Microsoft 365 Endpoint Administrator MD-102 (MD-102) — Questions 526600

991 questions total · 14 pages · All types, answers revealed


Page 8 of 14

526
MCQ · hard

You manage devices with Microsoft Intune. You need to implement a conditional launch policy for Microsoft Defender for Endpoint that requires the device to have a minimum version of the sensor (10.8049.22439.1043) and a healthy signal. Which JSON policy should you deploy?

A. {"deviceHealth": {"defenderSensorVersion": {"minimumVersion": "10.8049.22439.1043"}, "defenderSensorHealth": {"minimumVersion": "healthy"}}}
B. {"deviceHealth": {"defenderSensorVersion": {"version": "10.8049.22439.1043"}, "defenderSensorHealth": {"state": "enabled"}}}
C. {"deviceHealth": {"defenderSensorVersion": {"minimumVersion": "10.8049.22439.1043"}, "defenderSensorHealth": {"minimumVersion": 1}}}
D. {"deviceHealth": {"clientVersion": {"minimumVersion": "10.8049.22439.1043"}, "clientHealth": {"minimumVersion": 1}}}
E. {"deviceHealth": {"defenderSensorVersion": {"minimumVersion": "10.8049.22439.1043"}, "defenderSensorHealth": {"minimumVersion": 1}}}
Answer: E

Correct conditional launch policy for Defender sensor version and health.

Why this answer

Option E is correct because the 'deviceHealth' condition with 'defenderSensorVersion' and 'defenderSensorHealth' is the correct syntax for conditional launch in Intune app protection policies. Option B is wrong because 'minimumVersion' is not a valid key. Option D is wrong because 'clientVersion' is used for the app itself, not the sensor.

Option A is wrong because the syntax is incorrect.

527
MCQ · easy

You are a Microsoft Intune administrator for Tailwind Traders. The company has enrolled Windows 11 devices. You need to configure BitLocker encryption on all devices using Intune. You have created an endpoint security policy for BitLocker and assigned it to the correct group. After 24 hours, some devices still show as not encrypted. You verify that the devices are compliant with the policy's prerequisites. What should you do to force the policy to apply?

A. Use Group Policy Editor to configure BitLocker locally on each device.
B. Check if the devices have TPM version 2.0.
C. Re-create the BitLocker policy with a different name.
D. Remotely sync the devices from the Intune console to refresh policy.
Answer: D

Sync forces policy retrieval and application.

Why this answer

Triggering a sync on the devices will force the policy to be applied. Re-creating the policy is unnecessary. Using a local GPO is not managed centrally.

Checking the hardware is not relevant.

528
MCQ · easy

Refer to the exhibit. The JSON snippet shows a Windows Update for Business policy assigned to a device group. Users report that quality updates are installed 7 days after release. Which setting controls this behavior?

A. featureUpdateDeferralPeriodInDays
B. businessReadyUpdatesOnly
C. qualityUpdateDeferralPeriodInDays
D. automaticUpdateMode
Answer: C

This setting defers quality updates by the specified number of days.

Why this answer

Option C is correct because qualityUpdateDeferralPeriodInDays is set to 7, deferring quality updates by 7 days. Option A is wrong because featureUpdateDeferralPeriodInDays controls feature updates. Option D is wrong because automaticUpdateMode controls restart behavior.

Option B is wrong because businessReadyUpdatesOnly controls which updates are offered.

529
MCQ · medium

Your organization uses Microsoft Intune to manage Windows 10 devices. You need to ensure that only approved Microsoft Store apps can be installed on company devices. The solution must not require users to be local administrators. What should you configure?

A. Enable Conditional Access to block non-approved apps.
B. Deploy a local AppLocker policy using Intune.
C. Configure Windows Defender Application Control (WDAC) policy.
D. Assign an Intune App Protection Policy (APP) for Windows.
Answer: B

AppLocker can be configured via Intune to restrict app installations to approved Store apps.

Why this answer

Option B is correct because a local AppLocker policy can be deployed via Intune to control app installations without requiring admin rights. Option C is incorrect because Windows Defender Application Control is more complex and not solely for Store apps. Option D is incorrect because Intune App Protection Policies apply to mobile devices, not Windows.

Option A is incorrect because Conditional Access controls access, not app installation.

530
Multi-Select · medium

A company uses Microsoft Intune to manage Windows 10 devices. The administrator needs to configure Windows Defender Firewall rules via a device configuration profile. Which TWO settings can be configured?

Select 3 answers
A. Configure notification settings
B. Set default inbound action
C. Enable local firewall merge
D. Set default outbound action
E. Configure log file location
Answers: B, C, D

Default inbound action (allow/block) can be configured.

Why this answer

Option B is correct because the Windows Defender Firewall device configuration profile in Microsoft Intune includes the 'Default inbound action' setting, which allows administrators to specify whether inbound connections that do not match an explicit rule should be blocked or allowed. This setting is a core firewall behavior control that can be enforced via a device configuration profile (Windows 10 and later) under the 'Endpoint Protection' category.

Exam trap

The trap here is that candidates often assume 'Set default outbound action' is configurable in the same profile because it mirrors the inbound setting, but the MD-102 exam tests that only the inbound default action is exposed in the Intune device configuration profile for Windows Defender Firewall rules.

531
MCQ · medium

A user reports that they cannot install a company-required app from the Company Portal on their Android device. The app is assigned as 'Available for enrolled devices' in Intune. The device is enrolled and compliant. What is the most likely issue?

A. The device is not compliant with the compliance policy.
B. The app is not assigned to the user's device group.
C. The app is not approved in the Android Enterprise managed Google Play.
D. The Company Portal app is not installed on the device.
Answer: B

The app must be assigned to the user or group.

Why this answer

Option B is correct because the app must be assigned to the user or device group. Option A is wrong because the device is compliant. Option C is wrong because Android app approval status is not a common issue.

Option D is wrong because Company Portal is installed.

532
MCQ · hard

You are a Microsoft 365 Endpoint Administrator for Contoso Ltd. The company has 2,000 Windows 11 devices enrolled in Microsoft Intune. You need to deploy a custom line-of-business (LOB) application (AppX package) to 500 devices used by the sales team. The app must be available in the Company Portal for users to install on demand, but it should also be automatically installed on devices that have not installed it within 7 days. Additionally, you want to ensure that the app is removed if a device is unenrolled from Intune. The sales team members are in a dynamic device group called 'Sales Devices' based on device category. You have the AppX package (.appxbundle) signed with a trusted certificate. You need to choose the correct deployment approach from the four options below.

A. Add as a Microsoft Store for Business (offline) app, assign to 'Sales Devices' group as 'Available', and configure deadline after 7 days.
B. Add as a Line-of-business app, assign to 'Sales Devices' group as 'Required', and also assign to the same group as 'Available' for Company Portal.
C. Add as a Line-of-business app, assign to 'Sales Devices' group as 'Available', and configure 'Available for enrolled devices' with deadline after 7 days.
D. Add as a Windows app (Win32), assign to a user group containing sales users as 'Required', and set deadline to 7 days.
Answer: B

Required ensures auto-install; Available allows on-demand; removal on unenroll is automatic.

Why this answer

Option B is correct: a required assignment to the device group ensures installation on all devices; the 'Available' assignment makes it visible in Company Portal; removal on unenroll is automatic with a required assignment. Option A has no required assignment. Option D uses a user group, not a device group.

Option C uses an 'Available' assignment with a deadline, but a deadline is not supported for LOB apps in that way.

533
MCQ · medium

An administrator is deploying Windows 11 using Configuration Manager. The task sequence fails on some devices during the 'Apply Operating System' step with a notice that the image file is not valid. All other devices succeed. What is the most likely cause?

A. The boot image is not compatible with the device firmware.
B. The distribution point is out of disk space.
C. The task sequence variable OSDPackagePath is missing.
D. The OS image download was corrupted on the client.
Answer: D

Corrupted download causes invalid image error on specific clients.

Why this answer

Option D is correct because a corrupted OS image download on the client will cause the 'Apply Operating System' step to fail with an 'image file is not valid' error. Since the issue occurs only on some devices, a per-client download corruption (e.g., due to network interruption or disk I/O errors during BITS transfer) is the most likely cause, while the image itself remains valid on the distribution point.

Exam trap

The trap here is that candidates often assume a distribution point or boot image problem because those are common causes of task sequence failures, but the 'some devices succeed' clue points to a client-specific corruption rather than a global infrastructure issue.

How to eliminate wrong answers

Option A is wrong because a boot image incompatible with device firmware would cause a failure earlier in the task sequence, typically during the boot phase or when loading Windows PE, not during the 'Apply Operating System' step. Option B is wrong because if the distribution point were out of disk space, the failure would affect all clients attempting to download the OS image, not just some devices. Option C is wrong because the OSDPackagePath variable is automatically set by Configuration Manager during task sequence processing; if it were missing, the task sequence would fail consistently on all devices, not selectively.

534
MCQ · hard

Your organization uses Microsoft Intune to manage Windows 10 devices. They deploy a Win32 app using detection rules. The app installs but the detection rule incorrectly reports failure, causing repeated installation attempts. What is the best way to resolve this?

A. Uninstall and redeploy the app
B. Update the detection rule to accurately reflect installed state
C. Reinstall the app manually
D. Modify the installation command to suppress output
Answer: B

Corrects the false failure.

Why this answer

Updating the detection rule to accurately detect installation will prevent repeated attempts. Reinstalling may cause issues. Modifying the install command may not fix detection.

Uninstalling and redeploying is unnecessary.

535
MCQ · easy

You need to ensure that only compliant devices can access corporate email in Exchange Online. Which Conditional Access policy setting should you configure?

A. Require device to be marked as compliant
B. Require multi-factor authentication
C. Require hybrid Azure AD joined device
D. Require approved client app
Answer: A

Directly enforces compliance for access.

Why this answer

Option A is correct because 'Require device to be marked as compliant' is the standard setting for this scenario. Option B is wrong because multi-factor authentication is separate. Option C is wrong because hybrid Azure AD join is for device identity, not compliance.

