Microsoft 365 Endpoint Administrator MD-102 (MD-102) — Questions 601-675

991 questions total · 14 pages · All types, answers revealed

Page 9 of 14
Question 601 (MCQ, hard)

A company uses Configuration Manager to deploy Windows 11. During the deployment, several devices fail with error code 0x80070002. The administrator suspects the issue is related to missing boot images or content distribution. What should the administrator do first to resolve the issue?

A. Increase the client cache size on the affected devices.
B. Check the driver packages in the task sequence.
C. Verify that the boot image and OS image are distributed to all distribution points.
D. Recreate the task sequence with a new OS image.
Answer: C

Missing content on the distribution point causes a 'file not found' error.

Why this answer

Error code 0x80070002 translates to 'The system cannot find the file specified.' In a Configuration Manager task sequence deployment, this typically indicates that the boot image or OS image content is not available on the distribution point that the client is accessing. Verifying distribution ensures the required content is present and accessible, which is the most direct and common fix for this error.

Exam trap

The trap here is that candidates often focus on client-side issues like cache or drivers, but the error code 0x80070002 specifically points to missing or inaccessible content on the server side, making distribution verification the correct first step.

How to eliminate wrong answers

Option A is wrong because increasing client cache size does not resolve missing content on distribution points; cache size affects local storage of downloaded content, not content availability. Option B is wrong because driver packages are not the primary cause of a 'file not found' error during boot image or OS image retrieval; missing drivers would cause hardware-specific failures, not a generic 0x80070002. Option D is wrong because recreating the task sequence is unnecessary and time-consuming; the issue is content distribution, not the task sequence definition itself.

Question 602 (MCQ, medium)

Your organization uses Microsoft Intune to manage Windows 11 devices. You have a requirement to ensure that all devices have BitLocker Drive Encryption enabled with a TPM protector and a recovery key escrowed to Azure AD. Additionally, you need to configure a policy that prevents users from changing the BitLocker settings. You create a device configuration profile using the 'Endpoint Protection' template for Windows 10 and later. After deploying the policy to a test group, you notice that BitLocker is not enabled on some devices. The devices meet the hardware requirements and are Azure AD joined. What is the most likely reason for the failure, and how should you resolve it?

A. Devices are not hybrid Azure AD joined; convert them to hybrid join for the BitLocker policy to apply.
B. The policy does not specify a recovery key escrow location; configure it to escrow to Azure AD.
C. The policy is missing the 'Enable full disk encryption' setting or the encryption method is not specified; check the 'Windows Encryption' settings in the profile.
D. Devices are not co-managed with Configuration Manager; enable co-management to apply the BitLocker policy.
Answer: C

The 'Encryption method' and 'Enable full disk encryption' settings must be configured in the profile for BitLocker to be enabled.

Why this answer

Option C is correct because the 'Endpoint Protection' template for Windows 10 and later requires explicit configuration of the 'Enable full disk encryption' setting and the encryption method (e.g., XTS-AES 128-bit) under the 'Windows Encryption' section. Without these settings, the policy does not trigger BitLocker to start encryption on the device, even if other settings like TPM protector and recovery key escrow are configured. The devices are Azure AD joined and meet hardware requirements, so the missing encryption enablement is the most likely cause.

Exam trap

The trap here is that candidates assume configuring TPM protector and recovery key escrow is sufficient to enable BitLocker, but the 'Enable full disk encryption' setting is a separate mandatory toggle that must be explicitly enabled in the policy.

How to eliminate wrong answers

Option A is wrong because BitLocker policies in Intune apply to both Azure AD joined and hybrid Azure AD joined devices; hybrid join is not a prerequisite for BitLocker policy application. Option B is wrong because the question states that the policy already includes a recovery key escrow to Azure AD, so the failure is not due to a missing escrow location. Option D is wrong because co-management with Configuration Manager is not required for Intune to manage BitLocker on Windows 11 devices; Intune can apply BitLocker policies directly via the MDM channel.

Question 603 (MCQ, medium)

Refer to the exhibit. You run a PowerShell command to retrieve a managed device's details. The ComplianceState is 'compliant' but the device has not synced in 7 days. What is the most likely reason?

A. The ComplianceState reflects the last sync; the device may have changed compliance since.
B. The device is compliant but not syncing because it is turned off.
C. The device is no longer enrolled but shows compliant due to a reporting delay.
D. The compliance policy was removed after the last sync.
Answer: A

Compliance state is cached until next sync.

Why this answer

Option A is correct because compliance state is evaluated during the last sync; if the device has not synced since, the reported state may be outdated. Option B is wrong because the compliance state does not control whether the device syncs. Option C is wrong because the device is still enrolled. Option D is wrong because the policy may still apply.

Question 604 (Multi-Select, hard)

Which TWO actions should you take to ensure that devices are automatically enrolled in Microsoft Intune when users sign in with a work account on Windows 10/11?

Select 2 answers
A. Set the MDM user scope to 'All' or 'Some' in Azure AD.
B. In Intune, set the enrollment restriction to allow Windows devices.
C. Enable automatic Azure AD registration for Windows devices.
D. Enable co-management with Configuration Manager.
E. Configure the MDM discovery URL in Group Policy.
Answers: A, E

This determines which users get automatic enrollment.

Why this answer

Options A and E are correct. Option A: setting the MDM user scope in Azure AD determines which users are automatically enrolled when they join a device. Option E: configuring automatic MDM enrollment via Group Policy enables automatic enrollment on the device.

Option B is wrong because the MDM user scope that drives automatic enrollment is configured in Azure AD, not through an Intune enrollment restriction alone. Option C is wrong because enabling Azure AD registration is for BYOD, not automatic enrollment. Option D is wrong because co-management requires an existing Configuration Manager deployment.

Question 605 (MCQ, medium)

A user reports that a required app is not installing on their Android Enterprise device. The device is enrolled in Intune and shows as compliant. The app is assigned to the user. What is the most likely cause?

A. The device is not compliant with conditional access policies.
B. The user does not have the Company Portal app installed.
C. The app is not available on Managed Google Play.
D. The device does not have a work profile configured.
Answer: B

Company Portal is required for app installation on Android Enterprise.

Why this answer

If the device is enrolled but the app is not installing, the user may not have the Company Portal app. Option B is correct because the Company Portal is required for app installation. Option A is wrong because the device is compliant.

Option C is wrong because Google Play is used for store apps. Option D is wrong because work profile is already set up.

Question 606 (MCQ, easy)

You are troubleshooting a Windows 11 device that cannot connect to the corporate Wi-Fi network. The device is enrolled in Intune and has a Wi-Fi profile assigned. The profile uses SCEP certificate authentication. The user can connect to other Wi-Fi networks. What is the most likely cause?

A. The user's password has expired.
B. The root CA certificate required to validate the RADIUS server certificate is not installed on the device.
C. The Wi-Fi profile is not assigned to the user's device.
D. The device's Wi-Fi adapter driver is outdated.
Answer: B

Without the root CA, the device cannot trust the server's certificate, causing authentication failure.

Why this answer

The device can connect to other Wi-Fi networks but not the corporate one, indicating the issue is specific to the corporate network's authentication requirements. Since the profile uses SCEP certificate authentication, the device must trust the root CA that issued the RADIUS server certificate to validate the server during the EAP-TLS handshake. If the root CA certificate is missing, the client will reject the RADIUS server certificate, causing the connection to fail.

This is the most likely cause because the profile assignment and driver are not specific to this single network failure.

Exam trap

The trap here is that candidates confuse a missing root CA certificate with a missing client certificate, but the symptom of being able to connect to other networks isolates the problem to server-side certificate validation, not client-side enrollment.

How to eliminate wrong answers

Option A is wrong because password expiration is irrelevant to SCEP certificate authentication, which uses machine or user certificates, not passwords. Option C is wrong because the device is enrolled in Intune and has a Wi-Fi profile assigned, so the profile is present; if it were not assigned, the profile would not appear at all, but the user can see and attempt to connect. Option D is wrong because an outdated Wi-Fi adapter driver would affect all Wi-Fi connections, not just the corporate network, and the user can connect to other networks successfully.

Question 607 (MCQ, medium)

Your organization uses Microsoft Intune to manage Windows 11 devices. Users report that after a recent update, the Start menu layout resets to default every time they sign in. Which Intune policy setting is most likely causing this issue?

A. Import Microsoft Edge assets policy
B. Show 'Recommended' section policy
C. Allow pinned folders policy
D. Start layout policy under Device Restrictions
Answer: D

This policy can enforce a specific layout; if set to remove custom layout, it resets on sign-in.

Why this answer

The Start layout policy under Device Restrictions (D) is the most likely cause because it enforces a specific Start menu configuration on Windows 11 devices. When this policy is set to 'Enabled' and configured with a layout XML, it reapplies the layout at every user sign-in, overriding any user customizations. This behavior matches the reported issue of the Start menu resetting to default after a recent update.

Exam trap

The trap here is that candidates may confuse policies that affect individual Start menu elements (like pinned folders or the Recommended section) with the overarching Start layout policy that enforces a complete layout reset, leading them to select a partially correct but insufficient option.

How to eliminate wrong answers

Option A is wrong because the 'Import Microsoft Edge assets policy' is used to manage Edge browser assets like bookmarks and settings, not the Start menu layout. Option B is wrong because the 'Show Recommended section policy' controls the visibility of the 'Recommended' section in the Start menu, but it does not reset the entire Start menu layout to default. Option C is wrong because the 'Allow pinned folders policy' manages which folders appear in the Start menu's pinned area, but it does not cause a full layout reset on sign-in.

Question 608 (MCQ, medium)

You are configuring conditional access policies in Microsoft Entra ID to require compliant devices for access to Microsoft 365 services. Some users report that they cannot access Outlook Web App (OWA) even though their device is marked as compliant in Intune. What should you verify?

A. The conditional access policy has the grant control set to 'Require device to be marked as compliant'.
B. All users have the required Microsoft 365 license.
C. The conditional access policy includes all cloud apps.
D. The device platform condition is set to iOS and Android only.
Answer: A

Without this grant, the policy might only apply other controls like MFA, not compliance.

