Microsoft 365 Endpoint Administrator MD-102 (MD-102) — Questions 301375

991 questions total · 14 pages · All types, answers revealed


Page 5 of 14

301
MCQ · hard

You have an Intune-managed Windows 10 device that is not receiving app updates. The app was deployed as a Win32 app with a detection rule. You verify that the device is online and the Intune Management Extension is running. What should you check first?

A. The detection rule is set to 'File exists'.
B. The app is assigned as 'Required' in the assignment.
C. The Intune Management Extension is up to date.
D. The app assignment schedule is configured to update.
Answer: D

The update schedule must be set for the app to receive updates.

Why this answer

The app update frequency is controlled by the app assignment schedule. Option D is correct because if the assignment is set to 'Available' or 'Required' but not 'Update', the app will not update automatically. Option C is wrong because the extension runs regardless.

Option A is wrong because detection rules are for installation, not updates. Checking logs would not show the update policy either.

302
MCQ · medium

Your organization uses Microsoft Intune to manage Windows 10 devices. You need to deploy a line-of-business (LOB) app that requires a reboot after installation. Which deployment configuration should you use to ensure the app installs and the device reboots outside of business hours?

A. Available assignment without deadline
B. Available assignment with a deadline and a grace period for reboot
C. Uninstall assignment for all devices
D. Required assignment with a reboot behavior of 'Immediate'
Answer: B

Allows flexible installation and postpones reboot within grace period.

Why this answer

Option B is correct because the 'Available' assignment with 'Deadline' and 'Grace period' allows users to install the app during non-business hours and provides a grace period before a forced reboot. Option D is wrong because a 'Required' assignment with 'Immediate' reboot would force the reboot immediately. Option C is wrong because an 'Uninstall' assignment removes the app.

Option A is wrong because 'Available' without a deadline does not enforce reboot timing.

303
MCQ · medium

Refer to the exhibit. You run a PowerShell command to check the assignment status of device configuration profiles. The 'BitLocker Policy' shows 'Pending'. What does 'Pending' indicate?

A. The policy is waiting for user approval
B. The policy assignment failed due to a conflict
C. The policy has been successfully applied
D. The policy has been assigned to the device but not yet applied
Answer: D

Pending indicates the policy is queued for application.

Why this answer

Option D is correct. 'Pending' means the policy has been assigned but not yet applied to the device. Option B describes an error state. Option A is not a status.

Option C is for success.

304
MCQ · hard

A company uses Microsoft Defender for Endpoint to manage endpoint security. They observe that some devices are not reporting vulnerability data to Microsoft Defender XDR. Which component is most likely misconfigured?

A. Microsoft Sentinel workspace
B. Microsoft Defender for Endpoint sensor on the devices
C. Intune MDM authority
D. Microsoft Purview compliance portal
Answer: B

The sensor collects vulnerability data; missing sensor stops reporting.

Why this answer

Option B is correct: Microsoft Defender for Endpoint relies on its agent (sensor) to collect vulnerability data. If the sensor is not installed or running, vulnerability data won't be reported. Option C (Intune MDM) manages device configuration but not vulnerability reporting.

Option D (Microsoft Purview) is for compliance and data loss prevention. Option A (Microsoft Sentinel) ingests data from Defender but is not the source.

305
Multi-Select · easy

You are deploying Microsoft 365 Apps for enterprise using Microsoft Intune. Which TWO methods can you use to assign the application to users?

Select 2 answers
A. Assign to individual users directly.
B. Assign to a distribution group.
C. Assign to a dynamic group using device attributes.
D. Assign to a device group.
E. Assign to a Microsoft Entra ID user group.
Answers: D, E

Device groups allow targeting based on device membership.

Why this answer

Option D is correct because Microsoft Intune supports assigning Microsoft 365 Apps for enterprise directly to device groups, which ensures the application is installed on the specified devices regardless of which user signs in. This method is useful for shared or kiosk devices where user-based assignment would not apply. Option E is correct because assigning to a Microsoft Entra ID user group is the standard method for user-based deployment, allowing the apps to be provisioned based on user identity.

Exam trap

The trap here is that candidates often confuse distribution groups with security groups, assuming any group type can be used for Intune assignments, but only security groups (including Microsoft Entra ID groups) are supported for application targeting.

306
Multi-Select · easy

Which TWO are valid methods to enroll iOS/iPadOS devices into Microsoft Intune?

Select 2 answers
A. Apple Configurator 2
B. Automated Device Enrollment (ADE)
C. Company Portal enrollment
D. Windows Autopilot
E. Android Zero Touch enrollment
Answers: B, C

Apple's DEP-based enrollment.

Why this answer

Options B and C are correct. Automated Device Enrollment (ADE) is the modern method for corporate devices, and Company Portal enrollment is for user-driven enrollment. Option D is wrong because Windows Autopilot is for Windows.

Option E is wrong because Android Zero Touch is for Android. Option A is wrong because Apple Configurator 2 is for supervised devices but is not a primary enrollment method; it is used for setup.

307
MCQ · medium

You have a Windows 10 device that is managed by Intune and enrolled in Microsoft Defender for Endpoint. The device is reporting a high number of false positive detections from Microsoft Defender Antivirus. You need to configure an exclusion for a specific folder path to reduce false positives. Where should you configure the exclusion?

A. In a device compliance policy
B. In Group Policy
C. In the endpoint protection profile for Microsoft Defender Antivirus in Intune
D. In Microsoft Defender Security Center
Answer: C

Exclusions are set within the antivirus settings of the endpoint protection profile.

Why this answer

Option C is correct because exclusions for Microsoft Defender Antivirus are configured in the endpoint protection profile in Intune. Option A is wrong because compliance policies do not handle exclusions. Option D is wrong because Microsoft Defender Security Center is for security operations, not configuration.

Option B is wrong because Group Policy is not used when devices are managed by Intune.

308
Multi-Select · easy

You are configuring Microsoft Intune for Windows 10 devices. Which two settings can you enforce using a device restrictions profile? (Select TWO.)

Select 2 answers
A. Disable the camera
B. Set default web browser
C. Set battery saver threshold
D. Configure Windows Update for Business settings
E. Require a password for device unlock
Answers: A, E

Device restrictions include hardware disabling.

Why this answer

Options A and E are correct. Device restrictions can disable the camera and require a password. Option C is wrong because battery saver is a system setting, not a restriction.

Option D is wrong because Windows Update settings are in update rings. Option B is wrong because the default browser is set via the settings catalog, not device restrictions.

309
Multi-Select · easy

Your organization plans to use Windows Autopilot to provision new devices. Which TWO methods can you use to obtain the hardware hash for a new device?

Select 2 answers
A. Request the hardware hash from the device manufacturer (OEM)
B. Extract the hardware hash from the device BIOS
C. Run a PowerShell script on a device that is already running Windows 10 or later
D. Use Microsoft Intune to generate the hardware hash from the device serial number
E. Use Windows Configuration Designer to create a provisioning package that captures the hardware hash
Answers: A, C

OEMs can provide the hardware hash.

Why this answer

Options A and C are correct. C: If the device is already running Windows, you can use a PowerShell script to get the hardware hash. A: OEMs can provide the hardware hash during manufacturing.

Option B is wrong because the hardware hash is not available in BIOS. Option E is wrong because Windows Configuration Designer does not generate hardware hashes. Option D is wrong because Microsoft Intune can import hardware hashes but not generate them.

310
MCQ · hard

You are troubleshooting an Intune-managed iOS device that cannot install a VPP (Volume Purchase Program) app. The device shows a 'License Not Found' error. The app is assigned as 'Available' without device enrollment. What is the most likely cause?

A. The app is configured to remove when the device leaves management.
B. The Apple VPP token has expired.
C. The device is not compliant with conditional access policies.
D. The device is enrolled without user affinity (device enrollment).
Answer: D

VPP apps need user affinity to assign licenses.

Why this answer

Option D is correct because VPP apps require user enrollment for the Apple VPP token to assign licenses; device enrollment does not support user-based licensing. Option A is wrong because the app removal policy is irrelevant. Option C is wrong because device compliance is not the issue.

Option B is wrong because the token is valid.

311
Multi-Select · hard

Which THREE are required for a successful Microsoft Intune enrollment of a Windows device?

Select 3 answers
A. A device compliance policy assigned to the device
B. MDM enrollment enabled in Microsoft Entra ID
C. Azure AD Premium P1 license
D. A valid Microsoft Intune license assigned to the user
E. Internet connectivity to Microsoft Intune service
Answers: B, D, E

Must be enabled to allow enrollment.

Why this answer

Option B is correct because Microsoft Intune requires MDM enrollment to be enabled in Microsoft Entra ID (formerly Azure AD) to allow devices to register and communicate with the Intune service. Without this setting, the device cannot complete the enrollment process, as Entra ID acts as the identity provider and enrollment authority for Intune-managed devices.

Exam trap

The trap here is that candidates often confuse post-enrollment requirements (like compliance policies or Azure AD Premium P1) with prerequisites for enrollment, leading them to select options that are only needed after the device is already enrolled.

312
MCQ · easy

You need to deploy Microsoft 365 Apps to Windows devices using Microsoft Intune. The deployment must be available to users in the company portal. Which app type should you select?

A. Windows 10/11 (Microsoft 365 Apps)
B. Microsoft 365 (Web link)
C. Microsoft Store app (new)
D. Windows app (Win32)
Answer: A

This app type is specifically for Office deployment.

Why this answer

Option A is correct because Windows 10/11 (Microsoft 365 Apps) is the correct app type for deploying Office. Option D is wrong because it is for line-of-business apps. Option B is wrong because it is for web links.

Option C is wrong because it is for store apps.

313
Drag & Drop · medium

Arrange the steps to perform a Windows 10 feature update using Windows Update for Business in Intune.


Why this order

First create the ring, set version and rollout, assign, then monitor.

314
MCQ · hard

Your organization uses Microsoft Intune to manage iOS devices. You need to ensure that corporate data is protected when users access Microsoft 365 apps. Which policy should you configure?

A. Use a Mobile App Configuration policy to enforce app settings.
B. Deploy an Intune App Protection Policy (APP) for Microsoft 365 apps.
C. Create a Device Compliance policy for iOS devices.
D. Configure a Conditional Access policy to require compliant devices.
Answer: B

APP protects corporate data in apps, such as preventing copy-paste or requiring PIN.

Why this answer

Option B is correct because App Protection Policies (APP) in Intune protect data at the app level, including for Microsoft 365 apps, without requiring device management. Option D is wrong because Conditional Access controls access, not data protection within apps. Option C is wrong because Device Compliance policies ensure devices are compliant but do not protect data within apps.

Option A is wrong because Mobile App Configuration policies configure app settings; they do not protect data.

315
Multi-Select · medium

Which TWO actions can you perform using Microsoft Intune to protect devices from malware?

Select 2 answers
A. Create network segmentation rules
B. Enable email attachment scanning
C. Deploy third-party antivirus software
D. Enforce Windows Defender Antivirus real-time protection
E. Configure Windows Defender Firewall rules
Answers: D, E

Intune can configure antivirus settings.

Why this answer

Options D and E are correct. Intune can enforce Windows Defender Antivirus settings and manage Windows Defender Firewall. Option C is wrong because Intune does not directly manage third-party AV.

Option B is wrong because Intune does not manage email filtering. Option A is wrong because Intune does not manage network segmentation.

316
MCQ · medium

You manage Windows 10 devices with Intune. You need to collect diagnostic logs from a remote device that is experiencing application crashes. Which Intune feature should you use?

A. Collect diagnostics
B. Company Portal app
C. Autopilot Reset
D. Windows Update for Business
Answer: A

This remote action collects logs without user intervention.

Why this answer

Option A is correct because 'Collect diagnostics' is a remote action in Intune that allows admins to gather logs from Windows devices. Option B (Company Portal) is for end users. Option C (Autopilot Reset) is for re-provisioning.

Option D (Windows Update for Business) is for updates.

317
MCQ · hard

An organization uses Microsoft Defender for Cloud Apps to monitor cloud app usage. The security team wants to automatically apply an Intune app protection policy (APP) when a user accesses a risky app from an unmanaged device. What should the administrator use?

A. Conditional Access App Control with session control
B. Device configuration policy
C. App protection policy assignment to users
D. Device compliance policy
Answer: A

Session control can enforce APP when a risky app is accessed.

Why this answer

The correct answer is A, Conditional Access App Control with session policies. Option D is incorrect because compliance policies apply to devices, not app sessions. Option C is incorrect because APP can be targeted to users but not triggered automatically by risk.

Option B is incorrect because device configuration profiles do not react to cloud app risk.

318
MCQ · medium

Your organization uses Microsoft Intune to manage Windows 10 and Windows 11 devices. You need to deploy a critical security update to all devices within 24 hours. The update is classified as a 'Quality Update' by Microsoft. You have configured a Windows Update for Business policy in Intune with a 'Quality update deadline' of 1 day. However, after 48 hours, some devices still have not installed the update. You verify that the devices are online and have checked in with Intune recently. What should you do to ensure the update is installed immediately on the remaining devices?

A. Ask users to restart their devices.
B. Reassign the update ring to a broader device group.
C. Use the 'Update Immediately' setting in the Windows Update for Business policy.
D. Increase the 'Quality update deadline' to 3 days.
Answer: C

This setting forces the device to check for and install available updates immediately.

Why this answer

Option C is correct because the 'Update Immediately' setting forces the device to check for and install updates without delay. Option D is wrong because the deadline is already set to 1 day; increasing it would allow more delay. Option A is wrong because restarting the device does not force update installation.

Option B is wrong because the issue is not with the update ring assignment; the policy is already applied.

319
MCQ · easy

A company uses Microsoft 365 E3 licenses. They need to enforce that all users must use the Microsoft Authenticator app for MFA instead of SMS or phone call. What should the administrator configure?

A. MFA service settings in the legacy portal
B. Authentication methods policy
C. Security defaults
D. Conditional Access policy
Answer: B

This policy controls which methods are allowed.

Why this answer

The Authentication methods policy (B) is the correct configuration because it allows administrators to control exactly which authentication methods users can register and use for MFA. By targeting the policy to all users and disabling SMS and voice call while enabling Microsoft Authenticator (push notifications or OTP), the requirement is met. This policy supersedes legacy MFA settings and provides granular control over modern authentication methods.

Exam trap

The trap here is that candidates often confuse the Authentication methods policy with Conditional Access policies, assuming that a Conditional Access policy can restrict MFA methods, but in reality, Conditional Access only controls when MFA is required, not which methods are allowed.

How to eliminate wrong answers

Option A is wrong because the MFA service settings in the legacy portal only control per-user MFA enforcement and basic method availability (call, SMS, app), but they do not allow disabling specific methods like SMS or phone call for all users—they only enable or disable the app as a whole. Option C is wrong because Security defaults enforce a baseline set of security policies (including requiring MFA for all users) but do not allow granular control to restrict MFA methods to only the Authenticator app; they permit any available method. Option D is wrong because a Conditional Access policy can require MFA but cannot restrict which specific MFA methods (e.g., Authenticator app vs. SMS) are allowed; method restriction is handled exclusively by the Authentication methods policy.

320
Matching · medium

Match each Microsoft 365 compliance feature to its description.


Prevent sensitive data from being shared inappropriately

Classify and protect documents and emails with labels

Manage retention and disposal of records

Search and export content for legal investigations

Log and investigate user and admin activities

Why these pairings

Compliance features are part of the Microsoft 365 security and compliance center, relevant for endpoint administrators.

321
MCQ · hard

Your organization uses Microsoft Intune to manage Windows 10 devices. You create a compliance policy requiring devices to have BitLocker enabled. Some devices report as non-compliant even though BitLocker appears to be on. You discover these devices are using software-based encryption instead of hardware-based encryption. What should you do to resolve the compliance failure?

A. Modify the compliance policy to include 'BitLocker hardware encryption' as 'not configured' or set to 'allow software encryption'.
B. Configure the compliance policy to require TPM attestation.
C. Upgrade the devices to Windows 10 Enterprise edition.
D. Change the compliance policy setting from 'require' to 'allow' for BitLocker.
Answer: A

This accommodates both encryption types.

Why this answer

Option A is correct because the compliance policy can be configured to accept both hardware and software encryption. Option B is incorrect because the TPM is used regardless of encryption type. Option D is incorrect because the policy does not need to be changed from 'require' if it already requires encryption.

Option C is incorrect because BitLocker is available on Windows 10 Pro and Enterprise.

322
Multi-Select · hard

Which THREE factors should you consider when planning the deployment of Windows 10 feature updates using Intune?

Select 3 answers
A. Devices must have sufficient disk space to download the update.
B. A deployment ring strategy should be used to test updates on a pilot group first.
C. The version of Windows 10 determines which update rings are available.
D. The feature update compatibility report is only available for Windows 11.
E. Deferral periods can be set to delay the update installation.
Answers: A, B, E

Sufficient disk space is required for feature updates.

Why this answer

Feature update deployment requires considering deferral periods, pilot groups, and bandwidth. Option D is incorrect because feature update compatibility reporting is available for Windows 10 as well. Option C is incorrect because the Windows 10 version is not relevant to update rings; update rings apply to quality updates.

Option B is correct: a deployment ring strategy helps stage updates. Option E is correct: deferral periods control timing.

323
MCQ · hard

You manage devices with Microsoft Intune. Some Windows devices are not receiving required security updates despite being assigned to an update ring for Windows 10. You verify that the devices are active and connected to the internet. What is the most likely cause?

A. The devices have a compliance policy requiring a specific version that is not yet met.
B. The update ring has a deferral period configured that delays updates for 30 days.
C. The devices are not connected to a corporate VPN.
D. Delivery Optimization is disabled on the devices.
Answer: B

Deferral periods can significantly delay update delivery.

Why this answer

The most likely cause is that the update ring has a deferral period configured that delays updates for 30 days. In Microsoft Intune, update rings for Windows 10 allow administrators to set deferral periods for quality and feature updates. A deferral period of 30 days means that even if the device is active and connected, it will not install the update until the specified number of days after Microsoft releases it.

This explains why the devices are not receiving the updates despite being compliant and online.

Exam trap

The trap here is that candidates often assume connectivity or compliance issues are the root cause, overlooking the fact that update rings can intentionally delay updates via deferral periods, which is a core configuration in Intune for staged rollouts.

How to eliminate wrong answers

Option A is wrong because a compliance policy requiring a specific version would not prevent updates from being offered; it would instead mark the device as non-compliant if the version is not met, but updates would still be available and installable. Option C is wrong because Windows Update for Business does not require a corporate VPN to receive updates; devices can download updates directly from Microsoft's update servers over the internet. Option D is wrong because Delivery Optimization is a peer-to-peer caching mechanism that speeds up update downloads but is not required for updates to be received; disabling it would not block updates entirely.

324
MCQ · hard

Your organization deploys Microsoft Defender for Endpoint (now Microsoft Defender XDR) on Windows 10 devices using Intune. After deployment, some devices show 'Defender service is not running' in the security console. The devices are online and compliant. What is the most likely cause?

A. Tamper protection is enabled and blocking the service.
B. The devices are not compliant with the Defender policy.
C. Windows Firewall is blocking Defender updates.
D. A third-party antivirus is installed and active.
Answer: D

Defender disables when another AV is active.

Why this answer

Option D is correct because if another antivirus product is active, Defender will disable itself to avoid a conflict. Option B is wrong because a compliance policy does not disable the service. Option A is wrong because tamper protection prevents changes, not failure.

Option C is wrong because the firewall is unrelated.

325
MCQ · medium

Refer to the exhibit. A Windows 10 device is showing as non-compliant. The compliance policy 'Require BitLocker' is assigned to all devices. The device does not have BitLocker enabled. However, the user is able to access corporate email on the device. What is the most likely reason for this?

A. The compliance policy has a grace period of 7 days for BitLocker.
B. The compliance policy is not assigned to the device.
C. The device is configured as a kiosk device, which exempts it from compliance.
D. There is no Conditional Access policy that requires compliant device for access to corporate email.
Answer: D

Without a Conditional Access policy, compliance status does not block access.

Why this answer

D is correct because compliance policies alone do not enforce access restrictions; they only report device compliance status. To block access to corporate email, a Conditional Access policy must be configured to require a compliant device. Without such a policy, the device can still access email even if it is non-compliant.

Exam trap

The trap here is that candidates assume a compliance policy automatically blocks access to resources when a device is non-compliant, but in reality, a separate Conditional Access policy is required to enforce that block.

How to eliminate wrong answers

Option A is wrong because a grace period delays enforcement but does not allow access if the device is non-compliant and a Conditional Access policy is in place; the question states the device is non-compliant and still accessing email, so the absence of Conditional Access is the key. Option B is wrong because the exhibit states the compliance policy is assigned to all devices, so the device is indeed assigned the policy. Option C is wrong because kiosk devices are not exempt from compliance policies; they can be targeted by compliance policies and Conditional Access, and there is no built-in exemption for kiosk mode in this context.

326
MCQ · medium

Refer to the exhibit. You run the PowerShell command above to get a list of noncompliant devices. The output shows that some devices have a complianceGracePeriodExpirationDateTime in the past. What does this indicate?

A. The compliance policy has been removed from these devices.
B. The devices are still within the grace period and can access resources.
C. The devices were recently remediated and are now compliant.
D. The devices have exceeded the grace period and should be blocked from accessing resources.
Answer: D

Past expiration means grace period has been exceeded.

Why this answer

Option D is correct because a grace period expiration in the past means the device has been noncompliant beyond the grace period, so it should be blocked. Option B is wrong because the grace period has expired. Option C is wrong because the device is noncompliant.

Option A is wrong because compliance policies are still applied.

327
MCQ · medium

You deployed this endpoint protection policy to a Windows 10 device. A user reports that a known malicious file was downloaded but not blocked. What is the most likely reason?

A. Real-time scanning is set to monitorAllFiles, but the file was an archive.
B. The scan type is set to quick, which does not scan downloaded files.
C. The cloud block level is set to high, which may block unknown files, but known files might be missed.
D. The policy has not been applied to the device yet.
Answer: D

If the policy hasn't applied, settings are not active.

Why this answer

Option D is correct because if the endpoint protection policy has not been applied to the device, the Microsoft Defender for Endpoint settings (including real-time scanning and cloud-delivered protection) are not active. The policy must be successfully delivered via Microsoft Intune or Configuration Manager before any protection rules take effect. Without policy application, the device runs with default or no protection, allowing known malicious files to be downloaded without being blocked.

Exam trap

The trap here is that candidates assume a protection policy is automatically active once created, but Microsoft Intune policies require device check-in and successful application before they take effect, and the cloud block level setting is often misunderstood as affecting known malware detection.

How to eliminate wrong answers

Option A is wrong because real-time scanning set to monitorAllFiles includes archives; Microsoft Defender scans archive files (e.g., .zip, .rar) by default when monitorAllFiles is enabled, so an archive would still be scanned. Option B is wrong because the scan type (quick, full, or custom) applies to scheduled or on-demand scans, not to real-time protection; real-time scanning always inspects files as they are downloaded or accessed, regardless of the scan type setting. Option C is wrong because the cloud block level setting (high, moderate, etc.) affects how aggressively unknown files are sent to the cloud for analysis, but known malicious files are blocked locally by signature-based detection and do not rely on cloud block level; a known file would be blocked even with a high cloud block level.

328
MCQ · easy

You need to retire a device in Microsoft Intune. What is the effect of retiring a device?

A. The device is unenrolled, and corporate data and apps are removed. Personal data is preserved.
B. The device is factory reset to its original settings.
C. The device remains enrolled but can no longer access corporate resources.
D. The device is deleted from Azure AD and Intune.
Answer: A

Retirement removes company data and unenrolls the device.

Why this answer

Option A is correct because retirement removes managed data and apps but retains personal data. Option B is wrong because that describes a wipe. Option D is wrong because retirement does not delete the device from Azure AD.

Option C is wrong because the device is unenrolled rather than remaining enrolled.

329
MCQ · medium

Your organization uses Microsoft Intune to manage Android Enterprise devices. You need to ensure that only approved corporate apps can be installed on work profiles. What should you configure?

A. Device compliance policy to block noncompliant devices
B. Device restrictions configuration profile
C. App configuration policy for managed Google Play
D. Conditional access policy to require approved apps
Answer: C

App configuration policies can define an approved list of apps for work profiles.

Why this answer

To restrict app installation on Android Enterprise work profiles to only approved corporate apps, you must configure an app configuration policy for managed Google Play. This policy enforces a list of required and allowed apps, preventing users from installing unapproved apps from the Play Store on the work profile. Device compliance and conditional access policies control access to resources, not app installation, while device restrictions lack the granularity to enforce app whitelisting on managed Google Play.

Exam trap

The trap here is that candidates often confuse app configuration policies (which control app installation and settings) with app protection policies (which control data behavior within apps), leading them to incorrectly select conditional access or compliance policies instead.

How to eliminate wrong answers

Option A is wrong because device compliance policies evaluate device health (e.g., encryption, root status) and can block access to resources, but they do not control which apps can be installed on the work profile. Option B is wrong because device restrictions configuration profiles manage device settings (e.g., camera, Bluetooth) but cannot enforce a whitelist of approved apps for installation on managed Google Play. Option D is wrong because conditional access policies require approved apps for resource access (e.g., Exchange Online) but do not prevent installation of unapproved apps on the work profile; they only gate access after the app is already installed.

330
MCQhard

The above PowerShell cmdlet returns the following output: DeviceName: LAPTOP001 LastSyncDateTime: 2025-03-15T08:30:00Z ComplianceState: noncompliant ManagementState: managed OSVersion: 10.0.19044.1288 The device last synced 3 days ago. What is the most likely reason for the noncompliant status?

A.The device is running an outdated OS version.
B.The device has been retired or wiped.
C.The device has not synced in over 24 hours.
D.The device has no compliance policy assigned.
AnswerC

Intune marks a device noncompliant when it has not checked in within the tenant's compliance status validity period.

Why this answer

The device last synced 3 days ago and shows ComplianceState: noncompliant. Intune's compliance policy settings include a tenant-wide 'Compliance status validity period (days)' (default 30, configurable from 1 to 120 days); a device that does not check in within that window is marked noncompliant because its reported state is treated as stale, regardless of the individual policy rules. The question assumes the tenant has shortened that period to 1 day, so the LastSyncDateTime of 2025-03-15T08:30:00Z falls outside the window and C is the intended answer. Before accepting that conclusion on a real tenant, check the validity period under Devices > Compliance > Compliance policy settings and open the device's compliance details: when a missed check-in is the cause, the built-in 'Is active' setting is the one reported as failing.

Exam trap

The trap here is that candidates assume 'noncompliant' always means a policy rule violation (an outdated OS, missing encryption) rather than recognising that Intune marks a device noncompliant simply for failing to check in within the compliance status validity period, even if every other policy setting is satisfied. Note that the 24-hour figure in the option is not the Intune default; it only holds if the tenant set the validity period to 1 day.

How to eliminate wrong answers

Option A is wrong because the OSVersion (10.0.19044.1288) corresponds to a supported build of Windows 10 21H2, which is not inherently outdated for compliance unless a specific policy requires a newer version, and the output does not indicate an OS version mismatch. Option B is wrong because the ManagementState is 'managed', not 'retired' or 'wiped', so the device is still under management and has not been removed. Option D is wrong because if no compliance policy were assigned, the device would typically show a ComplianceState of 'unknown' or 'not evaluated', not 'noncompliant'.

331
MCQeasy

A user's device is marked as 'Noncompliant' in Microsoft Intune due to missing required updates. The device is configured with a compliance policy that requires a minimum OS version. The user claims the device is up-to-date. What should you verify first?

A.The current OS version on the device.
B.The user's license status.
C.The compliance policy is assigned to the device.
D.The device is connected to the internet.
AnswerA

The device might not have the required OS version.

Why this answer

Option A is correct because the first step in troubleshooting a noncompliant device due to a missing minimum OS version is to verify the actual OS version currently installed on the device. The user's claim that the device is up-to-date may be based on a misunderstanding of what version is required, or the device may have pending updates that have not been applied. Intune compliance policies evaluate the OS version reported by the device during check-in, so confirming the exact build number against the policy requirement is the logical starting point.

Exam trap

The trap here is that candidates may jump to verifying policy assignment or connectivity, overlooking that the most direct and immediate verification is the actual OS version on the device, which is the specific attribute being evaluated by the compliance policy.

How to eliminate wrong answers

Option B is wrong because license status affects enrollment and access to Intune features, but it does not directly cause a device to be marked noncompliant due to a missing OS version; a licensed user can still have a noncompliant device. Option C is wrong because if the compliance policy were not assigned to the device, the device would not be evaluated against that policy and would not be marked noncompliant for that reason; the fact that it is marked noncompliant indicates the policy is assigned. Option D is wrong because while internet connectivity is required for the device to check in with Intune and report compliance, the device is already reporting its noncompliant status, meaning it has communicated with the service; connectivity is not the root cause of the OS version mismatch.

332
Multi-Selecthard

Which THREE of the following are valid detection rule types for a Win32 app in Microsoft Intune? (Select THREE.)

Select 3 answers
A.Windows feature
B.MSI product code
C.File system
D.Registry
E.DNS query
AnswersB, C, D

Detects based on MSI product GUID.

Why this answer

The four detection rule types for a Win32 app are MSI product code, File (file or folder existence, modified date, version or size), Registry (key or value existence, string, integer or version comparison) and Custom detection script (a PowerShell script that signals 'installed' with exit code 0 plus output on STDOUT). Only three of those appear in the options, so the answer is B, C and D. 'Windows feature' is not a detection rule type, and 'DNS query' is not something Intune evaluates at all.

The detection rule is what Intune re-checks after the install command finishes and on later check-ins. A rule that is too loose (for example, a folder that already exists on every device) makes Intune report the app as installed and never run the installer; a rule the installer never satisfies makes every install report as failed.
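As an added illustration that is not part of the exam page, the script below is the fourth detection rule type, a custom detection script for a Win32 app. Intune runs it as SYSTEM and treats the app as installed only when the exit code is 0 and something was written to STDOUT. The product name, install path, registry key and version are assumptions chosen for the example.

```powershell
# Added example: custom detection script for a Win32 app (not from the exam page).
# Intune rule: exit 0 AND text on STDOUT = installed; anything else = not installed.
# Product path, registry key and version below are assumptions for illustration.

$expectedVersion = [version]'2.4.1'
$exePath = Join-Path $env:ProgramFiles 'Contoso\Agent\agent.exe'   # assumed install path
$regPath = 'HKLM:\SOFTWARE\Contoso\Agent'                          # assumed installer marker

function Test-AppInstalled {
    param([string] $Path, [string] $RegKey, [version] $MinVersion)

    if (-not (Test-Path -Path $Path)) { return $false }

    # Compare the binary's version resource, not just its presence, so a downgraded or
    # half-removed install is reported as "not detected" and Intune reinstalls it.
    $fileVersion = [version](Get-Item -Path $Path).VersionInfo.FileVersion
    if ($fileVersion -lt $MinVersion) { return $false }

    # The installer writes this marker; require both the marker and the binary.
    $installed = (Get-ItemProperty -Path $RegKey -ErrorAction SilentlyContinue).Installed
    return ($installed -eq 1)
}

if (Test-AppInstalled -Path $exePath -RegKey $regPath -MinVersion $expectedVersion) {
    Write-Output "Detected agent $expectedVersion or newer"   # STDOUT + exit 0 = installed
    exit 0
}
exit 1   # non-zero exit (or no STDOUT) = not installed; Intune runs the install command
```

One gotcha the script depends on: Intune runs detection scripts as a 32-bit process unless 'Run script as 64-bit process on 64-bit clients' is set to Yes, and in a 32-bit process `$env:ProgramFiles` resolves to `C:\Program Files (x86)`, so a 64-bit app under `C:\Program Files` is never found. Either enable the 64-bit option or read `$env:ProgramW6432` instead.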

333
Multi-Selecthard

Which THREE components are essential for a Microsoft Defender for Endpoint deployment on Windows 10 devices? (Choose three.)

Select 3 answers
A.Cloud-delivered protection enabled
B.Microsoft Defender for Endpoint sensor
C.Microsoft Defender Antivirus
D.Microsoft Intune management agent
E.Microsoft 365 Apps for enterprise
AnswersA, B, C

Cloud protection provides real-time defense.

Why this answer

Options A, B and C are correct: the Defender for Endpoint sensor (built into Windows 10 and activated by onboarding), Microsoft Defender Antivirus, and cloud-delivered protection are the core components; Defender for Endpoint features such as attack surface reduction rules and network protection also require Defender Antivirus to be the active antivirus. Option D (the Intune management agent) is a management tool that can deliver the onboarding package but is not required for the sensor to function. Option E (Microsoft 365 Apps for enterprise) is unrelated.

334
MCQmedium

Your organization manages Windows devices with Intune and uses Azure Information Protection (AIP) to classify documents. You are deploying the AIP client as a Win32 app. After deployment, some users report that the AIP add-in is not visible in Office applications. What should you check first?

A.Confirm that Office is updated to the latest version.
B.Ensure that the required .NET Framework and Visual Studio Tools for Office runtime are installed.
C.Verify that the user has local administrator rights.
D.Check if the device has internet access to activate the client.
AnswerB

These are prerequisites for the add-in to load.

Why this answer

Option B is correct because the AIP client requires the .NET Framework and the Visual Studio Tools for Office (VSTO) runtime; missing prerequisites cause the add-in to fail to load. Option C is wrong because user permissions affect installation but not add-in visibility after install. Option D is wrong because network connectivity is needed to download labels and policy, not to load the add-in. Option A is wrong because Office updates do not remove the add-in, although Office's own 'Disabled Items' list (File > Options > Add-ins > Manage) is the next place to look once the prerequisites are confirmed.

Note that the AIP unified labeling client was retired in April 2024 in favour of the built-in sensitivity labeling in Microsoft 365 Apps, which needs no add-in at all; new deployments should not be packaging the client.

335
Multi-Selecthard

Which THREE of the following are prerequisites for using Microsoft Intune to manage Linux devices?

Select 3 answers
A.The Microsoft Intune agent installed on the Linux device.
B.A supported Linux distribution such as Ubuntu 20.04 or later.
C.The device must be joined to an on-premises Active Directory domain.
D.Network connectivity to Microsoft Intune service endpoints.
E.An Azure Active Directory Premium P2 license for each user.
AnswersA, B, D

The agent enables management and compliance reporting.

Why this answer

Option A is correct because the Microsoft Intune app for Linux is the core component that enables communication between the Linux device and the Intune service. Without it the device cannot register with Microsoft Entra ID, enroll, receive compliance policies or report back. Options B and D follow from the same dependency: the app is only supported on listed distributions (Ubuntu Desktop 22.04 and 20.04 LTS and Red Hat Enterprise Linux 8 and 9 at the time of writing), and the device must reach the Intune and Microsoft Entra endpoints to register and check in. Option C is wrong because Linux devices register with Microsoft Entra ID through the app, not through on-premises Active Directory, and option E is wrong because an Intune license is sufficient; Microsoft Entra ID P2 is not required.

Exam trap

The trap here is that candidates often assume Linux devices must be domain-joined or require premium Azure AD licensing, but Intune manages Linux as a standalone mobile device class with only basic licensing and network connectivity prerequisites.

336
Multi-Selecteasy

You need to deploy Microsoft Defender for Endpoint to Windows 10 devices using Microsoft Intune. Which TWO methods can you use to deploy the Microsoft Defender for Endpoint client?

Select 2 answers
A.Using Group Policy connected to Intune.
B.As a line-of-business (LOB) app in Intune.
C.From the Microsoft Store for Business.
D.Via a device configuration profile using the 'Microsoft Defender for Endpoint' CSP.
E.Via Microsoft Configuration Manager.
AnswersB, D

You can upload the MDATP installer as an LOB app.

Why this answer

Options B and D are the key's answers. On Windows 10 the Defender for Endpoint sensor is built into the operating system, so 'deploying' it through Intune means onboarding rather than installing a client: the onboarding package can be delivered by uploading a wrapped installer or script as an app (option B), or, the supported way, through an endpoint security 'Endpoint detection and response' profile, which uses the Microsoft Defender for Endpoint CSP (WindowsAdvancedThreatProtection) to apply the onboarding blob (option D). Option C is wrong because Defender for Endpoint is not a store app. Option A is wrong because Group Policy is not driven from Intune.

Option E is wrong in the context of the question because Configuration Manager is a separate management tool, even though it is a valid onboarding method on its own.

337
MCQeasy

Refer to the exhibit. You see this JSON in an Intune policy for a Windows 10 device. What type of app is being deployed?

A.Win32 app
B.Web app
C.Line-of-business app
D.Microsoft Store app
AnswerD

The type is windowsStoreApp.

Why this answer

Option D is correct because the @odata.type in the exhibit is '#microsoft.graph.windowsStoreApp', the Graph resource for a Microsoft Store app. Option A is wrong because Win32 apps appear as '#microsoft.graph.win32LobApp'. Option C is wrong because line-of-business packages use types such as '#microsoft.graph.windowsMobileMSI' or '#microsoft.graph.windowsUniversalAppX'.

Option B is wrong because web links use '#microsoft.graph.webApp'. Apps added through the newer Microsoft Store (winget) integration show as '#microsoft.graph.winGetApp', so check the exact type string rather than the word 'Store'.

338
Multi-Selectmedium

Your organization is planning to enroll Windows devices into Microsoft Intune using Group Policy. Which TWO prerequisites must be in place? (Choose two.)

Select 2 answers
A.An on-premises Active Directory environment.
B.A Group Policy object to enable automatic MDM enrollment.
C.A Microsoft Intune subscription must be active.
D.Azure AD Connect must be configured.
E.Devices must be Azure AD hybrid joined.
AnswersA, B

Group Policy is used to configure automatic enrollment.

Why this answer

Options A and B are the key's answers: Group Policy enrollment needs an on-premises Active Directory to apply the GPO, and the policy itself, 'Enable automatic MDM enrollment using default Microsoft Entra credentials' (Computer Configuration > Administrative Templates > Windows Components > MDM), set to use device credentials.

Option C is true but is a general Intune prerequisite rather than one specific to the Group Policy method, which is why the key excludes it. Options D and E are excluded by the key, but in practice the policy only works on devices that are Microsoft Entra hybrid joined, which in turn requires Microsoft Entra Connect; a domain-joined device that is not hybrid joined has no device credential to enroll with and logs an enrollment error in the DeviceManagement-Enterprise-Diagnostics-Provider event log.

339
MCQhard

A multinational organization uses Microsoft 365 E5 licenses. The compliance officer wants to ensure that all documents containing credit card numbers are automatically classified and protected with a label that applies encryption. You configure auto-labeling policies in Microsoft Purview. After 24 hours, the compliance officer reports that no documents have been labeled. The policy scope is set to 'All locations' and the policy is enabled. What is the most likely cause of the issue?

A.The policy is deployed in simulation mode only.
B.No sensitivity labels have been published to the users.
C.Auto-labeling requires Azure Information Protection (AIP) add-on license.
D.The priority of the policy is too low compared to other policies.
AnswerA

Auto-labeling policies start in simulation mode; you must turn on the policy to apply labels.

Why this answer

Auto-labeling policies in Microsoft Purview start in simulation mode, which evaluates documents against the policy rules and reports what would be labeled without applying any labels. Since the compliance officer reports that no documents have been labeled after 24 hours, the most likely cause is that the policy is still in simulation, a deliberate step for validating the policy before turning it on. The state is visible in the Purview portal (the policy status reads 'Simulation') and in Security & Compliance PowerShell with Get-AutoSensitivityLabelPolicy; once the simulation results look right, Set-AutoSensitivityLabelPolicy -Identity <policy name> -Mode Enable turns it on.

Exam trap

The trap here is that candidates may assume auto-labeling policies apply labels immediately upon creation, overlooking that a new policy runs in simulation mode and must be explicitly turned on after the simulation completes.

How to eliminate wrong answers

Option B is wrong because publishing sensitivity labels to users is required for manual labeling, but auto-labeling policies apply labels automatically based on conditions, regardless of whether labels are published to users. Option C is wrong because auto-labeling for sensitive information types like credit card numbers is included with Microsoft 365 E5 licenses and does not require an additional Azure Information Protection (AIP) add-on license. Option D is wrong because policy priority affects which label is applied when multiple policies match, but it does not prevent labeling entirely; if the policy is enabled and in production mode, it would still apply labels even if its priority is lower.

340
MCQeasy

You need to configure BitLocker encryption for Windows 10 devices managed by Intune. You create a device configuration profile for endpoint protection. After assigning, devices show 'BitLocker not enabled' in the Intune console. What is the most likely cause?

A.The profile is assigned to a user group instead of a device group.
B.The devices do not have a TPM chip.
C.Secure Boot is not enabled on the devices.
D.The devices are running Windows 10 Home edition.
AnswerB

BitLocker requires TPM for seamless encryption; without TPM, a USB startup key is needed.

Why this answer

Option B is correct because Intune's silent BitLocker enablement relies on a TPM (1.2 or 2.0) to protect the volume master key; if the device has no TPM, or it is disabled in firmware, encryption does not start and the report stays at 'BitLocker not enabled'. BitLocker can run without a TPM only with a startup key or password, which requires the 'Allow BitLocker without a compatible TPM' setting and user interaction, so it is not something an Intune profile does silently. Option A is wrong because an endpoint protection profile applies whether it is assigned to users or devices; a user-group assignment applies to the user's enrolled devices.

Option C is wrong because Secure Boot is not required for BitLocker, although Intune's silent encryption and TPM-based boot integrity measurements work best with it enabled. Option D is wrong in the key's framing because the scenario does not mention editions, but BitLocker Drive Encryption is only available on Windows 10 Pro, Enterprise and Education (Home supports only device encryption), so in a real fleet confirm the edition as well.

341
MCQhard

A Windows device shows enrollment state 'Enrolled' and compliance state 'compliant', but the policy setting 'MaxInactivityTimeDeviceLock' is not applied. The exhibit shows the device JSON from Intune. What is the most likely reason?

A.The OMA-URI setting is invalid.
B.The device is not enrolled.
C.The device's group membership is still being processed, so policies are not yet applied.
D.The device is not compliant.
AnswerC

Pending status indicates group membership processing.

Why this answer

Option C is correct because 'Enrolled' and 'Compliant' rule out enrollment and compliance as causes, leaving policy delivery. MaxInactivityTimeDeviceLock is a Policy CSP setting (./Device/Vendor/MSFT/Policy/Config/DeviceLock/MaxInactivityTimeDeviceLock) delivered to the groups the profile is assigned to. If the device was added to the target group recently, or dynamic group membership is still being evaluated, the profile has not yet been handed to the device. Windows MDM clients check in frequently right after enrollment (roughly every 3 minutes for 15 minutes, then every 15 minutes for 2 hours) and afterwards only about every 8 hours, so a newly applied assignment can lag until the next check-in or a manual Sync.

The JSON exhibit likely shows the device is in a pending state for policy application despite being enrolled and compliant.

Exam trap

The trap here is that candidates see 'Enrolled' and 'Compliant' and assume the device is fully healthy, but they overlook that policy application is asynchronous and depends on group membership processing, which can lag behind enrollment and compliance evaluation.

How to eliminate wrong answers

Option A is wrong because if the OMA-URI setting were invalid, the policy would show an error or 'Not applicable' status in Intune, not a missing application while the device remains compliant. Option B is wrong because the device explicitly shows enrollment state 'Enrolled', so the device is enrolled and this contradicts the premise. Option D is wrong because the device shows compliance state 'Compliant', so non-compliance is not the reason the policy is not applied.
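To tell 'never delivered' apart from 'delivered but wrong', the following PowerShell, added here as an illustration and not part of the exam page, reads the value the MDM client actually applied. Policy CSP values that have been applied are mirrored under HKLM\SOFTWARE\Microsoft\PolicyManager\current, and each MDM enrollment has a GUID key under HKLM\SOFTWARE\Microsoft\Enrollments. Run it elevated on the affected device; the registry paths are the real ones, the helper names are this example's own.

```powershell
# Added example (not from the exam page): confirm on the device whether the
# DeviceLock/MaxInactivityTimeDeviceLock policy was applied, and by which enrollment.

function Get-AppliedDeviceLockPolicy {
    param(
        [string] $PolicyName = 'MaxInactivityTimeDeviceLock',
        [string] $BasePath   = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceLock'
    )
    $item = Get-ItemProperty -Path $BasePath -Name $PolicyName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Absent value: the policy never reached the device (assignment or group lag).
        return [pscustomobject]@{ Policy = $PolicyName; Applied = $false; Value = $null; Source = $null }
    }
    # <Policy>_WinningProvider names the enrollment that wrote the value.
    $provider = Get-ItemProperty -Path $BasePath -Name "${PolicyName}_WinningProvider" -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty "${PolicyName}_WinningProvider"
    [pscustomobject]@{ Policy = $PolicyName; Applied = $true; Value = $item.$PolicyName; Source = $provider }
}

function Get-MdmEnrollmentSummary {
    # ProviderID 'MS DM Server' marks the Intune enrollment among the GUID keys.
    Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
        Where-Object { $_.ProviderID -eq 'MS DM Server' } |
        Select-Object @{ n = 'EnrollmentId'; e = { Split-Path -Path $_.PSPath -Leaf } }, ProviderID, UPN, EnrollmentType
}

Get-MdmEnrollmentSummary | Format-Table
Get-AppliedDeviceLockPolicy | Format-List

# If Applied is $false, start a check-in from the device side and re-run:
#   Get-ScheduledTask | Where-Object { $_.TaskPath -like '\Microsoft\Windows\EnterpriseMgmt\*' -and $_.TaskName -eq 'PushLaunch' } | Start-ScheduledTask
# For the full picture (enrollment, applied policies, event log):
#   mdmdiagnosticstool.exe -area "DeviceEnrollment;DeviceProvisioning;Autopilot" -cab C:\temp\mdm.cab
```

If the value is present but not what the profile sets, the Source field tells you which enrollment won; a second MDM enrollment or a local Group Policy writing the same CSP setting is the usual reason for a mismatch.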

342
MCQeasy

An organization uses Microsoft Intune to manage Windows 11 devices. They want to deploy a custom script that runs during device provisioning (ESP – Enrollment Status Page). Which app type should they use?

A.Line-of-business app
B.Win32 app
C.PowerShell script (Device configuration)
D.Proactive remediations
AnswerC

Can run during ESP.

Why this answer

Option C is correct because a PowerShell script (Devices > Scripts and remediations > Platform scripts) is delivered by the Intune Management Extension, which is installed during provisioning, so the script runs during the device setup phase. Note that platform scripts are not tracked by the Enrollment Status Page and ESP does not wait for them to finish. Option B is wrong because a Win32 app is the vehicle for an installer, not a bare script, although required Win32 apps can be tracked by ESP. Option A is wrong because LOB apps are MSI or MSIX packages.

Option D is wrong because remediations (formerly proactive remediations) run on a schedule after enrollment completes.

343
Multi-Selectmedium

Which TWO prerequisites are required for Windows Autopilot self-deploying mode?

Select 2 answers
A.Device is registered in Windows Autopilot
B.A user account with Intune license
C.Windows 11/10 Pro, Enterprise, or Education edition
D.Microsoft Entra ID P1 or P2 license
E.TPM 2.0 chip on the device
AnswersA, C

Required for all Autopilot modes.

Why this answer

Options A and C are the key's answers. Self-deploying mode requires the device to be registered in Windows Autopilot and to run a supported edition of Windows 10 or 11 (Pro, Enterprise or Education). Option B is wrong because self-deploying mode joins the device to Microsoft Entra ID and enrolls it in Intune without any user; a user license is only consumed when someone later signs in. Option D reflects the licensing Autopilot is sold with but is not a technical prerequisite of the mode itself.

Option E is excluded by the key, but in practice a physical TPM 2.0 is a hard requirement of self-deploying mode: the device authenticates with TPM attestation instead of a user, which is also why virtual machines are not supported. Treat the key as 'the two the question names' and verify the TPM before relying on this mode in production.

344
Multi-Selectmedium

Which THREE of the following are valid methods for deploying Microsoft Intune compliance policies to devices?

Select 3 answers
A.Assign the policy to a user group, which applies to devices enrolled by those users.
B.Assign the policy to an Azure AD group that contains devices.
C.Assign the policy directly to individual devices from the Intune console.
D.Assign the policy to a dynamic device group created using device rules.
E.Assign the policy to a device category.
AnswersA, B, D

User-based assignment applies policies to devices enrolled by those users.

Why this answer

Option A is correct because Microsoft Intune compliance policies can be assigned to user groups, and when a user in the group enrolls a device, the policy applies to that device. This is the most common deployment method, leveraging user-based targeting to ensure compliance settings are enforced on devices associated with those users.

Exam trap

The trap here is that candidates may confuse device categories as a direct assignment target, but they are only used to define membership rules for dynamic device groups, not as a policy assignment scope.

345
MCQeasy

Refer to the exhibit. You are deploying Microsoft Edge via Intune as a required app for Windows devices. Which setting ensures that any previous version of Microsoft Edge is removed before installing the new version?

A.appVersion: 96.0.1054.62
B.channel: Stable
C.uninstallPrevious: true
D.intent: required
AnswerC

This removes previous versions before installing.

Why this answer

Option C is correct because 'uninstallPrevious' set to true removes previous versions before the new one is installed. Option A is wrong because appVersion is the version to install, not a removal setting. Option B is wrong because channel (Stable, Beta, Dev) selects the release channel and does not affect removal.

Option D is wrong because intent 'required' only means the app must be installed.

346
Drag & Dropmedium

Arrange the steps to configure Conditional Access for Microsoft 365 in Azure AD.


Why this order

Sign in, go to Conditional Access, create policy, set conditions, set controls, enable.

347
Multi-Selectmedium

Which THREE conditions must be met for an iOS line-of-business app to be successfully installed via Intune?

Select 3 answers
A.The app must be assigned to a security group.
B.The app must be signed with an Apple Developer Enterprise Distribution certificate.
C.The device UDID must be registered with Apple Business Manager.
D.The app must be uploaded as a .ipa file.
E.The user must have an active Apple ID.
AnswersB, C, D

Enterprise certificate is required for LOB apps.

Why this answer

Option B is correct because iOS line-of-business (LOB) apps distributed outside the App Store must be signed with an Apple Developer Enterprise Distribution certificate to be trusted by the device. That signing lets the app run without individual review by Apple, which is what Intune-managed enterprise deployment relies on; without it the device rejects the installation on code signing validation. Option D is correct because Intune ingests iOS LOB apps as a .ipa package. Option C is the key's third choice, but note that per-device UDID registration only applies to ad hoc provisioning profiles, and that it is done in the Apple Developer portal rather than Apple Business Manager; an app signed with an enterprise distribution certificate installs on any managed device without it. Option A is wrong because assignment can target any group or 'All users'/'All devices' and is not a condition for installation to succeed. Also plan for the enterprise provisioning profile's one-year expiry: Intune's iOS/iPadOS app provisioning profile policy can push a renewed profile before the app stops launching.

Exam trap

The trap here is that candidates often confuse the prerequisites for App Store apps (which require an Apple ID) with those for enterprise LOB apps, leading them to incorrectly select 'active Apple ID' as a requirement.

348
MCQmedium

Your company uses Microsoft Intune to manage Windows 10 and 11 devices. You have been asked to deploy a Microsoft 365 Apps for enterprise (formerly Office 365 ProPlus) configuration that includes Word, Excel, PowerPoint, and Outlook. The deployment must be assigned to a group of 200 devices that are not connected to the internet during initial setup; they will get updates from a local Distribution Point (DP) on the network. You have created a Win32 app using the Office Deployment Tool (ODT) with a configuration XML that specifies the products and updates source. Which additional step is necessary to ensure the installation succeeds without internet?

A.Enable the 'Allow devices to discover network content' setting in Intune.
B.Download the Office installation files to each device before deployment.
C.Set the Office channel to 'Current' in the Intune app properties.
D.Include the SourcePath attribute in the configuration XML pointing to the local DP.
AnswerD

ODT needs to know where to get installation files.

Why this answer

Option D is correct because setup.exe reads the installation files from the SourcePath attribute of the <Add> element in the configuration XML; with no SourcePath it falls back to the Office CDN, which these devices cannot reach. The same XML should also set UpdatePath in the <Updates> element to the local share so post-install updates come from the distribution point too, and the files on the share must first be staged with 'setup.exe /download configuration.xml' using the same channel and languages. Option B is wrong because the local share already hosts the files; copying them to each device defeats the purpose. Option A is wrong because there is no such Intune setting, and network discovery is not needed when the path is explicit.

Option C is wrong because the channel is specified in the XML, not in the Intune app properties.
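The following PowerShell, added here as an illustration and not part of the exam page, generates and sanity-checks the ODT configuration.xml that goes inside the Win32 app, with SourcePath and UpdatePath both pointing at the internal share. The share name, channel, language and excluded apps are assumptions; the XML elements and attributes (Add, SourcePath, Product, Language, ExcludeApp, Updates, UpdatePath, RemoveMSI, Display, Property) are documented ODT settings.

```powershell
# Added example (not from the exam page): build the ODT configuration.xml for an offline
# install that reads and later updates from a local share. Share path and product choices are assumed.

function New-OdtConfig {
    param(
        [Parameter(Mandatory)] [string] $SourcePath,   # e.g. '\\dp01\office' (assumed share)
        [string]   $Channel  = 'Current',              # must match the channel downloaded to the share
        [string]   $Language = 'en-us',
        [string[]] $ExcludeApps = @('Access', 'Publisher', 'OneNote', 'Teams', 'Groove', 'Lync')
    )
    $excludes = ($ExcludeApps | ForEach-Object { "      <ExcludeApp ID=`"$_`" />" }) -join "`n"
@"
<Configuration>
  <Add OfficeClientEdition="64" Channel="$Channel" SourcePath="$SourcePath">
    <Product ID="O365ProPlusRetail">
      <Language ID="$Language" />
$excludes
    </Product>
  </Add>
  <Updates Enabled="TRUE" UpdatePath="$SourcePath" />
  <RemoveMSI />
  <Display Level="None" AcceptEULA="TRUE" />
  <Property Name="SharedComputerLicensing" Value="0" />
</Configuration>
"@
}

function Test-OdtConfig {
    # Pre-packaging checks: well-formed XML, SourcePath present, and UpdatePath equal to it
    # so the offline devices keep updating from the share after install.
    param([Parameter(Mandatory)] [string] $Xml)
    $doc = [xml]$Xml
    $add = $doc.Configuration.Add
    [pscustomobject]@{
        HasSourcePath       = -not [string]::IsNullOrEmpty($add.SourcePath)
        SourceMatchesUpdate = ($add.SourcePath -eq $doc.Configuration.Updates.UpdatePath)
        Channel             = $add.Channel
        Products            = (@($add.Product) | ForEach-Object { $_.ID }) -join ','
    }
}

$xml = New-OdtConfig -SourcePath '\\dp01\office'
Test-OdtConfig -Xml $xml
Set-Content -Path .\configuration.xml -Value $xml -Encoding UTF8

# Stage the files on the share once, from a machine with internet access:
#   setup.exe /download configuration.xml
# Win32 app (.intunewin) command lines, with setup.exe and the XML in the source folder:
#   Install:   setup.exe /configure configuration.xml
#   Uninstall: setup.exe /configure uninstall.xml     (a second XML containing <Remove All="TRUE" />)
# Detection rule: registry value VersionToReport under
#   HKLM\SOFTWARE\Microsoft\Office\ClickToRun\Configuration
```

Because the Win32 app's install command runs as SYSTEM, the share must grant read access to the device computer accounts (or Everyone on a read-only share), not just to users; a SourcePath the device cannot read fails exactly like a missing one.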

349
MCQmedium

You are a Microsoft 365 Endpoint Administrator for a medium-sized company that uses Intune to manage Windows 10 and iOS devices. The company recently experienced a malware outbreak on several Windows 10 devices. The security team wants to implement a solution that can automatically remediate threats on Windows 10 devices by isolating them from the network and running a full antivirus scan. They also want to be alerted when a threat is detected. You have already configured Microsoft Defender for Endpoint (MDE) and devices are onboarded. What should you configure in Intune to meet these requirements?

A.Configure a device compliance policy to require Device Health Attestation (DHA) and set the action for non-compliance to 'Quarantine device'.
B.Create a device compliance policy that marks devices with active threats as non-compliant, and configure the non-compliance action to 'Retire device' and 'Send notification'.
C.Enable Windows Defender Firewall with advanced security and create an inbound rule to block all traffic.
D.Configure AppLocker to block all apps and set the action to 'Run antivirus scan'.
AnswerB

Option B is the key's answer: with the Defender for Endpoint connector enabled, an Intune compliance policy can mark devices above a chosen machine risk score as noncompliant, and the noncompliance actions can send a notification and retire the device. Be aware that retiring a device removes management and corporate data rather than isolating it at the network layer; true network isolation and a forced full scan are Defender for Endpoint response actions (Isolate device, Run antivirus scan, and automated investigation and remediation) triggered from the Defender portal or API, not from an Intune compliance action.

Why this answer

Option B is correct because it leverages Intune's device compliance policy, which, with the Defender for Endpoint connector enabled, can require the device to be at or under a chosen machine risk score. A device with an active threat exceeds that score, is marked noncompliant, and the configured noncompliance actions fire: 'Send notification' alerts the team and 'Retire device' removes corporate data and management, cutting the device off from corporate resources. For the network isolation and full scan the security team asked for, pair this with Defender for Endpoint's automated investigation and remediation and its device isolation action; the compliance policy is the alerting and access-control half of the solution.

Exam trap

The trap here is that candidates confuse 'Quarantine device' (a compliance action that only blocks resource access) with the actual network isolation and remediation workflow, or they mistakenly think AppLocker or Firewall rules can replace MDE's automated threat response.

How to eliminate wrong answers

Option A is wrong because Device Health Attestation (DHA) verifies boot integrity (e.g., Secure Boot, BitLocker) but does not detect or remediate active malware threats; its non-compliance action 'Quarantine device' only blocks access to resources, not isolate from network or run a scan. Option C is wrong because enabling Windows Defender Firewall with an inbound rule to block all traffic is a static network control that does not automatically detect threats, isolate the device, or trigger a full antivirus scan; it also lacks alerting capabilities. Option D is wrong because AppLocker is an application control feature that blocks apps based on rules, not a threat remediation tool; it cannot run a full antivirus scan or isolate the device from the network, and it does not integrate with MDE threat detection for automatic actions.

350
MCQmedium

You manage devices with Microsoft Intune. Users report that after a recent policy change, some devices are not receiving updated policies. You verify that the devices are online and have connectivity. What should you do to force a policy refresh?

A.Ask users to restart their devices.
B.Ask users to run Windows Update.
C.Adjust the MDM sync interval in Intune.
D.In the Intune portal, select the devices and click 'Sync'.
AnswerD

The Sync action forces the devices to check in and apply latest policies.

Why this answer

Option D is correct because you can remotely trigger a check-in from the Intune admin center (Devices > select the device > Sync), or in bulk through the Microsoft Graph managedDevice syncDevice action; the device then pulls pending policy on its next connection. Option A is wrong because a reboot does not by itself force a policy refresh; the next scheduled check-in does. Option B is wrong because Windows Update is unrelated to MDM policy.

Option C is wrong because the MDM check-in schedule is fixed by the client (roughly every 8 hours after the post-enrollment burst) and is not a tenant setting in Intune.
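The following PowerShell, added here as an illustration and not part of the exam page, serves both question 330 (is a device's last check-in outside the compliance status validity period?) and question 350 (force a check-in from the admin side). It assumes the Microsoft.Graph PowerShell SDK (Get-MgDeviceManagementManagedDevice and Sync-MgDeviceManagementManagedDevice from Microsoft.Graph.DeviceManagement); the device records in the offline part are constructed to match the shape of that cmdlet's output, and the helper names are this example's own.

```powershell
# Added example (not from the exam page): flag devices whose last check-in is older than the
# compliance status validity period, then push the portal's Sync action to them via Graph.

function Get-StaleManagedDevice {
    param(
        [Parameter(Mandatory)] [object[]] $Devices,   # objects with Id, DeviceName, LastSyncDateTime, ComplianceState
        [int]      $ValidityDays = 30,                # Intune default; tenant setting ranges from 1 to 120 days
        [datetime] $Now = [datetime]::UtcNow
    )
    foreach ($d in $Devices) {
        $age = $Now - ([datetime]$d.LastSyncDateTime).ToUniversalTime()
        [pscustomobject]@{
            DeviceName      = $d.DeviceName
            Id              = $d.Id
            DaysSinceSync   = [math]::Round($age.TotalDays, 1)
            ComplianceState = $d.ComplianceState
            StaleCheckIn    = ($age.TotalDays -gt $ValidityDays)
        }
    }
}

# Constructed sample records (not real tenant data), shaped like Get-MgDeviceManagementManagedDevice output.
$sample = @(
    [pscustomobject]@{ Id = '11111111-aaaa-4bbb-8ccc-000000000001'; DeviceName = 'LAPTOP001'
                       LastSyncDateTime = '2025-03-15T08:30:00Z'; ComplianceState = 'noncompliant' }
    [pscustomobject]@{ Id = '11111111-aaaa-4bbb-8ccc-000000000002'; DeviceName = 'LAPTOP002'
                       LastSyncDateTime = '2025-03-18T07:55:00Z'; ComplianceState = 'compliant' }
)
$asOf = [datetime]::Parse('2025-03-18T08:30:00Z').ToUniversalTime()

# With the tenant default (30 days) neither device is stale; with a 1-day period LAPTOP001 is.
Get-StaleManagedDevice -Devices $sample -Now $asOf | Format-Table
Get-StaleManagedDevice -Devices $sample -ValidityDays 1 -Now $asOf | Format-Table

function Invoke-SyncStaleDevice {
    # Live use. Requires: Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.PrivilegedOperations.All'
    param([int] $ValidityDays = 30, [switch] $WhatIf)
    $live  = Get-MgDeviceManagementManagedDevice -All -Property id,deviceName,lastSyncDateTime,complianceState
    $stale = Get-StaleManagedDevice -Devices $live -ValidityDays $ValidityDays | Where-Object StaleCheckIn
    foreach ($s in $stale) {
        if ($WhatIf) { "Would sync $($s.DeviceName) (last sync $($s.DaysSinceSync) days ago)"; continue }
        Sync-MgDeviceManagementManagedDevice -ManagedDeviceId $s.Id   # same as the portal's Sync action
    }
}
```

A Sync request is only queued server-side; a device that is powered off or blocked from the Intune endpoints will still show the old LastSyncDateTime, so re-run the stale report after an hour rather than assuming the action landed.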

351
MCQmedium

You have the following JSON compliance policy for Windows 10 devices in Intune. A device with OS version 10.0.19042.0, build 19042, with BitLocker enabled, Secure Boot enabled, but Code Integrity disabled reports as non-compliant. Which setting is causing the non-compliance?

A.requireCodeIntegrity
B.minimumOsVersion
C.requireSecureBoot
D.requireDeviceEncryption
AnswerA

Code Integrity is disabled, causing non-compliance.

Why this answer

The device reports as non-compliant because the compliance policy requires `requireCodeIntegrity` to be enabled, but the device has Code Integrity disabled. Even though BitLocker and Secure Boot are enabled, and the OS version meets the minimum requirement, the absence of Code Integrity enforcement triggers non-compliance. In Intune, Windows 10 compliance policies evaluate each setting independently, and a failure on any required setting results in overall non-compliance.

Exam trap

The trap here is that candidates often assume Secure Boot or BitLocker alone satisfy all security requirements, but Intune's `requireCodeIntegrity` is a separate, independent check that specifically enforces runtime code validation, and failing to enable it causes non-compliance even when other security features are active.

How to eliminate wrong answers

Option B is wrong because `minimumOsVersion` is satisfied by OS version 10.0.19042.0 (build 19042), which is above the typical minimum (e.g., 10.0.17763 for 1809), so it is not causing non-compliance. Option C is wrong because `requireSecureBoot` is enabled on the device, as stated in the scenario, so Secure Boot is compliant. Option D is wrong because `requireDeviceEncryption` is satisfied by BitLocker being enabled, which provides full device encryption, so this setting is compliant.
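As an added illustration that is not part of the exam page, the PowerShell below evaluates a device's reported state against the policy the way Intune does, one setting at a time, so the failing setting is named rather than just 'noncompliant'. The policy and device objects are constructed, and the keys follow the question's exhibit (requireCodeIntegrity and so on); the real Microsoft Graph windows10CompliancePolicy resource uses osMinimumVersion, bitLockerEnabled, secureBootEnabled and codeIntegrityEnabled instead.

```powershell
# Added example (not from the exam page): setting-by-setting compliance evaluation.
# Policy and device below are constructed to match the question's scenario.

$policy = @{
    minimumOsVersion        = '10.0.17763.0'
    requireDeviceEncryption = $true
    requireSecureBoot       = $true
    requireCodeIntegrity    = $true
}

$device = @{
    osVersion            = '10.0.19042.0'
    bitLockerEnabled     = $true
    secureBootEnabled    = $true
    codeIntegrityEnabled = $false
}

function Test-WindowsCompliance {
    param([hashtable] $Policy, [hashtable] $Device)

    # A setting that is not required passes automatically, like 'Not configured' in the portal.
    # Version strings are compared as [version], never as strings: '10.0.9' sorts above
    # '10.0.19042' as text but below it as a version.
    $checks = @(
        @{ Setting = 'minimumOsVersion'
           Pass    = ([version]$Device.osVersion -ge [version]$Policy.minimumOsVersion) }
        @{ Setting = 'requireDeviceEncryption'
           Pass    = (-not $Policy.requireDeviceEncryption -or $Device.bitLockerEnabled) }
        @{ Setting = 'requireSecureBoot'
           Pass    = (-not $Policy.requireSecureBoot -or $Device.secureBootEnabled) }
        @{ Setting = 'requireCodeIntegrity'
           Pass    = (-not $Policy.requireCodeIntegrity -or $Device.codeIntegrityEnabled) }
    )
    $failed = @($checks | Where-Object { -not $_.Pass } | ForEach-Object { $_.Setting })
    [pscustomobject]@{
        ComplianceState = $(if ($failed.Count -eq 0) { 'compliant' } else { 'noncompliant' })
        FailedSettings  = $failed
        Details         = $checks | ForEach-Object { [pscustomobject]$_ }
    }
}

$result = Test-WindowsCompliance -Policy $policy -Device $device
$result.ComplianceState                      # noncompliant
$result.FailedSettings                       # requireCodeIntegrity
$result.Details | Format-Table Setting, Pass
```

On a real device, Secure Boot, BitLocker and code integrity are reported through Device Health Attestation, so a device that has code integrity enabled locally but has not completed a DHA report since a reboot can still show the setting as failing until its next check-in.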

352
MCQhard

You manage a hybrid Microsoft Entra ID environment with 5,000 Windows 10 devices enrolled in Microsoft Intune. You need to deploy a critical security update that requires a reboot to all devices within the next 4 hours. Users must be able to postpone the reboot for up to 8 hours. You configure a device restart policy in Intune. Which deadline and grace period settings should you use?

A.Deadline: 8 hours, Grace period: 4 hours
B.Deadline: 2 hours, Grace period: 12 hours
C.Deadline: 4 hours, Grace period: 8 hours
D.Deadline: 4 hours, Grace period: 30 minutes
AnswerC

Correct. The deadline ensures reboot within 4 hours, and the grace period allows postponement up to 8 hours.

Why this answer

Option C is correct because the deadline (4 hours) matches the required deployment window for the critical update, and the grace period (8 hours) allows users to postpone the reboot for up to 8 hours after the deadline. In Intune device restart policies, the deadline specifies when the update must be installed and the reboot initiated, while the grace period defines how long users can delay the restart after the deadline. With a 4-hour deadline and 8-hour grace period, the update is enforced within 4 hours, and users can postpone the reboot for up to 8 hours from that point, meeting both requirements.

Exam trap

The trap here is confusing the deadline with the grace period, leading candidates to think the deadline should be the total time allowed for postponement (8 hours) and the grace period the deployment window (4 hours), which reverses the correct logic.

How to eliminate wrong answers

Option A is wrong because a deadline of 8 hours exceeds the required 4-hour deployment window, meaning the update would not be enforced within the necessary timeframe. Option B is wrong because a deadline of 2 hours is too short, forcing the update and reboot before the 4-hour window is fully utilized, and a 12-hour grace period is excessive, allowing postponement beyond the 8-hour user flexibility requirement. Option D is wrong because a grace period of 30 minutes is far too short, preventing users from postponing the reboot for up to 8 hours as required.

353
Multi-Selectmedium

You are planning the deployment of Microsoft Defender for Endpoint to macOS devices managed by Microsoft Intune. Which TWO prerequisites are required?

Select 2 answers
A.Microsoft Defender for Endpoint license assigned to the user or device
B.macOS device enrollment in Microsoft Intune
C.Microsoft Intune management extension installed on the device
D.Onboarding to Microsoft Defender for Cloud
E.A VPN connection to the corporate network
AnswersA, B

A license is required.

Why this answer

Options A and B are correct. A: Defender for Endpoint requires a license for each user or device it protects. B: the macOS device must be enrolled in Intune to receive the onboarding package and the configuration profiles Defender needs (system extension approval, full disk access and the network filter settings).

Option E is wrong because Defender for Endpoint talks to its cloud service directly and does not need a VPN. Option C is wrong because the Intune management extension is Windows-only; on macOS, Intune uses the MDM channel and the Intune agent for shell scripts. Option D is wrong because Microsoft Defender for Cloud is a separate product for cloud workloads, not a prerequisite for endpoint onboarding.

354
MCQeasy

You have deployed the above Endpoint Protection configuration profile to Windows 10 devices. Some users report that their devices are not encrypted. You verify that the devices have TPM 2.0 and meet hardware requirements. What is the most likely cause?

A.The policy does not configure recovery key escrow to Azure AD.
B.The policy disables encryption for the OS drive.
C.The devices do not have a TPM chip.
D.The encryption method is not supported by the devices.
AnswerA

Intune's silent encryption policy waits for the recovery key to be stored in Microsoft Entra ID before enabling BitLocker; if escrow is not configured or fails, encryption does not start.

Why this answer

The correct answer is A. An Intune Endpoint Protection (or Disk encryption) profile that enables BitLocker silently is normally configured so that recovery information is stored in Microsoft Entra ID before BitLocker is enabled (the BitLocker CSP's 'Do not enable BitLocker until recovery information is stored to AD DS' option, surfaced in Intune as requiring the recovery key to be backed up). With that requirement in place, a policy that does not configure the recovery password protector and its backup to Entra ID, or a device on which the backup fails (for example, one that is not Entra joined or hybrid joined), never gets past the escrow step, so the OS drive remains unencrypted even though TPM 2.0 and the hardware requirements are met.

Exam trap

The trap here is that candidates assume meeting hardware requirements (TPM 2.0) is sufficient for BitLocker encryption, overlooking the mandatory recovery key escrow configuration in the Intune policy that is required to initiate encryption.

How to eliminate wrong answers

Option B is wrong because the policy does not disable encryption for the OS drive; the issue is that encryption fails to initiate due to missing recovery key escrow, not because the OS drive encryption is explicitly disabled. Option C is wrong because the question explicitly states that the devices have TPM 2.0 and meet hardware requirements, so the absence of a TPM chip is not the cause. Option D is wrong because the encryption method (e.g., XTS-AES 128-bit or 256-bit) is supported by Windows 10 devices with TPM 2.0, and the problem is not related to encryption method incompatibility.

355
Multi-Select (medium)

Your organization uses Microsoft Intune to manage iOS/iPadOS devices. You need to deploy a custom SSL certificate to all devices to authenticate to a corporate Wi-Fi network. Which TWO methods can you use to deploy the certificate?

Select 2 answers
A. Create a SCEP certificate profile in Intune.
B. Create a device compliance policy that includes the certificate.
C. Create a Wi-Fi profile and embed the certificate in the profile.
D. Create a VPN profile that includes the certificate.
E. Create a PKCS certificate profile in Intune.
Answers: A, E

SCEP profiles request and install certificates from a CA.

Why this answer

Intune supports deploying certificates via SCEP or PKCS profiles. Option A and Option D are correct. Option B is wrong because a Wi-Fi profile can reference a certificate but does not deploy the certificate itself.

Option C is wrong because a compliance policy does not deploy certificates. Option E is wrong because a VPN profile can reference a certificate but does not deploy it.

356
Multi-Select (medium)

Your organization uses Intune to manage iOS devices. You need to deploy a custom configuration for a line-of-business app. Which TWO methods can you use?

Select 2 answers
A. App Configuration Policy for managed devices
B. App Protection Policy
C. iOS app configuration file in the app package
D. App Configuration Policy for managed apps
E. Device Configuration Profile
Answers: A, C

Delivers settings to LOB apps.

Why this answer

Options A and D are correct because they allow custom app configuration. Option B is wrong because it's for app store apps. Option C is wrong because app protection policies do not configure app settings.

Option E is wrong because device features are not app-specific.

357
MCQ (easy)

You need to deploy Microsoft 365 Apps to 200 Windows devices using Intune. Which app type should you select in Intune?

A. Microsoft 365 Apps for Windows
B. Web link
C. Windows app (MSI)
D. Line-of-business app
Answer: A

Dedicated type for Office deployment.

Why this answer

The Microsoft 365 Apps for Windows app type in Intune is specifically designed to deploy the Microsoft 365 Apps suite (e.g., Word, Excel, Outlook) to Windows devices. It provides built-in configuration options for update channels, removal of previous Office versions, and license assignment, making it the correct choice for deploying Microsoft 365 Apps to 200 devices. Other app types lack the integrated logic to handle the suite's installation, activation, and update management.

Exam trap

The trap here is that candidates often confuse the 'Microsoft 365 Apps for Windows' app type with the 'Windows app (MSI)' or 'Line-of-business app' types, mistakenly thinking they can upload an Office installer manually, but Intune requires the dedicated app type to properly handle the Click-to-Run installation and licensing integration.

How to eliminate wrong answers

Option B is wrong because a web link app type only creates a shortcut to a URL on the device's Start menu or desktop, not an actual software installation. Option C is wrong because Windows app (MSI) is used for deploying traditional MSI-based applications, but Microsoft 365 Apps is not distributed as a single MSI file; it uses the Office Deployment Tool (ODT) and Click-to-Run technology. Option D is wrong because the line-of-business (LOB) app type is intended for sideloading app packages (e.g., .intunewin, .msi, .appx) that are not available in the public store, but it does not provide the specialized configuration options for Microsoft 365 Apps, such as channel selection or exclusion of specific apps.

358
MCQ (medium)

Your organization uses Microsoft Intune to manage Windows 10 devices. You need to deploy a line-of-business (LOB) app that is signed with a certificate not trusted by the devices. Which app deployment method should you use?

A. Microsoft Store for Business (MSFB) app
B. Windows app (sideloading)
C. Web app
D. Line-of-business (LOB) app
Answer: D

LOB app type allows sideloading of apps with custom certificates.

Why this answer

Option B is correct because LOB apps that are not signed with a trusted certificate must be installed using the 'Line-of-business app' type in Intune, which allows sideloading. Option A is wrong because the Microsoft Store for Business is for store apps only. Option C is wrong because sideloading requires a specific license or sideloading key but is not the primary Intune deployment method.

Option D is wrong because web apps are for links, not binary installations.

359
Multi-Select (easy)

You are configuring Microsoft Entra Conditional Access for a company that requires all employees to use multi-factor authentication (MFA) when accessing the Azure portal. The company also wants to block access from devices that are not compliant. You create a Conditional Access policy. Which two assignments must you configure to meet these requirements? (Choose two.)

Select 2 answers
A. Grant access, require Microsoft Entra hybrid joined device
B. Grant access, block access for non-compliant devices
C. Grant access, require multi-factor authentication
D. Grant access, require device to be marked as compliant
Answers: C, D

This enforces MFA for access.

Why this answer

Option C is correct because the requirement to enforce multi-factor authentication (MFA) for Azure portal access is met by configuring the 'Grant' control to 'Require multi-factor authentication'. Option D is correct because blocking access from non-compliant devices is achieved by selecting 'Require device to be marked as compliant' under Grant controls, which ensures only devices that meet compliance policies (e.g., Intune-managed) are allowed. Both assignments are necessary to satisfy the two distinct requirements.

Exam trap

The trap here is that candidates often confuse 'Block access for non-compliant devices' (which does not exist as a Grant control) with the correct 'Require device to be marked as compliant', or they mistakenly think a hybrid join requirement is needed for MFA enforcement.

360
MCQ (medium)

Refer to the exhibit. You are reviewing an Intune compliance policy JSON for Windows 10. A device reports as non-compliant, and the compliance status details indicate that the setting 'Secure Boot' is not compliant. The device is a virtual machine. What is the most likely reason?

A. The device is not enrolled in Intune correctly.
B. The password policy is conflicting with Secure Boot.
C. The virtual machine does not have Secure Boot enabled in its firmware settings.
D. The device does not have BitLocker enabled, which is required for Secure Boot.
Answer: C

VMs often have Secure Boot disabled; enabling it in the VM settings resolves the issue.

Why this answer

Secure Boot is a hardware-based feature that ensures the system boots using only software that is trusted by the PC manufacturer. Virtual machines typically do not have Secure Boot enabled by default, or they may not support it. Option B is correct.

Option A is wrong because the device might be managed. Option C is wrong because BitLocker is separate. Option D is wrong because the password policy is not related.

361
MCQ (medium)

You need to provide remote assistance to a Windows 11 device managed by Intune. The user is not technically savvy. Which Intune feature should you use?

A. TeamViewer integration in Intune.
B. Company Portal.
C. Quick Assist.
D. Remote Desktop connection.
Answer: A

TeamViewer is integrated with Intune for remote assistance.

Why this answer

TeamViewer integration in Intune allows an IT admin to initiate a remote assistance session directly from the Intune admin center, without requiring the user to install additional software or share a session code. This is ideal for non-technical users because the admin can start the session, and the user only needs to accept a consent prompt on their device.

Exam trap

The trap here is that candidates often choose Quick Assist because it is a free, built-in Windows tool, but they overlook that it requires the user to generate and share a code, making it unsuitable for non-technical users in a managed Intune environment.

How to eliminate wrong answers

Option B is wrong because Company Portal is a self-service app for users to install apps, enroll devices, and access company resources; it does not provide remote control or screen-sharing capabilities. Option C is wrong because Quick Assist is a built-in Windows tool that requires the user to generate a security code and share it with the admin, which is too complex for a non-technical user and is not integrated with Intune management. Option D is wrong because Remote Desktop Connection (RDP) is typically blocked by default in managed environments for security reasons, requires the device to be on the same network or VPN, and is not designed for attended remote assistance with user consent.

362
MCQ (hard)

Refer to the exhibit. You are deploying a custom OMA-URI policy to Windows 10 devices. What is the effect of this policy?

A. Windows Update is configured to defer updates.
B. Device telemetry is set to enhanced.
C. Windows Defender is disabled.
D. Cortana is enabled.
Answer: B

AllowTelemetry value 2 corresponds to enhanced.

Why this answer

Option A is correct. The OMA-URI for AllowTelemetry set to 2 enables diagnostic data at the enhanced level. Option B is wrong because Cortana is disabled (value 0).

Option C is wrong because neither setting relates to Windows Update. Option D is wrong because the policy does not disable Windows Defender.

363
MCQ (easy)

You need to ensure that all corporate devices have a standard set of security settings, including disk encryption and firewall configuration. Which Microsoft Intune feature should you use?

A. Update rings
B. Configuration profiles
C. Device enrollment profiles
D. Compliance policies
Answer: B

Configuration profiles apply settings to devices.

Why this answer

Configuration profiles in Microsoft Intune are the correct feature to deploy standard security settings such as disk encryption (e.g., BitLocker) and firewall configuration across corporate devices. These profiles define device-level policies that enforce specific configurations, including endpoint protection settings, and can be assigned to groups of devices to ensure consistent security baselines.

Exam trap

The trap here is that candidates often confuse compliance policies with configuration profiles, mistakenly thinking that compliance policies can apply settings, when in fact compliance policies only evaluate and report on settings that must already be configured by a profile or other means.

How to eliminate wrong answers

Option A (Update rings) is wrong because update rings manage the rollout and deferral of Windows updates, not the configuration of security settings like encryption or firewall rules. Option C (Device enrollment profiles) is wrong because enrollment profiles control the enrollment process and initial device setup (e.g., user affinity, enrollment restrictions), not ongoing security configurations. Option D (Compliance policies) is wrong because compliance policies define conditions that devices must meet to be considered compliant (e.g., requiring encryption), but they do not actually apply the settings; they only mark devices as non-compliant if the settings are missing, whereas configuration profiles actively enforce the settings.

364
MCQ (medium)

A user reports that their Windows 11 device fails to enroll in Microsoft Intune. The device is Microsoft Entra joined and the user has a valid Intune license. What should you check first?

A. Verify that BitLocker is enabled on the device.
B. Check the Enrollment Status Page (ESP) profile configuration in Intune.
C. Ensure that the device has a local administrator password set.
D. Review the Windows Autopilot deployment profile assigned to the device.
Answer: B

ESP profiles can cause enrollment failures if they are not configured correctly or if they are blocked.

Why this answer

Option B is correct because Enrollment Status Page (ESP) profiles can block enrollment if misconfigured, and checking the Intune console is the first step to see errors. Option A is wrong because BitLocker is not related to enrollment. Option C is wrong because the local admin password is not required for enrollment.

Option D is wrong because the Autopilot profile is only relevant for Autopilot deployments, not general enrollment.

365
MCQ (hard)

Refer to the exhibit. You have assigned the above Enrollment Status Page (ESP) policy to a Windows Autopilot deployment. A user reports that the provisioning process hangs on 'Installing apps' and never completes. What is the most likely cause?

A. The ESP policy is configured to track progress for Autopilot only, but the device is not using Autopilot.
B. One of the required apps failed to install.
C. The user attempted to retry the setup and it was blocked.
D. The device reset on failure is enabled, causing a reset loop.
Answer: B

The ESP waits for app installation, and if it fails without reset, it hangs.

Why this answer

The Enrollment Status Page (ESP) policy tracks the installation of required apps during Autopilot provisioning. If a required app fails to install, the ESP will hang on 'Installing apps' indefinitely because it waits for all required apps to succeed before proceeding. This is the most common cause of a stuck ESP at the app phase.

Exam trap

The trap here is that candidates often assume the ESP hangs due to a network issue or user error, but Microsoft explicitly designs the ESP to block on required app failures, making this the primary troubleshooting focus for 'Installing apps' hangs.

How to eliminate wrong answers

Option A is wrong because the ESP policy is explicitly assigned to an Autopilot deployment, and the device is using Autopilot (the user is in provisioning). Option C is wrong because the ESP does not block retry attempts; the user can retry, but if the app continues to fail, the hang persists. Option D is wrong because 'device reset on failure' is a separate setting that triggers a full reset only after a timeout or explicit failure, not a reset loop; the device would not hang indefinitely.

366
MCQ (easy)

You need to configure Microsoft Intune to automatically retire a device if it has not checked in for 30 days. Where would you configure this setting?

A. Intune device cleanup rules
B. Conditional access policy
C. Device compliance policy
D. Device configuration profile
Answer: A

Cleanup rules can automatically retire inactive devices.

Why this answer

Option D is correct because device cleanup rules in Intune allow you to automatically retire devices that have not communicated for a specified period. Option A is incorrect because compliance policies handle non-compliance, not retirement based on inactivity. Option B is incorrect because conditional access controls access, not device cleanup.

Option C is incorrect because configuration policies set settings, not cleanup rules.

367
MCQ (easy)

Your organization is planning to deploy Microsoft Entra hybrid joined devices. What is a prerequisite for this configuration?

A. Azure AD Premium P1 license is required.
B. Microsoft Intune must be enabled for auto-enrollment.
C. Microsoft Defender for Endpoint must be deployed.
D. Microsoft Entra Connect must be installed and configured.
Answer: D

Entra Connect synchronizes on-premises AD to Entra ID, which is required for hybrid identity.

Why this answer

Microsoft Entra hybrid joined devices require synchronization of on-premises Active Directory identities to Microsoft Entra ID. Microsoft Entra Connect (or Microsoft Entra Connect Sync) is the tool that performs this identity synchronization, making it a mandatory prerequisite. Without it, the on-premises AD objects cannot be linked to Entra ID for hybrid join.

Exam trap

The trap here is that candidates often confuse licensing requirements (Premium P1) or optional management tools (Intune, Defender) with the core prerequisite of identity synchronization, which is the foundational step for hybrid join.

How to eliminate wrong answers

Option A is wrong because Azure AD Premium P1 is not a prerequisite for hybrid join; it is required for features like Conditional Access or self-service password reset, but hybrid join itself works with any Azure AD license, including Free. Option B is wrong because Microsoft Intune auto-enrollment is optional for managing hybrid joined devices but not a prerequisite for the join process itself. Option C is wrong because Microsoft Defender for Endpoint is a security solution that can be deployed on hybrid joined devices but is not required for the hybrid join configuration.

368
MCQ (hard)

Refer to the exhibit. You run the PowerShell command on a Windows 10 device to troubleshoot why a Win32 app did not install. What information does this command provide?

A. The start of an app installation attempt
B. The list of assigned policies
C. The result of a completed app installation
D. Errors from the last sync
Answer: A

Event 1001 logs the beginning of an installation.

Why this answer

Option C is correct because Event ID 1001 in the Intune Management Extension log indicates the start of an app installation. Option A is wrong because it does not show policies. Option B is wrong because it does not show errors specifically.

Option D is wrong because it shows the start, not the completion.

369
MCQ (medium)

Your organization uses Microsoft Intune to manage Windows 10 devices. You need to ensure that devices are compliant with a new security policy that requires Windows Defender Antivirus to be enabled and up to date. You create a device compliance policy with the setting 'Require' for Windows Defender Antivirus. After assigning the policy, you see that 90% of devices are compliant. The remaining 10% show 'Not evaluated'. You check the devices and find that they are online, enrolled, and have Windows Defender Antivirus enabled. What is the most likely reason for the 'Not evaluated' status?

A. The devices have not checked in with Intune since the policy was assigned
B. The devices are offline
C. The policy is not assigned to the devices
D. Windows Defender Antivirus is disabled
Answer: A

Compliance status requires a check-in; 'Not evaluated' means no evaluation has occurred yet.

Why this answer

Option C is correct because compliance policy evaluation requires the device to be in a compliant state after enrollment; if the device was enrolled but not yet checked in, it shows 'Not evaluated'. Option A is incorrect because the devices have Windows Defender Antivirus enabled. Option B is incorrect because the devices are online.

Option D is incorrect because the compliance policy is assigned to the device group.

370
MCQ (hard)

Refer to the exhibit. You are deploying a line-of-business app to Windows 10 devices. The JSON shows the app configuration in Microsoft Graph. Which of the following is true about this deployment?

A. The device will restart automatically after installation.
B. The app will only install if the product code matches.
C. The app will install in system context.
D. The app will be installed from the Microsoft Store for Business.
Answer: C

useDeviceContext: true means system context installation.

Why this answer

The JSON is for a Windows Mobile MSI app. useDeviceContext: true means the app installs in device (system) context, and the restart-suppression setting means the device will not restart after installation. Option C is correct. Option A is wrong because the app is line-of-business, not store.

Option B is wrong because restart is suppressed. Option D is wrong because productCode is for detection.

371
MCQ (medium)

Your organization uses Microsoft Intune to manage iOS devices. You need to ensure that only approved corporate apps can be installed on these devices. Which restriction profile setting should you configure?

A. Allow app installation from App Store only
B. Require app store password
C. Allow managed apps to unmanaged accounts
D. Allow automatic app downloads
Answer: B

This ensures only authorized users can install apps.

Why this answer

Option C is correct because 'Require app store password' ensures that the user must provide the Apple ID password to purchase or download apps. Option A is incorrect; while it prevents installing apps from unknown sources, iOS already blocks that. Option B is incorrect because it manages app data, not installation.

Option D is incorrect because it manages automatic app downloads.

372
MCQ (medium)

Your organization uses Microsoft Defender for Endpoint (Microsoft Defender XDR). You need to ensure that all Windows 10 devices report their security health to Microsoft Defender for Endpoint. Some devices are showing as inactive. What is the most likely cause?

A. The devices are not enrolled in Microsoft Intune.
B. The Microsoft Defender for Endpoint sensor is not installed or configured correctly.
C. The devices are not compliant with conditional access policies.
D. The devices have lost connectivity to the internet.
Answer: B

The sensor must be onboarded to communicate with the Defender for Endpoint service.

Why this answer

The Microsoft Defender for Endpoint sensor is the core component that collects and reports security telemetry from Windows 10 devices to the Defender for Endpoint cloud service. If the sensor is not installed or is misconfigured (e.g., due to a corrupted installation or an incorrect onboarding script), the device will appear as inactive in the Microsoft 365 Defender portal, even if the device is otherwise healthy and connected.

Exam trap

The trap here is that candidates often confuse device enrollment (Intune) with sensor onboarding, assuming that a device must be managed by Intune to report to Defender for Endpoint, when in fact any Windows 10 device can be onboarded via a simple script or GPO.

How to eliminate wrong answers

Option A is wrong because enrollment in Microsoft Intune is not a prerequisite for Defender for Endpoint reporting; devices can be onboarded via Group Policy, local script, or other methods without Intune. Option C is wrong because conditional access compliance policies control access to cloud apps, not the reporting of security health to Defender for Endpoint; a non-compliant device can still report telemetry. Option D is wrong because while internet connectivity is required for the sensor to communicate with the cloud, the question states some devices are inactive, not all; if connectivity were the issue, all devices would likely be affected, and the sensor would still attempt to report (showing as 'misconfigured' rather than 'inactive').

373
MCQ (easy)

Your organization uses Microsoft Intune for device management. You need to ensure that only corporate-owned devices can enroll in Intune. Which configuration should you use?

A. Use Device Enrollment Manager (DEM) accounts to enroll devices.
B. Assign a compliance policy that requires the device to be corporate-owned.
C. Create a device category for corporate devices and instruct users to select it during enrollment.
D. Configure enrollment restrictions to block personally owned devices.
Answer: A

DEM accounts allow enrollment of corporate-owned devices without pre-designation.

Why this answer

Option C is correct because Device Enrollment Manager (DEM) accounts allow designated users to enroll corporate-owned devices without the device needing to be pre-registered as corporate. Option A is wrong because enrollment restrictions can block personal devices but do not designate corporate ownership. Option B is wrong because a compliance policy is applied after enrollment.

Option D is wrong because device categories are used for grouping, not enrollment control.

374
Multi-Select (hard)

Your organization is implementing a zero-trust security model using Microsoft Intune. Devices must be compliant before accessing corporate resources. You need to deploy compliance policies for Windows 10 devices that require BitLocker encryption and a minimum OS version. Which two policy settings should you configure? (Choose two.)

Select 2 answers
A. Minimum OS version.
B. Require device health attestation.
C. Require firewall (Windows Defender Firewall).
D. Require encryption of data storage on device.
E. Maximum OS version.
Answers: A, D

This setting ensures the device meets the minimum OS version requirement.

Why this answer

Option A is correct because the 'Minimum OS version' setting in a Windows 10 compliance policy ensures that devices must be running at least a specified build number (e.g., 10.0.19041 for Windows 10 20H1). This directly enforces the zero-trust requirement that only devices with a supported, up-to-date OS can access corporate resources, reducing exposure to known vulnerabilities. Option D is correct because the 'Require encryption of data storage on device' setting mandates BitLocker encryption on the system drive, which is a core data protection control in a zero-trust model.

Exam trap

The trap here is that candidates often confuse 'Require encryption of data storage on device' with 'Require device health attestation,' mistakenly thinking health attestation covers encryption, when in fact health attestation focuses on boot integrity and does not enforce BitLocker status.

375
MCQ (hard)

Refer to the exhibit. You see the following Intune device properties for a Windows device. The device is noncompliant and the grace period expires on 2025-02-20. Today is 2025-02-15. The compliance policy requires a minimum OS version of 10.0.19041 but the device is on 10.0.18363. What will happen if the device does not become compliant before the grace period expires?

A. The device will automatically update to the required OS version
B. The device will be blocked from accessing corporate resources
C. The device will be retired immediately
D. The device will be retired after the grace period expires
Answer: D

After grace period, the configured noncompliance action (e.g., retire) will be applied.

Why this answer

Option D is correct because when a noncompliant device's grace period expires, Intune enforces the compliance policy by retiring the device. Retirement removes the device from Intune management and revokes access to corporate resources, but it does not immediately block access or force an OS update. The grace period allows a window for remediation; after expiration, the device is marked for retirement.

Exam trap

The trap here is that candidates confuse the immediate conditional access block (which can occur during noncompliance) with the post-grace-period retirement action, or assume Intune can force OS updates automatically.

How to eliminate wrong answers

Option A is wrong because Intune does not have the capability to automatically push OS version updates to Windows devices; compliance policies only report noncompliance and trigger actions like blocking access or retirement, not OS upgrades. Option B is wrong because blocking access (conditional access) occurs when the device is noncompliant, but the grace period allows continued access until it expires; after expiration, the device is retired, not merely blocked. Option C is wrong because retirement is not immediate upon noncompliance; it occurs only after the grace period expires, as specified in the policy configuration.
