Microsoft 365 Endpoint Administrator MD-102 (MD-102) — Questions 451–525

991 questions total · 14 pages · All types, answers revealed

Page 7 of 14

451
MCQ · hard

Refer to the exhibit. You apply this device configuration profile to a group of Windows 10 devices. Users report that they receive update notifications outside of active hours. Which setting should you modify to suppress notifications during active hours?

A. Set updateNotificationLevel to 'turnOffAllNotifications'.
B. Modify activeHoursStart and activeHoursEnd to cover the full day.
C. Set cloudBlockLevel to 'normal'.
D. Set detectionFrequency to a higher value.
Answer: A

This disables all Windows Update notifications.

Why this answer

The setting updateNotificationLevel controls whether Windows Update displays notifications to users. Setting it to 'turnOffAllNotifications' suppresses all update notifications, including those that appear outside of active hours. This is the correct configuration to prevent users from seeing update notifications during active hours.

Exam trap

The trap here is that candidates often confuse active hours (which control update installation timing) with notification suppression, leading them to incorrectly choose modifying active hours instead of the dedicated notification control setting.

How to eliminate wrong answers

Option B is wrong because modifying activeHoursStart and activeHoursEnd to cover the full day would prevent updates from being installed during that time, but it does not suppress the notifications themselves; users would still receive update notifications outside the defined active hours. Option C is wrong because cloudBlockLevel is a Microsoft Defender for Endpoint setting that controls cloud-delivered protection levels, not Windows Update notification behavior. Option D is wrong because detectionFrequency controls how often the device checks for updates, not whether notifications are shown; increasing it would not suppress notifications.

452
Multi-Select · medium

Which TWO actions should you take to prepare infrastructure for devices running macOS in your organization? (Select two.)

Select 2 answers
A. Deploy the Company Portal app to macOS devices.
B. Enroll macOS devices in Microsoft Intune.
C. Configure Windows Autopilot for macOS devices.
D. Join macOS devices to Microsoft Entra ID.
E. Use Group Policy to manage macOS settings.
Answers: A, B

Company Portal provides self-service app installation.

Why this answer

Option A is correct because the Company Portal app is the primary interface for users to enroll macOS devices in Microsoft Intune, access corporate resources, and manage compliance. Deploying it ensures users can initiate enrollment and receive policies. Option B is correct because enrolling macOS devices in Intune is the foundational step to apply management policies, deploy apps, and enforce compliance settings via MDM.

Exam trap

The trap here is that candidates may confuse Windows-centric technologies like Autopilot and Group Policy as being cross-platform, when in fact macOS management relies on Apple-specific protocols and tools such as MDM, APNs, and Apple Business Manager.

453
MCQ · easy

You need to ensure that corporate devices automatically install critical Windows updates within 24 hours of release. Which update ring setting should you configure in Intune?

A. Grace Period for Restarts (days)
B. Defer Quality Updates (days)
C. Update Deadline for Quality Updates (days)
D. Active Hours
Answer: C

This setting enforces installation by a deadline.

Why this answer

The 'Update Deadline for Quality Updates (days)' setting in Intune's update ring policy enforces a deadline by which quality updates must be installed. Configuring this to 1 day ensures that devices install critical Windows updates within 24 hours of release, as the deadline triggers automatic installation and restart after the specified number of days.

Exam trap

The trap here is that candidates confuse 'Defer Quality Updates' (which delays updates) with 'Update Deadline for Quality Updates' (which enforces installation timing), leading them to incorrectly select Option B thinking it controls installation speed.

How to eliminate wrong answers

Option A is wrong because 'Grace Period for Restarts (days)' controls how long after the deadline a user can postpone a restart, not the time to install the update. Option B is wrong because 'Defer Quality Updates (days)' delays the availability of updates, which would prevent automatic installation within 24 hours of release. Option D is wrong because 'Active Hours' defines a time window during which restarts are avoided, but does not enforce a deadline for update installation.

454
MCQ · medium

Your company uses Microsoft Defender for Endpoint (Defender XDR). You need to configure an automated investigation and remediation (AIR) rule that automatically quarantines a file when a specific alert is triggered. Which action should you take?

A. Add an indicator of compromise for the file.
B. Configure a device control policy.
C. Create a new automation rule in the Microsoft 365 Defender portal.
D. Create an attack surface reduction rule.
Answer: C

Automation rules define automated actions based on alerts.

Why this answer

Option C is correct because automated investigation and remediation rules use conditions and actions. Option D is wrong because attack surface reduction rules reduce attack surface, not automate response. Option A is wrong because indicators are for block/allow, not automation. Option B is wrong because device control policies restrict hardware.

455
Multi-Select · medium

Which TWO actions can you perform to reduce the amount of time it takes for a Windows 10 device to receive a new policy from Microsoft Intune?

Select 2 answers
A. Increase the policy refresh interval in the device configuration profile.
B. Manually trigger a sync from the device's Settings > Accounts > Access work or school.
C. Restart the device.
D. Change the device's DNS to point to a local Intune server.
E. Configure the device to sync more frequently using the Intune management extension.
Answers: B, E

Manual sync triggers immediate policy retrieval.

Why this answer

Reducing the check-in frequency can be done by configuring more frequent sync intervals via the Intune management extension, or by manually triggering a sync from the device. Option A is incorrect because increasing the frequency would increase time. Option C is incorrect because rebooting does not trigger a policy sync. Option D is incorrect because the policy refresh interval is not configurable via device policies.

456
MCQ · easy

A company uses Microsoft Intune to manage devices. They want to ensure that when a device is reported as lost or stolen, the IT admin can remotely wipe the device. Which action should the admin take in the Intune console?

A. Select the device and choose 'Retire'.
B. Select the device and choose 'Wipe'.
C. Select the device and choose 'Reset'.
D. Select the device and choose 'Delete'.
Answer: B

Wipe performs a factory reset, removing all data.

Why this answer

The 'Wipe' action in Microsoft Intune restores a device to its factory default settings, removing all corporate and personal data. This is the appropriate action for a lost or stolen device to prevent unauthorized access to company data. The 'Retire' action only removes managed app data and policies but leaves personal data intact, which is insufficient for a security breach scenario.

Exam trap

The trap here is that candidates often confuse 'Retire' with 'Wipe', assuming both remove data equally, but 'Retire' only removes managed corporate data while leaving personal data and device access intact, making it unsuitable for lost or stolen scenarios.

How to eliminate wrong answers

Option A is wrong because 'Retire' removes only managed corporate data and policies from the device, leaving personal data and the device itself functional, which does not fully protect data on a lost or stolen device. Option C is wrong because 'Reset' is not a standard Intune action; the correct term is 'Wipe' for factory reset, and 'Reset' may be confused with a local device reset that is not initiated via Intune. Option D is wrong because 'Delete' removes the device object from Intune management but does not perform a remote wipe, leaving the device and its data untouched.

457
Multi-Select · medium

Which THREE of the following are required to deploy a Win32 app using Microsoft Intune?

Select 3 answers
A. Product code
B. Detection rule
C. Return codes for success
D. Dependencies
E. Installation command
Answers: B, C, E

Required to determine if app is installed.

Why this answer

Options B, C, and E are required: a detection rule to verify installation, a return code for success, and an installation command. Option D is optional; Option A is only for MSI apps.

458
MCQ · hard

You deploy a Win32 app via Intune to Windows 10 devices. The app installs successfully, but the detection rule incorrectly reports the app as not installed, causing Intune to attempt reinstallation repeatedly. Which detection rule method is most likely causing this issue?

A. MSI product code detection uses a product code that does not match the installed app
B. File existence detection checks for a file that is installed by the app
C. Registry detection checks for a registry key that is created by the app
D. Custom script detection returns exit code 0 even if app is not present
Answer: A

Mismatched product code causes detection failure.

Why this answer

Option A is correct because if the MSI product code is used but the product code is wrong or missing, Intune will not detect the app. Option B is wrong because file existence detection is straightforward if the path is correct. Option C is wrong because registry detection is reliable if the key exists. Option D is wrong because custom script detection can work if the script returns the correct exit code.

459
MCQ · medium

Your organization plans to deploy Windows 365 Cloud PCs. You need to ensure that users can connect only from compliant devices. Which configuration should you implement?

A. Create an app protection policy for Windows 365 app.
B. Configure the Cloud PC provisioning policy to allow only compliant devices.
C. Assign a device compliance policy to all users.
D. Create a Conditional Access policy requiring device to be marked as compliant.
Answer: D

Conditional Access enforces compliance requirement.

Why this answer

Option D is correct because a Conditional Access policy that requires the device to be marked as compliant is the only configuration that enforces compliance at the authentication and access level. This policy evaluates the device's compliance status (reported by Microsoft Intune) before granting access to Windows 365 Cloud PCs, ensuring that only devices meeting your organization's compliance requirements can connect.

Exam trap

The trap here is that candidates often confuse provisioning policies (which configure Cloud PCs) with access control policies (Conditional Access), leading them to select Option B, but provisioning policies do not enforce compliance-based access restrictions.

How to eliminate wrong answers

Option A is wrong because app protection policies (MAM) manage data protection within apps and do not evaluate device compliance; they are designed for unmanaged devices and cannot block access based on device compliance status. Option B is wrong because a Cloud PC provisioning policy defines the configuration and assignment of Cloud PCs (e.g., image, network, user assignments) but does not enforce access controls or compliance checks at the time of connection. Option C is wrong because assigning a device compliance policy to all users defines the compliance requirements (e.g., encryption, OS version) but does not enforce access restrictions; it only marks the device as compliant or non-compliant—a separate Conditional Access policy is needed to block non-compliant devices.