Option D is wrong because app protection policies are for mobile app management, not device compliance.

536
MCQ · medium

Refer to the exhibit. You have the following compliance policy assigned to a Windows 10 device running version 10.0.22000.0. The device has a password of 8 characters and is encrypted. What is the compliance status of the device?

A. Noncompliant due to password length
B. Noncompliant due to encryption
C. Compliant
D. Noncompliant due to OS version
Answer: C

All conditions are met.

Why this answer

Option C is correct because the device OS version (10.0.22000.0) is within the minimum (10.0.19041.0) and maximum (10.0.22621.0) versions, the password is 8 characters (min 6), and encryption is enabled. Option B is wrong because all conditions are met. Option D is wrong because the OS version is within range.

Option A is wrong because the password meets the requirements.

537
MCQ · medium

You are troubleshooting a Windows device that is not receiving policies from Microsoft Intune. The device shows as 'Not evaluated' or 'Pending' in the Intune console. The device is enrolled and connected to the internet. What is the most likely cause?

A. The device is marked as non-compliant.
B. The device does not have a valid device certificate.
C. The device has not checked in with the Intune service recently.
D. The device enrollment profile has expired.
Answer: C

Devices must check in to receive policy updates.

Why this answer

When a device shows as 'Not evaluated' or 'Pending' in the Intune console, it indicates that the Intune service has not received a recent check-in from the device. Even if the device is enrolled and connected to the internet, it must periodically communicate with the Intune service to retrieve policies; the default check-in interval is approximately 8 hours, and if the device misses this window, policies remain unevaluated.

Exam trap

The trap here is that candidates often assume policy delivery failures are due to compliance or certificate issues, but the MD-102 exam specifically tests the understanding that a device must actively check in with the Intune service to receive policies, and a 'Pending' status directly indicates a missed check-in.

How to eliminate wrong answers

Option A is wrong because a non-compliant device still receives policies from Intune; compliance status affects conditional access, not policy delivery. Option B is wrong because while a valid device certificate is required for enrollment, the issue described is about policy retrieval after enrollment, and a missing or expired certificate would typically cause enrollment failure or a different error state, not a 'Not evaluated' status. Option D is wrong because enrollment profiles are used during the enrollment process itself; once a device is enrolled, the profile is no longer relevant for ongoing policy delivery, and an expired profile would prevent enrollment, not cause a 'Pending' state for already-enrolled devices.

538
MCQ · hard

Your organization uses Microsoft Intune to manage Windows 10 devices. You need to enforce BitLocker encryption on all devices. Some devices are not encrypting. You check the BitLocker policy and it is assigned correctly. What is the most likely reason?

A. The device is running Windows 10 Home edition.
B. The device does not have a TPM chip.
C. The BitLocker policy is not assigned to the users.
D. The device is non-compliant and encryption is blocked.
Answer: B

TPM is required for BitLocker.

Why this answer

Option B is correct because BitLocker requires a TPM, and if the device does not have one, encryption will not start. Option C is wrong because the policy is assigned correctly. Option D is wrong because the device is compliant.

Option A is wrong because BitLocker does not require a specific Windows edition for basic encryption.

539
MCQ · easy

Your organization wants to deploy Windows Update for Business policies using Microsoft Intune to Windows 10 devices. Which policy type should you use?

A. App protection policy
B. Device configuration profile for Windows Update for Business
C. Device compliance policy
D. Endpoint security policy for antivirus
Answer: B

This profile type configures update rings and deferrals.

Why this answer

Windows Update for Business settings are configured via device configuration profiles in Intune. Option B is correct because 'Windows Update for Business' is a profile type under 'Update Policies' or 'Device configuration - Windows Update'. Option C is incorrect because compliance policies are for compliance, not updates.

Option A is incorrect because app protection policies manage data protection. Option D is incorrect because endpoint security policies include antivirus, not update settings.

540
Multi-Select · easy

Your organization is implementing Windows Autopilot. Which TWO prerequisites must be met before you can use Autopilot?

Select 2 answers
A. An on-premises Active Directory domain
B. Microsoft Intune licenses
C. Configuration Manager
D. Microsoft Entra ID P1 or P2 licenses
E. TPM 2.0 chip on all devices
Answers: B, D

Intune licenses are required for device management.

Why this answer

Option B and Option D are correct because Autopilot requires Microsoft Entra ID P1/P2 and Intune licenses. Option A is wrong because on-prem AD is not required. Option C is wrong because Configuration Manager is not required.

Option E is wrong because a TPM is only required for self-deploying mode.

541
MCQ · easy

You have created the above custom policy but it fails to apply on Windows 10 devices. What is the most likely reason?

A. The value must be an integer, not a string.
B. The OMA-URI targets the user, not the device.
C. Custom configuration policies are not supported on Windows 10.
D. The OMA-URI path is incorrect for an ADMX-backed policy.
Answer: D

ADMX policies require a specific URI format that includes the category path.

Why this answer

Option D is correct because the OMA-URI path for an ADMX-backed policy must follow the exact format: `./Device/Vendor/MSFT/Policy/Config/ADMX_<Category>/<PolicyName>`. If the path is incorrect—for example, missing the `ADMX_` prefix or using a wrong category name—the policy will fail to apply on Windows 10 devices. Custom configuration policies do support ADMX-backed policies, but the URI must precisely match the ADMX administrative template structure.

Exam trap

The trap here is that candidates assume any OMA-URI error is due to targeting (user vs. device) or data type issues, but the MD-102 exam specifically tests the precise URI syntax for ADMX-backed policies, which is a common misconfiguration point.

How to eliminate wrong answers

Option A is wrong because the error is not about data type mismatch; ADMX-backed policies can accept string values (e.g., registry strings) depending on the policy definition, and the question does not specify a value type conflict. Option B is wrong because the OMA-URI for device configuration policies uses the `./Device/` prefix, not `./User/`, and targeting the user would be a different scope; the issue here is the path structure, not the target. Option C is wrong because custom configuration policies are fully supported on Windows 10 via MDM; they are a core feature for deploying settings not available in the built-in configuration profiles.

542
MCQ · hard

Your organization has an existing Microsoft Intune environment. You need to configure a Windows 11 device to automatically enroll in Intune when a user signs in with their Microsoft Entra ID credentials. The device is joined to Microsoft Entra ID. What should you do?

A. Set the MDM user scope in Microsoft Entra ID to 'All' or 'Some'.
B. Configure the MDM discovery URL in Microsoft Entra ID.
C. Create an enrollment restriction that allows Windows devices.
D. Assign a device compliance policy to the user.
Answer: A

This enables automatic enrollment for Microsoft Entra ID joined devices.

Why this answer

Option A is correct because Microsoft Entra ID joined devices automatically enroll in Intune when the MDM user scope is set to 'All' or 'Some'. Option B is wrong because the MDM discovery URL is configured automatically for Microsoft Entra ID joined devices. Option C is wrong because enrollment restrictions do not trigger automatic enrollment.

Option D is wrong because device compliance policies are applied after enrollment.

543
MCQ · hard

Your organization uses Microsoft Intune for device management. You have a compliance policy that requires Windows devices to have BitLocker enabled. A user reports that their device is marked as non-compliant even though BitLocker is turned on. What is the most likely cause?

A. The BitLocker recovery key is not escrowed to Microsoft Entra ID
B. BitLocker is only enabled on data drives, not the system drive
C. The device is running a version of Windows that does not support BitLocker
D. The device does not have a TPM chip
Answer: A

The compliance policy checks for recovery key backup; missing escrow causes non-compliance.

Why this answer

Option A is correct because the compliance policy often checks for the recovery key being escrowed to Entra ID, not just encryption. Option D is wrong because TPM is checked but is not the primary issue. Option B is wrong because BitLocker on the OS drive is required.

Option C is wrong because version compatibility is usually not the issue.

544
MCQ · medium

You are planning the enrollment of 500 Android Enterprise personally-owned work profile devices. Management requires that users must not be able to remove the work profile from their device. Which enrollment method should you use?

A. Android Enterprise dedicated devices
B. Android Enterprise corporate-owned work profile
C. Android Enterprise fully managed
D. Android Enterprise personally-owned work profile
Answer: A

Dedicated devices are fully managed and users cannot remove the work profile.

Why this answer

Option A is correct because Android Enterprise dedicated devices are fully managed and cannot have the work profile removed by the user. Option D is wrong because a personally-owned work profile allows users to remove the work profile. Option B is wrong because corporate-owned work profile is for company-owned devices.

Option C is wrong because fully managed is for corporate-owned devices.

545
MCQ · medium

Your company uses Microsoft Intune to manage Android Enterprise devices. You need to ensure that work apps are sandboxed from personal apps. Which enrollment type should you use?

A. Fully managed
B. Work profile
C. Device administrator
D. Corporate-owned personally enabled (COPE)
Answer: B

Creates a separate work profile that sandboxes work apps on personally owned devices.

Why this answer

Option B is correct because an Android Enterprise work profile creates a separate profile on the device that isolates work apps and data from personal apps. Option C is wrong because device administrator mode is legacy and does not provide strong separation. Option D is wrong because corporate-owned personally enabled (COPE) uses a work profile but is for corporate-owned devices, not BYOD.

Option A is wrong because fully managed is for corporate-owned devices without a personal space.

546
MCQ · medium

Your organization uses Microsoft Defender for Endpoint (part of Microsoft Defender XDR) on all Windows devices. You need to ensure that devices that are not actively reporting to Defender for Endpoint are flagged as non-compliant in Intune. What should you configure?

A. Create a Conditional Access policy requiring device compliance and blocking access if not compliant.
B. Enable 'Require BitLocker' compliance setting.
C. Deploy a PowerShell script via Intune that checks the Defender service status and reports to Intune custom compliance.
D. Add a compliance policy setting: 'Require the device to be at or under the machine risk score' with a low score.
Answer: D

This setting uses Defender for Endpoint risk score to evaluate compliance. If the device is not reporting, the score is not available, causing non-compliance.

