CCNA Manage, maintain, and protect devices Questions

35 questions · Manage, maintain, and protect devices · All types, answers revealed

1
MCQ · easy

A company uses Microsoft Intune to manage iOS devices. They want to enforce a policy that requires a passcode of at least 6 characters and auto-lock after 5 minutes. Which configuration profile type should they use?

A. Device restrictions profile.
B. Wi-Fi profile.
C. VPN profile.
D. Email profile.
Answer: A

Device restrictions contain security settings like passcode and auto-lock.

Why this answer

A Device restrictions profile is the correct configuration profile type because it contains the security settings for iOS devices, including passcode requirements (minimum length, complexity) and device lock timeouts (auto-lock after minutes). This profile type enforces device-level security policies directly managed by Intune, making it the appropriate choice for requiring a 6-character passcode and 5-minute auto-lock.

Exam trap

The trap here is that candidates often confuse Device restrictions profiles with Compliance policies, but Compliance policies evaluate settings after they are applied, whereas Device restrictions profiles actually enforce the settings on the device.

How to eliminate wrong answers

Option B is wrong because a Wi-Fi profile is used to configure wireless network settings (SSID, authentication, certificates) and does not include passcode or auto-lock policies. Option C is wrong because a VPN profile configures virtual private network connections (server address, tunneling protocol, authentication) and has no settings for device passcode or lock timeout. Option D is wrong because an Email profile configures email account settings (server, username, SSL) and does not enforce device-level security policies like passcode length or auto-lock.

2
MCQ · hard

You are a Microsoft 365 Endpoint Administrator for a global organization with 5,000 Windows 11 devices managed by Intune. The company has a strict security policy requiring that all devices have BitLocker enabled with TPM validation, PIN, and startup key. Currently, only 80% of devices are compliant with BitLocker. After investigating, you discover that many non-compliant devices are older models that lack TPM 2.0, but they do have TPM 1.2. Additionally, some devices are virtual machines (VMs) that do not have a TPM at all. The security team insists that all devices must be encrypted, but they are willing to accept alternative configurations for devices without TPM 2.0. You need to propose a solution that maximizes security while ensuring compliance. What should you do?

A. Create a single compliance policy that requires BitLocker with TPM validation, PIN, and startup key, and exclude devices without TPM 2.0 from the policy.
B. Modify the existing compliance policy to remove the PIN requirement so that all devices can comply.
C. Create multiple compliance policies: one for devices with TPM 2.0 requiring full BitLocker, one for devices with TPM 1.2 requiring BitLocker with TPM validation, and one for VMs requiring BitLocker with startup password.
D. Downgrade all non-compliant devices to Windows 10 and enable BitLocker with TPM 1.2.
Answer: C

This addresses different hardware capabilities while maintaining encryption.

Why this answer

Option C is correct because it uses multiple compliance policies to enforce the strongest possible BitLocker configuration based on each device's TPM capabilities. Devices with TPM 2.0 can meet the full requirement (TPM validation, PIN, startup key), devices with TPM 1.2 can use TPM-only validation (since TPM 1.2 does not support PIN+startup key in the same way), and VMs without a TPM can use a startup password. This approach maximizes security while ensuring all devices remain compliant with the security policy's intent.

Exam trap

The trap here is that candidates assume a single compliance policy with exclusions is sufficient, but they overlook the need to enforce encryption on all devices by tailoring the BitLocker requirements to each device's TPM capabilities.

How to eliminate wrong answers

Option A is wrong because excluding devices without TPM 2.0 from the policy would leave them unmonitored and non-compliant, violating the requirement that all devices must be encrypted. Option B is wrong because removing the PIN requirement weakens security for devices that do support TPM 2.0, and it does not address the specific limitations of TPM 1.2 or VMs. Option D is wrong because downgrading to Windows 10 does not solve the TPM 1.2 or missing TPM issue; BitLocker on Windows 10 still requires a TPM (1.2 or 2.0) for TPM-only protection, and VMs still lack a TPM, so this would not achieve compliance.

3
MCQ · medium

A company uses Microsoft Intune to manage Windows 10 devices. Users report that after a recent update, some devices are stuck in a reboot loop. The administrator needs to identify devices affected by the issue. Which report in the Microsoft Intune admin center should the administrator use?

A. Windows Update report
B. Update compliance report
C. Device compliance report
D. Device inventory report
Answer: A

Windows Update report provides details on update deployment, including restart status.

Why this answer

The Windows Update report in the Microsoft Intune admin center provides detailed information about Windows 10 update deployments, including devices that are stuck in a reboot loop after an update. This report shows update status, errors, and pending reboots, allowing the administrator to identify affected devices and take remediation actions.

Exam trap

The trap here is that candidates often confuse the 'Update compliance report' (which is an Azure Monitor solution for broad update compliance) with the Intune-native 'Windows Update report' that specifically tracks update deployment status and reboot issues, leading them to select the wrong option.

How to eliminate wrong answers

Option B is wrong because the Update compliance report is a feature of Azure Monitor and Windows Analytics, not a native Intune report; it focuses on overall update compliance across devices but does not specifically highlight reboot loop issues. Option C is wrong because the Device compliance report shows compliance status against policies (e.g., encryption, antivirus) and does not track update-related reboot failures. Option D is wrong because the Device inventory report lists hardware and software details (e.g., OS version, installed apps) but does not include update status or reboot loop information.

4
MCQ · easy

A technician is troubleshooting a Windows 11 device that is enrolled in Intune. The device reports as 'Not compliant' due to missing required updates. The administrator runs the following command on the device and receives the output shown. What should the administrator do next to resolve the compliance issue?

A. Check for a policy conflict in Intune.
B. Run a manual sync from the Company Portal app.
C. Verify network connectivity to Microsoft Update.
D. Restart the device.
Answer: D

A pending restart is blocking the updates from completing.