Why this answer

Option A is correct because the most likely cause of users being unable to access OWA despite device compliance is that the conditional access policy's grant control is not set to 'Require device to be marked as compliant'. Without this grant, the policy may apply other controls (e.g., MFA) or block access entirely, even if the device is compliant in Intune. This setting explicitly enforces that only compliant devices can access the targeted cloud apps, such as Office 365 Exchange Online.

Exam trap

The trap here is that candidates assume device compliance alone is sufficient for access, but they overlook that the conditional access policy must explicitly include the 'Require device to be marked as compliant' grant control to enforce compliance-based access.

How to eliminate wrong answers

Option B is wrong because licensing issues would prevent access to Microsoft 365 services entirely or show a license error, not specifically block OWA while the device is compliant; the scenario describes a compliance-related block, not a licensing one. Option C is wrong because including all cloud apps is not required for OWA access; the policy should target the specific app (e.g., Office 365 Exchange Online) to avoid unintended blocks on other services, and including all cloud apps could cause broader access issues unrelated to the reported symptom. Option D is wrong because restricting the device platform to iOS and Android only would block access from Windows, macOS, or other platforms, but the users are reporting issues with OWA access, and the policy should match the platforms in use; the problem is not platform-specific but rather the grant control setting.

Question 609 (MCQ, easy)

A user reports that their iOS device is not receiving email on their work account. The device is enrolled in Intune. You verify that the Exchange ActiveSync profile is assigned correctly. What should you check next?

A. Ensure the MDM authority is set to Intune.
B. Check if an app protection policy is assigned to the user.
C. Verify that the device is enrolled in device enrollment manager mode.
D. Check the device's compliance status in Intune.
Answer: D

Noncompliant devices are blocked by Conditional Access from accessing corporate email.

Why this answer

Option D is correct because if the device is marked as noncompliant (e.g., due to a noncompliant app or OS version), Conditional Access will block email access even if the profile is present. Option A is wrong because the MDM authority is typically already set correctly. Option B is wrong because an app protection policy is for MAM, not for email access through the native mail app.

Option C is wrong because enrollment mode does not affect this; if the device is compliant, the profile is applied.

Question 610 (MCQ, easy)

Your company deploys Microsoft Defender for Endpoint to Windows devices managed by Microsoft Intune. You need to ensure that all devices send diagnostic data at the 'Optional diagnostic data' level. Which configuration profile type should you use?

A. Administrative templates
B. Device restrictions
C. Endpoint protection
D. Custom
Answer: B

Device restrictions include diagnostic data settings.

Why this answer

Option B is correct because 'Device restrictions' includes the 'Diagnostic data' setting, which controls the level of diagnostic data sent to Microsoft. Option A is wrong because 'Administrative templates' are for ADMX-backed policies, and the diagnostic data setting is available in device restrictions. Option C is wrong because 'Endpoint protection' focuses on security settings like Defender Antivirus, not diagnostic data.

Option D is wrong because 'Custom' is not the simplest way.

Question 611 (MCQ, hard)

Refer to the exhibit. You apply this configuration profile to Windows 10 devices. A user reports that their device's diagnostic data level is set to 'Full' in Settings > Diagnostics & feedback. What is the most likely reason?

A. The user manually changed the setting after the policy applied.
B. Windows Defender is blocking the policy application.
C. A conflicting Group Policy object is overriding the Intune policy.
D. The policy is not assigned to the device or the device is not enrolled.
Answer: D

If the policy is not assigned, the device won't receive it.

Why this answer

Option D is correct because the exhibit shows telemetryLevel set to '1 - Basic', but the user sees 'Full', indicating the policy is not applying. The most common cause is that the device is not properly enrolled or the policy assignment is missing. Option A is wrong because even if the user changed the setting, Intune should reapply the policy.

Option B is wrong because the exhibit does not mention Windows Defender. Option C is wrong because Group Policy can override Intune only where a conflicting GPO is actually configured.

Question 612 (Multi-Select, hard)

You manage a hybrid Azure AD joined environment with Microsoft Intune. You need to migrate Group Policy objects (GPOs) to Intune policies for Windows 10 devices. Which THREE tools or methods should you use?

Select 3 answers
A. MDM Migration Analysis Tool (MMAT)
B. Custom OMA-URI settings in a configuration profile
C. Desktop Analytics
D. Group Policy Analytics in Microsoft Intune
E. PowerShell scripts to apply registry settings
Answers: A, B, D

MMAT assesses GPO compatibility with MDM.

Why this answer

The MDM Migration Analysis Tool (MMAT) is correct because it analyzes existing on-premises Group Policy Objects (GPOs) and generates a report mapping each GPO setting to its equivalent MDM policy in Intune, including a readiness score. This tool directly supports the migration workflow by identifying which GPOs can be converted and which require manual intervention, making it essential for planning a GPO-to-Intune migration.

Exam trap

The trap here is that candidates often confuse Desktop Analytics (a Windows upgrade readiness tool) with Group Policy Analytics (a GPO-to-Intune migration tool), leading them to incorrectly select Desktop Analytics as a valid migration method.

Question 613 (Multi-Select, hard)

Which THREE are supported reporting options in Microsoft Intune for device compliance?

Select 3 answers
A. Export compliance data to CSV
B. View compliance status for each device
C. Compliance trends over time
D. Real-time compliance dashboard
E. Scheduled email reports
Answers: A, B, C

Export is available in the compliance report.

Why this answer

Options A, B, and C are correct. A: You can export compliance reports to CSV. B: You can view compliance status per device. C: You can view compliance trends over time.

Option D is wrong because Intune does not have a built-in dashboard for real-time compliance; it updates periodically. Option E is wrong because you cannot schedule automatic email reports natively; you would need Power Automate.

Question 614 (Multi-Select, easy)

Which TWO actions can be performed using a Windows Autopilot reset? (Choose two.)

Select 2 answers
A. Change the primary user of the device
B. Reinstall Windows 11 from scratch
C. Retain the Autopilot registration
D. Remove personal files and apps
E. Remove the device from Microsoft Intune
Answers: C, D

The device remains registered for Autopilot.

Why this answer

Options C and D are correct. Autopilot reset removes personal files and apps and retains the device's Autopilot registration. Option A is wrong because Autopilot reset does not change the primary user. Option B is wrong because it does not reinstall Windows from scratch; it uses the existing OS.

Option E is wrong because it does not remove the device from Intune.

Question 615 (MCQ, medium)

Refer to the exhibit. A Microsoft Intune security baseline is configured for Windows 10 devices. What is the effect of this setting?

A. It requires a reboot for the setting to take effect.
B. It enables real-time protection for scheduled scans.
C. It disables scheduled scans when the device is in use.
D. It reduces the CPU priority of scheduled scans to minimize performance impact.
Answer: D

Enabling low CPU priority ensures scans run at lower priority, reducing impact on user tasks.

Why this answer

This setting in the Microsoft Intune security baseline for Windows 10 configures the 'Scan only if computer is on and in use' policy for Microsoft Defender Antivirus. When enabled, it reduces the CPU priority of scheduled scans to minimize performance impact on the user's active workload, ensuring that background scanning does not interfere with foreground tasks.

Exam trap

The trap here is that candidates confuse 'reducing CPU priority' with 'disabling the scan' or 'requiring a reboot', leading them to select options that describe more drastic or unrelated behaviors rather than the subtle performance tuning this setting actually performs.

How to eliminate wrong answers

Option A is wrong because this setting does not require a reboot; Intune security baseline policies are applied via the Microsoft Defender Antivirus engine and take effect immediately or on the next scheduled scan without a system restart. Option B is wrong because real-time protection is a separate policy (e.g., 'Turn on real-time protection') and is not controlled by this CPU priority setting. Option C is wrong because this setting does not disable scheduled scans when the device is in use; it only lowers the CPU priority of the scan, allowing it to run concurrently without degrading user experience.

Question 616 (MCQ, hard)

You are deploying Windows 10 to 500 new devices using a task sequence in Microsoft Configuration Manager. The devices need to be joined to Microsoft Entra ID and enrolled in Intune automatically during OSD. Which method should you use?

A. Add a 'Provision Microsoft Entra ID' step in the task sequence, using a bulk token generated from Microsoft Entra ID.
B. Use a provisioning package (PPKG) with a bulk enrollment token, applied during the task sequence.
C. Set a Group Policy that enables automatic MDM enrollment using a discovered AAD token.
D. Configure Windows Autopilot for existing devices and redeploy them.
Answer: A

This step allows Entra ID join and automatic Intune enrollment during OSD.

Why this answer

In Configuration Manager, the 'Provision Microsoft Entra ID' step in a task sequence can be used to perform a bulk token-based join. This is the recommended approach for Windows 10 devices, so Option A is correct.

Option B is wrong because a provisioning package is not intended for bulk OSD. Option C is wrong because MDM enrollment via GPO is not typically used during OSD. Option D is wrong because Autopilot is for user-driven scenarios.

Question 617 (MCQ, medium)

You deploy a new line-of-business app to Windows 10 devices via Intune. Users report that the app does not appear in the Company Portal. You verify that the app is assigned to the correct group. What is the most likely cause?

A. The app's installation behavior is set to 'System'.
B. The app is not supported on Windows 10.
C. Users need to add the app manually.
D. The app is assigned to the wrong group.
Answer: A

System-installed apps may not appear in the Company Portal.

Why this answer

When a line-of-business (LOB) app is deployed with installation behavior set to 'System', it installs in the device context and runs as SYSTEM. The Company Portal only displays apps installed in the user context. Even though the app is assigned to the correct group, it will not appear in the Company Portal because the portal filters out system-context apps.

To make it visible, the installation behavior must be set to 'User'.

Exam trap

The trap here is that candidates assume any assigned app will appear in Company Portal, overlooking the critical distinction between system-context and user-context installation behavior in Intune.

