CCNA Deploy Windows client Questions

30 questions · Deploy Windows client · All types, answers revealed

1
MCQeasy

You need to deploy Windows 11 to a remote office with limited bandwidth. Which deployment method is most appropriate?

A.Cloud-based deployment using Windows Autopilot
B.PXE boot deployment from a local server
C.Deployment using BranchCache
D.Multicast deployment from a central location
AnswerC

BranchCache caches content locally, reducing WAN usage.

Why this answer

BranchCache is the most appropriate deployment method for a remote office with limited bandwidth because it allows clients to cache content locally from a peer after the first download, reducing WAN link usage. In Windows deployment, BranchCache can be used with Configuration Manager or standalone to distribute OS images efficiently by having clients retrieve data from local peers rather than repeatedly downloading from a central source over a slow link.

Exam trap

The trap here is that candidates often confuse BranchCache with peer caching in general or assume multicast is always the best for bandwidth savings, but multicast still requires a full WAN transfer of the image, whereas BranchCache avoids redundant WAN traffic entirely after the first download.

How to eliminate wrong answers

Option A is wrong because Windows Autopilot is a cloud-based provisioning method that requires internet connectivity to download the OS image from Microsoft Intune or Windows Update, which would consume significant bandwidth over a limited link. Option B is wrong because PXE boot deployment from a local server requires a local Distribution Point or server at the remote site, which may not be available or feasible in a remote office with limited infrastructure. Option D is wrong because multicast deployment from a central location sends a single stream to multiple clients simultaneously, but it still requires the entire OS image to traverse the WAN link once, which can saturate limited bandwidth and does not leverage local caching.

2
Multi-Selectmedium

A company is planning to deploy Windows 11 using Microsoft Deployment Toolkit (MDT). The administrator needs to ensure that the deployment can be fully automated without user interaction. Which TWO settings should be configured in the CustomSettings.ini file?

Select 2 answers
A.SkipTaskSequence=YES
B.SkipComputerBackup=YES
C.SkipBitLocker=YES
D.SkipDomainMembership=YES
E.SkipFinalSummary=YES
AnswersA, E

Skips task sequence selection.

Why this answer

Option A is correct because setting SkipTaskSequence=YES in CustomSettings.ini allows MDT to bypass the Task Sequence Wizard, enabling a fully automated, zero-touch deployment. Option E is correct because SkipFinalSummary=YES suppresses the final summary dialog that would otherwise require user acknowledgment to complete the deployment. Together, these two settings eliminate all interactive prompts during the deployment process.

Exam trap

The trap here is that candidates often assume any single Skip* setting (like SkipDomainMembership or SkipBitLocker) is sufficient for full automation, but Microsoft explicitly requires both SkipTaskSequence and SkipFinalSummary to eliminate all user interaction in MDT.

3
Matchingmedium

Match each PowerShell cmdlet to its function in Microsoft 365 management.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Connect to Microsoft Graph using delegated or app-only auth

Retrieve Intune-managed devices

Create a new device configuration policy

Update properties of a managed device

Retire a device from Intune

Why these pairings

PowerShell is used for programmatic management; these cmdlets are from Microsoft Graph PowerShell SDK.

4
Multi-Selecthard

You are configuring Windows Autopilot for a customer who has a hybrid Azure AD join deployment. The devices are self-deploying using a self-deploying profile. Which THREE prerequisites must be met for the self-deploying mode to work?

Select 3 answers
A.The device must be registered in Windows Autopilot
B.The local administrator account must be enabled
C.The device must be connected to the internet and able to reach Azure AD
D.The user must be assigned a Windows Autopilot license
E.The device must have an Azure AD Premium license (P1 or P2)
AnswersA, C, E

Registration is required for Autopilot.

Why this answer

Option A is correct because a device must be registered in Windows Autopilot to associate it with a self-deploying profile. Registration is done by uploading the device's hardware hash to the Autopilot service, which then links the device to the profile and enables automatic provisioning without user interaction.

Exam trap

The trap here is that candidates often confuse user-driven Autopilot requirements (like a user license) with device-driven self-deploying mode, leading them to incorrectly select option D instead of recognizing the device license prerequisite.

5
MCQmedium

A company plans to deploy Windows 11 to 500 devices using Microsoft Deployment Toolkit (MDT). The deployment must be fully automated with minimal user interaction. Which configuration should be used in the CustomSettings.ini file?

A.SkipApps=YES
B.UserDataLocation=AUTO
C.SkipWizard=YES
D.DoNotCreateExtraPartition=YES
AnswerC

Suppresses all wizard pages, enabling zero-touch deployment.

Why this answer

Option C is correct because `SkipWizard=YES` in the CustomSettings.ini file tells MDT to bypass all deployment wizard pages, enabling a fully unattended, zero-touch deployment. This is the specific setting required to achieve minimal user interaction during the MDT deployment process.