Why this answer

The command output indicates that the Windows Update service is in a 'Stopped' state, which prevents the device from installing required updates. Restarting the device (Option D) will restart the Windows Update service and trigger a fresh update scan, allowing the device to become compliant on the next Intune check-in. This is the most direct fix for a stopped service that is blocking update installation.

Exam trap

The trap here is that candidates often assume a sync or connectivity check is needed, but the command output directly reveals a stopped service, making a restart the immediate and correct action.

How to eliminate wrong answers

Option A is wrong because a policy conflict in Intune would typically cause a different compliance status (e.g., 'Error' or 'Conflict') and would not manifest as a stopped Windows Update service; the command output clearly shows the service is not running, not a policy mismatch. Option B is wrong because running a manual sync from the Company Portal app only forces a device check-in with Intune to re-evaluate compliance policies, but it does not start the stopped Windows Update service or install missing updates; the sync would still report non-compliance if the updates are not installed. Option C is wrong because verifying network connectivity to Microsoft Update is unnecessary when the command output explicitly shows the Windows Update service is stopped; connectivity is irrelevant if the service cannot run.

5
Multi-Select · hard

A company uses Microsoft Intune to manage devices. They have a Windows 10 device that is non-compliant due to missing required updates. The administrator reviews the device and sees the update status shows 'Pending restart'. Which THREE actions should the administrator take to resolve the compliance issue?

Select 3 answers
A. Check the Update Rings policy for deferral settings.
B. Sync the device with Intune.
C. Restart the device.
D. Wait for the automatic restart from the compliance policy.
E. Re-enroll the device in Intune.
Answers: A, B, C

Deferrals may delay update installation.

Why this answer

Option A is correct because Update Rings policy deferral settings can delay the installation of required updates, causing the device to show a 'Pending restart' status without actually applying the updates. By checking and adjusting these deferral settings, the administrator can ensure updates are installed promptly, resolving the non-compliance issue.

Exam trap

The trap here is that candidates may assume waiting for an automatic restart (Option D) is sufficient, but Intune compliance policies do not enforce restarts; the administrator must take proactive steps like syncing and restarting to resolve the pending restart state.

6
MCQ · hard

A company manages 500 Windows 11 devices with Microsoft Intune. They use BitLocker encryption with automatic encryption enabled. Several devices report that encryption did not start. The administrator reviews the devices and finds that they are not compliant with the BitLocker policy. What is the most likely cause?

A. Devices do not have Secure Boot enabled
B. Devices do not have a Trusted Platform Module (TPM) chip
C. Devices are not Azure AD joined
D. BitLocker startup key is not saved to Azure AD
Answer: B

BitLocker requires a TPM to automatically encrypt devices.

Why this answer

BitLocker automatic encryption requires a compatible TPM chip to securely store encryption keys and validate system integrity. Without a TPM, BitLocker cannot start the encryption process automatically, leading to non-compliance with the policy. The other options do not directly prevent encryption from starting.

Exam trap

The trap here is that candidates often confuse Secure Boot with TPM requirements, assuming Secure Boot is mandatory for BitLocker, when in fact the TPM is the critical hardware component for automatic encryption to initiate.

How to eliminate wrong answers

Option A is wrong because Secure Boot is recommended but not strictly required for BitLocker automatic encryption; BitLocker can still encrypt without it, though it may affect integrity validation. Option C is wrong because Azure AD join is not a prerequisite for BitLocker encryption; devices can be Azure AD registered or hybrid joined and still encrypt. Option D is wrong because saving the BitLocker startup key to Azure AD is a recovery key backup step, not a prerequisite for encryption to start; encryption can begin without this backup.

7
MCQ · easy

An administrator runs the above PowerShell command on a Windows 10 device managed by Microsoft Defender for Endpoint. The device is reporting as healthy in the security console. Based on the output, which protection feature is disabled?

A. IOAV protection
B. Antimalware service
C. Real-time protection
D. Antivirus
Answer: C

RealTimeProtectionEnabled is False, so real-time protection is disabled.

Why this answer

The PowerShell command `Get-MpComputerStatus` returns the current status of Microsoft Defender Antivirus. The output shows `AMServiceEnabled : False`, which indicates the antimalware service is disabled, but the critical indicator is `RealTimeProtectionEnabled : False`. Real-time protection monitors file system activity for malware in real time; when disabled, the device may still report as healthy in the Microsoft Defender for Endpoint console if other components (e.g., cloud-delivered protection) are active, but the device is not fully protected against immediate threats.

Exam trap

The trap here is that candidates see `AMServiceEnabled : False` and assume the antimalware service is the disabled feature, but the question specifically asks which protection feature is disabled based on the output, and `RealTimeProtectionEnabled : False` is the direct answer; the antimalware service being disabled is a separate state that would also disable real-time protection, but the output explicitly lists real-time protection as disabled.

How to eliminate wrong answers

Option A is wrong because IOAV (Internet-Origin Antimalware) protection is controlled by the `IoavProtectionEnabled` property, which is not shown as False in the output; IOAV protection specifically scans downloaded files from the internet and is separate from real-time protection. Option B is wrong because `AMServiceEnabled : False` indicates the antimalware service itself is disabled, but the question asks which protection feature is disabled based on the output; the antimalware service being disabled would typically prevent real-time protection from functioning, but the direct output shows `RealTimeProtectionEnabled : False` as the explicit feature disabled. Option D is wrong because antivirus (the overall product) is not a single toggle; the output shows `AMProductEnabled : True`, meaning the antivirus product is enabled, but real-time protection (a sub-feature) is disabled.

8
MCQ · hard

A user reports that their Windows 10 device is not receiving policies from Microsoft Intune. The device shows as 'Not compliant' in the Intune console. You run the Get-MgDeviceManagementManagedDevice cmdlet and see that the device is enrolled and appears in the list. However, the LastSyncTime is 14 days ago. What is the most likely cause?