Why this answer

Intune compliance policies can include a rule to require that the device is marked as a 'healthy' device by Microsoft Defender for Endpoint. This rule evaluates the device's sensor state. Option D is correct.

Option B is wrong because it's for device health attestation, not Defender. Option A is wrong because Conditional Access does not flag compliance; it enforces access. Option C is wrong because a compliance policy for Defender is not a script.

547
MCQ · hard

You need to configure Windows Update for Business policies using Intune. You want to defer feature updates by 60 days and quality updates by 14 days. Which policy setting should you use?

A. Windows compliance policy
B. Windows 10 and later update ring
C. Windows feature update policy
D. Windows driver update policy
Answer: B

Allows configuring deferral periods.

Why this answer

Option B is correct because the Update Rings policy includes settings for deferral periods. Option C is wrong because the feature updates policy is for version targeting. Option D is wrong because the driver updates policy is separate.

Option A is wrong because Windows Update for Business is not a compliance policy.

548
MCQ · easy

A company plans to deploy Windows 11 to 500 new devices using Windows Autopilot. The devices are purchased from a hardware vendor that supports OEM registration. Which prerequisite must be met to ensure Autopilot can automatically enroll these devices?

A. The devices must be registered in Microsoft Intune via the hardware vendor or manually.
B. The organization must have a hybrid Azure AD join configuration in place.
C. BitLocker must be enabled on the devices before they are shipped.
D. A local administrator account must be created on each device prior to deployment.
Answer: A

Autopilot requires device registration in Intune for automatic enrollment.

Why this answer

Option A is correct because Autopilot requires the device to be registered in Microsoft Intune (or Entra ID) before it can be automatically enrolled. Option D is wrong because a local admin account is not required. Option B is wrong because a hybrid join configuration is optional.

Option C is wrong because BitLocker is not a prerequisite for enrollment.

549
MCQ · medium

You need to deploy a custom Windows 11 feature update to a pilot group of 50 devices before rolling out to the entire organization. The devices are managed by Intune and are in a 'Pilot' Azure AD group. What is the best approach?

A. Configure a Windows Update for Business deferral policy for all devices
B. Create a custom configuration profile with update settings
C. Create a feature update profile for Windows 11 and assign to the pilot group
D. Use Group Policy to configure Windows Update settings for the pilot group
Answer: C

Feature update profiles allow targeted deployment of feature updates.

Why this answer

Option C is correct because Intune's feature update profiles are specifically designed to deploy Windows 11 feature updates to targeted Azure AD groups, such as the 'Pilot' group. This approach allows you to control the exact feature update version (e.g., Windows 11 23H2) and assign it only to the pilot devices, enabling a controlled rollout before expanding to the entire organization.

Exam trap

The trap here is that candidates often confuse feature update profiles with quality update policies or configuration profiles, mistakenly thinking any update-related setting can be applied via a configuration profile or deferral policy.

How to eliminate wrong answers

Option A is wrong because a Windows Update for Business deferral policy only delays the installation of updates; it does not deploy a specific feature update version to a targeted group. Option B is wrong because custom configuration profiles are used for device settings (e.g., security policies, app configurations), not for deploying feature updates; feature updates require a dedicated feature update profile. Option D is wrong because Group Policy is not applicable in a cloud-only Intune-managed environment; devices must be Azure AD joined and managed via Intune, and Group Policy requires on-premises Active Directory and Domain Services.

550
MCQ · easy

Northwind Traders is a retail company with 500 employees. They use Microsoft Intune to manage iOS devices. The company has a custom iOS app for inventory management that they need to deploy to all store managers. The app is signed with an enterprise certificate. The administrator uploads the .ipa file to Intune and assigns it as 'Required' to a device group containing the store managers' devices. After 48 hours, several managers report that the app is not installed on their devices. The administrator checks the Intune console and sees that the app status for those devices is 'Pending install'. What should the administrator do first to resolve the issue?

A. Deploy a certificate profile that installs the enterprise root certificate to the affected devices.
B. Create an app protection policy and assign it to the devices.
C. Instruct the users to install the app manually from the Company Portal app.
D. Re-upload the .ipa file to Intune with a different version number.
Answer: A

The devices need to trust the enterprise certificate.

Why this answer

The 'Pending install' status for an enterprise-signed iOS app typically indicates that the device does not trust the enterprise certificate used to sign the app. Deploying a certificate profile that installs the enterprise root certificate on the affected devices establishes trust, allowing the app to install successfully. Without this trust, iOS blocks the installation of any enterprise-signed app, even when assigned as 'Required' via Intune.

Exam trap

The trap here is that candidates may assume the issue is with the app package or assignment, rather than recognizing that iOS's enterprise app trust model requires the root certificate to be explicitly deployed to devices before installation can occur.

How to eliminate wrong answers

Option B is wrong because app protection policies (MAM) control data access and behavior within apps, not the installation of enterprise-signed apps; they do not resolve certificate trust issues. Option C is wrong because instructing users to install manually from Company Portal will still fail if the enterprise root certificate is not trusted on the device, as iOS will block the installation. Option D is wrong because re-uploading the .ipa file with a different version number does not address the underlying certificate trust issue; the app will remain in 'Pending install' until the device trusts the signing certificate.

551
MCQ · hard

You need to ensure that Windows 10 devices automatically receive Microsoft 365 Apps updates from the Internet when not connected to the corporate network. Which update channel should you configure?

A. Monthly Enterprise Channel
B. Office Insider
C. Current Channel
D. Semi-Annual Channel
Answer: C

Current Channel delivers updates as they become available and works over the Internet.

Why this answer

The Current Channel is the correct choice because it provides the most frequent updates for Microsoft 365 Apps, and it is the only channel that supports automatic updates from the Internet (via the Office Content Delivery Network) when devices are not connected to the corporate network. This channel is designed for devices that need the latest features and security updates without relying on on-premises update infrastructure.

Exam trap

The trap here is that candidates often confuse the Monthly Enterprise Channel with the Current Channel, assuming that 'Monthly' implies automatic Internet updates, but the Monthly Enterprise Channel is actually designed for managed deployment and does not support automatic Internet-based updates for off-network devices.

How to eliminate wrong answers

Option A is wrong because the Monthly Enterprise Channel is intended for organizations that want a predictable, once-a-month update cycle and typically rely on on-premises distribution points (e.g., Configuration Manager) or cloud-based management tools, not automatic Internet-based updates for off-network devices. Option B is wrong because Office Insider is a pre-release channel for testing upcoming features and is not intended for production devices requiring stable, automatic updates from the Internet. Option D is wrong because the Semi-Annual Channel provides updates only twice a year and is designed for environments with strict change management and on-premises update control, not for devices that need to automatically receive updates from the Internet when off the corporate network.

552
MCQmedium

Your organization uses Microsoft Intune to deploy apps to Windows 11 devices. You need to ensure that a Win32 app installs only when the device has at least 4 GB of RAM. What should you configure?

A.A dependency rule that includes a RAM check
B.A return code for insufficient RAM
C.A requirement rule that specifies minimum RAM
D.A detection rule for RAM
AnswerC

Requirement rules define hardware and software prerequisites.

Why this answer

Intune Win32 apps support requirement rules, including memory (RAM) checks. Option C is correct. Option D is wrong because detection rules determine whether the app is already installed, not whether it can be installed.

Option B is wrong because return codes indicate installation success or failure. Option A is wrong because dependency rules specify app dependencies, not hardware requirements.

553
MCQeasy

Your organization wants to use Windows Autopilot to deploy new Windows 11 devices. What is required to register a device with Windows Autopilot?

A.The device's product key
B.The device's hardware hash (4K HH)
C.The user's Microsoft account
D.The device's BIOS password
AnswerB

The hardware hash uniquely identifies the device and is required for Autopilot registration.

Why this answer

Windows Autopilot requires the device's hardware hash (4K HH) to uniquely identify the device during the registration process. This hash is generated from the device's hardware components and is uploaded to the Microsoft Intune or Partner portal to associate the device with an Autopilot profile. Without the hardware hash, Autopilot cannot recognize the device as registered and will not apply the deployment profile.

Exam trap

The trap here is that candidates often confuse the hardware hash with the product key, assuming that a license or activation key is needed for Autopilot registration, but Autopilot relies solely on hardware-based identification.

How to eliminate wrong answers

Option A is wrong because the product key is used for Windows activation, not for Autopilot registration; Autopilot uses the hardware hash to identify the device. Option C is wrong because the user's Microsoft account is not required for device registration; Autopilot registration is device-centric and occurs before user sign-in. Option D is wrong because the BIOS password is a security feature for local access control and has no role in Autopilot's device identification or enrollment process.

554
MCQmedium

Refer to the exhibit. You have applied this compliance policy to a Windows 10 device running build 10.0.19044. The device meets all requirements except that the firewall is disabled. What will be the compliance status of the device?

A.Non-compliant, because the OS version is not within the allowed range.
B.Compliant, because the policy includes a grace period for firewall.
C.Compliant, because the OS version is within the allowed range.
D.Non-compliant, because the firewall is disabled.
AnswerD

Active firewall is required; disabling it makes the device non-compliant.

Why this answer

The policy requires activeFirewallRequired to be true. Since the firewall is disabled, the device is non-compliant. Even though other requirements are met, non-compliance in one area makes the device non-compliant.

Option B is incorrect because the policy does not have a grace period. Option C is incorrect because the device is non-compliant; an OS version within the allowed range does not override the firewall requirement. Option A is incorrect because the OS version is within the allowed range, so the policy is applicable to the device.

555
MCQhard

Your company uses Microsoft Intune to manage Windows devices. Users frequently work from public Wi-Fi and the security team is concerned about unmanaged devices accessing corporate resources. You need to ensure that only devices compliant with your security policies can access Microsoft 365 services. What should you implement?