Exam trap

The trap here is that candidates often confuse `SkipWizard=YES` with individual `Skip*` settings, thinking they need to list each one, or they mistakenly believe `UserDataLocation=AUTO` or `DoNotCreateExtraPartition=YES` control automation level when they only affect specific deployment phases.

How to eliminate wrong answers

Option A is wrong because `SkipApps=YES` only skips the application selection page in the wizard, but the deployment still requires user interaction for other wizard pages (e.g., computer name, credentials). Option B is wrong because `UserDataLocation=AUTO` controls where user state data is stored during migration, not the level of automation or wizard skipping. Option D is wrong because `DoNotCreateExtraPartition=YES` prevents MDT from creating additional partitions (like a recovery partition) during disk configuration, but does not affect the wizard interaction or automation level.

6
Multi-Selectmedium

Which TWO options are valid methods to deploy Windows 10 to new hardware in a Configuration Manager environment?

Select 2 answers
A.Microsoft Deployment Toolkit (MDT) Lite Touch
B.Windows Autopilot self-deploying mode
C.Azure Migrate
D.Bootable media deployment
E.PXE-initiated task sequence deployment
AnswersD, E

Standard ConfigMgr deployment method.

Why this answer

Bootable media deployment (Option D) is a valid method in Configuration Manager because it allows you to create bootable USB or CD/DVD media that contains the boot image, task sequence, and required content. When the media is booted on new hardware, it initiates a task sequence that contacts the Configuration Manager site server to download the OS image and apply it, making it ideal for bare-metal deployments without network connectivity.

Exam trap

The trap here is that candidates often confuse MDT Lite Touch as a Configuration Manager deployment method, but MDT is a separate tool and Lite Touch does not use the Configuration Manager client or infrastructure, making it invalid for this context.

7
MCQmedium

A company plans to deploy Windows 11 to 500 devices using Microsoft Deployment Toolkit (MDT). The deployment must support UEFI-based devices with Secure Boot enabled. During a pilot deployment, several devices fail to boot after deployment. You suspect the issue is related to the boot image configuration. Which boot image setting should you verify?

A.Ensure the boot image is set to x64 BIOS
B.Ensure the boot image is set to x86 BIOS
C.Ensure the boot image includes the WinPE optional component for Secure Boot
D.Ensure the boot image is set to x64 UEFI
AnswerD

x64 UEFI is required for UEFI and Secure Boot.

Why this answer

UEFI-based devices with Secure Boot require a 64-bit boot image because UEFI firmware does not support legacy BIOS boot modes. Selecting an x64 UEFI boot image ensures the deployment environment is compatible with Secure Boot and GPT disk partitioning, which are mandatory for Windows 11 on UEFI systems. An incorrect boot image type (e.g., BIOS-based) will cause boot failures on UEFI-only hardware.

Exam trap

The trap here is that candidates confuse the need for a Secure Boot-specific WinPE component (Option C) with the actual requirement of selecting the correct boot image architecture and firmware type (x64 UEFI), leading them to overlook that Secure Boot support is inherent to the UEFI boot image, not an add-on component.

How to eliminate wrong answers

Option A is wrong because an x64 BIOS boot image is designed for legacy BIOS firmware, not UEFI, and will fail to boot on UEFI-only devices with Secure Boot enabled. Option B is wrong because an x86 BIOS boot image is both the wrong architecture (32-bit) and the wrong firmware type (BIOS), making it incompatible with 64-bit UEFI hardware and Secure Boot requirements. Option C is wrong because Secure Boot support in WinPE is built into the x64 UEFI boot image itself; there is no separate 'WinPE optional component for Secure Boot' — the component is automatically included when you generate an x64 UEFI boot image in MDT.

8
MCQhard

You are designing a Windows Autopilot deployment for a global organization. Devices are purchased from multiple OEMs and shipped directly to users. Some users report that their devices do not register in Autopilot automatically. You confirm the devices have Windows 11 Pro preinstalled and meet hardware requirements. What is the most likely reason for the registration failure, and what should you do to resolve it?

A.The devices are not registered in Autopilot by the OEM; collect the hardware hash using a script
B.The devices have a TPM chip that is not compliant with Autopilot requirements
C.The Autopilot deployment profile is assigned to a dynamic device group that excludes these devices
D.The devices are not connected to the internet during OOBE
AnswerA

The OEM must register the device; if not, manual hash collection is required.

Why this answer

The most likely reason is that the OEM did not register the devices in Windows Autopilot by uploading their hardware hashes to the Microsoft Partner Center. Without this registration, the devices will not be recognized during OOBE and will not automatically receive the Autopilot deployment profile. To resolve this, you must collect the hardware hash from each device using a PowerShell script (e.g., Get-WindowsAutopilotInfo.ps1) and manually upload it to Intune or the Partner Center.