A. The MDM certificate has expired.
B. The device is not connected to the internet due to a proxy misconfiguration.
C. The device is not enrolled in Intune.
D. The Intune Management Extension service is not running on the device.
Answer: D

This service manages policy sync.

Why this answer

The Intune Management Extension (IME) service is responsible for synchronizing policies, including compliance and configuration policies, from Intune to Windows 10 devices. If the IME service is not running, the device will not receive new policies or sync status, leading to a stale LastSyncTime (14 days ago) and a 'Not compliant' state, even though the device is enrolled and appears in the Get-MgDeviceManagementManagedDevice output.

Exam trap

The trap here is that candidates often assume a stale LastSyncTime always indicates a network or connectivity issue (like a proxy), but the question specifically states the device is enrolled and appears in the list, pointing instead to a service-level failure like the Intune Management Extension not running.

How to eliminate wrong answers

Option A is wrong because an expired MDM certificate would typically cause enrollment failure or a complete loss of communication, not just a stale sync time; the device would likely show as 'Not enrolled' or 'Pending' rather than enrolled with a 14-day-old sync. Option B is wrong because a proxy misconfiguration would prevent any internet connectivity, causing the device to fail to reach Intune entirely, which would result in a much older LastSyncTime or a 'Not connected' status, not a specific 14-day gap. Option C is wrong because the Get-MgDeviceManagementManagedDevice cmdlet output explicitly shows the device is enrolled and in the list, contradicting the claim that it is not enrolled.

9
MCQ · medium

You are reviewing a Windows 10 compliance policy in Microsoft Intune. A user with a device running Windows 10 version 20H2 (build 19042.985) reports that the device is marked as non-compliant. The device has a password of length 8, a PIN with 4 characters, Secure Boot enabled, BitLocker enabled, and Windows Defender Firewall active. What is the most likely reason for non-compliance?

A. Windows Defender Firewall is not active.
B. Secure Boot is not enabled on the device.
C. The OS build number 19042.985 is below the required minimum version 19041.0.
D. The device uses a PIN with only 4 characters, which does not meet the minimum password length of 6.
Answer: D

Password minimum length is 6, but PIN length is 4.

Why this answer

The device uses a PIN with only 4 characters, which does not meet the minimum password length of 6. In Intune compliance policies for Windows 10, the 'Minimum password length' setting applies to both passwords and PINs. A PIN of 4 characters violates this requirement, causing non-compliance even if other settings like BitLocker and Secure Boot are properly configured.

Exam trap

The trap here is that candidates assume a PIN is separate from a password and not subject to the same minimum length requirement, but Intune's compliance policy treats both under the same 'password length' rule.

How to eliminate wrong answers

Option A is wrong because the user reports Windows Defender Firewall is active, and the question states it is active, so this is not the cause of non-compliance. Option B is wrong because Secure Boot is explicitly enabled on the device, as stated in the scenario. Option C is wrong because the build number 19042.985 is above the required minimum version 19041.0, so the OS version meets the compliance requirement.

10
Drag & Drop · medium

Arrange the steps to troubleshoot a BitLocker recovery key prompt on a Windows 10 device.


Why this order

First identify cause, retrieve key, enter it, then address root cause.

11
MCQ · medium

You are a Microsoft 365 Endpoint Administrator for a medium-sized company that uses Intune to manage Windows 10 and iOS devices. The company recently experienced a malware outbreak on several Windows 10 devices. The security team wants to implement a solution that can automatically remediate threats on Windows 10 devices by isolating them from the network and running a full antivirus scan. They also want to be alerted when a threat is detected. You have already configured Microsoft Defender for Endpoint (MDE) and devices are onboarded. What should you configure in Intune to meet these requirements?

A. Configure a device compliance policy to require Device Health Attestation (DHA) and set the action for non-compliance to 'Quarantine device'.
B. Create a device compliance policy that marks devices with active threats as non-compliant, and configure the non-compliance action to 'Retire device' and 'Send notification'.
C. Enable Windows Defender Firewall with advanced security and create an inbound rule to block all traffic.
D. Configure AppLocker to block all apps and set the action to 'Run antivirus scan'.
Answer: B

Retire action can be used to isolate and remediate, but a more accurate answer would be to use the 'Quarantine' action; however, Intune's compliance policy can trigger MDE's automatic investigation and remediation. In practice, you would use MDE's automated investigation and remediation capabilities, which can be triggered by compliance policy. Option D is the closest correct answer.

Why this answer

Option B is correct because it leverages Intune's device compliance policy to detect active threats via Microsoft Defender for Endpoint integration. When a device has an active threat, it is marked as non-compliant, and the configured non-compliance action 'Retire device' ensures the device is isolated from corporate resources, while 'Send notification' alerts the security team. This meets the requirements for automatic remediation and alerting without additional manual steps.

Exam trap

The trap here is that candidates confuse 'Quarantine device' (a compliance action that only blocks resource access) with the actual network isolation and remediation workflow, or they mistakenly think AppLocker or Firewall rules can replace MDE's automated threat response.

How to eliminate wrong answers

Option A is wrong because Device Health Attestation (DHA) verifies boot integrity (e.g., Secure Boot, BitLocker) but does not detect or remediate active malware threats; its non-compliance action 'Quarantine device' only blocks access to resources, not isolate from network or run a scan. Option C is wrong because enabling Windows Defender Firewall with an inbound rule to block all traffic is a static network control that does not automatically detect threats, isolate the device, or trigger a full antivirus scan; it also lacks alerting capabilities. Option D is wrong because AppLocker is an application control feature that blocks apps based on rules, not a threat remediation tool; it cannot run a full antivirus scan or isolate the device from the network, and it does not integrate with MDE threat detection for automatic actions.

12
MCQ · medium

You have the following JSON compliance policy for Windows 10 devices in Intune. A device with OS version 10.0.19042.0, build 19042, with BitLocker enabled, Secure Boot enabled, but Code Integrity disabled reports as non-compliant. Which setting is causing the non-compliance?

