CCNA Prepare infrastructure for devices Questions

75 of 254 questions · Page 3/4 · Prepare infrastructure for devices

151
MCQ · easy

Your organization wants to use Windows Autopilot to deploy new Windows 11 devices. What is required to register a device with Windows Autopilot?

A. The device's product key
B. The device's hardware hash (4K HH)
C. The user's Microsoft account
D. The device's BIOS password
Answer: B

The hardware hash uniquely identifies the device and is required for Autopilot registration.

Why this answer

Windows Autopilot requires the device's hardware hash (4K HH) to uniquely identify the device during the registration process. This hash is generated from the device's hardware components and is uploaded to the Microsoft Intune or Partner portal to associate the device with an Autopilot profile. Without the hardware hash, Autopilot cannot recognize the device as registered and will not apply the deployment profile.

Exam trap

The trap here is that candidates often confuse the hardware hash with the product key, assuming that a license or activation key is needed for Autopilot registration, but Autopilot relies solely on hardware-based identification.

How to eliminate wrong answers

Option A is wrong because the product key is used for Windows activation, not for Autopilot registration; Autopilot uses the hardware hash to identify the device. Option C is wrong because the user's Microsoft account is not required for device registration; Autopilot registration is device-centric and occurs before user sign-in. Option D is wrong because the BIOS password is a security feature for local access control and has no role in Autopilot's device identification or enrollment process.

152
MCQ · hard

Your company uses Microsoft Intune to manage Windows devices. Users frequently work from public Wi-Fi and the security team is concerned about unmanaged devices accessing corporate resources. You need to ensure that only devices compliant with your security policies can access Microsoft 365 services. What should you implement?

A. Deploy Windows Autopilot for all devices and require Entra ID join
B. Configure Conditional Access policies in Microsoft Entra ID that require compliant devices
C. Configure a VPN profile in Intune and enforce device compliance on the VPN server
D. Create a compliance policy in Intune and assign it to all users
Answer: B

Conditional Access enforces access control based on device compliance status from Intune.

Why this answer

Option B is correct because Conditional Access with device compliance policies is the standard approach to restrict access to compliant devices. Option C is wrong because VPN enforcement is not a direct Intune feature for conditional access. Option A is wrong because Autopilot doesn't enforce access control.

Option D is wrong because compliance policies alone don't enforce access; they require Conditional Access.

153
Multi-Select · hard

Your organization uses Microsoft Intune to manage devices. You need to ensure that only approved applications can run on Windows 10 devices. Which THREE components can you use to implement application control? (Choose three.)

Select 3 answers
A. Windows Information Protection (WIP).
B. Windows Defender Application Control (WDAC).
C. Intune application control policies.
D. AppLocker.
E. BitLocker drive encryption.
Answers: B, C, D

WDAC is a code integrity policy to control what apps can run.

Why this answer

Windows Defender Application Control (WDAC) is a code integrity feature that restricts which executables, scripts, and installers can run on Windows 10 devices. It uses a trust-based model where only binaries signed by approved publishers or with specific hash values are allowed, making it a core component for application control in an Intune-managed environment.

Exam trap

The trap here is that candidates often confuse Windows Information Protection (WIP) with application control because both involve 'policies' in Intune, but WIP is strictly for data loss prevention, not for blocking or allowing application execution.

154
MCQ · easy

Your organization uses Microsoft Intune to manage macOS devices. You need to ensure that all devices have FileVault disk encryption enabled. Which configuration profile type should you use?

A. Custom
B. Endpoint protection
C. Device restrictions
D. Device features
Answer: B

Endpoint protection includes FileVault settings for macOS.

Why this answer

Option B is correct because 'Endpoint protection' for macOS includes FileVault settings. Option D is wrong because 'Device features' includes settings like wallpaper and lock screen. Option C is wrong because 'Device restrictions' includes general settings, not encryption.

Option A is wrong because 'Custom' is not the standard method.

155
MCQ · medium

Refer to the exhibit. An Intune administrator created this device restrictions policy for Windows 10 devices. Which statement about the policy is true?

A. The policy will block access to the Microsoft Store and Cortana.
B. The policy will apply only to the primary user of the device.
C. The policy will prevent users from installing apps from outside the Microsoft Store.
D. The policy will block the camera on all devices.
Answer: A

Both Store and Cortana are set to Block.

Why this answer

Option A is correct because the policy includes settings that block the Microsoft Store and Cortana. Option D is wrong because the policy does not block the camera; it allows it. Option B is wrong because the policy applies to all users on the device, not only the primary user.

Option C is wrong because the policy does not affect app installation from other sources.

156
MCQ · easy

Your organization is deploying Windows devices using Windows Autopilot. You need to ensure that devices are automatically enrolled in Microsoft Intune when they are first powered on. What should you configure?

A. Join the device to Azure AD hybrid by configuring a domain join profile.
B. Create an Autopilot deployment profile with 'Assign to' set to 'All devices' and ensure the device is registered in Autopilot.
C. Configure the Enrollment Status Page (ESP) to require device enrollment.
D. Manually add the device serial number to Intune via the admin center.
Answer: B

This automatically enrolls the device in Intune during OOBE.

Why this answer

Option B is correct because an Autopilot deployment profile with Intune enrollment is the key; the Enrollment Status Page (ESP) is not required for enrollment. Option C is incorrect because the ESP is a separate configuration. Option A is incorrect because Azure AD hybrid join is not required for Autopilot.

Option D is incorrect because for new devices, the Autopilot profile triggers enrollment.

157
Multi-Select · medium

Your organization is deploying Windows 10 devices using Windows Autopilot. You need to ensure that during the out-of-box experience (OOBE), users are required to set up Windows Hello for Business. Which TWO configurations should you apply?

Select 2 answers
A. Configure a Windows Autopilot deployment profile to require Windows Hello for Business.
B. Enable Azure AD device registration.
C. Configure a Windows Hello for Business policy in Intune device configuration.
D. Configure a Windows Hello for Business enrollment policy in Intune.
E. Deploy a custom script that enables Windows Hello.
Answers: C, D

The policy enables Hello enrollment.

Why this answer

Options C and D are correct. Windows Hello for Business deployment requires a PIN policy and an enrollment policy to be configured. Option A is not required because Autopilot profiles do not directly enforce Hello.

Option B is a prerequisite but not sufficient alone. Option E is an alternative but not a direct configuration for OOBE.

158
MCQ · medium

You are configuring Microsoft Intune for a school that provides iPads to students. You want students to be able to use their personal Apple IDs to install apps, but you need to ensure that the devices are enrolled in Intune and managed. Which Apple enrollment method should you use?

A. Apple Automated Device Enrollment (ADE) with user affinity
B. Apple Device Enrollment (ADE) with supervision and allow personal Apple IDs
C. Apple Device Enrollment (ADE) with Shared iPad mode
D. Apple User Enrollment
Answer: B

Supervised devices can allow personal Apple IDs while still being fully managed.

Why this answer

Option B is correct because Device Enrollment (via Apple Business Manager) allows supervised enrollment while still allowing personal Apple IDs if configured. Option D is wrong because User Enrollment limits management. Option C is wrong because it uses a shared device mode without personal Apple IDs.

Option A is wrong because ADE is the same as Device Enrollment, but the key is allowing personal Apple IDs.

159
MCQ · medium

You are planning to enroll macOS devices in Intune. Users must authenticate with their Microsoft Entra ID credentials and then be prompted to install the Company Portal app. Which enrollment method should you use?

A. User enrollment
B. Device enrollment (without user affinity)
C. Bring your own device (BYOD) enrollment
D. Automated device enrollment (with user affinity)
Answer: D

This uses Apple Business Manager and prompts for Microsoft Entra ID credentials.

Why this answer

Automated device enrollment (with user affinity) is correct because it uses Apple's Automated Device Enrollment (ADE) to supervise the device, enforce user authentication with Microsoft Entra ID, and automatically install the Company Portal app during setup. This method ensures the device is enrolled in Intune with a user context, which is required for the user to authenticate and receive the Company Portal prompt.

Exam trap

The trap here is that candidates often confuse 'Automated device enrollment' with 'Device enrollment (without user affinity)', mistakenly thinking that any automated enrollment method will prompt for user authentication and app installation, but without user affinity, the device is enrolled as a shared device with no user context.

How to eliminate wrong answers

Option A is wrong because User enrollment is designed for personally owned devices and does not support automated installation of the Company Portal app during setup; it requires manual installation and does not enforce supervision. Option B is wrong because Device enrollment (without user affinity) enrolls the device without a specific user, so users cannot authenticate with their Entra ID credentials, and the Company Portal app is not automatically installed. Option C is wrong because Bring your own device (BYOD) enrollment typically uses User enrollment or manual enrollment methods, not automated device enrollment, and does not guarantee the Company Portal app is installed automatically during the setup process.

160
MCQ · medium

You deploy a Windows 11 kiosk device using Intune. The kiosk should run a single app (Microsoft Edge). After assignment, the device starts but shows a blank screen. What is the most likely issue?

A. The kiosk profile is not correctly assigned.
B. The device is not assigned to a user.
C. The AUMID for Microsoft Edge is not specified.
D. The device is not running Windows 10/11 Enterprise.
Answer: C

Required for single-app kiosk.

Why this answer

Option C is correct because for a single-app kiosk, you must specify the AUMID of the app; Edge's AUMID is required. Option B is wrong because the issue is not about user accounts. Option A is wrong because the kiosk profile is configured.

Option D is wrong because kiosk mode does not require Windows 10/11 Enterprise specifically.

161
Multi-Select · hard

Which THREE components are required for a successful Windows Autopilot deployment with user-driven Microsoft Entra ID join? (Select three.)

Select 3 answers
A. Enrollment Status Page (ESP) configuration.
B. Device registration in the Autopilot service using hardware hash.
C. On-premises Active Directory domain join.
D. Windows Autopilot deployment profile in Intune.
E. Microsoft Configuration Manager co-management.
Answers: A, B, D

ESP ensures device is fully configured before user login.