460
MCQ · hard

Refer to the exhibit. You deploy this compliance policy to a Windows 11 device running build 10.0.22621.1000. The device has BitLocker enabled, Secure Boot enabled, and code integrity enabled. Is the device compliant?

A. No, the device's OS version exceeds the maximum allowed.
B. No, the device does not have a password set.
C. Yes, the device meets all requirements.
D. Yes, but only if the device is Windows 10 Pro.
Answer: A

The policy restricts max version to 22621.0.

Why this answer

Option B is correct because the device's OS version (22621.1000) is higher than the maximum version (22621.0) specified in the policy, making it non-compliant. Option A is wrong because the device exceeds the max version. Option C is wrong because the device is non-compliant. Option D is wrong because the policy does not require a specific edition.

461
MCQ · hard

You are deploying a Win32 app that requires .NET Framework 4.8. You create a dependency in Intune for the .NET Framework app. However, some devices fail to install the parent app even though .NET Framework is present. What is the most likely issue?

A. The dependency version is set to 'Greater than' instead of 'Greater than or equal to'.
B. The dependency detection rule does not match the actual .NET installation.
C. The parent app is set to install before the dependency.
D. The dependency is set to 'Do not install automatically'.
Answer: B

Intune uses detection rules to determine if dependency is present.

Why this answer

Option B is correct because dependency rules check for app presence by detection method; if the detection method is not configured correctly, Intune may think .NET is not installed. Option A is wrong because dependencies do not check version by default. Option D is wrong because dependencies can be set to auto-install. Option C is wrong because the parent app does not install before the dependency.

462
Multi-Select · medium

A company is deploying Windows 11 using a task sequence in Configuration Manager. They encounter an issue where the task sequence fails on devices that have BitLocker enabled. Which TWO actions should you take to ensure the task sequence completes successfully on BitLocker-enabled devices?

Select 2 answers
A. Add a 'Preprovision BitLocker' step before the 'Apply Operating System' step
B. Ensure the boot image includes the Microsoft BitLocker Administration and Monitoring (MBAM) optional component
C. Add a 'Suspend BitLocker' step before the 'Format and Partition Disk' step
D. Ensure the boot image includes the BitLocker optional component in WinPE
E. Disable Secure Boot in the device BIOS
Answers: C, D

Suspending BitLocker allows partition modifications.

Why this answer

Option C is correct because suspending BitLocker before the 'Format and Partition Disk' step prevents the task sequence from failing due to BitLocker-protected volumes. When BitLocker is active, the disk cannot be repartitioned or formatted without first suspending protection, as the Trusted Platform Module (TPM) validation and encryption keys would be invalidated. Option D is correct because the boot image must include the BitLocker optional component in WinPE to enable BitLocker-related operations (e.g., suspend, resume, preprovision) during the task sequence execution.

Exam trap

The trap here is that candidates often confuse 'Preprovision BitLocker' (used to enable encryption after OS deployment) with 'Suspend BitLocker' (used to temporarily disable protection during disk operations), leading them to incorrectly select Option A instead of Option C.

463
MCQ · hard

You apply the custom policy shown in the exhibit to a Windows 11 device. Users report that they cannot use Bluetooth devices (e.g., mouse, keyboard) after the policy applies. Which setting in the policy is causing this issue?

A. allowBluetooth set to false
B. allowStorageCard set to false
C. allowCopyPaste set to false
D. allowCamera set to false
Answer: A

Disabling Bluetooth prevents all Bluetooth devices from connecting.

Why this answer

Option A is correct because 'allowBluetooth' is set to false, which disables Bluetooth functionality entirely, including peripherals. Option D (allowCamera) affects the camera only. Option C (allowCopyPaste) affects the clipboard. Option B (allowStorageCard) affects external storage.

464
MCQ · medium

Your organization uses Microsoft Intune to manage macOS devices. You need to deploy a company-specific application (a .pkg file) to all macOS devices. The application requires a specific configuration file that must be placed in the /Library/Application Support/ directory. You also need to ensure that the application is installed silently without user interaction. How should you configure the deployment in Intune?

A. Use a shell script in Intune to download and install the .pkg file from a secure URL.
B. Create a device configuration profile for macOS that includes the app installation settings.
C. Add the .pkg file as a macOS line-of-business app in Intune, specify installation arguments for silent install, and include a script to copy the configuration file post-install.
D. Use Apple Volume Purchase Program (VPP) to distribute the app as a managed app.
Answer: C

This is the standard method for deploying custom macOS apps with configuration.

Why this answer

Option C is correct because Intune supports deploying macOS line-of-business apps (.pkg) with installation arguments for silent installation, and you can include a script to copy the configuration file. Option D is incorrect because the volume purchase program (VPP) is for purchasing apps, not custom deployment. Option B is incorrect because a device configuration profile cannot install .pkg apps. Option A is incorrect because shell scripts can install apps but are less integrated than the LOB app deployment.

465
MCQ · hard

You are designing a Windows 365 Cloud PC provisioning policy. The requirement is that when a user is assigned a Cloud PC, it must automatically have Microsoft Defender for Endpoint configured with real-time protection enabled and a custom firewall rule allowing only specific IPs. Which approach should you use?

A. Create an Intune device configuration profile using the Settings Catalog and assign it to the Azure AD group containing Cloud PC users.
B. Include the settings in the Windows 365 provisioning policy.
C. Create a PowerShell script that runs during provisioning and apply it via Azure Automation.
D. Use a Group Policy Object (GPO) applied via on-premises AD.
Answer: A

Settings Catalog allows granular configuration of Defender and firewall settings.

Why this answer

Option A is correct because Intune device configuration profiles using the Settings Catalog allow granular control over Microsoft Defender for Endpoint settings (e.g., real-time protection) and custom firewall rules. These profiles can be assigned to an Azure AD group containing Cloud PC users, ensuring the settings are applied automatically after provisioning via the Windows 365 service, which integrates with Intune for post-provisioning management.

Exam trap

The trap here is that candidates mistakenly think Windows 365 provisioning policies can include security configurations, but in reality, they only define infrastructure settings, while all post-provisioning management (including Defender and firewall rules) must be handled by Intune policies.

How to eliminate wrong answers

Option B is wrong because Windows 365 provisioning policies only define Cloud PC configuration (e.g., region, network, image) and do not support granular security settings like Defender or custom firewall rules; those must be applied via Intune after provisioning. Option C is wrong because PowerShell scripts run during provisioning via Azure Automation are not natively integrated with Windows 365 provisioning; the recommended approach is to use Intune configuration profiles, which are designed for post-provisioning device management. Option D is wrong because Group Policy Objects (GPOs) require on-premises Active Directory and domain-joined devices, but Cloud PCs are Azure AD-joined or Hybrid Azure AD-joined by default and do not support direct GPO application without additional infrastructure like Group Policy Administrative Templates in Intune.

466
Multi-Select · easy

You are troubleshooting a Windows device that is not receiving policies from Intune. Which TWO actions should you take?

Select 2 answers
A. Configure a Conditional Access policy
B. Reset the user's password
C. Verify the device is enrolled in Intune
D. Check the device sync status in the Intune console
E. Review the app protection policy assignment
Answers: C, D

Device must be enrolled to receive policies.

Why this answer

Check the device sync status in Intune and verify the device is enrolled. App protection policies are for app configuration, not device policy delivery. Conditional Access policies do not directly affect policy delivery. Checking user credentials does not resolve policy delivery issues.

467
MCQ · hard

Your organization uses Microsoft Intune to manage Windows 10 devices. You need to deploy a custom Windows 10 feature update using the Windows 10 Update Rings feature. However, the deployment fails and devices show error 0x800f0905. What is the most likely cause?

A. The device does not have enough free disk space.
B. The device is not set to the correct language for the update.
C. The feature update package is missing prerequisite updates.
D. The update ring is configured with a maintenance window that is too short.
Answer: C

The error indicates a missing component.

Why this answer

Option C is correct because error 0x800f0905 indicates missing installation files. Option B is incorrect because the update ring does not include language settings. Option D is incorrect because a maintenance window does not cause this error. Option A is incorrect because disk space would cause a different error.

468
MCQ · medium

A user reports that a Microsoft 365 Apps for enterprise installation on a Windows 10 device fails with error code 30088-1028. The device is managed by Intune. What is the most likely cause?

A. Windows Update is disabled on the device.
B. The device does not have enough free disk space.
C. The user does not have an appropriate license assigned.
D. The device is behind a proxy that blocks the Microsoft CDN.
Answer: B

Error 30088-1028 is disk space related.

Why this answer

Option B is correct because error 30088-1028 typically indicates insufficient disk space for installation. Option D is wrong because proxy issues cause different errors. Option C is wrong because license assignment errors are different. Option A is wrong because Windows Update is unrelated.

469
MCQ · easy

You need to ensure that only corporate-owned devices can access Microsoft 365 apps. You plan to use Conditional Access in Microsoft Entra ID. What should you configure as the grant control?

A. Require Hybrid Azure AD joined device.
B. Require multi-factor authentication.
C. Require approved client app.
D. Require device to be marked as compliant.
Answer: D

Compliance policies can be configured for corporate devices.

Why this answer

Option D is correct because requiring devices to be marked as compliant in Intune filters for corporate-owned devices. Option A is wrong because Hybrid Azure AD join does not distinguish corporate vs. personal. Option B is wrong because multi-factor authentication does not check device ownership. Option C is wrong because approval of the client app is not about device ownership.