A. requireCodeIntegrity
B. minimumOsVersion
C. requireSecureBoot
D. requireDeviceEncryption
Answer: A

Code Integrity is disabled, causing non-compliance.

Why this answer

The device reports as non-compliant because the compliance policy requires `requireCodeIntegrity` to be enabled, but the device has Code Integrity disabled. Even though BitLocker and Secure Boot are enabled, and the OS version meets the minimum requirement, the absence of Code Integrity enforcement triggers non-compliance. In Intune, Windows 10 compliance policies evaluate each setting independently, and a failure on any required setting results in overall non-compliance.

Exam trap

The trap here is that candidates often assume Secure Boot or BitLocker alone satisfy all security requirements, but Intune's `requireCodeIntegrity` is a separate, independent check that specifically enforces runtime code validation, and failing to enable it causes non-compliance even when other security features are active.

How to eliminate wrong answers

Option B is wrong because `minimumOsVersion` is satisfied by OS version 10.0.19042.0 (build 19042), which is above the typical minimum (e.g., 10.0.17763 for 1809), so it is not causing non-compliance. Option C is wrong because `requireSecureBoot` is enabled on the device, as stated in the scenario, so Secure Boot is compliant. Option D is wrong because `requireDeviceEncryption` is satisfied by BitLocker being enabled, which provides full device encryption, so this setting is compliant.

13
MCQ · easy

You are deploying Microsoft Defender for Endpoint to Windows 10 devices managed by Microsoft Intune. After onboarding, you need to verify that the sensor is running. Which cmdlet should you use on the device?

A. Get-Service -Name WinDefend
B. Get-DefenderEndpoint
C. Get-MpComputerStatus
D. Get-Service -Name Sense
Answer: D

The Defender for Endpoint sensor service is named 'Sense'.

Why this answer

The correct cmdlet is Get-Service -Name Sense because the Microsoft Defender for Endpoint sensor runs as a Windows service named 'Sense' (Microsoft Defender Advanced Threat Protection Service). Checking this service confirms the sensor is installed and running, which is the standard verification step after onboarding devices to Defender for Endpoint.

Exam trap

The trap here is that candidates confuse the Defender for Endpoint sensor service (Sense) with the Windows Defender Antivirus service (WinDefend) or mistakenly use a non-existent cmdlet like Get-DefenderEndpoint, leading them to choose an incorrect verification method.

How to eliminate wrong answers

Option A is wrong because Get-Service -Name WinDefend checks the Windows Defender Antivirus service (WinDefend), not the Defender for Endpoint sensor. Option B is wrong because Get-DefenderEndpoint is not a valid PowerShell cmdlet; the correct cmdlet for checking sensor status is Get-MpComputerStatus or Get-Service -Name Sense. Option C is wrong because Get-MpComputerStatus retrieves antimalware status and definitions, not the running state of the Defender for Endpoint sensor service.

14
MCQ · hard

An organization uses Microsoft Intune to manage Windows 10 devices. They deploy a PowerShell script via Intune to install a custom application. The script runs successfully on some devices but fails on others with error code 0x80070002. What is the most likely cause?

A. The script execution exceeds the 60-minute timeout.
B. The user does not have local administrator privileges on the failing devices.
C. The script references a file path that does not exist on the failing devices.
D. The PowerShell execution policy is set to Restricted on the failing devices.
Answer: C

Error 0x80070002 is 'File not found'.

Why this answer

Option B is correct because the script likely references a file that is not present. Option A is wrong because execution policy can be bypassed by Intune. Option C is wrong because admin rights are granted.

Option D is wrong because script timeout would give a different error.

15
MCQ · hard

A company uses Microsoft Intune to manage Windows 10 devices. A user reports that their device is not receiving critical security updates despite being compliant with all update policies. You verify that the device is online and communicating with Intune. Which action should you take to resolve the issue?

A. Verify that the device meets the minimum hardware requirements for the update.
B. Force a sync from the device via Intune Company Portal or Settings > Accounts > Access work or school.
C. Reassign the device to a different Update Ring policy that has no feature update deferral.
D. Review the Windows Update Rings policy assigned to the device and adjust the deferral settings for quality updates.
Answer: D

Deferral settings can delay updates; adjusting them can resolve the issue.

Why this answer

The user's device is compliant and online, but not receiving critical security updates. The most likely cause is that the Windows Update Rings policy assigned to the device has a deferral period configured for quality updates, which delays the installation of security patches. Adjusting the deferral settings for quality updates to 0 days ensures that critical security updates are installed immediately upon release, resolving the issue without changing the feature update deferral.

Exam trap

The trap here is that candidates confuse 'force sync' with 'force update installation,' not realizing that a sync only retrieves policy and update metadata, but the deferral period still prevents the update from being offered until it expires.

How to eliminate wrong answers

Option A is wrong because minimum hardware requirements are checked by Windows Update itself before offering an update, and a device that is compliant with update policies would already meet those requirements; this is not a policy-related issue. Option B is wrong because forcing a sync only triggers the device to check for new policies and pending updates from Intune, but if the deferral period is still in effect, the sync will not cause the critical updates to be installed—they will remain deferred. Option C is wrong because reassigning to a different Update Ring policy that has no feature update deferral does not address the quality update deferral; feature update deferral controls major version upgrades, not critical security patches, and changing it would not resolve the delay in receiving quality updates.

16
MCQ · easy

An organization uses Configuration Manager to deploy software updates to Windows 10 devices. The administrator wants to ensure that devices receive updates from the local distribution point rather than the cloud. Which boundary group option should be configured?

A. Prefer distribution points over cloud sources
B. Enable peer caching
C. Use cloud distribution points only
D. Fallback to cloud sources
Answer: A

This setting forces clients to use local distribution points first.