Exam trap

The trap here is that candidates often assume the issue is with TPM or connectivity during OOBE, but the core problem is that the device was never registered in Autopilot by the OEM, which is a prerequisite for automatic profile assignment.

How to eliminate wrong answers

Option B is wrong because TPM compliance is not a prerequisite for Autopilot registration; Autopilot requires TPM 2.0 only for self-deploying mode, but the question does not specify that mode, and devices with non-compliant TPM would still register and show in Intune. Option C is wrong because dynamic device group membership is evaluated after a device is registered in Autopilot; if the device is not registered, the group assignment is irrelevant. Option D is wrong because internet connectivity during OOBE is required for Autopilot to download the profile, but the issue here is that the device never appears in Autopilot at all, which indicates a registration failure, not a connectivity problem.

9
MCQhard

You are a Microsoft 365 Endpoint Administrator for a mid-sized company with 5,000 Windows 10 devices. The company is planning to migrate to Windows 11. You are tasked with deploying Windows 11 using a phased approach with Windows Autopilot. You have configured an Autopilot deployment profile for self-deploying mode targeting all Windows 10 devices in a dynamic device group. However, during the first wave of deployment, you notice that devices that have been upgraded to Windows 11 via an in-place upgrade are not automatically transitioning to the Autopilot experience. Instead, they boot directly to the existing Windows 10 desktop without any Autopilot enrollment. You verify that the devices are registered in Autopilot and that the deployment profile is assigned correctly. What is the most likely cause of this issue?

A.The Autopilot profile has a pre-provisioning policy that blocks self-deploying mode
B.The devices have not been reset to OOBE state after the in-place upgrade
C.The Autopilot profile is configured for user-driven mode instead of self-deploying mode
D.The devices are not connected to the internet during the first boot after upgrade
AnswerB

Autopilot requires OOBE; upgrade doesn't trigger OOBE.

Why this answer

Windows Autopilot requires the device to be in an Out-of-Box Experience (OOBE) state to trigger the enrollment process. An in-place upgrade to Windows 11 preserves the existing user state and settings, so the device boots directly to the desktop without entering OOBE. Even though the device is registered in Autopilot and the profile is assigned, the Autopilot experience only initiates when the device is reset to OOBE (e.g., via a Windows reset or a fresh start).

Therefore, the most likely cause is that the devices have not been reset to OOBE state after the in-place upgrade.

Exam trap

The trap here is that candidates assume Autopilot enrollment will automatically trigger after any upgrade or reboot on a registered device, but they overlook the critical requirement that the device must be in OOBE state to initiate the Autopilot process.

How to eliminate wrong answers

Option A is wrong because a pre-provisioning policy does not block self-deploying mode; pre-provisioning is an optional phase that can be used with self-deploying mode, and it does not prevent the Autopilot enrollment from starting. Option C is wrong because the question states the profile is configured for self-deploying mode, and if it were misconfigured for user-driven mode, the device would still attempt to enroll (but prompt for user credentials) rather than boot directly to the desktop. Option D is wrong because internet connectivity is required for Autopilot enrollment, but the issue here is that the device never enters the OOBE phase where it would check for connectivity; the device boots to the existing desktop, so connectivity is not the blocking factor.

10
MCQmedium

A company manages 500 Windows 10 devices using Microsoft Intune. They plan to upgrade to Windows 11. The IT team wants to ensure that only devices meeting the Windows 11 hardware requirements are allowed to upgrade. They need to block the upgrade on devices that do not meet the requirements, and provide a clear error message to users. What should the IT team configure?

A.Configure a Windows 11 readiness policy in Intune and assign it to all devices.
B.Configure a feature update policy for Windows 10 and Windows 11 in Intune.
C.Create a compliance policy with Windows 11 requirements and assign it to all devices.
D.Use a device configuration profile to set the 'TargetReleaseVersion' policy for Windows 11.
AnswerA

Windows 11 readiness policy blocks upgrade on non-compliant devices and shows a custom message.

Why this answer

Option A is correct because a Windows 11 readiness policy in Intune is specifically designed to evaluate device hardware compatibility against Windows 11 requirements and block the upgrade on non-compliant devices while displaying a custom error message to users. This policy uses the Windows Health Monitoring and the TPM 2.0 attestation checks to enforce the hardware requirements before the upgrade can proceed.

Exam trap

The trap here is that candidates often confuse a compliance policy (which only reports non-compliance) with a readiness policy (which actively blocks the upgrade and provides a user-facing error), leading them to select Option C instead of A.

How to eliminate wrong answers

Option B is wrong because a feature update policy for Windows 10 and Windows 11 only controls the deployment of the feature update itself (e.g., which version to install) but does not include hardware readiness checks or the ability to block the upgrade with a custom error message based on hardware requirements. Option C is wrong because a compliance policy with Windows 11 requirements can mark devices as non-compliant but does not block the upgrade process; compliance policies are used for conditional access and device health, not for controlling the upgrade workflow. Option D is wrong because the 'TargetReleaseVersion' policy is a device configuration profile setting that specifies which Windows version to target (e.g., Windows 11) but does not perform hardware readiness checks or provide a user-facing error message when requirements are not met.