470
MCQ · hard

Refer to the exhibit. A KQL query is run in Microsoft Defender XDR for a device 'WIN10-PC'. The results show that a critical line-of-business app 'ContosoApp' version '2.0.0' has InstallationResult 'Failed' with ErrorCode '0x80073CF6'. What does this error code typically indicate?

A. The app package is not signed correctly
B. The device does not have internet connectivity
C. The user does not have permission to install apps
D. The device has insufficient disk space
Answer: A

0x80073CF6 means APPX deployment error, often signing.

Why this answer

Error 0x80073CF6 is an app installation error that often indicates a signature or package issue, or that the app requires a newer OS version. It is not a network error or disk space error.

471
MCQ · medium

A company is using Microsoft Deployment Toolkit (MDT) to deploy Windows 11 to 200 new laptops. The deployment includes applications such as Microsoft 365 Apps for enterprise and a line-of-business (LOB) application. The LOB application requires a specific registry key to be set before installation. You have added a 'Set Registry' step in the task sequence before the application installation step. During a test deployment, the LOB application fails to install. The MDT logs show that the registry key is set correctly, but the application installer still fails. You suspect the application requires a reboot after setting the registry key. The task sequence does not have a reboot step after the registry change. Which step should you add to the task sequence?

A. Add a 'Wait' step for 60 seconds
B. Add a 'Set Task Sequence Variable' step to set a reboot variable
C. Add a 'Restart Computer' step immediately after the 'Set Registry' step
D. Add a 'Run Command Line' step to run gpupdate /force
Answer: C

This ensures the registry change takes effect before application installation.

Why this answer

Option C is correct because the LOB application requires a reboot after the registry key is set to make the change effective. In MDT, a 'Restart Computer' step forces a system restart, ensuring the registry modification is recognized by the application installer. Without this reboot, the installer may read stale registry data and fail, even though the key is correctly written.

Exam trap

The trap here is that candidates may think a simple wait or Group Policy refresh is sufficient, overlooking that some applications require a reboot to recognize registry changes, and that MDT's 'Restart Computer' step is the only way to enforce that reboot at the correct point in the task sequence.

How to eliminate wrong answers

Option A is wrong because a 60-second 'Wait' step does not cause a reboot; it merely pauses the task sequence, so the registry change remains unapplied from the installer's perspective. Option B is wrong because setting a task sequence variable like 'SMSTSRebootRequested' can trigger a reboot later, but without an explicit 'Restart Computer' step, the reboot may not occur at the correct point in the sequence, or the variable may be ignored if not properly handled. Option D is wrong because 'gpupdate /force' refreshes Group Policy settings, not registry keys set directly by the task sequence; it does not cause a reboot and is irrelevant to making a manually written registry key effective.

472
MCQ · easy

Refer to the exhibit. The JSON shows a compliance policy for Windows 10 devices. A device is marked as non-compliant even though it has a password of length 8, firewall enabled, and Defender enabled. What is the most likely cause?

A. Microsoft Defender is not running.
B. The device firewall is not active.
C. The device does not lock after inactivity.
D. The device password is not complex enough.
Answer: C

The policy requires lock after inactivity.

Why this answer

The policy requires 'passwordRequireToUnlockFromIdle', which means the device must be locked after inactivity. If the device is not set to lock automatically, it will be non-compliant. Option D is incorrect because the password meets the length requirement. Option B is incorrect because the firewall is enabled. Option A is incorrect because Defender is enabled.

473
MCQ · easy

Your organization uses Microsoft Intune to manage devices. You need to ensure that all Windows 11 devices automatically install critical and security updates from Windows Update. Which policy should you configure?

A. Configure a device configuration profile with 'Windows Update for Business' settings.
B. Deploy a feature update policy to install the latest quality updates.
C. Create an update ring for Windows 10 and later, and set the 'Automatic update behavior' to 'Auto install and reboot' and assign it to all devices.
D. Create a device compliance policy that requires devices to have the latest updates.
Answer: C

Update rings centrally manage Windows Update settings and enforce installation.

Why this answer

Intune uses 'Update rings for Windows 10 and later' to configure Windows Update settings. Within the update ring, you can set 'Automatic update behavior' to 'Auto install and reboot' or similar. Option C is correct. Option D is wrong because compliance policies don't control update installation. Option A is wrong because device configuration profiles can configure some update settings, but the dedicated update ring policy is the intended method. Option B is wrong because feature updates are for version upgrades, not quality updates.

474
MCQ · easy

You are asked to recommend a solution for deploying a web application as an icon on users' Windows 10 devices managed by Intune. Which app type should you use?

A. Windows app (Win32)
B. Microsoft Store app
C. Built-in app
D. Web link
Answer: D

Web links place a shortcut to the web app on the device.

Why this answer

Web links in Intune create shortcuts to URLs on the device. Option D is correct. Option A is wrong because the Windows app (Win32) is for desktop applications. Option C is wrong because the Built-in app type is for system apps like Edge. Option B is wrong because the Microsoft Store app type is for store apps.

475
Multi-Select · medium

Which TWO actions can you perform using the Microsoft Intune admin center to manage Windows 11 devices remotely? (Choose two.)

Select 2 answers
A. Collect diagnostics
B. Deploy a line-of-business app
C. Restart the device
D. Create a VPN profile
E. Assign a compliance policy
Answers: A, C

Remote diagnostics collection is a remote action.

Why this answer

Options A and C are correct. 'Restart' is a remote action to reboot a device. 'Collect diagnostics' gathers logs remotely. Option D (Create a VPN profile) is a configuration policy, not a remote action. Option E (Assign a compliance policy) is a configuration assignment. Option B (Deploy a line-of-business app) is an app deployment, not a remote action.

476
MCQ · medium

Your organization uses Microsoft Intune to manage iOS/iPadOS devices. You need to ensure that corporate data in managed apps is encrypted at rest. Which setting should you configure?

A. Device compliance policy – Require data encryption.
B. App protection policy – Data protection – Encrypt app data.
C. Enrollment restrictions – Require encrypted backup.
D. Device configuration profile – Encryption settings.
Answer: B

Encrypts app data at rest.

Why this answer

Option B is correct because App Protection Policies (APP) in Microsoft Intune include a 'Data Protection' setting called 'Encrypt app data' that enforces encryption of corporate data at rest on iOS/iPadOS devices. This setting uses hardware-backed file-level encryption (Data Protection class) to protect data in managed apps, ensuring that even if the device is lost or stolen, the data remains inaccessible without the user's passcode.

Exam trap

The trap here is that candidates often confuse device-level encryption (which is always on for iOS with a passcode) with app-level encryption, and incorrectly choose a Device Compliance Policy or Configuration Profile, not realizing that only App Protection Policies can enforce encryption specifically for corporate data within managed apps.

How to eliminate wrong answers

Option A is wrong because Device Compliance Policies can require device-level encryption (e.g., FileVault on macOS or BitLocker on Windows), but on iOS/iPadOS, encryption is always enabled by default when a passcode is set; compliance policies cannot granularly encrypt data within managed apps at rest. Option C is wrong because Enrollment Restrictions control which devices can enroll and whether backups are encrypted, but they do not encrypt corporate data within apps on the device itself. Option D is wrong because Device Configuration Profiles can enforce passcode policies or VPN settings, but they do not include a specific setting to encrypt app data at rest; that capability is exclusive to App Protection Policies.

477
MCQmedium

You need to deploy a line-of-business (LOB) iOS app to users in your organization. The app is signed with an enterprise certificate. How should you distribute the app to managed devices?

A.Upload the app to Intune and provide a signing certificate.
B.Publish the app to the Apple App Store and assign it as a required app.
C.Add the app as an iOS/iPadOS line-of-business app in Microsoft Intune and assign it to users.
D.Use Apple Business Manager to assign the app to devices.
AnswerC

This is the correct method for enterprise-signed LOB apps.

Why this answer

Option C is correct because enterprise-signed LOB apps can be added as an iOS LOB app in Intune and deployed to devices. Option B is wrong because the App Store is for public apps. Option D is wrong because Apple Business Manager is for volume purchasing, not LOB distribution.

Option A is wrong because the app is already signed; a signing certificate is not needed.

478
MCQeasy

A user's iOS device is enrolled in Microsoft Intune. The user reports that they cannot install the Company Portal app from the App Store. What is the most likely reason?

A.The user does not have an Apple ID.
B.The App Store is disabled by a device restriction policy.
C.The device is not enrolled in Intune.
D.The device is not supervised.
AnswerB

A device restriction policy can block the App Store.

Why this answer

If the device is already enrolled, the Company Portal app might be blocked by a configuration profile or restrictions. Option A is incorrect because the device is enrolled. Option B is incorrect because location services are not required for app installation.

Option D is incorrect because if the device is supervised, admins can block installation of certain apps.

479
MCQeasy

You need to deploy a custom Microsoft Edge extension to managed Windows 10 devices via Intune. Which policy type should you use?

A.Device restrictions profile
B.Compliance policy
C.Administrative Templates profile (ADMX-backed policies)
D.PowerShell script deployment
AnswerC

Supports Edge extension policies.

Why this answer

Option C is correct. An Administrative Templates profile can configure Edge policies including extension installation. Option A is wrong because a device restrictions profile does not manage extensions.

Option B is wrong because a compliance policy is not for configuration. Option D is wrong because a PowerShell script is not the recommended method for extension deployment.

480
MCQeasy

A company uses Microsoft Intune to manage iOS devices. They want to ensure that only devices with a passcode of at least 6 characters and without jailbreak can access corporate email. Which policy type should they configure?