Why this answer

Option A is correct because the 'Prefer distribution points over cloud sources' boundary group option ensures that clients will attempt to download software updates from a local distribution point before falling back to a cloud-based source. This setting directly controls client behavior to prioritize on-premises distribution points, which aligns with the administrator's goal of keeping traffic local and avoiding cloud egress.

Exam trap

The trap here is that candidates often confuse 'Prefer distribution points over cloud sources' with 'Fallback to cloud sources,' mistakenly thinking that allowing fallback is the same as prioritizing local sources, when in fact the fallback option only enables cloud use as a last resort without establishing a preference order.

How to eliminate wrong answers

Option B is wrong because 'Enable peer caching' configures clients to share content with each other within the same boundary group, but it does not influence the preference between local distribution points and cloud sources; it is a separate optimization for peer-to-peer content distribution. Option C is wrong because 'Use cloud distribution points only' would force clients to exclusively use cloud sources, which is the opposite of the desired behavior to avoid the cloud. Option D is wrong because 'Fallback to cloud sources' allows clients to use cloud distribution points as a backup when local distribution points are unavailable, but it does not prioritize local distribution points over cloud sources; it merely permits cloud fallback.

17
MCQ · easy

A company uses Microsoft Intune to manage devices. They want to ensure that when a device is reported as lost or stolen, the IT admin can remotely wipe the device. Which action should the admin take in the Intune console?

A. Select the device and choose 'Retire'.
B. Select the device and choose 'Wipe'.
C. Select the device and choose 'Reset'.
D. Select the device and choose 'Delete'.
Answer: B

Wipe performs a factory reset, removing all data.

Why this answer

The 'Wipe' action in Microsoft Intune restores a device to its factory default settings, removing all corporate and personal data. This is the appropriate action for a lost or stolen device to prevent unauthorized access to company data. The 'Retire' action only removes managed app data and policies but leaves personal data intact, which is insufficient for a security breach scenario.

Exam trap

The trap here is that candidates often confuse 'Retire' with 'Wipe', assuming both remove data equally, but 'Retire' only removes managed corporate data while leaving personal data and device access intact, making it unsuitable for lost or stolen scenarios.

How to eliminate wrong answers

Option A is wrong because 'Retire' removes only managed corporate data and policies from the device, leaving personal data and the device itself functional, which does not fully protect data on a lost or stolen device. Option C is wrong because 'Reset' is not a standard Intune action; the correct term is 'Wipe' for factory reset, and 'Reset' may be confused with a local device reset that is not initiated via Intune. Option D is wrong because 'Delete' removes the device object from Intune management but does not perform a remote wipe, leaving the device and its data untouched.

18
Multi-Select · medium

A company uses Microsoft Intune to manage Windows 10 devices. The administrator needs to configure Windows Defender Firewall rules via a device configuration profile. Which TWO settings can be configured?

Select 3 answers
A.Configure notification settings
B.Set default inbound action
C.Enable local firewall merge
D.Set default outbound action
E.Configure log file location
AnswersB, C, D

Default inbound action (allow/block) can be configured.

Why this answer

Option B is correct because the Windows Defender Firewall device configuration profile in Microsoft Intune includes the 'Default inbound action' setting, which allows administrators to specify whether inbound connections that do not match an explicit rule should be blocked or allowed. This setting is a core firewall behavior control that can be enforced via a device configuration profile (Windows 10 and later) under the 'Endpoint Protection' category.

Exam trap

The trap here is that candidates often assume 'Set default outbound action' is configurable in the same profile because it mirrors the inbound setting, but the MD-102 exam tests that only the inbound default action is exposed in the Intune device configuration profile for Windows Defender Firewall rules.

19
Matchingmedium

Match each Microsoft 365 Apps update channel to its description.

Monthly updates with new features first

Monthly security and quality updates

Updates twice a year (January and July)

Early access to upcoming features

Insider builds for testing

Why these pairings

Update channels control how Microsoft 365 Apps are updated, relevant for MD-102.

20
Multi-Selecthard

You manage a hybrid Azure AD joined environment with Microsoft Intune. You need to migrate Group Policy objects (GPOs) to Intune policies for Windows 10 devices. Which THREE tools or methods should you use?

Select 3 answers
A.MDM Migration Analysis Tool (MMAT)
B.Custom OMA-URI settings in a configuration profile
C.Desktop Analytics
D.Group Policy Analytics in Microsoft Intune
E.PowerShell scripts to apply registry settings
AnswersA, B, D

MMAT assesses GPO compatibility with MDM.

Why this answer

The MDM Migration Analysis Tool (MMAT) is correct because it analyzes existing on-premises Group Policy Objects (GPOs) and generates a report mapping each GPO setting to its equivalent MDM policy in Intune, including a readiness score. This tool directly supports the migration workflow by identifying which GPOs can be converted and which require manual intervention, making it essential for planning a GPO-to-Intune migration.

Exam trap

The trap here is that candidates often confuse Desktop Analytics (a Windows upgrade readiness tool) with Group Policy Analytics (a GPO-to-Intune migration tool), leading them to incorrectly select Desktop Analytics as a valid migration method.

21
Multi-Selecthard

An organization uses Configuration Manager to manage Windows 10 devices. The administrator is configuring a phased deployment for a software update. Which THREE conditions can be used to define the phases?

Select 3 answers
A.Collection membership
B.Time-based delay between phases
C.Percentage of clients
D.Device compliance status
E.Manual approval for next phase
AnswersA, C, E

Phases can target specific collections.

Why this answer

Collection membership (A) is correct because Configuration Manager phased deployments allow you to specify a target collection for each phase, such as a collection containing pilot devices for the first phase and a broader collection for subsequent phases. This enables granular control over which devices receive the update at each stage, based on existing collection membership rules.

Exam trap

The trap here is that candidates confuse phased deployment conditions with general deployment options, mistakenly thinking time-based delays or compliance status are valid phase criteria, when only collection membership, percentage of clients, and manual approval are supported.