11
Drag & Dropmedium

Arrange the steps to perform a Windows 10 feature update using Windows Update for Business in Intune.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

First create the ring, set version and rollout, assign, then monitor.

12
Drag & Dropmedium

Arrange the steps to configure Conditional Access for Microsoft 365 in Azure AD.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Sign in, go to Conditional Access, create policy, set conditions, set controls, enable.

13
Multi-Selecthard

Which THREE conditions must be met for a device to automatically enroll in Windows Autopilot?

Select 3 answers
A.The device must have BitLocker Drive Encryption enabled
B.The device must be Azure AD joined or Hybrid Azure AD joined
C.The device must have internet connectivity during OOBE
D.The device must be running Windows 10 version 1709 or later
E.The user must be a Global Administrator in Azure AD
AnswersB, C, D

Autopilot requires Azure AD join.

Why this answer

Option B is correct because Windows Autopilot requires the device to be either Azure AD joined or Hybrid Azure AD joined to establish a managed identity in the cloud. This identity enables the device to automatically receive a configuration profile that triggers the Autopilot deployment profile during the out-of-box experience (OOBE). Without this join state, the device cannot be recognized as an Autopilot-managed device.

Exam trap

The trap here is that candidates often confuse the prerequisites for Autopilot enrollment with post-enrollment security requirements, mistakenly selecting BitLocker (Option A) as a condition when it is actually a compliance setting applied after the device is enrolled.

14
MCQhard

You are deploying a custom Windows 10 image to 200 new laptops using MDT. The deployment fails on several devices at the 'Apply Operating System' step with error 0x80070070. The laptops have 60 GB SSDs and 4 GB RAM. What is the most likely cause?

A.The laptops have insufficient RAM (4 GB) to run the deployment.
B.The deployment share is not accessible over the network.
C.The custom image is missing critical drivers.
D.The custom image is too large for the 60 GB SSD.
AnswerD

Error 0x80070070 means 'Not enough disk space'. The image likely exceeds available space.

Why this answer

Error 0x80070070 translates to 'insufficient disk space' (ERROR_DISK_FULL). During the 'Apply Operating System' step, MDT decompresses the custom WIM image and applies it to the local disk. With a 60 GB SSD, if the custom image (including drivers, updates, and applications) exceeds the available free space after partitioning, the deployment fails.

This is the most direct cause given the error code and hardware constraints.

Exam trap

The trap here is that candidates often confuse error 0x80070070 with a RAM issue (since low RAM can cause other errors) or assume network connectivity is the problem, but the error code explicitly points to disk space, not memory or network.

How to eliminate wrong answers

Option A is wrong because 4 GB RAM is sufficient for MDT deployment of Windows 10; the minimum requirement is 2 GB (64-bit), and the error code specifically indicates disk space, not memory. Option B is wrong because network accessibility issues would typically produce error 0x80070035 (network path not found) or 0x80004005 (access denied), not a disk space error. Option C is wrong because missing critical drivers would cause a different error, such as 0x80070570 (corrupted or missing files) or a BSOD during boot, not a disk space error during the apply phase.

15
MCQeasy

An organization needs to deploy Windows 11 to remote users who do not have access to the corporate network. The devices are brand new and have internet connectivity. Which deployment method should the administrator recommend?

A.Use Configuration Manager with a task sequence over VPN.
B.Use PXE boot from a distribution point at the local office.
C.Use Windows Autopilot with user-driven mode.
D.Deploy using MDT with a bootable USB drive.
AnswerC

Autopilot enables cloud-based deployment.

Why this answer

Windows Autopilot with user-driven mode is the correct choice because it enables remote, zero-touch deployment of new Windows 11 devices using only internet connectivity. The devices are pre-registered in Autopilot, and during the out-of-box experience (OOBE), they automatically download the organization-specific configuration, join Azure AD, and enroll in MDM without requiring any VPN or on-premises infrastructure.

Exam trap

The trap here is that candidates often assume VPN or PXE are viable for remote deployments, but they overlook the fundamental requirement that brand-new devices have no pre-existing network configuration or corporate connectivity, making internet-based Autopilot the only practical option.

How to eliminate wrong answers

Option A is wrong because Configuration Manager task sequences over VPN require the device to first establish a VPN connection to the corporate network, which is not possible for brand-new devices that lack pre-configured VPN profiles and have no prior network access. Option B is wrong because PXE boot relies on a local network broadcast and a distribution point on the same subnet; remote users without corporate network access cannot reach a PXE server, and PXE does not work over the internet. Option D is wrong because deploying with MDT using a bootable USB drive requires physical delivery of the USB media to each remote user, which is not a scalable or practical solution for a large number of remote devices and does not leverage internet connectivity for deployment.