A.Conditional Access policy
B.App protection policy
C.Device compliance policy
D.Device configuration policy
AnswerC

Compliance policies define required device configurations like passcode and jailbreak status.

Why this answer

Device compliance policies in Intune define rules for device security (e.g., passcode length, jailbreak detection). Option D is incorrect because device configuration policies set device settings but not compliance rules. Option B is incorrect because app protection policies target app-level data protection.

Option A is incorrect because conditional access uses compliance status but doesn't define the rules.

481
MCQmedium

You manage Windows 10 devices enrolled in Microsoft Intune. Users report that the Windows Update for Business policy is not applying to some devices. You verify the devices are assigned the correct update ring. What should you check first?

A.Increase the sync frequency for the devices.
B.Check if the devices are compliant with device compliance policies.
C.Ensure the Windows Update service is not disabled on the devices.
D.Verify the Intune Management Extension is installed.
AnswerC

Windows Update service must be enabled for update rings to apply.

Why this answer

Option C is correct because the Windows Update for Business policy requires the Windows Update service to be enabled. If it's disabled, updates won't apply. Option B is wrong because compliance policies don't block update rings.

Option D is wrong because the Intune Management Extension is for Win32 apps, not updates. Option A is wrong because sync interval doesn't prevent policy application.

482
MCQmedium

You manage devices at Fabrikam Inc. using Microsoft Intune. You have a Windows 11 device that is not compliant because it is missing a required application. The device shows as 'Not evaluated' in Intune for the compliance policy. The user reports that the device syncs manually but still shows as non-compliant. You have verified that the device is enrolled and policy is assigned. What should you do first to resolve the issue?

A.Verify that the user has a valid Microsoft 365 license.
B.Create a new compliance policy with the same requirements and assign it to the device.
C.From the Intune console, select the device and run the 'Sync' action with the option 'Re-evaluate compliance policies'.
D.Remove the device from Intune and re-enroll it.
AnswerC

Triggers a fresh compliance evaluation.

Why this answer

Re-evaluating the compliance policy by running a sync with the Intune management extension can trigger a fresh assessment. Creating a new compliance policy is unnecessary. Removing and re-enrolling is disruptive.

Checking the user's license is not relevant to compliance evaluation.

483
MCQmedium

Your organization uses Microsoft Intune for Windows device management. Users report that after a recent update, the company VPN client fails to start. You suspect a driver conflict. Which Intune feature should you use to roll back the problematic driver without affecting other updates?

A.Windows Update Rings
B.Group Policy Administrative Templates
C.Microsoft 365 Apps Admin Center
D.Windows Driver Update Rings
AnswerD

Correct. Driver Update Rings allow managing and rolling back specific driver updates.

Why this answer

Windows Driver Update Rings (D) is the correct feature because it allows you to selectively roll back a specific driver update without affecting other Windows updates or configuration changes. This feature is designed to manage driver updates independently from quality or feature updates, enabling targeted rollbacks when a driver causes conflicts like a VPN client failure.

Exam trap

The trap here is that candidates confuse 'Windows Driver Update Rings' with 'Windows Update Rings,' assuming all update rings are identical, but Microsoft specifically separated driver update rings to allow granular control over driver deployments without affecting other updates.

How to eliminate wrong answers

Option A is wrong because Windows Update Rings control the deployment of all Windows updates (quality, feature, and driver updates) as a group, and cannot selectively roll back a single driver without reverting other updates. Option B is wrong because Group Policy Administrative Templates manage configuration settings via registry-based policies, not driver versions or rollbacks. Option C is wrong because the Microsoft 365 Apps Admin Center is used to manage Office 365 app updates and policies, not Windows drivers or device-level driver rollbacks.

484
MCQmedium

Your organization plans to deploy Windows 11 to 500 devices using Microsoft Intune. You need to ensure that each device receives the correct language pack and regional settings based on the user's location. Which configuration method should you use?

A.Configure Windows Autopilot with enrollment profile specifying language and region
B.Deploy a PowerShell script via Intune to set language after enrollment
C.Use Configuration Manager task sequence with language packs
D.Create a provisioning package (PPKG) with language settings and apply via USB
AnswerA

Allows per-device language and region during OOBE, cloud-native.

Why this answer

Option A is correct because Autopilot with enrollment profile allows assigning language and region settings per device during OOBE. Option D is wrong because provisioning packages (PPKG) are for bulk deployment but not dynamic per-user settings. Option C is wrong because Configuration Manager task sequences require on-premises infrastructure and are less dynamic.

Option B is wrong because PowerShell scripts run after provisioning, not during OOBE.

485
MCQhard

Your organization uses Microsoft Intune to manage Windows 10 devices. Users report that after a recent software update, the Start menu layout is missing. You need to restore the Start menu layout using Intune. What should you do?

A.Create a configuration profile for Windows 10 using 'Start layout' under Administrative Templates.
B.Create a configuration profile for Windows 11 using 'Start layout' setting.
C.Create a configuration profile for Windows 10 using 'Start layout' setting under Device restrictions.
D.Create a configuration profile using Administrative Templates and configure 'Start layout' policy.
AnswerC

This is the correct setting for Windows 10.

Why this answer

Option C is correct because the 'Start layout' setting in Devices > Configuration profiles > Windows 10 > Device restrictions allows you to specify an XML file that defines the Start menu layout. Option B is wrong because this is for Windows 11. Option A is wrong because Administrative Templates do not include Start layout.

Option D is wrong because the Start layout policy is under Device restrictions, not Administrative Templates.

486
Multi-Selectmedium

Which TWO are prerequisites for deploying Win32 apps via Microsoft Intune?

Select 2 answers
A.The Intune management extension must be installed on devices
B.The app must be signed with a Microsoft certificate
C.Devices must be Microsoft Entra ID joined or hybrid joined
D.Devices must have at least 4 GB of RAM
E.Devices must be enrolled with user affinity
AnswersA, C

The extension handles Win32 app deployment.

Why this answer

Win32 app deployment requires the Intune management extension and that devices are Microsoft Entra ID joined or hybrid joined. Options A and C are correct.

487
MCQmedium

Refer to the exhibit. You deploy this ARM template to create an Intune configuration policy for macOS devices. The policy sets the 'com.apple.ManagedClient.appstore' setting to true. What is the expected behavior on the target macOS devices?

A.Users will be allowed to install apps from the App Store.
B.App Store updates will be automatically installed.
C.Only apps purchased through Apple Business Manager will be installable.
D.Users will be blocked from installing apps from the App Store.
AnswerA

Setting enables App Store access.

Why this answer

This setting allows the App Store for managed devices. Option A is incorrect because it enables, not disables. Option B is incorrect because it allows App Store, not specific apps.

Option C is incorrect because it does not configure updates. Option D is incorrect because it does not enforce a certificate.

488
MCQhard

Your organization uses Microsoft Intune to manage devices. You have a Windows 10 device that is Azure AD joined and enrolled in Intune. The device is compliant, but the user cannot access corporate resources due to a Conditional Access policy requiring a compliant device. The user can access other cloud apps that do not require compliance. You check the Conditional Access policy and find it is configured correctly. What is the most likely issue?

A.The Conditional Access policy is not applied to the user.
B.The device's certificate is expired or missing; re-register the device in Intune.
C.The device is not enrolled in Intune.
D.The user is not in the correct group.
AnswerB

Re-registration refreshes the certificate used for Conditional Access.

Why this answer

Option B is correct because if the device is compliant but Conditional Access still blocks, the device might not have the correct certificate, or the token might be stale. Re-registering the device with Intune refreshes the certificate. Option A is wrong because the policy is correct.

Option C is wrong because the device is compliant. Option D is wrong because the user is probably in the correct group.

489
MCQhard

Refer to the exhibit. The exhibit shows a JSON representation of a managed device from Microsoft Graph API. The device shows as noncompliant. Which of the following is the most likely reason for the noncompliant status?

A.The device has not synced recently; the compliance policy may require a more recent check-in.
B.The device is company-owned, which is noncompliant by default.
C.The device is a userless device and cannot be compliant.
D.The device's operating system version is not supported.
AnswerA

Compliance policies often require devices to sync within a certain period; the last sync is March 15, which may be older than the policy threshold.

Why this answer

The JSON shows the device's lastSyncDateTime is significantly older than the current time, and the complianceState is 'noncompliant'. Microsoft Intune compliance policies require devices to check in within a configurable grace period (default 30 days for noncompliant devices, but policies can enforce a shorter interval). If the device hasn't synced recently, it fails the 'Device check-in frequency' compliance rule, marking it noncompliant.

Option A correctly identifies this as the most likely cause.

Exam trap

The trap here is that candidates often assume noncompliance is due to an unsupported OS version or ownership type, but the JSON explicitly shows a supported OS and no ownership-based policy, while the stale lastSyncDateTime is the clear indicator of a check-in failure.

How to eliminate wrong answers

Option B is wrong because company-owned devices are not noncompliant by default; ownership type (corporate vs. personal) does not directly affect compliance state unless a specific compliance policy targets ownership. Option C is wrong because userless devices (e.g., kiosk or shared devices) can be compliant if they meet all policy requirements; Intune supports device compliance for userless scenarios via device enrollment. Option D is wrong because the JSON shows the operating system version as '10.0.22621' (Windows 11 22H2), which is a supported version; there is no indication of an unsupported OS.

