CCNA Manage and maintain devices Questions

75 of 297 questions · Page 1/4 · Manage and maintain devices

1. MCQ (medium)

Your organization uses Microsoft Intune to manage devices. You need to ensure that only devices with a minimum OS version can access corporate email via Microsoft Outlook for iOS. Which policy type should you configure?

A. Device configuration policy
B. Conditional Access policy
C. Device compliance policy
D. App protection policy (MAM)

Answer: D

App protection policies can require a minimum OS version for managed apps.

Why this answer

Option D is correct because App Protection Policies (MAM) allow you to target specific apps like Microsoft Outlook for iOS with conditional launch settings, including minimum OS version requirements. This policy applies at the app layer without requiring device enrollment, making it ideal for controlling access to corporate data in Outlook on iOS devices based on OS version.

Exam trap

The trap here is that candidates often confuse Device Compliance Policies (Option C) with app-level OS version controls, not realizing that MAM policies can enforce OS version requirements directly on the app without device enrollment.

How to eliminate wrong answers

Option A is wrong because Device Configuration Policies manage device settings (e.g., Wi-Fi, VPN, restrictions) but do not enforce OS version requirements for app-level access. Option B is wrong because Conditional Access policies control access at the authentication layer (e.g., requiring compliant devices) but cannot enforce a minimum OS version specifically for the Outlook app on iOS without device compliance integration. Option C is wrong because Device Compliance Policies evaluate device-level compliance (e.g., OS version, jailbreak status) but require device enrollment and are not app-specific; they would block all access from non-compliant devices, not just Outlook.

2. MCQ (easy)

Your organization uses Microsoft Intune to manage Windows 10 devices. You need to deploy a PowerShell script that runs at every device startup to map network drives based on the user's security group membership. The script should run in the system context and should not require user interaction. How should you configure the script deployment in Intune?

A. Add the script as a Windows PowerShell script in Intune and assign it to users, so it runs when users log in.
B. Use Proactive remediations in Intune to run the script on a schedule.
C. Add the PowerShell script as a Windows PowerShell script in Intune, set the execution context to 'System', and configure the script to run at device startup.
D. Create a device configuration profile that includes the script as a custom setting.

Answer: C

Intune PowerShell scripts can run in system context and at startup.

Why this answer

Option C is correct because Intune supports PowerShell scripts that can run in the system context and be set to run at startup. Option A is incorrect because the script needs to run at device startup in the system context, not when a user signs in. Option D is incorrect because a device configuration profile cannot run scripts.

Option B is incorrect because Proactive remediations are for detecting and fixing issues on a schedule, not for running scripts at startup.

3. MCQ (hard)

Refer to the exhibit. The JSON snippet shows a dynamic device group configuration in Microsoft Intune. What is the effect of the 'enrollmentTimeDeviceMembershipLimit' property set to 15?

A. The group will only contain devices that have been enrolled for at least 15 days
B. Only devices enrolled in the last 15 days are eligible
C. Limits the number of devices in the group to 15
D. Devices added to the group will be removed after 15 days from enrollment

Answer: D

This property sets a time limit for membership after enrollment.

Why this answer

Option D is correct. The enrollmentTimeDeviceMembershipLimit property defines how many days after enrollment a device remains in the dynamic group, after which it is removed. Option C is wrong because the property does not limit the total number of devices in the group.

Options A and B are wrong because the property is not an eligibility filter based on how long ago a device enrolled; it sets the length of membership after enrollment.

4. MCQ (easy)

You manage Windows 10 devices with Microsoft Intune. You need to deploy a PowerShell script that runs in the user context to configure user settings. What type of script should you use?

A. A platform script for Windows.
B. A PowerShell script deployed via Intune Management Extension.
C. A discovery script.
D. A remediation script.

Answer: B

PowerShell scripts can run in user context.

Why this answer

Option B is correct because Microsoft Intune supports PowerShell scripts that can run in the user context. Option D is wrong because remediation scripts are for proactive remediations. Option A is wrong because platform scripts are for macOS/Linux.

Option C is wrong because discovery scripts are for detecting issues.

5. Multi-Select (easy)

Which TWO of the following are valid remote assistance tools for Windows devices managed by Microsoft Intune? (Choose two.)

Select 2 answers
A. Windows Remote Management (WinRM)
B. Remote Desktop
C. Quick Assist
D. Skype
E. TeamViewer

Answers: C, E

Quick Assist is a Windows built-in tool for remote assistance.

Why this answer

Quick Assist is a built-in Windows tool that allows remote assistance connections and is fully supported for managed devices in Microsoft Intune. It uses Remote Desktop Protocol (RDP) for screen sharing and control, and can be deployed and configured via Intune policies, making it a valid remote assistance option.

Exam trap

The trap here is that candidates often confuse Remote Desktop (full remote access) with remote assistance (attended, consent-based support), leading them to select Remote Desktop instead of Quick Assist or TeamViewer.

6. Multi-Select (medium)

Which TWO settings can be configured in a Microsoft Intune device compliance policy for iOS/iPadOS?

Select 2 answers
A. Allow app installation from App Store only
B. Block USB devices
C. Require a password
D. Minimum OS version
E. Jailbroken devices

Answers: C, D

This is a compliance setting.

Why this answer

Option C is correct because Intune device compliance policies for iOS/iPadOS include a setting to require a password on the device, which can enforce specific password complexity rules such as minimum length, number of complex characters, and lockout behavior. This setting is a core compliance requirement for securing devices that access corporate resources.

Exam trap

The trap here is that candidates often confuse settings available in device compliance policies with those in device configuration profiles, mistakenly thinking restrictions like app store installation or USB blocking are compliance settings, when they are actually managed under configuration profiles.

7. Multi-Select (hard)

You need to configure a Microsoft Intune policy to ensure that only devices with a minimum OS version can access corporate email. Which THREE policy types can enforce this requirement?

Select 3 answers
A. Device compliance policy
B. App protection policy
C. Enrollment restrictions
D. Device configuration profile
E. Conditional access policy

Answers: A, B, E

Compliance policy can require minimum OS version.

Why this answer

Options A, B, and E are correct. A: Device compliance policy can mark devices as non-compliant if the OS version is below the minimum. E: Conditional access policy can block access based on device state.

B: App protection policy can require a minimum app version, which maps to an OS version requirement in some contexts. Option D is wrong because configuration profiles do not enforce access. Option C is wrong because enrollment restrictions block enrollment, not access after enrollment.

8. MCQ (easy)

You manage Android Enterprise devices with Microsoft Intune. You need to ensure that work profile apps are automatically installed when a user enrolls their device. What should you configure?

A. Auto-enrollment with app assignment to the 'All devices' group.
B. A device configuration policy to allow Google Play Store.
C. A compliance policy for work profile.
D. A managed Google Play app assignment with 'Required' intent.

Answer: A

Auto-enrollment allows automatic app installation during enrollment.

Why this answer

In Android Enterprise, you can configure 'Auto-enrollment' to automatically install required apps in the work profile when the device enrolls. Option C is incorrect because compliance policies do not install apps. Option B is incorrect because configuration policies do not install apps.

Option D is incorrect because the Google Play Store is used for distribution, but the trigger is auto-enrollment.

9. MCQ (easy)

You need to remotely wipe a lost corporate-owned iOS device that is enrolled in Microsoft Intune. Which action should you perform in the Intune console?

A. Retire.
B. Wipe.
C. Delete.
D. Reset.

Answer: B

Wipe performs a factory reset, suitable for lost devices.

Why this answer

The 'Wipe' action performs a factory reset on the device. Option A is incorrect because 'Retire' removes management and corporate data but does not wipe personal data (and is less thorough). Option C is incorrect because 'Delete' removes the device from management without wiping.

Option D is incorrect because 'Reset' is not a standard action.

10. MCQ (medium)

Your organization uses Microsoft Defender for Endpoint (now part of Microsoft Defender XDR) to manage endpoint security. You need to ensure that all Windows 10 devices are onboarded to Defender for Endpoint via Microsoft Intune. Which policy type should you use?

A. Endpoint detection and response policy
B. Antivirus policy
C. Firewall policy
D. Windows Security experience policy

Answer: A

EDR policy is used to onboard devices to Defender for Endpoint.

Why this answer

To onboard Windows 10 devices to Microsoft Defender for Endpoint via Intune, you must use an Endpoint detection and response (EDR) policy. This policy type deploys the required onboarding configuration package (a .cmd script or .xml file) that registers the device with the Defender for Endpoint service, enabling sensor data collection and threat detection. Antivirus, Firewall, and Windows Security experience policies manage separate security features but do not handle the initial onboarding process.

Exam trap

The trap here is that candidates confuse 'onboarding' with 'configuring existing security features,' mistakenly selecting Antivirus policy because they think Defender Antivirus must be enabled first, when in fact onboarding is a distinct prerequisite handled only by the EDR policy.

How to eliminate wrong answers

Option B (Antivirus policy) is wrong because it configures Microsoft Defender Antivirus settings (e.g., real-time protection, cloud-delivered protection) but does not deploy the onboarding package required to connect the device to Defender for Endpoint. Option C (Firewall policy) is wrong because it manages Windows Defender Firewall rules and profiles, which are unrelated to the device registration and sensor activation needed for onboarding. Option D (Windows Security experience policy) is wrong because it customizes the Windows Security app interface (e.g., notifications, tamper protection) but does not include the onboarding configuration that establishes the device's connection to the Defender for Endpoint backend.

11. MCQ (hard)

You are troubleshooting a Windows 10 device that is not receiving policy updates from Intune. The device shows 'Pending' status in the Intune console. The device is connected to the internet. What is the most likely cause?

A. The device is not connected to the network.
B. The device has a pending reboot.
C. The Intune management extension service is not running.
D. The device enrollment is expired.

Answer: C

The service must be running to receive policies.

Why this answer

Intune policies are delivered via the Intune management extension. If the service is not running or is disabled, policies cannot be applied. Option A is incorrect because the device is online.

Option D is incorrect because the enrollment shows as valid. Option B is incorrect because a pending reboot does not by itself prevent policy delivery; the management extension is what is required for policies.

12. MCQ (hard)

You are using Intune to manage macOS devices. You need to deploy a custom configuration profile that sets a preference for a third-party app. Which method should you use?

A. Upload an XML file with the preference settings.
B. Upload a DMG file containing the preferences.
C. Upload a property list (.plist) file.
D. Upload a JSON file with the preference settings.

Answer: C

Custom macOS profiles use plist files.

Why this answer

Option C is correct because custom configuration profiles on macOS use property list (.plist) files. Option A is incorrect; XML is not directly used for macOS profiles. Option D is incorrect; JSON is used for Windows, not macOS.

Option B is incorrect; DMG is a disk image format, not a configuration format.

13. Multi-Select (hard)

You are troubleshooting a Windows 10 device that is not receiving a required security policy from Intune. The device shows as 'Not compliant' in the Intune console. Which TWO actions should you take to resolve the issue?

Select 2 answers
A. Ensure the device is in the correct Microsoft Entra ID group targeted by the policy.
B. Reissue the user's Microsoft 365 license from the admin center.
C. Reset the device's enrollment state via the Company Portal.
D. Verify that the device has an active internet connection and can reach Intune services.
E. Run Invoke-Command to remotely execute gpupdate /force.

Answers: A, D

Group assignment is essential for policy delivery.

Why this answer

Option A is correct because Intune security policies are assigned to Microsoft Entra ID groups. If the device is not a member of the targeted group, it will not receive the policy, resulting in a 'Not compliant' status. Verifying group membership ensures the policy scope is correctly applied.

Exam trap

The trap here is that candidates often confuse Intune MDM policy delivery with traditional on-premises Group Policy, leading them to select the gpupdate command (Option E) instead of recognizing that Intune relies on OMA-DM sync and network connectivity.

14. MCQ (hard)

An organization uses Microsoft Intune to manage Windows devices. They want to deploy a Win32 app that requires admin rights to install. The app must be installed in the system context and should not require user interaction. Which installation behavior should be configured?

A. Install behavior: User, Installation purpose: Required, Device restart behavior: No specific action
B. Install behavior: System, Installation purpose: Required, Device restart behavior: No specific action, Installation visibility: Hidden
C. Install behavior: User, Installation purpose: Available
D. Install behavior: System, Installation purpose: Required, Device restart behavior: Immediately

Answer: B

System context ensures admin rights, Hidden prevents user interaction, and Required ensures installation.

Why this answer

Option B is correct because 'System' context installs the app with elevated privileges, and 'Hidden' ensures no user interaction. Option A is wrong because 'User' context does not provide admin rights. Option D is wrong because 'System' without 'Hidden' (that is, 'Visible') shows installation progress, which may require interaction.

Option C is wrong because 'User' context cannot install with admin rights.

15. MCQ (hard)

You have configured a Windows 10 update ring with a deadline of 3 days for quality updates. However, some devices are not installing updates within the deadline. What should you verify?

A. The devices are set to defer quality updates in Windows Update settings.
B. The devices have a feature update policy that conflicts.
C. The Intune Management Extension is installed.
D. The update ring is assigned to the correct Azure AD group.

Answer: A

Deferral settings can delay installation beyond the deadline.

Why this answer

Option A is correct because if devices are not meeting the deadline, they may be set to defer updates, which overrides the deadline. Option D is incorrect because the update ring is assigned. Option B is incorrect because the issue is not about missing feature updates.

Option C is incorrect because the Intune Management Extension does not manage Windows updates.

16. Multi-Select (medium)

Which TWO actions can you perform using Microsoft Intune to manage devices that are not compliant? (Choose two.)

Select 2 answers
A. Automatically send an email to the user's manager.
B. Remotely wipe the device.
C. Block access to corporate resources.
D. Send a push notification to the user.
E. Mark the device as noncompliant in the Intune admin center.

Answers: D, E

Intune can notify users when their device is noncompliant.

Why this answer

Option D is correct because Microsoft Intune can send push notifications to noncompliant devices via the Company Portal app, alerting users about compliance issues and required actions. Option E is correct because marking a device as noncompliant in the Intune admin center is a manual action that updates the device's compliance state, which then triggers conditional access policies to block resources. Both actions are available for managing noncompliant devices without requiring user interaction or remote wipe.

Exam trap

The trap here is that candidates confuse the actions available directly in Intune (like sending notifications or marking noncompliant) with the downstream effects of conditional access policies (like blocking access), leading them to incorrectly select 'Block access to corporate resources' as an Intune action rather than a conditional access outcome.

17. MCQ (hard)

Users report that after updating to Windows 11, their devices are no longer receiving policy updates from Intune. The devices appear as active and compliant in the Intune console. What is the most likely cause?

A. The devices lost compliance after the upgrade.
B. The Intune management extension is outdated and needs to be updated.
C. The MDM authority changed to Configuration Manager.
D. Windows 11 is not supported by Microsoft Intune.

Answer: B

The management extension must be updated to support Windows 11 policies.

Why this answer

Option B is correct because Windows 11 requires the Intune management extension to be updated; an outdated extension may not process policies correctly. Option D is wrong because Windows 11 is supported. Option A is wrong because the devices are compliant.

Option C is wrong because MDM authority is per tenant, not per device.

18. MCQ (hard)

An organization uses Microsoft Intune for device management. They have a requirement that all Windows devices must have BitLocker enabled. They want to automatically remediate any device that has BitLocker disabled by running a PowerShell script. Which Intune feature should be used?

A. Device configuration profile to enable BitLocker
B. Device compliance policy with a noncompliance action to mark device as non-compliant
C. PowerShell script deployment with assignment to all devices
D. Proactive remediations with a detection script for BitLocker status and a remediation script to enable BitLocker

Answer: D

Proactive remediations can detect and automatically run remediation scripts.

Why this answer

Option D is correct because proactive remediations can detect and remediate issues like BitLocker being disabled. Option B is wrong because compliance policies only report non-compliance. Option A is wrong because configuration profiles can enable BitLocker but not run scripts.

Option C is wrong because scripts run at enrollment or on demand but not continuously.

19. MCQ (medium)

Refer to the exhibit. You run this PowerShell command to retrieve Windows devices. The output shows several devices with lastSyncDateTime older than 30 days and complianceState as 'noncompliant'. What is the most likely cause for these devices to be noncompliant?

A. The devices failed to enroll properly.
B. The compliance policy includes a rule for 'Maximum days since last check-in' and these devices exceeded that limit.
C. The devices are running a non-Windows operating system.
D. The devices have names that do not match the naming convention.

Answer: B

A common compliance rule requires devices to sync within a set number of days.

Why this answer

Option B is correct because the compliance policy requires devices to check in periodically; if they haven't synced in 30 days, they may be marked noncompliant due to a 'last check-in' rule. Option D is wrong because the device name does not affect compliance. Option C is wrong because the command filters for Windows.

Option A is wrong because there is no evidence of enrollment failure.

20. Multi-Select (hard)

Which THREE actions are available in Microsoft Intune's proactive remediations for Windows devices?

Select 3 answers
A. Run a detection script to identify issues.
B. Send email alerts when issues are detected.
C. Schedule scripts to run at regular intervals.
D. Run a remediation script to fix issues.
E. Mark devices as non-compliant if remediation fails.

Answers: A, C, D

Detection scripts identify problems.

Why this answer

Proactive remediations in Microsoft Intune are designed to detect and automatically fix common issues on Windows devices without requiring user intervention. Option A is correct because the workflow begins with a detection script that runs on the device to identify specific problems, such as registry misconfigurations or missing files. This script must return an exit code indicating whether an issue exists, which then triggers the remediation script if needed.

Exam trap

The trap here is that candidates often confuse proactive remediations with compliance policies or alerting features, assuming that failed remediation can automatically trigger non-compliance or email notifications, but Intune separates these functions into distinct policies and requires additional configuration for alerts.

21. MCQ (easy)

Your organization uses Windows Autopilot for device provisioning. Users report that after initial setup, devices are not automatically enrolled in Microsoft Intune. What should you verify?

A. That a device configuration profile is assigned to the devices.
B. That the devices are registered in Windows Autopilot with a valid hardware hash.
C. That a Conditional Access policy is in place requiring Intune enrollment.
D. That a device compliance policy is assigned to the Autopilot devices.

Answer: B

Autopilot devices must be registered to automatically enroll in Intune.

Why this answer

Option B is correct because Autopilot devices must be registered with their hardware hash in Intune/Entra ID. Option D is wrong because a compliance policy does not affect enrollment. Option A is wrong because a configuration profile deploys settings after enrollment.

Option C is wrong because Conditional Access is post-enrollment.

22. MCQ (medium)

Your organization requires that all Windows 11 devices encrypt their drives with BitLocker. You have configured a BitLocker policy in Intune, but some devices show as 'Not evaluated' for the encryption status. What is the most likely reason?

A. The devices do not have a TPM chip.
B. The policy is not assigned to the correct group.
C. The devices have a conflicting Group Policy.
D. Secure Boot is disabled on the devices.

Answer: A

TPM is required for BitLocker, and without it the policy cannot be evaluated.

Why this answer

Option A is correct because BitLocker requires a TPM chip to function; devices without a TPM cannot evaluate the policy. Option B is incorrect because the policy is assigned. Option D is incorrect because Secure Boot is not required for BitLocker.

Option C is incorrect because BitLocker can be configured via Intune without a GPO.

23. MCQ (medium)

Your organization uses Microsoft Intune to manage Android Enterprise devices. You need to ensure that corporate apps are installed automatically on new devices without user interaction. Which enrollment method should you use?

A. Android Enterprise fully managed
B. Android Enterprise dedicated device
C. Android Legacy device administrator
D. Android Enterprise work profile

Answer: A

Fully managed devices allow silent app installation.

Why this answer

Android Enterprise fully managed (A) is the correct enrollment method because it allows IT to enroll corporate-owned devices into Intune with full device control, enabling automatic, silent installation of required corporate apps without any user interaction. This mode uses the Android Enterprise API to push apps via managed Google Play as required or kiosk apps, ensuring they are installed before the device is handed to the user.

Exam trap

The trap here is that candidates often confuse 'fully managed' with 'dedicated device' because both are corporate-owned, but dedicated devices lack user association and cannot automatically install user-specific corporate apps without a user context.

How to eliminate wrong answers

Option B (Android Enterprise dedicated device) is wrong because it is designed for single-purpose or kiosk devices that are not assigned to a specific user, and while it can auto-install apps, it does not support user-based app targeting or user-specific corporate app deployment without a user context. Option C (Android Legacy device administrator) is wrong because it is a deprecated enrollment method that relies on Device Admin API, which does not support automatic app installation via managed Google Play and lacks the modern app management capabilities of Android Enterprise. Option D (Android Enterprise work profile) is wrong because it is intended for BYOD scenarios where a separate work profile is created on a personal device, and while apps can be pushed, they require user consent or interaction during profile setup and are not automatically installed on new devices without user involvement.

24. MCQ (hard)

Refer to the exhibit. You run this Microsoft Graph PowerShell command to retrieve managed devices. The output shows a device with a lastSyncDateTime of 5 days ago. What does this indicate?

A. The device was enrolled 5 days ago.
B. The device is non-compliant.
C. The device is unenrolled.
D. The device has not communicated with Intune for 5 days.

Answer: D

lastSyncDateTime indicates the last check-in time.

Why this answer

Option D is correct because lastSyncDateTime indicates when the device last communicated with Intune; 5 days ago means the device has not checked in for 5 days. Option B is wrong because complianceState is a separate property. Option A is wrong because the enrollment date is a separate property; lastSyncDateTime does not record when the device enrolled.

Option C is wrong because the device is still enrolled.

25. Multi-Select (medium)

You are designing a Windows 10 update strategy using Windows Update for Business and Intune. Which THREE settings should you configure to ensure updates are delivered efficiently while minimizing user disruption?

Select 3 answers
A. Set active hours to prevent restarts during work.
B. Configure a deadline for quality updates.
C. Enable Delivery Optimization for update distribution.
D. Configure a deferral period for driver updates.
E. Set a grace period after the deadline.

Answers: A, B, E

Active hours minimize disruption.

Why this answer

Setting active hours prevents restarts during work by defining a window during which Windows Update will not automatically reboot the device. This minimizes user disruption by ensuring that updates only restart the device outside of specified active hours, aligning with the goal of delivering updates efficiently while maintaining productivity.

Exam trap

The trap here is that candidates often confuse Delivery Optimization (a bandwidth-saving feature) with a setting that directly controls update timing or user disruption, leading them to select it instead of focusing on restart management policies like active hours, deadlines, and grace periods.

26. MCQ (hard)

Refer to the exhibit. A Windows 11 device assigned to this update ring is running a released version. What is the immediate behavior after the policy applies?

A. The device will uninstall the current Insider build and revert to the released version.
B. The device will be offered the latest Windows Insider Dev Channel build.
C. The device will defer all updates by 10 days.
D. The device will install the latest released quality update immediately.

Answer: B

The servicing channel directs the device to Dev Channel builds.

Why this answer

The exhibit shows an update ring policy configured with the 'Windows Insider Program' enabled and the 'Insider Channel' set to 'Dev Channel'. Since the device is currently on a released version, applying this policy will enroll it in the Windows Insider Program and offer the latest Dev Channel build. This is the immediate behavior because the policy triggers a check for the specified Insider build, not a deferral or quality update.

Exam trap

The trap here is that candidates may confuse the 'Deferral' settings with Insider build behavior, assuming deferral periods apply to Insider builds, when in fact enabling the Insider Program overrides deferrals for feature updates and directly offers the specified channel's build.

How to eliminate wrong answers

Option A is wrong because the policy does not uninstall the current build; it enrolls the device in the Insider Program, which offers a new build without reverting the existing OS. Option C is wrong because the policy explicitly enables Insider builds, overriding any deferral settings; deferrals apply to quality updates, not feature updates from Insider channels. Option D is wrong because the policy targets Insider Dev Channel builds, not released quality updates; quality updates are managed separately via deferral periods or other policies.

27. Multi-Select (medium)

You are troubleshooting a Windows 11 device that fails to install a required Win32 app deployed via Intune. Which THREE logs or locations should you review?

Select 3 answers
A. Windows Update log (C:\Windows\WindowsUpdate.log)
B. Intune Management Extension logs in %ProgramData%\Microsoft\IntuneManagementExtension\Logs
C. The IntuneManagementExtension.log file in the agent directory.
D. Windows Registry under HKLM\Software\Microsoft\Intune
E. Windows Event Logs under Applications and Services Logs > Microsoft > Windows > AppLocker

Answers: B, C, E

These logs detail app installation attempts.

Why this answer

Options B, C, and E are correct. The Intune Management Extension logs contain details about app installation. The Windows Event Logs under Applications and Services Logs > Microsoft > Windows > AppLocker may show block events.

The %ProgramData%\Microsoft\IntuneManagementExtension\Logs folder also contains logs. Option D is incorrect because the registry is not a primary log location. Option A is incorrect because the Windows Update log is not relevant for Win32 app installation.

28. Multi-Select (medium)

Which TWO actions can you perform using Microsoft Intune to manage Windows 10 devices?

Select 2 answers
A. Create local user accounts on the device
B. Remotely wipe a device
C. Configure DHCP settings
D. Apply BitLocker encryption policies
E. Add the device to an Active Directory group

Answers: B, D

Intune supports remote wipe.

Why this answer

Option B is correct because Microsoft Intune supports a remote wipe action that can be triggered from the Intune console to reset a Windows 10 device to factory settings or selectively remove corporate data. This is a core device management capability used for data protection when a device is lost or stolen, leveraging the Windows 10 reset functionality via the Intune management channel.

Exam trap

The trap here is that candidates often confuse Intune's device management capabilities with on-premises Group Policy or Active Directory tasks, leading them to incorrectly select options like creating local users or managing DHCP, which are outside Intune's scope.

29. MCQ (easy)

You need to ensure that Windows 10 devices are automatically upgraded to Windows 11 if they meet hardware requirements. Which policy should you configure in Microsoft Intune?

A. Assign a driver update policy.
B. Assign a quality update policy.
C. Assign an update ring for Windows 10.
D. Assign a Windows 10/11 feature update policy.

Answer: D

Feature update policies are used to upgrade Windows 10 to Windows 11.

Why this answer

Option D is correct because a Windows 10 and later feature update policy lets you select a target version, including a Windows 11 release, and Windows Update for Business upgrades only the devices that meet the Windows 11 hardware requirements; devices that do not qualify stay on Windows 10. Option C is wrong because an update ring controls deferral, deadlines and restart behavior but does not name a target version. Option B is wrong because quality updates are the monthly cumulative security updates, not OS upgrades.

Option A is wrong because driver update policies manage driver and firmware updates only.

30
MCQeasy

You need to deploy a custom PowerShell script to all Windows 10 devices enrolled in Intune. The script must run under the SYSTEM account. Which Intune feature should you use?

A.Proactive remediations
B.PowerShell scripts (Devices > Scripts)
C.Compliance policy
D.Device configuration profile
AnswerB

PowerShell scripts in Intune can run in the system context.

Why this answer

PowerShell scripts (Devices > Scripts) in Intune let you upload a .ps1 file and assign it to device or user groups. With 'Run this script using the logged on credentials' set to No, the Intune Management Extension runs the script as SYSTEM; each script runs once per device (or once per user when run with user credentials), is retried up to three times if it exits with a non-zero code, and requires no user interaction.

Exam trap

The trap here is that candidates pick Proactive remediations (now called Remediations) because they also run under SYSTEM. Remediations do accept custom scripts, but they are built around a detection script plus a remediation script that run on a schedule and they require a Windows Enterprise (or equivalent) license; for a one-time deployment of a custom script, Devices > Scripts is the intended feature.

How to eliminate wrong answers

Option A is wrong because Remediations are designed for scheduled detect-and-fix script pairs, not for a single custom script that runs once at deployment. Option C is wrong because Compliance policies evaluate device settings against defined rules and do not execute scripts (custom compliance scripts only return settings for the policy to evaluate). Option D is wrong because Device configuration profiles manage settings via CSPs (Configuration Service Providers) and cannot run arbitrary PowerShell scripts.
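
Two details bite in practice: unless 'Run script in 64 bit PowerShell Host' is set to Yes, the IME starts a 32-bit PowerShell host (which breaks 64-bit-only modules and shows the 32-bit registry view), and a SYSTEM-context script has no console, so its own logging is the only record of what it did. The following skeleton is an added example, not code from the original page; the log folder name is a placeholder.

```powershell
# Added example (not from the original page): skeleton for a script deployed via
# Devices > Scripts with "Run this script using the logged on credentials" = No,
# so the Intune Management Extension runs it as SYSTEM. The log folder name is a
# placeholder. The first block re-launches the script in the 64-bit host when
# IME started it in the 32-bit one.
if ($env:PROCESSOR_ARCHITEW6432 -eq 'AMD64') {
    # 32-bit process on a 64-bit OS: SysNative maps to the real System32
    $ps64 = Join-Path $env:WINDIR 'SysNative\WindowsPowerShell\v1.0\powershell.exe'
    & $ps64 -NoProfile -ExecutionPolicy Bypass -File $PSCommandPath
    exit $LASTEXITCODE
}

$logDir   = Join-Path $env:ProgramData 'ContosoScripts'   # placeholder path
$exitCode = 0
New-Item -ItemType Directory -Path $logDir -Force | Out-Null
Start-Transcript -Path (Join-Path $logDir 'startup-config.log') -Append | Out-Null

try {
    $who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    if ($who -ne 'NT AUTHORITY\SYSTEM') {
        throw "Expected to run as SYSTEM but running as $who; check the script's credential setting"
    }
    Write-Output "Running as $who in a $([IntPtr]::Size * 8)-bit host"

    # Work goes here. Example: write a marker that a later detection or compliance
    # script can read, instead of relying on the transcript alone.
    Set-Content -Path (Join-Path $logDir 'applied.txt') -Value (Get-Date -Format o)
}
catch {
    Write-Output "FAILED: $($_.Exception.Message)"
    $exitCode = 1      # non-zero: Intune reports the script as failed and retries up to three times
}
finally {
    Stop-Transcript | Out-Null
}
exit $exitCode
```

Keep the exit code honest: a script that swallows errors and exits 0 shows as succeeded in the admin center with nothing done on the device.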

31
MCQeasy

You need to remotely wipe a lost corporate-owned iOS device enrolled in Microsoft Intune. The device is currently offline. What will happen when the device comes online?

A.The device must be unenrolled first and then wiped.
B.The device will be wiped immediately after a grace period of 24 hours.
C.The device will receive the wipe command the next time it checks in with Intune.
D.The wipe command will be queued only if the device is supervised.
AnswerC

Intune stores the command and delivers it on next device check-in.

Why this answer

Option C is correct because the wipe command is stored in the Intune service and delivered when the device next checks in; until then the device's overview shows the action as pending. Option B is wrong because Intune applies no grace period. Option A is wrong because the device does not need to be unenrolled first; a wipe removes the device from management as part of the reset.

Option D is wrong because the wipe is queued for any enrolled iOS device, supervised or not.

32
MCQmedium

Your organization uses Microsoft Intune to manage iOS devices. You need to deploy a custom configuration profile to configure Wi-Fi settings for corporate devices. Which method should you use?

A.Use a Microsoft Entra ID (Azure AD) device configuration policy.
B.Use a PowerShell script to apply the settings.
C.Use a custom configuration profile in Intune.
D.Use a Microsoft Defender for Endpoint security policy.
AnswerC

Custom profiles let you deploy settings that Intune's built-in templates do not expose.

Why this answer

Option C is correct. A custom iOS/iPadOS profile is a .mobileconfig file created in Apple Configurator (or by hand) and uploaded to Intune as a custom configuration profile. Intune's built-in Wi-Fi template covers the common settings, so the custom profile is the method when the required Wi-Fi keys are not in the template. Option A is wrong because device configuration policies are an Intune feature, not a Microsoft Entra ID feature. Option B is wrong because PowerShell scripts target Windows devices, not iOS. Option D is wrong because Defender for Endpoint security policies configure endpoint protection settings, not Wi-Fi.

33
MCQhard

Refer to the exhibit. You have an Intune configuration that includes a compliance policy and a device configuration policy for Windows 10 devices. You deploy both policies to a group of devices. After deployment, some devices are marked as non-compliant even though they have BitLocker enabled and Windows Defender Antivirus running. Which setting is most likely causing the conflict?

A.The compliance policy requires password, but the device configuration policy does not configure any password settings, leading to non-compliance.
B.The compliance policy requires encryption, but the device configuration policy does not enforce BitLocker startup PIN, causing compliance failure.
C.The device configuration policy sets scanParameter to 'fullscan', which may interfere with compliance checks.
D.The compliance policy requires Defender, but the device configuration policy sets cloudBlockLevel to 'high', which may conflict with some devices.
AnswerA

The compliance policy requires a password, but the device configuration policy does not set a password policy, so devices without a compliant password are marked non-compliant even though encryption and antivirus are in the expected state.

Why this answer

Option A is correct because the compliance policy in the exhibit requires a password (minimum length 6) while the device configuration policy contains no password settings. A device that has BitLocker enabled and Defender running still fails the password rule, and compliance reports the whole device as non-compliant, not just the rule. Option B is wrong because the compliance policy requires encryption, not a BitLocker startup PIN, so the configuration policy setting requireStartupPin to false has no effect on the encryption check. Option C is wrong because the scan parameter controls how Defender scans and has no bearing on compliance evaluation. Option D is wrong because the cloud block level only changes Defender's cloud-protection sensitivity and is not a compliance rule.

When troubleshooting a report like this, open the device's compliance details in the admin center to see which individual rule failed rather than inferring it from the configuration policy.

34
Multi-Selecteasy

You need to deploy Windows updates to a group of devices using Microsoft Intune. Which TWO policies should you configure to ensure updates are applied within a maintenance window?

Select 2 answers
A.Assignment filter
B.Device compliance policy
C.Windows 10 and later update ring
D.Windows 10 and later quality update
E.Windows 10 and later feature update
AnswersC, E

Update rings configure deferral, deadlines, active hours and restart behavior.

Why this answer

Update rings control the deferral, deadline and active-hours/restart settings that determine when updates install, while feature update policies hold devices on, or move them to, a specific feature version. Option D is wrong because a quality update policy only expedites a specific cumulative update; it does not define a maintenance window. Assignment filters refine which devices an assignment targets and compliance policies evaluate state; neither deploys updates.

35
MCQhard

Refer to the exhibit. You create a custom configuration profile in Intune for Windows 10 devices. The profile is assigned to a test device, but the telemetry setting is not applied. The device is managed and compliant. What is the most likely reason?

A.The device is not compliant with the baseline policy.
B.The OMA-URI path for AllowTelemetry is incorrect.
C.The AllowTelemetry policy value must be an integer, not a string, or the device needs a Windows 10 version that supports this setting.
D.The custom profile conflicts with a built-in policy that sets telemetry to full.
AnswerC

AllowTelemetry expects an integer (0-3), so an OMA-URI setting with a String data type fails to apply; some policy values also require a particular Windows build.

Why this answer

Option C is correct because the AllowTelemetry policy (./Device/Vendor/MSFT/Policy/Config/System/AllowTelemetry) takes an Integer value. A custom profile that supplies the value as a String is rejected by the CSP and shows an error in the profile's device status, and some values are only honored on builds that support them. Option D is wrong because a later-applied custom profile overwrites the same setting rather than silently conflicting, and a conflict would be reported as such. Option A is wrong because the device is stated to be compliant.

Option B is wrong because the OMA-URI path in the exhibit is correct.
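
The data type is easy to get wrong in the admin center and is invisible in the profile summary. The following is an added example, not code from the original page: it builds the Microsoft Graph request body for the custom profile and checks each OMA-URI setting's type before it is sent. The $knownIntegerPolicies table is an assumption that covers only the policy discussed here; extend it from the Policy CSP reference for other settings.

```powershell
# Added example (not from the original page): build the Microsoft Graph request
# body for a Windows custom profile that sets AllowTelemetry, and check each
# OMA-URI setting's data type before sending it. The $knownIntegerPolicies table
# is an assumption covering only the policy discussed here.
$knownIntegerPolicies = @{
    './Device/Vendor/MSFT/Policy/Config/System/AllowTelemetry' = 0..3   # 0=Security (Enterprise editions) .. 3=Full
}

function New-OmaSetting {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$OmaUri,
        [Parameter(Mandatory)]$Value
    )
    # Graph encodes the admin center's "Data type" drop-down as the setting's @odata.type
    $type = if ($Value -is [int]) { '#microsoft.graph.omaSettingInteger' } else { '#microsoft.graph.omaSettingString' }
    [ordered]@{ '@odata.type' = $type; displayName = $DisplayName; omaUri = $OmaUri; value = $Value }
}

function Test-OmaSetting {
    param([Parameter(Mandatory)]$Setting)
    $allowed = $knownIntegerPolicies[$Setting.omaUri]
    if ($null -eq $allowed) { return "unknown: $($Setting.omaUri) is not in the table" }
    if ($Setting.'@odata.type' -ne '#microsoft.graph.omaSettingInteger') {
        return "wrong data type for $($Setting.omaUri): Integer expected, got $($Setting.'@odata.type')"
    }
    if ($Setting.value -notin $allowed) { return "value $($Setting.value) is outside $($allowed[0])..$($allowed[-1])" }
    return 'ok'
}

$uri  = './Device/Vendor/MSFT/Policy/Config/System/AllowTelemetry'
$bad  = New-OmaSetting -DisplayName 'AllowTelemetry' -OmaUri $uri -Value '0'   # string: the mistake in the question
$good = New-OmaSetting -DisplayName 'AllowTelemetry' -OmaUri $uri -Value 0     # integer: what the CSP expects

Test-OmaSetting $bad     # should be flagged as the wrong data type
Test-OmaSetting $good    # should pass

$body = [ordered]@{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = 'Telemetry - Security level'
    omaSettings   = @($good)
}
$json = $body | ConvertTo-Json -Depth 5
$json

# To create the profile (Microsoft.Graph module, DeviceManagementConfiguration.ReadWrite.All):
# Connect-MgGraph -Scopes DeviceManagementConfiguration.ReadWrite.All
# Invoke-MgGraphRequest -Method POST -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations' -Body $json -ContentType 'application/json'
```

Running the check before the POST is cheaper than waiting for the device status to report an error after the next sync.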

36
MCQeasy

Your company has 500 iOS devices enrolled in Microsoft Intune. The devices are used by sales representatives to access customer data. You need to ensure that if a device is lost or stolen, an administrator can remotely lock the device and display a custom message with a phone number to call. Which remote action should the administrator use?

A.Remote lock
B.Reset passcode
C.Wipe
D.Retire
AnswerA

Remote lock locks the device and can display a custom message with a phone number.

Why this answer

Option A is correct because, of the listed actions, 'Remote lock' is the one that locks the device and can show a message with a contact number on the lock screen (for supervised iOS devices Intune exposes this as Lost mode, which is not among the options). Option C is wrong because 'Wipe' performs a factory reset, erasing all data and any message. Option D is wrong because 'Retire' removes company data and management only and does not lock the device.

Option B is wrong because 'Reset passcode' changes or removes the passcode and displays no message.

37
MCQhard

You manage devices with Microsoft Intune. You need to deploy a line-of-business (LOB) app that is signed with a certificate not trusted by the devices. The app requires installation in the system context. Which deployment method should you use?

A.Microsoft Store for Business app
B.Win32 app
C.Microsoft Intune LOB app (msi/appx)
D.Web link
AnswerB

Win32 apps can be unsigned and run in system context.

Why this answer

Win32 apps in Microsoft Intune support installation in the system context via the 'Install behavior' setting, and they can be deployed using a custom installation script that handles certificate trust issues (e.g., by installing the signing certificate first or using a silent install switch). This method also allows the app to run with elevated privileges, which is required for system-context installation, and does not depend on the device trusting the app's signing certificate at deployment time.

Exam trap

The trap here is that candidates often assume 'LOB app' must use the Intune LOB app type (MSI/APPX), but the requirement for system context and untrusted certificate forces the use of the Win32 app type, which provides the flexibility to handle certificate trust via scripting.

How to eliminate wrong answers

Option A is wrong because Microsoft Store for Business apps (a channel Microsoft has since retired) come from the Store's own trusted publishing chain and cannot be used to package an arbitrary LOB binary; they were also typically per-user installs. Option C is wrong because Intune LOB apps (MSI/APPX) are handed straight to the installer, so an APPX whose certificate the device does not trust fails to install, and the LOB app type offers no pre-install step to establish that trust. Option D is wrong because a web link simply opens a URL in the browser and does not install any software, let alone in the system context.
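
The wrapper script the explanation refers to is where the security decision lives: blindly importing whatever certificate ships inside the package would make the package self-trusting. The following is an added example, not code from the original page: it pins the expected signer thumbprint, and only if the pinned signer matches does it add the chain root and signer to the machine stores before running the installer. The installer file name and the thumbprint are placeholders. Package the script with the installer into the .intunewin and use it as the install command with install behavior set to System.

```powershell
# Added example (not from the original page): install wrapper for a Win32 app
# whose signing certificate is not trusted on the device. Run as the Win32 app
# install command, install behavior System, e.g.:
#   powershell.exe -NoProfile -ExecutionPolicy Bypass -File Install-App.ps1
# The installer name and the thumbprint are placeholders.
param(
    [string]$Installer = 'VendorApp.msi',
    [string]$ExpectedThumbprint = '0000000000000000000000000000000000000000'
)
$ErrorActionPreference = 'Stop'
$path = Join-Path $PSScriptRoot $Installer

$sig = Get-AuthenticodeSignature -FilePath $path
if (-not $sig.SignerCertificate) { Write-Output "$Installer is not signed"; exit 1 }
if ($sig.SignerCertificate.Thumbprint -ne $ExpectedThumbprint) {
    Write-Output "Signer thumbprint $($sig.SignerCertificate.Thumbprint) does not match the pinned value"
    exit 1
}

if ($sig.Status -ne 'Valid') {
    # Status NotTrusted = the chain does not end at a root this device trusts.
    # Build the chain without revocation checking, then trust the chain's root
    # (LocalMachine\Root) and the signer (TrustedPublisher). The pin above is what
    # makes trusting a root shipped inside the package acceptable.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    $null = $chain.Build($sig.SignerCertificate)
    $root = ($chain.ChainElements | Select-Object -Last 1).Certificate

    foreach ($pair in @(@('Root', $root), @('TrustedPublisher', $sig.SignerCertificate))) {
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($pair[0], 'LocalMachine')
        $store.Open('ReadWrite')
        $store.Add($pair[1])
        $store.Close()
    }
}

$proc = Start-Process -FilePath msiexec.exe -ArgumentList "/i `"$path`" /qn /norestart" -Wait -PassThru
# msiexec returns 0 on success and 3010 when a restart is pending; Intune's
# default return codes treat both as success.
exit $proc.ExitCode
```

If the vendor root should be trusted fleet-wide anyway, an Intune trusted certificate profile is the cleaner way to deploy it and the wrapper reduces to the thumbprint check plus msiexec; keep the pin either way so a repackaged installer signed by someone else is rejected rather than installed.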

38
MCQhard

Refer to the exhibit. You are creating a device filter in Microsoft Intune to target a policy to Windows 10 Pro devices. The filter should only apply to devices running OS build 1904x (20H1 or later). However, some devices with build 1904x and SKU Professional are not receiving the policy. What is the most likely reason?

A.The -startsWith operator does not work for osVersion property.
B.The device must be enrolled via Autopilot for filters to apply.
C.The filter rule syntax is incorrect because of the parentheses.
D.The device.skuFamily property value is case-sensitive and may not match 'Professional'.
AnswerD

Case sensitivity can cause mismatches.

Why this answer

Option D is correct because the `device.skuFamily` property in Microsoft Intune is case-sensitive. When creating a device filter rule, the value 'Professional' must exactly match the case of the SKU family string returned by the device. If the actual SKU family is reported as 'Professional' with a different casing (e.g., 'professional' or 'PROFESSIONAL'), the filter will not match, causing the policy not to apply to those devices.

Exam trap

The trap here is that candidates often assume property values in Intune filters are case-insensitive, leading them to overlook the exact casing requirement for `device.skuFamily`, and instead focus on unrelated syntax or enrollment requirements.

How to eliminate wrong answers

Option A is wrong because the `-startsWith` operator is fully supported for the `osVersion` property in Intune device filters, and it is commonly used to match OS build versions like '1904x'. Option B is wrong because device filters in Intune do not require Autopilot enrollment; they work with any enrolled Windows device, regardless of enrollment method. Option C is wrong because parentheses are valid in filter rule syntax for grouping conditions, and the provided syntax does not contain an error related to parentheses.

39
MCQeasy

A user reports that their Windows 11 device is not receiving security updates. The device is enrolled in Microsoft Intune and shows as compliant. You check the Update Rings policy and see that the device is assigned to a ring that defers updates by 30 days. What should you do to ensure the device gets the latest security updates immediately?

A.Change the compliance policy to require immediate updates.
B.Run Windows Update manually on the device.
C.Re-enroll the device in Intune.
D.Assign the device to a different update ring with a 0-day deferral.
AnswerD

This ensures the device receives updates without delay.

Why this answer

The device is assigned to an update ring that defers updates by 30 days, which is why it is not receiving the latest security updates despite being compliant. To immediately receive the latest updates, you must assign the device to a different update ring with a 0-day deferral, as update rings in Microsoft Intune control the deferral period for Windows Update for Business. Changing the ring triggers the device to check for updates based on the new policy, ensuring immediate availability of security updates.

Exam trap

The trap here is that candidates may think manually running Windows Update or changing compliance policies can override the update ring deferral, but only reassigning to a different ring with a shorter deferral period will actually change the update behavior.

How to eliminate wrong answers

Option A is wrong because compliance policies in Intune do not control update deferral settings; they enforce device health and configuration requirements, not update ring deferral periods. Option B is wrong because manually running Windows Update on the device will still respect the deferral period set by the assigned update ring policy, so it will not bypass the 30-day delay. Option C is wrong because re-enrolling the device in Intune does not change the update ring assignment; the device would still be subject to the same deferral policy unless the ring assignment is explicitly changed.

40
Multi-Selectmedium

Which TWO settings can you configure in a Microsoft Intune device compliance policy for Android Enterprise devices?

Select 2 answers
A.Encryption
B.Require a password to unlock the device
C.Minimum OS version
D.Disable camera
E.Maximum OS version
AnswersB, C

Both are configurable compliance rules for Android Enterprise.

Why this answer

Option B is correct because Microsoft Intune device compliance policies for Android Enterprise include 'Require a password to unlock mobile devices' as a configurable setting. This setting enforces a lock screen password, which is a fundamental security requirement for compliance evaluation; it directly controls device access and is a standard compliance check for Android Enterprise work profiles and fully managed devices. Option C is correct because 'Minimum OS version' is a Device Properties rule in the same compliance policy: devices below the stated version are marked non-compliant and can then be blocked by Conditional Access.

Exam trap

The trap here is that candidates confuse device compliance policies with device configuration profiles: disabling the camera is a restriction applied through a configuration profile, not a rule that a compliance policy evaluates.

41
MCQmedium

Refer to the exhibit. You run the PowerShell cmdlet in Microsoft Graph to list managed Windows devices. The output shows that several devices have a complianceState of 'noncompliant' but lastSyncDateTime is recent. What is the most likely reason for noncompliance?

A.The devices are running a non-Windows OS.
B.The devices have not synced recently.
C.The devices do not meet the assigned compliance policies.
D.The admin lacks permissions to view compliance details.
AnswerC

Noncompliance occurs when devices fail compliance policy rules.

Why this answer

Option C is correct because noncompliant means the device reported a state that fails one or more rules of an assigned compliance policy; the device's compliance detail page in the admin center lists the failing setting. Option B is wrong because lastSyncDateTime is recent, so the reported state is current. Option D is wrong because the cmdlet returned data, so the caller has read permission.

Option A is wrong because the query filters on operatingSystem eq 'Windows', so the results are Windows devices.

42
MCQhard

Refer to the exhibit. The JSON shows a device queried from Microsoft Graph. The device shows as compliant, but the user reports that they are unable to access corporate resources. The conditional access policy requires device compliance. What is a likely reason for the access issue?

A.The device has not synced recently, so the compliance state may be outdated.
B.The device compliance state is actually non-compliant.
C.The device is managed by MAM instead of MDM.
D.The device enrollment date is too recent.
AnswerA

The last sync shown is 10:30, which may be old enough that Conditional Access is evaluating a stale compliance state.

Why this answer

The lastSyncDateTime in the exhibit is 2025-12-01 at 10:30. If the current time is later (for example 12:00) and the device's state changed since then, the compliance value Intune has written to Microsoft Entra ID may not yet reflect it, and Conditional Access evaluates the state Entra ID holds, not the device's live state. Forcing a sync from Company Portal or the Settings app refreshes it.

Option B is wrong because complianceState is compliant. Option C is wrong because managementAgent is mdm, not MAM. Option D is wrong because enrolledDateTime does not influence a compliance-based Conditional Access decision.
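
Questions 41 and 42 are two sides of the same triage: a noncompliant device with a recent sync really fails a rule, while a compliant device with an old sync may be reporting a stale state. The following is an added example, not code from the original page: it takes managedDevice objects as returned by GET /deviceManagement/managedDevices (here a constructed sample mirroring the exhibit's fields) and sorts devices into those two buckets. The 4-hour threshold and the device names are assumptions.

```powershell
# Added example (not from the original page): classify managed devices by
# whether their compliance state can be trusted. The JSON is constructed to
# mirror the exhibit's fields; the 4-hour threshold is an assumption.
$sampleJson = @'
[
  { "deviceName": "LAPTOP-01", "operatingSystem": "Windows", "complianceState": "compliant",
    "managementAgent": "mdm", "lastSyncDateTime": "2025-12-01T10:30:00Z", "enrolledDateTime": "2025-11-20T08:00:00Z" },
  { "deviceName": "LAPTOP-02", "operatingSystem": "Windows", "complianceState": "noncompliant",
    "managementAgent": "mdm", "lastSyncDateTime": "2025-12-01T11:55:00Z", "enrolledDateTime": "2025-10-02T09:15:00Z" },
  { "deviceName": "LAPTOP-03", "operatingSystem": "Windows", "complianceState": "compliant",
    "managementAgent": "mdm", "lastSyncDateTime": "2025-11-25T06:00:00Z", "enrolledDateTime": "2025-09-14T13:40:00Z" }
]
'@

function Get-DeviceSyncAssessment {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$Device,
        [datetime]$Now = (Get-Date).ToUniversalTime(),
        [timespan]$MaxAge = [timespan]::FromHours(4)
    )
    process {
        # Graph JSON gives an ISO-8601 string; the Microsoft.Graph cmdlets give a [datetime]
        $raw  = $Device.lastSyncDateTime
        $last = if ($raw -is [datetime]) { $raw.ToUniversalTime() } else { [datetimeoffset]::Parse($raw).UtcDateTime }
        $age  = $Now - $last

        $verdict = if ($age -gt $MaxAge) { 'stale sync: compliance state may be outdated, force a sync' }
                   elseif ($Device.complianceState -ne 'compliant') { 'recent sync: device fails a compliance rule, check its compliance details' }
                   else { 'ok' }

        [pscustomobject]@{
            Device     = $Device.deviceName
            Compliance = $Device.complianceState
            Agent      = $Device.managementAgent
            SyncAgeHrs = [math]::Round($age.TotalHours, 1)
            Verdict    = $verdict
        }
    }
}

# Evaluate the constructed sample as of a fixed "now" so the result is reproducible
$now = [datetimeoffset]::Parse('2025-12-01T12:00:00Z').UtcDateTime
$sampleJson | ConvertFrom-Json | Get-DeviceSyncAssessment -Now $now | Format-Table -AutoSize

# Live data (Microsoft.Graph module; property names come back PascalCase, which
# PowerShell resolves case-insensitively):
# Connect-MgGraph -Scopes DeviceManagementManagedDevices.Read.All
# Get-MgDeviceManagementManagedDevice -Filter "operatingSystem eq 'Windows'" -All | Get-DeviceSyncAssessment
```

Pick the threshold from your own check-in cadence; Windows devices check in roughly every eight hours when idle, so a much shorter threshold will flag healthy devices.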

43
MCQhard

You manage devices with Microsoft Intune. You need to ensure that only devices with a specific BIOS serial number can enroll. What should you configure?

A.Enrollment restrictions that block devices by hardware identifier.
B.A device category with a dynamic group based on BIOS serial.
C.A device compliance policy that checks BIOS serial number.
D.A Conditional Access policy that requires a compliant device.
AnswerA

Enrollment restrictions, combined with corporate device identifiers, limit enrollment to known hardware.

Why this answer

Option A is correct because enrollment restrictions are evaluated before a device is allowed to enroll: you upload the serial numbers of the authorized hardware as corporate device identifiers and configure the device type restriction to block personally owned devices, so only hardware on the list can enroll. Option C is wrong because compliance policies apply only after enrollment. Option D is wrong because Conditional Access also applies after enrollment.

Option B is wrong because device categories are organizational labels assigned during or after enrollment, not hardware-based gates.

44
MCQmedium

You need to configure a Windows 10 device to automatically install updates from a specific branch readiness level. Which setting in the Update ring policy should you configure?

A.Automatic update behavior
B.Quality update deferral period
C.Feature update deferral period
D.Branch readiness level
AnswerD

This setting determines the branch for updates.

Why this answer

Option D is correct because 'Branch readiness level' (the servicing channel) defines which release stream the device receives, for example the General Availability channel or a Windows Insider channel. Option B is wrong because 'Quality update deferral period' delays cumulative updates but does not select a channel. Option C is wrong because 'Feature update deferral period' delays feature updates within the chosen channel.

Option A is wrong because 'Automatic update behavior' controls how and when updates are downloaded and installed.

45
MCQhard

A company uses Microsoft Intune to manage macOS devices. A security audit requires that all macOS devices must have FileVault encryption enabled. Compliance policy reports show that 90% of devices are compliant, but 10% are non-compliant. You review the non-compliant devices and find that FileVault is enabled on them. What is the most likely cause of the non-compliance?

A.FileVault is not actually enabled on those devices.
B.The recovery key is not escrowed to Intune.
C.The devices are not supervised.
D.The compliance policy is not assigned to those devices.
AnswerB

Key escrow is required for compliance.

Why this answer

Intune's macOS compliance check for 'Require encryption of data storage' is satisfied only when FileVault is on and the personal recovery key has been escrowed to Intune. Devices encrypted before enrollment, or by the user without escrow, show FileVault enabled but no escrowed key, so they report non-compliant until the key is escrowed, for example by having the user rotate the recovery key from the Company Portal. Option A is incorrect because FileVault is confirmed enabled.

Option C is incorrect because supervision is not part of the FileVault compliance evaluation. Option D is incorrect because the policy is assigned and evaluating; the devices appear in its report.

46
MCQhard

You manage Windows 11 devices with Microsoft Intune. Some users report that their device is marked as noncompliant even though it meets all compliance rules. You discover that the devices have not checked in with Intune for over 30 days. What should you do to prevent this issue?

A.Configure a device configuration profile to set the MDM enrollment URL.
B.Create a Conditional Access policy to block devices that haven't checked in.
C.In the device compliance policy, set the 'Days until device is considered noncompliant' option to 30.
D.Enable automatic re-enrollment for Windows devices in Intune.
AnswerC

The compliance status validity period marks devices noncompliant when they do not report within the configured number of days.

Why this answer

Option C is correct because the setting it describes is the one governing the scenario: Intune's tenant-wide compliance policy settings include a compliance status validity period (default 30 days, in the admin center under Endpoint security > Device compliance > Compliance policy settings), after which a device that has not reported is marked noncompliant regardless of its last-known state. Adjust that period to fit your check-in expectations and, more importantly, get the affected devices checking in again, since a device that is silent for 30 days is also not receiving policy. Option A is wrong because a configuration profile cannot change the check-in interval or the validity period. Option B is wrong because Conditional Access consumes the compliance state; it does not change check-in behavior.

Option D is wrong because there is no automatic re-enrollment feature that addresses missed check-ins.

47
MCQhard

You are implementing Windows Autopilot for a new fleet of devices. You need to ensure that during the out-of-box experience (OOBE), the device automatically joins Microsoft Entra ID and is enrolled in Intune. Which configuration is required?

A.Upload corporate identifiers for each device.
B.Configure the Enrollment Status Page in Intune.
C.Create an Autopilot deployment profile assigned to the devices.
D.Create a dynamic device group in Microsoft Entra ID.
AnswerC

The profile defines the OOBE experience, including Entra ID join and Intune enrollment.

Why this answer

Option C is correct because an Autopilot deployment profile specifies the out-of-box experience (OOBE) settings, including the option to automatically join the device to Microsoft Entra ID and enroll it in Intune. Without a deployment profile assigned to the device, Autopilot will not enforce these behaviors during OOBE.

Exam trap

The trap here is that candidates often confuse the prerequisite step of registering the device (uploading corporate identifiers) with the configuration step that actually defines the OOBE behavior (the deployment profile), leading them to select Option A instead of C.

How to eliminate wrong answers

Option A is wrong because uploading corporate identifiers (e.g., hardware hashes) registers the device with Autopilot but does not configure the OOBE behavior; it only enables the device to be recognized by the Autopilot service. Option B is wrong because the Enrollment Status Page (ESP) controls the post-enrollment device setup experience (e.g., app and policy installation progress), not the initial join or enrollment actions during OOBE. Option D is wrong because a dynamic device group in Microsoft Entra ID is used for targeting policies or applications after enrollment, not for triggering or configuring the Autopilot OOBE flow.

48
MCQhard

Refer to the exhibit. You are reviewing a Windows 10 compliance policy JSON. What is the purpose of the 'osMinimumVersion' setting?

A.It sets the Windows Update for Business ring to that version.
B.It requires the device to be on a specific feature update.
C.It defines the minimum OS build version that the device must have to be compliant.
D.It forces the device to update to that version.
AnswerC

Devices below this version are non-compliant.

Why this answer

Option C is correct because osMinimumVersion specifies the lowest OS build (for example 10.0.19045.3803) a device may report and still be compliant. Option D is wrong because a compliance policy evaluates state and does not trigger updates. Option A is wrong because update rings are a separate policy type that a compliance policy does not set.

Option B is wrong because the value is a full build number, not a feature update name; any build at or above it satisfies the rule.

49
MCQeasy

Your organization uses Microsoft Intune to manage Windows devices. You need to ensure that only IT administrators can manually install apps from the Microsoft Store. Which setting should you configure in a device restriction policy?

A.Enable 'Private store only' in Microsoft Store for Business settings.
B.Disable 'Automatic app updates' in the device restriction policy.
C.Set 'Allow application store' to 'Block' for non-admin users.
D.Configure 'Require a password for app purchases' to 'Yes'.
AnswerC

Blocking the store prevents non-admins from installing apps manually.

Why this answer

Option C is correct because the 'Allow application store' setting in a device restriction profile controls whether the Microsoft Store app can be used on the device; blocking it prevents users from installing apps themselves, while IT deploys the required apps through Intune. Note that the restriction applies to the device, not to individual users, so scope the profile's assignment (groups or filters) to the devices whose users should not self-install, and leave administrators' devices out of that assignment or give them a separate profile.

Exam trap

The trap here is that candidates often confuse the 'Allow application store' setting with store visibility or purchase controls, thinking that blocking the entire store or requiring a password for purchases achieves the same result, but only the explicit block for non-admin users prevents manual installations.

How to eliminate wrong answers

Option A is wrong because 'Private store only' in Microsoft Store for Business settings restricts the visible catalog to private apps but does not prevent non-admin users from manually installing apps; it only limits which apps they see. Option B is wrong because disabling 'Automatic app updates' controls whether apps update automatically, not whether users can manually install apps from the Store. Option D is wrong because 'Require a password for app purchases' applies to purchase transactions, not to manual installations of free apps or to blocking installation by non-admin users.

50
MCQmedium

A user reports that their Windows 11 device is not receiving compliance policies from Microsoft Intune. The device shows as 'Not evaluated' in the Microsoft Intune admin center. The user has confirmed that the device is enrolled and connected to the internet. Which is the most likely cause?

A.The device is not enrolled in Microsoft Intune.
B.The device has a Device Lock policy applied that blocks evaluation.
C.The Intune Management Extension is not installed or not running.
D.The user does not have a Microsoft 365 E3 license assigned.
AnswerC

The Intune Management Extension is needed for compliance evaluation on Windows devices.

Why this answer

Option C is correct because 'Not evaluated' means no compliance result has been reported for the device yet; on Windows the MDM client and the Intune Management Extension must be running and checking in for policies to be evaluated, so a missing or stopped Intune Management Extension is the usual cause when the device is enrolled and online. Option A is wrong because the device is confirmed enrolled. Option D is wrong because enrollment requires an Intune license, not specifically Microsoft 365 E3, and the device is already enrolled.

Option B is wrong because Device Lock settings do not affect compliance evaluation.

51
Multi-Selecteasy

You need to deploy a Windows 10 feature update to a pilot group. Which TWO steps are required in Microsoft Intune?

Select 2 answers
A.Create a feature update policy for Windows 10.
B.Create a driver update policy for Windows 10.
C.Assign the feature update policy to a device group containing pilot devices.
D.Create an update ring for Windows 10.
E.Create a compliance policy for Windows 10.
AnswersA, C

Feature update policy specifies the target version.

Why this answer

Options A and C are correct. A: create a Windows 10 and later feature update policy and select the target version, for example Windows 10 version 22H2. C: assign that policy to the group that contains the pilot devices.

Option D is wrong because an update ring sets deferral and deadline behavior, not a target version. Option E is wrong because compliance policies do not deploy updates. Option B is wrong because driver update policies manage drivers and firmware, not feature updates.

52
MCQmedium

Your organization uses Microsoft Intune to manage Windows 10 devices. You need to ensure that only devices with TPM 2.0 and Secure Boot enabled can access Microsoft 365 resources. What is the best approach?

A.Create an app protection policy targeting Microsoft 365 apps.
B.Create a device configuration policy to enable TPM and Secure Boot.
C.Create a device compliance policy requiring TPM and Secure Boot, and a Conditional Access policy to block non-compliant devices.
D.Create a Conditional Access policy requiring TPM and Secure Boot.
AnswerC

This combination enforces the requirements and blocks access.

Why this answer

Device compliance policies for Windows can require a TPM, Secure Boot and code integrity (the latter two reported through Device Health Attestation), and a Conditional Access policy that requires a compliant device then blocks anything that fails. Option B is incorrect because a device configuration policy cannot turn on TPM or Secure Boot (both are firmware settings) and does not gate access. Option A is incorrect because app protection policies protect data inside managed apps and cannot check hardware state.

Option D is incorrect because Conditional Access has no hardware conditions of its own; it relies on the compliance state Intune reports.

53
Multi-Selecthard

Which THREE steps are required to deploy a Windows 10 feature update (e.g., version 22H2) to a group of test devices using Intune?

Select 3 answers
A.Create a Windows 10 feature update deployment policy.
B.Ensure the test devices are in a group that targets the feature update.
C.Create a device compliance policy for the target version.
D.Create a Windows 10 update ring with expedited updates.
E.Assign the policy to the test device group.
AnswersA, B, E

A feature update deployment policy is needed.

Why this answer

Option A is correct because a Windows 10 feature update deployment policy is the specific Intune policy type designed to deliver feature updates (like version 22H2) to devices. This policy allows you to specify the target version and control the rollout, which is required for deploying feature updates via Intune. Option B is correct because the policy is assigned to groups, so the test devices must be members of the group it targets, and Option E is correct because the policy does nothing until it is assigned to that group. Option C is wrong because compliance policies evaluate rather than deploy, and Option D is wrong because expedited updates apply to quality updates, not feature updates.

Exam trap

The trap here is confusing update rings (which manage quality updates and deferral settings) with feature update policies (which target specific feature versions), leading candidates to incorrectly select expedited update rings for feature updates.

54
Multi-Selecthard

Which THREE prerequisites are required to enable Windows Autopilot for existing devices?

Select 3 answers
A.The device must be domain-joined to an on-premises Active Directory
B.The device must be running Windows 10 or Windows 11 Pro, Enterprise, or Education edition
C.The device must have a TPM 2.0 chip
D.The device must have internet connectivity during the out-of-box experience
E.The device must be registered in Intune using its hardware hash
AnswersB, D, E

Autopilot requires a supported edition, a registered device and internet access during OOBE.

Why this answer

Options B, D, and E are correct. Autopilot requires Windows 10/11 Pro, Enterprise or Education, the device's hardware hash to be registered with the Autopilot service (visible in Intune), and internet connectivity during OOBE to reach the Autopilot and Microsoft Entra ID services. Option C is wrong because a TPM is not strictly required for user-driven Autopilot; TPM 2.0 attestation is required only for self-deploying mode and pre-provisioning.

Option A is wrong because cloud Autopilot joins the device to Microsoft Entra ID; on-premises domain membership is only involved in the hybrid join scenario. The one case where the hash is not uploaded in advance is the Configuration Manager 'Autopilot for existing devices' task sequence, which delivers the deployment profile as a JSON file and registers the device afterwards if the profile's 'Convert all targeted devices to Autopilot' option is set.

55
MCQmedium

You manage Windows 10 devices with Microsoft Intune. Users report that after a recent Windows update, some devices fail to enroll in mobile device management (MDM). You verify that the devices are domain-joined and can reach the internet. Which configuration should you check first?

A.Confirm that the user is assigned a Microsoft Entra ID P1 license.
B.Verify that the BitLocker recovery key is backed up to Microsoft Entra ID.
C.Ensure the Windows Defender Firewall allows inbound RPC traffic.
D.Check that the MDM enrollment URL (https://enrollment.manage.microsoft.com) is reachable and not blocked by a proxy.
Answer: D

The enrollment URL must be reachable for successful MDM enrollment.

Why this answer

Option D is correct because the MDM enrollment URL must be accessible and properly configured in Group Policy or Intune. Option B is wrong because BitLocker is not related to enrollment. Option C is wrong because Windows Defender Firewall is not the primary cause.

Option A is wrong because the user's credentials and licensing are valid; routing to the enrollment endpoint is the issue.

56
MCQ · hard

Refer to the exhibit. You are reviewing a Win32 app configuration in Microsoft Intune. The app is not installing on some Windows 10 devices. Which is the most likely reason?

A.The devices have an OS version lower than 10.0.19041.
B.The install command line is missing the /silent switch.
C.The detection rule path is incorrect.
D.The install experience is set to system, but should be user.
Answer: A

The requirement rule sets a minimum OS version of 10.0.19041.

Why this answer

The correct answer is A because the exhibit shows the 'Minimum OS version' requirement set to 10.0.19041 (Windows 10 version 20H1/2004). Devices with an OS build lower than this threshold will fail to install the Win32 app, as Intune enforces this requirement before executing the installation command. This is a common configuration issue when deploying apps to a mixed-OS environment.

Exam trap

The trap here is that candidates often focus on the install command or detection rules as the cause of installation failure, overlooking the explicit OS version requirement that prevents installation from even starting on incompatible devices.

How to eliminate wrong answers

Option B is wrong because the install command line is not missing the /silent switch; the exhibit shows the command includes '--silent' (or a similar silent flag), so the absence of /silent is not the issue. Option C is wrong because the detection rule path being incorrect would cause the app to appear as 'Not Installed' on devices where it actually installed, not prevent installation from starting. Option D is wrong because the install experience set to 'system' is correct for system-wide installations; setting it to 'user' would install per-user and could cause issues, but the exhibit shows 'system' is selected, so this is not the problem.

57
Multi-Select · medium

Which THREE are valid Windows Autopilot deployment scenarios?

Select 3 answers
A.Self-deploying
B.App-driven
C.User-driven
D.Policy-driven
E.White glove
Answers: A, C, E

Self-deploying is for shared devices.

Why this answer

Windows Autopilot self-deploying is a valid deployment scenario where a device can be automatically configured without user interaction, using a hardware hash to enroll in Azure AD and Intune. This scenario is ideal for kiosks, digital signage, or shared devices that require zero-touch provisioning.

Exam trap

The trap here is that candidates confuse deployment phases or management concepts (like app or policy deployment) with the three official Autopilot deployment scenarios, which are strictly self-deploying, user-driven, and white glove (pre-provisioning).

58
Multi-Select · easy

Which TWO actions can you perform using the Microsoft Intune admin center to manage Windows devices? (Choose two)

Select 2 answers
A.Reset a user's password.
B.View hardware inventory of a device.
C.Remotely sync a device with Intune.
D.Manage on-premises Active Directory objects.
E.Assign Microsoft 365 licenses to a user.
Answers: B, C

Inventory is visible in the device properties.

Why this answer

Option B is correct because the Microsoft Intune admin center provides a hardware inventory view for managed Windows devices, displaying details such as processor, RAM, disk space, and firmware version. This data is collected via the Intune Management Extension and device inventory reports, enabling administrators to assess device compliance and readiness without requiring on-premises tools.

Exam trap

The trap here is that candidates confuse user management tasks (password reset, license assignment) with device management actions, or assume Intune can manage on-premises AD objects, when Intune's scope is strictly cloud-based device and app management via MDM and MAM.

59
MCQ · hard

You manage Windows 10 devices with Microsoft Intune. You need to deploy a PowerShell script that runs every time a device boots, before the user logs on. The script is signed. What is the correct deployment approach?

A.Use a proactive remediation script set to run at device startup.
B.Package the script as a Win32 app and deploy it with installation behavior set to 'System'.
C.Deploy the script as a PowerShell script in Intune, configured to run in system context at device startup.
D.Add the script as a device configuration profile (OMA-URI).
Answer: C

This allows the script to run before user logon in system context.

Why this answer

To run a script at boot before user logon, use a PowerShell script in Intune that runs in the system context at device startup. Option A is incorrect because proactive remediations typically run after the user logs in. Option D is incorrect because device configuration profiles (OMA-URI) don't run scripts on boot.

Option B is incorrect because app deployment runs apps in user context after logon.

60
MCQ · hard

You manage devices with Microsoft Intune and have enabled co-management with Configuration Manager. You need to ensure that Windows Update policies are managed by Intune for all co-managed Windows 10 devices. Which workload slider should you set in Configuration Manager?

A.Endpoint Protection
B.Windows Update Policies
C.Client Apps
D.Device Configuration
Answer: B

Correct. This workload controls update management.

Why this answer

In a co-management scenario, the workload slider determines which management authority handles specific workloads. Setting the 'Windows Update Policies' slider to 'Intune' directs Windows Update for Business policies to be applied via Intune, overriding Configuration Manager policies for co-managed Windows 10 devices. This ensures that update rings and deferral settings configured in Intune are enforced.

Exam trap

The trap here is that candidates often confuse the 'Windows Update Policies' slider with the 'Endpoint Protection' slider, mistakenly thinking update management is part of security policies, but the slider specifically governs Windows Update for Business policies, not Defender or antivirus updates.

How to eliminate wrong answers

Option A is wrong because the Endpoint Protection workload slider controls antimalware and firewall policies (e.g., Defender for Endpoint), not Windows Update policies. Option C is wrong because the Client Apps workload slider governs the deployment of applications (e.g., MSI, Win32 apps) from Intune or Configuration Manager, not update management. Option D is wrong because the Device Configuration workload slider manages settings like compliance policies and resource access (e.g., VPN, Wi-Fi), not Windows Update policies.

61
MCQ · medium

You manage Windows 10 devices with Microsoft Intune. A user reports that their device is not receiving required compliance policies, and the device status in Intune shows 'Not evaluated' for compliance. You confirm the device is enrolled and able to sync. What should you check first?

A.Verify that the user is assigned an Intune license.
B.Run the 'dsregcmd /status' command to check the device registration status.
C.Check that the device has a TPM chip enabled and Secure Boot turned on.
D.Ensure the compliance policy is assigned to a group that includes the user or device.
Answer: D

The compliance policy must be assigned to a group containing the user or device.

Why this answer

Option D is correct because a compliance policy must be assigned to a group containing the user or device for it to be evaluated. Even if the device is enrolled and syncing, without assignment the policy will not apply, resulting in a 'Not evaluated' status in Intune.

Exam trap

The trap here is that candidates confuse 'Not evaluated' with a device health or configuration issue, when it actually points to a missing policy assignment or group membership problem.

How to eliminate wrong answers

Option A is wrong because an Intune license is required for enrollment and sync, which the user already has (device is enrolled and syncing), so licensing is not the cause of 'Not evaluated' status. Option B is wrong because 'dsregcmd /status' checks Azure AD registration and hybrid join status, not compliance policy assignment or evaluation; the device is already enrolled and syncing, indicating registration is fine. Option C is wrong because TPM and Secure Boot are prerequisites for BitLocker or device health attestation, not for compliance policy evaluation; their absence would cause specific compliance failures, not a 'Not evaluated' status.

62
MCQ · hard

You are troubleshooting a Windows 11 device that is enrolled in Microsoft Intune. The device shows 'Pending' status for a required app deployment. The app is a line-of-business (LOB) app. The device has been online for the past 24 hours. What is the most likely cause?

A.The device does not have internet connectivity to download the app.
B.The device's certificate for Intune is expired.
C.The Intune management extension is not installed on the device.
D.The device requires a restart to complete previous updates.
Answer: C

LOB apps require the extension, which may be missing.

Why this answer

The Intune management extension is responsible for deploying line-of-business (LOB) apps and PowerShell scripts on Windows devices. If this extension is not installed, the device will show a 'Pending' status for required app deployments because the Intune service cannot initiate the download or installation. Since the device has been online, connectivity is not the issue, and the extension must be present to process the deployment.

Exam trap

The trap here is that candidates often assume a 'Pending' status is always due to network issues or pending reboots, but Microsoft specifically tests the requirement of the Intune management extension for LOB app deployments on Windows devices.

How to eliminate wrong answers

Option A is wrong because the device has been online for the past 24 hours, indicating internet connectivity is available, and a 'Pending' status typically does not result from transient connectivity issues. Option B is wrong because an expired Intune certificate would cause the device to appear as 'Not compliant' or 'Unhealthy' in the Intune console, not a 'Pending' status for a specific app deployment. Option D is wrong because a pending restart would affect the installation of updates, not the initial download or deployment status of an LOB app; the app would remain 'Pending' only if the management extension were missing.

63
Multi-Select · medium

Which TWO actions can you perform on a managed device from the Microsoft Intune admin center?

Select 2 answers
A.Change the primary user
B.Change the enrolled user
C.Restart the device
D.Sync the device
E.Change the device name
Answers: C, D

Remote restart is available in Intune.

Why this answer

Options C and D are correct. D: You can sync a device to force a check-in. C: You can restart a device remotely.

Option A is wrong because you cannot change the primary user from the device blade; you need to re-enroll. Option E is wrong because you cannot change the device name for corporate-owned devices; it's usually auto-generated. Option B is wrong because you cannot change the enrolled user; you need to wipe and re-enroll.

64
MCQ · easy

You need to ensure that only compliant devices can access Exchange Online. Which Intune policy should you use?

A.Device compliance policy
B.App protection policy
C.Conditional Access policy
D.Device configuration profile
Answer: C

Conditional Access blocks non-compliant devices.

Why this answer

Option C is correct because Conditional Access with device compliance evaluates compliance. Option A is wrong because a compliance policy defines compliance but does not enforce access. Option D is wrong because a device configuration profile configures settings.

Option B is wrong because an app protection policy manages app-level protection.

65
Multi-Select · hard

An organization uses Microsoft Intune to manage Windows devices. They need to configure a policy to enforce disk encryption on devices. Which THREE of the following are valid encryption options?

Select 3 answers
A.BitLocker
B.Encrypting File System (EFS)
C.Device encryption
D.FileVault
E.APFS encryption
Answers: A, C, D

BitLocker is a full disk encryption feature for Windows.

Why this answer

Options A, C, and D are correct. BitLocker is for Windows devices, FileVault is for macOS, and device encryption is a built-in Windows feature. Option B is wrong because Encrypting File System (EFS) is file-level encryption, not full disk encryption.

Option E is wrong because Apple File System (APFS) encryption is for macOS, but it's not a separate policy in Intune; FileVault is used.

66
MCQ · easy

Refer to the exhibit. You are reviewing a Windows 10 update ring configuration JSON. What does the 'automaticUpdateBehavior' setting control?

A.The level of update notifications
B.How long to defer feature updates
C.Whether updates are installed automatically and if the user can control reboot timing
D.The branch readiness level
Answer: C

This setting defines the installation and reboot behavior.

Why this answer

Option C is correct because automaticUpdateBehavior controls how updates are installed and whether the user has control over reboots. Option B is wrong because deferral days are separate. Option A is wrong because notification level is separate.

Option D is wrong because branch readiness is not in this JSON.

67
Multi-Select · hard

Which THREE steps are required to configure a Windows 10 device for kiosk mode using Microsoft Intune? (Choose three)

Select 3 answers
A.Configure Autopilot for the device.
B.Create a device compliance policy to enforce kiosk mode.
C.Create a device configuration profile with the kiosk settings.
D.Assign the kiosk profile to a Microsoft Entra ID group containing the target devices.
E.Ensure the device is enrolled in Microsoft Intune.
Answers: C, D, E

Kiosk settings are configured via a configuration profile.

Why this answer

Option C is correct because a device configuration profile in Microsoft Intune is the mechanism used to define the specific kiosk settings, such as the user account, app type (e.g., single-app or multi-app kiosk), and browser configuration. This profile applies the kiosk mode configuration to the device via the Windows 10/11 kiosk policy CSP (Policy Configuration Service Provider).

Exam trap

The trap here is that candidates confuse device compliance policies with device configuration profiles, mistakenly thinking compliance policies can enforce kiosk mode, when in fact compliance policies only evaluate and report on device health and security settings.

68
MCQ · hard

A user has an iOS device enrolled in Intune. The device is lost, and you need to immediately prevent unauthorized access to corporate data. The device contains both corporate and personal data. Which action should you take?

A.Disable the user's account in Microsoft Entra ID
B.Initiate a selective wipe
C.Initiate a full wipe
D.Use Remote Lock to lock the device
Answer: D

Remote lock immediately locks the device, preventing access.

Why this answer

Remote Lock immediately locks the iOS device, preventing unauthorized access to both corporate and personal data without altering the device's content. This is the correct first step to secure data while preserving the ability to recover the device later, as it does not remove any data or accounts.

Exam trap

The trap here is that candidates often confuse 'immediate prevention of unauthorized access' with data removal, leading them to choose a wipe option, but Remote Lock is the correct first step because it secures the device without destroying personal data or requiring re-enrollment.

How to eliminate wrong answers

Option A is wrong because disabling the user's account in Microsoft Entra ID revokes access to cloud services but does not lock the device itself, leaving local data accessible. Option B is wrong because a selective wipe removes only corporate data and apps, which still leaves personal data exposed and does not immediately prevent access to the device. Option C is wrong because a full wipe erases all data, including personal content, which is overly destructive and irreversible; it should only be used as a last resort after confirming the device cannot be recovered.

69
MCQ · hard

Your organization uses Microsoft Intune to manage devices. You need to deploy a PowerShell script that runs every time a user logs in to a Windows 10 device. The script must run with administrative privileges. Which deployment approach should you use?

A.Package the script as a Win32 app and assign it as required.
B.Deploy the script as a proactive remediation in Intune.
C.Use Intune PowerShell scripts targeting the user, with a scheduled task triggered by logon.
D.Use a custom compliance policy to run the script.
Answer: C

Intune PowerShell scripts can run in user context; a scheduled task triggered at logon can elevate privileges.

Why this answer

Option C is correct because Microsoft Intune supports PowerShell scripts running in the user context on login, and using a scheduled task triggered by logon can run with elevated privileges. Option B is wrong because proactive remediations run on a schedule, not on logon. Option A is wrong because a Win32 app can be set to run once, not on every logon.

Option D is wrong because custom compliance policies evaluate compliance, not run scripts on login.

70
MCQ · hard

You are designing a Windows Update for Business deployment for a hybrid environment with 5,000 devices. You need to ensure that critical security updates are deployed within 48 hours while allowing feature updates to be delayed up to 60 days. Which policy configuration should you use?

A.Configure a 'Quality update deadline' of 2 days and a 'Feature update deadline' of 60 days.
B.Use a 'Quality update deferral period' of 48 hours and a 'Feature update deferral period' of 60 days in a Windows 10 update ring.
C.Set the 'Update notification level' to '2 - Disable all notifications' and configure active hours.
D.Configure a 'Quality update deferral period' of 2 days and a 'Feature update deferral period' of 60 days.
Answer: A

Deadline policies are the modern approach to enforce update installation within a specific timeframe.

Why this answer

Option A is correct because Windows Update for Business uses 'deadline' policies to enforce when updates must be installed, not deferral periods. A 'Quality update deadline' of 2 days ensures critical security updates are installed within 48 hours, while a 'Feature update deadline' of 60 days allows feature updates to be delayed up to 60 days. Deferral periods only postpone when an update is offered, not when it must be installed, making deadlines the appropriate mechanism for enforcing installation timelines.

Exam trap

The trap here is that candidates confuse deferral periods with deadlines, assuming a deferral of 2 days achieves the same result as a 2-day deadline, but deferrals only delay the offer while deadlines enforce installation timing.

How to eliminate wrong answers

Option B is wrong because deferral periods delay the offer of updates but do not enforce an installation deadline; a 48-hour deferral would only delay when the quality update is first offered, not ensure it is installed within 48 hours. Option C is wrong because notification settings and active hours control user experience and restart timing, not the deployment timeline for security or feature updates. Option D is wrong because a deferral period of 2 days for quality updates only delays the offer by 2 days, failing to guarantee installation within 48 hours; deadlines are required to enforce the installation window.

71
MCQ · medium

A user reports that their Windows 11 device is not receiving Microsoft 365 Apps updates from Intune. You verify the device is enrolled and compliant. The device has a Microsoft 365 Apps update policy assigned. What is the most likely cause?

A.The Microsoft 365 Apps update channel is not configured in the policy
B.The device is in a low-power state and not checking in for updates
C.The device is not connected to the internet
D.The device has an older version of Office installed that does not support Intune management
Answer: B

If the device is in a low-power state, update policies may not apply until it is active.

Why this answer

The most likely cause is that the device is in a low-power state (e.g., sleep or hibernation) and not checking in for updates. Intune relies on the Microsoft 365 Apps update service, which uses a scheduled task that runs only when the device is awake and connected. If the device is in a low-power state, it cannot execute the update check, even though it is enrolled and compliant.

Exam trap

The trap here is that candidates often assume the update channel must be configured (Option A) or that internet connectivity is the issue (Option C), but Intune policies have default channels and the device is already compliant, so the real culprit is the device's power state preventing the update check from running.

How to eliminate wrong answers

Option A is wrong because if the update channel were not configured, the policy would either fail to apply or use a default channel, but the device would still attempt to check for updates; the issue is that the device is not checking in at all. Option C is wrong because the question states the device is enrolled and compliant, which requires internet connectivity for Intune communication; if it were not connected, the device would not be compliant or would show as disconnected. Option D is wrong because all versions of Office that support Intune management (Microsoft 365 Apps, Office 2019 or later) can receive updates via Intune policies; an older version like Office 2016 would not be managed by Intune at all, but the device is already enrolled and has a policy assigned.

72
MCQ · easy

You need to enforce encryption on Windows 10 devices managed by Intune. Which policy type should you configure?

A.Endpoint Protection profile
B.Device compliance policy
C.Windows Update for Business policy
D.Device configuration profile (settings catalog)
Answer: A

Endpoint Protection profiles include settings for BitLocker encryption.

Why this answer

Endpoint Protection profiles in Intune include the 'Windows Encryption' settings category, which allows you to enforce BitLocker Drive Encryption on Windows 10 devices. This profile directly manages encryption policies such as requiring BitLocker on OS and fixed drives, configuring encryption methods (e.g., XTS-AES 128-bit), and setting recovery password options. It is the correct policy type for enforcing encryption because it specifically targets security settings like device encryption and BitLocker.

Exam trap

The trap here is that candidates confuse Device Compliance Policies (which can check encryption status) with the actual policy that enforces encryption, leading them to select Option B, but compliance policies are read-only evaluations and cannot configure BitLocker settings.

How to eliminate wrong answers

Option B is wrong because Device Compliance Policies evaluate whether devices meet security requirements (e.g., encryption status) but do not configure or enforce encryption settings; they only mark devices as compliant or non-compliant. Option C is wrong because Windows Update for Business policies manage update rings, deferrals, and feature updates, not encryption or BitLocker settings. Option D is wrong because while the Settings Catalog in Device Configuration Profiles can include many settings, it does not contain the specific 'Windows Encryption' or 'BitLocker' policy categories that are exclusive to Endpoint Protection profiles for encryption enforcement.

73
MCQ · medium

Your organization uses Microsoft Intune to manage devices. You need to ensure that only corporate-owned Windows 10 devices are allowed to access Microsoft 365 services. You have configured a conditional access policy to require compliant devices. What else must you do to identify corporate-owned devices?

A.Configure a device compliance policy to require corporate ownership.
B.Set enrollment restrictions to block personally owned devices.
C.Deploy an app protection policy to block personal devices.
D.Add corporate device identifiers (e.g., serial numbers) in Intune.
Answer: D

Corporate identifiers allow Intune to automatically mark devices as corporate-owned upon enrollment.

Why this answer

Option D is correct because you need to add corporate device identifiers (e.g., serial numbers) in Intune so that devices can be marked as corporate-owned. Option C is wrong because app protection policies manage data within apps, not device ownership. Option A is wrong because compliance policies do not set ownership.

Option B is wrong because enrollment restrictions block personal devices but do not mark devices as corporate.

74
Multi-Select · easy

Which TWO of the following are device configuration settings you can manage with Microsoft Intune? (Choose two.)

Select 2 answers
A.Application settings for Microsoft 365 Apps
B.Device restrictions (e.g., camera, Bluetooth)
C.Wi-Fi profiles
D.Lock screen settings
E.Email profiles for Exchange Online
Answers: B, D

Device restrictions are part of device configuration.

Why this answer

Device restrictions, such as disabling the camera or Bluetooth, are a core configuration setting in Microsoft Intune. These are managed through device configuration profiles that enforce policies on devices, regardless of the user logged in. Option B is correct because Intune's device restrictions profile allows administrators to control hardware and system features at the device level.

Exam trap

The trap here is that candidates often confuse device restrictions with other configuration profile types like Wi-Fi or email profiles, but the question specifically asks for 'device configuration settings' that manage device-level features, not connectivity or account settings.

75
MCQ · easy

You need to deploy a line-of-business (LOB) iOS app to company-owned devices using Microsoft Intune. The app is signed with an enterprise certificate. Which deployment method should you use?

A.Managed Browser app.
B.iOS/iPadOS LOB app.
C.iOS/iPadOS store app.
D.Volume Purchase Program (VPP) app.
Answer: B

LOB app type supports custom enterprise-signed apps.

Why this answer

For LOB iOS apps signed with an enterprise certificate, Intune uses the iOS/iPadOS LOB app type. The app must be uploaded as an .ipa file. Option D is incorrect because VPP is for public apps.

Option C is incorrect because the iOS/iPadOS store app type is for public apps. Option A is incorrect because the managed browser is a specific app, not relevant.
