and assign the policy to a device group.
D.Set the feature update deferral period to 0 days and assign to all users.
AnswerA

Deferral of 60 days means the update will be offered within 60 days after release.

Why this answer

Option A is correct because setting the feature update deferral period to 60 days in a Windows Update for Business policy ensures that devices will wait up to 60 days after Microsoft releases a feature update (e.g., Windows 11 23H2) before installing it. This meets the requirement of having all devices running the latest feature update within 60 days of release, as the deferral period defines the maximum delay from the release date. Assigning the policy to all devices ensures blanket coverage across the Windows 11 fleet.

Exam trap

The trap here is that candidates confuse the 'deferral period' (which delays the initial offering of the update) with the 'deadline' (which forces installation after the update is already available), leading them to incorrectly select a deadline-based option when the goal is to control how soon after release the update becomes available to devices.

How to eliminate wrong answers

Option B is wrong because pausing updates for 30 days would block updates entirely for that period, preventing devices from receiving the feature update within the 60-day window; the deferral period and pause are mutually exclusive controls. Option C is wrong because setting a feature update deadline to 60 days does not control the initial availability of the update—it only enforces a forced installation deadline after the update is already offered, which could result in devices not receiving the update until well after 60 days from release. Option D is wrong because setting the deferral period to 0 days would cause devices to install the feature update immediately upon release, which does not align with the goal of ensuring installation within 60 days (it would be too aggressive and could cause disruption), and assigning to all users instead of devices is less effective for device-level update management.

297
Multi-Selectmedium

Which TWO actions are required to prepare Windows devices for subscription activation? (Select TWO.)

Select 2 answers
A.Ensure the device has a Windows 10/11 Pro or Education license
B.Enter a MAK key
C.Configure a KMS host key
D.Join the device to Microsoft Entra ID or hybrid Microsoft Entra ID
E.Install the Azure AD Connect tool
AnswersA, D

Subscription Activation works only on Pro and Education editions.

Why this answer

Option A is correct because subscription activation requires a qualifying base license of Windows 10/11 Pro or Education. These editions support the subscription activation feature, which upgrades the device to Windows 10/11 Enterprise without requiring a separate product key. Without this base license, the device cannot be upgraded via subscription activation.

Exam trap

The trap here is that candidates often confuse subscription activation with traditional volume activation methods (KMS or MAK) and select options B or C, or mistakenly think Azure AD Connect is required for device join, when in fact only Microsoft Entra ID or hybrid join is needed.

298
MCQhard

Refer to the exhibit. A PowerShell command is used to create a device category in Microsoft Intune. After running the command, you want to automatically assign devices to this category based on their Azure AD group membership. How should you configure this?

A.Create a dynamic device group in Azure AD that includes devices based on rules, then use that group to assign category via Intune.
B.Use a device configuration profile to set the device category.
C.Map an Azure AD group to the Intune device category in the Intune console.
D.Create a PowerShell script that runs daily to assign devices to the category based on group membership.
AnswerA

Dynamic groups can automate device categorization.

Why this answer

Option A is correct because dynamic device groups in Azure AD can use rules to assign devices to categories based on attributes. Option B is incorrect because configuration profiles do not assign categories. Option C is incorrect because there is no direct mapping between Azure AD groups and Intune categories. Option D is incorrect because manual assignment is not automated.

299
Multi-Selecthard

You are planning the deployment of Windows 11 using Intune. Which THREE components are required to perform an in-place upgrade from Windows 10?

Select 3 answers
A.A Group Policy to enable Windows Update for Business.
B.A valid Windows 11 product key.
C.The Intune Management Extension installed on the device.
D.A Windows 11 feature update profile in Intune.
E.Hardware that meets Windows 11 system requirements.
AnswersB, D, E

Required for licensing.

Why this answer

Options B, D, and E are correct. A Windows 11 feature update profile is needed to deploy the upgrade. A valid product key for Windows 11 is required. Hardware requirements (TPM 2.0, 4 GB of RAM, etc.) must be met. Option A is incorrect because a Group Policy is not required; Intune can manage the upgrade. Option C is incorrect because the Intune Management Extension is not required for feature updates.

300
MCQmedium

Your organization, Fabrikam, uses Microsoft Intune to manage iOS/iPadOS and Android devices. You need to implement a solution that ensures company email can only be accessed from the Outlook mobile app, and that data from the Outlook app cannot be copied to personal apps. You also need to ensure that when a user leaves the company, the corporate data in Outlook is removed without affecting personal data. You plan to use app protection policies (MAM). The devices are not enrolled in Intune (unmanaged). You configure the app protection policies for Outlook on iOS and Android. However, users report that they can still copy email content to personal apps. What should you check?

A.Ensure that the devices are enrolled in Intune.
B.Check that the device compliance policy is assigned.
C.Verify that the 'Cut, copy, and paste' setting in the app protection policy is set to 'No' or 'Policy managed apps'.
D.Confirm that the Outlook app is a managed app in Intune.
AnswerC

This setting controls data transfer to other apps.

Why this answer

Option C is correct because the 'Allow cut, copy, and paste' setting in the app protection policy must be set to 'No' or 'Policy managed apps' to prevent data transfer. Option A is wrong because the policy can be applied without device enrollment. Option B is wrong because device compliance is not required for MAM policies on unmanaged devices. Option D is wrong because the Outlook app is already supported.