Why this answer

The Enrollment Status Page (ESP) configuration is required because it provides visibility into the provisioning process and enforces device compliance before the user can access the desktop. In a user-driven Microsoft Entra ID join Autopilot deployment, the ESP ensures that required policies, apps, and certificates are installed, preventing users from bypassing critical setup steps. Without ESP, users might gain early access to an incompletely configured device, leading to support issues.

Exam trap

The trap here is that candidates often confuse the optional Enrollment Status Page with a mandatory component, or they mistakenly believe on-premises Active Directory join is required for user-driven Autopilot, when in fact Microsoft Entra ID join is a separate, cloud-native identity option.

162
MCQ · easy

You need to ensure that Windows 10 devices automatically enroll in Intune when they join Microsoft Entra ID. Which setting should you configure?

A. Compliance policies in Intune
B. MDM user scope in Microsoft Entra ID
C. Co-management slider in Configuration Manager
D. Enrollment device platform restrictions in Intune
Answer: B

This sets the scope of users who will auto-enroll their devices.

Why this answer

Option B is correct because the MDM user scope setting in Microsoft Entra ID (formerly Azure AD) controls which users can automatically enroll their Windows 10 devices into Intune when they join Entra ID. When set to 'All' or 'Some', the device triggers automatic MDM enrollment during the Entra ID join process using the MDM enrollment protocol (MS-MDE), eliminating the need for manual enrollment steps.

Exam trap

The trap here is that candidates often confuse the MDM user scope (which controls the automatic enrollment trigger) with enrollment restrictions or compliance policies, which only apply after the enrollment process has already started.

How to eliminate wrong answers

Option A is wrong because compliance policies in Intune evaluate device compliance after enrollment, not trigger or configure automatic enrollment. Option C is wrong because the co-management slider in Configuration Manager controls workload distribution between ConfigMgr and Intune for already-managed devices, not the initial automatic enrollment of Windows 10 into Intune during Entra ID join. Option D is wrong because enrollment device platform restrictions in Intune block or allow enrollment based on platform or version after the enrollment attempt is initiated, but do not enable or configure the automatic enrollment trigger itself.

163
MCQ · hard

Your organization uses Microsoft Defender for Endpoint (Defender XDR) and Intune. You need to ensure that when a device is found to have a critical vulnerability, a remediation action is automatically triggered. Which integration should you configure?

A. Configure a Microsoft Sentinel playbook.
B. Configure a Microsoft Foundry AI model.
C. Configure a Microsoft Purview data loss prevention policy.
D. Configure the integration between Microsoft Defender for Endpoint and Microsoft Intune.
Answer: D

This integration allows automatic remediation actions like isolating devices.

Why this answer

Option D is correct because Defender for Endpoint can integrate with Intune to trigger remediation actions. Option A is wrong because Microsoft Sentinel is for SIEM, not automatic remediation. Option C is wrong because Microsoft Purview focuses on compliance.

Option B is wrong because Microsoft Foundry is an AI platform.

164
MCQ · medium

You manage devices with Microsoft Intune. Users report that enrollment fails on Android Enterprise personally-owned work profiles. After reviewing enrollment restrictions, you verify that Android Enterprise is allowed. What should you check next?

A. Confirm that the Intune Service to Service Connector is configured.
B. Verify that the Company Portal app is installed and updated on the device.
C. Check that the enrollment token has not expired.
D. Ensure Device Administrator enrollment is enabled.
Answer: B

The Company Portal app is required for Android Enterprise work profile enrollment.

Why this answer

Option B is correct because Android enrollment often requires the Company Portal app to be installed from Google Play. If the device has Google Play Services disabled or the app is missing, enrollment fails. Option D is wrong because the issue is specific to work profiles, not Device Administrator.

Option C is wrong because the enrollment token is for Android Enterprise dedicated devices, not personally-owned work profiles. Option A is wrong because the Intune Service to Service Connector is not relevant to this enrollment type.

165
MCQ · medium

Your organization uses Microsoft Intune to manage Windows 10 devices. You create a device configuration profile for kiosk mode. The profile is assigned to a device group. After syncing, the device does not enter kiosk mode. What should you check first?

A. Ensure the device is running Windows 10 Enterprise.
B. Run the Policy Manager tool on the device.
C. Verify the device is a member of the assigned device group.
D. Check the device's notification area for a policy update prompt.
Answer: C

If the device is not in the group, the policy won't apply. This is the first troubleshooting step.

Why this answer

Option C is correct because the most common issue is that the assigned user or device group does not contain the target device. Option A is wrong because kiosk mode does not require a specific Windows edition; it works on Pro and Enterprise. Option B is wrong because Policy Manager is not a real Intune feature.

Option D is wrong because a notification is not required for kiosk mode to apply.

166
MCQ · medium

You are configuring conditional access policies in Microsoft Entra ID to require compliant devices for access to Microsoft 365 services. Some users report that they cannot access Outlook Web App (OWA) even though their device is marked as compliant in Intune. What should you verify?

A. The conditional access policy has the grant control set to 'Require device to be marked as compliant'.
B. All users have the required Microsoft 365 license.
C. The conditional access policy includes all cloud apps.
D. The device platform condition is set to iOS and Android only.
Answer: A

Without this grant, the policy might only apply other controls like MFA, not compliance.

Why this answer

Option A is correct because the most likely cause of users being unable to access OWA despite device compliance is that the conditional access policy's grant control is not set to 'Require device to be marked as compliant'. Without this grant, the policy may apply other controls (e.g., MFA) or block access entirely, even if the device is compliant in Intune. This setting explicitly enforces that only compliant devices can access the targeted cloud apps, such as Office 365 Exchange Online.

Exam trap

The trap here is that candidates assume device compliance alone is sufficient for access, but they overlook that the conditional access policy must explicitly include the 'Require device to be marked as compliant' grant control to enforce compliance-based access.

How to eliminate wrong answers

Option B is wrong because licensing issues would prevent access to Microsoft 365 services entirely or show a license error, not specifically block OWA while the device is compliant; the scenario describes a compliance-related block, not a licensing one. Option C is wrong because including all cloud apps is not required for OWA access; the policy should target the specific app (e.g., Office 365 Exchange Online) to avoid unintended blocks on other services, and including all cloud apps could cause broader access issues unrelated to the reported symptom. Option D is wrong because restricting the device platform to iOS and Android only would block access from Windows, macOS, or other platforms, but the users are reporting issues with OWA access, and the policy should match the platforms in use; the problem is not platform-specific but rather the grant control setting.

167
MCQ · easy

Your company deploys Microsoft Defender for Endpoint to Windows devices managed by Microsoft Intune. You need to ensure that all devices send diagnostic data at the 'Optional diagnostic data' level. Which configuration profile type should you use?

A. Administrative templates
B. Device restrictions
C. Endpoint protection
D. Custom
Answer: B

Device restrictions include diagnostic data settings.

Why this answer

Option B is correct because 'Device restrictions' includes the 'Diagnostic data' setting to control the level of diagnostic data sent to Microsoft. Option C is wrong because 'Endpoint protection' focuses on security settings like Defender Antivirus, not diagnostic data. Option A is wrong because 'Administrative templates' are for ADMX-backed policies, but the diagnostic data setting is available in device restrictions.

Option D is wrong because 'Custom' is not the simplest way.

168
Multi-Select · easy

Which TWO actions can be performed using a Windows Autopilot reset? (Choose two.)

Select 2 answers
A. Change the primary user of the device
B. Reinstall Windows 11 from scratch
C. Retain the Autopilot registration
D. Remove personal files and apps
E. Remove the device from Microsoft Intune
Answers: C, D

The device remains registered for Autopilot.

Why this answer

Options C and D are correct. Autopilot Reset removes personal files and apps and retains the device's Autopilot registration. Option B is wrong because Autopilot Reset does not reinstall Windows from scratch; it uses the existing OS.

Option E is wrong because it does not remove the device from Intune. Option A is wrong because it does not change the primary user.

169
MCQ · medium

Refer to the exhibit. A Microsoft Intune security baseline is configured for Windows 10 devices. What is the effect of this setting?

A. It requires a reboot for the setting to take effect.
B. It enables real-time protection for scheduled scans.
C. It disables scheduled scans when the device is in use.
D. It reduces the CPU priority of scheduled scans to minimize performance impact.
Answer: D

Enabling low CPU priority ensures scans run at lower priority, reducing impact on user tasks.

Why this answer

This setting in the Microsoft Intune security baseline for Windows 10 configures the 'Scan only if computer is on and in use' policy for Microsoft Defender Antivirus. When enabled, it reduces the CPU priority of scheduled scans to minimize performance impact on the user's active workload, ensuring that background scanning does not interfere with foreground tasks.

Exam trap

The trap here is that candidates confuse 'reducing CPU priority' with 'disabling the scan' or 'requiring a reboot', leading them to select options that describe more drastic or unrelated behaviors rather than the subtle performance tuning this setting actually performs.

How to eliminate wrong answers

Option A is wrong because this setting does not require a reboot; Intune security baseline policies are applied via the Microsoft Defender Antivirus engine and take effect immediately or on the next scheduled scan without a system restart. Option B is wrong because real-time protection is a separate policy (e.g., 'Turn on real-time protection') and is not controlled by this CPU priority setting. Option C is wrong because this setting does not disable scheduled scans when the device is in use; it only lowers the CPU priority of the scan, allowing it to run concurrently without degrading user experience.

170
MCQ · hard

You are deploying Windows 10 to 500 new devices using a task sequence in Microsoft Configuration Manager. The devices need to be joined to Microsoft Entra ID and enrolled in Intune automatically during OSD. Which method should you use?

A. Add a 'Provision Microsoft Entra ID' step in the task sequence, using a bulk token generated from Microsoft Entra ID.
B. Use a provisioning package (PPKG) with bulk enrollment token, applied during the task sequence.
C. Set a Group Policy that enables automatic MDM enrollment using a discovered AAD token.
D. Configure Windows Autopilot for existing devices and redeploy them.
Answer: A

This step allows Entra ID join and automatic Intune enrollment during OSD.

Why this answer

In Configuration Manager, the 'Provision Microsoft Entra ID' step in a task sequence can be used to perform a bulk token-based join. This is the recommended approach for Windows 10 devices. Option A is correct.

Option B is wrong because a provisioning package is not for bulk OSD. Option D is wrong because Autopilot is for user-driven scenarios. Option C is wrong because MDM enrollment via GPO is not typically used during OSD.