16
Multi-Selectmedium

A company is deploying Windows 11 using a task sequence in Configuration Manager. They encounter an issue where the task sequence fails on devices that have BitLocker enabled. Which TWO actions should you take to ensure the task sequence completes successfully on BitLocker-enabled devices?

Select 2 answers
A.Add a 'Preprovision BitLocker' step before the 'Apply Operating System' step
B.Ensure the boot image includes the Microsoft BitLocker Administration and Monitoring (MBAM) optional component
C.Add a 'Suspend BitLocker' step before the 'Format and Partition Disk' step
D.Ensure the boot image includes the BitLocker optional component in WinPE
E.Disable Secure Boot in the device BIOS
AnswersC, D

Suspending BitLocker allows partition modifications.

Why this answer

Option C is correct because suspending BitLocker before the 'Format and Partition Disk' step prevents the task sequence from failing due to BitLocker-protected volumes. When BitLocker is active, the disk cannot be repartitioned or formatted without first suspending protection, as the Trusted Platform Module (TPM) validation and encryption keys would be invalidated. Option D is correct because the boot image must include the BitLocker optional component in WinPE to enable BitLocker-related operations (e.g., suspend, resume, preprovision) during the task sequence execution.

Exam trap

The trap here is that candidates often confuse 'Preprovision BitLocker' (used to enable encryption after OS deployment) with 'Suspend BitLocker' (used to temporarily disable protection during disk operations), leading them to incorrectly select Option A instead of Option C.

17
MCQmedium

A company is using Microsoft Deployment Toolkit (MDT) to deploy Windows 11 to 200 new laptops. The deployment includes applications such as Microsoft 365 Apps for enterprise and a line-of-business (LOB) application. The LOB application requires a specific registry key to be set before installation. You have added a 'Set Registry' step in the task sequence before the application installation step. During a test deployment, the LOB application fails to install. The MDT logs show that the registry key is set correctly, but the application installer still fails. You suspect the application requires a reboot after setting the registry key. The task sequence does not have a reboot step after the registry change. Which step should you add to the task sequence?

A.Add a 'Wait' step for 60 seconds
B.Add a 'Set Task Sequence Variable' step to set a reboot variable
C.Add a 'Restart Computer' step immediately after the 'Set Registry' step
D.Add a 'Run Command Line' step to run gpupdate /force
AnswerC

This ensures the registry change takes effect before application installation.

Why this answer

Option C is correct because the LOB application requires a reboot after the registry key is set to make the change effective. In MDT, a 'Restart Computer' step forces a system restart, ensuring the registry modification is recognized by the application installer. Without this reboot, the installer may read stale registry data and fail, even though the key is correctly written.

Exam trap

The trap here is that candidates may think a simple wait or Group Policy refresh is sufficient, overlooking that some applications require a reboot to recognize registry changes, and that MDT's 'Restart Computer' step is the only way to enforce that reboot at the correct point in the task sequence.

How to eliminate wrong answers

Option A is wrong because a 60-second 'Wait' step does not cause a reboot; it merely pauses the task sequence, so the registry change remains unapplied from the installer's perspective. Option B is wrong because setting a task sequence variable like 'SMSTSRebootRequested' can trigger a reboot later, but without an explicit 'Restart Computer' step, the reboot may not occur at the correct point in the sequence, or the variable may be ignored if not properly handled. Option D is wrong because 'gpupdate /force' refreshes Group Policy settings, not registry keys set directly by the task sequence; it does not cause a reboot and is irrelevant to making a manually written registry key effective.

18
MCQmedium

An administrator is deploying Windows 11 using Configuration Manager. The task sequence fails on some devices during the 'Apply Operating System' step with a notice that the image file is not valid. All other devices succeed. What is the most likely cause?

A.The boot image is not compatible with the device firmware.
B.The distribution point is out of disk space.
C.The task sequence variable OSDPackagePath is missing.
D.The OS image download was corrupted on the client.
AnswerD

Corrupted download causes invalid image error on specific clients.

Why this answer

Option D is correct because a corrupted OS image download on the client will cause the 'Apply Operating System' step to fail with an 'image file is not valid' error. Since the issue occurs only on some devices, a per-client download corruption (e.g., due to network interruption or disk I/O errors during BITS transfer) is the most likely cause, while the image itself remains valid on the distribution point.

Exam trap

The trap here is that candidates often assume a distribution point or boot image problem because those are common causes of task sequence failures, but the 'some devices succeed' clue points to a client-specific corruption rather than a global infrastructure issue.

How to eliminate wrong answers

Option A is wrong because a boot image incompatible with device firmware would cause a failure earlier in the task sequence, typically during the boot phase or when loading Windows PE, not during the 'Apply Operating System' step. Option B is wrong because if the distribution point were out of disk space, the failure would affect all clients attempting to download the OS image, not just some devices. Option C is wrong because the OSDPackagePath variable is automatically set by Configuration Manager during task sequence processing; if it were missing, the task sequence would fail consistently on all devices, not selectively.