How to eliminate wrong answers

Option B is wrong because the app is already deployed and users report it does not appear, not that it fails to install; Windows 10 supports LOB apps via Intune. Option C is wrong because Intune-managed apps are automatically available in the Company Portal when assigned; users do not need to manually add them. Option D is wrong because the question explicitly states the app is assigned to the correct group, so group misassignment is not the cause.

Question 618 (MCQ, hard)

A company uses Microsoft Intune to manage Windows 11 devices. They want to deploy a Win32 app that requires user interaction during installation. The app must be installed with administrative privileges. Which installation behavior setting should you configure?

A. Installation time (64-bit vs 32-bit)
B. System context (device)
C. Device restart behavior
D. User context (user)
Answer: D

Runs as the logged-on user, allowing interaction and elevation.

Why this answer

System context runs the installer as SYSTEM with no user interaction; user context runs it as the logged-on user. The requirement is administrative privileges plus user interaction, so user context is correct because the installer runs with the user's token, which can elevate if needed, while system context prevents any UI.

Choosing the 'User' installation behavior satisfies both requirements.

Question 619 (MCQ, medium)

Your organization uses Microsoft Intune to manage devices. You need to ensure that only corporate-owned devices can access company resources, while allowing users to enroll personal devices for limited access. You plan to use enrollment restrictions and compliance policies. What should you configure?

A. Set enrollment device platform restrictions to block personally owned devices, and create a compliance policy to mark personal devices as noncompliant.
B. Configure enrollment restrictions to block all devices from enrolling.
C. Configure a compliance policy that requires devices to be corporate-owned.
D. Create a conditional access policy that requires devices to be marked as compliant.
Answer: A

Enrollment restrictions prevent personal devices from enrolling, and compliance policies enforce the corporate ownership requirement.

Why this answer

Option A is correct because enrollment device platform restrictions can block personally owned devices from enrolling, while a compliance policy can mark personal devices that do enroll as noncompliant. This combination ensures corporate-owned devices get full access, and personal devices are either blocked or flagged for limited access via conditional access policies.

Exam trap

The trap here is that candidates often confuse compliance policies with enrollment restrictions, thinking a compliance policy alone can block enrollment, when in fact compliance policies only evaluate devices after they are enrolled and cannot prevent enrollment itself.

How to eliminate wrong answers

Option B is wrong because blocking all devices from enrolling would prevent both corporate and personal devices from accessing company resources, which does not meet the requirement to allow personal devices limited access. Option C is wrong because compliance policies can evaluate device ownership (e.g., via the 'Device ownership' setting), but they cannot enforce enrollment restrictions; they only mark devices as compliant or noncompliant after enrollment, so personal devices could still enroll and then be marked noncompliant, but the requirement to block personal devices from enrolling is not achieved. Option D is wrong because a conditional access policy that requires devices to be marked as compliant does not control enrollment; it only controls access after enrollment, so personal devices could still enroll and then be blocked from access, but the requirement to block personal devices from enrolling is not met.

Question 620 (MCQ, easy)

Refer to the exhibit. You are reviewing a JSON policy for Windows 10 compliance. Which of the following is required by this policy?

A. Secure Boot disabled
B. A TPM chip present and enabled
C. BitLocker drive encryption enabled
D. A password of at least 8 characters
Answer: B

'tpmRequired': true requires a TPM chip.

Why this answer

The JSON policy includes the setting 'requireTPM' with a value of 'true', which mandates that a Trusted Platform Module (TPM) chip must be present and enabled on the device to be compliant. TPM provides hardware-level security for cryptographic operations and is a key requirement for features like BitLocker, but the policy itself specifically enforces TPM presence, not encryption status.

Exam trap

The trap here is that candidates often confuse TPM requirement with BitLocker encryption, assuming that requiring TPM automatically implies BitLocker is enabled, but the policy only checks for the TPM chip itself, not the encryption state.

How to eliminate wrong answers

Option A is wrong because the policy does not reference Secure Boot at all; Secure Boot is a separate UEFI security feature that ensures only signed OS bootloaders run, and disabling it would actually reduce security, not meet a compliance requirement. Option C is wrong because while TPM is often used with BitLocker, the policy explicitly requires TPM (requireTPM: true) and does not include a setting for BitLocker drive encryption (e.g., requireEncryption or requireBitLocker). Option D is wrong because the policy does not include any password length requirement; password policies in Intune compliance are set via 'passwordMinimumLength' or similar properties, which are absent from this JSON.

Question 621 (MCQ, easy)

A company uses Configuration Manager to deploy Windows 11. During the deployment, the task sequence fails at the 'Apply Operating System' step. The error log shows 'Failed to find a valid operating system image package'. You verify that the operating system image package exists and is distributed to the distribution point. What is the most likely cause?

A. The client computer does not have enough disk space
B. The task sequence is not associated with the correct boot image
C. The operating system image package is not enabled for use with task sequences
D. The distribution point is not configured to support PXE boot
Answer: C

The package must be enabled for task sequences.

Why this answer

Option C is correct because when an operating system image package exists and is distributed to distribution points but the task sequence fails with 'Failed to find a valid operating system image package', the most common cause is that the image package is not enabled for use with task sequences. In Configuration Manager, each OS image package has a property 'Enable this operating system image for use in task sequences' that must be checked; if unchecked, the task sequence engine cannot reference the package during the Apply Operating System step, even though the package is present and distributed.

Exam trap

The trap here is that candidates often assume the error is due to distribution point issues (like PXE or content distribution) because the error message mentions 'failed to find', but the real cause is a simple property setting on the OS image package that is frequently overlooked during troubleshooting.

How to eliminate wrong answers

Option A is wrong because insufficient disk space would typically cause a different error, such as 'Failed to write to disk' or 'Not enough free space', not a failure to find a valid OS image package. Option B is wrong because the boot image association is critical for booting the client into WinPE, but the error occurs at the 'Apply Operating System' step, which runs after WinPE is loaded; an incorrect boot image would cause a failure earlier, during the boot process or initial task sequence start. Option D is wrong because PXE boot configuration is only relevant if the client is booting from the network; the error occurs during the task sequence execution after the client has already booted into WinPE, and the distribution point's PXE support does not affect the ability to locate an OS image package during the Apply Operating System step.

Question 622 (MCQ, easy)

Refer to the exhibit. You deploy this compliance policy to Windows 10 devices. A device running Windows 10 version 20H2 (OS build 19042.1234) reports as compliant. However, the device does not have BitLocker enabled. Why is the device compliant?

A. The storageRequireEncryption setting is evaluated but not enforced because the device doesn't support encryption.
B. The device is not actually compliant; the report is incorrect.
C. The password requirement is not enforced because passwordRequiredType is set to deviceDefault.
D. The OS version is above the minimum, so compliance is granted regardless of encryption.
Answer: A

If the device doesn't support encryption, the policy may not fail compliance.

Why this answer

Option B is correct because the exhibit shows 'storageRequireEncryption' is set to true, which requires encryption, but the device reports as compliant without BitLocker, indicating the setting is not enforced. Option A is wrong because password is required. Option C is wrong because the OS version is above the minimum.

Option D is wrong because the device reports compliant.

623
Drag & Drop · medium

Arrange the steps to deploy Windows 10 using Microsoft Deployment Toolkit (MDT) in the correct order.

Why this order

MDT deployment requires importing OS and drivers first, then creating a task sequence, updating the share, booting the client, and finally running the wizard.

624
Multi-Select · medium

Your organization is planning to use Microsoft Intune for Windows device management. Which TWO components are required for a successful Windows Autopilot deployment?

Select 2 answers
A. Microsoft Endpoint Manager (MDM authority)
B. Microsoft Entra ID
C. Windows Server Active Directory
D. Microsoft Configuration Manager
E. Microsoft Intune
Answers: B, E

Required for identity and device registration.

Why this answer

Microsoft Entra ID (formerly Azure AD) is required for Windows Autopilot because it provides the identity and device registration infrastructure. Autopilot uses Entra ID to associate a device with its hardware hash (via the OEM or partner portal) and to authenticate the user during the out-of-box experience (OOBE). Without Entra ID, the device cannot be recognized as an Autopilot device and cannot join the cloud domain.

Exam trap

The trap here is that candidates often confuse Microsoft Endpoint Manager (the admin portal) with Intune (the actual MDM service), leading them to select Option A instead of recognizing that Intune itself is the required MDM component.

625
Multi-Select · medium

Which TWO of the following are required to configure Windows Autopilot for existing devices?

Select 2 answers
A. A Windows product key.
B. A local administrator account on the device.
C. An Azure AD Premium P1 license.
D. A hardware hash (4K HH) from the device.
E. A device group that has an Autopilot deployment profile assigned.
Answers: D, E

The hardware hash is used to uniquely identify the device and register it in Autopilot.

Why this answer

Option D is correct because the hardware hash (4K HH) is the unique identifier that Windows Autopilot uses to associate a device with an Autopilot deployment profile. This hash must be harvested from the existing device (e.g., via a PowerShell script or a provisioning package) and uploaded to the Autopilot service to register the device. Without the hardware hash, the device cannot be recognized as an Autopilot device during the out-of-box experience (OOBE).

Exam trap

The trap here is that candidates often confuse the licensing requirement (Azure AD Premium P1) with the technical prerequisite for device registration, but the hardware hash and a device group with an assigned profile are the only two mandatory components for configuring Autopilot on existing devices.

626
MCQ · easy

Your organization wants to use Windows Autopilot for user-driven deployment. Users should be able to self-deploy their devices by signing in with their corporate credentials. Which Autopilot deployment mode should you use?

A. Pre-provisioned deployment
B. Hybrid Azure AD join
C. User-driven (Azure AD join)
D. Self-deploying (Azure AD join)
Answer: C

User-driven mode prompts for user credentials.

Why this answer

Option A is correct because user-driven mode requires user sign-in during OOBE. Option B is wrong because self-deploying mode does not require user interaction. Option C is wrong because pre-provisioned deployment requires IT to pre-provision.

Option D is wrong because there is no 'hybrid' mode.