171
MCQ · medium

Your organization uses Microsoft Intune to manage devices. You need to ensure that only corporate-owned devices can access company resources, while allowing users to enroll personal devices for limited access. You plan to use enrollment restrictions and compliance policies. What should you configure?

A. Set enrollment device platform restrictions to block personally owned devices, and create a compliance policy to mark personal devices as noncompliant.
B. Configure enrollment restrictions to block all devices from enrolling.
C. Configure a compliance policy that requires devices to be corporate-owned.
D. Create a conditional access policy that requires devices to be marked as compliant.
Answer: A

Enrollment restrictions prevent personal devices from enrolling, and compliance policies enforce the corporate ownership requirement.

Why this answer

Option A is correct because enrollment device platform restrictions can block personally owned devices from enrolling, while a compliance policy can mark personal devices that do enroll as noncompliant. This combination ensures corporate-owned devices get full access, and personal devices are either blocked or flagged for limited access via conditional access policies.

Exam trap

The trap here is that candidates often confuse compliance policies with enrollment restrictions, thinking a compliance policy alone can block enrollment, when in fact compliance policies only evaluate devices after they are enrolled and cannot prevent enrollment itself.

How to eliminate wrong answers

Option B is wrong because blocking all devices from enrolling would prevent both corporate and personal devices from accessing company resources, which does not meet the requirement to allow personal devices limited access. Option C is wrong because compliance policies can evaluate device ownership (e.g., via the 'Device ownership' setting), but they cannot enforce enrollment restrictions; they only mark devices as compliant or noncompliant after enrollment, so personal devices could still enroll and then be marked noncompliant, but the requirement to block personal devices from enrolling is not achieved. Option D is wrong because a conditional access policy that requires devices to be marked as compliant does not control enrollment; it only controls access after enrollment, so personal devices could still enroll and then be blocked from access, but the requirement to block personal devices from enrolling is not met.

172
Multi-Select · medium

Your organization is planning to use Microsoft Intune for Windows device management. Which TWO components are required for a successful Windows Autopilot deployment?

Select 2 answers
A. Microsoft Endpoint Manager (MDM authority)
B. Microsoft Entra ID
C. Windows Server Active Directory
D. Microsoft Configuration Manager
E. Microsoft Intune
Answers: B, E

Required for identity and device registration.

Why this answer

Microsoft Entra ID (formerly Azure AD) is required for Windows Autopilot because it provides the identity and device registration infrastructure. Autopilot uses Entra ID to associate a device with its hardware hash (via the OEM or partner portal) and to authenticate the user during the out-of-box experience (OOBE). Without Entra ID, the device cannot be recognized as an Autopilot device and cannot join the cloud domain.

Exam trap

The trap here is that candidates often confuse Microsoft Endpoint Manager (the admin portal) with Intune (the actual MDM service), leading them to select Option A instead of recognizing that Intune itself is the required MDM component.

173
Multi-Select · medium

Which TWO of the following are required to configure Windows Autopilot for existing devices?

Select 2 answers
A. A Windows product key.
B. A local administrator account on the device.
C. An Azure AD Premium P1 license.
D. A hardware hash (4K HH) from the device.
E. A device group that has an Autopilot deployment profile assigned.
Answers: D, E

The hardware hash is used to uniquely identify the device and register it in Autopilot.

Why this answer

Option D is correct because the hardware hash (4K HH) is the unique identifier that Windows Autopilot uses to associate a device with an Autopilot deployment profile. This hash must be harvested from the existing device (e.g., via a PowerShell script or a provisioning package) and uploaded to the Autopilot service to register the device. Without the hardware hash, the device cannot be recognized as an Autopilot device during the out-of-box experience (OOBE).

Exam trap

The trap here is that candidates often confuse the licensing requirement (Azure AD Premium P1) with the technical prerequisite for device registration, but the hardware hash and a device group with an assigned profile are the only two mandatory components for configuring Autopilot on existing devices.

174
MCQ · hard

Refer to the exhibit. You have configured the above enrollment restriction in Microsoft Intune. A user attempts to enroll a personal Windows 11 device. What will be the outcome?

A. The device will be blocked from enrolling.
B. The device will be prompted to confirm enrollment.
C. The device will enroll but will be marked as non-compliant.
D. The device will enroll successfully because it meets the OS requirements.
Answer: A

The restriction blocks personal Windows devices from enrolling.

Why this answer

Option A is correct because the restriction blocks personal device enrollment for Windows. The device will be blocked during enrollment regardless of OS version. Option D is wrong because the OS version is not checked, since the restriction blocks personal devices.

Option C is wrong because the restriction is not a compliance policy. Option B is wrong because the device is not allowed to enroll at all.

175
MCQ · easy

You need to enroll macOS devices into Microsoft Intune. What is the required enrollment method?

A. Device Enrollment Manager (DEM)
B. Apple Automated Device Enrollment (ADE)
C. Company Portal app
D. Apple Configurator
Answer: C

macOS devices enroll via the Company Portal app downloaded from the Mac App Store.

Why this answer

The Company Portal app is the required enrollment method for macOS devices when using user-driven enrollment with Intune. It allows users to authenticate, download management profiles, and register their device via the Intune Company Portal, which is the standard approach for bring-your-own-device (BYOD) scenarios or when automated enrollment is not configured.

Exam trap

The trap here is that candidates often assume Apple Automated Device Enrollment (ADE) is required for macOS enrollment, but the question asks for the required method, and ADE is optional; the Company Portal is the mandatory user-driven enrollment path when no automated method is set up.

How to eliminate wrong answers

Option A is wrong because Device Enrollment Manager (DEM) is a Windows-specific account used to enroll multiple Windows devices with a single user account, not for macOS enrollment. Option B is wrong because Apple Automated Device Enrollment (ADE) is an optional, automated enrollment method for organization-owned devices, not a required method for all macOS enrollments. Option D is wrong because Apple Configurator is a tool for manual, supervised enrollment via USB connection, typically used for iOS/iPadOS devices in shared or lab environments, not as the required method for standard macOS enrollment.

176
MCQ · medium

You need to deploy Microsoft 365 Apps to 500 Windows 10 devices managed by Intune. The deployment must be automatic and should not require user interaction. What is the best method?

A. Create a Configuration Manager application and deploy to the devices.
B. Use the Office Deployment Tool (ODT) to create a package and deploy via Intune as a line-of-business (LOB) app.
C. Create a Win32 app in Intune with the installation command for Microsoft 365 Apps.
D. Assign the Microsoft 365 Apps from the Microsoft Store for Business.
Answer: C

Win32 apps allow silent deployment and can be assigned to devices.

Why this answer

Option C is correct because creating a Win32 app in Intune allows you to use the Office Deployment Tool (ODT) with a custom configuration.xml to install Microsoft 365 Apps silently. This method supports automatic, unattended deployment to 500 Windows 10 devices managed by Intune, as Win32 apps can be assigned with required intent and run in system context without user interaction.

Exam trap

The trap here is that candidates confuse the Office Deployment Tool (ODT) with the line-of-business (LOB) app method, not realizing that LOB apps cannot handle the multi-file ODT package and require a single installer file, making Win32 app the only viable Intune-native option for silent, automated Office deployment.

How to eliminate wrong answers

Option A is wrong because Configuration Manager is a separate on-premises management tool, not the best method for devices already managed solely by Intune; it introduces unnecessary complexity and requires additional infrastructure. Option B is wrong because deploying via Intune as a line-of-business (LOB) app is not suitable for Microsoft 365 Apps; LOB apps are intended for single-file installers (e.g., .msi or .exe) and do not support the multi-file ODT package or the required detection and installation logic for Office. Option D is wrong because the Microsoft Store for Business is deprecated and does not support deploying Microsoft 365 Apps to Windows 10 devices managed by Intune; it was designed for Universal Windows Platform (UWP) apps, not Win32 Office installations.

177
MCQ · medium

Your organization uses Microsoft Intune to manage iOS/iPadOS devices. You need to ensure that users cannot remove the Mail app that is required for corporate email. What configuration should you apply?

A. Deploy the Mail app as a required volume-purchased app using Apple Business Manager.
B. Configure a Managed App Configuration with the key 'preventManagedAppRemoval' set to true.
C. Set a device restriction policy to hide the Mail app from the home screen.
D. Assign an app protection policy that blocks the removal of corporate data.
Answer: B

This prevents the user from removing the managed app.

Why this answer

Option B is correct because a Managed App Configuration with the 'preventManagedAppRemoval' key prevents removal of the managed app. Option A is incorrect because a required volume-purchased app can still be removed by the user and is then reinstalled; removal is not prevented. Option D is incorrect because app protection policies apply to corporate data, not to app removal.

Option C is incorrect because device restrictions can hide apps but cannot prevent users from uninstalling them if they have permission.

178
MCQ · hard

Refer to the exhibit. An administrator runs the PowerShell cmdlet shown on a new Windows 11 device. The cmdlet completes successfully, but the device does not appear in Intune under Windows Autopilot devices. What is the most likely cause?

A. The user running the cmdlet does not have the required permissions in Intune.
B. The device does not have internet access.
C. The device is already registered in Autopilot, so the cmdlet does nothing.
D. The group tag 'Marketing' is invalid.
Answer: A

The cmdlet requires Intune Administrator or similar role to upload the hash.

Why this answer

The 'Get-WindowsAutopilotInfo.ps1' script, run with -Online, uploads the hardware hash to Intune. For the upload to work, the device must have internet access and the user running the script must have the appropriate permissions in Intune (e.g., the Intune Administrator role). Option A is correct.

Option C is wrong because the script is used to register a device in Autopilot; it is not something run on a device that is already Autopilot-registered. Option B is wrong because the cmdlet completed successfully, which requires the device to be online. Option D is wrong because the group tag is optional and does not prevent the upload.

179
MCQ · hard

A company uses Microsoft Intune to manage iOS/iPadOS devices. After enabling Apple User Enrollment (UE), some users report that they cannot install company-recommended apps from the Company Portal. What is the most likely cause?