A.Deploy Windows Autopilot for all devices and require Entra ID join
B.Configure Conditional Access policies in Microsoft Entra ID that require compliant devices
C.Configure a VPN profile in Intune and enforce device compliance on the VPN server
D.Create a compliance policy in Intune and assign it to all users
AnswerB

Conditional Access enforces access control based on device compliance status from Intune.

Why this answer

Option B is correct because Conditional Access with device compliance policies is the standard approach to restrict access to compliant devices. Option C is wrong because VPN enforcement is not a direct Intune feature for conditional access. Option A is wrong because Autopilot doesn't enforce access control.

Option D is wrong because compliance policies alone don't enforce access; they require Conditional Access.

556
Multi-Selecthard

Your organization uses Microsoft Intune to manage devices. You need to ensure that only approved applications can run on Windows 10 devices. Which THREE components can you use to implement application control? (Choose three.)

Select 3 answers
A.Windows Information Protection (WIP).
B.Windows Defender Application Control (WDAC).
C.Intune application control policies.
D.AppLocker.
E.BitLocker drive encryption.
AnswersB, C, D

WDAC is a code integrity policy to control what apps can run.

Why this answer

Windows Defender Application Control (WDAC) is a code integrity feature that restricts which executables, scripts, and installers can run on Windows 10 devices. It uses a trust-based model where only binaries signed by approved publishers or with specific hash values are allowed, making it a core component for application control in an Intune-managed environment.

Exam trap

The trap here is that candidates often confuse Windows Information Protection (WIP) with application control because both involve 'policies' in Intune, but WIP is strictly for data loss prevention, not for blocking or allowing application execution.

557
MCQhard

A Win32 app 'AdobeReader' is configured as 'required' but users report the app is not installed. The above log excerpt is from a device that shows 'Installed' in Intune. What is the most likely cause?

A.The detection script incorrectly reports the app as installed.
B.The app is assigned to a different device group.
C.The app was installed but later removed by the user.
D.The device is not syncing with Intune.
AnswerA

The script returns exit code 0 and stdout 'Installed', so Intune skips enforcement. The actual app may be missing.

Why this answer

The log excerpt indicates that Intune reports the app as 'Installed' on the device, yet users confirm it is not present. This discrepancy most likely occurs because the detection script used to verify installation is flawed—it may be checking for a registry key, file, or version string that exists even when the app is not fully installed, or it may be returning a false positive. Since Intune relies entirely on the detection method to determine installation status, an incorrect script would cause Intune to mark the app as installed without the actual binaries being present.

Exam trap

The trap here is that candidates assume 'Installed' in Intune means the app is physically present on the device, but Intune only reflects what the detection method reports, not the actual file system state.

How to eliminate wrong answers

Option B is wrong because if the app were assigned to a different device group, the device would not receive the required assignment at all, and Intune would not show the app as 'Installed'—it would show 'Not applicable' or 'Pending'. Option C is wrong because if the user removed the app, Intune's next sync would detect the absence via the detection script and reinstall the app (since it's required), or at minimum change the status to 'Failed' or 'Not installed'. Option D is wrong because if the device were not syncing, Intune would show a stale or 'Last check-in' status older than 24 hours, and the app status would likely be 'Pending' or 'Unknown', not 'Installed'.

558
MCQhard

Your organization uses Microsoft Intune to manage macOS devices. You need to deploy a configuration profile that enforces FileVault encryption. The profile must allow recovery key escrow to Intune. After deploying the profile, you notice that some devices are not encrypted. What should you check first?

A.Check if the user has logged in and acknowledged the FileVault prompt.
B.Ensure that a compliance policy is also assigned requiring encryption.
C.Ensure the devices are supervised.
D.Verify that the profile is assigned to the correct device group.
AnswerA

FileVault requires user interaction to start encryption.

Why this answer

Option A is correct because FileVault encryption on macOS requires user interaction to complete. When Intune deploys a FileVault profile with recovery key escrow, the user must log in and explicitly acknowledge the FileVault prompt to enable encryption. If the user has not done so, the device remains unencrypted regardless of the profile assignment.

Exam trap

The trap here is that candidates often assume a configuration profile alone enforces encryption immediately, overlooking the mandatory user interaction step required by macOS for FileVault activation.

How to eliminate wrong answers

Option B is wrong because compliance policies do not trigger encryption; they only report non-compliance after encryption is expected. Option C is wrong because macOS devices do not require supervision for FileVault encryption or key escrow; supervision is an iOS/iPadOS concept. Option D is wrong because if the profile were assigned to the wrong group, the profile would not appear on the device at all, but the issue here is that the profile is deployed yet encryption is not active, indicating a user interaction gap.

559
Multi-Selectmedium

Which TWO troubleshooting steps should you take when a Windows 11 device fails to enroll in Intune with error code 0x80180014?

Select 2 answers
A.Ensure that the device is in the correct enrollment profile group.
B.Recreate the device compliance policy.
C.Check if the device is already enrolled in another MDM provider.
D.Verify that the user has an appropriate Intune license assigned.
E.Check if the device has TPM 2.0 enabled.
AnswersC, D

Device might be already enrolled elsewhere.

Why this answer

Error code 0x80180014 typically indicates that the device is already enrolled with another MDM provider, such as Microsoft Configuration Manager (with co-management) or a third-party MDM like VMware Workspace ONE. Intune enforces a single-MDM enrollment policy per device; if a prior MDM enrollment is detected, the new enrollment attempt fails. Checking for existing MDM enrollment is therefore the correct first step.

Exam trap

The trap here is that candidates often assume error 0x80180014 is a licensing or compliance issue, but Microsoft specifically uses this error code to signal a duplicate or conflicting MDM enrollment, not a missing license or policy misconfiguration.

560
MCQmedium

You manage Windows 10 devices with Microsoft Intune. A user reports that a device has a red shield icon in the Windows Security Center, indicating tamper protection is off. You need to re-enable tamper protection on the device using Intune. Which profile type should you configure?

A.Device configuration profile (settings catalog)
B.Endpoint protection profile (Microsoft Defender Antivirus)
C.Security baseline (Windows 10/11)
D.Compliance policy
AnswerB

Tamper protection is configured within the Microsoft Defender Antivirus section of endpoint protection profiles.

Why this answer

Option B is correct because tamper protection is configured via an endpoint protection profile for Microsoft Defender Antivirus. Option C is wrong because security baselines include some settings, but tamper protection is specifically in endpoint protection. Option A is wrong because device configuration profiles do not include tamper protection.

Option D is wrong because compliance policies do not enforce settings.

561
MCQmedium

Refer to the exhibit. You run this PowerShell command using the Microsoft Graph PowerShell SDK. What is the primary purpose of this command?

A.To list only non-compliant Windows devices.
B.To retrieve all managed devices regardless of operating system.
C.To enforce compliance on Windows devices.
D.To retrieve a list of all Windows managed devices with their compliance status.
AnswerD

Correct. The command selects complianceState for Windows devices.

Why this answer

The PowerShell command uses `Get-MgDeviceManagementManagedDevice` with a filter for `operatingSystem eq 'Windows'` and selects properties including `complianceState`. This retrieves all Windows managed devices and their compliance status, making option D correct. The command does not filter by compliance state, so it returns both compliant and non-compliant devices, and it does not enforce any compliance action.

Exam trap

The trap here is that candidates may assume the command only returns non-compliant devices because complianceState is selected, but the filter does not restrict by compliance value—it merely includes that property in the output.

How to eliminate wrong answers

Option A is wrong because the command does not filter by complianceState; it retrieves all Windows devices, not just non-compliant ones. Option B is wrong because the filter `operatingSystem eq 'Windows'` explicitly limits results to Windows devices, not all managed devices regardless of operating system. Option C is wrong because the command is a read-only GET operation that retrieves device data; it does not perform any enforcement or remediation actions on compliance.

562
MCQeasy

Your organization uses Microsoft Intune to manage macOS devices. You need to ensure that all devices have FileVault disk encryption enabled. Which configuration profile type should you use?

A.Custom
B.Endpoint protection
C.Device restrictions
D.Device features
AnswerB

Endpoint protection includes FileVault settings for macOS.

Why this answer

Option B is correct because 'Endpoint protection' for macOS includes FileVault settings. Option D is wrong because 'Device features' includes settings like wallpaper and lock screen. Option C is wrong because 'Device restrictions' includes general settings, not encryption.

Option A is wrong because 'Custom' is not the standard method.

563
MCQmedium

Refer to the exhibit. An Intune administrator created this device restrictions policy for Windows 10 devices. Which statement about the policy is true?

A.The policy will block access to the Microsoft Store and Cortana.
B.The policy will apply only to the primary user of the device.
C.The policy will prevent users from installing apps from outside the Microsoft Store.
D.The policy will block the camera on all devices.
AnswerA

Both Store and Cortana are set to Block.

Why this answer

Option A is correct because the policy includes settings that block the Microsoft Store and Cortana. Option D is wrong because the policy does not block the camera; it allows it. Option B is wrong because the policy applies to all users on the device, not only the primary user.

Option C is wrong because the policy does not affect app installation from other sources.

564
MCQhard

Your organization uses Microsoft Intune to manage iOS/iPadOS devices. You have deployed a device configuration profile that configures the device's email settings for the native Mail app. Recently, the organization decided to switch to Microsoft Outlook for iOS as the primary email client. You need to ensure that users can only use Outlook for accessing corporate email, and that the native Mail app is blocked from accessing corporate data. Which combination of Intune policies should you implement?

A.Create an App Protection Policy (MAM) that restricts the transfer of corporate data to other apps and a Device Configuration Profile that sets the default mail app to Outlook.
B.Create a device compliance policy that requires the device to have Outlook installed.
C.Use device enrollment restrictions to block devices that have the native Mail app installed.
D.Create a conditional access policy for Exchange Online that blocks the native Mail app and allows only Outlook.
AnswerA

MAM policy can block data transfer to native Mail, and configuration profile sets default app.