490
MCQeasy

Your organization plans to use Windows Autopilot for device provisioning. You need to ensure devices are automatically registered in Microsoft Entra ID when they are powered on for the first time. Which prerequisite must be met?

A.Devices must be pre-registered in Intune via an OEM or partner
B.Devices must have a TPM 2.0 chip for self-deploying mode
C.An on-premises Active Directory domain must be available
D.Users must have Microsoft Entra ID P1 or P2 licenses assigned
AnswerD

Entra ID P1 or P2 is required for Autopilot's automatic registration and device management.

Why this answer

Option C is correct because Autopilot requires Microsoft Entra ID P1 or P2 licenses to support automatic device registration. Option A is wrong because licenses are needed. Option B is wrong because Autopilot supports both Entra ID join and hybrid join.

Option D is wrong because Intune licenses are required for management but Autopilot also requires Entra ID P1.

491
MCQmedium

Your organization is rolling out Windows 11 devices using Autopilot. You need to ensure that all new devices are automatically enrolled in Microsoft Intune and configured with a custom device name prefix 'CORP-'. Which configuration should you implement?

A.Configure a Windows Autopilot deployment profile with a device name template and set 'Convert all targeted devices to Autopilot' to 'Yes'.
B.Create a device configuration profile for Windows 11 with a custom OMA-URI for device name.
C.Set a device compliance policy that requires device name prefix 'CORP-'.
D.Modify the Enrollment Status Page (ESP) policy to require device naming.
AnswerA

This directly configures enrollment and naming.

Why this answer

Option A is correct because a Windows Autopilot deployment profile allows you to specify a device name template (e.g., 'CORP-%RAND:5%') that automatically applies a custom prefix to new devices during the Autopilot enrollment process. Setting 'Convert all targeted devices to Autopilot' to 'Yes' ensures that devices added to Autopilot are automatically enrolled in Microsoft Intune, meeting both requirements.

Exam trap

The trap here is that candidates often confuse device configuration profiles (OMA-URI) or compliance policies as capable of setting device names, when in fact only the Autopilot deployment profile's device name template can enforce naming during the initial enrollment process.

How to eliminate wrong answers

Option B is wrong because a device configuration profile with a custom OMA-URI cannot rename a device during Autopilot enrollment; device naming is only supported via the Autopilot deployment profile's device name template. Option C is wrong because a device compliance policy can only report or block non-compliant devices based on naming, not enforce or apply a name prefix during enrollment. Option D is wrong because the Enrollment Status Page (ESP) policy controls the blocking of device setup until required apps or policies are installed, but it has no capability to set or enforce a device name prefix.

492
MCQhard

Your organization uses Microsoft Intune to manage Android Enterprise devices. You need to deploy a managed Google Play app to work profile devices. After deploying, users report that the app is not available in the work profile. What is the most likely cause?

A.The app has not been approved in the managed Google Play store.
B.The app is only available for corporate-owned devices.
C.Android Enterprise enrollment is not enabled in Intune.
D.The device does not have a work profile configured.
AnswerA

Apps must be approved by the admin in the managed Google Play console before they can be deployed.

Why this answer

Option A is correct because the app must be approved in the managed Google Play store. Option D is wrong because if it's a managed Google Play app, the work profile is required. Option B is wrong because device type (corporate vs personal) does not block the app if targeted correctly.

Option C is wrong because enablement status affects whether the work profile exists, but if it exists, the app should be available if approved.

493
MCQhard

Your organization uses Microsoft Intune to manage macOS devices. You need to deploy a .pkg app to these devices. What is the recommended method?

A.Add as a Windows line-of-business app.
B.Add as a macOS web app.
C.Add as a Microsoft Store app.
D.Add as a macOS line-of-business app.
AnswerD

macOS LOB app type supports .pkg files.

Why this answer

Option D is correct because macOS LOB apps support .pkg files. Option B is wrong because macOS web apps are for web links. Option A is wrong because Windows LOB app is for Windows devices.

Option C is wrong because Microsoft Store app is for Windows.

494
MCQeasy

You need to ensure that all iOS devices enrolled in Intune automatically install required apps (e.g., Microsoft Outlook, Teams) during enrollment. Which enrollment profile setting should you configure?

A.Apple Volume Purchase Program token
B.Company Portal branding
C.Device type restriction
D.Install required apps during enrollment
AnswerD

This setting pushes required apps during the enrollment process.

Why this answer

Option D is correct because 'Install required apps during enrollment' is a setting in iOS enrollment profiles that triggers app installation as part of the setup assistant. Option C (Device type restriction) controls which devices can enroll. Option B (Company Portal branding) is for appearance.

Option A (Apple Volume Purchase Program token) is for purchasing apps, not automatic installation.

495
MCQmedium

Your organization is planning to deploy Windows 11 to 5000 devices using Microsoft Intune. The devices are currently a mix of Windows 10 and Windows 11 eligible hardware. You need to ensure that only devices meeting the Windows 11 hardware requirements can be upgraded. What is the most efficient way to achieve this using Intune?

A.Use Windows Autopilot to reset each device and manually verify hardware compatibility.
B.Create a Windows feature update profile targeting Windows 11 and assign it to all devices; Intune will automatically skip ineligible devices.
C.Create a dynamic device group based on TPM version and assign a Windows 10 update ring to non-compliant devices.
D.Create a compliance policy requiring TPM 2.0 and Secure Boot, then assign a Windows 11 update ring to compliant devices.
AnswerB

Intune checks hardware requirements before applying the feature update.

Why this answer

Option B is correct because a Windows feature update profile in Intune automatically checks device hardware eligibility before applying the Windows 11 upgrade. Intune queries the Windows Update for Business service, which evaluates TPM 2.0, Secure Boot, CPU generation, and RAM requirements; devices that do not meet the minimum hardware requirements are skipped without any manual intervention or additional configuration.

Exam trap

The trap here is that candidates confuse compliance policies (which only report or block access) with feature update profiles (which natively enforce hardware gating), leading them to choose Option D, which would still attempt the upgrade on non-compliant devices and cause deployment failures.

How to eliminate wrong answers

Option A is wrong because Windows Autopilot is designed for device provisioning and resetting, not for hardware compatibility verification; manually checking 5000 devices is inefficient and defeats the purpose of automated management. Option C is wrong because creating a dynamic device group based solely on TPM version is insufficient—Windows 11 requires a combination of TPM 2.0, Secure Boot, CPU, and RAM checks, and assigning a Windows 10 update ring to non-compliant devices does not prevent upgrades on ineligible hardware. Option D is wrong because a compliance policy can report non-compliance but does not block the upgrade; a Windows 11 update ring would still attempt to upgrade non-compliant devices, potentially causing failures, whereas a feature update profile inherently skips ineligible devices.

496
MCQhard

Your organization plans to deploy a Win32 app to Windows 10 devices using Intune. The app requires the .NET Framework 4.8, which is not present on all devices. How should you handle this dependency?

A.Include the .NET installer in the same package
B.Use a PowerShell script to install .NET before the app
C.Add a dependency in Intune for the .NET Framework
D.Configure a detection rule for .NET
AnswerC

Dependencies ensure prerequisites are installed first.

Why this answer

Option C is correct because Intune's dependency feature allows pre-installing required apps. Option D is wrong because prerequisites cannot be installed via detection rules. Option A is wrong because the MSI can include .NET, but if not, dependencies are the way.

Option B is wrong because scripting dependencies is less reliable.

497
MCQmedium

You are deploying Windows 11 devices using Autopilot. The devices are purchased from a hardware vendor and need to be registered in your tenant. You want to ensure that the vendor can register the devices on your behalf without granting them full user privileges. What should you configure?

A.Export the device list from the vendor and import it via CSV in Microsoft Intune.
B.Add the vendor as a global administrator in Microsoft Entra ID.
C.Provide the vendor with a bulk enrollment token and URL.
D.Create a custom device preparation profile with delegated admin privileges.
AnswerD

Custom profiles allow limited, delegated permissions for vendor registration.

Why this answer

Option D is correct because a custom device preparation profile with delegated admin privileges allows a hardware vendor to register devices in your tenant via Autopilot without granting them full user privileges. This profile grants the vendor scoped permissions to upload device hashes and associate them with your tenant, using delegated administration in Microsoft Entra ID to limit access to only the necessary actions for device enrollment.

Exam trap

The trap here is that candidates often confuse device registration (adding hardware hashes to Autopilot) with device enrollment (using a token to enroll devices), leading them to incorrectly select the bulk enrollment token option (C) instead of the delegated admin privileges option (D).

How to eliminate wrong answers

Option A is wrong because exporting a device list from the vendor and importing it via CSV in Microsoft Intune requires the vendor to have direct access to your tenant or you to manually handle the import, which does not delegate the registration process to the vendor securely. Option B is wrong because adding the vendor as a global administrator in Microsoft Entra ID grants them full administrative access to your entire tenant, which violates the principle of least privilege and is unnecessary for device registration. Option C is wrong because a bulk enrollment token and URL are used for Windows Autopilot self-deploying mode or user-driven mode enrollment, but they do not delegate the ability to register devices on your behalf; the token is for enrolling devices, not for registering them in the Autopilot service.

498
MCQmedium

Your organization manages Windows 10 and 11 devices using Microsoft Intune. Users report that after a recent update, the Microsoft Store for Business app 'Company Portal' fails to launch. You verify that the app is assigned as required to all devices. What should you do first to resolve the issue?

A.Enable automatic updates for Company Portal in Intune.
B.Uninstall and reinstall Company Portal from all devices.
C.Trigger a device sync from the Microsoft Intune admin center.
D.Run Windows Update troubleshooter on affected devices.
AnswerC

Forces the device to check in and receive the latest app assignment and configuration.