A. Device type is restricted in enrollment restrictions
B. Apps are assigned to devices instead of users
C. VPP token is not configured for user enrollment
D. User Enrollment does not support app distribution
Answer: B

User Enrollment requires user-based assignments; device-based assignments fail.

Why this answer

Apple User Enrollment creates a per-user, per-device Managed Apple ID and a separate APNs certificate. Under User Enrollment, apps must be assigned to users (not devices) because the enrollment type lacks a device-level identity for app installation. When apps are assigned to devices, the Intune service cannot target them to User Enrollment devices, causing the installation to fail silently in Company Portal.

Exam trap

The trap here is that candidates confuse enrollment restrictions (which block enrollment) with app assignment scope (which blocks app installation after enrollment), and assume User Enrollment cannot distribute apps at all, when in fact it only requires user-based assignment.

How to eliminate wrong answers

Option A is wrong because enrollment restrictions (like device type or OS version) block enrollment itself, not app installation after enrollment; the users are already enrolled, so restrictions are not the cause. Option C is wrong because a VPP token is required for volume-purchased apps, but User Enrollment supports app distribution without a VPP token if apps are free or assigned via user-based assignment; the token issue would affect all apps, not just company-recommended ones. Option D is wrong because User Enrollment does support app distribution—it supports managed app configuration and assignment, but only when apps are assigned to users, not devices.

180
MCQ · medium

Your organization uses Microsoft Defender for Endpoint. You need to ensure that devices onboarding to Microsoft Defender for Endpoint are automatically assigned to a specific device group based on their operating system version. What should you use?

A. Manually tag each device in the Microsoft 365 Defender portal.
B. Configure device group rules in Microsoft Defender for Endpoint using OS version condition.
C. Use Microsoft Entra ID dynamic groups based on device OS.
D. Create a Microsoft Intune compliance policy that tags devices by OS version.
Answer: B

Device group rules can automatically assign devices based on criteria.

Why this answer

Device group rules in Microsoft Defender for Endpoint allow you to automatically assign devices to groups based on conditions such as operating system version. This is the correct approach because it uses the built-in grouping engine that evaluates device attributes during onboarding, ensuring consistent and automated assignment without manual intervention.

Exam trap

The trap here is that candidates often confuse Microsoft Entra ID dynamic groups (which are for identity and access management) with Defender for Endpoint device group rules (which are for security operations and automation), leading them to choose Option C incorrectly.

How to eliminate wrong answers

Option A is wrong because manually tagging each device in the Microsoft 365 Defender portal is not automated and does not scale for large environments; it also does not use OS version as a condition. Option C is wrong because Microsoft Entra ID dynamic groups are based on Azure AD device attributes and are used for identity-based access control, not for Defender for Endpoint device group assignment, which requires Defender-specific grouping rules. Option D is wrong because Microsoft Intune compliance policies are used to enforce device health and compliance settings, not to tag devices for Defender for Endpoint grouping; they do not create device groups in Defender.

181
MCQ · hard

Your organization uses Microsoft Intune to manage macOS devices. You need to configure FileVault disk encryption for all devices. After deploying the policy, some devices report that encryption is pending. What is the most likely reason?

A. The user has not approved the recovery key escrow.
B. The devices are enrolled using user enrollment.
C. The devices require a PIN to be set for recovery.
D. The devices are not supervised.
Answer: A

User must approve escrow when prompted.

Why this answer

Option A is correct because FileVault encryption stays pending until the user approves the recovery key escrow when prompted. Option D is incorrect because macOS devices can be encrypted via Intune. Option B is incorrect because user enrollment does not affect FileVault policy applicability.

Option C is incorrect because a PIN is not required for FileVault; it uses the user's password.

182
MCQ · medium

Your organization uses Microsoft Intune to manage devices. You need to ensure that devices that are not compliant are blocked from accessing corporate resources. Which configuration should you use?

A. Create a device compliance policy and assign it to users.
B. Create a device configuration profile that restricts access.
C. Create a Conditional Access policy that requires compliant devices.
D. Configure enrollment restrictions to block non-compliant devices.
Answer: C

Conditional Access enforces access based on compliance.

Why this answer

Conditional Access policies in Azure AD are the correct mechanism to enforce access controls based on device compliance status. By creating a policy that requires devices to be marked as compliant, you ensure that only compliant devices can access corporate resources, while non-compliant devices are blocked at the authentication level. This integrates with Intune compliance policies to evaluate device health before granting access.

Exam trap

The trap here is that candidates often confuse the role of a compliance policy (which only evaluates and reports) with the enforcement mechanism (Conditional Access), leading them to select Option A as the answer.

How to eliminate wrong answers

Option A is wrong because a device compliance policy alone only reports compliance status and can trigger actions like sending notifications or marking devices as non-compliant, but it does not block access to corporate resources; it requires a Conditional Access policy to enforce the block. Option B is wrong because a device configuration profile is used to configure device settings (e.g., password policies, restrictions) and does not enforce access control or block non-compliant devices from resources. Option D is wrong because enrollment restrictions control which devices can enroll in Intune, not whether already enrolled devices that become non-compliant are blocked from accessing corporate resources.

183
MCQ · hard

A company uses Microsoft Intune to manage Windows 10 devices. Users report that after a recent update, some devices are unable to connect to the corporate Wi-Fi network. The Wi-Fi profile is deployed via Intune. Which troubleshooting step should you take first?

A. Recreate the Wi-Fi profile in Intune with new settings
B. Run the 'netsh wlan show profiles' command on affected devices
C. Check the Intune console for Wi-Fi profile assignment and conflict status
D. Review Microsoft Entra ID sign-in logs for authentication failures
Answer: C

Directly shows profile deployment and conflicts.

Why this answer

Option C is correct because checking the Intune console for profile assignment and conflict status is the fastest way to identify deployment issues. Option D is wrong because reviewing sign-in logs does not show Wi-Fi profile status. Option B is wrong because checking locally on each affected device is more granular and time-consuming.

Option A is wrong because recreating the profile may not address the root cause.

184
MCQ · easy

Your organization is implementing Microsoft Entra ID join for Windows devices. You need to ensure that when users sign in with their Microsoft Entra ID credentials, they automatically get access to company resources without additional authentication. Which feature should you enable?

A. Device compliance policies
B. Windows Hello for Business
C. Conditional Access policies
D. Primary Refresh Token (PRT)
Answer: D

PRT is obtained upon sign-in and provides SSO to cloud resources.

Why this answer

Option D is correct because Microsoft Entra ID joined devices obtain a Primary Refresh Token (PRT) at sign-in and use it for SSO. Option B is incorrect because Windows Hello for Business provides passwordless sign-in but is not required for automatic resource access. Option C is incorrect because Conditional Access policies control access, not automatic authentication.

Option A is incorrect because device compliance policies are for compliance evaluation, not SSO.

185
Multi-Select · medium

Your organization is preparing to deploy Windows 11 using Microsoft Intune. You need to ensure that all devices meet the minimum hardware requirements for Windows 11 before upgrade. Which THREE checks should you perform?

Select 3 answers
A. Check that Secure Boot is enabled.
B. Check that the processor is at least 1GHz with 1 core.
C. Check that the device has TPM 2.0 enabled.
D. Check that the device has at least 4GB of RAM.
E. Check that the device has at least 32GB of storage.
Answers: A, C, D

Secure Boot is required.

Why this answer

Options A, C, and D are correct. TPM 2.0, Secure Boot, and 4GB of RAM are minimum requirements. Option E is incorrect because the requirement is 64GB of storage.

Option B is incorrect because the requirement is 1GHz or faster with 2 cores.

186
MCQ · medium

Refer to the exhibit. You run the PowerShell command shown to create a compliance policy. However, when you check the compliance status of a Windows 11 device, it shows as compliant even though the device does not have BitLocker enabled. What is the most likely reason?

A. The policy has not been assigned to the device or its user group.
B. The BitLocker setting is not supported on Windows 11.
C. The policy was not saved correctly due to a syntax error.
D. The device does not have a TPM chip, which is required for BitLocker, but the compliance policy does not check TPM.
Answer: A

Unless assigned, the policy does not evaluate.

Why this answer

The compliance policy has BitLockerEnabled set to $true, which should require BitLocker. The device can still show as compliant if the policy has not been assigned to it, or if the device has not yet evaluated the policy. The most likely reason among the options is that the device is not subject to the policy because it has not been assigned.

Option A is correct. Option C is wrong because the policy was created successfully. Option B is wrong because the setting is correct.

Option D is wrong because TPM is required for BitLocker but is not directly related to compliance evaluation.

187
MCQ · medium

You are responsible for deploying Microsoft 365 Apps for enterprise to Windows 10 devices using Microsoft Intune. You want to ensure that users receive the Current Channel with updates delivered directly from the Office Content Delivery Network (CDN). You also want to minimize bandwidth usage on your network. What should you configure?

A. Configure a local update server using BranchCache.
B. Set the update path to the Office CDN and enable Office automatic updates.
C. Use a configuration profile to disable peer-to-peer distribution.
D. Enable delivery optimization and set the Office update channel to Current Channel.
Answer: D

Delivery optimization with peer-to-peer reduces bandwidth.

Why this answer

To minimize bandwidth, you can enable peer-to-peer distribution through Delivery Optimization. Option D is correct because enabling Delivery Optimization with peer-to-peer reduces network load. Option B is wrong because the CDN is the default update source but by itself does not minimize bandwidth.

Option A is wrong because BranchCache is not used for Office updates. Option C is wrong because peer-to-peer is the recommended approach, so disabling it increases bandwidth use.

188
MCQ · easy

You need to deploy Microsoft 365 Apps to 1000 devices using Microsoft Intune. The devices are a mix of Windows 10 and Windows 11. Which app deployment method should you use to ensure the latest version is always installed?

A. Deploy a line-of-business app from the installation file.
B. Deploy a Win32 app with the Office Deployment Tool.
C. Deploy Microsoft 365 Apps for enterprise as a built-in app type in Intune.
D. Deploy a custom script that installs Office from a network share.
Answer: C

Built-in type ensures automatic updates from CDN.

Why this answer

Option C is correct because the Microsoft 365 Apps for enterprise built-in app type in Intune is specifically designed to deploy and manage Office with automatic updates from the Office Content Delivery Network (CDN). This method ensures that devices always receive the latest version of Microsoft 365 Apps without requiring manual intervention or custom configuration, as Intune handles the deployment policy and update channel settings natively.