Why this answer

Option A is correct because an App Protection Policy can block the native Mail app from opening corporate data, and a Device Configuration Profile can set the default mail app to Outlook. Option B is incorrect because a compliance policy alone does not block the native Mail app. Option D is incorrect because conditional access can block the native Mail app from accessing Exchange Online, but it does not set Outlook as the default.

Option C is incorrect because device enrollment restrictions do not control app usage.

565
Multi-Selecthard

Which THREE factors can cause a required app deployment to fail on a Windows 10 device managed by Intune? (Choose three.)

Select 3 answers
A.The device has an app update policy that blocks updates.
B.The device is not connected to the internet.
C.The user is not assigned to the app.
D.The device does not meet the app's requirement rules.
E.The app's dependency is not installed.
AnswersB, D, E

Internet connectivity is required to download the app.

Why this answer

App deployment can fail for several reasons: if the device lacks connectivity to Intune (B), if the device does not meet the app's requirement rules (D), or if the app's dependency is not installed (E). Option C is wrong because the user not being assigned does not affect a required app deployment; the device itself must be targeted. Option A is wrong because app updates are not blocked by policies; they are configured by the admin.

566
MCQeasy

Your organization is deploying Windows devices using Windows Autopilot. You need to ensure that devices are automatically enrolled in Microsoft Intune when they are first powered on. What should you configure?

A.Join the device to Azure AD hybrid by configuring a domain join profile.
B.Create an Autopilot deployment profile with 'Assign to' set to 'All devices' and ensure the device is registered in Autopilot.
C.Configure the Enrollment Status Page (ESP) to require device enrollment.
D.Manually add the device serial number to Intune via the admin center.
AnswerB

This automatically enrolls the device in Intune during OOBE.

Why this answer

Option B is correct because an Autopilot deployment profile assigned to a device that is registered in Autopilot triggers Intune enrollment during OOBE; the Enrollment Status Page (ESP) is not required for enrollment. Option C is incorrect because the ESP is a separate configuration. Option A is incorrect because Azure AD hybrid join is not required for Autopilot.

Option D is incorrect because for new devices the Autopilot profile triggers enrollment; manually adding serial numbers does not.

567
MCQhard

An administrator is configuring Microsoft Entra ID Protection. They want to create a policy that automatically blocks sign-ins when the risk level is high. However, they notice that the policy is not triggering for some users who have high risk. What is the most likely reason?

A.The sign-in risk policy is overriding the user risk policy.
B.The users have MFA enabled, so they are exempt from risk policies.
C.The user risk policy is set to 'Report-only' mode instead of 'On'.
D.The policy is configured to apply only to a test group, and the affected users are not members.
AnswerC

Report-only mode only logs, does not block.

Why this answer

Option C is correct because when a user risk policy is set to 'Report-only' mode, it evaluates risk and generates reports but does not enforce any actions such as blocking sign-ins. For automatic blocking to occur, the policy must be set to 'On' (enabled). The administrator likely configured the policy correctly in terms of risk level but overlooked the enforcement mode, which is a common misconfiguration in Microsoft Entra ID Protection.

Exam trap

The trap here is that candidates often assume a policy is automatically enforcing once configured with a risk level, overlooking the separate 'mode' setting that controls enforcement versus reporting-only behavior.

How to eliminate wrong answers

Option A is wrong because sign-in risk policies and user risk policies are independent; one does not override the other. They evaluate different risk types (sign-in vs. user) and can be configured separately. Option B is wrong because having MFA enabled does not exempt users from risk policies; in fact, MFA is often a remediation step, and risk policies can still block or require additional actions regardless of MFA status.

Option D is wrong because if the policy were configured to apply only to a test group and the affected users were not members, the policy would not apply at all, but the question states the policy is not triggering for some users who have high risk, implying it is applied but not enforcing—this points to a mode issue, not a scope issue.

568
MCQhard

You are the Intune administrator for a company that uses Microsoft Entra ID (Azure AD) for identity. You have a line-of-business (LOB) iOS app that is distributed via Intune using volume purchase program (VPP) tokens. The app requires a configuration policy to set the server URL. You have assigned the app as 'Required' to all users in the 'Sales' group. Some users report that the app does not show the configured server URL. You verify that the app configuration policy is assigned to the same 'Sales' group. The app installs successfully. You check the Intune console and see that the app configuration policy has a status of 'Pending' for some devices. The devices are company-owned iPhones running iOS 16. What is the most likely cause of the configuration not applying?

A.The iOS version does not support app configuration
B.The app configuration policy is not assigned to the correct group
C.The devices are not supervised
D.The app is not deployed via VPP correctly
AnswerC

App configuration policies for VPP apps require supervised mode.

Why this answer

Option C is correct. For VPP apps, app configuration policies must be assigned to the same group as the app assignment. Additionally, the configuration policy must be targeted to devices, not users, for iOS.

However, the status 'Pending' suggests the policy is not yet applied; the likely cause is that the devices are not supervised. App configuration policies for iOS require supervised devices when using VPP. Option D is wrong because the app is required and installs successfully.

Option B is wrong because the policy is assigned, but the status is pending. Option A is wrong because the iOS version is compatible.

569
Multi-Selectmedium

Your organization is deploying Windows 10 devices using Windows Autopilot. You need to ensure that during the out-of-box experience (OOBE), users are required to set up Windows Hello for Business. Which TWO configurations should you apply?

Select 2 answers
A.Configure a Windows Autopilot deployment profile to require Windows Hello for Business.
B.Enable Azure AD device registration.
C.Configure a Windows Hello for Business policy in Intune device configuration.
D.Configure a Windows Hello for Business enrollment policy in Intune.
E.Deploy a custom script that enables Windows Hello.
AnswersC, D

The policy enables Hello enrollment.

Why this answer

Options C and D are correct. Windows Hello for Business deployment requires a PIN policy and an enrollment policy to be configured. Option A is not required because Autopilot profiles do not directly enforce Hello.

Option B is a prerequisite but not sufficient alone. Option E is an alternative but not a direct configuration for OOBE.

570
MCQmedium

You are configuring Microsoft Intune for a school that provides iPads to students. You want students to be able to use their personal Apple IDs to install apps, but you need to ensure that the devices are enrolled in Intune and managed. Which Apple enrollment method should you use?

A.Apple Automated Device Enrollment (ADE) with user affinity
B.Apple Device Enrollment (ADE) with supervision and allow personal Apple IDs
C.Apple Device Enrollment (ADE) with Shared iPad mode
D.Apple User Enrollment
AnswerB

Supervised devices can allow personal Apple IDs while still being fully managed.

Why this answer

Option B is correct because Device Enrollment (via Apple Business Manager) allows supervised enrollment while still allowing personal Apple IDs if configured. Option D is wrong because User Enrollment limits management. Option C is wrong because Shared iPad mode is a shared device mode without personal Apple IDs.

Option A is wrong because ADE is the same as Device Enrollment, but the key is allowing personal Apple IDs.

571
MCQeasy

A company uses Microsoft Intune to manage Windows 10 devices. They need to deploy Microsoft 365 Apps for enterprise to 500 devices. The devices are in a hybrid Azure AD joined configuration. The administrator wants to use Intune to deploy the apps. Which deployment method should the administrator use?

A.Use the Office Deployment Tool (ODT) to create a configuration file and deploy via Intune as a Win32 app.
B.Use Group Policy to deploy the Office 2019 suite.
C.Add a 'Microsoft 365 Apps for Windows 10 and later' app in Intune and assign it to the devices.
D.Upload the Office installation files as a line-of-business (LOB) app.
AnswerC

This is the recommended method for deploying Microsoft 365 Apps via Intune.

Why this answer

Option C is correct because Intune provides a built-in 'Microsoft 365 Apps for Windows 10 and later' app type that is specifically designed to deploy and manage Microsoft 365 Apps for enterprise. This method uses Intune's native integration with the Office Content Delivery Network (CDN) to download and install the latest version of Office, and it supports hybrid Azure AD joined devices without requiring additional tools or configuration files.

Exam trap

The trap here is that candidates often overcomplicate the solution by choosing the Office Deployment Tool (Option A) because they think it provides more control, but they miss that Intune's native 'Microsoft 365 Apps' app type is the simplest and most appropriate method for standard deployments, especially when no custom XML configuration is required.

How to eliminate wrong answers

Option A is wrong because while the Office Deployment Tool (ODT) can be used to create a configuration file, deploying it as a Win32 app is unnecessarily complex and bypasses Intune's native Office app management capabilities, which provide automatic updates and simplified assignment. Option B is wrong because Group Policy is not an Intune deployment method; it relies on on-premises Active Directory and does not integrate with Intune for cloud-managed device deployment. Option D is wrong because uploading Office installation files as a line-of-business (LOB) app is intended for single-file or simple app packages, not for the multi-component, dynamically updated Microsoft 365 Apps suite, and it would require manual updates and lack the built-in configuration options.

572
Multi-Selectmedium

A company manages devices with Microsoft Intune. They need to deploy a line-of-business (LOB) app to iOS devices. Which TWO of the following are required?

Select 2 answers
A.The app package must be in .ipa format
B.The app must have a unique bundle ID
C.The deployment must use 'Required' installation purpose
D.The app must be assigned to a user group only
E.Apple MDM push certificate must be configured
AnswersA, B

iOS LOB apps require .ipa format.

Why this answer

Options A and B are correct. The app file must be an .ipa file, and the bundle ID must be unique. Option D is wrong because the app can be assigned to users or devices, not necessarily user groups only.

Option C is wrong because the app can be available or required. Option E is wrong because an Apple MDM push certificate is required for iOS management in general, not specifically for LOB app deployment.

573
MCQmedium

You are planning to enroll macOS devices in Intune. Users must authenticate with their Microsoft Entra ID credentials and then be prompted to install the Company Portal app. Which enrollment method should you use?

A.User enrollment
B.Device enrollment (without user affinity)
C.Bring your own device (BYOD) enrollment
D.Automated device enrollment (with user affinity)
AnswerD

This uses Apple Business Manager and prompts for Microsoft Entra ID credentials.