627
MCQ · easy

You need to ensure that all Windows 10 devices automatically install critical security updates from Windows Update as soon as they are released. Which Windows Update for Business policy setting should you configure?

A. Set 'Update notification level' to 'Display notification'
B. Set 'Quality update deferral period' to 0 days
C. Configure active hours to allow automatic updates
D. Enable 'Pause feature updates'
Answer: B

Setting deferral period to 0 ensures updates are installed as soon as they are released.

Why this answer

Option A is correct because the 'Defer feature updates' setting can be set to 0 days, but for quality updates, use 'Quality update deferral period' set to 0. However, for immediate installation, 'Automatic update behavior' set to 'Auto install and restart' is key. Option A is the best answer.

Option B is wrong because active hours are for scheduling restarts, not immediate installation. Option C is wrong because pause features delay updates. Option D is wrong because it is not a specific setting name.

628
MCQ · medium

Your organization uses Windows Autopilot and Microsoft Intune. You need to ensure that during the Autopilot deployment, the device automatically installs a set of required applications (Microsoft 365 Apps, company portal, and a line-of-business app) before the user can access the desktop. Which configuration should you use?

A. Configure the Enrollment Status Page (ESP) to block device use until required apps are installed
B. Set a device compliance policy to require all apps to be installed
C. Use a PowerShell script that runs during Autopilot to install apps
D. Configure an Autopilot deployment profile with the 'Skip EULA' option
Answer: A

ESP can be configured to block device use until all required apps are installed.

Why this answer

Option B is correct because the Enrollment Status Page (ESP) can block device use until required apps are installed. Option A is wrong because Autopilot profiles do not control app installation blocking. Option C is wrong because device compliance does not control app installation.

Option D is wrong because a PowerShell script is not the best method for this requirement and does not enforce blocking.

629
MCQ · hard

Your organization uses Microsoft Intune to manage Windows 11 devices. You need to configure a device compliance policy that requires devices to run Windows version 22H2 or later. When you create the policy, which option must you select for the OS version requirement?

A. Require OS version
B. Maximum OS version
C. Minimum OS version
D. Exact OS version
Answer: C

Minimum OS version ensures the device runs at least the specified version.

Why this answer

Option C is correct because the 'Minimum OS version' setting checks that the OS version is at least the specified value. Option A is wrong because 'Require' is not a version setting. Option B is wrong because 'Maximum OS version' allows versions up to a value, not above.

Option D is wrong because 'Exact OS version' requires a single version, not a minimum.

630
MCQ · medium

Your company deploys Microsoft Defender for Endpoint (Defender XDR) to all Windows devices. You need to create a custom detection rule that triggers an alert when a specific PowerShell script is executed on any device. Which action should you take in the Microsoft 365 Defender portal?

A. Create a new custom detection rule based on an Advanced hunting query.
B. Configure a Device control policy to block PowerShell.
C. Add an Indicator of compromise for the script hash.
D. Create a new attack simulation training campaign.
Answer: A

Custom detection rules allow you to define custom alerts based on advanced hunting queries.

Why this answer

Option B is correct because custom detection rules are created using Advanced hunting queries. Option A is wrong because custom detection rules are not created with attack simulation training. Option C is wrong because Indicators of compromise are for blocking or allowing, not creating detection rules.

Option D is wrong because policies are for settings, not custom detections.

631
MCQ · easy

Refer to the exhibit. You manage a Windows 11 device that is marked as compliant and has OS version 10.0.22621.0. You need to upgrade the device to Windows 11 version 23H2. Which Intune feature should you use?

A. Windows quality update profile
B. Windows feature update profile
C. Driver update policy
D. Compliance policy
Answer: B

Feature update profiles deploy OS feature updates.

Why this answer

A Windows feature update profile is the correct Intune feature to upgrade a Windows 11 device from one version to another (e.g., from 10.0.22621.0 to 23H2). Feature update profiles deploy new OS builds that enable feature-level changes, whereas quality updates deliver only security and cumulative fixes. This profile targets the specific version upgrade required for the device.

Exam trap

The trap here is confusing 'quality updates' (which are cumulative security fixes) with 'feature updates' (which are full OS version upgrades), leading candidates to incorrectly select the quality update profile for a version upgrade.

How to eliminate wrong answers

Option A is wrong because a Windows quality update profile delivers only monthly security and cumulative updates, not full OS version upgrades like 23H2. Option C is wrong because a driver update policy manages only device driver updates, not Windows OS version changes. Option D is wrong because a compliance policy evaluates device settings against rules but does not deploy OS upgrades; it can mark a device non-compliant but cannot perform the upgrade itself.

632
MCQ · hard

Your organization uses Microsoft Intune and Microsoft Defender for Endpoint. You need to ensure that when a device is determined to be at high risk by Defender, it is automatically blocked from accessing corporate resources. What should you configure?

A. Create a device compliance policy that uses Defender for Endpoint risk level, then use Conditional Access.
B. Configure a device compliance policy with 'Require Defender for Endpoint' setting.
C. Configure a device configuration policy to block access based on risk.
D. Configure an app protection policy to block access based on device risk.
Answer: A

This sets compliance based on risk and Conditional Access blocks non-compliant devices.

Why this answer

Option A is correct because it combines a device compliance policy that evaluates the Defender for Endpoint risk level with a Conditional Access policy that blocks access when the device is noncompliant. This is the only supported method to automatically block corporate resource access based on real-time risk assessment from Defender for Endpoint.

Exam trap

The trap here is that candidates often think a device configuration policy or app protection policy can enforce risk-based blocking, but only the combination of a compliance policy with Defender risk evaluation and Conditional Access achieves this in Intune.

How to eliminate wrong answers

Option B is wrong because 'Require Defender for Endpoint' is a compliance setting that only checks if Defender is enabled and active, not the actual risk level. Option C is wrong because device configuration policies manage settings and features, not access control based on risk. Option D is wrong because app protection policies apply to apps on unmanaged devices and do not evaluate device-level risk from Defender for Endpoint.

633
Multi-Select · easy

Which TWO are valid methods to deploy Microsoft 365 Apps to Windows devices using Microsoft Intune? (Choose two.)

Select 2 answers
A. Use the iOS Microsoft 365 Apps deployment method.
B. Package the Office Deployment Tool as a Win32 app.
C. Upload an MSI file for Microsoft 365 Apps.
D. Use the built-in Microsoft 365 Apps deployment for Windows 10 and later.
E. Add a web link to the Office 365 portal.
Answers: B, D

The Office Deployment Tool can be wrapped as a Win32 app.

Why this answer

Options A and D are correct. Intune supports built-in Microsoft 365 Apps deployment (Office 365 suite) and Win32 app packaging. Option B is wrong because MSI is not used for Office 365.

Option C is wrong because web links are not app deployment. Option E is wrong because iOS deployment is irrelevant.

634
MCQ · easy

Your organization uses Microsoft Intune to manage Windows 10 devices. You need to deploy a Microsoft 365 Apps for enterprise suite to all devices. Which app type should you use in Intune?

A. Web link
B. Windows app (Win32)
C. Microsoft 365 Apps for Windows 10 and later
D. Line-of-business app
Answer: C

This app type is specifically designed for deploying Office 365 ProPlus.

Why this answer

Microsoft 365 Apps for enterprise is deployed using the 'Microsoft 365 Apps for Windows 10 and later' app type in Intune. Option A is correct. Option B is wrong because line-of-business apps are for custom apps.

Option C is wrong because the Windows app (Win32) type is for .exe or .msi installers. Option D is wrong because the Web link type is for shortcuts to web apps.

635
MCQ · hard

Refer to the exhibit. You have configured the above enrollment restriction in Microsoft Intune. A user attempts to enroll a personal Windows 11 device. What will be the outcome?

A. The device will be blocked from enrolling.
B. The device will be prompted to confirm enrollment.
C. The device will enroll but will be marked as non-compliant.
D. The device will enroll successfully because it meets the OS requirements.
Answer: A

The restriction blocks personal Windows devices from enrolling.

Why this answer

Option D is correct because the restriction blocks personal device enrollment for Windows. The device will be blocked during enrollment regardless of OS version. Option A is wrong because OS version is not checked since the restriction blocks personal devices.

Option B is wrong because the restriction is not a compliance policy. Option C is wrong because the device is not allowed.

636
Multi-Select · hard

An organization uses Configuration Manager to manage Windows 10 devices. The administrator is configuring a phased deployment for a software update. Which THREE conditions can be used to define the phases?

Select 3 answers
A. Collection membership
B. Time-based delay between phases
C. Percentage of clients
D. Device compliance status
E. Manual approval for next phase
Answers: A, C, E

Phases can target specific collections.

Why this answer

Collection membership (A) is correct because Configuration Manager phased deployments allow you to specify a target collection for each phase, such as a collection containing pilot devices for the first phase and a broader collection for subsequent phases. This enables granular control over which devices receive the update at each stage, based on existing collection membership rules.

Exam trap

The trap here is that candidates confuse phased deployment conditions with general deployment options, mistakenly thinking time-based delays or compliance status are valid phase criteria, when only collection membership, percentage of clients, and manual approval are supported.

637
Multi-Select · medium

Which TWO methods can you use to enroll macOS devices in Microsoft Intune?

Select 2 answers
A. Google Zero Touch Enrollment
B. Windows Autopilot
C. User-initiated enrollment via Company Portal
D. Apple Configurator
E. Automated Device Enrollment (ADE)
Answers: C, E

Users can enroll manually.

Why this answer

Options A and B are correct because Automated Device Enrollment (ADE) and user-initiated enrollment are supported for macOS. Option C is wrong because Windows Autopilot is for Windows. Option D is wrong because Google Zero Touch is for Android.

Option E is wrong because Apple Configurator is for iOS only.

638
Multi-Select · medium

Your company uses Microsoft Intune to manage Windows 10 devices. You need to deploy a Microsoft Store app (new) to a group of users. Which TWO requirements must be met?