Exam trap

The trap here is that candidates often choose Option B (Win32 app with ODT) because they know ODT is the standard tool for Office deployment, but they overlook that the built-in app type in Intune provides a simpler, more reliable method that automatically handles update channel configuration and ensures the latest version is always installed without custom scripting.

How to eliminate wrong answers

Option A is wrong because deploying a line-of-business (LOB) app from an installation file requires manual packaging and does not support automatic updates to the latest version; it also lacks the built-in update channel management that Microsoft 365 Apps require. Option B is wrong because while deploying a Win32 app with the Office Deployment Tool (ODT) can install Office, it requires custom configuration of the update channel and does not inherently ensure the latest version is always installed unless you manually configure the CDNBaseUrl and update settings; it also adds unnecessary complexity compared to the built-in app type. Option D is wrong because deploying a custom script that installs Office from a network share relies on a static source that must be manually updated, and it does not integrate with Intune's update management or the Office CDN, making it impossible to guarantee the latest version is always installed across all devices.

189
MCQ · easy

Refer to the exhibit, an Autopilot device registration JSON. What does the '%RAND:5%' placeholder do?

A. It inserts the device's model name.
B. It generates a random 5-character string.
C. It inserts the device's serial number.
D. It inserts the user's principal name.
Answer: B

This ensures unique names.

Why this answer

Option B is correct because %RAND:5% generates a random 5-character string to ensure unique device names. Option C is wrong because the placeholder is not based on the serial number. Option A is wrong because it is not the model name.

Option D is wrong because it is not user-specific.

190
MCQ · easy

Your company plans to deploy Microsoft 365 Apps to 500 devices using Microsoft Intune. You want to ensure that the Office suite is installed with only Word, Excel, and PowerPoint. Which approach should you use?

A. Use Microsoft Intune to deploy Office by selecting the built-in Office 365 app type and then modify the installation options.
B. Use the Microsoft 365 admin center to assign licenses and then have users install from the portal.
C. Use Microsoft Intune to deploy Office by configuring a Win32 app with the Office Deployment Tool and a custom XML.
D. Use Microsoft Configuration Manager to deploy Office with a task sequence.
Answer: C

ODT with XML allows selecting specific Office apps.

Why this answer

Option C is correct because the Office Deployment Tool allows you to configure which products are installed via an XML configuration file. Option A is incorrect because Intune itself does not install a customized Office selection without an XML configuration. Option D is incorrect because the Click-to-Run tool is part of the ODT but is not the primary method here.

Option B is incorrect because the Microsoft 365 admin center is for service configuration, not client installation.

191
MCQ · hard

Your organization uses Microsoft Intune to manage Android Enterprise devices. You need to ensure that work profile apps are encrypted and that the device owner cannot uninstall the Company Portal app. Which configuration profile should you deploy?

A. Device configuration profile with custom OMA-URI
B. Device restrictions for Android Enterprise fully managed
C. Device restrictions for Android Enterprise work profile
D. Compliance policy for Android Enterprise
Answer: C

This profile can enforce encryption and block removal of apps.

Why this answer

Option C is correct because the 'Device restrictions for Android Enterprise work profile' profile includes settings to enforce encryption of work profile apps and to prevent the uninstallation of the Company Portal app. Specifically, the 'Require work profile encryption' setting ensures that work profile data is encrypted, and the 'Block uninstall of Company Portal' setting prevents the device owner from removing the Company Portal app. These settings are only available within the work profile restrictions profile, not in other profile types.

Exam trap

The trap here is that candidates often confuse 'Device restrictions for Android Enterprise work profile' with 'Device restrictions for Android Enterprise fully managed' or assume that a compliance policy can enforce configuration settings, when in fact the work profile restrictions profile is the only one that combines both encryption enforcement and app uninstall prevention for personally owned devices with work profiles.

How to eliminate wrong answers

Option A is wrong because custom OMA-URI profiles are used for settings not available in the Intune UI, but the required encryption and uninstall prevention settings are natively available in the work profile restrictions profile, making a custom OMA-URI unnecessary and less precise. Option B is wrong because 'Device restrictions for Android Enterprise fully managed' applies to corporate-owned devices with a single user, not to work profiles on personally owned devices; it lacks the specific settings to block uninstallation of the Company Portal app from the work profile. Option D is wrong because compliance policies evaluate device compliance (e.g., encryption status) but cannot enforce configuration settings like preventing app uninstallation; they are reactive, not proactive.

192
Multi-Select · medium

Your company is deploying iOS devices using Apple Business Manager and Intune. You need to ensure that devices are automatically configured with Wi-Fi settings, email profiles, and a list of required apps during the initial setup. Which THREE configurations should you create in Intune?

Select 3 answers
A. A device configuration profile for Wi-Fi settings.
B. A Windows configuration designer provisioning package.
C. A device compliance policy for iOS.
D. A device configuration profile for email settings.
E. An iOS app configuration policy for required apps.
Answers: A, D, E

Wi-Fi profile configures wireless settings.

Why this answer

Options A, D, and E are correct. Device configuration profiles can push Wi-Fi and email settings. Required apps can be assigned as mandatory.

Option B is not used for iOS. Option C is for compliance, not configuration.

193
MCQ · hard

You manage devices with Microsoft Intune. A user reports that their Windows 11 device is not receiving updates from Windows Update for Business. The device shows as compliant in Intune. You verify that update rings are assigned to the device. What should you check next?

A. Check if the device has a compliance policy that blocks updates.
B. Ensure that the device is not configured for dual scan.
C. Check the device's delivery optimization settings.
D. Verify that the update ring is assigned to the correct Azure AD group.
Answer: C

Delivery optimization can prevent updates if misconfigured.

Why this answer

Option C is correct because delivery optimization settings control how Windows Update for Business downloads updates, and misconfigured settings (e.g., peer caching or bandwidth throttling) can prevent updates from being received even when update rings are properly assigned. Since the device is compliant and update rings are assigned, the next logical step is to verify that delivery optimization is not blocking or delaying the download. This aligns with Intune's troubleshooting workflow for Windows Update for Business issues.

Exam trap

The trap here is that candidates assume compliance or group assignment is the root cause, but Microsoft Intune's update delivery relies on delivery optimization as a prerequisite, and the exam tests the understanding that update rings only define the deferral policy, not the download mechanism.

How to eliminate wrong answers

Option A is wrong because compliance policies in Intune do not block updates; they enforce device configuration requirements (e.g., encryption, OS version) and mark devices non-compliant if unmet, but they do not prevent Windows Update from receiving updates. Option B is wrong because dual scan (configuring both Windows Update for Business and WSUS) is a potential issue, but it is not the next check after verifying update ring assignment and compliance; dual scan typically causes update conflicts, not a complete failure to receive updates. Option D is wrong because the question already states that update rings are assigned to the device, so verifying the Azure AD group assignment is redundant and not the next logical step.

194
MCQ · hard

A company uses Microsoft Intune to manage Windows 10 devices. They need to deploy a custom security baseline that includes blocking PowerShell scripts from running unless they are signed by a trusted publisher. Which configuration should be applied?

A. Set the PowerShell Execution Policy to 'AllSigned' via Administrative Templates.
B. Create a Windows Defender Application Control (WDAC) policy that blocks unsigned scripts.
C. Enable BitLocker with Secure Boot to validate script integrity.
D. Configure AppLocker rules to deny execution of PowerShell scripts.
Answer: A

This policy requires all scripts to be signed by a trusted publisher before running.

Why this answer

Option A is correct because setting the PowerShell Execution Policy to 'AllSigned' via Administrative Templates in Intune ensures that PowerShell scripts can only run if they are signed by a trusted publisher. This policy is enforced through Group Policy or Intune's Settings Catalog, directly controlling the PowerShell execution policy at the machine level, which meets the requirement for a custom security baseline.

Exam trap

The trap here is that candidates often confuse AppLocker or WDAC with PowerShell Execution Policy, thinking they achieve the same granular control over script signing, but only the PowerShell Execution Policy directly enforces the 'AllSigned' requirement for PowerShell scripts.

How to eliminate wrong answers

Option B is wrong because Windows Defender Application Control (WDAC) controls which executables, scripts, and drivers can run based on code integrity policies, but it does not specifically enforce a signature requirement for PowerShell scripts in the same granular way as the PowerShell Execution Policy; WDAC can block unsigned scripts but is broader and not the targeted configuration for PowerShell execution policy. Option C is wrong because BitLocker with Secure Boot validates the integrity of the boot process and system files, not script execution policies; it does not control whether PowerShell scripts must be signed. Option D is wrong because AppLocker rules can deny execution of PowerShell scripts, but they do not enforce a signature requirement from a trusted publisher; AppLocker can block or allow based on path, publisher, or hash, but the specific requirement for scripts to be signed by a trusted publisher is best achieved via the PowerShell Execution Policy set to 'AllSigned'.

195
Multi-Select · easy

You are configuring Windows Update for Business policies in Microsoft Intune. You want to ensure that devices receive quality updates (security fixes) as soon as they are released, but defer feature updates for up to 60 days. Which TWO settings should you configure?

Select 2 answers
A. Set 'Defer quality updates (days)' to 0.
B. Set 'Feature update channel' to 'Semi-Annual Channel'.
C. Set 'Update notification level' to 'Turn off notifications'.
D. Set 'Defer quality updates (days)' to 60.
E. Set 'Defer feature updates (days)' to 60.
Answers: A, E

0 days means immediate installation of quality updates.

Why this answer

Options A and E are correct. Setting the quality update deferral to 0 ensures immediate installation. Setting the feature update deferral to 60 days delays feature updates.

Option C is not a deferral setting in update rings. Option D is incorrect because feature updates should be deferred, not quality updates. Option B is a servicing channel, not a deferral setting.

196
Multi-Select · hard

You are troubleshooting an issue where Windows 10 devices are not receiving policies from Microsoft Intune. The devices are enrolled and show as 'active' in the console. Which THREE steps should you take to diagnose the problem?