Why this answer

Automated device enrollment (with user affinity) is correct because it uses Apple's Automated Device Enrollment (ADE) to supervise the device, enforce user authentication with Microsoft Entra ID, and automatically install the Company Portal app during setup. This method ensures the device is enrolled in Intune with a user context, which is required for the user to authenticate and receive the Company Portal prompt.

Exam trap

The trap here is that candidates often confuse 'Automated device enrollment' with 'Device enrollment (without user affinity)', mistakenly thinking that any automated enrollment method will prompt for user authentication and app installation, but without user affinity, the device is enrolled as a shared device with no user context.

How to eliminate wrong answers

Option A is wrong because User enrollment is designed for personally owned devices and does not support automated installation of the Company Portal app during setup; it requires manual installation and does not enforce supervision. Option B is wrong because Device enrollment (without user affinity) enrolls the device without a specific user, so users cannot authenticate with their Entra ID credentials, and the Company Portal app is not automatically installed. Option C is wrong because Bring your own device (BYOD) enrollment typically uses User enrollment or manual enrollment methods, not automated device enrollment, and does not guarantee the Company Portal app is installed automatically during the setup process.

574
MCQmedium

Your organization uses Microsoft Intune to manage Windows 10 and iOS devices. You need to deploy a certificate-based authentication solution for Wi-Fi and VPN access. You have set up a Certificate Connector for Microsoft Intune and issued a root CA certificate. You have created a trusted certificate profile for the root CA and a SCEP certificate profile for client certificates. However, iOS devices are failing to enroll for client certificates. You verify that the SCEP profile is correctly configured and assigned. What is the most likely cause?

A.The Certificate Connector is not configured to support iOS devices.
B.iOS devices require user affinity for SCEP enrollment, which is not configured.
C.The SCEP profile does not reference the trusted certificate profile for the root CA, or the trusted certificate profile is not assigned to iOS devices.
D.The iOS devices are not compliant with the compliance policy.
AnswerC

The SCEP profile must reference the root CA certificate profile, and both must be assigned.

Why this answer

Option C is correct because iOS devices require a trusted certificate profile for the root CA to be deployed before the SCEP profile, and the SCEP profile must reference that trusted certificate. If the reference is missing or incorrect, the SCEP enrollment will fail. Option A is incorrect because the NDES server is not required for Intune certificate deployment.

Option D is incorrect because device compliance is not a prerequisite for certificate enrollment. Option B is incorrect because iOS devices can use SCEP without a user affinity requirement.

575
MCQeasy

A company uses Microsoft Intune to manage devices. They need to report on which devices have a specific Windows update installed. Which reporting method should be used?

A.Use the Microsoft Intune admin center to view the Windows Update for Business report
B.Use Microsoft 365 Lighthouse
C.Use the Device compliance report in Intune
D.Use Microsoft Defender for Endpoint's advanced hunting
AnswerA

The Windows Update for Business report in Intune shows update status per device.

Why this answer

Option A is correct because the built-in Windows Update for Business reports in Intune show update status per device, including whether a specific update is installed. Option C is wrong because the device compliance report shows compliance state, not which individual update is installed. Option B is wrong because Microsoft 365 Lighthouse is a separate multi-tenant management service, not the per-device update report.

Option D is wrong because Microsoft Defender for Endpoint is for security, not update reporting.

576
MCQmedium

You deploy a Windows 11 kiosk device using Intune. The kiosk should run a single app (Microsoft Edge). After assignment, the device starts but shows a blank screen. What is the most likely issue?

A.The kiosk profile is not correctly assigned.
B.The device is not assigned to a user.
C.The AUMID for Microsoft Edge is not specified.
D.The device is not running Windows 10/11 Enterprise.
AnswerC

Required for single-app kiosk.

Why this answer

Option C is correct because for a single-app kiosk you must specify the AUMID of the app; Edge's AUMID is required. Option B is wrong because the issue is not about user accounts. Option A is wrong because the kiosk profile is configured.

Option D is wrong because the kiosk mode does not require Windows 10/11 Enterprise specifically.

577
MCQeasy

You manage a fleet of Android Enterprise devices. You need to ensure that only approved apps from the managed Play Store can be installed. What configuration should you enable?

A.Set the device to 'Fully managed' and disable unknown sources.
B.Deploy an app configuration policy that blocks sideloading.
C.Configure a device restriction policy to allow only managed Google Play apps.
D.Use a compliance policy to block non-compliant apps.
AnswerC

This policy enforces that only apps from the managed Play Store can be installed.

Why this answer

Option C is correct because a device restriction policy in Microsoft Intune allows you to restrict app installation to only the managed Google Play store. By configuring the 'Allow only managed Google Play apps' setting, you ensure that users cannot install apps from unapproved sources, effectively controlling the app ecosystem on Android Enterprise devices.

Exam trap

The trap here is that candidates often confuse reactive compliance policies (which detect non-compliant apps after installation) with proactive device restriction policies (which prevent installation entirely), leading them to choose Option D instead of the correct proactive setting.

How to eliminate wrong answers

Option A is wrong because setting the device to 'Fully managed' and disabling unknown sources does not restrict installations to only managed Google Play apps; it only prevents sideloading from unknown sources, but users could still install apps from the public Play Store. Option B is wrong because an app configuration policy is used to configure app-specific settings (e.g., account credentials or permissions), not to block sideloading or restrict app sources; blocking sideloading is a device restriction. Option D is wrong because a compliance policy can mark devices as non-compliant if non-approved apps are detected, but it does not prevent installation of those apps in the first place; it only reacts after the fact.

578
MCQeasy

Your organization uses Microsoft Intune to manage Windows 10 devices. You need to deploy a security baseline that enforces BitLocker encryption and Windows Defender Antivirus settings. What is the recommended approach?

A.Create a custom configuration profile using Configuration Manager.
B.Deploy a PowerShell script via Intune to configure the settings.
C.Use the built-in Windows 10 security baseline in Intune.
D.Apply Group Policy Objects from on-premises Active Directory.
AnswerC

Security baselines are pre-configured policy templates.

Why this answer

Option C is correct because Microsoft Intune provides pre-built security baselines for Windows 10 that can be customized. Option A is wrong because Configuration Manager is on-premises and not the modern approach. Option D is wrong because Group Policy is not managed via Intune.

Option B is wrong because PowerShell scripts are not a baseline but can be used for custom configurations.

579
MCQeasy

A company uses Microsoft Intune to manage macOS devices. They need to enforce FileVault encryption on all Macs. What should they configure?

A.An endpoint security policy for disk encryption.
B.A device configuration profile with FileVault settings.
C.A device compliance policy that requires FileVault.
D.An app protection policy.
AnswerB

Device configuration profiles can enforce FileVault on macOS.

Why this answer

FileVault encryption is enforced through a device configuration profile on macOS. Option C is incorrect because compliance policies do not enforce encryption; they check it. Option A is incorrect because endpoint security policies include disk encryption, but FileVault is a macOS-specific setting best configured via device configuration.

Option D is incorrect because app protection policies do not manage device encryption.

580
MCQeasy

A company uses Windows Autopilot for user-driven deployments. They want to ensure that during the out-of-box experience (OOBE), users are required to sign in with their Azure AD credentials and the device is automatically enrolled in Intune. Which Autopilot deployment profile setting should be configured?

A.Set 'Deployment mode' to 'Self-Deploying' and 'Join to Azure AD as' to 'Azure AD joined'.
B.Set 'Deployment mode' to 'User-Driven' and 'Join to Azure AD as' to 'Hybrid Azure AD joined'.
C.Set 'Deployment mode' to 'White Glove' and 'Join to Azure AD as' to 'Azure AD joined'.
D.Set 'Deployment mode' to 'User-Driven' and 'Join to Azure AD as' to 'Azure AD joined'.
AnswerD

This requires user sign-in and enrolls the device in Intune.

Why this answer

Option D is correct because the scenario requires a user-driven deployment where the user signs in with Azure AD credentials during OOBE, and the device is automatically enrolled in Intune. Setting 'Deployment mode' to 'User-Driven' ensures the user authenticates during OOBE, and 'Join to Azure AD as' to 'Azure AD joined' makes the device Azure AD-joined, which triggers automatic Intune enrollment via the MDM enrollment authority configured in Azure AD.

Exam trap

The trap here is that candidates often confuse 'Self-Deploying' with 'User-Driven' because both can result in Azure AD join and Intune enrollment, but 'Self-Deploying' does not require user sign-in during OOBE, which is explicitly required in the question.

How to eliminate wrong answers

Option A is wrong because 'Self-Deploying' mode does not require user sign-in during OOBE; it uses a device token for automatic enrollment, which contradicts the requirement for user Azure AD credentials. Option B is wrong because 'Hybrid Azure AD joined' requires the device to be joined to an on-premises Active Directory and then registered with Azure AD, which is not the scenario described and does not rely solely on Azure AD credentials during OOBE. Option C is wrong because 'White Glove' (now called 'Pre-Provisioning') is a technician-driven process that pre-provisions the device before the user receives it, and the user still signs in later, but the question specifies that users sign in during OOBE, not that a technician pre-provisions.

581
MCQeasy

An organization wants to enforce encryption on all Windows 10/11 devices using Intune. Which policy type should they use?

A.Device compliance policy
B.App protection policy
C.Device configuration profile (settings catalog)
D.Endpoint security disk encryption policy
AnswerD

This policy is designed to enforce BitLocker settings.

Why this answer

Option D is correct: Endpoint security disk encryption policy in Intune manages BitLocker settings. Option A (Device compliance policy) checks encryption status but doesn't enforce it. Option C (Device configuration profile) can include some encryption settings, but the dedicated endpoint security policy is recommended.

Option B (App protection policy) manages data protection at the app level, not device encryption.

582
MCQhard

Your company has a Microsoft Intune environment with Windows devices. You need to deploy a Microsoft 365 Apps update using the Semi-Annual Enterprise Channel. You have configured the update channel in an Intune administrative template. However, devices are not receiving the updates. What is the most likely cause?