Select 2 answers
A. The device must be joined to an on-premises Active Directory domain
B. The device must have the Microsoft Intune Management Extension installed
C. The device must have sideloading enabled
D. The device must be Azure AD joined or hybrid Azure AD joined
E. The user must have a valid Microsoft account or Azure AD account
Answers: D, E

Required for Intune management.

Why this answer

Options B and D are correct. The device must be Azure AD joined or hybrid Azure AD joined for Intune management. The user must have a Microsoft account (MSA) or Azure AD account to access the Store.

Option A is wrong because domain join alone is insufficient; the device must be enrolled in Intune. Option C is wrong because sideloading is not required for Store apps. Option E is wrong because the Microsoft Intune Management Extension is for Win32 apps, not Store apps.

639
Multi-Select · hard

Which THREE components are required to deploy a Win32 app via Microsoft Intune?

Select 3 answers
A. Detection rule
B. A .intunewin file
C. PowerShell script for post-installation
D. Dependency on another app
E. Install command
Answers: A, B, E

Detection rules determine whether the app is already installed.

Why this answer

A detection rule is required because Intune needs a method to verify whether the Win32 app is already installed on the device. Without a detection rule, Intune cannot determine if the installation succeeded or if the app needs to be reinstalled. The detection rule can be based on a file, registry key, or custom script, and it is mandatory for any Win32 app deployment.

Exam trap

The trap here is that candidates often confuse optional features like dependencies or post-installation scripts with required components, leading them to select those options instead of the three mandatory ones: detection rule, .intunewin file, and install command.

640
MCQ · hard

You are troubleshooting a Windows 10 device that is not receiving Intune policies. The device is enrolled and shows as 'Active' in the Intune admin center. You run the Get-MgDeviceManagementManagedDevice cmdlet and the device's managementAgent is 'mdm'. Which of the following is the most likely cause of the issue?

A. The device is co-managed and the workload is set to Configuration Manager.
B. The device's enrollment certificate has expired.
C. The device's last sync time is more than 24 hours ago.
D. The device is retired from Intune.
Answer: C

A device that has not synced recently will not receive new policies.

Why this answer

Option C is correct because the device's last sync time being more than 24 hours ago indicates that the device has not checked in with Intune within the required interval. Intune policies are delivered during a sync cycle, and if the device hasn't synced recently, it will not receive new or updated policies. The managementAgent being 'mdm' confirms the device is MDM-managed, so the sync interval is critical for policy delivery.

Exam trap

The trap here is that candidates often assume an 'Active' status means the device is fully communicating, but Intune's 'Active' status only indicates successful enrollment, not recent policy sync; the last sync time is the key metric for policy delivery.

How to eliminate wrong answers

Option A is wrong because co-management with the workload set to Configuration Manager would mean that Configuration Manager handles the specific workload (e.g., compliance policies), but the device would still receive other Intune policies unless the workload is explicitly set to Configuration Manager for the policy type in question. Option B is wrong because an expired enrollment certificate would prevent the device from authenticating with Intune entirely, causing it to show as 'Pending' or 'Unhealthy', not 'Active'. Option D is wrong because a retired device would be removed from Intune management and would not show as 'Active' in the admin center.

641
MCQ · easy

You deploy a Microsoft 365 Apps for enterprise suite via Intune to Windows devices. Users report that updates are not being applied automatically. You need to ensure that updates are installed from the Office Content Delivery Network (CDN) without user intervention. What should you configure?

A. Configure Delivery Optimization to download from peers.
B. Configure the Office update channel via an Intune administrative template (ADMX).
C. Enable Windows Update for Business to manage Office updates.
D. Use the Office Deployment Tool to set update settings.
Answer: B

ADMX templates allow setting update path to CDN.

Why this answer

The Office update channel can be set via an Intune administrative template. Option B is incorrect because Windows Update for Business does not manage Office updates. Option C is incorrect because the Office Deployment Tool is for initial deployment.

Option D is incorrect because Delivery Optimization is for peer caching, not update source.

642
MCQ · medium

Refer to the exhibit. The ARM template snippet attempts to deploy a Windows 10 Security Baseline policy in Intune. The deployment fails. What is the most likely reason?

A. Intune configuration policies cannot be deployed via ARM templates.
B. The apiVersion is not supported.
C. The templateId is incorrect.
D. The setting value is invalid.
Answer: A

Intune uses Microsoft Graph, not ARM.

Why this answer

The ARM template uses the wrong structure; Intune configuration policies are not deployed via ARM templates in this manner. The resource type is incorrect. Intune policies are managed via Microsoft Graph, not ARM.

Option A is incorrect because the API version is valid. Option B is incorrect because baselines are available. Option D is incorrect because the template reference is correct.

643
MCQ · easy

A user reports that their Android Enterprise work profile device is not receiving email from the corporate Exchange Online account. The device is enrolled in Intune and shows as compliant. The Outlook app is installed but cannot connect. What should you check first?

A. Email profile configuration in Intune
B. App protection policy settings
C. Device compliance policy settings
D. Intune license assignment
Answer: A

Misconfigured server address or authentication method prevents connection.

Why this answer

Option B is correct because the most common issue is incorrect email profile configuration (server, authentication). Option A (Device compliance) is fine. Option C (App protection policies) affects data leakage, not connectivity.

Option D (Intune license) would affect enrollment, not app connection.

644
Multi-Select · medium

A company uses Microsoft Intune to manage Windows 10 devices. They need to deploy a line-of-business (LOB) app that is not available in the Microsoft Store. The app is packaged as an .msi file. Which TWO steps are required to deploy this app via Intune?

Select 2 answers
A. Upload the .msi file directly as a Microsoft Store for Business app.
B. Install the app on a file server and configure a shortcut.
C. Assign the app to a group of users or devices.
D. Convert the .msi file to the .intunewin format using the Microsoft Win32 Content Prep Tool.
E. Create a PowerShell script to install the app silently.
Answers: C, D

App must be assigned to a target group.

Why this answer

Option C is correct because after preparing the Win32 app, you must assign it to a group of users or devices in Intune to trigger deployment. Without assignment, the app is uploaded but not installed on any target. This step is mandatory for any Intune-managed app deployment.

Exam trap

The trap here is that candidates often think uploading the .msi directly is sufficient, but Intune requires the .intunewin wrapper for Win32 apps, and they may also mistakenly believe a PowerShell script is mandatory for silent installation when the .msi’s built-in silent switches can be specified in the app deployment configuration.

645
MCQ · hard

You have an Intune-managed device that is not receiving compliance policies. You check the Intune console and see the device status is 'Pending'. The device is connected to the internet and can sync. What is the most likely cause?

A. The device's time zone is incorrect
B. The device's certificate has expired
C. The device has not checked in with Intune for more than 7 days
D. The device is not connected to the internet
Answer: C

If a device does not check in, its status becomes pending.

Why this answer

Option A is correct because a pending status often indicates that the device has not checked in recently. Option B is wrong because a certificate issue would show an error. Option C is wrong because incorrect time zone would not cause pending.

Option D is wrong because the device is connected and can sync, so network connectivity is not the issue.

646
MCQ · easy

You need to enroll macOS devices into Microsoft Intune. What is the required enrollment method?

A. Device Enrollment Manager (DEM)
B. Apple Automated Device Enrollment (ADE)
C. Company Portal app
D. Apple Configurator
Answer: C

macOS devices enroll via the Company Portal app downloaded from the Mac App Store.

Why this answer

The Company Portal app is the required enrollment method for macOS devices when using user-driven enrollment with Intune. It allows users to authenticate, download management profiles, and register their device via the Intune Company Portal, which is the standard approach for bring-your-own-device (BYOD) scenarios or when automated enrollment is not configured.

Exam trap

The trap here is that candidates often assume Apple Automated Device Enrollment (ADE) is required for macOS enrollment, but the question asks for the required method, and ADE is optional; the Company Portal is the mandatory user-driven enrollment path when no automated method is set up.

How to eliminate wrong answers

Option A is wrong because Device Enrollment Manager (DEM) is a Windows-specific account used to enroll multiple Windows devices with a single user account, not for macOS enrollment. Option B is wrong because Apple Automated Device Enrollment (ADE) is an optional, automated enrollment method for organization-owned devices, not a required method for all macOS enrollments. Option D is wrong because Apple Configurator is a tool for manual, supervised enrollment via USB connection, typically used for iOS/iPadOS devices in shared or lab environments, not as the required method for standard macOS enrollment.

647
MCQ · medium

You manage Windows 10 devices with Intune. You need to ensure that only approved apps can run on corporate devices. You configure AppLocker via a custom OMA-URI. However, users can still run unapproved apps. What is the most likely reason?

A. The device must be running Windows 10 Pro edition.
B. AppLocker rules can only be configured via Group Policy, not OMA-URI.
C. The AppLocker policy is set to 'Audit only' mode.
D. The policy is assigned to a device group instead of a user group.
Answer: D

AppLocker policies are user-based; device group assignment does not enforce rules on users.

Why this answer

Option D is correct because AppLocker rules are applied per user, not per device. If the policy is assigned to user groups but the user is not in the scope, the rules do not apply. Option A is wrong because AppLocker can be configured via OMA-URI.

Option B is wrong because AppLocker works on Windows 10/11 Enterprise and Education editions. Option C is wrong because uninstalling the app does not enforce rules.

648
Multi-Select · hard

Which TWO of the following are valid reasons to use Windows Autopilot Reset? (Select TWO.)

Select 2 answers
A. To reassign a device to a new user without re-imaging.
B. To enroll a new device that was not purchased through an OEM.
C. To change a device from Azure AD joined to Hybrid Azure AD joined.
D. To deploy a custom Windows image to a device.
E. To quickly resolve device performance issues by resetting to a clean state.
Answers: A, E

Autopilot Reset allows repurposing a device quickly.

Why this answer

Options A and C are correct. Autopilot Reset can be used to reassign a device to a new user and to quickly resolve device issues by resetting while keeping enrollment. Option B is wrong because Autopilot Reset does not provide a fresh OS image; it resets to a known good state.

Option D is wrong because Autopilot Reset is for existing devices, not for adding new devices. Option E is wrong because Autopilot Reset does not change the join type.