22
Multi-Selectmedium

A company uses Microsoft Intune to manage Windows 10 devices. They need to deploy a line-of-business (LOB) app that is not available in the Microsoft Store. The app is packaged as an .msi file. Which TWO steps are required to deploy this app via Intune?

Select 2 answers
A.Upload the .msi file directly as a Microsoft Store for Business app.
B.Install the app on a file server and configure a shortcut.
C.Assign the app to a group of users or devices.
D.Convert the .msi file to the .intunewin format using the Microsoft Win32 Content Prep Tool.
E.Create a PowerShell script to install the app silently.
AnswersC, D

App must be assigned to a target group.

Why this answer

Option C is correct because after preparing the Win32 app, you must assign it to a group of users or devices in Intune to trigger deployment. Without assignment, the app is uploaded but not installed on any target. This step is mandatory for any Intune-managed app deployment.

Exam trap

The trap here is that candidates often think uploading the .msi directly is sufficient, but Intune requires the .intunewin wrapper for Win32 apps, and they may also mistakenly believe a PowerShell script is mandatory for silent installation when the .msi’s built-in silent switches can be specified in the app deployment configuration.

23
MCQmedium

An administrator uses Configuration Manager to manage Windows 10 devices. The administrator wants to deploy a custom Windows application as an Application model deployment type. The application requires a reboot. Which deployment purpose should the administrator use to allow users to control the installation timing?

A.Mandatory
B.Pre-deploy
C.Required
D.Available
AnswerD

Available deployments allow users to install at their convenience from Software Center.

Why this answer

The Available deployment purpose allows users to see the application in Software Center and choose when to install it, including scheduling the required reboot at their convenience. This gives users control over installation timing, which is the stated requirement. Required and Mandatory deployments force installation according to a schedule, removing user choice.

Exam trap

The trap here is that candidates confuse 'Available' with 'Required' because both can deliver applications, but only Available gives users control over installation timing and reboot scheduling.

How to eliminate wrong answers

Option A is wrong because Mandatory is not a valid deployment purpose in Configuration Manager; the correct term for a forced installation is Required. Option B is wrong because Pre-deploy is not a deployment purpose; it refers to pre-staging content on distribution points, not controlling user installation timing. Option C is wrong because Required deployment forces the application to install according to a defined deadline, which does not allow users to control when the installation occurs.

24
MCQmedium

A company uses Microsoft Intune to manage Windows 10 devices. They need to ensure that only devices with BitLocker enabled can access corporate email via Exchange Online. Which configuration should the administrator use to enforce this requirement?

A.Create a Device Compliance policy for Windows 10 with the 'Require encryption of data storage on device' setting enabled.
B.Create a Conditional Access policy that requires device compliance and assign it to Exchange Online.
C.Create an App Protection policy for the Outlook mobile app that requires device encryption.
D.Configure Windows Defender Firewall to block non-BitLocker encrypted devices.
AnswerB

Conditional Access can enforce access based on compliance, which includes BitLocker status.

Why this answer

Option B is correct because a Conditional Access policy in Azure AD can require that devices accessing Exchange Online be marked as compliant in Intune. By combining a Device Compliance policy that requires encryption (BitLocker) with a Conditional Access policy targeting Exchange Online, only compliant devices with BitLocker enabled will be granted access to corporate email.

Exam trap

The trap here is that candidates confuse Device Compliance policies (which only report status) with Conditional Access policies (which enforce access control), leading them to pick Option A, thinking compliance alone blocks access.

How to eliminate wrong answers

Option A is wrong because a Device Compliance policy alone does not enforce access control; it only evaluates and reports compliance status. Without a Conditional Access policy to block non-compliant devices, devices without BitLocker can still access Exchange Online. Option C is wrong because App Protection policies apply to mobile apps (like Outlook for iOS/Android) and manage data protection at the app level, not device-level encryption like BitLocker on Windows 10.

Option D is wrong because Windows Defender Firewall controls network traffic based on IP/port rules, not device encryption status; it cannot enforce BitLocker requirements for Exchange Online access.

25
MCQmedium

A company uses Microsoft Intune to manage iOS/iPadOS devices. The compliance policy requires a minimum OS version of 15.0. A user reports that their iPad running iOS 14.8 cannot access company email and shows as non-compliant. However, the device is up to date with the latest available OS for that hardware. What should you do to allow the device to access email while maintaining security?

A.Configure a compliance grace period of 30 days on the policy.
B.Change the minimum OS version to 14.8 in the policy.
C.Delete the compliance policy that requires iOS 15.0.
D.Request the user to update the iPad to iOS 15.0.
AnswerA

A grace period allows temporary access while the user updates.

Why this answer

Option A is correct because a compliance grace period allows the device to remain non-compliant for a specified duration (e.g., 30 days) without immediately blocking access to company resources. This gives the user time to update the OS if possible, but since the iPad hardware cannot go beyond iOS 14.8, the grace period still permits email access while the device is marked non-compliant, maintaining security by not permanently exempting the device.

Exam trap

The trap here is that candidates often choose to lower the OS version requirement (Option B) or delete the policy (Option C) as a quick fix, failing to recognize that a grace period is the designed Intune feature to handle temporary or hardware-limited non-compliance without compromising the overall security baseline.

How to eliminate wrong answers

Option B is wrong because lowering the minimum OS version to 14.8 would permanently weaken the security baseline for all devices, not just the one that cannot update. Option C is wrong because deleting the compliance policy entirely removes the OS version requirement for all devices, which is an overreaction and compromises security. Option D is wrong because requesting the user to update to iOS 15.0 is impossible on hardware that does not support that version, so it is not a viable solution.

26
MCQhard

A company uses Microsoft Intune to manage iOS devices. The administrator configures a device compliance policy that requires a minimum OS version of 15.0. Users report that devices running iOS 14.8 are marked non-compliant even after updating to iOS 15.0. What is the most likely cause?

