Microsoft 365 Endpoint Administrator MD-102 (MD-102) — Questions 376-450

991 questions total · 14 pages · All types, answers revealed

Page 6 of 14

376
MCQeasy

A user reports that their Microsoft Intune enrolled device is not receiving required compliance policies. The device shows as 'Not evaluated' in the Microsoft Intune admin center. What is the most likely cause?

A.The device is not connected to the internet
B.The Intune Management Extension is not installed
C.The user does not have an Intune license assigned
D.The device is not enrolled in Intune
AnswerB

Without the extension, policies cannot be evaluated, leading to 'Not evaluated'.

Why this answer

Option B is the key: without the Intune Management Extension the page treats policy evaluation as unable to run, which is what 'Not evaluated' reflects. Option A (no network connectivity) would leave the device at its last reported state or 'Unknown', not 'Not evaluated'. Option D (device not enrolled) would show the device as not enrolled at all rather than as an enrolled device awaiting evaluation.

Option C (user lacks a license) would prevent enrollment in the first place but does not change the state of a device that is already enrolled.

Practitioner note: Microsoft documents 'Not evaluated' as the initial state of newly enrolled devices, and of devices that have not checked in since the compliance policy was last changed. Windows compliance evaluation runs over the MDM channel; the Intune Management Extension handles Win32 apps, PowerShell scripts and remediations. When you see this state, trigger a sync and check the last check-in time before troubleshooting the extension.

377
MCQhard

Refer to the exhibit. You execute this PowerShell script to wipe noncompliant Windows devices. After running, you find that some compliant devices were also wiped. What is the most likely reason?

A.The filter 'operatingSystem eq 'Windows'' does not match any devices, so the script wiped all devices.
B.The script wipes only noncompliant devices, but some compliant devices had a null compliance state.
C.The script uses the wrong Graph API endpoint, causing all devices to be wiped.
D.The script does not check the device's compliance state before wiping.
AnswerC

The cmdlet named in the exhibit, Invoke-MgDeviceManagementManagedDevice, does not exist in the Microsoft Graph PowerShell SDK. The wipe action is Invoke-MgWipeDeviceManagementManagedDevice, which posts to /deviceManagement/managedDevices/{managedDeviceId}/wipe and targets exactly one managed device per call, so whatever the exhibit calls is not the supported wipe action.

Why this answer

Option C is the key. The correct endpoint for wiping a device is `/deviceManagement/managedDevices/{managedDeviceId}/wipe`, and it acts on the single device whose ID is in the path; the exhibit's script uses a different or non-existent path. Note that a wrong path cannot by itself fan out to every device in the tenant: Graph answers such a request with 400 or 404. When a script of this kind wipes more devices than intended, the cause is almost always the code around the call, for example a selection step whose filter is rejected or ignored so the loop iterates the unfiltered device list, or an error handler that retries against a broader query. Treat any bulk wipe as a high-impact action: print the target list, require a dry run, and confirm per device.

Exam trap

The trap here is that candidates assume the script's call is correct and focus only on the compliance filter, when the wipe cmdlet and endpoint in the exhibit are not the supported per-device action. With a bulk destructive action, both the selection logic and the exact action being invoked have to be verified before the script is run.

How to eliminate wrong answers

Option A is wrong because a filter on operatingSystem eq 'Windows' matches Windows devices; if it matched nothing, the loop would process no devices, it would not wipe all of them. Option B is wrong because Graph reports devices that have not been evaluated with complianceState 'unknown' rather than null, and a filter that selects 'noncompliant' would not return them. Option D is wrong because the exhibit's script does filter on complianceState before wiping (note that Graph exposes complianceState as a string enum, so the working filter is complianceState eq 'noncompliant', not a numeric value); the defect the key points to is in the wipe call, not in the absence of a compliance check.
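The following PowerShell is an added example, not part of the exam page or of the exhibit's script. It shows what a safe version of the bulk-wipe script looks like: a server-side filter with the string compliance state, a client-side re-check so a rejected or ignored filter cannot widen the selection, a dry run via -WhatIf, and the per-device Invoke-MgWipeDeviceManagementManagedDevice call from the Microsoft Graph PowerShell SDK. The MinDaysSinceSync cutoff and the two Graph scopes requested are choices made for this example.

```powershell
# Added example (not from the exam page): wipe noncompliant Windows devices
# through Microsoft Graph only after an explicit dry run.
# Save as a .ps1 and run it with -WhatIf first.
#Requires -Modules Microsoft.Graph.DeviceManagement, Microsoft.Graph.DeviceManagement.Actions

[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
param(
    # Only devices whose last sync is older than this many days are candidates (cutoff chosen for this example).
    [int]$MinDaysSinceSync = 7
)

Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All',
                        'DeviceManagementManagedDevices.PrivilegedOperations.All'

# complianceState is a string enum in Graph (compliant, noncompliant, unknown, ...).
# A numeric comparison such as "complianceState eq 1" is rejected or matches nothing.
$filter = "operatingSystem eq 'Windows' and complianceState eq 'noncompliant'"
$candidates = @(Get-MgDeviceManagementManagedDevice -Filter $filter -All)

# Defence in depth: re-check the properties client-side and apply an age cutoff,
# so a mistyped server-side filter cannot hand the loop a wider device list.
$cutoff  = (Get-Date).AddDays(-$MinDaysSinceSync)
$targets = @($candidates | Where-Object {
    $_.OperatingSystem -eq 'Windows' -and
    $_.ComplianceState -eq 'noncompliant' -and
    $_.LastSyncDateTime -lt $cutoff
})

Write-Host ("{0} candidate(s) returned by Graph, {1} pass the local checks" -f $candidates.Count, $targets.Count)
$targets | Select-Object DeviceName, Id, ComplianceState, LastSyncDateTime | Format-Table -AutoSize

foreach ($d in $targets) {
    # -WhatIf turns this into a dry run; without it, ConfirmImpact=High prompts per device.
    if ($PSCmdlet.ShouldProcess("$($d.DeviceName) ($($d.Id))", 'Wipe (factory reset)')) {
        # One device per call: the managed device ID goes into the URL path of .../managedDevices/{id}/wipe.
        Invoke-MgWipeDeviceManagementManagedDevice -ManagedDeviceId $d.Id `
            -KeepEnrollmentData:$false -KeepUserData:$false
    }
}
```

Run it once with -WhatIf and read the printed target list; only then run it for real and let the per-device confirmation stand. The client-side Where-Object is deliberately redundant with the Graph filter: it is the check that would have caught the scenario in the question.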

378
MCQeasy

You are deploying Microsoft Defender for Endpoint to Windows 10 devices managed by Microsoft Intune. After onboarding, you need to verify that the sensor is running. Which cmdlet should you use on the device?

A.Get-Service -Name WinDefend
B.Get-DefenderEndpoint
C.Get-MpComputerStatus
D.Get-Service -Name Sense
AnswerD

The Defender for Endpoint sensor service is named 'Sense'.

Why this answer

The correct cmdlet is Get-Service -Name Sense because the Microsoft Defender for Endpoint sensor runs as a Windows service named 'Sense' (Microsoft Defender Advanced Threat Protection Service). Checking this service confirms the sensor is installed and running, which is the standard verification step after onboarding devices to Defender for Endpoint.

Exam trap

The trap here is that candidates confuse the Defender for Endpoint sensor service (Sense) with the Windows Defender Antivirus service (WinDefend) or mistakenly use a non-existent cmdlet like Get-DefenderEndpoint, leading them to choose an incorrect verification method.

How to eliminate wrong answers

Option A is wrong because Get-Service -Name WinDefend checks the Microsoft Defender Antivirus service (WinDefend), not the Defender for Endpoint sensor. Option B is wrong because Get-DefenderEndpoint is not a valid PowerShell cmdlet. Option C is wrong because Get-MpComputerStatus reports the antimalware engine, signature versions and protection features, not the running state of the Sense service; it returns data on a device that was never onboarded. In practice, pair the service check with the onboarding state the sensor writes under HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status (OnboardingState = 1 means onboarded), and confirm the device appears in the Defender portal's device inventory.
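The following PowerShell is an added example (not from the exam page) of the post-onboarding verification described above. Test-MdeSensor is a name chosen here; it combines the Sense service check from the answer with the onboarding state that Microsoft's onboarding package writes under HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status, and reports the WinDefend antivirus service separately so the two are not confused.

```powershell
# Added example (not from the exam page): verify the Defender for Endpoint sensor
# on a Windows device. Service name 'Sense' and the Status registry key are
# Microsoft's; OnboardingState = 1 means the device has been onboarded.
function Test-MdeSensor {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        SenseServiceFound = $false
        SenseStatus       = $null
        SenseStartType    = $null
        OnboardingState   = $null
        AntivirusRunning  = $false
        Healthy           = $false
    }

    # 1. The sensor itself: service 'Sense'
    #    (display name "Windows Defender Advanced Threat Protection Service").
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    if ($sense) {
        $result.SenseServiceFound = $true
        $result.SenseStatus       = $sense.Status.ToString()
        $result.SenseStartType    = $sense.StartType.ToString()
    }

    # 2. Onboarding state written by the onboarding package (Intune delivers it via the WindowsAdvancedThreatProtection CSP).
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $status = Get-ItemProperty -Path $statusKey -Name OnboardingState -ErrorAction SilentlyContinue
    if ($status) { $result.OnboardingState = [int]$status.OnboardingState }

    # 3. The antivirus engine is a different service (WinDefend). Report it, but
    #    do not treat it as proof that the EDR sensor is running.
    $av = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    $result.AntivirusRunning = [bool]($av -and $av.Status -eq 'Running')

    $result.Healthy = $result.SenseServiceFound -and
                      $result.SenseStatus -eq 'Running' -and
                      $result.OnboardingState -eq 1
    [pscustomobject]$result
}

Test-MdeSensor | Format-List
```

A device where Sense is present but Stopped, or where OnboardingState is missing, has the sensor binaries but no valid onboarding; that is the case a bare Get-MpComputerStatus would never surface.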

379
MCQmedium

Your organization uses Microsoft Intune to manage iOS/iPadOS devices. You need to deploy a custom vertical market app that is not available in the Apple App Store. The app is distributed as an .ipa file signed with an enterprise certificate. You have uploaded the .ipa file to Intune. However, when you assign the app to a user group, the installation fails on devices with the error 'Unable to download app'. The devices are enrolled as user-affinity devices with Device Enrollment Program (DEP). You have verified that the enterprise certificate is trusted on the devices. What is the most likely cause of the failure?

A.The app package does not include an icon file.
B.The devices do not have a VPN configuration profile installed.
C.The app is not purchased through the Volume Purchase Program (VPP).
D.The devices are not in Supervised mode.
AnswerD

Enterprise apps require supervised mode for silent installation.

Why this answer

Option D is the key because, on iOS/iPadOS, apps assigned as Required install silently only on supervised devices; on an unsupervised device the user is prompted and the install can fail or be declined. Automated Device Enrollment (DEP) devices are supervised only if the enrollment profile turns supervision on, so verify that rather than assume it. Option B is wrong because a VPN profile is not required to download an app from Intune.

Option C is wrong because VPP is the distribution path for App Store apps, not for enterprise-signed .ipa files. Option A is wrong because a missing icon affects how the app is displayed, not whether it installs.

380
MCQhard

You are designing an app protection policy (APP) for Microsoft 365 mobile apps accessing corporate data on iOS devices. The security team requires that when a user opens a work document in the Microsoft Word app, the user must authenticate with Face ID or a passcode. Which setting should you configure?

A.Require PIN or Face ID for access (iOS)
B.Block managed apps from running on jailbroken devices
C.Encrypt app data
D.Require app PIN when device PIN is not set
AnswerA

This setting enforces authentication on app access.

Why this answer

Option A is correct because 'Require PIN or Face ID for access' gates access to the managed app itself, so the user must authenticate before Word opens, including when opening a work document. Option B is wrong because blocking managed apps on jailbroken devices is a conditional-launch check on the device state, not an authentication prompt. Option C is wrong because app data encryption protects data at rest and never prompts the user.

Option D is wrong because 'Require app PIN when device PIN is not set' only enforces the app PIN as a fallback on devices that have no device passcode; it does not require authentication on every app access and it does not enable Face ID.

381
Multi-Selecthard

Which THREE conditions must be met for a device to automatically enroll in Windows Autopilot?

Select 3 answers
A.The device must have BitLocker Drive Encryption enabled
B.The device must be Azure AD joined or Hybrid Azure AD joined
C.The device must have internet connectivity during OOBE
D.The device must be running Windows 10 version 1709 or later
E.The user must be a Global Administrator in Azure AD
AnswersB, C, D

Autopilot requires Azure AD join.

Why this answer

Option B is correct because Windows Autopilot deploys the device into a cloud identity: the Autopilot profile joins it to Azure AD (Microsoft Entra ID) or, in hybrid mode, to on-premises AD with a hybrid Azure AD join, and that join is what ties the device to its Intune enrollment and the assigned deployment profile. Option C is correct because during OOBE the device must reach the Autopilot deployment service and Intune to fetch its profile; without connectivity it falls through to a standard OOBE. Option D is correct because Autopilot needs a supported Windows 10 or later build; 1709 or later is the version this question expects. Option A is wrong because BitLocker is a post-enrollment configuration or compliance requirement. Option E is wrong because the user signing in needs an Intune license and permission to join devices, not the Global Administrator role.

Exam trap

The trap here is that candidates often confuse the prerequisites for Autopilot enrollment with post-enrollment security requirements, mistakenly selecting BitLocker (Option A) as a condition when it is actually a compliance setting applied after the device is enrolled.

382
Multi-Selecteasy

Which TWO of the following are required to deploy an iOS line-of-business app via Microsoft Intune? (Select TWO.)

Select 2 answers
A.iOS app package file (.ipa)
B.Apple Developer signing certificate
C.iOS provisioning profile
D.Volume purchase program (VPP) token
E.MDM push certificate
AnswersA, C

The app binary.

Why this answer

An .ipa file is the app package. A provisioning profile is needed for app installation. An MDM push certificate is for device management, not app deployment.

A VPP token is for volume purchasing. A signing certificate is needed for development, but the provisioning profile includes signing info. So the two required are .ipa and provisioning profile.

383
MCQmedium

Refer to the exhibit. You are evaluating a compliance policy for Windows 10. The policy is assigned to a group containing devices running Windows 10 version 1803 (build 17134.1). Which of the following devices will be marked as non-compliant?

A.A device with OS version 10.0.16299.0 (build 1709).
B.A device with OS version 10.0.17134.1 (build 1803).
C.A device with OS version 10.0.17134.2 (build 1803).
D.A device with OS version 10.0.15063.0 (build 1703).
AnswerC

This build is higher than the maximum allowed, so non-compliant.

Why this answer

The exhibit is read as a compliance policy whose Maximum OS version is 10.0.17134.1 (Windows 10 version 1803). Intune compares OS versions as dotted version numbers: a device above the configured maximum is non-compliant for that setting, and a device at or below it passes. 10.0.17134.2 is above 10.0.17134.1, so device C is marked non-compliant, while the other three devices are at or below the limit.

Exam trap

The trap here is reading the exhibit's version as a minimum. The two settings work in opposite directions: 'Minimum OS version' fails anything lower than the value and passes anything higher, while 'Maximum OS version' fails anything higher than the value. A device running a newer build than the maximum is non-compliant even though it is 'newer'; with a minimum of 10.0.17134.1 instead, 17134.2 would be compliant and the two older builds would be the ones that fail.

How to eliminate wrong answers

Option A is wrong because 10.0.16299.0 (version 1709) is below the maximum, so the maximum setting passes it (it would only fail under a minimum-version rule). Option B is wrong because 10.0.17134.1 equals the configured value and the comparison is 'greater than', so an exact match is compliant. Option D is wrong for the same reason as A: 10.0.15063.0 (version 1703) is below the maximum and passes this setting.
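As an added example (not from the exam page), the PowerShell below evaluates the four devices from the question against a policy the way Intune compares versions, and also runs the opposite case (a minimum instead of a maximum) so the two settings can be contrasted. Test-OsVersionCompliance is a function written for this example, the reading of the exhibit as 'Maximum OS version = 10.0.17134.1' is an assumption (the exhibit is not reproduced on this page), and the four device versions are the question's options.

```powershell
# Added example (not from the exam page): evaluate a device OS version against a
# compliance policy's minimum/maximum OS version as dotted version numbers,
# where "minimum" fails anything lower and "maximum" fails anything higher.
function Test-OsVersionCompliance {
    param(
        [Parameter(Mandatory)][version]$DeviceVersion,
        [version]$MinimumVersion,   # optional, as in the policy UI
        [version]$MaximumVersion    # optional
    )
    $reasons = @()
    if ($MinimumVersion -and $DeviceVersion -lt $MinimumVersion) {
        $reasons += "below minimum $MinimumVersion"
    }
    if ($MaximumVersion -and $DeviceVersion -gt $MaximumVersion) {
        $reasons += "above maximum $MaximumVersion"
    }
    [pscustomobject]@{
        DeviceVersion = $DeviceVersion
        Compliant     = ($reasons.Count -eq 0)
        Reason        = ($reasons -join '; ')
    }
}

# The four devices from the question (options A-D), in order.
$devices = '10.0.16299.0', '10.0.17134.1', '10.0.17134.2', '10.0.15063.0'

# Assumed exhibit: Maximum OS version = 10.0.17134.1. Only 17134.2 fails.
Write-Host 'Maximum OS version = 10.0.17134.1'
$devices | ForEach-Object { Test-OsVersionCompliance -DeviceVersion $_ -MaximumVersion '10.0.17134.1' } | Format-Table -AutoSize

# The opposite rule: Minimum OS version = 10.0.17134.1. Now 17134.2 passes and
# the two older builds (16299, 15063) are the non-compliant ones.
Write-Host 'Minimum OS version = 10.0.17134.1'
$devices | ForEach-Object { Test-OsVersionCompliance -DeviceVersion $_ -MinimumVersion '10.0.17134.1' } | Format-Table -AutoSize
```

Using the [version] type rather than string comparison is the point: '10.0.17134.2' sorts after '10.0.17134.1' numerically, and a string comparison would also mis-order builds such as 10.0.9600 against 10.0.17134.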

384
MCQeasy

You configure Windows Update for Business policies in Intune. Users report that updates are not installing during configured active hours. You verify that the policy is applied. What is the most likely cause?

A.Update notification level is set to 'Disable all notifications' and 'Automatic Updates behavior' is set to 'Notify download'.
B.Deadline for feature updates is set to 7 days.
C.Quality update deferral period is set to 0 days.
D.Active hours start is set to 8:00 AM and end to 5:00 PM.
AnswerA

'Notify download' means updates are not automatically downloaded; they must be manually initiated, so they won't install automatically during active hours.

Why this answer

Option A is correct. 'Disable all notifications' on its own only hides restart prompts, and updates would still install; combined with 'Automatic Updates behavior' set to 'Notify download', the device waits for a user to start the download, so nothing is downloaded or installed on its own, and the suppressed notifications mean the user is never asked to start it. Option B is wrong because the feature update deadline does not control when quality updates install.

Option D is wrong because active hours of 8:00 AM to 5:00 PM is an ordinary setting; active hours only prevent automatic restarts during that window. Option C is wrong because a 0-day quality update deferral makes updates available immediately; it does not prevent installation.

385
MCQhard

An organization uses Microsoft Intune to manage Windows 10 devices. They deploy a PowerShell script via Intune to install a custom application. The script runs successfully on some devices but fails on others with error code 0x80070002. What is the most likely cause?

A.The script execution exceeds the 60-minute timeout.
B.The user does not have local administrator privileges on the failing devices.
C.The script references a file path that does not exist on the failing devices.
D.The PowerShell execution policy is set to Restricted on the failing devices.
AnswerC

Error 0x80070002 is 'File not found'.

Why this answer

Option C is correct because 0x80070002 is ERROR_FILE_NOT_FOUND ('The system cannot find the file specified'): the script references a path that exists on the devices where it succeeds and not on the ones where it fails. A common cause is that Intune runs PowerShell scripts as SYSTEM unless 'Run this script using the logged on credentials' is set, so paths built from the user profile (for example %USERPROFILE% or a Documents folder) resolve to the SYSTEM profile; another is a share or staging folder that only some devices can reach. Option D is wrong because the Intune Management Extension launches scripts with the execution policy bypassed. Option B is wrong because the script runs as SYSTEM by default, so the user's rights are not involved.

Option A is wrong because a script that exceeds the Intune timeout is reported as a timeout failure, not as a file-not-found error.

386
MCQhard

You are deploying Windows 11 devices using Windows Autopilot. Some devices are not registering in Microsoft Intune. You have verified that the hardware hashes are uploaded correctly. What is the most likely cause?

A.The devices are not connected to the internet.
B.The hardware hashes are invalid.
C.The devices are not running Windows 11 Pro or Enterprise.
D.The user does not have an Intune license.
AnswerA

Autopilot requires internet connectivity to register with Intune.

Why this answer

Option A is correct because Windows Autopilot requires internet connectivity during the out-of-box experience (OOBE) to contact the Autopilot deployment service and Microsoft Intune. Without internet access, the device cannot download the Autopilot profile or register in Intune, even if hardware hashes are correctly uploaded. The hardware hash upload is a separate step that does not guarantee the device can later connect to the service.

Exam trap

The trap here is that candidates often assume hardware hash upload is the only prerequisite for Autopilot registration, overlooking the critical requirement for internet connectivity during the device's initial boot process.

How to eliminate wrong answers

Option B is wrong because the question states that the hardware hashes are uploaded correctly, so invalid hashes are ruled out. Option C is wrong because Windows Autopilot supports Windows 11 Pro, Enterprise and Education editions; an unsupported edition is not what prevents registration here. Option D is wrong because the failure happens before any user signs in: the device must first reach the Autopilot service over the network to be recognised at all. In user-driven mode the signing-in user does need an Intune license, but a licensing problem surfaces as an enrollment error at sign-in, not as a device that never contacts the service.

387
MCQhard

You are troubleshooting an issue where users report that they cannot install required line-of-business (LOB) apps from Microsoft Intune Company Portal on their Windows 10 devices. The apps are assigned as 'Required' to a dynamic device group. You verify that the devices are enrolled and compliant. What is the most likely cause of the failure?

A.The dynamic device group is not updating membership correctly.
B.The apps are not published in the Company Portal.
C.The user is not a local administrator on the device.
D.The enrollment restrictions block installation of LOB apps.
AnswerC

LOB app installation requires local admin rights, which users typically lack on managed devices.

Why this answer

Option C is the key: the page reasons that installing a 'Required' line-of-business app needs elevated rights that a standard user lacks. Note how this actually works on Windows: LOB (.msi) apps are installed by the built-in MDM client and Win32 apps by the Intune Management Extension, both in the SYSTEM context, so the signed-in user's local admin rights are not consulted for a normal Required assignment. The user's rights only matter for a Win32 app whose install behavior was deliberately set to 'User' and whose installer then needs elevation; that is the case this key is reaching for. In practice, check the app's install behavior and the IME log (%ProgramData%\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log) before granting anyone local admin.

Exam trap

The trap here is that candidates assume 'Required' assignments or device compliance guarantee a successful install, and overlook the context the installer actually runs in: a Required app configured to install in the user context depends on the user's rights, unlike the default system-context install.

How to eliminate wrong answers

Option A is wrong because dynamic device group membership is evaluated continuously by Azure AD, and if the device meets the group's query criteria, the assignment will apply; a delay in membership update would not cause a persistent installation failure for all users. Option B is wrong because apps assigned as 'Required' are automatically pushed to devices and do not need to be published in the Company Portal for installation; the Company Portal is used for 'Available' apps, not 'Required' ones. Option D is wrong because enrollment restrictions in Intune control which devices can enroll (e.g., platform, OS version), not the installation behavior of LOB apps on already enrolled devices; they do not block app installation.

388
MCQhard

You have a Windows device with serial number ABC123 that is registered for Autopilot. The above PowerShell output shows the diagnostics. The device is not receiving the Autopilot profile. What is the most likely cause?

A.The device has not been successfully registered in Windows Autopilot.
B.The Autopilot profile is not assigned to the device group.
C.The device was previously manually imaged.
D.The device is not connected to the internet during OOBE.
AnswerA

RegistrationStatus should be 'Registered'.

Why this answer

Option A is correct because a RegistrationStatus of 'NotRegistered' in the diagnostics means the Autopilot service does not know this device, so no profile can be assigned to it; re-check the hardware hash upload and look for serial number ABC123 in the Autopilot devices list. Option B is incorrect because a registered device with no profile shows as registered with an unassigned profile status, not as unregistered. Option C is incorrect because prior manual imaging does not remove an Autopilot registration; the device identity is tied to the hardware hash, not to the installed image.

Option D is incorrect because the registration state is the earlier gate: a device that is not registered receives no profile even with full connectivity, so registration has to be fixed first.

389
MCQmedium

Your organization uses Microsoft Intune to manage macOS devices. You need to deploy a custom .pkg app to all macOS devices. What app type should you create in Intune?

A.macOS app (line-of-business)
B.Windows app (Win32)
C.Web link
D.iOS app (line-of-business)
AnswerA

The macOS line-of-business app type is the type for custom packages (historically the .pkg had to be pre-processed into an .intunemac file with the Intune App Wrapping Tool for Mac; Intune has since added dedicated macOS app (PKG) and macOS app (DMG) types that take the installer directly).

Why this answer

Option A is correct because the macOS line-of-business app type is the one that deploys a custom package to macOS devices; if your tenant shows the newer macOS app (PKG) type, that is the direct path for a .pkg, and macOS app (DMG) for a .dmg. Option B is wrong because the Win32 app type is for Windows installers.

Option D is wrong because the iOS line-of-business app type takes .ipa files for iOS/iPadOS. Option C is wrong because a web link only publishes a URL.

390
MCQhard

Your organization uses Microsoft Intune to manage devices. You have a compliance policy that requires devices to have a password of at least 6 characters. Some users report that their devices are marked as non-compliant even though they have a password set. What is the most likely cause?

A.The password length setting is set to '6' but the device requires a minimum of 8.
B.The compliance policy is assigned to device groups, but the devices are user-enrolled.
C.The compliance policy is assigned to a user group that does not include the affected users.
D.The device uses a PIN instead of a password, which is not evaluated.
AnswerC

If the policy is not assigned to a group that contains the affected users or their devices, they never receive it, and Intune's tenant-wide setting 'Mark devices with no compliance policy assigned as' defaults to Not compliant.

Why this answer

Option C is correct. A compliance policy only applies to the users or devices in its assigned groups. Users outside the group never receive the password rule, and because the tenant-wide compliance setting 'Mark devices with no compliance policy assigned as' defaults to Not compliant, their devices are reported non-compliant even though a password is set. Check the policy's assignments and the device's policy status in the admin center before looking at the password itself.

Option A is wrong because a policy that asks for 6 characters cannot demand 8; when two compliance policies conflict the most restrictive requirement wins, which would point at a second policy, not at this setting. Option B is wrong because compliance policies can be assigned to either device or user groups and are evaluated either way on an enrolled device.

Option D is wrong because on mobile platforms a device PIN is the device passcode and is evaluated against the minimum length setting; it is not skipped.

391
MCQhard

Refer to the exhibit. You have configured the compliance policy shown above. A user reports that their Windows 11 device is compliant with all settings except the threat level. The device has no threat protection agent installed. What will happen when the user tries to access corporate resources?

A.Access is granted but the user receives a warning notification.
B.Access is blocked only after a 24-hour grace period.
C.Access is blocked immediately.
D.Access is granted because the device meets all other compliance requirements.
AnswerC

Device is noncompliant and action is to block immediately.

Why this answer

The compliance policy requires the device to be at or under a threat level, which Intune evaluates from the Defender for Endpoint machine risk score (or from a mobile threat defense connector on other platforms). A device with no agent cannot report a score, so the setting fails and the device is non-compliant. The exhibit's action for noncompliance is to mark the device noncompliant immediately (0 days), so there is no grace period, and a Conditional Access policy that requires a compliant device blocks the next access attempt.

Exam trap

The trap here is assuming every compliance policy carries a grace period. A grace period exists only when the policy's 'Actions for noncompliance' schedule the 'Mark device noncompliant' action after a number of days; with the default schedule of immediately, the device becomes non-compliant at the first evaluation and Conditional Access enforces the block on the next sign-in or token refresh.

How to eliminate wrong answers

Option A is wrong because Conditional Access does not grant access with a warning; the 'Send email to end user' and 'Send push notification' actions are notifications, not an access decision, and the decision here is block. Option B is wrong because a grace period only applies when the policy's noncompliance action is scheduled after a delay; the exhibit schedules it immediately, and a missing agent is not exempt from that. Option D is wrong because compliance is all-or-nothing for the policy: one failed setting makes the device non-compliant, and the settings that pass do not offset it.

392
MCQmedium

You need to implement a solution that automatically wipes a company-owned Windows 10 device when it has not connected to Intune for 30 days. Which Intune feature should you configure?

A.A PowerShell script that runs on the device to self-destruct after 30 days.
B.Compliance policy with a device health rule for 'Maximum days since last check-in' and a non-compliance action to retire the device.
C.Device cleanup rules to automatically delete devices after 30 days.
D.Device configuration profile with a setting to require periodic check-in.
AnswerB

Marking devices that stop reporting as non-compliant, then retiring them through the policy's noncompliance action, gives the automatic response after a period of inactivity; note that 'retire' removes company data and management, it is not a factory wipe.

Why this answer

Option B is correct because Intune can treat a device that has not reported in for a period as non-compliant (the tenant-wide 'Compliance status validity period' defaults to 30 days) and a compliance policy's 'Actions for noncompliance' include 'Retire the noncompliant device'. Retire removes company data, apps and profiles but is not a factory wipe; if a full wipe is required, use the non-compliance signal with Conditional Access to block the device and trigger the wipe action from the admin center or Graph. Option D is wrong because a configuration profile cannot make a device check in.

Option C is wrong because device cleanup rules delete stale device records from Intune; they do nothing to the device itself. Option A is wrong because a script that must run on the device cannot be relied on once the device has stopped talking to Intune, and anyone with local admin can stop it.

393
MCQeasy

You are planning a Windows Autopilot deployment for your organization. You need to ensure that during the out-of-box experience (OOBE), the user is prompted to set up Windows Hello for Business. What should you configure in the Autopilot profile?

A.Ensure the device is Azure AD joined.
B.Create a separate Windows Hello for Business policy and assign it to the device group.
C.Configure the Enrollment Status Page to show Hello setup.
D.Set 'Enable Windows Hello for Business' in the Autopilot profile.
AnswerD

In this question's framing, the Autopilot profile carries a setting that enables Windows Hello for Business during OOBE.

Why this answer

Option D is correct because, in the framing of this question, the Autopilot profile carries the setting that enables Windows Hello for Business during OOBE. Option C is incorrect because the Enrollment Status Page only tracks device and account setup progress; it does not configure Hello. Option B is incorrect because a separate policy is not required when the profile itself carries the setting.

Option A is incorrect because Azure AD join is a prerequisite for Autopilot, not a Hello configuration. Practitioner note: in the Intune admin center, Hello enrollment during OOBE is governed by the tenant-wide Windows Hello for Business settings under Windows enrollment and by device configuration profiles; check those when the OOBE prompt does not appear.

394
MCQhard

A company uses Microsoft Intune to manage Windows 10 devices. A user reports that their device is not receiving critical security updates despite being compliant with all update policies. You verify that the device is online and communicating with Intune. Which action should you take to resolve the issue?

A.Verify that the device meets the minimum hardware requirements for the update.
B.Force a sync from the device via Intune Company Portal or Settings > Accounts > Access work or school.
C.Reassign the device to a different Update Ring policy that has no feature update deferral.
D.Review the Windows Update Rings policy assigned to the device and adjust the deferral settings for quality updates.
AnswerD

Deferral settings can delay updates; adjusting them can resolve the issue.

Why this answer

The user's device is compliant and online, but not receiving critical security updates. The most likely cause is that the Windows Update Rings policy assigned to the device has a deferral period configured for quality updates, which delays the installation of security patches. Adjusting the deferral settings for quality updates to 0 days ensures that critical security updates are installed immediately upon release, resolving the issue without changing the feature update deferral.

Exam trap

The trap here is that candidates confuse 'force sync' with 'force update installation,' not realizing that a sync only retrieves policy and update metadata, but the deferral period still prevents the update from being offered until it expires.

How to eliminate wrong answers

Option A is wrong because minimum hardware requirements are checked by Windows Update itself before offering an update, and a device that is compliant with update policies would already meet those requirements; this is not a policy-related issue. Option B is wrong because forcing a sync only triggers the device to check for new policies and pending updates from Intune, but if the deferral period is still in effect, the sync will not cause the critical updates to be installed—they will remain deferred. Option C is wrong because reassigning to a different Update Ring policy that has no feature update deferral does not address the quality update deferral; feature update deferral controls major version upgrades, not critical security patches, and changing it would not resolve the delay in receiving quality updates.
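The PowerShell below is an added example (not from the exam page) that reads the Windows Update for Business values Intune delivered to a device and flags the ones that hold back quality updates (this question) or make downloads wait for the user (question 384). It assumes, as MDM policies generally do, that the Update policy CSP values are mirrored under HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Update; Get-WufbEffectivePolicy is a name chosen here, and the value names are those of the Update policy CSP.

```powershell
# Added example (not from the exam page): read the Update policy CSP values that
# Intune wrote to the device (assumed to be mirrored under PolicyManager) and
# explain which of them delay quality (security) updates.
function Get-WufbEffectivePolicy {
    [CmdletBinding()]
    param()

    $key = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $p) {
        Write-Warning "No MDM Update policy found at $key (is the device Intune-enrolled?)"
        return
    }

    $findings = @()
    if ($p.DeferQualityUpdatesPeriodInDays -gt 0) {
        $findings += "Quality updates deferred $($p.DeferQualityUpdatesPeriodInDays) day(s): security patches are offered late"
    }
    if ($p.PauseQualityUpdatesStartTime) {
        $findings += "Quality updates paused since $($p.PauseQualityUpdatesStartTime)"
    }
    # AllowAutoUpdate: 0 = notify before download (user must start it), 5 = automatic updates off.
    if ($p.AllowAutoUpdate -eq 0) {
        $findings += 'AllowAutoUpdate=0 (Notify download): nothing downloads until a user clicks'
    }
    elseif ($p.AllowAutoUpdate -eq 5) {
        $findings += 'AllowAutoUpdate=5: automatic updates are turned off'
    }

    [pscustomobject]@{
        DeferQualityDays = $p.DeferQualityUpdatesPeriodInDays
        DeferFeatureDays = $p.DeferFeatureUpdatesPeriodInDays
        ActiveHours      = ('{0}:00-{1}:00' -f $p.ActiveHoursStart, $p.ActiveHoursEnd)
        AllowAutoUpdate  = $p.AllowAutoUpdate
        Findings         = $findings
    }
}

Get-WufbEffectivePolicy | Format-List
```

Forcing a sync from Settings > Accounts > Access work or school refreshes these values but does not shorten a deferral that is already running; a non-zero DeferQualityDays on a device that is 'missing' a security update is the finding this question is after.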

395
MCQeasy

A company wants to deploy Microsoft 365 Apps for enterprise to Windows 10 devices using Intune. They need to ensure that the apps are updated automatically from the Office Content Delivery Network (CDN). Which update channel should they select in the Office app deployment configuration?

A.Semi-Annual Enterprise Channel
B.Current Channel
C.Monthly Enterprise Channel
D.Insider Channel
AnswerC

Monthly Enterprise Channel delivers one predictable update per month from the Office CDN, the cadence this question treats as the enterprise choice.

Why this answer

All of the listed channels are updated automatically from the Office CDN; what distinguishes them is cadence and predictability. Monthly Enterprise Channel delivers feature, security and quality updates once a month on Patch Tuesday, which lets an organisation test and roll out on a fixed schedule while still receiving security fixes every month, so it is the channel this question expects for managed enterprise devices.

Exam trap

The trap here is that candidates often confuse the Monthly Enterprise Channel with the Current Channel, assuming that 'Monthly' implies the same rapid update frequency as Current Channel, when in fact Current Channel updates multiple times per month and is not the recommended default for managed enterprise deployments.

How to eliminate wrong answers

Option A is wrong because Semi-Annual Enterprise Channel takes new features only twice a year (it still receives monthly security updates), which does not match the monthly cadence the question is after. Option B is wrong because Current Channel ships feature updates as soon as they are ready, usually several times a month, which is harder to test and schedule in a managed environment. Option D is wrong because the Insider (beta) channels deliver pre-release builds for early validation and are not intended for production deployment.

396
MCQhard

A user reports that their Windows 11 device is not receiving configuration policies from Intune. The device shows as 'Enrolled' in the Intune console but last check-in was three days ago. What is the most likely cause?

A.The Intune service is experiencing an outage
B.The device is powered off or not connected to the internet
C.The device has conflicting policies from another MDM
D.The device's enrollment certificate has expired
AnswerB

Prevents MDM check-in.

Why this answer

Option B is correct because a device that is powered off, asleep without network, or otherwise offline cannot perform its MDM check-in, and a last check-in of three days ago with nothing else wrong fits that. Option D is wrong because the MDM enrollment certificate renews automatically while the device keeps checking in, and an expired certificate would surface as an enrollment or sync error on the device, not only as a stale last check-in. Option A is wrong because a service outage would affect every device in the tenant, not one.

Option C is wrong because a conflicting policy is reported as a conflict in the policy status; it does not stop the device from checking in. On the device, Settings > Accounts > Access work or school > Info shows the last sync attempt and its result.

397
MCQmedium

You manage Windows 10 devices enrolled in Microsoft Intune. Users report that the Company Portal app is not installing required apps. You verify that the devices are compliant and checked in recently. What is the most likely cause?

A.The users are not members of the Azure AD group assigned to the required app.
B.The devices are not connected to a Wi-Fi network configured in Intune.
C.The devices are not compliant with the compliance policy.
D.The enrollment restrictions are blocking the devices from receiving apps.
AnswerA

App assignment targeting is based on group membership; if users are not in the group, the app won't be required.

Why this answer

Option A is correct because app assignment is resolved by group membership; a user outside the group targeted by the Required assignment never gets the app pushed, whatever the Company Portal shows. Option C is wrong because the question states the devices are compliant. Option B is wrong because a Wi-Fi profile is not a prerequisite for app installation; any working internet path will do.

Option D is wrong because enrollment restrictions decide which devices may enroll; they have no effect on app delivery to devices that are already enrolled.

398
MCQeasy

You need to retire a corporate-owned iOS device that is no longer in use. The device is enrolled in Intune with user affinity. Which action should you perform?

A.Disable the device in Intune.
B.Wipe the device from Intune.
C.Retire the device from Intune.
D.Delete the device from Microsoft Entra ID.
AnswerC

Retire removes management and corporate data.

Why this answer

Option C is correct because the 'Retire' action removes the company data, apps and profiles delivered through Intune and unenrolls the device, while leaving personal data in place; for a device enrolled with user affinity that is simply leaving management, that is the action this question expects. Practitioner note: if the device is being redeployed or disposed of, a factory-reset 'Wipe' is the stronger choice; 'Retire' is the right fit when the hardware stays with its user and only the corporate footprint must go.

Exam trap

The trap here is that candidates often confuse 'Retire' with 'Wipe' or 'Disable', not realizing that Retire is the correct action for removing corporate data without affecting personal data on a corporate-owned device with user affinity.

How to eliminate wrong answers

Option A is wrong because disabling a device in Intune only blocks it from synchronizing and receiving policies, but does not remove corporate data or unenroll the device, leaving it partially managed. Option B is wrong because wiping the device performs a factory reset, which would erase all data including personal content, which is excessive for a corporate-owned device that simply needs to be decommissioned. Option D is wrong because deleting the device from Microsoft Entra ID removes the device object from Azure AD but does not trigger the Intune retirement process, leaving the device still enrolled and potentially able to access resources.

399
MCQ (easy)

You need to deploy Microsoft Edge for Business to Windows 10 devices using Microsoft Intune. Which app type should you select in the Intune portal?

A. Web link
B. Windows app (Win32)
C. Microsoft 365 Apps
D. Built-in app
Answer: D

Edge for Business is listed under built-in apps.

Why this answer

Microsoft Edge for Business is available as a built-in app in Intune (for Windows 10). Option C is correct.

400
MCQ (medium)

Your organization uses Microsoft Intune to manage Windows 10 devices. Users report that after a recent update, some devices are no longer receiving compliance policies. You verify that the devices are enrolled and show as active in Intune. What should you check first?

A. Verify that the compliance policy is assigned to the correct Windows version.
B. Check if the devices can connect to the Intune service.
C. Ensure the users are members of the correct Azure AD group.
D. Re-enroll the devices in Intune.
Answer: A

The update may have changed the OS version, and the policy might not target that version.

Why this answer

Option B is correct because the compliance policy may not have been updated to target the new Windows version after the update. Option A is wrong because connectivity issues would affect all policies, not just compliance. Option C is wrong because if the device is enrolled and active, the enrollment record is intact.

Option D is wrong because compliance policies are not tied to user group membership in this scenario.

401
MCQ (easy)

A user's iOS device is enrolled in Microsoft Intune and is compliant. However, the user cannot access corporate email in the Outlook mobile app. The app displays an error that the device is not compliant. What is the most likely cause?

A. The user's Intune license has expired.
B. The Outlook app is not installed on the device.
C. A compliance policy was updated requiring a newer OS version or additional security settings.
D. The device is not enrolled in Intune.
Answer: C

Updated policies can cause previously compliant devices to become non-compliant.

Why this answer

Option C is correct because Intune compliance policies are evaluated in real time when a user attempts to access corporate resources. If an administrator updates a policy to require a newer iOS version or additional security settings (e.g., passcode complexity, encryption), the device may become non-compliant even if it was previously compliant. The Outlook app checks device compliance via the Intune SDK and will block access if the device no longer meets the policy requirements, displaying the 'device not compliant' error.

Exam trap

The trap here is that candidates assume the error means the device is not enrolled or that the app is missing, but the question explicitly states the device is enrolled and compliant, so the most likely cause is a policy change that retroactively affects compliance status.

How to eliminate wrong answers

Option A is wrong because an expired Intune license would prevent the user from enrolling the device or accessing Intune-managed resources entirely, but the device is already enrolled and compliant, and the error specifically states non-compliance, not a licensing issue. Option B is wrong because if the Outlook app were not installed, the user would not be able to launch it or see an error within the app; the error is displayed by the app itself, confirming it is installed. Option D is wrong because the question explicitly states the device is enrolled in Intune and compliant, so the device is enrolled; the error is due to a change in compliance status, not enrollment status.

402
MCQ (easy)

Your organization is deploying Microsoft Intune for the first time. You need to ensure that devices can enroll in Intune. Which of the following is a prerequisite for Intune enrollment?

A. A Microsoft Intune license assigned to the user
B. A VPN connection to the corporate network
C. An on-premises Active Directory domain
D. A Configuration Manager infrastructure
Answer: A

An Intune license is required for enrollment and management.

Why this answer

A Microsoft Intune license assigned to the user is a prerequisite because Intune uses Azure Active Directory (Azure AD) for identity and access management. Without an Intune license (e.g., Microsoft 365 E3, E5, or standalone Intune license) assigned to the user, the device cannot authenticate and enroll via the Intune enrollment service, as the license is required to authorize the enrollment request and apply device management policies.

Exam trap

The trap here is that candidates often confuse on-premises prerequisites (like AD or VPN) with cloud-only requirements, mistakenly thinking corporate network connectivity or legacy infrastructure is needed for Intune enrollment, when in fact only an Azure AD identity and an Intune license are required.

How to eliminate wrong answers

Option B is wrong because a VPN connection to the corporate network is not required for Intune enrollment; Intune uses internet-based enrollment over HTTPS (port 443) to the Microsoft Intune service, and devices can enroll from anywhere without a VPN. Option C is wrong because an on-premises Active Directory domain is not a prerequisite; Intune enrollment relies on Azure AD for identity, and while hybrid Azure AD join can be used, a standalone on-premises AD domain is not required for basic Intune enrollment. Option D is wrong because a Configuration Manager infrastructure is not a prerequisite; Intune is a cloud-only MDM solution, and while co-management with Configuration Manager is possible, it is optional and not required for enrollment.

403
MCQ (hard)

Users report that their Android Enterprise fully managed devices are not receiving email profiles pushed from Intune. You confirm the devices are enrolled and show as compliant. What is the most likely cause?

A. The devices are using work profile instead of fully managed.
B. The devices are not compliant with the compliance policy.
C. A device restrictions profile blocks the email app.
D. The 'Android Device Policy' app is not set to 'Required' in the app configuration policy.
Answer: D

This app is essential for managing fully managed devices.

Why this answer

Option B is correct because the Android Enterprise system app 'Android Device Policy' must be set to 'Required' in the app configuration policy. Without it, profiles may not apply. Option A is wrong because compliance does not affect profile delivery.

Option C is wrong because the device restrictions profile does not block email profiles. Option D is wrong because work profile vs fully managed is a separate enrollment method; profiles should work on fully managed devices.

404
MCQ (easy)

You run the PowerShell command shown in the exhibit for a managed device. The device shows as noncompliant. Which action should you take first to resolve the noncompliance?

A. Trigger a sync from Intune to force the device to check in.
B. Re-enroll the device.
C. Delete the device from Intune and re-register.
D. Assign a new compliance policy to the device.
Answer: A

Last sync is old; syncing may resolve.

Why this answer

The PowerShell command shown likely runs a compliance evaluation or sync action, but the device remains noncompliant because the evaluation results haven't been reported back to Intune. Triggering a sync from Intune forces the device to check in, upload its latest compliance status, and update the portal, which is the first troubleshooting step before considering re-enrollment or policy changes.

Exam trap

The trap here is that candidates assume noncompliance means a policy misconfiguration or enrollment failure, rather than recognizing that the device simply hasn't reported its latest compliance evaluation, making a sync the correct first action.

How to eliminate wrong answers

Option B is wrong because re-enrolling the device is unnecessary; the device is already enrolled and the issue is likely a stale compliance status, not a broken enrollment. Option C is wrong because deleting and re-registering the device is a drastic step that should only be taken if the device cannot sync or has a corrupted enrollment record, not as a first action for noncompliance. Option D is wrong because assigning a new compliance policy won't resolve noncompliance if the device hasn't reported its status; the existing policy is already assigned, and the device needs to sync to evaluate and report compliance.

405
MCQ (hard)

You configure a Windows 10 device compliance policy in Intune that requires 'Firewall' to be enabled. The device has Windows Defender Firewall enabled, but the device reports as non-compliant. You verify that the firewall is active. What is the most likely cause?

A. The firewall is configured to allow all inbound connections
B. The device uses a third-party firewall that Intune does not recognize
C. The firewall is enabled only on the Domain profile but not on Public or Private profiles
D. The device has multiple network adapters and the firewall is disabled on one
Answer: C

Compliance policy may require firewall on all profiles.

Why this answer

Option D is correct. The compliance policy may be checking for the firewall profile to be enabled on all network profiles. Option A is not relevant.

Option B concerns a third-party firewall, and Option C concerns logging.

406
Multi-Select (medium)

Which THREE of the following are prerequisites for deploying Microsoft Defender for Endpoint on Windows 10 devices via Microsoft Intune? (Select THREE.)

Select 3 answers
A. Devices must be enrolled in Microsoft Intune.
B. The Microsoft Defender for Endpoint client must be separately downloaded from the Microsoft 365 admin center.
C. Devices must have Microsoft 365 Apps for enterprise installed.
D. Users must be assigned a Microsoft Defender for Endpoint license.
E. Devices must run a supported version of Windows 10.
Answers: A, D, E

Intune is the management platform for deployment.

Why this answer

Option A, Option B, and Option C are correct. Devices must be managed by Intune, run a supported Windows 10 version, and have the Microsoft Defender for Endpoint license assigned. Option D is wrong because Microsoft 365 Apps for enterprise is not a prerequisite.

Option E is wrong because the Microsoft Defender for Endpoint client is already part of Windows 10; no separate client download is needed.

407
MCQ (medium)

You are reviewing an ARM template for Intune device configuration. The exhibit shows a snippet. What will be the effect on Windows 10 devices?

A. Automatic updates will be disabled.
B. Users can sideload trusted apps.
C. Devices will receive updates from WSUS.
D. Developer unlock is allowed.
Answer: A

EnableAutomaticUpdate is false.

Why this answer

The ARM template snippet configures the 'UpdateNotificationLevel' setting to '1' (Disable all notifications), which is part of the 'Update' policy CSP. This setting disables automatic update checks and notifications, effectively preventing Windows 10 devices from automatically downloading and installing updates. The 'AllowAutoUpdate' setting is not present or set to '0', which would explicitly disable automatic updates, but the 'UpdateNotificationLevel' of '1' achieves the same outcome by suppressing all update-related notifications and background checks.

Exam trap

The trap here is that candidates confuse 'UpdateNotificationLevel' with 'AllowAutoUpdate' or think it only affects notifications, not the actual update behavior, but setting it to '1' effectively disables automatic updates by suppressing the trigger for background scans.

How to eliminate wrong answers

Option B is wrong because sideloading trusted apps is controlled by the 'ApplicationManagement' CSP, specifically the 'AllowAllTrustedApps' setting, which is not present in the template. Option C is wrong because receiving updates from WSUS requires the 'UpdateServiceUrl' or 'UpdateServiceUrlAlternate' setting to point to a WSUS server, which is not configured in the snippet. Option D is wrong because developer unlock is governed by the 'ApplicationManagement' CSP's 'AllowDeveloperUnlock' setting, which is not included in the template.

408
Multi-Select (easy)

You need to configure conditional access for managed devices accessing Exchange Online. Which THREE conditions can be used?

Select 3 answers
A. Device platform (e.g., iOS, Android).
B. Device risk level from Microsoft Defender XDR.
C. Device compliance status.
D. App protection policy status.
E. User location based on IP address.
Answers: A, B, C

Platform can be restricted.

Why this answer

Option A, Option B, and Option E are correct. Conditional access can use device compliance, device platform (e.g., iOS, Android), and device risk from Microsoft Defender XDR. Option C is incorrect because user location is a condition but not device-specific; it is based on IP address.

Option D is incorrect because app protection policies are not a condition in conditional access; they are separate policies.

409
MCQ (hard)

Refer to the exhibit. The JSON shows a compliance policy for Windows 10 devices. Devices that do not meet the policy are marked as non-compliant. Which diagnostic step would you take to identify why a specific device is non-compliant despite having BitLocker enabled?

A. Verify the compliance policy is assigned to the device's group.
B. Check the device's compliance status in Intune for details.
C. Review the device's hardware security features: Secure Boot and Code Integrity.
D. Modify the policy to remove the requireSecureBoot and requireCodeIntegrity settings.
Answer: C

These are additional requirements beyond encryption.

Why this answer

Option B is correct because the policy requires Secure Boot and Code Integrity, which might not be enabled even if BitLocker is on. Option A is wrong because the device compliance status is correct. Option C is wrong because the policy is already assigned.

Option D is wrong because the policy settings are as shown.

410
MCQ (medium)

Your organization uses Microsoft Intune to manage devices. You need to ensure that only compliant devices can access corporate Exchange Online email. Which conditional access policy setting should you use?

A. Require device to be marked as compliant.
B. Require multi-factor authentication.
C. Require app protection policy.
D. Require device to be enrolled in Intune.
Answer: A

This ensures only compliant devices access corporate resources.

Why this answer

Conditional access in Microsoft Entra ID can require device compliance as a grant control. The 'Require device to be marked as compliant' option ensures only compliant devices get access. Option A is incorrect because MFA is separate.

Option B is incorrect because app protection policies are for mobile app management. Option D is incorrect because device enrollment is not enough; compliance is required.

411
MCQ (medium)

You are configuring an app protection policy (MAM) in Intune for iOS and Android devices. The policy should prevent users from copying corporate data to personal apps. Which setting should you configure?

A. Restrict cut, copy, and paste between apps.
B. Allow app to transfer data to other apps.
C. Save copies of org data.
D. Require PIN for access.
Answer: C

This setting prevents saving to personal locations.

Why this answer

Option D is correct because 'Save copies of org data' controls save actions. Option A is wrong because it controls app access. Option B is wrong because it controls data transfer from other apps.

Option C is wrong because it controls clipboards, not save.

412
MCQ (medium)

Refer to the exhibit. You have a compliance policy for Windows 10 devices. A device reports as non-compliant with the reason 'TPM not found'. The device does have a TPM 2.0 chip but it is disabled in BIOS. What should you do to resolve the compliance issue?

A. Replace the device's motherboard.
B. Enable the TPM in the device's BIOS settings.
C. Assign a grace period for the device.
D. Remove the tpmRequired setting from the compliance policy.
Answer: B

This will allow the TPM to be detected.

Why this answer

Option B is correct because the device has a TPM 2.0 chip that is disabled in BIOS. Enabling the TPM in BIOS allows the device to report its TPM presence to Microsoft Intune, satisfying the compliance policy's tpmRequired setting. No hardware replacement, grace period, or policy modification is needed when the TPM is physically present but disabled.

Exam trap

The trap here is that candidates may assume a 'TPM not found' error indicates missing hardware, leading them to choose motherboard replacement or policy removal, rather than recognizing that a disabled TPM in BIOS is a common configuration issue that can be resolved without hardware changes.

How to eliminate wrong answers

Option A is wrong because replacing the motherboard is unnecessary when the TPM chip is already present and functional; the issue is only that it is disabled in BIOS. Option C is wrong because assigning a grace period would only delay enforcement of the non-compliance, not resolve the underlying TPM detection failure. Option D is wrong because removing the tpmRequired setting from the compliance policy would lower the security baseline, whereas the correct action is to enable the existing TPM hardware.

413
Drag & Drop (medium)

Order the steps for configuring a Windows 10 kiosk device using Assigned Access.


Why this order

First create the account, then navigate to Settings, set up the kiosk with the user, choose the app, and test by signing in.

414
MCQ (easy)

Your organization uses Microsoft Intune to manage iOS devices. You need to ensure that only devices with a passcode of at least 6 characters can access corporate email. What should you create?

A. A device compliance policy with a required passcode length of 6.
B. A device configuration profile with a passcode payload.
C. An app protection policy for Microsoft Outlook.
D. A conditional access policy requiring compliant devices.
Answer: A

Device compliance policies enforce device-level security requirements.

Why this answer

Option A is correct because a device compliance policy enforces passcode requirements. Option B is wrong because a device configuration profile can only configure settings, not enforce compliance. Option C is wrong because an app protection policy applies to apps, not device-level passcode.

Option D is wrong because a conditional access policy works with compliance, not alone.

415
MCQ (easy)

You need to prepare on-premises Windows devices for a migration to Microsoft Intune. Which tool should you use to generate a configuration package that can be deployed via Group Policy or manual installation?

A. Windows Autopilot
B. Configuration Manager
C. Microsoft Intune Management Extension
D. Microsoft Intune Troubleshooting Tool
Answer: C

It enables enrollment and policy application on existing devices.

Why this answer

The Microsoft Intune Management Extension (IME) is the correct tool because it generates a configuration package (a .intunewin file) that can be deployed via Group Policy or manual installation to on-premises Windows devices. This package contains the IME agent and a PowerShell script that, when executed, enrolls the device into Intune and applies MDM policies, enabling a seamless migration without requiring direct network connectivity to Intune during the initial deployment.

Exam trap

The trap here is that candidates often confuse the Intune Management Extension with the Intune client software or assume that Windows Autopilot is the only way to enroll devices, but the IME is specifically designed to create a deployable package for on-premises devices that lack direct cloud connectivity.

How to eliminate wrong answers

Option A is wrong because Windows Autopilot is a cloud-first provisioning tool that requires devices to be Azure AD-joined and connected to the internet; it cannot generate a configuration package for offline deployment via Group Policy. Option B is wrong because Configuration Manager is a separate on-premises management tool that can co-manage devices with Intune but does not generate a standalone configuration package for Intune enrollment; it relies on the ConfigMgr client and cloud attach features. Option D is wrong because the Microsoft Intune Troubleshooting Tool is a diagnostic utility for analyzing enrollment and compliance issues, not a tool for generating deployment packages.

416
MCQ (easy)

You manage a fleet of iOS devices enrolled in Microsoft Intune. You need to ensure that only approved apps can be installed on corporate devices. Which policy type should you configure?

A. Device Configuration Profile with 'Allow app installation only from App Store' setting.
B. App Configuration Policy to restrict app installation.
C. Device Compliance Policy with 'Require approved apps' setting.
D. App Protection Policy with 'Allow only managed apps' setting.
Answer: D

This restricts installation to apps managed by Intune.

Why this answer

Option D is correct because App Protection Policies (APP) in Microsoft Intune control which apps can access corporate data on iOS devices. The 'Allow only managed apps' setting restricts data transfer and app usage to apps that are managed by Intune, effectively preventing installation of unapproved apps. This is the appropriate policy for enforcing approved app installation on corporate devices.

Exam trap

The trap here is that candidates confuse App Protection Policies (which control app-level data access and approved app lists) with Device Compliance Policies (which evaluate device-level settings), leading them to select Option C despite the absence of a 'Require approved apps' setting in compliance policies.

How to eliminate wrong answers

Option A is wrong because Device Configuration Profiles with 'Allow app installation only from App Store' control the source of app installation (App Store vs. sideloading), not which specific apps are approved; it does not restrict unapproved apps from being installed from the App Store. Option B is wrong because App Configuration Policies are used to supply custom settings or managed app configurations to apps, not to restrict app installation or enforce approval lists. Option C is wrong because Device Compliance Policies evaluate device health and settings (e.g., jailbreak detection, minimum OS version), but they do not have a 'Require approved apps' setting; compliance policies can mark devices noncompliant based on app inventory but do not block installation.

417
MCQ (hard)

Your organization uses Microsoft Intune to manage devices. You have a Windows 10 device that is co-managed with Configuration Manager. You need to configure a policy that requires BitLocker encryption. You create a BitLocker policy in Intune and assign it to the device. After 24 hours, BitLocker is not enabled on the device. You verify that the device is online and the policy is assigned. What is the most likely cause?

A. The device is not online.
B. The encryption workload is set to Configuration Manager.
C. The device is not enrolled in Intune.
D. The BitLocker policy is not assigned to the correct group.
Answer: B

Configuration Manager manages encryption, not Intune.

Why this answer

In a co-managed environment, workload control determines which management authority (Configuration Manager or Intune) handles specific policies. If the encryption workload is set to Configuration Manager, Intune's BitLocker policy will be ignored, even if assigned and the device is online. This is the most likely reason the policy did not take effect after 24 hours.

Exam trap

The trap here is that candidates assume Intune policy always applies to enrolled devices, overlooking the co-management workload slider that can block Intune from managing specific workloads like encryption.

How to eliminate wrong answers

Option A is wrong because the device is verified as online, so connectivity is not the issue. Option C is wrong because the device is co-managed, meaning it is enrolled in both Configuration Manager and Intune; the policy assignment confirms enrollment. Option D is wrong because the policy is assigned to the device and verified, so group assignment is not the problem; the issue is workload control overriding Intune's authority.

418
MCQ (easy)

You need to block users from enrolling personal Android devices in Microsoft Intune. Which enrollment restriction should you configure?

A. Set the 'Block personally owned devices' restriction for Android.
B. Set the 'Block Android' platform restriction.
C. Set the 'Block Android Enterprise' device type restriction.
D. Configure a device compliance policy to mark personal devices as non-compliant.
Answer: A

This blocks only personal devices while allowing corporate-owned.

Why this answer

Option B is correct because the 'Block personally owned devices' restriction prevents personal devices from enrolling. Option A is wrong because that restricts device platform, not ownership. Option C is wrong because device type restrictions are for platform, not ownership.

Option D is wrong because compliance policies do not block enrollment.

419
MCQ (easy)

A company is planning to use Windows Autopilot to deploy new devices. They want to ensure that devices are automatically enrolled in Microsoft Intune when a user signs in with their Microsoft Entra ID credentials. Which configuration is required?

A. Configure an Enrollment Status Page (ESP) profile in Intune.
B. Create a device compliance policy with the Action for noncompliance set to 'Enforce enrollment'.
C. Set device enrollment restrictions to allow all device platforms.
D. Configure MDM auto-enrollment in Microsoft Intune admin center.
Answer: A

ESP profile enables automatic enrollment during Autopilot.

Why this answer

Option A is correct because you need to configure an Enrollment Status Page (ESP) policy that allows automatic enrollment. Option B is wrong because MDM auto-enrollment is configured in Microsoft Entra ID, not Intune. Option C is wrong because a compliance policy does not enforce enrollment.

Option D is wrong because device enrollment restrictions do not enable automatic enrollment.

420
Multi-Select (hard)

You need to configure Microsoft Intune remote help for Windows devices. Which THREE conditions must be met?

Select 3 answers
A. Users must have an Intune license assigned.
B. Devices must be connected via VPN.
C. Devices must run Windows 10/11.
D. Tenant must have Azure AD Premium P2.
E. Devices must be Intune enrolled.
Answers: A, C, E

License required for remote help.

Why this answer

Option A is correct because Microsoft Intune remote help requires each user who initiates or receives a remote help session to have an Intune license assigned. This license grants the user access to the Intune service and the remote help feature, which is a premium capability within the Microsoft Endpoint Manager admin center. Without an assigned Intune license, the user cannot authenticate or authorize remote help sessions.

Exam trap

The trap here is that candidates often assume a VPN or premium Azure AD license is necessary for remote help, but Microsoft designed the feature to work over standard internet connectivity with only Intune licensing and device enrollment.

421
MCQ (easy)

Your organization uses Microsoft Intune to manage Android Enterprise devices. You need to ensure that corporate data is separated from personal data on the device. Which management approach should you use?

A. Android Enterprise kiosk mode
B. Android Enterprise fully managed
C. Android Enterprise work profile
D. Android device administrator
Answer: C

Work profile separates corporate and personal data.

Why this answer

Option A is correct because Android Enterprise work profile provides a separate container for corporate data. Option B is wrong because device administrator is legacy and does not separate data. Option C is wrong because fully managed devices do not have personal space.

Option D is wrong because kiosk mode is for single-app use.

422
MCQ (easy)

You need to ensure that Windows 11 devices automatically install critical updates as soon as they are released by Microsoft. Which update ring setting should you configure?

A. Set 'Update deferral period (days)' to 0 and 'Update deadline' to 0.
B. Set 'Update deferral period (days)' to 0 and 'Feature update deferral' to 7.
C. Set 'Update deferral period (days)' to 7.
D. Set 'Update deferral period (days)' to 30.
Answer: A

No deferral, immediate deadline.

Why this answer

Option A is correct because setting both 'Update deferral period (days)' to 0 and 'Update deadline' to 0 in a Windows 11 update ring ensures that critical updates are installed immediately upon release. The deferral period of 0 removes any delay before the update is offered, and the deadline of 0 forces the update to be installed without any grace period, achieving automatic and immediate installation of critical updates.

Exam trap

The trap here is that candidates often confuse 'Update deferral period' with 'Feature update deferral' or think that setting a deferral to 0 is unnecessary, but the question specifically requires immediate installation, which mandates both deferral and deadline to be 0.

How to eliminate wrong answers

Option B is wrong because setting 'Feature update deferral' to 7 introduces a 7-day delay for feature updates, which does not affect critical updates but indicates a misunderstanding that feature update deferral applies to critical updates. Option C is wrong because setting 'Update deferral period (days)' to 7 introduces a 7-day delay before critical updates are offered, preventing immediate installation. Option D is wrong because setting 'Update deferral period (days)' to 30 introduces a 30-day delay, which is the opposite of the required immediate installation.

423
Multi-Select (hard)

Your organization uses Microsoft Intune to manage iOS/iPadOS devices. You need to ensure that only devices with a passcode can access corporate resources. Which THREE configurations should you implement?

Select 3 answers
A. Device configuration profile with passcode settings
B. Windows Autopilot deployment profile
C. Conditional Access policy requiring compliant devices
D. App protection policy with passcode for managed apps
E. Device compliance policy with passcode requirement
Answers: A, C, E

Configures passcode on devices.

Why this answer

Device compliance policy with passcode rule, Conditional Access policy requiring compliant devices, and device configuration profile with passcode settings all enforce passcode. App protection policies apply to apps, not device-level. Autopilot is for Windows devices.

424
MCQ (easy)

You need to deploy Microsoft 365 Apps to Windows devices using Intune. Users should be able to install from Company Portal. What app type should you choose in Intune?

A. Windows app (Win32)
B. Microsoft 365 Apps
C. Web link
D. Microsoft Store app
Answer: B

Dedicated app type for Office.

Why this answer

Option B is correct because Microsoft 365 Apps for Windows is a built-in app type in Intune. Option A is wrong because Windows app (Win32) is for custom applications. Option C is wrong because Microsoft Store app is for store-based apps.

Option D is wrong because the web link is for linking to external sources.

425
MCQ (hard)

You are an endpoint administrator for a company that uses Microsoft Intune to manage devices. You need to ensure that only compliant devices can access Exchange Online. You have configured a Conditional Access policy that grants access to Exchange Online only if the device is marked as compliant. A user reports that they cannot access email from their iOS device, which is enrolled in Intune and shows as compliant. The user can access other Microsoft 365 services. What is the most likely cause?

A.The user does not have an Exchange Online license assigned.
B.The Conditional Access policy is configured to block access from non-corporate networks.
C.The device compliance policy is not set to require a PIN or password.
D.The Exchange Online workload is not enabled in Intune for mobile device management.
AnswerD

If the workload is not enabled, Intune cannot enforce compliance for Exchange Online access, causing the block.

Why this answer

The most likely cause is that the Exchange Online workload is not enabled in Intune for mobile device management (MDM). Even though the device is enrolled and compliant, Intune must have the Exchange Online workload enabled to apply Conditional Access policies that govern email access. Without this, the Conditional Access policy cannot enforce compliance checks specifically for Exchange Online, resulting in access being blocked despite the device showing as compliant.

Exam trap

The trap here is that candidates assume a compliant device automatically satisfies all Conditional Access requirements, but they overlook the prerequisite that the specific workload (e.g., Exchange Online) must be enabled in Intune for the policy to apply to that service.

How to eliminate wrong answers

Option A is wrong because a missing Exchange Online license would affect every Exchange-dependent service, not just the Conditional Access check; the user can access other Microsoft 365 services, and the issue is specific to email access from this device. Option B is wrong because the policy is configured to grant access only if the device is compliant, not to block based on network location; a non-corporate network block would affect all services, not just Exchange Online. Option C is wrong because the device is already marked as compliant in Intune, meaning it has passed all assigned compliance policies, including any PIN or password requirements; if a PIN were missing, the device would not show as compliant.

426
MCQmedium

Your organization has a mix of Windows 10 and Windows 11 devices managed by Intune. You need to enforce BitLocker encryption on all devices. Which policy type should you configure?

A.Device configuration profile with Administrative Templates.
B.Endpoint Protection profile in Device restrictions.
C.Device compliance policy.
D.Windows Update ring policy.
AnswerB

Endpoint Protection profile contains BitLocker settings.

Why this answer

Option B is correct because BitLocker settings are configured in the Endpoint Protection profile under Device restrictions. Option D is wrong because the Windows Update ring policy manages Windows Update settings. Option C is wrong because the Device compliance policy evaluates compliance but does not enforce BitLocker.

Option A is wrong because the Device configuration profile with 'Administrative Templates' can include BitLocker, but the standard method is the Endpoint Protection profile.

427
MCQmedium

You are planning the device enrollment strategy for a school that provides shared iPads to students. The iPads are used by multiple students throughout the day, and each student must have access to their own apps and data. Which enrollment method should you recommend?

A.Shared iPad enrollment using Apple Business Manager and Intune.
B.Automated Device Enrollment with user affinity.
C.User Enrollment
D.Device Enrollment (DEP) without user affinity.
AnswerA

Shared iPad supports multiple users with separate data.

Why this answer

Option A is correct because Shared iPad mode allows multiple users to sign in with Managed Apple IDs while data is kept separate. Option C is incorrect because User Enrollment is for personally owned devices. Option B is incorrect because Automated Device Enrollment with user affinity is for single-user corporate devices.

Option D is incorrect because it is not a standard enrollment type.

428
MCQeasy

Your organization has 200 Windows 10 devices that are not yet managed. You need to enroll them in Microsoft Intune. The devices are already joined to on-premises Active Directory. You want to enable hybrid Azure AD join and automatic enrollment via Group Policy. The devices are located in multiple sites with limited internet bandwidth. You need to minimize the amount of data transferred over the WAN during enrollment. What should you do?

A.Use Azure AD Connect to sync the devices to Azure AD and then enable automatic enrollment via Group Policy.
B.Configure a staging server to perform the initial Azure AD sync and then enable automatic enrollment via Group Policy.
C.Use Windows Autopilot to reset the devices and enroll them in Intune.
D.Manually enroll each device by signing in to the Company Portal.
AnswerB

Staging reduces WAN traffic by syncing locally.

Why this answer

Option B is correct because deploying a staging server (or an Azure AD Connect staging server) allows the initial device synchronization to Azure AD to occur locally, minimizing WAN traffic. After the sync, you can enable automatic enrollment via Group Policy, which only sends lightweight registration requests over the network rather than full device data.

Exam trap

The trap here is that candidates often assume Azure AD Connect is always the best choice for hybrid join, but they overlook the staging server feature specifically designed to minimize WAN traffic during initial bulk syncs.

How to eliminate wrong answers

Option A is wrong because using Azure AD Connect to sync devices directly over the WAN would transfer the full device objects and attributes across limited bandwidth links, increasing data transfer rather than minimizing it. Option C is wrong because Windows Autopilot resets the devices and requires internet connectivity for cloud-based provisioning, which would consume significant bandwidth and is not designed to minimize WAN data transfer during enrollment. Option D is wrong because manually enrolling each device via the Company Portal requires user interaction and still transfers enrollment data over the network, failing to minimize WAN traffic and being impractical for 200 devices.

429
MCQeasy

A user's Windows 11 device is not receiving the Company Portal app after enrollment. The device is enrolled in Microsoft Intune. What is the most likely cause?

A.The device is not compliant with security policies.
B.The device is running Windows 10 instead of Windows 11.
C.The device is not connected to the internet.
D.The user does not have an Intune license.
AnswerC

Company Portal download requires internet connectivity.

Why this answer

The Company Portal app is delivered to enrolled devices via Intune, but the initial download and installation require an active internet connection to reach Microsoft's cloud services. If the device is not connected to the internet, the enrollment process may complete locally, but the Company Portal app will not be pushed or installed until connectivity is restored. This is the most likely cause because the question states the device is already enrolled, ruling out licensing or compliance issues that would prevent enrollment itself.

Exam trap

The trap here is that candidates often assume compliance policies or licensing are the root cause for missing apps, but the question explicitly states the device is enrolled, which already confirms a valid license and a successful initial connection, making internet connectivity the most logical remaining factor.

How to eliminate wrong answers

Option A is wrong because non-compliance with security policies does not block the installation of the Company Portal app; it may restrict access to resources or trigger remediation, but the app is still delivered. Option B is wrong because the Company Portal app is fully supported on Windows 10 (version 1607 and later) and Windows 11; the OS version is not a factor. Option D is wrong because the user must have an Intune license to enroll the device, and since the device is already enrolled, the license is present; a missing license would prevent enrollment entirely, not just the app delivery.

430
Multi-Selectmedium

Which TWO of the following are required to implement Azure AD Join for Windows 10 devices in a hybrid environment with on-premises Active Directory?

Select 2 answers
A.Active Directory Federation Services (AD FS) deployed.
B.Windows 10 devices that are domain-joined to the on-premises Active Directory.
C.Azure AD Connect with device writeback enabled.
D.Azure AD Premium P1 licenses for all users.
E.Windows Hello for Business configured for all users.
AnswersB, C

Devices must be domain-joined to be hybrid Azure AD joined.

Why this answer

Option B is correct because Azure AD Join in a hybrid environment requires devices to be domain-joined to on-premises Active Directory first. This allows Azure AD Connect to synchronize the device objects and, with device writeback enabled, register them in Azure AD, enabling seamless single sign-on and conditional access.

Exam trap

The trap here is that candidates often assume AD FS is mandatory for any hybrid identity scenario, but Microsoft supports multiple authentication methods (e.g., PHS, PTA) that do not require AD FS for Azure AD Join.

431
Multi-Selecteasy

Your organization uses Microsoft Intune to manage Android Enterprise devices. You need to configure a policy that restricts the device from taking screenshots. Which THREE settings can you use?

Select 3 answers
A.Disable screen capture.
B.Disable copy and paste.
C.Disable camera.
D.Disable Bluetooth.
E.Disable Wi-Fi.
AnswersA, B, C

Directly prevents screenshots.

Why this answer

In Intune, Android Enterprise devices are restricted through a device restrictions profile. Under the General section, the profile includes 'Disable screen capture', which directly prevents screenshots, as well as 'Disable camera' and 'Disable copy and paste'. Only 'Disable screen capture' blocks screenshots outright; the other two do not act on screenshots themselves, but the three settings are used together to restrict data leakage from the device.

So options A, B and C are correct. Option D is wrong because 'Disable Bluetooth' does not restrict screenshots. Option E is wrong because 'Disable Wi-Fi' does not.

432
MCQeasy

An organization uses Configuration Manager to deploy software updates to Windows 10 devices. The administrator wants to ensure that devices receive updates from the local distribution point rather than the cloud. Which boundary group option should be configured?

A.Prefer distribution points over cloud sources
B.Enable peer caching
C.Use cloud distribution points only
D.Fallback to cloud sources
AnswerA

This setting forces clients to use local distribution points first.

Why this answer

Option A is correct because the 'Prefer distribution points over cloud sources' boundary group option ensures that clients will attempt to download software updates from a local distribution point before falling back to a cloud-based source. This setting directly controls client behavior to prioritize on-premises distribution points, which aligns with the administrator's goal of keeping traffic local and avoiding cloud egress.

Exam trap

The trap here is that candidates often confuse 'Prefer distribution points over cloud sources' with 'Fallback to cloud sources,' mistakenly thinking that allowing fallback is the same as prioritizing local sources, when in fact the fallback option only enables cloud use as a last resort without establishing a preference order.

How to eliminate wrong answers

Option B is wrong because 'Enable peer caching' configures clients to share content with each other within the same boundary group, but it does not influence the preference between local distribution points and cloud sources; it is a separate optimization for peer-to-peer content distribution. Option C is wrong because 'Use cloud distribution points only' would force clients to exclusively use cloud sources, which is the opposite of the desired behavior to avoid the cloud. Option D is wrong because 'Fallback to cloud sources' allows clients to use cloud distribution points as a backup when local distribution points are unavailable, but it does not prioritize local distribution points over cloud sources; it merely permits cloud fallback.

433
MCQhard

A user on a Windows 11 device managed by Intune reports that a required Win32 app is not installing. The Intune console shows the app assignment is 'Required' and the device status is 'Error'. You review the detection rules and find that the app is detected by file version. The app installs successfully when run manually with admin rights. What is the most likely cause?

A.The installation script returns a non-zero exit code.
B.The detection rule is incorrectly matching an existing file version.
C.The Intune Management Extension is not running.
D.The installation script fails in system context.
AnswerB

A false positive detection can cause Intune to skip installation and report error.

Why this answer

Option B is correct because the detection rule may be checking for a file version that already exists (e.g., from a previous version), causing Intune to think the app is already installed. Option A is wrong because the app installs manually, and a non-zero script exit code would show as a failed installation rather than a detection issue. Option C is wrong because the device reports an installation error, which requires the Intune Management Extension to have run.

Option D is wrong because admin rights are available manually but the system context may differ.

434
MCQhard

An organization uses Microsoft Intune to manage iOS devices. They need to deploy an internal line-of-business (LOB) app that is signed with an enterprise certificate. The app must be available to users who are members of a dynamic Microsoft Entra ID group. Which deployment method should you use?

A.Use a VPP token to deploy the app
B.Configure a managed open-in policy
C.Assign the LOB app as 'Required' to the dynamic group
D.Assign the LOB app as 'Available' to the dynamic group
AnswerD

Makes the app available in Company Portal for group members.

Why this answer

Assigning the app to the dynamic group as an available deployment will make it visible in the Company Portal. Required deployment forces installation, not ideal. A volume purchase program (VPP) is for store apps.

Managed open-in is a data protection feature.

435
MCQhard

Refer to the exhibit. You query Microsoft Graph API and receive this JSON for a managed device. App2 installation failed. The app is a Win32 app deployed as required. The device is compliant and enrolled via MDM. What is the most likely reason for the failure?

A.The Intune Management Extension is not installed.
B.The app is not assigned to the user.
C.The app version is incompatible with the device OS.
D.The device is not compliant.
AnswerA

IME is required for Win32 apps on MDM devices.

Why this answer

Win32 apps require the Intune Management Extension (IME) to install on MDM-only devices. Without IME, installation fails. Option D is incorrect because the device is compliant, and compliance does not block installation.

Option B is incorrect because the app can be assigned to a user or a device. Option C is incorrect because the version is correct.

436
MCQhard

You are deploying a custom Windows 10 image to 200 new laptops using MDT. The deployment fails on several devices at the 'Apply Operating System' step with error 0x80070070. The laptops have 60 GB SSDs and 4 GB RAM. What is the most likely cause?

A.The laptops have insufficient RAM (4 GB) to run the deployment.
B.The deployment share is not accessible over the network.
C.The custom image is missing critical drivers.
D.The custom image is too large for the 60 GB SSD.
AnswerD

Error 0x80070070 means 'Not enough disk space'. The image likely exceeds available space.

Why this answer

Error 0x80070070 translates to 'insufficient disk space' (ERROR_DISK_FULL). During the 'Apply Operating System' step, MDT decompresses the custom WIM image and applies it to the local disk. With a 60 GB SSD, if the custom image (including drivers, updates, and applications) exceeds the available free space after partitioning, the deployment fails.

This is the most direct cause given the error code and hardware constraints.

Exam trap

The trap here is that candidates often confuse error 0x80070070 with a RAM issue (since low RAM can cause other errors) or assume network connectivity is the problem, but the error code explicitly points to disk space, not memory or network.

How to eliminate wrong answers

Option A is wrong because 4 GB RAM is sufficient for MDT deployment of Windows 10; the minimum requirement is 2 GB (64-bit), and the error code specifically indicates disk space, not memory. Option B is wrong because network accessibility issues would typically produce error 0x80070035 (network path not found) or 0x80004005 (access denied), not a disk space error. Option C is wrong because missing critical drivers would cause a different error, such as 0x80070570 (corrupted or missing files) or a BSOD during boot, not a disk space error during the apply phase.

437
MCQhard

Refer to the exhibit. You deploy this compliance policy to Windows 10 devices. A device reports as compliant, but you suspect it may have a weak password policy because the password type is 'deviceDefault'. What is the effect of 'deviceDefault' on the password requirement?

A.It requires a password that meets the minimum length but no complexity
B.It uses the password type configured in the device's local policy
C.It does not require a password at all
D.It requires a password that contains at least one number and one letter
AnswerB

'deviceDefault' defers to the device's own settings.

Why this answer

Option B is correct. 'deviceDefault' means the device's own password settings are used, which may not enforce the Intune password requirements. Option A is wrong because 'deviceDefault' does not require a specific password type. Option C is incorrect.

Option D is incorrect.

438
MCQhard

Your organization uses Windows Defender Application Control (WDAC) to allow only approved apps. After deploying a WDAC policy via Intune, some users report that a critical line-of-business app is blocked. How should you troubleshoot?

A.Review CodeIntegrity/Operational logs in Event Viewer
B.Check AppLocker logs in Event Viewer
C.Review Intune device management events for policy errors
D.Check Microsoft 365 Defender portal for WDAC alerts
AnswerA

WDAC blocks are logged in CodeIntegrity/Operational.

Why this answer

Option A is correct: WDAC policies generate block events in Event Viewer under Microsoft-Windows-CodeIntegrity/Operational. Option B (AppLocker) is a different technology. Option C (Device Management Events) may not contain WDAC details.

Option D (Microsoft 365 Defender portal) shows alerts but not per-app block details.

439
Multi-Selecteasy

Which TWO methods can you use to deploy Microsoft 365 Apps to Windows 10 devices managed by Intune?

Select 2 answers
A.Use the Microsoft 365 Apps (Windows) app type in Intune.
B.Use the Microsoft 365 Apps admin center to create a configuration and deploy via Intune.
C.Use the Office Deployment Tool wrapped as a Win32 app.
D.Use Group Policy to assign Office installation.
E.Deploy the Microsoft Store version of Office.
AnswersA, B

This built-in app type simplifies deployment.

Why this answer

Option A is correct because the 'Microsoft 365 Apps (Windows)' app type in Intune is a built-in deployment method specifically designed to install Office 365 ProPlus (now Microsoft 365 Apps) on managed Windows 10 devices. It allows you to select the installation channel, language, and update settings directly from the Intune console without needing external tools.

Exam trap

The trap here is that candidates often confuse the 'Microsoft 365 Apps (Windows)' app type with the Office Deployment Tool wrapped as a Win32 app, thinking both are equally native Intune methods, but the question specifically asks for methods that use Intune—and the ODT wrapper is a custom deployment, not a native Intune app type.

440
MCQmedium

A company with 500 users uses Microsoft 365 E3 licenses. They want to ensure that all users have multi-factor authentication (MFA) enforced. Currently, 80% of users have MFA enabled through the legacy per-user MFA setting. The security team wants to use Conditional Access policies instead. You need to migrate from per-user MFA to Conditional Access with no disruption to users. What should you do?

A.Create a Conditional Access policy requiring MFA for all cloud apps, including break-glass accounts. Then disable per-user MFA.
B.Create a Conditional Access policy requiring MFA for all users only when accessing from outside the corporate network.
C.Create a Conditional Access policy requiring MFA for all users, excluding break-glass accounts. Disable per-user MFA for all users.
D.Disable per-user MFA for all users, then create a Conditional Access policy requiring MFA for all cloud apps.
AnswerC

This ensures MFA is always enforced and provides emergency access via break-glass accounts.

Why this answer

Option C is correct because you need to exclude the break-glass accounts from the Conditional Access policy to ensure admin access if something goes wrong. You should first create a Conditional Access policy that requires MFA for all users except the break-glass accounts, then disable the per-user MFA for all users. Option D is incorrect because disabling per-user MFA before creating the policy would leave users without MFA.

Option B is incorrect because using a Conditional Access policy to require MFA from outside the network only would not enforce MFA for internal access. Option A is incorrect because creating a policy without excluding break-glass accounts could lock out administrators.

441
MCQhard

Your organization uses Microsoft Intune to manage macOS devices. You need to deploy a custom .pkg app that requires specific installation parameters. Which app type should you select?

A.Line-of-business app
B.macOS app (DMG)
C.Windows app (Win32)
D.macOS app (PKG)
AnswerB

DMG app type supports .pkg files embedded in disk images.

Why this answer

For macOS, custom .pkg apps are deployed using the 'macOS app (DMG)' type, which supports .pkg files embedded in a .dmg, so Option B is correct. Option A is wrong because the Line-of-business app type is for iOS/iPadOS.

Option D is wrong because the macOS app (PKG) type does not exist natively; .pkg is handled via DMG. Option C is wrong because the Windows app (Win32) type is for Windows only.

442
MCQhard

You are troubleshooting an iPhone that cannot enroll in Microsoft Intune. The user receives an error stating 'This device is already enrolled in another MDM.' What is the most likely cause?

A.The device is already enrolled in Apple Business Manager or another MDM.
B.The device has a VPN configuration installed.
C.The device is not running the latest iOS version.
D.The user's license is expired.
AnswerA

Apple devices can only be enrolled in one MDM at a time. The device must be removed from the other MDM first.

Why this answer

The error 'This device is already enrolled in another MDM' indicates that the iPhone has an existing MDM profile that conflicts with Intune enrollment. This typically occurs when the device is already enrolled in Apple Business Manager (ABM) or another MDM solution, as iOS enforces a single MDM enrollment per device. Intune cannot overwrite an existing MDM profile without first removing it.

Exam trap

The trap here is that candidates may confuse MDM enrollment conflicts with other common issues like outdated OS or licensing, but the specific error message directly points to an existing MDM profile, not generic configuration or access problems.

How to eliminate wrong answers

Option B is wrong because a VPN configuration does not prevent MDM enrollment; it is a separate network setting that can coexist with an MDM profile. Option C is wrong because while an outdated iOS version might cause compatibility issues, it does not produce the specific 'already enrolled' error; Intune supports a range of iOS versions with appropriate requirements. Option D is wrong because an expired user license would block Intune enrollment with a different error (e.g., 'License not found' or 'Access denied'), not the 'already enrolled' message.

443
MCQmedium

Refer to the exhibit. You have configured the above Windows Autopilot profile. A device with this profile is being set up. However, the device does not appear to be provisioning correctly. What is the most likely issue?

A.The device name template is invalid.
B.The device does not have a TPM 2.0 chip.
C.The profile requires a user to sign in during deployment.
D.The language settings are not configured.
AnswerB

TPM 2.0 is required for self-deploying mode attestation.

Why this answer

Windows Autopilot self-deploying mode requires a TPM 2.0 chip to perform hardware-based attestation and automatically enroll the device without user interaction. If the device lacks TPM 2.0, the provisioning process will fail because the required cryptographic keys for attestation cannot be generated, preventing the device from completing the self-deploying profile.

Exam trap

The trap here is that candidates assume any Autopilot mode can work without TPM 2.0, but Microsoft explicitly requires TPM 2.0 for self-deploying and pre-provisioning modes, while user-driven mode can proceed with software-based attestation if TPM is unavailable.

How to eliminate wrong answers

Option A is wrong because the device name template is validated during profile creation and would cause a profile creation error, not a provisioning failure after assignment. Option C is wrong because the exhibit shows a self-deploying mode profile, which explicitly does not require user sign-in; requiring user sign-in would contradict the mode's purpose. Option D is wrong because language settings are optional in Autopilot profiles and their absence does not prevent provisioning; the device will use default language settings.

444
Multi-Selectmedium

You are planning to deploy Microsoft Intune for device management. Which TWO of the following are prerequisites for enrolling Windows 10 devices in Intune?

Select 2 answers
A.Microsoft Entra ID (Azure AD) Premium P1 or P2.
B.Microsoft Intune license assigned to the user.
C.A Microsoft account (MSA) for each user.
D.Microsoft 365 E3 subscription.
E.Azure Information Protection license.
AnswersA, B

Microsoft Entra ID is required for device identity and authentication.

Why this answer

Microsoft Entra ID (Azure AD) Premium P1 or P2 is a prerequisite because Intune relies on Azure AD for identity and conditional access policies. Without a Premium license, you cannot configure device compliance policies, deploy Windows Hello for Business, or use advanced features like Autopilot. This requirement ensures the tenant has the necessary identity management capabilities to support Intune enrollment and management.

Exam trap

The trap here is that candidates often confuse the need for an Azure AD Premium license with the base Azure AD free tier, assuming free Azure AD is sufficient for Intune enrollment, but Microsoft requires Premium for full device management features like conditional access and compliance policies.

445
MCQhard

Your organization uses Microsoft Intune to manage iOS/iPadOS devices. You need to ensure that only approved apps can be installed on corporate-owned devices. Which configuration profile type should you use?

A.Email profile.
B.Device features profile.
C.Apple Configurator enrollment profile.
D.Device restrictions profile with 'Allow app installation from App Store only' set to 'Block'.
AnswerD

This blocks installation of apps not from the App Store.

Why this answer

Option D is correct because a device restrictions profile with 'Allow app installation from App Store only' and a compliant apps policy can restrict apps. Option C is wrong because the Apple Configurator enrollment profile is for device enrollment, not app control. Option B is wrong because the Device Features profile manages settings like wallpaper.

Option A is wrong because the Email profile configures mail settings.

446
MCQhard

Your organization uses Microsoft Defender for Endpoint (MDE) and Microsoft Intune. You need to create a device group that dynamically includes all devices with a threat level of 'High' from MDE. You then plan to apply a compliance policy to force those devices to be non-compliant. Which method should you use to create the dynamic group?

A.Create a security group in Microsoft Entra ID and manually add devices with high threat
B.Create a dynamic device group in Microsoft Entra ID using a rule that includes device.securityTags with the tag 'HighThreat'
C.Create a device group in Microsoft Defender for Endpoint and assign it to a compliance policy
D.Create a dynamic device group in Microsoft Intune using a rule based on threat level
AnswerB

Microsoft Defender for Endpoint can tag devices with threat levels, and Entra ID dynamic groups can use these tags.

Why this answer

Option B is correct because dynamic device groups in Microsoft Entra ID can use rules based on device properties, including MDE threat level. Option C is wrong because MDE machine groups are not used for compliance policies. Option D is wrong because Intune groups cannot be dynamic based on MDE threat level.

Option A is wrong because security groups are static.

447
MCQhard

You are designing a Windows 11 update strategy for a fleet of 500 devices managed by Intune. The organization requires that critical security updates be applied within 7 days, but feature updates can be delayed up to 60 days. Which Update Rings configuration should you use?

A.Assign a Quality Update policy with deferral of 7 days
B.Create an Update Ring with quality update deferral of 7 days and feature update deferral of 60 days
C.Configure Windows Update for Business via Group Policy on-premises
D.Assign a Feature Update policy with deferral of 60 days
AnswerB

Update Rings allow separate deferrals for quality and feature updates.

Why this answer

Option B is correct because Update Rings in Intune allow setting deferral periods separately for quality (security) updates and feature updates. You can set quality update deferral to 7 days and feature update deferral to 60 days. Option C (Windows Update for Business via Group Policy) is a legacy method.

Option D (Feature update policy) alone doesn't control quality updates. Option A (Quality update policy) alone doesn't control feature updates.

448
MCQhard

You are planning a Windows 11 deployment for 500 new devices using Windows Autopilot. The devices will be shipped directly to users from the manufacturer. You need to ensure that the devices are automatically enrolled in Intune and joined to Microsoft Entra ID. What should you do?

A.Register the device hashes in Intune and assign an Autopilot deployment profile
B.Pre-install the Intune Management Extension on each device
C.Configure a provisioning package and include it with the shipment
D.Create a hybrid Azure AD join configuration in Intune
AnswerA

Registering device hashes and assigning an Autopilot deployment profile with the desired join type is the standard approach.

Why this answer

Option A is correct because Windows Autopilot uses device hashes (hardware IDs) to identify devices in Intune. By registering these hashes and assigning an Autopilot deployment profile, the devices are automatically enrolled in Intune and joined to Microsoft Entra ID during the out-of-box experience (OOBE), without requiring manual intervention or additional infrastructure.

Exam trap

The trap here is that candidates often confuse hybrid Azure AD join with Microsoft Entra ID join, or think provisioning packages are needed for Autopilot, when in fact Autopilot is designed for zero-touch, cloud-only scenarios without any on-premises dependency.

How to eliminate wrong answers

Option B is wrong because the Intune Management Extension is automatically installed during Intune enrollment, not pre-installed on devices before Autopilot runs. Option C is wrong because provisioning packages (PPKG files) are used for manual or bulk provisioning, not for the zero-touch, cloud-driven Autopilot scenario where devices are shipped directly to users. Option D is wrong because hybrid Azure AD join requires a connection to on-premises Active Directory and is not the default for Autopilot; the scenario specifies Microsoft Entra ID join, not hybrid.

449
MCQeasy

Refer to the exhibit. A compliance policy is defined for Windows 10 devices. What is the minimum OS version required?

A. Windows 10 20H2
B. Windows 10 1903
C. Windows 10 21H2
D. Windows 10 2004
Answer: D

10.0.19041 corresponds to Windows 10 version 2004.

Why this answer

Option B is correct. The JSON shows 'osMinimumVersion' set to '10.0.19041.0', which is Windows 10 version 2004. Option A is wrong because 1903 is 10.0.18362.

Option C is wrong because 20H2 is 10.0.19042. Option D is wrong because 21H2 is 10.0.19044.

450
MCQeasy

An organization needs to deploy Windows 11 to remote users who do not have access to the corporate network. The devices are brand new and have internet connectivity. Which deployment method should the administrator recommend?

A. Use Configuration Manager with a task sequence over VPN.
B. Use PXE boot from a distribution point at the local office.
C. Use Windows Autopilot with user-driven mode.
D. Deploy using MDT with a bootable USB drive.
Answer: C

Autopilot enables cloud-based deployment.

Why this answer

Windows Autopilot with user-driven mode is the correct choice because it enables remote, zero-touch deployment of new Windows 11 devices using only internet connectivity. The devices are pre-registered in Autopilot, and during the out-of-box experience (OOBE), they automatically download the organization-specific configuration, join Azure AD, and enroll in MDM without requiring any VPN or on-premises infrastructure.

Exam trap

The trap here is that candidates often assume VPN or PXE are viable for remote deployments, but they overlook the fundamental requirement that brand-new devices have no pre-existing network configuration or corporate connectivity, making internet-based Autopilot the only practical option.

How to eliminate wrong answers

Option A is wrong because Configuration Manager task sequences over VPN require the device to first establish a VPN connection to the corporate network, which is not possible for brand-new devices that lack pre-configured VPN profiles and have no prior network access. Option B is wrong because PXE boot relies on a local network broadcast and a distribution point on the same subnet; remote users without corporate network access cannot reach a PXE server, and PXE does not work over the internet. Option D is wrong because deploying with MDT using a bootable USB drive requires physical delivery of the USB media to each remote user, which is not a scalable or practical solution for a large number of remote devices and does not leverage internet connectivity for deployment.