649
MCQ · hard

During a Windows 10 in-place upgrade using Configuration Manager, the task sequence fails with error code 0x800706BE. The smsts.log shows 'Failed to run the action: Upgrade Operating System'. What is the most likely cause?

A. Incompatible third-party drivers
B. Corrupted setup files in the OS upgrade package
C. Insufficient disk space on the system drive
D. Antivirus software blocking the upgrade process
Answer: D

Antivirus can block RPC calls, causing 0x800706BE.

Why this answer

Error code 0x800706BE is a generic 'The remote procedure call failed' error, which in the context of a Configuration Manager task sequence during an in-place upgrade is most commonly caused by antivirus software interfering with the setup process. Antivirus real-time scanning can lock files or block critical RPC calls that the Windows Setup engine requires, leading to the 'Failed to run the action: Upgrade Operating System' failure in smsts.log.

Exam trap

The trap here is that candidates often associate error 0x800706BE with generic setup corruption or disk space issues, but Microsoft specifically documents this RPC error as being caused by third-party security software blocking the upgrade process.

How to eliminate wrong answers

Option A is wrong because incompatible third-party drivers typically cause hardware-specific errors like 0x80070570 or 0x80070002, not the RPC-related 0x800706BE. Option B is wrong because corrupted setup files usually result in file hash mismatch errors (e.g., 0x80070017) or extraction failures, not an RPC failure. Option C is wrong because insufficient disk space triggers a specific error code 0x80070070 or a 'Not enough space' message in setupact.log, not 0x800706BE.

650
MCQ · medium

Refer to the exhibit. You configure this Enrollment Status Page (ESP) policy for Windows Autopilot deployments. During a deployment, a device fails to install a required app. What happens?

A. The device will be blocked from use until the app is installed or the device is reset.
B. The user can retry the installation manually.
C. The timeout will extend by 60 minutes.
D. The device will automatically retry the installation.
Answer: A

The policy blocks use on failure.

Why this answer

Option C is correct because 'allowDeviceUseOnInstallFailure' is set to false, so the device will be blocked from use if an installation fails. Option A is wrong because 'blockDeviceSetupRetryByUser' is true, meaning the user cannot retry. Option B is wrong because 'allowDeviceResetOnInstallFailure' is true, but that allows a reset, not a retry.

Option D is wrong because the timeout is 60 minutes, but the failure occurs within that period.

651
MCQ · medium

You need to deploy Microsoft 365 Apps to 500 Windows 10 devices managed by Intune. The deployment must be automatic and should not require user interaction. What is the best method?

A. Create a Configuration Manager application and deploy to the devices.
B. Use the Office Deployment Tool (ODT) to create a package and deploy via Intune as a line-of-business (LOB) app.
C. Create a Win32 app in Intune with the installation command for Microsoft 365 Apps.
D. Assign the Microsoft 365 Apps from the Microsoft Store for Business.
Answer: C

Win32 apps allow silent deployment and can be assigned to devices.

Why this answer

Option C is correct because creating a Win32 app in Intune allows you to use the Office Deployment Tool (ODT) with a custom configuration.xml to install Microsoft 365 Apps silently. This method supports automatic, unattended deployment to 500 Windows 10 devices managed by Intune, as Win32 apps can be assigned with required intent and run in system context without user interaction.

Exam trap

The trap here is that candidates confuse the Office Deployment Tool (ODT) with the line-of-business (LOB) app method, not realizing that LOB apps cannot handle the multi-file ODT package and require a single installer file, making Win32 app the only viable Intune-native option for silent, automated Office deployment.

How to eliminate wrong answers

Option A is wrong because Configuration Manager is a separate on-premises management tool, not the best method for devices already managed solely by Intune; it introduces unnecessary complexity and requires additional infrastructure. Option B is wrong because deploying via Intune as a line-of-business (LOB) app is not suitable for Microsoft 365 Apps; LOB apps are intended for single-file installers (e.g., .msi or .exe) and do not support the multi-file ODT package or the required detection and installation logic for Office. Option D is wrong because the Microsoft Store for Business is deprecated and does not support deploying Microsoft 365 Apps to Windows 10 devices managed by Intune; it was designed for Universal Windows Platform (UWP) apps, not Win32 Office installations.

652
MCQmedium

Your company uses Microsoft Intune to manage Windows 10 devices. You have a compliance policy that requires devices to have a minimum of 4GB RAM and 64GB disk space. Several devices are marked non-compliant due to disk space. You check the devices and find they have 60GB free. The compliance policy checks total disk capacity, not free space. You need to allow these devices to be compliant. What should you do?

A.Upgrade the disk on these devices to 128GB.
B.Change the compliance policy to check free disk space instead of total capacity.
C.Modify the compliance policy to require a minimum of 60GB disk capacity.
D.Create a script to free up disk space on the devices.
AnswerC

This accommodates the existing hardware.

Why this answer

Option C is correct because the compliance policy in Microsoft Intune checks total disk capacity, not free space. By lowering the minimum required total disk capacity to 60GB, devices with 60GB total disk space will meet the policy requirement and become compliant, without needing hardware changes or scripts.

Exam trap

The trap here is that candidates confuse 'free disk space' with 'total disk capacity,' assuming the policy can be changed to check free space, but Intune's built-in compliance policies only evaluate total capacity.

How to eliminate wrong answers

Option A is wrong because upgrading disks to 128GB is unnecessary and costly; the issue is the policy threshold, not hardware inadequacy. Option B is wrong because Intune compliance policies for Windows 10 devices do not support checking free disk space; they only evaluate total disk capacity. Option D is wrong because freeing up disk space does not change the total disk capacity, which is what the policy evaluates.

653
MCQmedium

You are reviewing the Intune Win32 app configuration for FinanceApp. The app fails to install on a Windows 10 device running version 1809. The installation log shows no errors. What is the most likely reason?

A.The detection rule finds the finance.exe file already exists.
B.The device does not meet the minimum Windows release requirement.
C.The install experience is set to system but the device is user enrolled.
D.The install command line is missing a silent switch.
AnswerA

The detection rule uses 'exists' and if the file is present, Intune considers the app installed.

Why this answer

Option B is correct because the requirement rule specifies a minimum Windows release of 10.0.16299 (RS3/1709), but the device runs 1809 (10.0.17763), which meets the requirement, so it should install. However, the detection rule checks for the existence of finance.exe. If the file already exists from a previous installation, the detection rule will mark the app as installed, causing Intune to skip the installation.

Option A is wrong because the requirement is met. Option C is wrong because the install experience is system. Option D is wrong because the command line is correct.

654
Multi-Selectmedium

Which TWO actions can you perform using the Microsoft Intune admin center to manage a Windows device that is enrolled in Intune?

Select 2 answers
A.Format the hard disk
B.Restart the device
C.Sync the device
D.Install a printer driver
E.Change BIOS settings
AnswersB, C

Restart is a supported remote action.

Why this answer

Option B is correct because the Microsoft Intune admin center provides a 'Restart' remote action that triggers a reboot on a managed Windows device. This action is useful for applying pending updates or troubleshooting without requiring end-user interaction, and it leverages the Intune management extension to execute the restart command.

Exam trap

The trap here is that candidates may confuse Intune's remote actions with full remote control capabilities (like SCCM's remote tools) and assume actions like formatting or driver installation are possible, when in fact Intune only supports a limited set of non-destructive management actions such as restart, sync, wipe, and retire.

655
MCQhard

Your company uses Microsoft Intune to manage Windows 11 devices. You need to deploy a configuration that requires users to use Windows Hello for Business (WHfB) and prohibits the use of FIDO2 security keys. Which CSP and value should you configure?

A.Set 'UseFIDO2' to 0 in the PassportForWork CSP.
B.Set 'EnableWindowsHelloForBusiness' to true in the PassportForWork CSP.
C.Set 'RequireSecurityDevice' to true in the PassportForWork CSP.
D.Set 'UseFIDO2' to 1 in the PassportForWork CSP.
AnswerA

This disables FIDO2 security keys while WHfB is enabled via other policies.

Why this answer

Option C is correct because the PassportForWork CSP's 'UseFIDO2' key, when set to 0 (disabled), prohibits FIDO2 keys while other policies enable WHfB. Option A is wrong because setting 'UseFIDO2' to 1 would allow FIDO2. Option B is wrong because 'EnableWindowsHelloForBusiness' enables WHfB but does not affect FIDO2.

Option D is wrong because setting 'RequireSecurityDevice' forces TPM but does not address FIDO2.

656
Multi-Selectmedium

Which TWO actions should you take to ensure that Windows Update for Business settings are applied to all Windows 10 devices in your organization? (Choose two)

Select 2 answers
A.Configure a WSUS server to synchronize updates.
B.Create an update ring policy in Microsoft Intune.
C.Assign the update ring policy to a Microsoft Entra ID group that contains all devices.
D.Enable peer-to-peer content sharing for Windows updates.
E.Create a device compliance policy to enforce update installation.
AnswersB, C

Update ring policies configure Windows Update for Business settings.

Why this answer

B is correct because Windows Update for Business (WUfB) policies are configured through update ring policies in Microsoft Intune, which control how and when Windows 10 devices receive updates from Microsoft's update servers. This allows organizations to manage update deployment without needing on-premises infrastructure like WSUS.

Exam trap

The trap here is that candidates often confuse WSUS with Windows Update for Business, thinking both are required, or they mistakenly believe a compliance policy can enforce update ring settings, when in fact update rings are a separate policy type in Intune.

657
MCQhard

Refer to the exhibit. You deploy this compliance policy to a Windows 11 device running OS version 10.0.22621.100. The device has a password set, firewall active, and Defender enabled. However, the device is marked as non-compliant. What is the most likely reason?

A.The password length is exactly 8 characters, but the policy requires more than 8.
B.Microsoft Defender is not at the required version 4.18.2207.7.
C.The OS version exceeds the maximum allowed version specified in the policy.
D.The device does not have a password set.
AnswerC

The device build 22621.100 is greater than the maximum 22621.0, causing non-compliance.