A.The device has not checked in with Intune after the update
B.The compliance policy requires a grace period
C.The update was not applied successfully
D.The compliance policy is not assigned to the correct user group
AnswerA

Compliance evaluation occurs at check-in; if the device hasn't checked in, status remains.

Why this answer

The most likely cause is that the device has not checked in with Intune after the update. Intune relies on periodic check-ins to evaluate compliance; if the device updated to iOS 15.0 but hasn't completed a check-in, Intune still sees the last reported OS version (14.8) and marks it non-compliant. A forced sync or waiting for the next scheduled check-in resolves this.

Exam trap

The trap here is that candidates assume the compliance policy is evaluated in real-time or that a successful OS update automatically triggers a compliance re-evaluation, when in fact Intune relies on scheduled or manual check-ins to refresh device state.

How to eliminate wrong answers

Option B is wrong because a grace period gives users time to remediate non-compliance (e.g., update the OS) but does not affect the reporting of the current OS version after an update; the issue is about stale data, not a delay in enforcement. Option C is wrong because users report the update was applied, and the problem is that Intune hasn't received the new version, not that the update failed—failed updates would typically leave the device on 14.8 with no change. Option D is wrong because the compliance policy is assigned and affecting the correct devices (they are marked non-compliant), so assignment to the wrong group would mean no compliance evaluation at all, not a stale version mismatch.

27
Matchingmedium

Match each Windows 10/11 edition to its applicable Microsoft 365 feature.

Supports MDM and basic compliance policies

Full feature set including Windows Defender Application Guard

Similar to Enterprise but for academic institutions

Pro features with education-specific settings

Not supported for MDM enrollment

Why these pairings

Edition support is crucial for endpoint management in MD-102.

28
MCQhard

A company uses Microsoft Intune to manage Windows 10 devices. They have a compliance policy that requires BitLocker to be enabled. Some devices are marked as non-compliant even though BitLocker appears to be on. The administrator runs 'manage-bde -status' on a non-compliant device and sees that the protection status is 'Protection Off'. What is the most likely cause?

A.The BitLocker key protectors are missing or have been removed.
B.The TPM is not initialized.
C.The device has a recovery password protector but no TPM protector.
D.The device uses a different encryption method (e.g., XTS-AES 256 vs AES 128).
AnswerA

Without key protectors, BitLocker protection is suspended.

Why this answer

The compliance policy requires BitLocker to be enabled, but 'manage-bde -status' shows 'Protection Off'. This indicates that while the drive is encrypted, BitLocker is not actively protecting the data because the key protectors (such as the TPM protector) are missing or have been removed. Intune checks the protection status, not just encryption state, so when protectors are absent, the device is marked non-compliant.

Exam trap

The trap here is that candidates confuse 'encrypted' with 'protected'—BitLocker can encrypt a drive without active protection if key protectors are missing, and Intune compliance policies specifically require protection to be on, not just encryption to be present.

How to eliminate wrong answers

Option B is wrong because if the TPM were not initialized, BitLocker would typically fail to enable or would show a different status (e.g., 'TPM is not ready'), not 'Protection Off' on an already encrypted drive. Option C is wrong because having a recovery password protector without a TPM protector is a valid configuration (e.g., on devices without TPM) and would still show 'Protection On' if the protector is present and active. Option D is wrong because the encryption method (e.g., XTS-AES 256 vs AES 128) does not affect the protection status; it only determines the algorithm used for encryption, and Intune compliance policies do not check for encryption method mismatch.

29
MCQmedium

A company deploys Windows 10 Enterprise devices managed by Microsoft Intune. Users report that after a recent Windows update, the Start menu layout is reset to default on some devices. The company uses a custom Start menu layout XML policy. How should the administrator ensure the custom layout is reapplied automatically after feature updates?

A.Use a Feature Update policy in Intune to set the 'Start layout XML' setting.
B.Deploy a provisioning package with the custom layout to all devices via Intune.
C.Configure the 'Start layout' policy under User Configuration > Administrative Templates > Start Menu and Taskbar to point to the XML file.
D.Reapply the Start layout policy manually after each feature update.
AnswerC

The Start layout policy is reapplied during policy refresh, which occurs after feature updates.

Why this answer

Option C is correct because the 'Start layout' policy under User Configuration > Administrative Templates > Start Menu and Taskbar in a Group Policy Object (GPO) or Intune Administrative Template profile is designed to persistently enforce a custom Start layout XML. When a Windows feature update resets the Start menu to default, this policy automatically reapplies the custom layout at next user logon or policy refresh, ensuring consistency without manual intervention.

Exam trap

The trap here is that candidates confuse Feature Update policies (which manage version upgrades) with configuration policies (which enforce settings like Start layout), leading them to incorrectly select Option A.

How to eliminate wrong answers

Option A is wrong because a Feature Update policy in Intune controls which Windows version is installed, not the Start layout configuration; it does not contain a 'Start layout XML' setting. Option B is wrong because a provisioning package applies settings only during initial device setup or reset, not dynamically after a feature update; it is not designed for ongoing policy enforcement. Option D is wrong because manual reapplication is not an automated solution and contradicts the requirement for automatic reapplication after feature updates.

30
Drag & Dropmedium

Arrange the steps to troubleshoot a Windows 10 device failing to enroll in Microsoft Intune.

Why this order

Start with basic connectivity and licensing, then check logs for errors, verify prerequisites, and retry.

31
MCQmedium

A company uses Microsoft Intune to manage Windows 10 devices. The security team reports that several devices are missing critical security updates. You need to ensure that devices install updates within 7 days of release. What should you configure?

A.Create a compliance policy for Windows 10 update compliance.
B.Create an update ring for Windows 10 with a deadline of 7 days.
C.Create a device configuration profile for Windows 10 updates.
D.Configure a Windows Update for Business policy in Group Policy.
AnswerB

Update rings enforce update installation deadlines.