Why this answer

The correct first step is to trigger a device sync from the Microsoft Intune admin center. This forces the affected devices to check in with Intune, which can push down any pending policy or app configuration updates that may have been missed after the recent Windows update. Since the Company Portal app is assigned as required, a sync ensures the device receives the latest app version or remediation actions without requiring a full reinstall.

Exam trap

The trap here is that candidates may jump to a destructive or configuration-based solution (like reinstalling or enabling auto-updates) instead of recognizing that a simple device sync is the least invasive and most appropriate first troubleshooting step for an app that fails to launch after an update.

How to eliminate wrong answers

Option A is wrong because enabling automatic updates for Company Portal in Intune is a configuration setting that applies to future updates, not a troubleshooting step to fix an app that already fails to launch. Option B is wrong because uninstalling and reinstalling Company Portal from all devices is a drastic, time-consuming measure that should only be attempted after simpler troubleshooting steps like a sync have failed. Option D is wrong because the Windows Update troubleshooter addresses Windows update issues, not problems with a specific Microsoft Store for Business app like Company Portal.

499
Multi-Selecthard

Which THREE features are available in Microsoft Intune for managing Windows 10/11 device updates?

Select 3 answers
A.Windows Update for Business
B.Update rings for Windows 10 and later
C.Windows feature update policy
D.Windows Autopatch
E.Windows Server Update Services (WSUS)
AnswersB, C, D

Update rings manage deferral periods.

Why this answer

Options B, C, and D are correct. Intune supports Update rings, Feature update policies, and Windows Autopatch. Option A is wrong because Windows Update for Business is a service, not an Intune feature.

Option E is wrong because WSUS is on-premises, not Intune.

500
MCQhard

Your organization uses Microsoft Intune with co-management and Configuration Manager. Some Windows 10 devices are enrolled in Intune but also managed by Configuration Manager. You need to ensure that the Intune compliance policy is evaluated and enforced on these devices. What should you configure?

A.Configure the Configuration Manager client setting to enable compliance evaluation.
B.Assign the compliance policy to a device group that includes these devices.
C.Change the MDM authority to Intune.
D.Set the Device Compliance workload to Intune in co-management properties.
AnswerD

This ensures Intune evaluates compliance.

Why this answer

In co-management, you can set the workload for Device Compliance to 'Intune' or 'Configuration Manager'. Option D is correct because you need to move the compliance workload to Intune. Option C is incorrect because changing MDM authority is not recommended.

Option A is incorrect because the client setting does not control workload. Option B is incorrect because the compliance policy is already created; the issue is which management point evaluates it.

501
MCQeasy

You need to deploy a line-of-business (LOB) app to Windows 10 devices managed by Intune. The app is a .msi file. Which app type should you select when adding the app in Intune?

A.Microsoft Store app
B.Web link
C.Windows app (Win32)
D.Windows line-of-business app
AnswerD

Windows LOB app type supports .msi files.

Why this answer

Option D is correct because Windows line-of-business apps are used for .msi files. Option C is wrong because Windows app (Win32) is for .exe or .intunewin files. Option A is wrong because Microsoft Store app is for store apps.

Option B is wrong because Web link is for web apps.

502
MCQmedium

A user's Android device is enrolled in Microsoft Intune. The device reports as 'Compliant' but the user cannot access corporate resources that require compliant devices. The conditional access policy is configured to require a compliant device. What is the most likely cause?

A.The compliance policy has not been refreshed on the device.
B.The user does not have the Company Portal app installed.
C.The conditional access policy requires an approved client app.
D.The device is not compliant with the compliance policy.
AnswerC

Additional conditions in conditional access can block access.

Why this answer

Even if the device is compliant, the conditional access policy may also require a specific client app or location. Option C is correct because the conditional access policy might have additional requirements like 'Require approved client app'. Option D is incorrect because the device is compliant.

Option A is incorrect because stale compliance is not the issue if it shows compliant. Option B is incorrect because the Company Portal app is not required for access.

503
MCQeasy

A company uses Microsoft Intune to manage iOS/iPadOS devices. They need to enforce a policy that requires users to set a device passcode of at least 6 characters. Which type of policy should they create?

A.Device configuration profile
B.Device compliance policy
C.Conditional access policy
D.App protection policy
AnswerB

Device compliance policies enforce device-level settings such as passcode requirements.

Why this answer

Option B is correct because device compliance policies include password settings for iOS. Option A is wrong because configuration profiles can set password policies but compliance policies are specifically for enforcing requirements. Option D is wrong because app protection policies apply to apps, not device-level settings.

Option C is wrong because conditional access policies control access, not device settings.

504
MCQmedium

Refer to the exhibit. You apply this Intune custom OMA-URI policy to a Windows 10 device. What is the expected outcome?

A.VPN connections are allowed over cellular networks.
B.The policy will fail to apply due to an invalid OMA-URI.
C.The policy applies only to users, not devices.
D.VPN connections over cellular are blocked.
AnswerD

Correct. Value '0' disables (blocks) VPN over cellular.

Why this answer

The OMA-URI ./Device/Vendor/MSFT/Policy/Config/Connectivity/AllowCellularData refers to the policy that controls whether cellular data is allowed for VPN connections. When set to 0, it blocks VPN connections over cellular networks, enforcing that VPN traffic must use Wi-Fi or Ethernet. This is a device-level policy, not user-specific, and the OMA-URI is valid for Windows 10 devices managed by Intune.

Exam trap

The trap here is that candidates may confuse the OMA-URI path as invalid or think it applies only to users, when in fact the ./Device/ prefix explicitly targets the device scope, and the policy is a valid Windows 10 CSP setting.

How to eliminate wrong answers

Option A is wrong because setting the value to 0 blocks VPN over cellular, not allows it; a value of 1 would allow it. Option B is wrong because the OMA-URI is a valid and supported policy path for Windows 10 device configuration in Intune, so it will apply successfully. Option C is wrong because this policy is configured under the device-level node (./Device/Vendor/MSFT/...), meaning it applies to the device regardless of which user is signed in, not only to users.

505
MCQeasy

Users have iOS/iPadOS devices enrolled in Intune. You need to ensure that corporate data in managed apps is encrypted at rest. What should you configure?

A.iOS native encryption feature
B.Compliance policy for iOS/iPadOS
C.App protection policy for iOS/iPadOS
D.Device configuration profile with encryption settings
AnswerC

MAM policies can encrypt app data.

Why this answer

Option C is correct because app protection policies can enforce encryption of app data. Option B is wrong because compliance policies do not encrypt app data. Option D is wrong because device configuration profiles manage device settings, not app-level encryption.

Option A is wrong because iOS itself encrypts at the device level, but not app-specific data.

506
MCQmedium

Your organization uses Microsoft Intune to manage Windows 10 and Windows 11 devices. Users report that after a recent update, their devices are stuck at the login screen and cannot access corporate resources. You suspect a configuration conflict. Which action should you take first to restore device functionality without affecting other settings?

A.Create a new device configuration profile that overrides the conflicting settings.
C.Reset the devices remotely using Intune.
D.Perform a selective wipe on the affected devices.

Why this answer

The correct first action is to use the 'Test and remediate' feature in Intune, which allows you to apply a temporary configuration to a test group of devices to identify and resolve conflicts without affecting the broader device population. This approach isolates the issue, preserves existing settings, and provides a controlled rollback if needed, aligning with best practices for troubleshooting configuration conflicts in Intune-managed Windows devices.

Exam trap

The trap here is that candidates often choose 'Reset devices remotely' or 'Selective wipe' as a quick fix, not realizing that these are destructive actions that should be reserved for security breaches or device retirement, not for resolving configuration conflicts that can be isolated and tested.

How to eliminate wrong answers

Option A is wrong because creating a new device configuration profile that overrides conflicting settings can introduce additional conflicts or unintended changes, and it does not provide a controlled, reversible test before broad deployment. Option C is wrong because resetting devices remotely using Intune is a drastic measure that erases all data and settings, which is not appropriate for a configuration conflict that can be resolved with a targeted test. Option D is wrong because performing a selective wipe removes corporate data but leaves personal data intact; however, it does not address the underlying configuration conflict and may still leave devices in a non-functional state regarding login.

507
MCQhard

Your organization uses Microsoft Defender for Endpoint (now Microsoft Defender XDR) and Microsoft Intune. You need to ensure that devices that are deemed 'at risk' by Microsoft Defender for Endpoint are automatically blocked from accessing corporate resources. What should you configure?

A.An app protection policy in Intune that blocks access based on device risk.
B.A compliance policy that marks devices as noncompliant based on Defender for Endpoint risk, and a conditional access policy that blocks noncompliant devices.
C.A conditional access policy that requires device to be compliant, and a compliance policy that uses the Defender for Endpoint device risk level.
D.A device configuration policy that disables network access for at-risk devices.
AnswerB

This combination ensures that devices with high risk are blocked from accessing resources.

Why this answer

Option D is correct because the Device Health Attestation Service evaluates device health, but for Defender for Endpoint risk, you need a conditional access policy that uses the 'Require device to be marked as compliant' grant control, combined with a compliance policy that uses the 'Require the device to be at or under the Device Threat Level' setting. However, the option D says: 'A conditional access policy that requires the device to be marked as compliant, and a compliance policy that uses the Microsoft Defender for Endpoint device risk level.' That is exactly what is needed. Option A is wrong because an app protection policy is for app-level, not device-level.