Why this answer

The device OS version 10.0.22621.100 exceeds the maximum OS version specified in the policy (10.0.22621.0). In Microsoft Intune compliance policies, the 'Maximum OS version' setting marks a device as non-compliant if the device's OS build number is greater than the specified value, even if all other conditions are met. This is a common configuration to prevent devices from running untested or incompatible OS builds.

Exam trap

The trap here is that candidates assume non-compliance is due to a missing or weak password or Defender version, overlooking that the OS version can be too high, not just too low.

How to eliminate wrong answers

Option A is wrong because the policy does not specify a minimum password length; it only requires a password to be set, and the device has one. Option B is wrong because the policy does not specify a required version for Microsoft Defender; it only requires Defender to be enabled, which it is. Option D is wrong because the device does have a password set, as stated in the scenario.

658
MCQeasy

Your company uses Microsoft Intune to manage Windows 10 devices. You need to ensure that all devices have Windows Defender Antivirus real-time protection enabled. What should you configure?

A.Create a device compliance policy requiring antivirus.
B.Create a device configuration policy for Windows Defender Antivirus and enable Real-time protection.
C.Use Administrative Templates to configure Windows Defender Antivirus.
D.Use the Endpoint security node to configure Antivirus policies.
AnswerB

This enables real-time protection.

Why this answer

Option C is correct because the 'Real-time protection' setting in a device configuration policy for Windows Defender Antivirus enables real-time scanning. Option A is wrong because compliance policies do not enable features. Option B is wrong because Administrative Templates include similar settings but the dedicated Antivirus policy is more straightforward.

Option D is wrong because endpoint security policies include Antivirus settings as well.

659
MCQmedium

Your organization is planning to deploy Windows 10 updates using Windows Update for Business. You need to ensure that critical security updates are installed within 7 days of release. Which configuration should you use?

A.Create a feature update policy for Windows 10
B.Configure a deferral period of 7 days for quality updates
C.Set a deadline for quality updates to 7 days
D.Pause quality updates for 7 days
AnswerB

Deferral ensures updates are installed after a set number of days from release.

Why this answer

To ensure critical security updates are installed within 7 days of release using Windows Update for Business, you configure a deadline for quality updates. A deadline forces the device to install the update by a specified number of days after the update is published, regardless of any deferral period. Setting the deadline to 7 days ensures that the update is installed within that timeframe, meeting the requirement.

Exam trap

The trap here is confusing a deferral period with a deadline; candidates often think that setting a deferral of 7 days means the update will be installed in 7 days, but deferral actually delays the start of the update process, not the completion date.

How to eliminate wrong answers

Option A is wrong because feature update policies are used to manage major version upgrades (e.g., Windows 10 22H2), not quality or security updates. Option B is wrong because a deferral period delays the installation of updates; setting a 7-day deferral would postpone the update by 7 days, not ensure it is installed within 7 days of release. Option D is wrong because pausing quality updates stops them from being installed entirely for a specified period, which is the opposite of ensuring timely installation.

660
MCQmedium

Refer to the exhibit. You are reviewing an Intune app protection policy (APP) JSON for Windows. A user complains that they cannot copy data from a managed app. Which setting is causing this?

A.encryptAppData is set to true
B.cutCopyAllowed and pasteAllowed are set to false
C.orgRestriction is set to true
D.requirePin is set to true
AnswerB

Directly disables copy and paste.

Why this answer

Option C is correct. The 'cutCopyAllowed' and 'pasteAllowed' settings are both set to false, preventing copy/paste from managed apps. Option A is wrong because 'orgRestriction' controls data transfer to other apps, not copy/paste.

Option B is wrong because encryptAppData is about encryption, not copy/paste. Option D is wrong because pin requirement does not affect copy/paste.

661
MCQmedium

Your organization uses Microsoft Intune to manage iOS/iPadOS devices. You need to ensure that users cannot remove the Mail app that is required for corporate email. What configuration should you apply?

A.Deploy the Mail app as a required volume-purchased app using Apple Business Manager.
B.Configure a Managed App Configuration with the key 'preventManagedAppRemoval' set to true.
C.Set a device restriction policy to hide the Mail app from the home screen.
D.Assign an app protection policy that blocks the removal of corporate data.
AnswerB

This prevents the user from removing the managed app.

Why this answer

Option B is correct because a Managed App Configuration with the 'preventManagedAppRemoval' key prevents removal. Option A is incorrect because the Mail app is removed and reinstalled, not prevented. Option C is incorrect because app protection policies apply to data, not app removal.

Option D is incorrect because MDM restrictions can hide apps but not prevent uninstall by users if they have permission.

662
MCQhard

Your organization uses Microsoft Intune to manage Windows 10 devices. You need to deploy a PowerShell script that runs during the device provisioning process, before the user signs in. The script should be assigned to a device group containing all Autopilot devices. Which method should you use?

A.Use a device context PowerShell script in Intune and assign it to the device group.
B.Add the script as a Windows 10 platform script in Intune.
C.Assign the script to a user group containing the users.
D.Deploy the script as a device configuration profile.
AnswerA

Device context scripts run in the system context before user sign-in.

Why this answer

Option A is correct because a device context PowerShell script in Intune runs in the system context before the user signs in, making it ideal for provisioning tasks on Autopilot devices. Assigning it to a device group ensures the script executes on the target devices regardless of which user signs in, aligning with the requirement for pre-user-sign-in execution.

Exam trap

The trap here is that candidates confuse user context scripts (which require a signed-in user) with device context scripts (which run in the system context), leading them to choose user group assignment or configuration profiles instead of the correct device group assignment.

How to eliminate wrong answers

Option B is wrong because 'Windows 10 platform script' is not a valid Intune deployment method; scripts are deployed as PowerShell scripts, not platform scripts. Option C is wrong because assigning the script to a user group would cause it to run in user context, which requires a user sign-in and does not meet the pre-sign-in requirement. Option D is wrong because device configuration profiles are used for settings and policies, not for running PowerShell scripts; they cannot execute script code.

663
MCQmedium

A user has a Windows 11 device that is enrolled in Intune. The device is compliant, but the user cannot install apps from the Company Portal. The Company Portal shows 'This app is not available for your device'. The app is assigned to the user and the device meets the minimum requirements. What should you check?

A.Check if the device meets the minimum OS version.
B.Check app assignment to user groups.
C.Check if the app supports Windows 11.
D.Check device compliance policy.
AnswerC

The app might not be compatible with Windows 11.

Why this answer

Option D is correct because if the app requires a specific device type (e.g., Windows 10) and the device is Windows 11, it might not be supported. Option A is wrong because the device is compliant. Option B is wrong because the app is assigned.

Option C is wrong because the device meets requirements.

664
MCQmedium

You are using Microsoft Intune to deploy a custom Windows app that is packaged as an .msi. The app requires a reboot after installation. You want to minimize user disruption. What is the best deployment strategy?

A.Assign the app as available to a user group.
B.Assign the app as available to a device group.
C.Assign the app as required to a device group.
D.Assign the app as required with a deadline.
AnswerB

Users can install at their convenience and handle reboot.

Why this answer

Option B is correct because assigning to device as available lets users choose when to install, and they can schedule the reboot. Option A is wrong because required install may force reboot at inconvenient times. Option C is wrong because available to user still reboots immediately after install via Company Portal.

Option D is wrong because deadline settings are for required installs.

665
MCQmedium

A company is using Windows Autopilot for user-driven deployments. Users report that after OOBE, the device is not Azure AD joined. The enrollment status page shows 'Securing your device' for over an hour. What should you check first?

A.Verify that the device has internet connectivity
B.Confirm that the enrollment status page timeout is set correctly
C.Ensure the device's hardware hash is uploaded and an Autopilot profile is assigned
D.Check that the user has Intune license
AnswerC

Without profile assignment, device may not join Azure AD.

Why this answer

Option C is correct because the device must have its hardware hash uploaded to Intune and an Autopilot profile assigned before it can join Azure AD during OOBE. Without this, the device falls back to a generic provisioning state, causing the 'Securing your device' screen to hang indefinitely as it waits for the Autopilot profile to trigger the Azure AD join.

Exam trap

The trap here is that candidates often assume internet connectivity or licensing is the root cause, but the specific symptom of a prolonged 'Securing your device' screen points directly to a missing or misconfigured Autopilot profile assignment.

How to eliminate wrong answers

Option A is wrong because internet connectivity is already verified by the fact that the Enrollment Status Page (ESP) is displaying 'Securing your device' — the device has reached Intune, so connectivity is not the issue. Option B is wrong because the ESP timeout setting controls how long the ESP waits before allowing the user to bypass it, not the Azure AD join process; a timeout misconfiguration would cause the ESP to skip or fail, not hang for over an hour. Option D is wrong because an Intune license is required for the user to enroll the device, but the ESP is already processing, meaning the user has a license; the issue is that the device lacks the Autopilot profile to direct the Azure AD join.

666
MCQhard

Refer to the exhibit. An administrator runs the PowerShell cmdlet shown on a new Windows 11 device. The cmdlet completes successfully, but the device does not appear in Intune under Windows Autopilot devices. What is the most likely cause?

A.The user running the cmdlet does not have the required permissions in Intune.
B.The device does not have internet access.
C.The device is already registered in Autopilot, so the cmdlet does nothing.
D.The group tag 'Marketing' is invalid.
AnswerA

The cmdlet requires Intune Administrator or similar role to upload the hash.

Why this answer

The cmdlet 'Get-WindowsAutopilotInfo.ps1' with -Online uploads the hardware hash to Intune. For it to work, the device must have internet access and the user running the cmdlet must have the appropriate permissions in Intune (e.g., Intune Administrator role). Option D is correct.

Option A is wrong because the cmdlet is for Autopilot, not for running on a device that is already Autopilot-registered. Option B is wrong because the device must be online. Option C is wrong because the group tag is optional and does not prevent upload.

667
Multi-Selectmedium

You need to onboard devices to Microsoft Defender for Endpoint using Microsoft Intune. Which THREE methods are supported?