A.The administrative template does not configure the update channel; you must use the Office Deployment Tool.
B.Devices are not configured for Windows Update for Business.
C.Devices need to be in the Semi-Annual Channel (Targeted) to receive updates.
D.The Semi-Annual Enterprise Channel is not supported for Microsoft 365 Apps.
AnswerA

Intune requires ODT for update channel configuration.

Why this answer

Option A is correct because when you configure the update channel for Microsoft 365 Apps via an Intune administrative template (ADMX), the setting is applied as a Group Policy preference but does not actually trigger the update mechanism. Microsoft 365 Apps updates require the Office Deployment Tool (ODT) or the Office CDN to deliver the correct channel bits. The administrative template only sets the registry key for the channel; without the ODT or a corresponding update policy, devices remain on their current channel and do not receive new updates.

Exam trap

The trap here is that candidates assume configuring the update channel via an administrative template is sufficient to change the channel and trigger updates, when in fact the template only sets a registry value and does not initiate the actual update process.

How to eliminate wrong answers

Option B is wrong because Windows Update for Business (WUfB) is not required for Microsoft 365 Apps updates; these updates are delivered independently via the Office Content Delivery Network (CDN) and managed through Office-specific policies, not Windows Update. Option C is wrong because the Semi-Annual Channel (Targeted) is a separate channel that receives updates earlier, but the Semi-Annual Enterprise Channel is a valid, supported channel; the issue is not about targeting but about the deployment mechanism. Option D is wrong because the Semi-Annual Enterprise Channel is fully supported for Microsoft 365 Apps; it is one of the standard update channels designed for enterprise environments.

583
Multi-Selectmedium

You are an enterprise administrator for Contoso Ltd. You need to configure Microsoft 365 tenant-wide settings for external collaboration. Which TWO actions should you take to meet the following goals: (1) allow only specific external domains to collaborate with your organization, and (2) ensure that external users are required to sign in with multi-factor authentication (MFA) before accessing shared resources?

Select 2 answers
A.Disable external sharing in the Microsoft 365 admin center for all workloads.
B.Configure the SharePoint and OneDrive domain allowlist to include only the approved external domains.
C.Configure the SharePoint and OneDrive domain blocklist to exclude all external domains except the approved ones.
D.Create a Conditional Access policy in Azure AD that requires MFA for all external users accessing your tenant.
E.Enable B2B direct connect in the cross-tenant access settings for the approved external domains.
AnswersB, D

This restricts sharing to only the domains in the allowlist, meeting goal 1.

Why this answer

Option B is correct because configuring the SharePoint and OneDrive domain allowlist restricts external sharing to only the approved external domains, meeting the first goal. Option D is correct because a Conditional Access policy in Azure AD can require MFA for all external users, satisfying the second goal by enforcing authentication requirements before access to shared resources.

Exam trap

The trap here is that candidates often confuse domain allowlists with blocklists, or assume that B2B direct connect settings (which manage cross-tenant access for Teams) can enforce MFA, when in fact only Conditional Access policies provide that control for external users accessing shared resources.

584
Multi-Selecthard

Which THREE components are required for a successful Windows Autopilot deployment with user-driven Microsoft Entra ID join? (Select three.)

Select 3 answers
A.Enrollment Status Page (ESP) configuration.
B.Device registration in the Autopilot service using hardware hash.
C.On-premises Active Directory domain join.
D.Windows Autopilot deployment profile in Intune.
E.Microsoft Configuration Manager co-management.
AnswersA, B, D

ESP ensures the device is fully configured before user login.

Why this answer

The Enrollment Status Page (ESP) configuration is required because it provides visibility into the provisioning process and enforces device compliance before the user can access the desktop. In a user-driven Microsoft Entra ID join Autopilot deployment, the ESP ensures that required policies, apps, and certificates are installed, preventing users from bypassing critical setup steps. Without ESP, users might gain early access to an incompletely configured device, leading to support issues.

Exam trap

The trap here is that candidates often confuse the optional Enrollment Status Page with a mandatory component, or they mistakenly believe on-premises Active Directory join is required for user-driven Autopilot, when in fact Microsoft Entra ID join is a separate, cloud-native identity option.

585
MCQhard

Contoso Ltd. is a financial services company with 2,000 users. They use Microsoft Intune to manage Windows 10 devices. The company has a strict security policy that requires all devices to have a specific set of security applications installed: an antivirus (AV) app, a disk encryption app, and a VPN client. These apps are all line-of-business (LOB) Win32 apps packaged as .intunewin files. The administrator created a Win32 app for each and assigned them as 'Required' to all devices. After the deployment, the administrator notices that the apps are not installing on approximately 10% of devices. The devices are online and have connectivity. The Intune Management Extension is running. When the administrator checks the Intune Management Extension logs on a failing device, they see the following error: 'Failed to download content. Error: 0x80070002 - The system cannot find the file specified.' What is the most likely cause?

A.The content for the Win32 app was not uploaded correctly or is missing from Intune.
B.The Intune Management Extension does not have permission to install apps on those devices.
C.The user is not logged in, so the app cannot be installed.
D.The app detection rules do not match the installed version.
AnswerA

The error indicates the file cannot be found, suggesting the content is missing.

Why this answer

The error 0x80070002 ('The system cannot find the file specified') in the Intune Management Extension logs indicates that the client is attempting to download the Win32 app content from Intune, but the content blob is missing or inaccessible. This typically occurs when the .intunewin file was not uploaded correctly, the upload was interrupted, or the content was deleted from Intune after assignment. Since the extension is running and connectivity is confirmed, the issue is server-side content availability, not client-side permissions or detection logic.

Exam trap

The trap here is that candidates often confuse a download failure with a detection rule mismatch or permission issue, but the specific error code 0x80070002 points directly to missing content on the server side, not client-side configuration problems.

How to eliminate wrong answers

Option B is wrong because the Intune Management Extension runs as SYSTEM and does not require additional permissions to install apps; a permission issue would manifest as an access denied error, not a 'file not found' error. Option C is wrong because Win32 apps assigned as 'Required' install in the system context regardless of user login state; user presence is irrelevant for system-context installations. Option D is wrong because detection rules only affect whether the app is considered installed after the download and installation attempt; they do not cause a download failure with error 0x80070002, which occurs before any detection logic runs.

586
MCQeasy

You need to enable users to install company apps from a private store on their iOS devices. Which Microsoft Intune feature should you use?

A.Volume Purchase Program (VPP)
B.Mobile Application Management (MAM) policies
C.Certificate profiles
D.Company Portal app
AnswerA

VPP enables distribution of licensed apps to devices.

Why this answer

Volume Purchase Program (VPP) allows distribution of purchased apps. Option A is correct. Option D is wrong because Company Portal is the client, not the feature.

Option B is wrong because MAM policies are for data protection. Option C is wrong because certificate profiles are for authentication.

587
MCQeasy

Your organization uses Microsoft Intune to manage Android enterprise devices. You need to ensure that only approved apps from the managed Google Play store can be installed on work profiles. Which configuration should you use?

A.Configure a device compliance policy that requires 'Allow installation from unknown sources' to be disabled
B.Use a conditional access policy to block unapproved apps
C.Create an app configuration policy that blocks side-loading
D.Assign a device restriction policy that sets 'Allow all apps' to false
AnswerA

Disabling unknown sources restricts installation to managed Google Play.

Why this answer

For Android enterprise with work profiles, you can allow users to install apps only from managed Google Play by configuring the device restriction policy. Option B is correct.

588
MCQeasy

You need to ensure that Windows 10 devices automatically enroll in Intune when they join Microsoft Entra ID. Which setting should you configure?

A.Compliance policies in Intune
B.MDM user scope in Microsoft Entra ID
C.Co-management slider in Configuration Manager
D.Enrollment device platform restrictions in Intune
AnswerB

This sets the scope of users who will auto-enroll their devices.

Why this answer

Option B is correct because the MDM user scope setting in Microsoft Entra ID (formerly Azure AD) controls which users can automatically enroll their Windows 10 devices into Intune when they join Entra ID. When set to 'All' or 'Some', the device triggers automatic MDM enrollment during the Entra ID join process using the MDM enrollment protocol (MS-MDE), eliminating the need for manual enrollment steps.

Exam trap

The trap here is that candidates often confuse the MDM user scope (which controls the automatic enrollment trigger) with enrollment restrictions or compliance policies, which only apply after the enrollment process has already started.

How to eliminate wrong answers

Option A is wrong because compliance policies in Intune evaluate device compliance after enrollment, not trigger or configure automatic enrollment. Option C is wrong because the co-management slider in Configuration Manager controls workload distribution between ConfigMgr and Intune for already-managed devices, not the initial automatic enrollment of Windows 10 into Intune during Entra ID join. Option D is wrong because enrollment device platform restrictions in Intune block or allow enrollment based on platform or version after the enrollment attempt is initiated, but do not enable or configure the automatic enrollment trigger itself.

589
MCQhard

Your organization uses Microsoft Defender for Endpoint (Defender XDR) and Intune. You need to ensure that when a device is found to have a critical vulnerability, a remediation action is automatically triggered. Which integration should you configure?

A.Configure a Microsoft Sentinel playbook.
B.Configure a Microsoft Foundry AI model.
C.Configure a Microsoft Purview data loss prevention policy.
D.Configure the integration between Microsoft Defender for Endpoint and Microsoft Intune.
AnswerD

This integration allows automatic remediation actions like isolating devices.

Why this answer

Option D is correct because Defender for Endpoint can integrate with Intune to trigger remediation actions. Option A is wrong because Microsoft Sentinel is for SIEM, not automatic remediation. Option C is wrong because Microsoft Purview focuses on compliance.

Option B is wrong because Microsoft Foundry is an AI platform.

590
MCQhard

You are deploying a Win32 app that requires administrator privileges to install. The app runs on Windows 11 devices. How should you configure the app in Intune to ensure it installs with elevated privileges?