Option B is wrong because a device configuration policy does not enforce access control. Option C is wrong because a compliance policy alone does not block access; it only marks noncompliant.

508
MCQmedium

Refer to the exhibit. You deploy this AppLocker policy via Microsoft Intune to Windows 10 devices. The policy is in AuditOnly mode. Users are now able to run unsigned executables. You need to block unsigned executables without affecting signed ones. What should you do?

A.Add a deny rule for all Microsoft signed executables.
B.Keep the policy in AuditOnly and rely on Windows Defender to block unsigned apps.
C.Delete the existing rule and create a new rule that explicitly allows only specific signed apps.
D.Change the EnforcementMode to 'Enabled' and add a deny rule for unsigned executables.
AnswerD

Enabling enforcement with only allow rules for signed blocks unsigned.

Why this answer

The rule allows all Microsoft signed apps but is in audit mode. To block unsigned executables, you must change EnforcementMode to Enabled and add a deny rule for unsigned executables. Option D is correct because simply enabling enforcement will block unsigned executables (since there is no allow rule for them).

Option A is incorrect because adding a deny rule for signed executables would block signed ones. Option C is incorrect because deleting the rule would block all executables. Option B is incorrect because audit mode does not block.

509
Multi-Selectmedium

Which TWO actions can you take to improve the performance of Microsoft Intune management for Windows devices that are geographically distributed and have limited bandwidth?

Select 2 answers
A.Deploy a Configuration Manager site server at each location to act as a peer cache.
B.Increase the frequency of device sync intervals to ensure policies are applied quickly.
C.Enable Delivery Optimization to use peer-to-peer sharing within the same network.
D.Configure Windows Update for Business to use 'Download only' mode to reduce update size.
E.Disable Windows Defender real-time scanning on devices.
AnswersC, D

Peer-to-peer reduces internet bandwidth usage by sharing downloads locally.

Why this answer

Options A and D are correct. Option A reduces data transfer by using delta updates. Option D reduces network load by using delivery optimization.

Option B is wrong because more frequent sync increases network usage. Option C is wrong because it does not affect bandwidth. Option E is wrong because Peer Cache uses local peers, not internet.

510
Multi-Selecteasy

You are planning to deploy Microsoft Defender for Endpoint on Windows 10 devices managed by Intune. Which TWO prerequisites must be met before deploying?

Select 2 answers
A.Devices must be joined to Azure AD.
B.A Microsoft Defender for Endpoint license must be assigned.
C.Devices must be enrolled in Microsoft Intune.
D.Devices must have a third-party antivirus uninstalled.
E.An Azure AD Premium license must be assigned.
AnswersB, C

License is required to use the service.

Why this answer

Options A and D are correct. Devices must be enrolled in Intune to receive the configuration. A Defender for Endpoint license is required.

Option B is not required because Defender is built into Windows 10. Option C is not a prerequisite. Option E is not required for deployment.

511
MCQmedium

You are troubleshooting a user's Windows 11 device that cannot connect to the corporate Wi-Fi network. The device is managed by Intune and has a Wi-Fi profile assigned. The profile uses SCEP certificate authentication. The certificate is issued by your internal CA. The device shows 'No internet access' though it connects. What is the most likely issue?

A.The SSID in the profile is incorrect
B.The root CA certificate is not deployed to the device
C.The user does not have an Intune license
D.The Wi-Fi profile is not assigned to the device
AnswerB

Without the root CA, the SCEP certificate cannot be validated.

Why this answer

Option B is correct because SCEP certificate-based authentication requires the device to trust the issuing CA. If the root CA certificate is not deployed to the device, the certificate chain cannot be validated, causing authentication failure. Option D (Profile is not assigned) would prevent connection entirely.

Option A (Wrong SSID) would not connect to the wrong network. Option C (User not licensed) would not affect certificate authentication after enrollment.

512
MCQhard

Refer to the exhibit. You are deploying Microsoft 365 Apps via Intune Win32 app packaging. The detection rule checks for the registry key existence. After installation, Intune reports the app as not detected. What is the most likely reason?

A.The detection type 'exists' is not supported for registry detection
B.The registry key path is incorrect for a 64-bit system
C.The app did not create the registry key during installation
D.The detection runs in 32-bit context and does not see the 64-bit registry key
AnswerD

32-bit detection redirected to WOW6432Node, but check32BitOn64System is false.

Why this answer

Option D is correct. The registry path uses 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot' but on a 64-bit system, a 32-bit app (like the detection agent) may be redirected to WOW6432Node. The check32BitOn64System is false, so it does not check the WOW6432Node path.

Option B is wrong because the path is correct on 64-bit systems for 64-bit Office. Option C is wrong because Office does install that key. Option A is wrong because the detection type 'exists' is correct.

513
MCQmedium

Refer to the exhibit. You run a PowerShell cmdlet to get managed devices and see the output above. The device is noncompliant. What is the most likely reason?

A.The device is not enrolled.
B.The device name is too long.
C.The OS version is not supported.
D.The device has not synced recently.
AnswerD

Last sync is more than 24 hours ago, which can cause noncompliance.

Why this answer

The device is noncompliant because it has not synced recently. In Microsoft Intune, devices must regularly check in to report their compliance status; if a device fails to sync within the configured grace period (typically 30 days by default), it is marked as noncompliant. The PowerShell output shows the device is enrolled and managed, but the last sync time is missing or outdated, triggering the noncompliant state.

Exam trap

The trap here is that candidates assume noncompliance is always due to a configuration or OS issue, but Microsoft Intune also enforces compliance based on device activity—specifically the last sync time—which is a common oversight in exam scenarios.

How to eliminate wrong answers

Option A is wrong because the device is already enrolled and managed, as indicated by the 'Managed' status in the output. Option B is wrong because device name length does not affect compliance; Intune supports names up to 256 characters and has no compliance rule for name length. Option C is wrong because the OS version is listed as '10.0.19044.1706' (Windows 10 21H2), which is a supported version for Intune management and compliance policies.

514
Multi-Selecteasy

Which TWO compliance settings can be configured in Microsoft Intune for Android devices?

Select 2 answers
A.Device is not jailbroken
B.Require a specific screen lock type
C.Minimum OS version
D.Require antivirus to be installed
E.Require encryption on the device
AnswersC, E

Common compliance setting.

Why this answer

Options C and E are correct. Intune can enforce minimum OS version and require encryption. Option A is wrong because Intune does not check for jailbreak on Android; that's for iOS.

Option B is wrong because Intune does not enforce screen lock type directly in compliance; it's a device restriction. Option D is wrong because Intune does not check for antivirus on Android.

515
MCQmedium

A company uses Microsoft Intune to manage Windows 10 devices. Users report that after a recent update, the Start menu layout is not enforced. The administrator verified the policy is assigned to the correct device groups. What should the administrator check next?

A.Check the enrollment restrictions for Windows
B.Reassign the policy to the same group
C.Review the policy status in the Troubleshooting + support blade
D.Modify the Windows Update ring policy
AnswerC

This blade shows policy conflicts and errors for each device.

Why this answer

The correct answer is to verify that the policy is not in a conflict state by using the Troubleshooting + support blade. Option B is incorrect because the policy is already assigned. Option A is incorrect because the enrollment restrictions are not related to Start layout.

Option D is incorrect because the update ring policy does not affect Start layout enforcement.

516
Multi-Selecthard

Your organization uses Microsoft Intune to manage Windows 11 devices. You need to configure a policy that prevents users from installing apps from outside the Microsoft Store. Which TWO settings can you use?

Select 2 answers
A.Set 'Windows Update for Business' to defer feature updates.
B.Enable 'Windows Defender Firewall' to block inbound connections from non-store apps.
C.Use the 'AppLocker' settings in a device configuration profile to allow only Store apps.
D.Enable 'BitLocker' to encrypt the system drive.
E.Configure 'SmartScreen' settings to block untrusted apps.
AnswersC, E

AppLocker can enforce store-only app installation.

Why this answer

In Intune, you can use a device configuration profile (Settings Catalog) to configure 'AppLocker' or 'SmartScreen' settings. Specifically, 'AppLocker' can block non-store apps, and 'SmartScreen' can block unknown apps. Option C and Option E are correct.

Option B is wrong because Windows Defender Firewall does not control app installation. Option D is wrong because BitLocker is for encryption. Option A is wrong because Windows Update for Business controls updates.

517
MCQeasy

You are the Intune administrator for a small business with 50 Windows 10 devices that are currently managed by a legacy on-premises MDM. The company wants to move to Microsoft Intune for cloud management. All devices are already joined to Microsoft Entra ID. You need to migrate the devices to Intune management without resetting them. You have the following options: A) Use Windows Autopilot to reset the devices and re-enroll. B) Use Group Policy to configure MDM enrollment. C) Use the 'Switch to Intune' option in the device's 'Access work or school' settings. D) Use a provisioning package (PPKG) to enroll devices. Which option should you choose?

A.Use Windows Autopilot to reset the devices and re-enroll
B.Use Group Policy to configure MDM enrollment
C.Use the 'Switch to Intune' option in the device's 'Access work or school' settings
D.Use a provisioning package (PPKG) to enroll devices
AnswerC

Non-disruptive migration for Entra ID joined devices.

Why this answer

The 'Switch to Intune' option in the device's 'Access work or school' settings is the correct choice because it allows a seamless migration from a legacy on-premises MDM to Microsoft Intune without requiring a device reset. This feature, available on Windows 10 devices already joined to Microsoft Entra ID, triggers an automatic MDM enrollment switch by communicating with the Intune service, preserving all existing data and settings.