Why this answer

Option B is correct because update rings in Microsoft Intune allow you to configure Windows Update for Business settings, including a deadline for feature and quality updates. Setting a deadline of 7 days ensures that devices must install released updates within that timeframe, directly addressing the requirement for timely installation of critical security updates.

Exam trap

The trap here is that candidates often confuse compliance policies (which only report on update status) with update rings (which enforce installation deadlines), leading them to choose Option A instead of B.

How to eliminate wrong answers

Option A is wrong because compliance policies evaluate device configuration and health (e.g., required updates installed) but do not enforce an installation deadline; they only report non-compliance. Option C is wrong because device configuration profiles manage settings like security policies or certificates, not update deadlines or rings. Option D is wrong because Group Policy is a traditional on-premises management tool that does not integrate with Intune for cloud-managed devices; the question specifies Microsoft Intune management, so a cloud-native solution (update ring) is required.

32
Multi-Selecteasy

Which TWO actions are supported by Microsoft Intune for managing macOS devices?

Select 2 answers
A.Configure Windows Hello for Business.
B.Apply device compliance policies.
C.Enable BitLocker encryption.
D.Deploy software update policies.
E.Deploy .app applications.
AnswersB, D

Intune supports compliance policies for macOS.

Why this answer

Option B is correct because Microsoft Intune supports device compliance policies for macOS devices, allowing administrators to define rules (e.g., OS version, encryption status, firewall settings) that devices must meet to be considered compliant. These policies are evaluated by the Intune Company Portal app on macOS and can trigger conditional access controls to block non-compliant devices from accessing corporate resources.

Exam trap

The trap here is that candidates often assume .app applications are deployable via Intune because they are common on macOS, but Intune requires .pkg or .dmg formats for managed deployment, and .app bundles are only used for manual installation or through Apple's Volume Purchase Program (VPP).

33
Multi-Selectmedium

You are configuring Microsoft Intune to manage Windows 10 devices. Which TWO actions are required to enable BitLocker encryption on devices?

Select 2 answers
A.Create a device configuration profile for endpoint protection and enable BitLocker settings.
B.Create a compliance policy that requires BitLocker.
C.Ensure the device has a TPM version 2.0 chip.
D.Configure a device cleanup rule.
E.Deploy a Windows 10 update ring.
AnswersA, C

This profile configures BitLocker on devices.

Why this answer

Option A is correct because BitLocker settings are configured via a device configuration profile for endpoint protection in Microsoft Intune. This profile includes policies such as requiring TPM startup PIN or startup key, encryption method, and OS drive encryption. Without this profile, BitLocker cannot be enforced or configured on managed Windows 10 devices.

Exam trap

The trap here is that candidates confuse a compliance policy (which only reports/remediates) with a configuration profile (which actually applies settings), and they may also mistakenly think a TPM requirement is an administrative action rather than a device prerequisite.

34
MCQhard

You are troubleshooting a Windows 10 device that is enrolled in Microsoft Intune. The device shows as 'Pending' in the Intune console. The user confirms that the device was enrolled using a provisioning package. Which log file should you review to diagnose the enrollment failure?

A.%windir%\temp\MdmEnrollment.log
B.%ProgramData%\Microsoft\Provisioning\ProvisioningPackage.log
C.%windir%\Panther\setupact.log
D.Event Viewer under Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider
AnswerB

This log contains provisioning package enrollment details.

Why this answer

When a Windows 10 device is enrolled using a provisioning package, the provisioning engine logs detailed information about the package processing and enrollment steps in %ProgramData%\Microsoft\Provisioning\ProvisioningPackage.log. This log captures the execution of the provisioning package, including any errors during enrollment, making it the correct source for diagnosing a 'Pending' status caused by a provisioning package failure.

Exam trap

The trap here is that candidates confuse the general MDM enrollment log (MdmEnrollment.log) with the provisioning package-specific log, not realizing that provisioning package enrollment uses a completely separate logging path and engine.

How to eliminate wrong answers

Option A is wrong because MdmEnrollment.log is used for MDM enrollment initiated via Settings or manual enrollment, not for provisioning package-based enrollment. Option C is wrong because setupact.log is a Windows Setup log used for OS installation and upgrade troubleshooting, not for provisioning package or MDM enrollment issues. Option D is wrong because the DeviceManagement-Enterprise-Diagnostics-Provider logs in Event Viewer capture general MDM client events but are not the primary log for provisioning package execution; the provisioning engine writes its own dedicated log file.

35
MCQhard

A company applies the above BitLocker policy to Windows 10 devices via Intune. An administrator discovers that some devices are not encrypting. The administrator checks a device and finds that it has no TPM chip. Which setting in the policy will cause encryption to fail?

A.requireTpm
B.recoveryKeyRotation
C.encryptionMethod
D.requireStartupPin
AnswerA

If requireTpm is true, devices without TPM will not encrypt.

Why this answer

The 'requireTpm' setting enforces that BitLocker will only start encryption if a Trusted Platform Module (TPM) chip is present on the device. If a device lacks a TPM, this policy setting causes the encryption process to fail outright, as BitLocker cannot meet the mandatory hardware requirement.

Exam trap

The trap here is that candidates may think 'requireStartupPin' is the direct cause of failure on a TPM-less device, but the policy's 'requireTpm' setting is evaluated first and will block encryption entirely before any PIN requirement is even considered.

How to eliminate wrong answers

Option B (recoveryKeyRotation) is wrong because it controls how often the recovery key is rotated in Azure AD, not whether encryption starts; it has no effect on TPM absence. Option C (encryptionMethod) is wrong because it specifies the algorithm (e.g., AES 128/256) used after encryption begins, not a prerequisite for starting encryption. Option D (requireStartupPin) is wrong because it requires a PIN at startup but still relies on a TPM to validate that PIN; without a TPM, this setting also fails, but the question asks which setting in the policy causes failure, and 'requireTpm' is the direct cause—if 'requireTpm' is set to 'true', encryption fails regardless of other settings.