Select 3 answers
A.Group Policy with administrative templates
B.Microsoft 365 Apps admin center
C.Intune endpoint security policy for Microsoft Defender for Endpoint
D.Windows Server Update Services
E.Microsoft Defender for Endpoint onboarding configuration profile in Intune
AnswersA, C, E

Onboarding via GPO for domain-joined devices.

Why this answer

Intune security policies, Microsoft Defender for Endpoint onboarding configuration profiles, and Group Policy can onboard devices. Microsoft 365 Apps admin center is for Office, not Defender. Windows Server Update Services is for updates.

668
Multi-Selectmedium

Which TWO actions can you perform in Microsoft Intune to remediate a noncompliant Windows device that has been marked as noncompliant due to missing antivirus? (Choose two.)

Select 2 answers
A.Send a sync command to the device to re-evaluate compliance.
B.Deploy a proactive remediation script to detect and install antivirus.
C.Send a notification to the user to install antivirus via Windows Security.
D.Run a PowerShell script from Intune to install the missing antivirus.
E.Create a Conditional Access policy to block the device until fixed.
AnswersB, D

Proactive remediations can automatically fix issues.

Why this answer

Options A and C are correct. You can either use an Intune script to install the antivirus or use a remediation script via proactive remediations. Option B is wrong because Conditional Access blocks access but does not remediate.

Option D is wrong because retry sync does not install antivirus. Option E is wrong because Windows Security app is user action, not Intune.

669
MCQhard

A company uses Microsoft Intune to manage iOS/iPadOS devices. After enabling Apple User Enrollment (UE), some users report that they cannot install company-recommended apps from the Company Portal. What is the most likely cause?

A.Device type is restricted in enrollment restrictions
B.Apps are assigned to devices instead of users
C.VPP token is not configured for user enrollment
D.User Enrollment does not support app distribution
AnswerB

User Enrollment requires user-based assignments; device-based assignments fail.

Why this answer

Apple User Enrollment creates a per-user, per-device Managed Apple ID and a separate APNs certificate. Under User Enrollment, apps must be assigned to users (not devices) because the enrollment type lacks a device-level identity for app installation. When apps are assigned to devices, the Intune service cannot target them to User Enrollment devices, causing the installation to fail silently in Company Portal.

Exam trap

The trap here is that candidates confuse enrollment restrictions (which block enrollment) with app assignment scope (which blocks app installation after enrollment), and assume User Enrollment cannot distribute apps at all, when in fact it only requires user-based assignment.

How to eliminate wrong answers

Option A is wrong because enrollment restrictions (like device type or OS version) block enrollment itself, not app installation after enrollment; the users are already enrolled, so restrictions are not the cause. Option C is wrong because a VPP token is required for volume-purchased apps, but User Enrollment supports app distribution without a VPP token if apps are free or assigned via user-based assignment; the token issue would affect all apps, not just company-recommended ones. Option D is wrong because User Enrollment does support app distribution—it supports managed app configuration and assignment, but only when apps are assigned to users, not devices.

670
MCQhard

Your organization uses Microsoft Defender for Endpoint (now part of Defender XDR) and Intune. You need to create a device compliance policy that triggers automatic remediation when a device has a 'Medium' severity alert from Defender. Which setting should you configure?

A.Configure 'Device threat level' to 'Medium' and mark as noncompliant
B.Set 'Noncompliance action' to 'Mark device noncompliant'
C.Create a Conditional Access policy to block devices with medium alerts
D.Enable 'Require the device to be at or under the Machine Risk Score'
AnswerA

This uses Defender's threat level to enforce compliance.

Why this answer

Option C is correct. The 'Device threat level' compliance setting uses the Defender for Endpoint threat score to mark devices non-compliant. Option A is for integration enablement.

Option B is for non-compliance actions. Option D is for conditional access.

671
MCQmedium

Your organization uses Microsoft Defender for Endpoint. You need to ensure that devices onboarding to Microsoft Defender for Endpoint are automatically assigned to a specific device group based on their operating system version. What should you use?

A.Manually tag each device in the Microsoft 365 Defender portal.
B.Configure device group rules in Microsoft Defender for Endpoint using OS version condition.
C.Use Microsoft Entra ID dynamic groups based on device OS.
D.Create a Microsoft Intune compliance policy that tags devices by OS version.
AnswerB

Device group rules can automatically assign devices based on criteria.

Why this answer

Device group rules in Microsoft Defender for Endpoint allow you to automatically assign devices to groups based on conditions such as operating system version. This is the correct approach because it uses the built-in grouping engine that evaluates device attributes during onboarding, ensuring consistent and automated assignment without manual intervention.

Exam trap

The trap here is that candidates often confuse Microsoft Entra ID dynamic groups (which are for identity and access management) with Defender for Endpoint device group rules (which are for security operations and automation), leading them to choose Option C incorrectly.

How to eliminate wrong answers

Option A is wrong because manually tagging each device in the Microsoft 365 Defender portal is not automated and does not scale for large environments; it also does not use OS version as a condition. Option C is wrong because Microsoft Entra ID dynamic groups are based on Azure AD device attributes and are used for identity-based access control, not for Defender for Endpoint device group assignment, which requires Defender-specific grouping rules. Option D is wrong because Microsoft Intune compliance policies are used to enforce device health and compliance settings, not to tag devices for Defender for Endpoint grouping; they do not create device groups in Defender.

672
MCQhard

You are implementing Microsoft Defender for Endpoint on Windows Server devices managed by Microsoft Intune. After onboarding, the devices show as 'Inactive' in the Microsoft Defender XDR portal. Which action should you take?

A.Modify the Windows Security app configuration policy to enable real-time protection.
B.Restart the Microsoft Defender for Endpoint service on the devices.
C.Re-run the onboarding script on the devices.
D.Uninstall and reinstall the Microsoft Defender for Endpoint agent.
AnswerB

Restarting the service can re-establish communication.

Why this answer

Option D is correct because 'Inactive' status often indicates that the sensor data is not being sent, which can be resolved by restarting the Microsoft Defender for Endpoint service. Option A is wrong because the issue is not with the onboarding script. Option B is wrong because modifying a policy is not needed for activation.

Option C is wrong because reinstallation is excessive.

673
MCQhard

Your organization uses Microsoft Intune to manage Windows devices. You need to deploy a custom Line-of-Business (LOB) app that is signed with a certificate not trusted by the devices. The app must be available to users in the Company Portal. What should you do?

A.Upload the app to Microsoft Store for Business and assign it as offline.
B.Enable side-loading of apps on the target devices using Group Policy.
C.Upload the app as a LOB app in Intune and assign it to the target group.
D.Convert the app to a .appx package and sign it with a trusted certificate.
AnswerC

Intune LOB deployment does not require the device to trust the signing certificate; Intune handles trust.

Why this answer

Option C is correct because Intune natively supports deploying signed Line-of-Business (LOB) apps directly to managed Windows devices, even if the signing certificate is not trusted by the devices. Intune handles the app delivery through the Company Portal, and the app will install as long as the device is enrolled and the app is assigned to the target group. The certificate trust issue is irrelevant for LOB app deployment via Intune because Intune does not validate the certificate chain for LOB apps; it only requires the app to be signed.

Exam trap

The trap here is that candidates assume a certificate not trusted by devices prevents any deployment, but Intune's LOB app deployment does not require the certificate to be trusted by the device; the app will still appear in Company Portal and attempt installation, though the installation may fail if the device lacks side-loading or developer mode settings.

How to eliminate wrong answers

Option A is wrong because uploading the app to Microsoft Store for Business and assigning it as offline requires the app to be signed with a certificate that is trusted by the devices (typically a Microsoft or trusted CA certificate), and the scenario specifies the certificate is not trusted. Option B is wrong because enabling side-loading via Group Policy allows installation of unsigned or untrusted apps, but it does not make the app available in the Company Portal; side-loading is a device-level configuration, not an app distribution method through Intune. Option D is wrong because converting the app to a .appx package and signing it with a trusted certificate would resolve the trust issue, but the question asks what you should do given the current certificate is not trusted—this option changes the app itself rather than leveraging Intune's existing capability to deploy the app as-is.

674
MCQmedium

An administrator uses Configuration Manager to manage Windows 10 devices. The administrator wants to deploy a custom Windows application as an Application model deployment type. The application requires a reboot. Which deployment purpose should the administrator use to allow users to control the installation timing?

A.Mandatory
B.Pre-deploy
C.Required
D.Available
AnswerD

Available deployments allow users to install at their convenience from Software Center.

Why this answer

The Available deployment purpose allows users to see the application in Software Center and choose when to install it, including scheduling the required reboot at their convenience. This gives users control over installation timing, which is the stated requirement. Required and Mandatory deployments force installation according to a schedule, removing user choice.

Exam trap

The trap here is that candidates confuse 'Available' with 'Required' because both can deliver applications, but only Available gives users control over installation timing and reboot scheduling.

How to eliminate wrong answers

Option A is wrong because Mandatory is not a valid deployment purpose in Configuration Manager; the correct term for a forced installation is Required. Option B is wrong because Pre-deploy is not a deployment purpose; it refers to pre-staging content on distribution points, not controlling user installation timing. Option C is wrong because Required deployment forces the application to install according to a defined deadline, which does not allow users to control when the installation occurs.

675
MCQhard

Your organization uses Microsoft Intune to manage macOS devices. You need to configure FileVault disk encryption for all devices. After deploying the policy, some devices report that encryption is pending. What is the most likely reason?

A.The user has not approved the recovery key escrow.
B.The devices are enrolled using user enrollment.
C.The devices require a PIN to be set for recovery.
D.The devices are not supervised.
AnswerA

User must approve escrow when prompted.

Why this answer

Option B is correct because FileVault encryption requires the user to approve the recovery key escrow. Option A is incorrect because macOS devices can be encrypted via Intune. Option C is incorrect because user enrollment does not affect FileVault policy applicability.

Option D is incorrect because a PIN is not required for FileVault; it uses a password.