A.Set the app install behavior to 'System'.
B.Set the app to run in user context.
C.Use a PowerShell script to run the installer.
D.Configure a detection rule to check for admin rights.
AnswerA

System context runs the installer with elevated privileges.

Why this answer

Win32 apps can be configured to run in system context. Option A is correct. Option B is wrong because user context would fail if admin rights are required.

Option D is wrong because detection rules are for installation detection. Option C is wrong because PowerShell scripts can be used, but the app itself should be configured to run as system.

591
MCQhard

You are designing a device management strategy for a hybrid environment with on-premises Active Directory and Microsoft Entra ID. You need to ensure that devices are managed by Intune and can access on-premises resources. Which approach should you recommend?

A.Hybrid Azure AD join
B.Entra ID registered with on-premises domain join
C.Windows Autopilot self-deploying mode
D.Entra ID joined with VPN to on-premises
AnswerA

Hybrid Azure AD join allows devices to be joined to both on-premises AD and Entra ID, enabling Intune management and on-premises resource access.

Why this answer

Hybrid Azure AD join is the correct approach because it allows devices that are joined to on-premises Active Directory to also register with Microsoft Entra ID, enabling Intune management while maintaining access to on-premises resources via Kerberos/NTLM authentication. This configuration synchronizes the device object from AD to Entra ID using Azure AD Connect, creating a device identity that can be managed by Intune and can authenticate against both cloud and on-premises services without requiring a VPN.

Exam trap

The trap here is that candidates often confuse 'Entra ID registered' with 'Hybrid Azure AD join' because both involve Entra ID, but only Hybrid Azure AD join provides the on-premises domain join required for seamless resource access without a VPN.

How to eliminate wrong answers

Option B is wrong because Entra ID registered devices are only workplace-joined (personal or BYOD) and do not have a computer object in on-premises AD, so they cannot authenticate to on-premises resources using domain credentials or access domain-joined file shares without additional configuration. Option C is wrong because Windows Autopilot self-deploying mode is designed for kiosk or shared devices that are Entra ID joined only, not hybrid joined, and thus cannot natively access on-premises resources without a VPN or other connectivity solution. Option D is wrong because Entra ID joined devices with a VPN can access on-premises resources, but they are not domain-joined and therefore cannot use Kerberos authentication to on-premises AD; they rely on VPN connectivity and typically require additional solutions like Microsoft Entra application proxy or Always On VPN for seamless resource access, making it less integrated than Hybrid Azure AD join.

592
MCQmedium

You manage devices with Microsoft Intune. Users report that enrollment fails on Android Enterprise personally-owned work profiles. After reviewing enrollment restrictions, you verify that Android Enterprise is allowed. What should you check next?

A.Confirm that the Intune Service to Service Connector is configured.
B.Verify that the Company Portal app is installed and updated on the device.
C.Check that the enrollment token has not expired.
D.Ensure Device Administrator enrollment is enabled.
AnswerB

The Company Portal app is required for Android Enterprise work profile enrollment.

Why this answer

Option B is correct because Android enrollment often requires the Company Portal app to be installed from Google Play. If the device has Google Play Services disabled or the app is missing, enrollment fails. Option D is wrong because the issue is specific to work profiles, not device administrator.

Option C is wrong because the enrollment token is for Android Enterprise dedicated devices, not personally-owned work profiles. Option A is wrong because the Intune Service to Service Connector is not relevant to this enrollment type.

593
MCQmedium

Your organization uses Microsoft Intune to manage Windows 10 devices. You create a device configuration profile for kiosk mode. The profile is assigned to a device group. After syncing, the device does not enter kiosk mode. What should you check first?

A.Ensure the device is running Windows 10 Enterprise.
B.Run the Policy Manager tool on the device.
C.Verify the device is a member of the assigned device group.
D.Check the device's notification area for a policy update prompt.
AnswerC

If the device is not in the group, the policy won't apply. This is the first troubleshooting step.

Why this answer

Option C is correct because the most common issue is that the assigned user or device group does not contain the target device. Option A is wrong because kiosk mode does not require a specific Windows edition; it works on Pro and Enterprise. Option B is wrong because Policy Manager is not a real Intune feature.

Option D is wrong because notification is not required for kiosk mode to apply.

594
Matchingmedium

Match each Microsoft 365 Apps update channel to its description.


Concepts
Matches

Monthly updates with new features first

Monthly security and quality updates

Updates twice a year (January and July)

Early access to upcoming features

Insider builds for testing

Why these pairings

Update channels control how Microsoft 365 Apps are updated, relevant for MD-102.

595
MCQeasy

Your organization uses Microsoft Intune to manage iOS devices. You need to ensure that corporate data in Microsoft Outlook is protected even if the device is not enrolled in MDM. Which policy should you deploy?

A.Device compliance policy
B.Device configuration profile
C.Conditional Access policy
D.App protection policy (MAM)
AnswerD

MAM policies protect app data without device enrollment.

Why this answer

Option D is correct. App protection policies (MAM) protect data in apps without requiring device enrollment. Option C is for MDM.

Option A is for compliance. Option B is for device configuration.

596
MCQeasy

You are deploying Windows 10 devices using Autopilot. You need to ensure that during the out-of-box experience (OOBE), users are blocked from bypassing the sign-in screen by clicking 'Skip for now'. Which setting should you configure in the Enrollment Status Page (ESP) profile?

A.Block user from signing in automatically
B.Block Windows Setup page
C.Require device compliance
D.Block device setup failure
AnswerA

This setting forces users to sign in with their Microsoft account during OOBE.

Why this answer

The correct answer is B because the ESP profile can block device setup failure and force sign-in. Option A is wrong because blocking local installation is not directly related. Option C is wrong because blocking Windows Setup is not an ESP setting.

Option D is wrong because requiring compliance is separate from OOBE sign-in.

597
MCQeasy

You are managing Windows 10 devices with Intune. You need to deploy a PowerShell script that runs under the system context during device enrollment. Which approach should you use?

A.Deploy the script as a proactive remediation.
B.Use a device compliance policy to trigger the script.
C.Create a custom configuration profile to run the script.
D.Upload the script as a PowerShell script in Intune and assign it to the device group.
AnswerD

Intune PowerShell scripts can run in system context and execute during enrollment.

Why this answer

Option D is correct because Intune's 'PowerShell scripts' feature allows you to upload and assign scripts that run under the system context during device enrollment, specifically targeting devices in a group. This is the only native Intune method that executes scripts in the system context at enrollment time without additional configuration.

Exam trap

The trap here is that candidates confuse the 'PowerShell scripts' feature with proactive remediations or custom configuration profiles, not realizing that only the dedicated PowerShell script deployment runs under the system context during enrollment.

How to eliminate wrong answers

Option A is wrong because proactive remediations run on a schedule or on detection, not during device enrollment, and they require the Intune Management Extension to be already installed. Option B is wrong because device compliance policies evaluate device settings and trigger non-compliance actions, but they cannot execute arbitrary PowerShell scripts during enrollment. Option C is wrong because custom configuration profiles use CSPs (Configuration Service Providers) to configure settings, not to run arbitrary PowerShell scripts; they lack a mechanism to execute script files.

598
MCQmedium

Your organization has Windows 10 devices managed by Intune. You need to enforce BitLocker encryption on all devices. The devices must use a TPM protector and a recovery password. What should you configure?

A.Compliance policy for Windows 10
B.Endpoint security > Disk encryption policy
C.Windows Update for Business policy
D.Device configuration profile for Windows 10
AnswerB

Endpoint security > Disk encryption policy in Intune allows configuring BitLocker settings, including TPM protector and recovery password.

Why this answer

To enforce BitLocker encryption with a TPM protector and recovery password on Windows 10 devices managed by Intune, you must configure an Endpoint security > Disk encryption policy. This policy type specifically targets BitLocker settings, including TPM and recovery password requirements, and is designed to enforce encryption at the device level through the Intune MDM channel.

Exam trap

The trap here is that candidates often confuse Device configuration profiles (Option D) with Endpoint security policies, but Microsoft explicitly separates disk encryption into the Endpoint security node for focused management, and the exam tests this distinction.

How to eliminate wrong answers

Option A is wrong because Compliance policy for Windows 10 evaluates device compliance after encryption is applied but does not configure BitLocker settings like TPM or recovery password; it only reports on encryption status. Option C is wrong because Windows Update for Business policy controls update rings and feature updates, not disk encryption or BitLocker configuration. Option D is wrong because Device configuration profile for Windows 10 can include some BitLocker settings, but the recommended and correct method for enforcing BitLocker with specific protectors in Intune is the Endpoint security > Disk encryption policy, which provides a dedicated, streamlined interface for encryption policies.

599
MCQhard

You are deploying a line-of-business (LOB) app to iOS devices managed by Intune. The app requires a specific configuration to access internal resources. Which approach should you use to deliver the configuration?

A.Assign a custom device configuration profile
B.Create an App Configuration Policy targeting managed devices
C.Deploy an App Protection Policy
D.Use Apple Volume Purchase Program (VPP) tokens
AnswerB

App config policies deliver settings to apps.

Why this answer

Option B is correct because an App Configuration Policy for managed devices can deliver settings to LOB apps. Option D is wrong because VPP is for volume purchasing, not configuration. Option A is wrong because a custom profile might not apply to apps.

Option C is wrong because app protection policies manage data protection, not app configuration.

600
MCQhard

A user has a Windows 10 device that is enrolled in Microsoft Intune. The user reports that they cannot install a required app from the Company Portal. You check the Intune console and see that the app assignment is 'Required' but the installation status shows 'Failed'. The device is compliant. What should you check first?

A.Review the Intune management extension logs on the device.
B.Verify the device compliance policy.
C.Check the Company Portal app version.
D.Reassign the app to the user.
AnswerA

Logs will show the specific error.

Why this answer

When an app installation fails, the Intune management extension logs provide detailed error information. Checking the logs on the device is the quickest way to diagnose. Option B is incorrect because the device is compliant.

Option D is incorrect because the app is assigned. Option C is incorrect because the Company Portal is not involved for required apps.