19
MCQeasy

A company uses Windows Autopilot for user-driven deployments. They want to ensure that during the out-of-box experience (OOBE), users are required to sign in with their Azure AD credentials and the device is automatically enrolled in Intune. Which Autopilot deployment profile setting should be configured?

A.Set 'Deployment mode' to 'Self-Deploying' and 'Join to Azure AD as' to 'Azure AD joined'.
B.Set 'Deployment mode' to 'User-Driven' and 'Join to Azure AD as' to 'Hybrid Azure AD joined'.
C.Set 'Deployment mode' to 'White Glove' and 'Join to Azure AD as' to 'Azure AD joined'.
D.Set 'Deployment mode' to 'User-Driven' and 'Join to Azure AD as' to 'Azure AD joined'.
AnswerD

This requires user sign-in and enrolls device in Intune.

Why this answer

Option D is correct because the scenario requires a user-driven deployment where the user signs in with Azure AD credentials during OOBE, and the device is automatically enrolled in Intune. Setting 'Deployment mode' to 'User-Driven' ensures the user authenticates during OOBE, and 'Join to Azure AD as' to 'Azure AD joined' makes the device Azure AD-joined, which triggers automatic Intune enrollment via the MDM enrollment authority configured in Azure AD.

Exam trap

The trap here is that candidates often confuse 'Self-Deploying' with 'User-Driven' because both can result in Azure AD join and Intune enrollment, but 'Self-Deploying' does not require user sign-in during OOBE, which is explicitly required in the question.

How to eliminate wrong answers

Option A is wrong because 'Self-Deploying' mode does not require user sign-in during OOBE; it uses a device token for automatic enrollment, which contradicts the requirement for user Azure AD credentials. Option B is wrong because 'Hybrid Azure AD joined' requires the device to be joined to an on-premises Active Directory and then registered with Azure AD, which is not the scenario described and does not rely solely on Azure AD credentials during OOBE. Option C is wrong because 'White Glove' (now called 'Pre-Provisioning') is a technician-driven process that pre-provisions the device before the user receives it, and the user still signs in later, but the question specifies that users sign in during OOBE, not that a technician pre-provisions.

20
MCQhard

A company uses Configuration Manager to deploy Windows 11. During the deployment, several devices fail with error code 0x80070002. The administrator suspects the issue is related to missing boot images or content distribution. What should the administrator do first to resolve the issue?

A.Increase the client cache size on the affected devices.
B.Check the driver packages in the task sequence.
C.Verify that the boot image and OS image are distributed to all distribution points.
D.Recreate the task sequence with new OS image.
AnswerC

Missing content on DP causes file not found error.

Why this answer

Error code 0x80070002 translates to 'The system cannot find the file specified.' In a Configuration Manager task sequence deployment, this typically indicates that the boot image or OS image content is not available on the distribution point that the client is accessing. Verifying distribution ensures the required content is present and accessible, which is the most direct and common fix for this error.

Exam trap

The trap here is that candidates often focus on client-side issues like cache or drivers, but the error code 0x80070002 specifically points to missing or inaccessible content on the server side, making distribution verification the correct first step.

How to eliminate wrong answers

Option A is wrong because increasing client cache size does not resolve missing content on distribution points; cache size affects local storage of downloaded content, not content availability. Option B is wrong because driver packages are not the primary cause of a 'file not found' error during boot image or OS image retrieval; missing drivers would cause hardware-specific failures, not a generic 0x80070002. Option D is wrong because recreating the task sequence is unnecessary and time-consuming; the issue is content distribution, not the task sequence definition itself.

21
MCQeasy

A company uses Configuration Manager to deploy Windows 11. During the deployment, the task sequence fails at the 'Apply Operating System' step. The error log shows 'Failed to find a valid operating system image package'. You verify that the operating system image package exists and is distributed to the distribution point. What is the most likely cause?

A.The client computer does not have enough disk space
B.The task sequence is not associated with the correct boot image
C.The operating system image package is not enabled for use with task sequences
D.The distribution point is not configured to support PXE boot
AnswerC

The package must be enabled for task sequences.

Why this answer

Option C is correct because when an operating system image package exists and is distributed to distribution points but the task sequence fails with 'Failed to find a valid operating system image package', the most common cause is that the image package is not enabled for use with task sequences. In Configuration Manager, each OS image package has a property 'Enable this operating system image for use in task sequences' that must be checked; if unchecked, the task sequence engine cannot reference the package during the Apply Operating System step, even though the package is present and distributed.

Exam trap

The trap here is that candidates often assume the error is due to distribution point issues (like PXE or content distribution) because the error message mentions 'failed to find', but the real cause is a simple property setting on the OS image package that is frequently overlooked during troubleshooting.