Select 3 answers
A. Verify the last sync time in Intune console.
B. Re-register the device in Azure AD.
C. Check the device's local firewall rules for Intune ports.
D. Re-enroll the device by removing and re-adding it in Intune.
E. Collect MDM diagnostic logs from the device.
Answers: A, D, E

If last sync is old, the device may not be communicating.

Why this answer

Options A, D, and E are correct. Checking the last sync time helps determine whether the device is communicating. Re-enrolling can fix some issues.

Collecting the MDM diagnostic logs provides detailed error information. Option B is not necessary because the device is already enrolled. Option C is not a standard troubleshooting step.

197
MCQ · medium

Refer to the exhibit. The JSON shows a managed device's properties retrieved from Microsoft Graph. The device's complianceState is 'noncompliant'. Which step should you take next to investigate why the device is noncompliant?

A. Verify the last sync time to ensure the device is communicating.
B. Query the device's compliance policy status via Graph API or Intune console.
C. Check if the device is properly enrolled by verifying azureADRegistered.
D. Check if the device is jailbroken or rooted.
Answer: B

The compliance policy details will reveal the failing policy.

Why this answer

Option B is correct because the compliance policy details will show which specific policy failed. Option C is incorrect because the device is already enrolled. Option A is incorrect because the last sync time is recent.

Option D is incorrect because jailbreak detection is not applicable to Windows.

198
MCQ · easy

You have the above JSON policy assigned to a Windows 10 device. A user reports that they are unable to set a password that meets the policy. Which additional setting is required for the password to be accepted?

A. Increase passwordMinimumLength to 10.
B. Set passwordExpirationDays to 0 to never expire.
C. Ensure the password includes characters from at least 3 character sets.
D. Set passwordRequiredType to 'alphanumeric' (it is already set).
Answer: C

The policy requires 3 character sets.

Why this answer

Option C is correct because passwordMinimumCharacterSetCount of 3 requires the user to include characters from 3 different sets (e.g., uppercase, lowercase, digits). The other options are not directly related to the issue. Option D is incorrect because alphanumeric already includes letters and numbers.

Option A is incorrect because a minimum length of 8 is already set. Option B is incorrect because expiration does not affect whether a password is accepted.

199
MCQhard

During Windows Autopilot deployment, devices fail to enroll in Intune with error code 0x80180014. You confirm the device is registered in Autopilot and has internet connectivity. What is the most likely cause?

A.Enrollment restrictions are blocking personal devices.
B.The device is not registered in Autopilot.
C.The user account lacks an Intune license.
D.TPM attestation failed due to hardware incompatibility.
AnswerC

Common cause of this error.

Why this answer

Option C is correct because error 0x80180014 indicates that the user does not have an Intune license assigned. Option B is wrong because the device is already registered. Option A is wrong because the issue is not enrollment restrictions.

Option D is wrong because the error is not related to TPM attestation.

200
Multi-Selecthard

You are configuring Windows Information Protection (WIP) in Microsoft Intune. You want to protect corporate data from being accidentally shared to personal locations while still allowing the user to work productively. Which THREE settings should you configure?

Select 3 answers
A.Configure a device configuration profile to enable WIP.
B.Set the 'Share over' data transfer policy to 'Block'.
C.Define network boundaries (corporate IP ranges, DNS suffixes).
D.Configure the data recovery agent certificate.
E.Add protected apps that are allowed to access corporate data.
AnswersC, D, E

Network boundaries help identify corporate data.

Why this answer

Options C, D, and E are correct. Protected apps (option E) are allowed to access corporate data. The data recovery agent (option D) ensures encrypted data can be recovered.

Network boundaries (option C) define corporate network locations. Option B is not a WIP setting. Option A is for configuration profiles, not WIP.

201
MCQeasy

Refer to the exhibit. You are configuring a Windows Autopilot profile. The profile specifies enrollmentType as 'azureAdJoined'. Which scenario does this profile support?

A.Self-deploying mode where no user interaction is required.
B.User-driven deployment with Microsoft Entra ID join.
C.Hybrid Microsoft Entra ID join with on-premises domain controller.
D.On-premises Active Directory domain join only.
AnswerB

User-driven Entra ID join is the standard scenario.

Why this answer

Option B is correct because the enrollmentType 'azureAdJoined' in a Windows Autopilot profile specifically configures a user-driven deployment that joins the device to Microsoft Entra ID (formerly Azure AD). In this mode, the end user provides their Microsoft Entra ID credentials during the out-of-box experience (OOBE), and the device is registered as a Microsoft Entra ID joined device, enabling single sign-on and compliance policies without requiring on-premises infrastructure.

Exam trap

The trap here is that candidates often confuse 'azureAdJoined' with self-deploying mode (option A) because both result in Microsoft Entra ID join, but the key differentiator is that self-deploying mode requires additional profile settings (like a device enrollment manager account) and is intended for kiosk or shared devices, not user-driven scenarios.

How to eliminate wrong answers

Option A is wrong because self-deploying mode uses enrollmentType 'azureADJoined' but with a different profile setting (selfDeployingMode = true) and requires no user interaction; the question specifies only enrollmentType as 'azureAdJoined', which does not imply self-deploying mode. Option C is wrong because hybrid Microsoft Entra ID join requires an on-premises domain controller and uses enrollmentType 'azureADHybridJoined' or a profile configured for hybrid join, not 'azureAdJoined'. Option D is wrong because on-premises Active Directory domain join is not supported by Windows Autopilot; Autopilot only supports Microsoft Entra ID join or hybrid Microsoft Entra ID join, and 'azureAdJoined' explicitly targets cloud-only join.

202
MCQmedium

Your organization plans to deploy Windows 11 devices using Windows Autopilot. You need to ensure that each device is automatically enrolled in Intune and receives a custom configuration profile during the out-of-box experience (OOBE). Which two components are required?

A.A device configuration profile assigned to the device
B.A Microsoft Defender for Endpoint policy
C.An Autopilot deployment profile
D.A compliance policy
E.Windows Autopilot hardware hash
AnswerA, C

This applies settings during or after enrollment.

Why this answer

A device configuration profile assigned to the device is required because it defines the custom settings (e.g., security baselines, app restrictions, or network configurations) that must be applied during the out-of-box experience. Without this profile, the device would enroll in Intune but would not receive the specific custom configuration needed for the organization's compliance and operational requirements.

Exam trap

The trap here is that candidates often confuse the Autopilot deployment profile (which handles enrollment and OOBE branding) with the device configuration profile (which applies settings), and they may incorrectly select the hardware hash as a required component instead of the device configuration profile.

How to eliminate wrong answers

Option B is wrong because a Microsoft Defender for Endpoint policy is a security workload that protects devices post-enrollment, but it is not required for automatic enrollment or applying a custom configuration profile during OOBE. Option D is wrong because a compliance policy evaluates device settings after enrollment to enforce compliance, but it does not trigger enrollment or deliver a custom configuration profile during OOBE. Option E is wrong because the Windows Autopilot hardware hash is used to register a device with the Autopilot service and identify it, but it is not a component that directly enables automatic enrollment or profile delivery; the Autopilot deployment profile and device configuration profile are the two required components.

203
MCQhard

You have deployed the compliance policy shown in the exhibit. A Windows 10 device reports as non-compliant. The device has Windows 10 version 21H2 (build 19044.1288), password is set with 8 characters and includes numbers only, firewall is active, Defender is enabled, and BitLocker is on. Which setting is causing non-compliance?

A.passwordMinimumLength
B.passwordRequiredType
C.osMinimumVersion
D.activeFirewallRequired
AnswerB

The password is numbers only, not alphanumeric.

Why this answer

Option B is correct because the policy requires an 'alphanumeric' password (letters and numbers), but the device uses numbers only. Option C is wrong because the device build 19044.1288 is within the allowed range (19042.0 to 19045.999). Option A is wrong because a password length of 8 meets the minimum.

Option D is wrong because the firewall is active.

204
MCQhard

Your organization uses Microsoft Defender for Endpoint to manage device security. You need to ensure that all Windows devices are reporting security events to Microsoft Defender XDR. You have verified that the Microsoft Defender for Endpoint service is running on the devices. However, some devices show as 'inactive' in the Microsoft Defender XDR console. What is the most likely cause?

A.The device is not compliant with Intune compliance policies.
B.The device is not enrolled in Microsoft Intune.
C.The device does not have Microsoft Defender Antivirus enabled.
D.The Microsoft Defender for Endpoint sensor is not connected to the cloud service.
AnswerD

Inactive status typically indicates a communication issue between the sensor and the cloud.

Why this answer

The 'inactive' status in Microsoft Defender XDR indicates that the Defender for Endpoint sensor on the device has lost connectivity to the cloud service. Even if the service is running locally, the sensor must maintain an active HTTPS connection (using TLS 1.2 or higher) to the Defender for Endpoint backend to send telemetry and receive policy updates. Without this cloud connectivity, the device cannot report security events, resulting in the 'inactive' state.

Exam trap

The trap here is that candidates assume a running service equals full functionality, but the exam tests the distinction between the local service state and the cloud connectivity required for the sensor to report as 'active' in the console.

How to eliminate wrong answers

Option A is wrong because Intune compliance policies govern device configuration and access control, not the reporting status of Defender for Endpoint; a non-compliant device can still be active in Defender XDR. Option B is wrong because enrollment in Microsoft Intune is not a prerequisite for Defender for Endpoint; devices can be onboarded via Group Policy, local script, or other methods without Intune. Option C is wrong because Microsoft Defender Antivirus is a separate component; the Defender for Endpoint sensor can function and report events even if the antivirus is disabled or replaced by a third-party solution.

205
MCQmedium

A user reports that their Windows 10 device is not receiving configuration policies from Intune. The device shows as 'Enrolled' but the last check-in was 5 days ago. What is the most likely cause?

A.The device is connected through a VPN that blocks Intune traffic.
B.The device has not checked in for more than 7 days, causing Intune to mark it as inactive.
C.The device has been unenrolled from Intune.
D.The Intune Connector for Active Directory is not configured.
AnswerB

Intune requires regular check-ins; a 5-day gap may indicate connectivity issues.

