CCNA Manage and maintain devices Questions

72 of 297 questions · Page 4/4 · Manage and maintain devices · Answers revealed

226
MCQ · medium

Refer to the exhibit. You have applied this compliance policy to a Windows 10 device running build 10.0.19044. The device meets all requirements except that the firewall is disabled. What will be the compliance status of the device?

A. Compliant, because the OS version is within the allowed range.
B. Non-compliant, because the firewall is disabled.
C. Compliant, because the policy includes a grace period for firewall.
D. Non-compliant, because the OS version is not within the allowed range.
Answer: B

Active firewall is required; disabling it makes the device non-compliant.

Why this answer

The policy requires activeFirewallRequired to be true. Since the firewall is disabled, the device is non-compliant. Even though other requirements are met, non-compliance in one area makes the device non-compliant.

Option A is incorrect because the device is non-compliant even though its OS version is within the allowed range. Option C is incorrect because the policy does not include a grace period for the firewall. Option D is incorrect because the OS version is within the allowed range, so the policy applies and the disabled firewall is the only failing requirement.

227
MCQ · medium

Your organization uses Microsoft Intune to manage iOS devices. You need to prevent users from removing the Intune Company Portal app from their devices. Which setting should you configure?

A. Block app removal in device restrictions
B. Block screen capture
C. Require PIN for app store purchases
D. Block jailbroken devices
Answer: A

Blocking app removal prevents users from uninstalling the Company Portal.

Why this answer

Option A is correct because blocking app removal prevents users from uninstalling the Company Portal. Option D is wrong because blocking jailbroken devices does not prevent app removal. Option B is wrong because blocking screen capture is unrelated. Option C is wrong because requiring a PIN for App Store purchases is unrelated.

228
MCQ · medium

Refer to the exhibit. A Microsoft Graph PowerShell cmdlet retrieves devices. What is the purpose of this query?

A. To find Windows devices that are compliant
B. To find Windows devices with an operating system version earlier than 2025
C. To find Windows devices enrolled before January 1, 2025
D. To find Windows devices that have not synced since before January 1, 2025
Answer: D

The filter checks lastSyncDateTime less than 2025-01-01.

Why this answer

Option D is correct. The filter retrieves Windows devices whose lastSyncDateTime is earlier than January 1, 2025, that is, devices that have not synced since before that date and so have not synced in a long time. Option C is wrong because the filter is not about enrollment date. Option B is wrong because it is about the last sync, not the OS version. Option A is wrong because it is not about compliance status.

229
MCQ · hard

Refer to the exhibit. You are configuring a Windows Update Ring policy in Microsoft Intune. You want the pilot devices to install feature updates 30 days after Microsoft releases them, but you also need to ensure that users cannot postpone updates indefinitely. However, users are reporting that updates are installing outside of active hours. What is the most likely cause?

A. The 'updateNotificationLevel' is set to 2, which suppresses user notifications about updates.
B. The 'automaticUpdateBehavior' value of 4 is incorrect; it should be set to 3 to install during active hours.
C. The device's time zone is not aligned with the active hours configured in the policy.
D. The feature update deferral of 30 days is too short; it should be 60 days to align with the pilot timeline.
Answer: C

Time zone mismatch can cause updates to install outside the intended window.

Why this answer

Option C is correct because Windows Update for Business uses the device's local time zone to determine active hours. If the device's time zone does not match the active hours configured in the Intune policy, updates can install outside the intended window, even if the policy settings are otherwise correct.

Exam trap

The trap here is that candidates often focus on deferral periods or update behavior settings, overlooking that active hours are time-zone-dependent and must match the device's local time zone to function correctly.

How to eliminate wrong answers

Option A is wrong because 'updateNotificationLevel' set to 2 controls the level of notifications shown to users (e.g., turning off restart warnings), but it does not affect when updates install relative to active hours. Option B is wrong because 'automaticUpdateBehavior' value of 4 (auto install and restart at scheduled time) is correct for enforcing updates during active hours; value 3 (auto install and notify for restart) would allow users to postpone, which contradicts the requirement to prevent indefinite postponement. Option D is wrong because the feature update deferral of 30 days is a grace period before installation, not related to active hours compliance; extending it to 60 days would not fix the time zone mismatch.

230
MCQ · medium

A company uses Microsoft Intune to manage macOS devices. They need to deploy a custom plist configuration file to set security settings. Which policy type should they use?

A. Device configuration profile (custom)
B. App protection policy
C. Device compliance policy
D. Device cleanup rule
Answer: A

Custom configuration profiles allow uploading plist files for macOS.

Why this answer

Option A is correct because custom configuration profiles allow uploading plist files for macOS. Option C is wrong because compliance policies do not deploy configuration files. Option B is wrong because app protection policies are for mobile apps. Option D is wrong because device cleanup rules are for device lifecycle.

231
MCQ · hard

Refer to the exhibit. The JSON snippet shows a device compliance policy for Windows 10. You assign this policy to a device group. Some devices report as noncompliant even though they have BitLocker enabled and meet password requirements. What is the most likely cause?

A. The deviceThreatProtectionEnabled setting should be false.
B. The password minimum length is too short.
C. The storageRequireEncryption setting conflicts with BitLocker.
D. The devices are not enrolled in Microsoft Defender for Endpoint.
Answer: D

Device threat protection requires Defender for Endpoint to report a threat level.

Why this answer

Option D is correct because deviceThreatProtectionEnabled and deviceThreatProtectionRequiredSecurityLevel require integration with Microsoft Defender for Endpoint (Defender XDR) to assess the threat level; devices that are not enrolled in Defender for Endpoint cannot report one and are evaluated as noncompliant. Option B is wrong because the password minimum length is already set and the devices meet it. Option A is wrong because deviceThreatProtectionEnabled being true is intended; the failure is due to the missing Defender integration, not the setting itself. Option C is wrong because storageRequireEncryption is separate from BitLocker and does not conflict with it.

232
MCQ · medium

Your organization uses Microsoft Intune to manage Windows 10 devices. You need to enforce BitLocker encryption on all devices. Some devices are not encrypting even though the policy is assigned. What should you check first?

A. Confirm that the device has a compatible TPM chip and that it is enabled.
B. Verify that Secure Boot is disabled in BIOS.
C. Ensure devices are marked as compliant in Intune.
D. Check if the BitLocker policy is using the Settings catalog.
Answer: A

BitLocker requires a TPM (1.2 or 2.0) that is enabled and initialized.

Why this answer

Option A is correct because BitLocker requires a compatible TPM; if the TPM is not present or not initialized, encryption may fail. Option B is wrong because the policy does not require disabling Secure Boot. Option D is wrong because BitLocker policies are available in the Settings catalog, so that is not the problem. Option C is wrong because device compliance status does not affect BitLocker enforcement.

233
MCQ · medium

Your organization uses Microsoft Intune for device management. A user reports that their Android device is not receiving a required app that is assigned as 'Required' for all users. The device shows as 'Compliant' in Intune. What is the most likely cause?

A. The device is marked non-compliant.
B. The user has not installed the Company Portal app.
C. The device is not enrolled in Intune.
D. The app is not supported on the device's Android version.
Answer: D

App incompatibility is a common reason for required apps not installing.

Why this answer

If the device is compliant but not receiving the app, the app might not be compatible with the device's Android version. Option C is incorrect because the device is enrolled if it shows in Intune. Option A is incorrect because compliance is green. Option B is incorrect because Company Portal enrollment is not required for managed devices with required apps.

234
Multi-Select · easy

Which TWO types of policies can be assigned to user groups in Microsoft Intune?

Select 2 answers
A. Device compliance policy
B. Enrollment restriction
C. App protection policy
D. Device configuration policy
E. Windows update ring
Answers: A, C

Compliance policies can be assigned to user groups to evaluate devices of those users.

Why this answer

Device compliance policy (A) can be assigned to user groups to define rules that devices must meet, such as requiring a minimum OS version or BitLocker encryption, and to trigger conditional access. App protection policy (C) can be assigned to user groups to manage how apps access and handle corporate data, even on unenrolled devices, by applying settings like PIN or data transfer restrictions.

Exam trap

The trap here is that candidates often assume all Intune policies can be assigned to user groups, but Microsoft explicitly restricts enrollment restrictions, device configuration policies, and update rings to device groups only.

235
MCQ · easy

You need to configure Microsoft Defender for Endpoint on Windows 10 devices managed by Intune. What is the recommended method to onboard devices?

A. Install the Defender for Endpoint client manually on each device.
B. Use a device configuration profile in Intune to deploy the onboarding package.
C. Use the Microsoft 365 Defender portal to generate a script that users run.
D. Use Group Policy to configure the onboarding registry keys.
Answer: B

Intune is the recommended method for cloud-managed devices.

Why this answer

Option B is correct because Intune's device configuration profiles allow you to deploy the Defender for Endpoint onboarding package (a .zip containing the onboarding script and required files) directly to Windows 10 devices. This method is recommended as it integrates seamlessly with Intune's management framework, supports bulk deployment via policies, and ensures devices are properly configured without manual intervention or user interaction.

Exam trap

The trap here is that candidates often assume Group Policy (Option D) is the standard for all Windows management, but for Intune-managed devices, the recommended and supported method is the device configuration profile, not Group Policy, which requires on-premises infrastructure and does not integrate with cloud-based enrollment.

How to eliminate wrong answers

Option A is wrong because manually installing the Defender for Endpoint client on each device is not scalable for enterprise environments and contradicts the recommended automated approach via Intune. Option C is wrong because the Microsoft 365 Defender portal generates a script for local execution, but relying on users to run it introduces security risks, compliance gaps, and lacks centralized enforcement. Option D is wrong because Group Policy is not the recommended method for Intune-managed devices; while it can configure registry keys, it requires on-premises Active Directory and does not leverage Intune's cloud-native device management capabilities.

236
MCQ · easy

A user's mobile device is lost. You need to remotely wipe the device using Microsoft Intune. What is the correct sequence of actions?

A. Ask the user to reset the device from the Company Portal app.
B. Create a device compliance policy with the Action for noncompliance set to 'Remote wipe'.
C. In the Microsoft Intune admin center, select the device and choose Retire/Wipe.
D. Remove the device from Microsoft Entra ID and it will automatically wipe.
Answer: C

This is the correct action to wipe a device.

Why this answer

Option C is correct because the Retire/Wipe action is performed on the device in the Microsoft Intune admin center. Option B is wrong because you cannot wipe a device from a compliance policy. Options A and D are wrong because the wipe must be issued from Intune against an enrolled device whose user has an Intune license.

237
Multi-Select · easy

Which THREE are valid device management actions in Microsoft Intune? (Choose three.)

Select 3 answers
A. Wipe
B. Delete
C. Retire
D. Sync
E. Reboot
Answers: A, C, D

Wipe restores the device to factory settings.

Why this answer

Wipe is a valid Intune device action that restores a device to factory default settings, removing all data and corporate resources. It is typically used for devices that are lost, stolen, or being repurposed, and it can be applied to both corporate-owned and personally-owned devices enrolled in Intune.

Exam trap

Microsoft often tests the distinction between 'Wipe' and 'Retire' actions, and candidates may confuse 'Delete' with 'Retire' or assume 'Reboot' is a built-in action when it is not directly available in the Intune console.

238
MCQ · hard

You manage a hybrid Azure AD joined Windows 10 device with Intune. The device is showing as 'Pending' enrollment. You have verified that the user has an Intune license and the device is synced with Azure AD Connect. What is the most likely issue?

A. The user is not the primary user of the device.
B. The Group Policy for automatic Intune enrollment is not applied to the device.
C. The device is not co-managed with Configuration Manager.
D. Azure AD Connect has not synced the device object.
Answer: B

Hybrid Azure AD joined devices need a GPO with the MDM discovery URL.

Why this answer

For hybrid Azure AD joined devices, Intune enrollment requires a Group Policy that configures automatic enrollment. If that GPO is not applied, the device will show as 'Pending'. Option A is incorrect because user affinity is not the issue. Option D is incorrect because the device is already synced. Option C is incorrect because co-management is not required for Intune enrollment.

239
MCQ · medium

Your organization uses Microsoft Intune to manage Windows 11 devices. Users report that after a recent update, the corporate Wi-Fi profile no longer connects automatically. You verify the profile is still assigned and the device shows 'Not compliant' in Intune. What should you check first?

A. Review the device's compliance policy status and resolve any non-compliance.
B. Re-enroll the device in Intune.
C. Create a new Wi-Fi profile and assign it.
D. Verify the device's certificate for the Wi-Fi profile is still valid.
Answer: A

Non-compliance can block policies; resolving it will allow the Wi-Fi profile to apply.

Why this answer

The most common cause of a Wi-Fi profile not being applied is a compliance policy failure, which can block the profile. Checking the compliance policy status will show whether the device is blocked from receiving configurations. Option B is incorrect because the device is already enrolled. Option C is incorrect because the issue is with the existing profile, not a new one. Option D is incorrect because the certificate might be valid while the device is still non-compliant.

240
MCQ · hard

A Windows 11 device running build 10.0.22621.500 reports as noncompliant with the policy shown. The device meets all password requirements, has BitLocker enabled, and uses Microsoft Defender for Endpoint with a 'high' security level. What is the most likely cause of noncompliance?

A. Screen timeout exceeds the policy setting
B. Device threat protection level is not set to high
C. Storage encryption is not enabled
D. OS version is above the maximum allowed
Answer: A

Policy requires lock after 5 minutes; device may have longer timeout.

Why this answer

The device is noncompliant because the screen timeout setting exceeds the policy's maximum allowed value. In Microsoft Intune, compliance policies for Windows 11 enforce specific screen timeout limits (e.g., 5 minutes for idle timeout), and even if other requirements like password, BitLocker, and Defender for Endpoint are met, a mismatch in screen timeout triggers noncompliance. The build number 10.0.22621.500 indicates Windows 11 22H2, which is within supported versions, so OS version is not the issue.

Exam trap

The trap here is that candidates assume noncompliance must be due to a security feature like encryption or threat protection, but the question explicitly states those are met, so the correct answer is the less obvious screen timeout setting, which is a common misconfiguration in Intune compliance policies.

How to eliminate wrong answers

Option B is wrong because the device uses Microsoft Defender for Endpoint with a 'high' security level, which meets the threat protection requirement; the policy likely requires a minimum level of 'high' or 'medium', and 'high' satisfies it. Option C is wrong because BitLocker is enabled, which satisfies storage encryption requirements for compliance; the policy does not require additional encryption beyond what BitLocker provides. Option D is wrong because the OS version 10.0.22621.500 corresponds to Windows 11 22H2, which is below the maximum allowed version (typically the latest supported build), and the policy does not set a maximum OS version that would exclude this build.

241
Multi-Select · medium

You are troubleshooting an Intune-managed Windows 10 device that is not receiving a required application. Which THREE steps should you take to diagnose the issue? (Choose three.)

Select 3 answers
A. Ensure the device has network connectivity
B. Review the app requirement rules (e.g., OS version)
C. Check the app assignment status in the Intune console
D. Verify the device is compliant with compliance policies
E. Perform a factory reset on the device
Answers: A, B, C

The device must be able to reach Intune to download the app.

Why this answer

Option A is correct because network connectivity is a prerequisite for Intune-managed devices to communicate with the Microsoft Intune service. Without connectivity, the device cannot check in, download app policies, or retrieve application payloads. You should verify the device can reach endpoints like *.manage.microsoft.com and that the Windows Push Notification Services (WNS) channel is open.

Exam trap

The trap here is confusing compliance policies with app delivery prerequisites; candidates often assume a non-compliant device cannot receive any apps, but Intune separates compliance from app assignment unless conditional access is explicitly configured.

242
MCQ · hard

Refer to the exhibit. You are reviewing an Intune configuration profile JSON for Windows 10. The profile includes BitLocker settings. Which setting will prevent users from enabling BitLocker if another encryption method is already in use?

A. bitLockerEncryptionMethod set to aes256
B. passwordRequired set to true
C. bitLockerDisableWarningForOtherDiskEncryption set to false
D. bitLockerDisableWarningForOtherDiskEncryption set to true
Answer: C

When false, the warning is shown and BitLocker will not enable if other encryption exists.

Why this answer

Option C is correct because setting bitLockerDisableWarningForOtherDiskEncryption to false means that BitLocker will display a warning and block enabling BitLocker if another disk encryption method (such as third-party encryption) is detected on the drive. This setting enforces the requirement to prevent users from enabling BitLocker when another encryption solution is already active, ensuring compliance and avoiding conflicts.

Exam trap

The trap here is that candidates often confuse bitLockerDisableWarningForOtherDiskEncryption with a simple warning toggle, not realizing that setting it to false actively blocks BitLocker enablement when other encryption is detected, while setting it to true allows BitLocker to proceed without warning.

How to eliminate wrong answers

Option A is wrong because bitLockerEncryptionMethod set to aes256 only specifies the encryption algorithm to use (AES-256) when BitLocker is enabled; it does not control whether BitLocker can be enabled if another encryption method is already present. Option B is wrong because passwordRequired set to true mandates that a recovery password be configured for BitLocker, but it does not affect the detection or blocking of other disk encryption methods. Option D is wrong because setting bitLockerDisableWarningForOtherDiskEncryption to true would suppress the warning and allow BitLocker to be enabled even if another encryption method is in use, which is the opposite of the desired behavior.

243
MCQ · hard

Your organization uses Microsoft Intune to manage Android Enterprise devices (work profile). You need to ensure that corporate data on these devices is encrypted. Additionally, you want to enforce a policy that prevents users from disabling the work profile. You have created a device compliance policy that requires encryption, but some devices are marked as non-compliant even though they have encryption enabled. You suspect that the devices are using file-based encryption instead of full-disk encryption. What should you do to ensure that the devices meet the encryption requirement?

A. Enable the work profile on the devices via a device configuration profile.
B. Change the device encryption method to full-disk encryption using a device configuration profile.
C. Verify that the compliance policy is set correctly for Android Enterprise; if needed, re-evaluate the policy assignment.
D. Create a device configuration profile that enforces encryption on the work profile.
Answer: C

The compliance policy should correctly assess file-based encryption as compliant; re-evaluation may resolve false non-compliance.

Why this answer

Option C is correct because Android Enterprise devices with a work profile use file-based encryption by default, which Intune's encryption requirement accepts as compliant. If devices are still reported as non-compliant, check the compliance policy settings for Android Enterprise: the policy should have 'Require encryption of data storage on device' enabled, which is already done, so the next step is to re-evaluate the policy assignment. If devices remain non-compliant after that, you might need to update the policy to include the specific encryption type.

Option B is incorrect because you cannot change the encryption type via Intune. Option D is incorrect because device configuration profiles cannot change the encryption type. Option A is incorrect because the work profile is already enabled.

244
MCQ · medium

Refer to the exhibit. You create a compliance policy for Windows 10 devices. A device is reported as non-compliant. Upon investigation, you find that the device has a password of 6 characters. Which setting is causing the non-compliance?

A. requireCodeIntegrity
B. passwordMinimumLength
C. requireDeviceEncryption
D. requireSecureBoot
Answer: B

The policy requires minimum 8 characters, but the device has only 6.

Why this answer

Option B is correct because the policy requires a minimum password length of 8, but the device has only 6 characters. Option C is wrong because the device may have encryption enabled. Option D is wrong because Secure Boot may be enabled. Option A is wrong because code integrity may be enabled.

245
MCQ · medium

Your organization uses Microsoft Intune to manage Windows 10 devices. You need to ensure that devices that haven't checked in for 30 days are automatically retired. Which configuration should you implement?

A. Set up an automatic enrollment policy that retires devices after 30 days of inactivity.
B. Use the Intune device cleanup rules to automatically remove devices that haven't checked in for 30 days.
C. Configure a device compliance policy with a 'Mark device noncompliant' action after 30 days of no check-in and add an action for noncompliance to retire the device.
D. Create a device configuration profile with a 'Device Health' setting to require check-in within 30 days.
Answer: C

This directly enforces retirement after 30 days of inactivity.

Why this answer

Option C is correct because Intune's compliance policies can be configured to mark devices as noncompliant after a specified period of no check-in (e.g., 30 days), and then trigger an action for noncompliance—such as retiring the device. This ensures that devices that have not communicated with Intune within the defined timeframe are automatically removed from management, meeting the requirement.

Exam trap

The trap here is that candidates often confuse Intune device cleanup rules (which simply remove stale device records from the console) with compliance policy actions (which can actually retire the device and revoke company data), leading them to select Option B incorrectly.

How to eliminate wrong answers

Option A is wrong because automatic enrollment policies are used to enroll devices into Intune, not to retire them after inactivity; there is no 'retire after inactivity' setting in enrollment policies. Option B is wrong because Intune device cleanup rules remove devices from the Intune console after a specified number of days of no check-in, but they do not trigger a retire action—they simply delete the device record, which does not send a retire command to the device or revoke company data. Option D is wrong because device configuration profiles manage settings like security policies and compliance, but they do not include a 'Device Health' setting to require check-in within a certain number of days, nor do they have the ability to trigger a retire action based on check-in frequency.

246
Multi-Select · medium

Your organization is planning to use Microsoft Intune to manage Windows 11 devices. Which TWO are prerequisites for enrolling a Windows device in Intune?

Select 2 answers
A. Local administrator account on the device.
B. Microsoft Copilot for Microsoft 365 license.
C. Azure AD Premium P2 license.
D. Network connectivity to https://manage.microsoft.com and other Intune endpoints.
E. A Microsoft account (work or school) with an Intune license.
Answers: D, E

Connectivity is required for enrollment and management.

Why this answer

Windows 11 devices require a Microsoft account (work or school) with an Intune license for enrollment, whether the user enrolls manually or automatic MDM enrollment is used, and network connectivity to the Intune services. Option C is not a prerequisite because Intune enrollment can be done without Azure AD Premium P2. Option A is not required because a local admin account is not needed for enrollment. Option B is not required because Copilot is optional.

247
MCQ · hard

A user reports that their Windows 11 device cannot connect to the corporate Wi-Fi network. In Intune, the device shows a status of 'Pending' for the Wi-Fi configuration profile. The profile is assigned to a group that includes the user. What is the most likely cause of the issue?

A. The device does not have the required root certificate installed.
B. The Wi-Fi profile is not assigned to the user's group.
C. The Wi-Fi profile requires user affinity and the device is shared.
D. The device has not checked in to Intune within the last 8 hours.
Answer: D

Devices check in periodically; a pending status means the policy hasn't been applied yet.

Why this answer

The 'Pending' status in Intune for a Wi-Fi configuration profile indicates that the policy has been assigned but not yet applied to the device. This typically occurs when the device has not performed a recent check-in with the Intune service. By default, devices check in every 8 hours, so if the device has not checked in within that window, the profile remains in a 'Pending' state until the next successful sync.

Exam trap

The trap here is that candidates often assume 'Pending' means a configuration error (like missing certificates or incorrect assignment) rather than recognizing it as a synchronization delay, which is a common Intune behavior tested on the MD-102 exam.

How to eliminate wrong answers

Option A is wrong because a missing root certificate would typically cause a connection failure after the profile is applied, not a 'Pending' status in Intune; the profile would still be delivered and show as 'Succeeded' or 'Error' depending on the certificate validation. Option B is wrong because the question explicitly states the profile is assigned to a group that includes the user, so assignment is not the issue. Option C is wrong because user affinity affects how profiles are targeted (user vs. device), but a 'Pending' status is not caused by user affinity settings; it is a sync timing issue.

248
MCQ · easy

Your organization uses Microsoft Intune to manage iOS and Android devices. You need to ensure that corporate data on these devices is protected. Specifically, you want to prevent users from copying corporate data from managed apps to personal apps. You also want to ensure that when a device is lost or stolen, the corporate data can be selectively wiped without affecting personal data. Which Intune feature should you use to achieve these requirements?

A. App Protection Policies (MAM).
B. Device Compliance Policies.
C. Conditional Access Policies.
D. Device Configuration Profiles.
Answer: A

MAM policies provide data protection and selective wipe for managed apps.

Why this answer

Option A is correct because App Protection Policies (MAM) provide data protection settings such as preventing copy/paste between managed and unmanaged apps, and allow selective wipe of corporate data. Option B is incorrect because device compliance policies focus on device-level settings, not app-level data protection. Option D is incorrect because device configuration profiles configure device settings, not app data protection. Option C is incorrect because conditional access policies control access based on compliance but do not directly prevent copy/paste or provide selective wipe at the app level.

249
Multi-Select · hard

Your organization uses Microsoft Intune to manage Windows 10 devices. You need to deploy a PowerShell script that runs in the user context on a schedule. Which TWO methods can you use? (Choose two.)

Select 2 answers
A. Device compliance policy with a custom script
B. Proactive remediation in Microsoft Intune
C. Configuration profile with a scheduled task
D. Line-of-business app deployment package
E. PowerShell script deployment from the Intune console
Answers: B, C

Proactive remediations can run PowerShell scripts on a schedule in user context.

Why this answer

Proactive remediations in Microsoft Intune allow you to run PowerShell scripts in the user context on a schedule, making option B correct. They are designed for detection and remediation of common support issues, supporting both user and system context execution with configurable schedules.

Exam trap

The trap here is that candidates confuse the one-time execution of Intune PowerShell scripts (option E) with the scheduled execution capability of proactive remediations. They may also think a configuration profile with a scheduled task (option C) is not valid because it requires manual creation of the scheduled task XML, but it is a supported method for running scripts on a schedule in the user context.

250
MCQ · easy

A Windows 10 device is assigned this update ring policy. A new quality update is released today. When will the device install the update?

A. In 7 days
B. In 30 days
C. Today
D. Never, because automatic update mode requires reboot with warning.
Answer: C

Deferral is 0 days, so it installs as soon as available.

Why this answer

Option C is correct because the update ring policy is configured with 'Automatic update behavior' set to 'Auto install and restart without end-user control' and 'Servicing channel' set to 'Current branch (CB)'. When a new quality update is released, devices in this configuration will download and install the update immediately, typically within 24 hours of release, without any deferral period. The policy does not specify any deferral for quality updates, so the installation occurs today.

Exam trap

The trap here is that candidates confuse the 'Automatic update behavior' setting (which controls restart behavior) with the deferral period (which controls when the update is offered), leading them to incorrectly assume that a 'reboot with warning' mode delays the installation itself.

How to eliminate wrong answers

Option A is wrong because a 7-day wait would require a 'Quality update deferral period (days)' of 7 in the ring, which the scenario does not indicate. Option B is wrong because a 30-day deferral is typical for feature updates, not quality updates, and the policy specifies no such deferral for quality updates. Option D is wrong because the automatic update mode governs only how the restart is handled after installation; whatever restart behaviour is selected, it never prevents the update from being downloaded and installed as soon as it is offered.

251
Multi-Selecteasy

A company uses Microsoft Intune to manage devices. They want to use a script to collect inventory data from Windows devices. Which TWO methods can be used?

Select 2 answers
A.Device configuration profile
B.Proactive remediations
C.Custom compliance policy
D.PowerShell script deployment
E.App protection policy
AnswersB, C

Detection scripts in proactive remediations can collect inventory data.

Why this answer

Options B and C are correct. A proactive remediation's detection script can write the data it gathers to standard output, which surfaces per device in the remediation report, and a custom compliance policy runs a discovery script whose JSON output is evaluated and reported. Option D is wrong because a PowerShell script deployed from the Intune console runs once and reports only success or failure; its output is not collected.

Option A is wrong because device configuration profiles apply settings; they do not run scripts. Option E is wrong because app protection policies govern data inside managed apps.

252
MCQeasy

Your organization uses Microsoft Intune to manage Android Enterprise devices. You need to ensure that when a device is lost, an IT admin can remotely wipe only the work profile, leaving the personal data intact. Which remote action should you use?

A.Wipe
B.Remove work profile
C.Retire
D.Delete
AnswerB

This action removes only the work profile, preserving personal apps and data.

Why this answer

The 'Remove work profile' action is the correct remote action for Android Enterprise personally-owned work profile devices because it specifically targets and removes only the managed work profile, including all corporate apps and data, while leaving the user's personal profile and data intact. This action is designed for BYOD scenarios where the organization needs to protect corporate data without affecting the employee's personal information.

Exam trap

The trap here is that candidates often confuse 'Retire' with 'Remove work profile' because both remove corporate data, but on Android Enterprise personally-owned work profile devices, 'Remove work profile' is the explicit and correct action name, while 'Retire' is a legacy or generic term that may not be listed as a separate action in the Intune console for this device type.

How to eliminate wrong answers

Option A is wrong because 'Wipe' performs a full factory reset of the entire device, erasing both personal and corporate data, which is not appropriate when only the work profile needs to be removed. Option C is wrong because 'Retire' is a generic action that removes management and all company data from the device, but on Android Enterprise personally-owned work profile devices, it effectively performs the same as 'Remove work profile'; however, the specific and correct action name for this scenario is 'Remove work profile', not 'Retire'. Option D is wrong because 'Delete' is not a valid remote action in Microsoft Intune for Android Enterprise devices; it typically refers to deleting the device object from the console without initiating a wipe or profile removal.

253
Multi-Selecthard

Which THREE conditions must be met for a Windows 10 device to be able to use Windows Autopilot self-deploying mode?

Select 3 answers
A.The device must be Azure AD joined.
B.The device must have a TPM 2.0 chip.
C.The device must be Hybrid Azure AD joined.
D.The device must be registered as an Autopilot device.
E.A user must be assigned to the device in Autopilot.
AnswersA, B, D

Self-deploying mode requires Azure AD join.

Why this answer

Azure AD join is required for self-deploying mode because this mode provisions a device for shared or kiosk scenarios without user interaction. The device must be joined to Azure AD to establish a device identity and allow policy application before any user signs in, which is a core requirement for the zero-touch provisioning flow.

Exam trap

The trap here is that candidates often confuse self-deploying mode with user-driven modes and incorrectly assume a user must be assigned, or they think Hybrid Azure AD join is supported in self-deploying mode, but Microsoft explicitly restricts self-deploying to Azure AD join only.

254
MCQmedium

Refer to the exhibit. You run this KQL query in Microsoft Sentinel. What is the result?

A.A list of all devices regardless of operating system.
B.A list of all Windows devices with their last activity.
C.A count of unique Windows devices per device name in the last 7 days.
D.A count of security alerts per device.
AnswerC

The query returns a distinct count of Windows device names per 7-day time bin.

Why this answer

The KQL query starts from `DeviceInfo` (the device inventory table that Microsoft Defender for Endpoint streams into Microsoft Sentinel), filters with `where OperatingSystem contains 'Windows'`, then aggregates with `summarize dcount(DeviceName) by bin(TimeGenerated, 7d)`: `dcount` is a distinct-count aggregation (approximate, HyperLogLog-based, so large counts can be off by a small percentage) and `bin(TimeGenerated, 7d)` groups rows into 7-day buckets. The output is one row per bucket with the number of unique Windows devices seen in it; of the options offered, C is the one that describes a distinct count of Windows devices over a 7-day window.

Exam trap

The trap here is that candidates may misinterpret `dcount(DeviceName)` as a count of rows or a list of devices, rather than recognizing it as a distinct count aggregation, and may overlook that `DeviceInfo` is an inventory table, not an alert table.

How to eliminate wrong answers

Option A is wrong because the query explicitly filters for Windows devices (`where OperatingSystem contains 'Windows'`), so it does not return all devices regardless of OS. Option B is wrong because the query does not retrieve any 'last activity' data; it uses `dcount(DeviceName)` to count unique devices, not to list devices with their last activity timestamp. Option D is wrong because the query operates on `DeviceInfo`, which is a device inventory table, not a security alerts table; there is no alert data or alert count logic in the query.

255
MCQmedium

Your organization uses Microsoft Intune to manage Windows 11 devices. You need to ensure that devices cannot connect to unsecured Wi-Fi networks. Which policy type should you configure?

A.Device configuration profile with network settings.
B.Compliance policy.
C.Certificate profile.
D.Wi-Fi profile.
AnswerD

Wi-Fi profiles define allowed networks and their security settings.

Why this answer

Wi-Fi profiles in Intune define the networks a device joins and their security type. To keep devices off unsecured networks you provision the corporate SSID with WPA2-Enterprise (or WPA3) and EAP or certificate authentication rather than an open network. Option C is incorrect because a certificate profile only supplies the credential that a Wi-Fi profile references for authentication.

Option B is incorrect because a compliance policy can mark a device non-compliant but does not configure Wi-Fi. Option A is incorrect because the configuration profile type that carries Wi-Fi settings is the Wi-Fi profile itself.

256
Multi-Selectmedium

Which TWO actions can an Intune administrator take to ensure that only compliant devices can access corporate Exchange Online email?

Select 2 answers
A.Configure an Exchange Active Sync policy in Intune.
B.Create a device configuration profile to enforce security settings.
C.Deploy an app protection policy for Outlook for iOS and Android.
D.Create a device compliance policy that checks for required settings.
E.Create a conditional access policy in Microsoft Entra ID that requires devices to be marked as compliant.
AnswersD, E

Device compliance policies mark devices as compliant or non-compliant, used by conditional access.

Why this answer

Option D is correct because a device compliance policy in Intune defines the rules (e.g., requiring a minimum OS version, encryption, or a jailbreak/root status check) that a device must meet to be considered compliant. This policy is a prerequisite for conditional access, ensuring only devices that satisfy these security baselines can access corporate resources like Exchange Online.

Exam trap

The trap here is that candidates confuse device compliance policies (which check device state) with app protection policies (which protect data at the app layer), leading them to incorrectly select Option C, even though app protection policies do not enforce device-level compliance for conditional access.

257
MCQhard

You are troubleshooting a Windows 11 device that fails to install an Intune-managed update. The device has been offline for two weeks. After reconnecting, the update does not install. In the Intune console, the update shows 'Failed to install' with error code 0x800f0831. What is the most likely cause?

A.The device does not have internet connectivity.
B.The device's Windows component store is corrupted due to missing prerequisites.
C.The device does not have enough disk space.
D.The update is superseded and no longer applicable.
AnswerB

Being offline for a long time can cause prerequisite issues, leading to this error.

Why this answer

Error 0x800f0831 is a servicing-stack (CBS) error raised when the component store cannot find a package that the update depends on, typically a prerequisite cumulative or servicing stack update the device missed while it was offline. Option A is incorrect because connectivity has been restored.

Option C is incorrect because low disk space produces a different error and nothing in the scenario points to storage. Option D is incorrect because a superseded update is simply no longer offered; it does not fail with a CBS error.

258
MCQeasy

A user reports that after resetting their Windows 10 device, they cannot re-enroll it in Intune. The device appears as 'Pending' in the admin center. What is the most likely reason?

A.The device has a stale record in Intune that needs to be deleted.
B.The user is trying to enroll with a different Azure AD account.
C.The MDM authority is not set to Intune.
D.The user does not have an Intune license assigned.
AnswerA

A previous enrollment record can block re-enrollment; deleting it resolves the issue.

Why this answer

When a Windows 10 device is reset, its existing Intune enrollment record becomes stale. The device attempts to re-enroll but the old record causes a conflict, leaving the device in a 'Pending' state in the admin center. Deleting the stale device record from Intune allows the enrollment to complete successfully.

Exam trap

The trap here is that candidates may think a 'Pending' state is due to licensing or authority misconfiguration, but the real cause is the stale device record left behind after a reset, which is a specific enrollment conflict scenario tested in MD-102.

How to eliminate wrong answers

Option B is wrong because enrolling with a different Azure AD account would typically result in a different device identity or a registration failure, not a 'Pending' state; the issue is a stale record, not an account mismatch. Option C is wrong because if the MDM authority were not set to Intune, the device would fail to enroll entirely or show an error, not remain in 'Pending'; the authority is already configured for Intune. Option D is wrong because a missing Intune license would prevent enrollment initiation or show a licensing error, not cause a 'Pending' state after a reset; the user was previously enrolled, so licensing is already in place.

259
Multi-Selecthard

Your organization uses Microsoft Intune to manage devices. You need to collect diagnostic logs from a remote Windows device without user interaction. Which THREE methods can you use?

Select 3 answers
A.MDM diagnostic log collection policy
B.Device configuration profile
C.Device diagnostics (Intune device action)
D.Microsoft Support and Recovery Assistant
E.Remote Windows PowerShell session
AnswersA, C, E

Policy can trigger log upload to Intune.

Why this answer

Device diagnostics in Intune, remote Windows PowerShell, and MDM diagnostic logs via policy all allow remote log collection. Microsoft Support and Recovery Assistant requires user input. Configuration profiles do not collect logs.

260
MCQeasy

You need to ensure that all Windows 11 devices in your organization have BitLocker enabled and the recovery key escrowed to Microsoft Entra ID. Which Intune policy should you configure?

A.Compliance Policy
B.Device Restrictions profile
C.Endpoint Protection profile
D.Device Configuration profile
AnswerC

Correct. Endpoint Protection profile includes BitLocker settings.

Why this answer

The Endpoint Protection profile in Microsoft Intune carries the BitLocker settings: requiring device encryption, the encryption method, and automatic escrow of the recovery password to Microsoft Entra ID. In the current admin center the same BitLocker CSP settings are also exposed under Endpoint security > Disk encryption; either path configures the device, which is what this task needs. The profile type is designed for security configuration such as disk encryption, firewall and antivirus, making it the correct choice.

Exam trap

The trap here is that candidates often confuse Compliance Policy with configuration policies, thinking that compliance can enforce BitLocker, but compliance only reports and can trigger remediation actions—it does not configure the encryption or key escrow settings itself.

How to eliminate wrong answers

Option A is wrong because Compliance Policy evaluates whether devices meet security requirements (e.g., BitLocker enabled) but cannot enforce or configure BitLocker settings or escrow keys; it only reports non-compliance. Option B is wrong because Device Restrictions profile controls device-level settings like password policies and browser restrictions, not disk encryption or key escrow. Option D is wrong because Device Configuration profile is a general container for settings like email, Wi-Fi, and certificates, but BitLocker-specific policies are managed under the dedicated Endpoint Protection profile.
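
Added example, not code from the page or from Microsoft: the device-side view of what the profile is meant to produce, using the built-in BitLocker module. The first function reports the OS drive's state; the second adds a recovery password protector if none exists, enables BitLocker with a TPM protector (or resumes it if protection was suspended), and escrows the recovery password with the BackupToAAD-BitLockerKeyProtector cmdlet, which needs an elevated session on a device that is Entra joined or hybrid joined. The event ID used to confirm the escrow comes from my own notes and is an assumption.

```powershell
# Added example: inspect, enable and escrow BitLocker on the OS drive. Run elevated.
function Get-OsDriveBitLockerState {
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    [pscustomobject]@{
        MountPoint          = $vol.MountPoint
        ProtectionStatus    = $vol.ProtectionStatus   # On / Off
        VolumeStatus        = $vol.VolumeStatus       # FullyEncrypted, EncryptionInProgress, FullyDecrypted, ...
        EncryptionMethod    = $vol.EncryptionMethod   # e.g. XtsAes256
        TpmProtector        = [bool]($vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')
        RecoveryProtectorId = ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword').KeyProtectorId
    }
}

function Enable-AndEscrowOsDriveBitLocker {
    $drive = $env:SystemDrive
    $vol   = Get-BitLockerVolume -MountPoint $drive

    # 1. A recovery password protector must exist before there is anything to escrow.
    if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        Add-BitLockerKeyProtector -MountPoint $drive -RecoveryPasswordProtector | Out-Null
    }

    # 2. Unlock with the TPM. Enable-BitLocker takes one protector type per call,
    #    which is why the recovery password was added separately above.
    $hasTpm = [bool]($vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')
    if (-not $hasTpm) {
        Enable-BitLocker -MountPoint $drive -TpmProtector -EncryptionMethod XtsAes256 `
            -UsedSpaceOnly -SkipHardwareTest | Out-Null
    } elseif ($vol.ProtectionStatus -ne 'On') {
        Resume-BitLocker -MountPoint $drive | Out-Null   # protectors exist but were suspended
    }

    # 3. Escrow every recovery password protector to the tenant the device is joined to.
    $rps = (Get-BitLockerVolume -MountPoint $drive).KeyProtector |
           Where-Object KeyProtectorType -eq 'RecoveryPassword'
    foreach ($rp in $rps) {
        BackupToAAD-BitLockerKeyProtector -MountPoint $drive -KeyProtectorId $rp.KeyProtectorId
    }

    # 4. Confirm: event 845 in the BitLocker Management log records a successful
    #    escrow to Entra ID (event ID assumed from my notes, not from the page).
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'; Id = 845 } `
        -MaxEvents 1 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Get-OsDriveBitLockerState
```

A compliance policy would only read what Get-OsDriveBitLockerState reports; the profile (or, locally, the second function) is what changes it.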

261
MCQhard

Adventure Works uses Microsoft Intune for device management. You need to deploy a custom PowerShell script to all Windows 10 devices to configure a registry key for security compliance. The script is already uploaded to Intune as a PowerShell script. However, the script is not running on some devices. You have confirmed that the devices are enrolled, have the Intune Management Extension installed, and are online. What should you check first?

A.Check that the user has administrative privileges on the device.
B.Confirm that the device is running a 64-bit version of Windows.
C.Ensure the script is assigned to the device group.
D.Verify that the PowerShell execution policy on the devices allows script execution (e.g., RemoteSigned or Bypass).
AnswerD

Execution policy can block scripts.

Why this answer

A machine-wide execution policy such as Restricted or AllSigned set through Group Policy (the MachinePolicy scope) blocks script execution and overrides anything set per process, including an -ExecutionPolicy switch on the command line, so on a device that is enrolled, online and has the Intune Management Extension installed it is the first thing to rule out. The extension runs the script as SYSTEM (or as the signed-in user when 'Run this script using the logged on credentials' is set), so the user's own rights (option A) do not matter.

Assignment (option C) is a separate step from upload and is worth confirming next, together with the script's result entry under the IntuneManagementExtension policies key in the registry and the IntuneManagementExtension.log. Architecture (option B) rarely stops a script from running, but note that the extension uses a 32-bit PowerShell host unless 'Run script in 64 bit PowerShell Host' is enabled, so a registry write to HKLM\SOFTWARE lands in WOW6432Node instead of the key you intended.
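
Added example (not part of the page): a diagnostic function that gathers, in one object, the facts behind options B, C and D: the execution policy per scope with a flag for a blocking policy scope, whether the Intune Management Extension service is running, whether this host is 64-bit, the per-script result entries the extension writes under HKLM\SOFTWARE\Microsoft\IntuneManagementExtension\Policies\<user GUID>\<script GUID>, and the tail of its log. The registry value names and log path are what I have seen on enrolled devices and should be treated as assumptions; run it elevated.

```powershell
# Added example: why is an Intune-deployed PowerShell script not running here?
function Get-ImeScriptDiagnostics {
    param(
        # Optional: the script's policy GUID (visible in the portal URL) to filter on.
        [string]$ScriptId
    )

    $policyRoot = 'HKLM:\SOFTWARE\Microsoft\IntuneManagementExtension\Policies'
    $logPath    = 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log'

    # Per-script result entries: Policies\<user GUID>\<script GUID> (value names assumed).
    $scriptResults = foreach ($user in Get-ChildItem -Path $policyRoot -ErrorAction SilentlyContinue) {
        foreach ($script in Get-ChildItem -Path $user.PSPath) {
            if ($ScriptId -and $script.PSChildName -ne $ScriptId) { continue }
            $p = Get-ItemProperty -Path $script.PSPath
            [pscustomobject]@{
                UserId        = $user.PSChildName
                ScriptId      = $script.PSChildName
                Result        = $p.Result          # e.g. Success / Failed
                ErrorCode     = $p.ErrorCode
                ResultDetails = $p.ResultDetails
                DownloadCount = $p.DownloadCount
            }
        }
    }

    # Execution policy by scope. MachinePolicy/UserPolicy come from Group Policy and
    # override anything set per process, including -ExecutionPolicy on the command line.
    $policies = Get-ExecutionPolicy -List
    $gpoValue = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell' `
                    -ErrorAction SilentlyContinue).ExecutionPolicy

    [pscustomobject]@{
        ExecutionPolicies  = $policies
        GpoExecutionPolicy = $gpoValue
        BlockedByPolicy    = [bool]($policies | Where-Object {
                                 $_.Scope -in 'MachinePolicy', 'UserPolicy' -and
                                 $_.ExecutionPolicy -in 'Restricted', 'AllSigned' })
        ImeServiceStatus   = (Get-Service -Name IntuneManagementExtension -ErrorAction SilentlyContinue).Status
        Is64BitHost        = [Environment]::Is64BitProcess   # false in the default 32-bit host
        ScriptResults      = $scriptResults
        RecentLogLines     = Get-Content -Path $logPath -Tail 1000 -ErrorAction SilentlyContinue |
                             Select-String -Pattern 'ExecutionPolicy|error|failed' |
                             Select-Object -Last 20 -ExpandProperty Line
    }
}

Get-ImeScriptDiagnostics | Format-List
```

If BlockedByPolicy is true the fix is in Group Policy, not in Intune; if it is false and ScriptResults has no entry for the script, the device never received the assignment, which points back at option C.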

262
MCQmedium

You are managing a fleet of Windows 10 devices with Microsoft Intune. You need to deploy a critical security update that Microsoft released out-of-band. The update must be installed on all devices within 24 hours. You have configured Windows Update for Business policies in Intune, but the update is not being installed on many devices. You check the update compliance reports and see that most devices are showing the update as 'pending'. What should you do to expedite the installation?

A.Modify the existing Windows Update for Business policy to set the deferral period to 0 days.
B.Create a compliance policy that requires the update to be installed and assign it to all devices.
C.Use Configuration Manager to push the update via on-premises WSUS.
D.Create an update policy for Windows 10 and later using the 'Quality update' deployment ring and set the deadline to immediate.
AnswerD

An update policy with immediate deadline forces the update installation.

Why this answer

Option D is correct because deploying an out-of-band security update with a deadline set to immediate overrides any deferral periods and forces the update to install within the specified deadline. In Intune, Windows Update for Business policies allow you to create a 'Quality update' deployment ring and set the deadline to immediate (0 days), which instructs Windows Update to download and install the update as soon as possible, bypassing normal deferral delays. This directly addresses the 'pending' status by enforcing a mandatory installation timeline.

Exam trap

The trap here is that candidates often confuse compliance policies with update enforcement, thinking that marking a device non-compliant will force an update, when in reality compliance policies only report status and require a separate update policy with a deadline to trigger installation.

How to eliminate wrong answers

Option A is wrong because modifying the existing Windows Update for Business policy to set the deferral period to 0 days only removes the delay for future updates but does not force an immediate installation of an already-pending update; the update may still wait for other conditions like active hours or scan intervals. Option B is wrong because compliance policies in Intune are used to assess device configuration and trigger remediation actions (e.g., marking a device non-compliant), but they do not directly install updates; they rely on separate update policies to enforce installation. Option C is wrong because using Configuration Manager with WSUS is a valid on-premises solution, but the question specifies a fleet managed with Microsoft Intune, and the goal is to expedite installation using Intune policies, not to introduce a hybrid management overhead that may not be available or configured.

263
MCQhard

A company uses Microsoft Intune for mobile device management. They have a group of Android Enterprise devices that need to be enrolled in a way that allows the device to have a work profile while keeping personal apps separate. Which enrollment method should be used?

A.Android Enterprise corporate-owned fully managed devices
B.Android Enterprise personally-owned devices with a work profile
C.Android Enterprise corporate-owned dedicated devices
D.Android Enterprise corporate-owned work profile
AnswerB

This allows a work profile on a personally-owned device, keeping personal apps separate.

Why this answer

Option B is correct because Android Enterprise personally-owned devices with a work profile keep managed apps and data in a separate, encrypted work profile while the personal side of the device stays outside management. Option C is wrong because corporate-owned dedicated devices are single-purpose (kiosk-style) devices with no personal space. Option A is wrong because fully managed devices give the organization control of the whole device.

Option D is wrong here because a corporate-owned work profile also separates work and personal apps, but it is the enrollment for company-owned hardware; the key treats the devices in this scenario as personally owned.

264
MCQhard

Refer to the exhibit. You apply this device configuration profile to a Windows 10 device. A user downloads a file that is classified as potentially unwanted application (PUA). What action will Defender take?

A.Audit the detection and allow the download.
B.Send the file to the cloud for analysis.
C.Automatically clean the file.
D.Block the file from being downloaded.
AnswerD

PUA protection enabled blocks the file.

Why this answer

The policy sets defenderPUAProtection to 'enabled', which means PUA detections are blocked and quarantined, not merely logged. The malware-action settings in the policy apply to threats classified as malware; the action taken on a PUA is governed by the PUA setting alone.

Option A is incorrect because audit mode is not configured. Option B is incorrect because sending samples to the cloud is the cloud-delivered protection and sample submission behaviour, not the PUA action. Option C is incorrect because 'clean' is a remediation action for infected files; a PUA detection is blocked before the download completes.

265
MCQeasy

You need to wipe a lost corporate-owned Windows 10 device that is enrolled in Intune. Which action should you take?

A.Delete the device from Intune.
B.Select the device and choose Wipe.
C.Select the device and choose Retire.
D.Reset the device using the Company Portal.
AnswerB

Correct. Wipe resets the device to factory settings.

Why this answer

The Wipe action in Intune restores a Windows 10 device to its factory default settings, removing all data and corporate access. This is the appropriate action for a lost corporate-owned device because it ensures sensitive data is erased; the Wipe dialog's 'Retain enrollment state and user account' option additionally lets a recovered device come back into management without a full re-provision.

Exam trap

The trap here is confusing the Retire action (which only removes management and corporate data) with the Wipe action (which performs a full factory reset), leading candidates to choose Retire when a complete data erasure is required.

How to eliminate wrong answers

Option A is wrong because deleting the device from Intune only removes the device object from the console; it does not send a wipe command to the device, so data remains intact. Option C is wrong because Retire removes managed apps and policies but preserves personal data and does not perform a full factory reset, leaving corporate data potentially accessible. Option D is wrong because the Company Portal reset is a user-initiated action that requires the device to be physically accessible and logged in, which is not possible for a lost device.

266
MCQmedium

An organization manages Windows 10 devices with Microsoft Intune. They need to deploy a PowerShell script that runs once on each device to remediate a security issue. The script should not run again after successful execution. Which configuration should be used?

A.Assign the script to all devices and set 'Run this script using the logged on credentials' to Yes
B.Use a proactive remediation with a detection script and set 'Run script on every logon' to No, and configure the remediation script to exit with code 0 on success
C.Use a proactive remediation with a detection script and set 'Run script on every logon' to Yes
D.Use a custom compliance policy with a script that runs daily
AnswerB

The detection script checks if remediation is needed; if not, the remediation script doesn't run. Setting 'Run script on every logon' to No ensures it runs only once.

Why this answer

Option B is correct because the detection script gates the remediation: it runs on the package's schedule, exits with a non-zero code while the issue is present and 0 once it is fixed, and the remediation script runs only after a non-zero detection. After one successful remediation every later detection returns 0, so the remediation does not run again. Option A is wrong because 'Run this script using the logged on credentials' only changes the account the script runs under; a plain Intune PowerShell script is a one-time deployment with no detection step, so it cannot verify the fix. Option C is wrong because running on every logon re-evaluates far more often than required and, for a device-level issue, in the wrong context.

Option D is wrong because a custom compliance policy's discovery script only reports state for compliance evaluation; it does not remediate.
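
As an added example serving questions 251 and 266 (not code from the page or from Microsoft), here are the two halves of a proactive remediation shown in one fence; Detect.ps1 and Remediate.ps1 are uploaded as separate files. The registry key and value name are constructed for illustration. Because the package checks HKLM, assign it to run as System and enable the 64-bit host so the write does not land in WOW6432Node; the schedule (hourly, daily or once) is set on the assignment, not in the script.

```powershell
# ---------- Detect.ps1 (runs on schedule; exit 0 = compliant, exit 1 = remediate) ----------
$key  = 'HKLM:\SOFTWARE\Contoso\Hardening'   # constructed key and value name, not from the page
$name = 'LegacyProtocolDisabled'
$want = 1
try {
    $have = (Get-ItemProperty -Path $key -Name $name -ErrorAction Stop).$name
} catch {
    $have = $null                            # key or value missing
}
# Whatever the detection script writes to stdout becomes the "pre-remediation detection
# output" column in the Intune report, so one compact line doubles as inventory (question 251).
Write-Output ("host={0}; {1}={2}; build={3}" -f $env:COMPUTERNAME, $name, $have,
    [Environment]::OSVersion.Version.Build)
if ($have -eq $want) { exit 0 }   # compliant: remediation is skipped, now and on every later run
exit 1                            # non-compliant: Intune runs Remediate.ps1, then detection again

# ---------- Remediate.ps1 (runs only when Detect.ps1 exited non-zero) ----------
$key  = 'HKLM:\SOFTWARE\Contoso\Hardening'
$name = 'LegacyProtocolDisabled'
try {
    New-Item -Path $key -Force -ErrorAction Stop | Out-Null
    Set-ItemProperty -Path $key -Name $name -Value 1 -Type DWord -ErrorAction Stop
    Write-Output "set $name=1"    # shown as post-remediation output in the report
    exit 0
} catch {
    Write-Output "remediation failed: $($_.Exception.Message)"
    exit 1                        # counted as a remediation failure; detection will fire again next run
}
```

The "runs once" behaviour in question 266 falls out of this contract: the scheduled detection keeps running (cheaply), but the remediation runs only while detection fails, so after the first successful fix it never runs again.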

267
Multi-Selectmedium

You need to ensure that corporate data on lost or stolen iOS devices is protected. Which TWO actions should you configure in Intune?

Select 2 answers
A.Enable device inventory reporting.
B.Configure a device passcode policy.
C.Perform a selective wipe to remove corporate data only.
D.Retire the device from Intune.
E.Enable remote wipe on the device.
AnswersB, E

A passcode prevents unauthorized access.

Why this answer

Options B and E are correct: a passcode policy keeps a found device from being opened, and remote wipe lets an administrator erase it. Option C is incorrect because a selective wipe removes only corporate data and leaves the device usable by whoever holds it; it is a response action, not a protective configuration. Option D is incorrect because retiring only removes management.

Option A is incorrect because inventory reporting is not a protective action.

268
Multi-Selecthard

You are configuring app protection policies (MAM) in Microsoft Intune for iOS devices. Which THREE settings can you configure to prevent data leakage?

Select 3 answers
A.Require device PIN.
B.Restrict web content transfer to managed browsers.
C.Restrict cut, copy, and paste between apps.
D.Prevent 'Save as' to local storage.
E.Block screenshots of corporate data.
AnswersB, C, D

Ensures web links open in managed browsers.

Why this answer

App protection policies can restrict cut, copy and paste between apps (C), prevent 'Save as' to local storage (D) and restrict web content transfer to managed browsers (B). Option E, blocking screenshots, is not available as an iOS app protection setting because iOS offers apps no way to block screen capture (the Android policy does have a screen-capture block). Option A, requiring a device PIN, is a device compliance or configuration setting; app protection policies can require an app PIN, which is a different control.

269
Multi-Selecthard

Which TWO Windows Update for Business policies can you configure using Microsoft Intune?

Select 2 answers
A.Feature update version targeting
B.Quality update deferral period
C.Driver update deferral period
D.Windows Defender definition update schedule
E.Microsoft 365 Apps update channel
AnswersA, B

Intune has a feature update policy for Windows 10/11.

Why this answer

Both are Windows Update for Business policy types in Intune: the quality update deferral period is a setting in an update ring, and feature update targeting is its own policy type ('Feature updates for Windows 10 and later'). Driver updates (option C) are handled by a separate driver update policy type and by the ring's 'Block Windows drivers' switch, not by a deferral period in the ring; Defender definition updates (D) are configured through antivirus policy, and the Microsoft 365 Apps update channel (E) through the Microsoft 365 Apps configuration, not Windows Update for Business.

270
MCQhard

A company uses Microsoft Intune to manage iOS devices. They need to ensure that corporate data on these devices is protected if a device is lost or stolen. The solution must allow users to continue using personal apps and data after a selective wipe. What should they configure?

A.Initiate a selective wipe from the Intune console.
B.Configure a full wipe action in a compliance policy.
C.Use Remote Lock from the Intune console.
D.Create a device compliance policy that marks the device as noncompliant.
AnswerA

Selective wipe removes only managed corporate data and apps, preserving personal data.

Why this answer

Option A is correct because a selective wipe from the Intune console removes only corporate data (managed apps, email profiles, VPN configurations) while preserving personal apps and data on the iOS device. This meets the requirement of protecting corporate data on a lost or stolen device without affecting the user's personal content. Intune removes its management profile together with the apps, accounts and data that were delivered as managed, and leaves everything else in place.

Exam trap

The trap here is that candidates confuse a selective wipe with a full wipe or assume that noncompliance actions automatically perform a data wipe, but Microsoft explicitly separates these actions, and only a selective wipe preserves personal data while removing corporate data.

How to eliminate wrong answers

Option B is wrong because a full wipe (also called a factory reset) erases all data on the device, including personal apps and data, which violates the requirement to allow users to continue using personal content. Option C is wrong because Remote Lock only locks the device screen and does not remove any corporate data, so it does not protect corporate data if the device is lost or stolen. Option D is wrong because marking a device as noncompliant in a compliance policy does not automatically remove corporate data; it can trigger conditional access blocks but not a wipe action, so it fails to protect data on a lost device.

271
MCQeasy

You are a Microsoft 365 Endpoint Administrator for a medium-sized company that uses Microsoft Intune to manage its Windows 10 devices. The company recently experienced a ransomware attack that encrypted local files on several devices. To mitigate future attacks, management wants to ensure that all devices have real-time protection enabled in Microsoft Defender Antivirus and that Controlled Folder Access is turned on. You need to configure these settings via Intune. You decide to create a device configuration profile for Windows 10. What is the most efficient way to deploy these settings to all existing and future devices?

A.Create a device configuration profile and assign it to a device group that includes all devices.
B.Use PowerShell scripts deployed via Intune to enable the settings on each device.
C.Create a device configuration profile and assign it to a user group that includes all users.
D.Create a compliance policy that requires these settings and assign it to all devices.
AnswerA

Assigning to a device group ensures all devices receive the settings regardless of user.

Why this answer

Option A is correct because a device configuration profile in Intune can include Microsoft Defender Antivirus settings (such as real-time protection and Controlled Folder Access) and is assigned to a device group. This ensures that both existing and future devices that join the group automatically receive the settings, providing a scalable and efficient deployment method without requiring user interaction or additional scripts.

Exam trap

The trap here is that candidates often confuse compliance policies with configuration profiles, thinking that compliance policies can enforce settings, when in reality they only evaluate and report on settings, requiring a separate configuration profile to actually apply the desired state.

How to eliminate wrong answers

Option B is wrong because PowerShell scripts deployed via Intune are executed on a per-device or per-user basis and require manual assignment or targeting; they do not provide the same declarative, policy-driven enforcement as a device configuration profile, and they cannot be as easily applied to future devices without ongoing script management. Option C is wrong because assigning the profile to a user group applies settings based on user identity, not device identity; if a user logs into a different device, the settings may not apply, and devices without a signed-in user (e.g., kiosks) would be missed. Option D is wrong because a compliance policy is designed to report or mark devices as non-compliant, not to enforce settings; it cannot enable real-time protection or Controlled Folder Access—it only checks if those settings are present and can trigger remediation actions only if configured with a corresponding device configuration profile.
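
Added example (not from the page or from Microsoft) for questions 264 and 271: verifying on a device what the Defender profile is supposed to have set, using the built-in Defender module (Get-MpPreference, Get-MpComputerStatus, Set-MpPreference). The numeric-to-name maps mirror the enumerations Set-MpPreference accepts. Set-DefenderBaseline applies the same settings locally, which is useful on a lab device; on a managed device the Intune policy and tamper protection take precedence over local changes.

```powershell
# Added example: audit and (locally) enforce the Defender settings the profile pushes.
function Test-DefenderBaseline {
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus
    $puaMap = @{ 0 = 'Disabled'; 1 = 'Enabled (block)'; 2 = 'AuditMode' }
    $cfaMap = @{ 0 = 'Disabled'; 1 = 'Enabled (block)'; 2 = 'AuditMode';
                 3 = 'BlockDiskModificationOnly'; 4 = 'AuditDiskModificationOnly' }

    [pscustomobject]@{
        RealTimeProtection     = $status.RealTimeProtectionEnabled
        RealTimeDisabledByPref = $pref.DisableRealtimeMonitoring
        PUAProtection          = $puaMap[[int]$pref.PUAProtection]            # 1 = block, as in question 264
        ControlledFolderAccess = $cfaMap[[int]$pref.EnableControlledFolderAccess]
        CloudProtection        = $pref.MAPSReporting                           # 0 Off, 1 Basic, 2 Advanced
        TamperProtection       = $status.IsTamperProtected
        # What question 271's profile needs: real-time on, PUA blocking, CFA blocking.
        Compliant              = [bool]($status.RealTimeProtectionEnabled -and
                                        [int]$pref.PUAProtection -eq 1 -and
                                        [int]$pref.EnableControlledFolderAccess -eq 1)
    }
}

function Set-DefenderBaseline {
    # Idempotent local equivalent of the profile; fails quietly on settings that
    # tamper protection or MDM policy already lock.
    Set-MpPreference -DisableRealtimeMonitoring $false
    Set-MpPreference -PUAProtection Enabled
    Set-MpPreference -EnableControlledFolderAccess Enabled
    Set-MpPreference -MAPSReporting Advanced
}

Test-DefenderBaseline
```

A Compliant value of false on a device that has the profile assigned means the profile has not applied yet (or was overridden), which is the gap a compliance policy can report on but not close.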

272
Multi-Selecthard

Which THREE conditions must be met for a Windows device to be able to enroll in Microsoft Intune using Microsoft Entra ID join? (Choose three.)

Select 3 answers
A.The device must be running Windows 10 or later
B.The device must have internet connectivity to Microsoft Entra ID
C.The user must have an Intune license assigned
D.The device must have a TPM 2.0 chip
E.The device must be joined to an on-premises Active Directory domain
AnswersA, B, C

Windows 10/11 are supported for Microsoft Entra ID join.

Why this answer

Option A is correct because Microsoft Entra ID join requires a minimum of Windows 10 (any edition) to support the modern authentication and device registration protocols. Devices running earlier versions like Windows 8.1 or Windows 7 lack the necessary components (e.g., the Device Registration Service client) to complete the join process. This requirement ensures the device can communicate using OAuth 2.0 and the Microsoft Entra ID device registration endpoint.

Exam trap

The trap here is that candidates often confuse the TPM 2.0 requirement for Windows Hello for Business or BitLocker with the Microsoft Entra ID join prerequisites, or mistakenly think an on-premises domain join is a stepping stone to Entra ID join, when in fact it requires a separate hybrid join path.

273
MCQmedium

A user reports that their iOS device is unable to access corporate email after updating to a new iOS version. Other iOS devices are working fine. The device is enrolled in Intune and shows as compliant. What should you check?

A.Check the conditional access policy in Microsoft Entra ID to ensure the device platform is still supported.
B.Ensure the email profile is configured correctly.
C.Confirm that the device is still enrolled in Intune.
D.Verify that the device compliance policy includes the new iOS version.
AnswerA

A new iOS version might not be supported by the conditional access policy.

Why this answer

Option A is correct because when a device is compliant but still fails to access corporate email after an iOS update, the most likely cause is that the conditional access policy in Microsoft Entra ID (formerly Azure AD) has been updated to block the new iOS version. Conditional access policies can specify allowed device platforms and OS versions; if the new iOS version is not explicitly permitted, access will be denied even though the device is compliant. This is a common scenario after major OS updates, as administrators must update the policy to include the new version.

Exam trap

The trap here is that candidates assume a compliant device always has access, but conditional access policies can block access based on OS version even when the device is compliant, so the focus should be on the conditional access policy rather than the compliance policy or email profile.

How to eliminate wrong answers

Option B is wrong because the email profile configuration is managed by Intune and would not change automatically due to an iOS update; if other devices are working, the profile is likely correct. Option C is wrong because the device is already reported as compliant in Intune, which implies it is still enrolled; enrollment status is not affected by an OS update. Option D is wrong because the device compliance policy includes the new iOS version by default (or can be updated), and the device is showing as compliant, so the issue is not with the compliance policy itself but with the conditional access policy that enforces access based on compliance.

274
MCQmedium

A company manages Windows 10 and Windows 11 devices using Microsoft Intune. They need to ensure that devices that have not checked in with Intune for more than 30 days are automatically marked as inactive and excluded from compliance policies. Which configuration should be used?

A.Configure a compliance policy with a grace period of 30 days
B.Create a conditional access policy blocking devices inactive for 30 days
C.Set the device compliance status to 'not compliant' after 30 days of inactivity
D.Configure the Intune device cleanup rule to delete devices inactive for 30 days
AnswerD

The device cleanup rule automatically removes devices that haven't checked in for the configured number of days.

Why this answer

Option D is correct because the Intune device cleanup rule allows administrators to automatically remove devices that haven't checked in for a specified number of days. Option A is wrong because compliance policies do not handle device cleanup. Option B is wrong because conditional access policies control access, not device lifecycle.

Option C is wrong because device compliance settings do not automate cleanup.

275
MCQeasy

Refer to the exhibit. You are configuring a bulk enrollment token for Windows 10 devices in Intune. The token is set to expire on June 1, 2025. You need to ensure that devices can enroll using this token until June 30, 2025. What should you do?

A.Update the expirationDateTime property of the token.
B.Modify the tokenType to a different type.
C.Create a new bulk enrollment token with a later expiration date.
D.Re-create the token with the same name but later expiration.
AnswerA

You can edit the token and set a new expiration date.

Why this answer

The bulk enrollment token's expiration is controlled by the `expirationDateTime` property in Microsoft Intune. By updating this property to June 30, 2025, you extend the token's validity without needing to create a new token or change its type. This is the direct and supported method to adjust the expiration date of an existing token.

Exam trap

The trap here is that candidates often assume you must create a new token to change the expiration date, overlooking the fact that the existing token's `expirationDateTime` property can be updated directly via the Intune portal or Graph API.

How to eliminate wrong answers

Option B is wrong because `tokenType` defines the enrollment method (e.g., 'azureADJoin' or 'bulkEnrollment'), not the expiration date; changing it would alter the enrollment behavior, not extend the token's life. Option C is wrong because creating a new token is unnecessary and introduces a new token identifier, which would require re-distributing the token to devices, whereas the existing token can simply be updated. Option D is wrong because re-creating the token with the same name but later expiration is functionally identical to updating the `expirationDateTime` property, but it is an indirect approach that involves deleting and re-adding the token, which is less efficient and not the recommended method.

276
MCQmedium

Your organization manages Windows 10 and Windows 11 devices with Microsoft Intune. Users report that new Microsoft Store apps are not automatically installing on their devices as expected. You verify that the Intune policy 'Allow Microsoft Store for Business' is set to 'Allow'. What is the most likely reason the apps are not installing?

A.The 'Allow trust apps from Microsoft Store' policy is set to 'Block'.
B.The 'Allow trust apps from Microsoft Store' policy is set to 'Allow'.
C.The 'Allow Microsoft Store for Business' policy is set to 'Block'.
D.The 'Auto install apps from Microsoft Store' policy is disabled.
AnswerB

This policy must be enabled for automatic app installation to work.

Why this answer

For automatic app installation from the Microsoft Store, the Windows device must have the 'Allow trust apps from Microsoft Store' policy enabled. Without it, even if the Store is allowed, apps will not install automatically. Option A is incorrect because it is the opposite setting.

Option C is incorrect because the Store for Business policy is already set to allow. Option D is incorrect because the automatic install setting is separate from the Store enablement.

277
Multi-Selectmedium

You are managing devices with Microsoft Intune. You need to ensure that only compliant devices can access corporate email. Which THREE components should you configure?

Select 3 answers
A.Device configuration profile
B.Compliance policy for Microsoft Intune
C.Device compliance policy
D.Conditional Access policy in Microsoft Entra ID
E.App protection policy
AnswersB, C, D

Compliance policies evaluate device compliance and report the device's state.

Why this answer

Conditional Access requires compliance policies to evaluate device state, device compliance policies to define rules, and Conditional Access policies to enforce access. Configuration profiles configure settings but do not enforce access. App protection policies apply to apps, not device-level access.

278
MCQhard

Your organization uses Microsoft Intune to manage macOS devices. You need to deploy a custom configuration profile that sets a specific firewall rule. However, the profile fails to apply on a subset of devices. The Intune console shows 'Conflict' status. What is the most likely cause?

A.The user does not have a macOS license
B.The macOS version is not supported by the profile
C.Another profile with overlapping settings is assigned
D.The device is not connected to the internet
AnswerC

Conflicting profiles cause 'Conflict' status in Intune.

Why this answer

Option C is correct because a configuration profile conflict occurs when two profiles with overlapping settings are assigned to the same device. Option D (no network connectivity) would show 'Pending' or 'Error'. Option B (unsupported macOS version) would show 'Not applicable'.

Option A (user not licensed) would prevent enrollment altogether.

279
MCQhard

You are the Intune administrator for Contoso Ltd., a company with 5,000 Windows 11 devices and 1,000 iOS devices managed by Microsoft Intune. The company uses Microsoft Defender for Endpoint for threat detection. You need to implement a solution that ensures devices are compliant before they can access corporate resources. You have the following requirements: 1. Windows devices must have Defender for Endpoint running and report a threat level of 'low' or better. 2. iOS devices must have a PIN of at least 6 characters and be jailbreak-detected as 'not jailbroken'. 3. If a device becomes noncompliant, it should be blocked immediately with no grace period. 4. Noncompliant devices should receive a notification to the user. You create compliance policies for Windows and iOS. You also create a conditional access policy in Microsoft Entra ID to require compliant devices. After deploying, you find that some Windows devices that are missing Defender for Endpoint are still able to access email. What should you do to resolve this issue?

A.Configure a notification to users when their device is noncompliant.
B.Modify the conditional access policy to require a compliant device and a specific client app.
C.Enable the 'Require Defender for Endpoint' setting in the Windows compliance policy.
D.Set the required threat level to 'medium' in the Windows compliance policy.
AnswerC

This setting ensures devices without the agent are marked noncompliant.

Why this answer

Option C is correct because the Windows compliance policy must explicitly have the 'Require Defender for Endpoint' setting enabled to enforce that the Defender for Endpoint sensor is present and active on the device. Without this setting, the compliance policy only checks the threat level reported by Defender for Endpoint but does not require the sensor to be installed or running. Enabling this setting ensures that devices missing the Defender for Endpoint sensor are marked as noncompliant, which then triggers the conditional access policy to block access to corporate resources like email.

Exam trap

The trap here is that candidates often assume that setting the required threat level to 'low' automatically enforces the presence of Defender for Endpoint, but in reality, the threat level check only evaluates the last reported threat score, not the sensor's installation or running state.

How to eliminate wrong answers

Option A is wrong because configuring a notification to users when their device is noncompliant does not enforce compliance or block access; it only informs the user after the device is already noncompliant. Option B is wrong because modifying the conditional access policy to require a specific client app does not address the missing Defender for Endpoint sensor; the conditional access policy already requires a compliant device, and the issue is that the compliance policy is not correctly evaluating the Defender for Endpoint requirement. Option D is wrong because setting the required threat level to 'medium' would allow devices with a threat level of 'medium' to be compliant, which is less restrictive than 'low' and does not solve the problem of devices missing Defender for Endpoint entirely.

280
Multi-Selectmedium

Which THREE actions can you perform using Microsoft Intune's remote assistance feature for Windows devices?

Select 3 answers
A.View the user's screen.
B.Reset the device's password.
C.Transfer files to and from the device.
D.Take full control of the user's desktop.
E.Restart a Windows service.
AnswersA, C, D

Screen viewing is supported.

Why this answer

Option A is correct because Microsoft Intune's remote assistance feature, built on Windows Remote Assistance (WRA) using the Remote Desktop Protocol (RDP) over HTTPS, allows a help desk operator to view the user's screen with the user's explicit consent. This is a core capability for troubleshooting without taking control, enabling the administrator to see what the user sees in real time.

Exam trap

The trap here is that candidates confuse Intune's remote assistance with full remote control tools like TeamViewer or RDP, assuming all remote management actions (password reset, service restart) are bundled, but Microsoft deliberately limits remote assistance to view and full control only, with no administrative actions like password or service management.

281
MCQhard

You are troubleshooting a Windows 10 device that shows as 'Noncompliant' in Intune despite having all required compliance policies applied. The device is domain-joined and configured with hybrid Azure AD join. What is the most likely cause?

A.The Intune Management Extension is not installed.
B.The device is not registered in Microsoft Entra ID.
C.The device's health attestation certificate has expired.
D.The device is not enrolled in Intune.
AnswerC

Expired health attestation can cause noncompliance.

Why this answer

A device that is hybrid Azure AD joined and domain-joined but shows as 'Noncompliant' in Intune, despite having all required compliance policies applied, is most likely failing compliance due to an expired health attestation certificate. Intune uses Windows Health Attestation Service (HAS) to verify device integrity; if the attestation certificate has expired, the device cannot prove its health status, causing it to be marked noncompliant even when policies are correctly assigned.

Exam trap

The trap here is that candidates often assume noncompliance is due to missing enrollment or registration, but the question explicitly states the device is hybrid joined and enrolled, so the real issue is a stale or expired health attestation certificate that prevents the compliance check from completing.

How to eliminate wrong answers

Option A is wrong because the Intune Management Extension is used for deploying PowerShell scripts and Win32 apps, not for compliance evaluation; compliance is handled by the Intune agent and the enrollment state. Option B is wrong because the device is described as hybrid Azure AD joined, which inherently means it is registered in Microsoft Entra ID (Azure AD); lack of registration would prevent hybrid join from succeeding. Option D is wrong because the device is already enrolled in Intune (it shows as 'Noncompliant' in Intune), so the issue is not a lack of enrollment but a failure in the compliance check process.

282
MCQhard

Your organization uses Microsoft Defender for Endpoint. You need to configure automatic investigation and response for devices. Which setting in the Microsoft Defender XDR portal should you adjust?

A.Automated investigation and response
B.Threat analytics
C.Device inventory
D.Alert queue
AnswerA

Correct. This page contains settings for automation.

Why this answer

The correct setting is 'Automated investigation and response' because it directly controls the configuration of automatic investigation and response (AIR) capabilities in Microsoft Defender for Endpoint. This setting allows administrators to enable or disable automated investigations, set the automation level (e.g., full, semi, or no automation), and define remediation actions for devices. Without adjusting this setting, the automatic investigation and response workflow cannot be tailored to the organization's security requirements.

Exam trap

The trap here is that candidates often confuse the 'Automated investigation and response' configuration with the 'Alert queue' or 'Threat analytics' because they all appear under the same XDR portal section, but only the AIR setting directly manages the automation behavior for device-level response actions.

How to eliminate wrong answers

Option B is wrong because Threat Analytics is a feature that provides threat intelligence, vulnerability reports, and mitigation recommendations, but it does not configure the automatic investigation and response behavior for devices. Option C is wrong because Device Inventory is a list of all managed devices with their security status and configuration details, not a setting to enable or adjust automated response actions. Option D is wrong because Alert Queue is a view of security alerts generated by Defender for Endpoint, and while it allows manual triage of alerts, it does not control the automation level or response configuration for investigations.

283
MCQmedium

Your organization uses Microsoft Intune to manage 1,000 Windows 10 devices and 500 iOS devices. You need to enforce device compliance policies. For Windows devices, you require BitLocker encryption and Windows Defender Antivirus enabled. For iOS devices, you require a passcode of at least 6 characters and device encryption. Devices that become noncompliant should be marked as such and users should receive a notification email. After 7 days of noncompliance, the device should be blocked from accessing corporate email. You also need to create a report that shows the compliance status of all devices. Which combination of actions should you take?

A.Create Windows and iOS compliance policies with the required settings. Configure actions for noncompliance: send email immediately and block access after 7 days. Use the built-in compliance report.
B.Create app protection policies to require encryption and passcode. Use conditional access to block noncompliant devices.
C.Create device configuration profiles for BitLocker and encryption. Use conditional access to block noncompliant devices. Manually generate reports using PowerShell.
D.Use Autopilot to enforce encryption and passcode. Use Intune reporting for compliance status.
AnswerA

Compliance policies with actions and conditional access meet all requirements.

Why this answer

Option A is correct because compliance policies define the rules, and conditional access blocks access. The compliance report is built-in. Option B is wrong because app protection policies do not enforce device-level compliance.

Option C is wrong because configuration profiles do not enforce compliance. Option D is wrong because Autopilot does not enforce compliance.

284
MCQhard

Your organization uses Microsoft Intune to manage iOS devices. You need to ensure that corporate data on these devices is automatically removed when a user is unenrolled from Intune. Which action should you configure?

A.Configure a selective wipe policy.
B.Configure a compliance policy to mark the device as noncompliant.
C.Configure a remote lock action.
D.Configure a full wipe action.
AnswerA

Selective wipe removes corporate data while leaving personal data intact.

Why this answer

A selective wipe policy in Microsoft Intune removes only corporate data from an iOS device while leaving personal data intact. When a user is unenrolled from Intune, the selective wipe targets managed apps and their associated data, ensuring that company information is automatically removed without affecting the user's personal content.

Exam trap

The trap here is that candidates often confuse selective wipe with full wipe, assuming that any data removal requires a complete device reset, but the exam tests the specific Intune behavior where selective wipe is the correct method for removing only corporate data upon unenrollment.

How to eliminate wrong answers

Option B is wrong because configuring a compliance policy to mark the device as noncompliant does not automatically remove corporate data; it triggers conditional access blocks or notifications but requires a separate wipe action. Option C is wrong because a remote lock action only locks the device screen and does not remove any data. Option D is wrong because a full wipe action resets the entire device to factory settings, removing both corporate and personal data, which is not the requirement for selective removal of corporate data only.

285
MCQmedium

Your organization uses Microsoft Intune for Windows device management. You need to deploy a PowerShell script to all Windows 10 devices to remediate a security issue. The script must run in the user context. What is the best approach?

A.Add the script to Intune as a PowerShell script and set 'Run this script using the logged on credentials' to Yes.
B.Create a device configuration profile with a custom OMA-URI setting to execute the script.
C.Use a device compliance policy to trigger the script when noncompliant.
D.Use Intune proactive remediations and configure the script to run as a detection script.
AnswerA

This runs the script in the user context.

Why this answer

Option A is correct because Intune's PowerShell script deployment feature allows you to upload a script and set 'Run this script using the logged on credentials' to Yes, which executes the script in the user context on Windows 10 devices. This is the only native Intune method that directly supports running a PowerShell script in the user context without additional configuration or third-party tools.

Exam trap

The trap here is that candidates often confuse the execution context of Intune PowerShell scripts (user vs. system) and assume proactive remediations or compliance policies can run scripts in the user context, but only the PowerShell script deployment feature with the logged-on credentials option supports this.

How to eliminate wrong answers

Option B is wrong because a device configuration profile with a custom OMA-URI setting can only execute scripts in the system context via the DeviceManagement/Remediation CSP, not in the user context. Option C is wrong because a device compliance policy cannot directly trigger script execution; it only evaluates compliance and can mark devices noncompliant, but does not run remediation scripts. Option D is wrong because Intune proactive remediations run detection and remediation scripts in the system context by default, not the user context, and cannot be configured to run as a detection script in the user context.

286
MCQmedium

A company uses Microsoft Intune to manage iOS/iPadOS devices. They require that all corporate data on devices be protected with a passcode of at least 6 digits. Which policy type should you configure?

A.Device configuration policy (settings catalog).
B.Conditional Access policy.
C.Device compliance policy.
D.App protection policy.
AnswerC

Compliance policies evaluate passcode settings and mark devices as non-compliant if not met.

Why this answer

Option C is correct because device compliance policies can require a passcode length and complexity. Option A is wrong because device configuration policies include passcode settings but are not used for compliance assessment. Option B is wrong because conditional access policies grant access based on compliance, but do not configure passcode requirements.

Option D is wrong because app protection policies protect data at the app level, not the device level.

287
Multi-Selectmedium

A company uses Microsoft Intune to manage iOS devices. They need to enforce a policy that requires a passcode of at least 6 characters, allows Touch ID, and automatically wipes the device after 10 failed attempts. Which three settings should be configured in a device restrictions profile for iOS? (Choose three.)

Select 3 answers
A.Number of failed attempts before wipe.
B.Maximum passcode age (days).
C.Minimum passcode length.
D.Allow simple passcode.
E.Allow Touch ID.
AnswersA, C, E

This triggers a wipe after 10 failed attempts.

Why this answer

Option A is correct because the 'Number of failed attempts before wipe' setting directly enforces the requirement to automatically wipe the device after 10 failed passcode attempts. This setting is part of the device restrictions profile for iOS and triggers a device wipe when the specified threshold of consecutive incorrect passcode entries is reached.

Exam trap

The trap here is that candidates often confuse 'Maximum passcode age' with the wipe-on-failed-attempts setting, or mistakenly think 'Allow simple passcode' is required to enable Touch ID, when in fact Touch ID is a separate toggle that does not depend on simple passcode being allowed.

288
MCQhard

You are troubleshooting a Windows 11 device that fails to receive a PowerShell script deployed via Intune. The script is assigned to a group containing the device. Other policies on the device apply successfully. What should you check first?

A.Ensure the device has internet connectivity.
B.Check the Windows PowerShell execution policy on the device.
C.Check that the script is digitally signed.
D.Verify that the device is in the correct security group.
AnswerB

PowerShell scripts require the execution policy to be set to allow scripts.

Why this answer

Option B is correct because PowerShell scripts require the execution policy to be set to allow scripts. Option A is wrong because network issues would affect all policies, yet other policies apply successfully. Option D is wrong because the question states the device is already in the assigned group.

Option C is wrong because script signing is required only if the execution policy is restricted, so the first step is to check the execution policy.

289
MCQeasy

You are the endpoint administrator for Contoso Ltd. The company uses Microsoft Intune to manage Windows 11 devices. You need to deploy a critical security update to all devices within 24 hours. The update is a quality update (KB5001234). You have created an update ring policy named 'Critical Ring' assigned to all devices. The policy currently has a deferral period of 7 days. You need to ensure that the update is installed immediately. What should you do?

A.Change the update ring policy deadline to 7 days to ensure devices have enough time.
B.Create a new feature update policy for KB5001234 and assign it to all devices.
C.Modify the 'Critical Ring' update ring policy to set the quality update deferral period to 0 days and the deadline for updates to 1 day.
D.Use the Windows Server Update Services (WSUS) console to approve the update for immediate installation.
AnswerC

Removes deferral and sets a short deadline.

Why this answer

The update ring policy controls deferral and deadline. To install immediately, set deferral to 0 and deadline to 1 day. Creating a feature update policy is for feature updates, not quality updates.

Manually approving in WSUS is not relevant as Intune manages updates. Changing the deadline to 7 days would not meet the 24-hour requirement.

290
MCQmedium

A company uses Microsoft Intune to manage Windows devices. They want to deploy a custom line-of-business (LOB) app as a Win32 app. The app requires .NET Framework 4.8 and must be installed silently. Which file type should you use for the app deployment in Intune?

A..msi
B..appx
C..intunewin
D..exe
AnswerC

.intunewin is the required format for Win32 app deployment via Intune.

Why this answer

The .intunewin file is required for Win32 app deployment in Intune because it packages the installation files and detection rules into a single format that Intune can process. For a custom LOB app that needs silent installation and has dependencies like .NET Framework 4.8, the .intunewin wrapper allows you to specify the installation command (e.g., msiexec /i app.msi /qn) and detection logic, which is not possible with raw .msi or .exe files in the Win32 app context.

Exam trap

The trap here is that candidates mistakenly think a raw .exe or .msi can be deployed as a Win32 app in Intune, but Intune requires the .intunewin wrapper to handle detection, dependencies, and installation behavior for non-Store apps.

How to eliminate wrong answers

Option A is wrong because .msi files can be deployed directly as line-of-business apps in Intune, but they do not support the Win32 app deployment method's advanced features like custom detection rules, dependencies, or requirement rules; for a Win32 app, you must wrap the .msi in an .intunewin file. Option B is wrong because .appx files are used for Universal Windows Platform (UWP) apps, not Win32 apps, and they require a different deployment pipeline (e.g., Store or LOB app type). Option D is wrong because .exe files cannot be deployed directly as Win32 apps in Intune without being wrapped in an .intunewin file; the .intunewin packaging tool is required to encapsulate the .exe and its installation parameters.

291
Multi-Selecteasy

Which TWO methods can be used to enroll Android devices in Microsoft Intune?

Select 2 answers
A.Android Enterprise corporate-owned devices with work profile
B.Android Enterprise personally-owned devices with work profile
C.Android Device Administrator
D.Apple Business Manager
E.Windows Autopilot
AnswersA, B

This is a valid enrollment method.

Why this answer

Options A and B are correct. Android Enterprise corporate-owned devices with work profile and Android Enterprise personally-owned devices with work profile are standard enrollment methods. Option D is wrong because Apple Business Manager is for iOS.

Option E is wrong because Windows Autopilot is for Windows. Option C is wrong because Android Device Administrator is deprecated.

292
MCQeasy

Your organization uses Microsoft Intune to manage devices. You need to configure a policy that automatically retires a device if it does not check in for 30 days. Which policy type should you configure?

A.Device configuration policy
B.Compliance policy
C.Windows Update for Business policy
D.Device health attestation policy
AnswerB

Compliance policies can include a grace period and action for non-compliance, including retiring devices after a specified period of inactivity.

Why this answer

A compliance policy in Microsoft Intune can include a 'Maximum days since device last checked in' setting. When a device fails to check in for the specified period (e.g., 30 days), Intune marks it as noncompliant, and a conditional access policy or automated action (such as retiring the device) can be triggered. This directly meets the requirement to automatically retire a device after 30 days of inactivity.

Exam trap

The trap here is that candidates often confuse a device configuration policy (which controls settings) with a compliance policy (which enforces conditions and triggers actions like retirement), leading them to select Option A instead of B.

How to eliminate wrong answers

Option A is wrong because a device configuration policy manages settings like passwords, encryption, and restrictions, but it does not include a check-in timeout or retirement trigger. Option C is wrong because a Windows Update for Business policy controls update deferrals and delivery optimization, not device check-in monitoring or retirement. Option D is wrong because a device health attestation policy verifies boot integrity and security features (e.g., Secure Boot, BitLocker) via the TPM, but it does not enforce a check-in interval or automatic retirement.

293
MCQmedium

Your organization uses Microsoft Intune to manage devices. You need to ensure that only compliant devices can access corporate email. You configure a Conditional Access policy in Microsoft Entra ID targeting Exchange Online. What else must you configure in Intune to enforce compliance?

A.Device compliance policies.
B.No additional configuration is needed.
C.Device configuration policies.
D.App protection policies.
AnswerA

Compliance policies must be configured and assigned to devices.

Why this answer

Option A is correct because device compliance policies evaluate device health and report compliance status to Entra ID, which Conditional Access uses. Option C is wrong because device configuration policies do not affect compliance. Option D is wrong because app protection policies are for mobile apps, not device compliance.

Option B is wrong because compliance policies are required, not optional.

294
Multi-Selecthard

Which THREE conditions must be met for a Windows 10 device to be co-managed with Microsoft Intune and Microsoft Configuration Manager? (Choose three.)

Select 3 answers
A.The device must be enrolled in Microsoft Intune.
B.The device must have the Configuration Manager client installed.
C.The device must be Azure AD joined or hybrid Azure AD joined.
D.The device must be hybrid Azure AD joined.
E.The device must have the Intune Management Extension installed.
AnswersA, B, C

Intune enrollment is required for co-management.

Why this answer

Option A is correct because a device must be enrolled in Microsoft Intune to establish the co-management authority. Intune enrollment allows the device to receive policies and apps from the cloud, which is a prerequisite for splitting workloads between Configuration Manager and Intune. Without enrollment, the device cannot be managed by Intune at all.

Exam trap

The trap here is that candidates often think hybrid Azure AD join is mandatory (Option D), but Microsoft actually allows either Azure AD join or hybrid Azure AD join; they also treat the Intune Management Extension (Option E) as a prerequisite, when it is installed automatically after enrollment for specific app deployment scenarios.

295
MCQ · medium

You are implementing Windows Autopilot for your organization. You need to ensure that during the first boot, the device automatically enrolls in Microsoft Intune and joins Microsoft Entra ID. What is the minimum requirement for the device?

A. The device must have a local administrator account.
B. The device must be joined to an on-premises Active Directory domain.
C. The device must have a TPM 2.0 chip.
D. The device must be registered in Autopilot with a valid profile.
Answer: D

Autopilot requires registration and profile assignment.

Why this answer

Option D is correct because Windows Autopilot requires the device to be registered in the Autopilot service with a valid profile assigned. This profile contains the settings that dictate the out-of-box experience (OOBE), including automatic enrollment into Microsoft Intune and joining Microsoft Entra ID (formerly Azure AD). Without a registered Autopilot profile, the device will not trigger the automated enrollment and join process during first boot.

Exam trap

The trap here is that candidates often confuse hardware prerequisites (like TPM 2.0) with the mandatory requirement of a registered Autopilot profile, leading them to select Option C instead of D.

How to eliminate wrong answers

Option A is wrong because a local administrator account is not a prerequisite for Autopilot; the device can be a standard user device and still enroll via Autopilot. Option B is wrong because Autopilot devices are designed to join Microsoft Entra ID directly, not an on-premises Active Directory domain; hybrid join is an optional configuration, not a minimum requirement. Option C is wrong because while TPM 2.0 is recommended for self-deploying mode and Windows Hello for Business, it is not a minimum requirement for user-driven Autopilot enrollment and Entra ID join; devices without TPM 2.0 can still use user-driven mode with password-based authentication.

296
MCQ · hard

You have assigned the compliance policy shown in the exhibit to all Windows devices. A Windows 11 device running build 10.0.22621.1500 reports as noncompliant. Which setting is causing the noncompliance?

A. OS version is above the maximum allowed
B. Password minimum length is not met
C. Device threat protection level is below medium
D. TPM is not present
Answer: A

The device build 22621.1500 exceeds the maximum 22621.1000.

Why this answer

The compliance policy in the exhibit specifies a maximum OS version of 10.0.22621.1000, but the Windows 11 device is running build 10.0.22621.1500, which is above that maximum. Intune compares the device's OS version against the configured maximum OS version setting; if the device's version exceeds the maximum, it is marked as noncompliant. This setting is used to prevent devices with newer, potentially untested builds from accessing corporate resources.

Exam trap

The trap here is that candidates often assume noncompliance is due to missing security features like TPM or password policies, but the exhibit clearly shows a maximum OS version setting that the device's build exceeds, making it the direct cause.

How to eliminate wrong answers

Option B is wrong because the compliance policy does not include a password minimum length requirement, so the device cannot be noncompliant due to that setting. Option C is wrong because the policy does not configure a device threat protection level; the device threat protection setting is not present in the exhibit, so it cannot cause noncompliance. Option D is wrong because the policy does not require TPM presence; the TPM setting is not configured in the exhibit, so a missing TPM would not trigger noncompliance.

297
MCQ · medium

Refer to the exhibit. You run the PowerShell command shown and get the output. You need to force an immediate sync for PC-001. Which cmdlet should you use?

A. Sync-IntuneDevice -DeviceId ...
B. Start-DeviceSync -DeviceName PC-001
C. Invoke-IntuneDeviceAction -DeviceId ... -Action Sync
D. Update-IntuneDevice -DeviceId ...
Answer: A

This cmdlet initiates a sync with Intune.

Why this answer

The correct cmdlet is Sync-IntuneDevice, which is specifically designed to trigger an immediate synchronization for a Microsoft Intune-managed device by specifying its DeviceId. This cmdlet sends a sync request to the Intune service, forcing the device to check in and apply any pending policies or actions without waiting for the next scheduled sync interval.

Exam trap

The trap here is that candidates often mistake Invoke-IntuneDeviceAction for the sync cmdlet because it supports many device actions, but they fail to recognize that the correct parameter value for a sync is 'SyncDevice' (not 'Sync'), and that Sync-IntuneDevice is the dedicated cmdlet for this purpose.

How to eliminate wrong answers

Option B is wrong because Start-DeviceSync is not a valid Microsoft Intune cmdlet; it does not exist in the Microsoft Graph or Intune PowerShell module. Option C is wrong because Invoke-IntuneDeviceAction is a valid cmdlet but it requires an -Action parameter with a value like 'SyncDevice', not just 'Sync', and it is used for remote device actions such as wipe or retire, not for triggering a policy sync. Option D is wrong because Update-IntuneDevice is not a standard Intune cmdlet; it may be confused with Update-AutopilotDevice or similar, but it does not perform a sync action.