How to eliminate wrong answers

Option A is wrong because insufficient disk space would typically cause a different error, such as 'Failed to write to disk' or 'Not enough free space', not a failure to find a valid OS image package. Option B is wrong because the boot image association is critical for booting the client into WinPE, but the error occurs at the 'Apply Operating System' step, which runs after WinPE is loaded; an incorrect boot image would cause a failure earlier, during the boot process or initial task sequence start. Option D is wrong because PXE boot configuration is only relevant if the client is booting from the network; the error occurs during the task sequence execution after the client has already booted into WinPE, and the distribution point's PXE support does not affect the ability to locate an OS image package during the Apply Operating System step.

22
Drag & Dropmedium

Arrange the steps to deploy Windows 10 using Microsoft Deployment Toolkit (MDT) in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

MDT deployment requires importing OS and drivers first, then creating a task sequence, updating the share, booting the client, and finally running the wizard.

23
MCQhard

During a Windows 10 in-place upgrade using Configuration Manager, the task sequence fails with error code 0x800706BE. The smsts.log shows 'Failed to run the action: Upgrade Operating System'. What is the most likely cause?

A.Incompatible third-party drivers
B.Corrupted setup files in the OS upgrade package
C.Insufficient disk space on the system drive
D.Antivirus software blocking the upgrade process
AnswerD

Antivirus can block RPC calls, causing 0x800706BE.

Why this answer

Error code 0x800706BE is a generic 'The remote procedure call failed' error, which in the context of a Configuration Manager task sequence during an in-place upgrade is most commonly caused by antivirus software interfering with the setup process. Antivirus real-time scanning can lock files or block critical RPC calls that the Windows Setup engine requires, leading to the 'Failed to run the action: Upgrade Operating System' failure in smsts.log.

Exam trap

The trap here is that candidates often associate error 0x800706BE with generic setup corruption or disk space issues, but Microsoft specifically documents this RPC error as being caused by third-party security software blocking the upgrade process.

How to eliminate wrong answers

Option A is wrong because incompatible third-party drivers typically cause hardware-specific errors like 0x80070570 or 0x80070002, not the RPC-related 0x800706BE. Option B is wrong because corrupted setup files usually result in file hash mismatch errors (e.g., 0x80070017) or extraction failures, not an RPC failure. Option C is wrong because insufficient disk space triggers a specific error code 0x80070070 or a 'Not enough space' message in setupact.log, not 0x800706BE.

24
MCQmedium

A company is using Windows Autopilot for user-driven deployments. Users report that after OOBE, the device is not Azure AD joined. The enrollment status page shows 'Securing your device' for over an hour. What should you check first?

A.Verify that the device has internet connectivity
B.Confirm that the enrollment status page timeout is set correctly
C.Ensure the device's hardware hash is uploaded and an Autopilot profile is assigned
D.Check that the user has Intune license
AnswerC

Without profile assignment, device may not join Azure AD.

Why this answer

Option C is correct because the device must have its hardware hash uploaded to Intune and an Autopilot profile assigned before it can join Azure AD during OOBE. Without this, the device falls back to a generic provisioning state, causing the 'Securing your device' screen to hang indefinitely as it waits for the Autopilot profile to trigger the Azure AD join.

Exam trap

The trap here is that candidates often assume internet connectivity or licensing is the root cause, but the specific symptom of a prolonged 'Securing your device' screen points directly to a missing or misconfigured Autopilot profile assignment.

How to eliminate wrong answers

Option A is wrong because internet connectivity is already verified by the fact that the Enrollment Status Page (ESP) is displaying 'Securing your device' — the device has reached Intune, so connectivity is not the issue. Option B is wrong because the ESP timeout setting controls how long the ESP waits before allowing the user to bypass it, not the Azure AD join process; a timeout misconfiguration would cause the ESP to skip or fail, not hang for over an hour. Option D is wrong because an Intune license is required for the user to enroll the device, but the ESP is already processing, meaning the user has a license; the issue is that the device lacks the Autopilot profile to direct the Azure AD join.

25
MCQhard

An organization is deploying Windows 10 using Configuration Manager task sequences. During a pilot deployment, the task sequence fails with error code 0x80070002. What is the most likely cause?

A.The device does not meet minimum hardware requirements
B.The task sequence includes a duplicate step
C.The boot image is missing or corrupted
D.The distribution point is unreachable
AnswerC

0x80070002 indicates file not found; boot image is essential for deployment.

Why this answer

Error code 0x80070002 translates to 'The system cannot find the file specified.' In the context of a Configuration Manager task sequence, this typically indicates that the boot image (WIM file) referenced by the task sequence is missing from the distribution point or is corrupted. The boot image is required to start Windows PE and initiate the OS deployment; if it cannot be located or loaded, the task sequence fails immediately.