Why this answer

Option B is correct because if the device has not checked in for more than 7 days, it may be considered inactive and policies won't be delivered. Option A is wrong because a VPN can still allow check-in if internet access is available. Option C is wrong because the enrollment was successful and the device still shows as 'Enrolled'.

Option D is wrong because the Intune Connector for Active Directory is for on-premises scenarios.

206
MCQeasy

You have a hybrid Azure AD joined Windows 10 device that is managed by Microsoft Intune. The device is not receiving policies. You verify that the device is enrolled and shows in Intune. You also verify that the user has an appropriate license. What should you check next?

A.Verify the MDM discovery URL and enrollment configuration in Microsoft Entra ID.
B.Re-enroll the device in Intune.
C.Ensure the device has internet connectivity.
D.Assign a compliance policy to the device.
AnswerA

Incorrect MDM configuration can prevent policy delivery.

Why this answer

The device is hybrid Azure AD joined and enrolled in Intune, but policies are not applying. Since enrollment and licensing are confirmed, the next likely cause is a misconfiguration in the MDM discovery URL or enrollment scope in Microsoft Entra ID (formerly Azure AD). This URL tells devices where to find the Intune MDM service; if it is incorrect or not configured, the device cannot retrieve policies even though it appears enrolled.

Exam trap

The trap here is that candidates assume a successfully enrolled device will always receive policies, but Microsoft Entra ID's MDM configuration acts as a gatekeeper that must be correctly set for policy delivery to function.

How to eliminate wrong answers

Option B is wrong because re-enrolling the device would not fix a configuration issue with the MDM discovery URL or enrollment scope; it would only repeat the same enrollment process that already succeeded. Option C is wrong because internet connectivity is already implied by the device being enrolled and showing in Intune; without connectivity, enrollment itself would fail. Option D is wrong because assigning a compliance policy assumes the device can receive policies, but the core issue is that the device is not receiving any policies at all, so a compliance policy would not be delivered either.

207
MCQhard

You are troubleshooting an Intune enrollment issue on a Windows 10 device. The device is Microsoft Entra joined, but the enrollment status shows 'Pending'. What is the most likely cause?

A.The device is not compliant with a conditional access policy.
B.The device does not have BitLocker enabled.
C.The Enrollment Status Page (ESP) profile is not assigned to the device.
D.The MDM authority is not set to Intune.
AnswerC

ESP profiles can cause the enrollment to hang in 'Pending' if not configured or if there is a timeout.

Why this answer

Option C is correct because the Enrollment Status Page (ESP) can cause a 'Pending' state if it is waiting for a profile or policy. Option D is wrong because the MDM authority is set at the tenant level, not per device. Option B is wrong because BitLocker is not related to enrollment.

Option A is wrong because compliance and conditional access policies are evaluated after enrollment.

208
Multi-Selectmedium

Your organization plans to use Microsoft Intune to manage macOS devices. Which TWO prerequisites are required for macOS enrollment?

Select 2 answers
A.An Apple Push Notification service (APNs) certificate.
B.A user enrollment certificate from a public CA.
C.A Volume Purchase Program (VPP) token.
D.Microsoft Entra ID join or registration.
E.A Microsoft Configuration Manager connector.
AnswersA, D

APNs certificate is required for all Apple device management in Intune.

Why this answer

An Apple Push Notification service (APNs) certificate is required for macOS enrollment because it establishes a persistent, secure connection between Microsoft Intune and Apple's servers. This certificate enables Intune to send management commands, policies, and app installations to macOS devices. Without a valid APNs certificate, Intune cannot communicate with enrolled devices, making enrollment impossible.

Exam trap

The trap here is that candidates often confuse optional post-enrollment features (like VPP tokens or Configuration Manager connectors) with mandatory enrollment prerequisites, or mistakenly think a public CA certificate is needed when Intune handles certificate provisioning internally.

209
MCQeasy

You need to deploy a line-of-business (LOB) app to 100 Windows 10 devices managed by Intune. The app is packaged as an .msi file. Which app type should you choose in Intune?

A.Windows app (Win32)
B.Line-of-business app
C.Web link
D.Microsoft Store app
AnswerB

Intune supports .msi as a line-of-business app.

Why this answer

For Windows LOB apps, Intune supports .msi, .exe, .appx, and .msix. The 'Line-of-business app' type is used for .msi files, so option B is correct.

Option A is wrong because 'Windows app (Win32)' is for .intunewin files. Option D is wrong because 'Microsoft Store app' is for store apps. Option C is wrong because 'Web link' is for web apps.

210
MCQhard

You are troubleshooting a Windows 10 device that fails to enroll in Intune manually via 'Access work or school'. The user receives the error 'We couldn't auto-discover a management endpoint matching the username entered'. What is the most likely cause?

A.The user does not have an Intune license assigned
B.The DNS CNAME record for enrollment is missing or incorrect
C.The MDM authority is not set to Intune
D.The device firewall is blocking traffic to manage.microsoft.com
AnswerB

Auto-discovery requires correct DNS record.

Why this answer

The error 'We couldn't auto-discover a management endpoint matching the username entered' indicates that the device cannot resolve the user's domain to an Intune MDM server via DNS. This is a classic symptom of a missing or incorrect DNS CNAME record (e.g., 'EnterpriseEnrollment.contoso.com' pointing to 'manage.microsoft.com'), which is required for automatic MDM discovery during manual enrollment. Without this record, the device cannot locate the Intune enrollment endpoint.

Exam trap

The trap here is that candidates often confuse a DNS discovery failure with a connectivity or licensing issue, but the specific wording 'auto-discover a management endpoint' is a direct clue that DNS CNAME resolution is the root cause, not firewall or license problems.

How to eliminate wrong answers

Option A is wrong because an Intune license is required for enrollment, but the error message specifically points to auto-discovery failure, not a licensing issue; a missing license would typically result in a 'not authorized' or 'license not found' error. Option C is wrong because the MDM authority being set to Intune is a prerequisite for enrollment, but the error here is about DNS resolution, not authority configuration; if the authority were misconfigured, the error would occur later in the process (e.g., after endpoint discovery). Option D is wrong because a firewall blocking traffic to manage.microsoft.com would cause a connection timeout or 'cannot reach server' error, not a discovery failure; the error occurs before any HTTPS traffic is attempted, during the DNS lookup phase.

211
Multi-Selectmedium

Which THREE are valid methods to prepare an existing Windows 10 device for Intune management? (Select THREE.)

Select 3 answers
A.Install and sign in to the Company Portal app
B.Deploy a Group Policy to trigger enrollment
C.Use a provisioning package created with Windows Configuration Designer
D.Join the device to Azure AD without MDM auto-enrollment
E.Enroll the device via Settings > Accounts > Access work or school
AnswersA, C, E

Company Portal can enroll devices.

Why this answer

Option A is correct because the Company Portal app is the primary client interface for Intune enrollment on Windows 10. When a user signs in with their work or school account, the app triggers the MDM enrollment process via the Windows Management Framework, registering the device with the Intune service and applying compliance policies.

Exam trap

The trap here is that candidates often confuse 'Azure AD join' with 'Intune enrollment' — joining Azure AD alone does not enroll the device in Intune unless MDM auto-enrollment is explicitly configured, making option D a distractor.

212
Multi-Selecteasy

Which TWO are valid methods to enroll Windows devices into Microsoft Intune?

Select 2 answers
A.VPN connection
B.Cloud Management Gateway
C.Azure AD join
D.Bulk enrollment using provisioning package
E.Windows Autopilot
AnswersD, E

Bulk enrollment token method.

Why this answer

Option D is correct because Windows provisioning packages (PPKG) created with Windows Configuration Designer allow bulk enrollment of Windows devices into Intune without user interaction. This method is ideal for large-scale deployments where devices are not yet Azure AD joined or Autopilot-registered, as the PPKG contains the enrollment credentials and settings to automatically join the device to Azure AD and enroll it in Intune during the out-of-box experience (OOBE).

Exam trap

The trap here is confusing prerequisites or supporting technologies (like VPN, CMG, or Azure AD join) with actual enrollment methods, leading candidates to select options that are necessary for enrollment but do not themselves perform the enrollment action.

213
MCQmedium

Your company has 200 iOS devices that are enrolled in Microsoft Intune via Apple Business Manager. The devices are used by field sales representatives who need access to the corporate CRM app and email. You need to ensure that if a device is lost or stolen, the corporate data can be removed without affecting personal data. The devices are configured with user affinity. What should you do?

A.Perform a full wipe on the device from Intune.
B.Retire the device from Intune.
C.Perform a selective wipe (corporate data removal) from Intune.
D.Create a device compliance policy to mark the device as noncompliant.
AnswerC

Selective wipe removes only managed corporate data.

Why this answer

Option C is correct because a selective wipe removes only corporate data while leaving personal data intact on devices with user affinity. Option A is incorrect because a full wipe removes all data. Option B is incorrect because retiring the device removes it from management but does not remove data.

Option D is incorrect because compliance policies do not remove data.

214
MCQmedium

Your organization uses Microsoft Intune to manage Windows 10/11 devices. You need to ensure that devices are enrolled automatically without user interaction and that the enrollment status page (ESP) is configured to block device use until required apps are installed. What should you configure?

A.Configure a Group Policy to auto-enroll devices into Intune
B.Configure a device enrollment manager (DEM) account
C.Configure Windows Autopilot self-deploying mode and an Enrollment Status Page profile
D.Configure co-management with Microsoft Configuration Manager
AnswerC

Windows Autopilot self-deploying mode enables zero-touch enrollment, and ESP can block device use until required apps are installed.

Why this answer

Option C is correct because Windows Autopilot with self-deploying mode allows zero-touch enrollment, and the Enrollment Status Page (ESP) can be configured to block device use until required apps are installed. Option D is wrong because co-management requires Configuration Manager and does not provide zero-touch enrollment. Option B is wrong because DEM is for Android and iOS, not Windows.

Option A is wrong because a GPO does not provide automatic enrollment into Intune.

215
MCQmedium

You manage a fleet of 2,000 iOS devices for a healthcare organization. The devices are used by clinicians and must be enrolled in Intune. Due to security requirements, you must ensure that devices are supervised and that the Company Portal app is installed automatically. You have Apple Business Manager (ABM) set up with Intune. You need to configure the enrollment process so that when a new device is unboxed and turned on, it automatically enrolls and receives the required configuration. Which enrollment method should you use?