Exam trap

The trap here is that candidates often confuse the 'Switch to Intune' option with a simple enrollment method, assuming any enrollment method (like PPKG or Group Policy) can perform a non-destructive migration, when in fact only the built-in switch option is designed to handle the transition from an existing MDM without a reset.

How to eliminate wrong answers

Option A is wrong because Windows Autopilot resets the device to an out-of-box state, which would wipe all data and settings, contradicting the requirement to migrate without resetting. Option B is wrong because Group Policy can configure MDM enrollment via the MDM enrollment authority policy, but it does not provide a direct 'switch' mechanism; it would require additional configuration and may not cleanly transition from an existing MDM without manual intervention or a reset. Option D is wrong because a provisioning package (PPKG) is used for initial enrollment or re-enrollment, but applying it to an already managed device would likely cause conflicts or require a reset, and it does not support a non-destructive migration from a legacy MDM.

518
MCQhard

Your organization uses Microsoft Defender for Cloud Apps (part of Microsoft Defender XDR). You need to detect when users access cloud apps from unauthorized locations. Which log source should you integrate to get location information?

A.Microsoft Entra ID sign-in logs
B.Microsoft Intune device enrollment logs
C.Microsoft Purview audit logs
D.Microsoft Sentinel
AnswerA

Entra ID sign-in logs provide IP addresses and geo-location for access events.

Why this answer

Option A is correct because Microsoft Defender for Cloud Apps can integrate with Microsoft Entra ID (Azure AD) to receive sign-in logs, which include IP address and location. Option D is wrong because Microsoft Sentinel is a SIEM, not a source of location data. Option C is wrong because Microsoft Purview is for compliance, not real-time access.

Option B is wrong because Intune enrollment logs do not contain app access location.

519
MCQeasy

You are preparing to deploy Windows 11 to 500 devices using Microsoft Intune. The devices are currently running Windows 10 22H2. You need to ensure that the in-place upgrade from Windows 10 to Windows 11 completes successfully. Which policy type should you configure in Intune to deliver the upgrade?

A.Deploy a configuration profile with the Windows 11 installation script.
B.Create a Windows update ring profile targeting Windows 11.
C.Create a Windows feature update profile targeting Windows 11.
D.Configure a device compliance policy requiring Windows 11.
AnswerC

Windows feature update profiles are designed to deploy feature updates like Windows 11 in Intune.

Why this answer

A Windows feature update profile in Intune is specifically designed to deliver feature updates like upgrading from Windows 10 to Windows 11. It uses the Windows Update for Business (WUfB) service to orchestrate the in-place upgrade, ensuring the device meets prerequisites and the upgrade completes successfully. This is the correct policy type for managing OS version upgrades at scale.

Exam trap

The trap here is confusing a Windows update ring profile (which controls update behavior but not the target version) with a Windows feature update profile (which explicitly specifies the target OS version for an upgrade), leading candidates to incorrectly choose Option B.

How to eliminate wrong answers

Option A is wrong because Intune does not support deploying a configuration profile with an installation script for OS upgrades; configuration profiles manage settings, not OS installation or upgrade scripts. Option B is wrong because a Windows update ring profile controls the update deferral, delivery optimization, and restart behavior for quality and feature updates, but it does not specify the target OS version for an upgrade; it only manages how updates are applied, not which feature update is installed. Option D is wrong because a device compliance policy enforces security and configuration requirements (e.g., requiring Windows 11) but does not initiate or deliver the upgrade; it only reports non-compliance if the device is not running the required OS.

520
MCQeasy

A company uses Microsoft Intune to manage devices. They need to ensure that a critical line-of-business app is updated automatically on all devices. Which assignment type should they use?

A.Required
B.End-user notification
C.Uninstall
D.Available for enrolled devices
AnswerA

Forces app installation and updates.

Why this answer

Required assignment forces installation and updates. Available allows user opt-in. Uninstall removes the app.

End-user notification is not an assignment type.

521
MCQmedium

You are the endpoint administrator for a healthcare organization that uses Intune to manage 500 iOS devices used by clinicians. The devices are enrolled as corporate-owned, user-approved devices via Apple Business Manager (ABM). You need to deploy a new custom electronic health record (EHR) app that is not in the App Store. The app is distributed as an .ipa file signed with an enterprise certificate. The app must be installed silently without user interaction. The devices are supervised and managed with iOS MDM. You have the following options: A) Deploy the app as a Volume Purchase Program (VPP) app. B) Use Apple Configurator to sideload the app via USB. C) Deploy the app as an iOS LOB app in Intune and assign to device groups. D) Distribute the app via a web link to the .ipa hosted on a public CDN. Which option should you choose?

A.Deploy the app as a Volume Purchase Program (VPP) app
B.Use Apple Configurator to sideload the app via USB
C.Deploy the app as an iOS LOB app in Intune and assign to device groups
D.Distribute the app via a web link to the .ipa hosted on a public CDN
AnswerC

Allows silent installation on supervised devices.

Why this answer

Option C is correct because deploying the app as an iOS LOB app in Intune allows you to upload the enterprise-signed .ipa file directly and assign it to device groups. Since the devices are supervised and enrolled via ABM, Intune can silently install the app using MDM commands without user interaction, leveraging the device's trust for enterprise certificates.

Exam trap

The trap here is that candidates confuse VPP apps with LOB apps, assuming VPP can handle any app distribution, but VPP is strictly for App Store apps, while LOB apps are required for custom enterprise-signed .ipa files.

How to eliminate wrong answers

Option A is wrong because VPP apps are only for apps distributed through the Apple App Store, not for custom enterprise-signed .ipa files. Option B is wrong because Apple Configurator sideloading via USB requires physical device connection and user interaction, which violates the silent installation requirement. Option D is wrong because distributing via a web link to the .ipa on a public CDN would require users to manually download and trust the enterprise certificate, and it does not support silent installation via MDM.

522
MCQhard

A company uses Microsoft Intune to manage iOS devices. Users report that they cannot install the required Microsoft Defender for Endpoint app from the Company Portal. The app shows as 'Not available' in the Company Portal. Which of the following is the most likely reason?

A.The app requires a valid Apple VPP token that has expired.
B.The device is marked as non-compliant with Intune compliance policies.
C.The Company Portal app version is outdated.
D.The device has 'Unknown Sources' enabled.
AnswerB

Non-compliant devices may be blocked from installing required apps.

Why this answer

If the app is assigned as 'Required' but the device is not compliant, the app may not be available. Option B is correct because compliance policies can block app installation. Option A is incorrect because VPP tokens are for volume purchasing, not availability.

Option C is incorrect because the Company Portal app is separate. Option D is incorrect because iOS does not have an 'Unknown Sources' setting.

523
MCQeasy

You are a Microsoft 365 administrator for a school district. You have 2,000 Windows 10 devices used by students. All devices are enrolled in Microsoft Intune. You need to deploy a set of educational apps from the Microsoft Store for Education (now part of Microsoft Store for Business). The apps should be automatically installed on all student devices, and students should not be able to remove them. You have already added the apps to your Microsoft Store for Business inventory and acquired offline licenses. You have also configured Intune to sync the Microsoft Store for Business. Which action should you take in Intune to deploy the apps with the least administrative effort?

A.Create a 'Microsoft Store for Business' app in Intune, select the offline-licensed apps, and assign as 'Required' to a device group containing all student devices.
B.Use the 'Microsoft Store app (Windows)' type and assign as 'Required' to the device group.
C.Create a 'Microsoft Store for Business' app in Intune, select the online-licensed apps, and assign as 'Available' to a user group.
D.Download the app packages and deploy as Win32 apps with silent switches.
AnswerA

Offline licenses allow silent install without user interaction.

Why this answer

Option A is correct: Using the 'Microsoft Store for Business' app type with offline licenses allows automatic sync and silent installation. Option B is for user-targeted. Option C is for online licenses.

Option D is for Win32 apps.

524
MCQeasy

A company wants to deploy Microsoft 365 Apps to 200 devices using Intune. They need to ensure that the deployment is available only to devices that meet a specific minimum OS version. Which feature should they use?

A.Assign the app and configure 'Require device compliance' with a filter for minimum OS version.
B.Assign the app with 'Uninstall' intent.
C.Assign the app as 'Available for enrolled devices' without filters.
D.Assign the app as 'Required' to all devices.
AnswerA

Device compliance filters can enforce OS version requirements.

Why this answer

Option A is correct because 'Require device compliance' in assignment allows filtering by OS version. Option D is wrong because 'Required' installs to all assigned devices. Option C is wrong because 'Available for enrolled devices' makes it optional.

Option B is wrong because 'Uninstall' removes the app.

525
Multi-Selecthard

You are deploying a Win32 app via Intune that requires .NET Framework 4.8 as a dependency. Which THREE steps must you perform to ensure the dependency is installed before the app?

Select 3 answers
A.Configure a detection rule for .NET Framework in the main app.
B.In the main app's properties, add a dependency and select the .NET Framework app.
C.Set the dependency to 'Auto-install' so it installs before the main app.
D.Add .NET Framework 4.8 as a separate app in Intune.
E.Create a supersedence relationship where the .NET Framework app supersedes the main app.
AnswersB, C, D

Dependencies are defined in the app properties.

Why this answer

Option B, Option C, and Option D are correct. You need to add the dependency app in Intune, set the dependency for the main app, and configure auto-install for the dependency. Option A is wrong because detection rules are for the main app, not dependency order.

Option E is wrong because supersedence is for replacement, not dependencies.