Exam trap

The trap here is that candidates often associate error 0x80070002 with a network connectivity issue (Option D) or a hardware problem (Option A), but the error code specifically indicates a missing file, not a network or hardware failure.

How to eliminate wrong answers

Option A is wrong because minimum hardware requirements would produce a different error (e.g., 0x80070570 or a pre-flight check failure), not a file-not-found error. Option B is wrong because a duplicate step in the task sequence would cause a validation error during editing or a runtime conflict, but not a 0x80070002 error, which is specifically a file access issue. Option D is wrong because an unreachable distribution point would result in a network-related error (e.g., 0x80072EFE or 0x80004005), not a file-not-found error; the boot image must be present on the distribution point for the task sequence to even begin.

26
Matchingmedium

Match each Co-management workload to its management authority when co-managed.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Intune

Intune (if Windows Update for Business selected)

Intune

Configuration Manager or Intune

Configuration Manager or Intune

Why these pairings

Co-management workloads can be piloted to Intune; these are common choices.

27
MCQmedium

A company plans to deploy Windows 11 to 500 new devices using Microsoft Deployment Toolkit (MDT). The devices have various hardware configurations. The deployment must include language packs and regional settings. Which deployment method should the administrator use to minimize manual intervention?

A.Create a custom task sequence in MDT that includes language packs and regional settings.
B.Use Windows Configuration Designer to create a provisioning package with language settings.
C.Create a task sequence in Configuration Manager without MDT integration.
D.Use Windows Autopilot with a custom profile to deploy language packs.
AnswerA

Task sequences automate deployment including language and region.

Why this answer

Option A is correct because MDT allows the administrator to create a custom task sequence that integrates language packs and regional settings directly into the deployment process. This approach automates the entire deployment with minimal manual intervention, as the task sequence handles all configuration steps without requiring post-deployment adjustments.

Exam trap

The trap here is that candidates often confuse provisioning packages (Option B) or Autopilot (Option D) as suitable for offline image customization, when in fact they only apply settings at runtime and cannot inject language packs into the OS image during deployment.

How to eliminate wrong answers

Option B is wrong because Windows Configuration Designer provisioning packages are designed for runtime configuration and cannot inject language packs into the offline Windows image during deployment; they apply settings after the OS is installed, requiring additional manual steps. Option C is wrong because Configuration Manager without MDT integration lacks the flexible task sequence engine needed to seamlessly inject language packs and regional settings during the deployment process, making it less efficient for this scenario. Option D is wrong because Windows Autopilot is a cloud-based deployment method that does not support injecting language packs into the OS image; it relies on existing images and applies settings post-deployment, which does not minimize manual intervention for language pack integration.

28
Matchingmedium

Match each Microsoft 365 Defender feature to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Endpoint detection and response (EDR) and antivirus

Protection for email and collaboration tools

Detect and investigate advanced attacks on-premises

Cloud access security broker (CASB) for SaaS apps

Identify and remediate vulnerabilities

Why these pairings

These are core Microsoft 365 Defender components covered in MD-102.

29
Multi-Selecthard

An organization uses Configuration Manager to deploy Windows 11. The administrator needs to ensure that after deployment, the devices are automatically enrolled in Microsoft Intune for co-management. Which THREE actions are required?

Select 3 answers
A.Enable WinRM on the target devices.
B.Configure Azure AD hybrid join in the environment.
C.Configure the Intune Connector in Configuration Manager.
D.Enable co-management in Configuration Manager.
E.Configure a Group Policy for automatic Intune enrollment.
AnswersB, C, D

Devices must be Azure AD hybrid joined.

Why this answer

Azure AD hybrid join is required for co-management because it allows devices to be registered in both on-premises Active Directory and Azure AD, enabling them to be managed by both Configuration Manager and Intune simultaneously. Without hybrid join, devices cannot authenticate to Intune for enrollment, as co-management relies on Azure AD identity for device registration and policy assignment.

Exam trap

The trap here is that candidates often confuse automatic Intune enrollment via Group Policy (Option E) as a required step for co-management, but in the co-management workflow, enrollment is handled by the Configuration Manager client after the Intune Connector and hybrid join are configured, making the Group Policy redundant.

30
MCQhard

A company uses Configuration Manager to deploy Windows 10 to 2000 devices. After deployment, several devices report that the Start menu layout is not applied. The administrator used a provisioning package to configure Start layout. What is the most likely cause of the issue?

A.Group Policy settings are overriding the Start layout configuration.
B.The devices are not Azure AD joined.
C.The provisioning package was not signed properly.
D.The provisioning package was applied after user first logon.
AnswerA

GP can override provisioning package settings.

Why this answer

Option C is correct because provisioning packages apply during OOBE and may be overwritten by Group Policy. Option A is wrong because user profile issue would not affect all. Option B is wrong because MDM is not used.

Option D is wrong because the package is applied, just overridden.

Ready to test yourself?

Try a timed practice session using only Deploy Windows client questions.