A.Device enrollment (without user affinity)
B.Company Portal enrollment
C.Automated Device Enrollment (ADE) with user affinity
D.User enrollment (BYOD)
AnswerC

This provides supervision and automatic app installation.

Why this answer

Automated Device Enrollment (ADE) with user affinity is the correct method because it leverages Apple Business Manager (ABM) to supervise devices automatically during the initial setup, enforces the required supervision state, and installs the Company Portal app via a mandatory VPP app assignment. User affinity ensures that each device is associated with a specific clinician, enabling user-based policies and conditional access. This meets the healthcare organization's security requirements for supervised devices and automatic app deployment.

Exam trap

The trap here is that candidates often choose Device enrollment without user affinity (Option A) thinking it is sufficient for supervised devices, but they overlook the requirement for user-specific policies and conditional access that only user affinity can provide.

How to eliminate wrong answers

Option A is wrong because Device enrollment (without user affinity) does not associate devices with a specific user, which is required for clinician-specific policies and conditional access in a healthcare environment. Option B is wrong because Company Portal enrollment requires the user to manually install the Company Portal app and initiate enrollment, which does not guarantee automatic supervision or zero-touch deployment. Option D is wrong because User enrollment (BYOD) is designed for personally owned devices and does not support supervision or automated configuration via ABM, failing the security requirement for supervised devices.

216
MCQhard

You need to configure Windows 10 devices to automatically encrypt their drives using BitLocker when they enroll in Microsoft Intune. You have created a BitLocker policy in Endpoint Security. However, after enrollment, some devices are not encrypted. You verify that the devices have a TPM 2.0 and meet hardware requirements. What is the most likely reason for the failure?

A.The devices do not have Secure Boot enabled.
B.The TPM is not enabled in the BIOS.
C.The BitLocker policy does not require a recovery password to be saved to Azure AD.
D.The devices are not compliant with the BitLocker compliance policy.
AnswerC

Without recovery key escrow, BitLocker may not encrypt.

Why this answer

BitLocker requires a recovery key to be escrowed to Azure AD before encryption can proceed when managed via Intune. If the policy does not mandate saving the recovery password to Azure AD, the encryption process will fail silently on devices that meet all hardware prerequisites, including TPM 2.0. This is a common configuration oversight in Endpoint Security BitLocker policies.

Exam trap

The trap here is that candidates assume hardware readiness (TPM, Secure Boot) is sufficient for automatic encryption, but Intune requires explicit recovery key escrow to Azure AD as a gating condition.

How to eliminate wrong answers

Option A is wrong because Secure Boot is not a prerequisite for BitLocker; it is recommended for system integrity but BitLocker can function without it. Option B is wrong because the TPM is already confirmed as present and meeting hardware requirements (TPM 2.0), so it must be enabled in the BIOS for the devices to be recognized. Option D is wrong because compliance policies evaluate device settings after encryption; non-compliance with a BitLocker compliance policy would be a result of encryption failure, not the root cause.

217
MCQeasy

You need to deploy a Win32 app to Windows devices using Intune. The app requires admin privileges to install. How should you configure the deployment?

A.Set the install context to system.
B.Set the install context to user.
C.Assign the app as required for all users.
D.Use a line-of-business app type instead.
AnswerA

System context runs with admin rights.

Why this answer

Option A is correct because Win32 apps can be configured to install in the system context (admin privileges). Option B is wrong because the user context does not provide admin rights. Option D is wrong because the app is Win32, not line-of-business.

Option C is wrong because the assignment can be device-based; the assignment type does not grant install privileges.

218
MCQmedium

Your organization plans to deploy Windows Autopilot for new devices. You need to ensure that the hardware hashes are uploaded to Microsoft Intune before the devices are shipped to users. What is the recommended approach?

A.Add the device to Microsoft Entra ID before shipping.
B.Obtain the hardware hash from the device manufacturer or reseller.
C.Use Microsoft Configuration Manager to collect the hardware hash.
D.Run a PowerShell script on each device to capture the hardware hash.
AnswerB

OEMs and resellers can upload hashes to Intune via the OEM API.

Why this answer

Option B is correct because the OEM or reseller can upload the hardware hash directly to Intune via the OEM API or Partner Center. Option D is wrong because running a PowerShell script on the device requires it to be powered on, which delays the process. Option C is wrong because Configuration Manager can upload hashes but requires the device to be on the network.

Option A is wrong because Microsoft Entra ID does not store hardware hashes.

219
Multi-Selecteasy

Which TWO are prerequisites for co-management with Microsoft Intune and Configuration Manager? (Select TWO.)

Select 2 answers
A.Devices enrolled in Microsoft Intune
B.Configuration Manager current branch
C.On-premises Active Directory
D.Public Key Infrastructure (PKI)
E.Hybrid Microsoft Entra ID joined devices
AnswersA, E

Co-management requires Intune enrollment.

Why this answer

Option A is correct because devices must be enrolled in Microsoft Intune to establish the co-management authority. Co-management requires that the client is managed by both Configuration Manager and Intune simultaneously, and Intune enrollment is the mechanism that enables the cloud-based management workload. Without Intune enrollment, the device cannot receive policies or apps from Intune, breaking the co-management relationship.

Exam trap

The trap here is that candidates often confuse infrastructure prerequisites (like Configuration Manager current branch or PKI) with device-level prerequisites, leading them to select options that are required for the setup but not for the device itself, or they assume hybrid Azure AD join is mandatory when pure Azure AD join with Intune enrollment is sufficient.

220
MCQhard

You are planning a Windows 11 deployment using Microsoft Intune. The organization has a requirement that all devices must have BitLocker enabled with a TPM protector. You configure a BitLocker policy in Intune. However, some devices report that BitLocker is not enabled. What is the most likely reason?

A.The devices have TPM version 1.2 instead of 2.0.
B.The devices are not joined to Microsoft Entra ID.
C.The BitLocker policy is configured only for Windows 11 Enterprise devices.
D.The devices are running Windows 10 instead of Windows 11.
AnswerA

Windows 11 requires TPM 2.0 for BitLocker.

Why this answer

The most likely reason is that the devices have TPM version 1.2 instead of 2.0. BitLocker requires a TPM 2.0 chip to support the TPM protector when using the default Intune policy settings; TPM 1.2 is not supported for this configuration in Windows 11, as Microsoft requires TPM 2.0 for BitLocker system drive encryption with a TPM protector.

Exam trap

The trap here is that candidates may assume the issue is OS version (Windows 10 vs 11) or Entra ID join status, but the core requirement is TPM 2.0, which is a hardware prerequisite for Windows 11 and BitLocker TPM protector enforcement in Intune.

How to eliminate wrong answers

Option B is wrong because devices do not need to be joined to Microsoft Entra ID for BitLocker to be enabled via Intune; they can be hybrid joined or managed via co-management, and the policy can still apply. Option C is wrong because the BitLocker policy in Intune is not limited to Windows 11 Enterprise; it can be configured for Windows 11 Pro, Education, and Enterprise editions. Option D is wrong because Windows 10 devices also support BitLocker with TPM 2.0, and the policy would still apply if the TPM version is 2.0; the issue is specifically TPM version, not the OS version.

221
MCQeasy

A company uses Microsoft Intune to manage iOS devices. They need to ensure that only devices with a passcode of at least 6 characters can access corporate email. Which type of policy should they create?

A.App protection policy
B.Enrollment restriction
C.Device configuration policy
D.Device compliance policy
AnswerD

Device compliance policies can require a passcode length for conditional access.

Why this answer

Option D is correct because device compliance policies enforce security requirements like passcode length. Option C is wrong because configuration policies set settings but don't enforce compliance. Option A is wrong because app protection policies target app-level protection.

Option B is wrong because enrollment restrictions control device types.

222
MCQeasy

You are troubleshooting an issue where a user reports that their Windows device is not receiving compliance policies from Intune. The device shows as 'Not compliant' in the Intune console. What is the most likely cause?

A.The user does not have an Intune license assigned.
B.The device is not enrolled in Intune.
C.The compliance policy is stale and needs to be re-assigned.
D.The device has no network connectivity.
AnswerB

Enrolled devices are required to receive policies.

Why this answer

Option B is correct because if the device is not enrolled in Intune, it cannot receive policies. Option A is wrong because even if the user is not licensed, the device may still enroll but policies may not apply. Option C is wrong because a stale policy would still apply.

Option D is wrong because network connectivity affects policy retrieval, not enrollment.

223
Multi-Selecthard

Your organization uses Microsoft Intune and you need to configure Windows Autopilot for hybrid Microsoft Entra ID join. Which THREE components are required?

Select 3 answers
A. A domain join profile (configured in Intune).
B. A device compliance policy.
C. An Autopilot deployment profile.
D. An MDM push certificate.
E. An enrollment status page profile.
Answers: A, C, E

Specifies on-premises AD domain for hybrid join.

Why this answer

A domain join profile is required for hybrid Microsoft Entra ID join because it provides the on-premises Active Directory domain information that the device needs during Autopilot provisioning. Without this profile, the device cannot complete the domain join step, which is essential for establishing the hybrid identity state.

Exam trap

The trap here is that candidates often confuse the requirement for a device compliance policy with the need for a domain join profile, not realizing that compliance policies are applied after enrollment and are not prerequisites for the Autopilot hybrid join process.

224
Multi-Select · medium

Which TWO actions should you take to prepare a Windows 10 device for a deployment using Windows Autopilot?

Select 2 answers
A. Join the device to Microsoft Entra ID manually.
B. Ensure the device has an internet connection during the out-of-box experience.
C. Enable BitLocker encryption on the device.
D. Upgrade the device to the latest Windows 10 version.
E. Collect the hardware hash of the device.
Answers: B, E

Internet connectivity is required to download the Autopilot profile and complete enrollment.

Why this answer

Option B is correct because Windows Autopilot requires an internet connection during the Out-of-Box Experience (OOBE) to download the Autopilot profile from the Microsoft Intune service and to authenticate with Microsoft Entra ID. Without connectivity, the device cannot complete the enrollment or apply the deployment profile.

Exam trap

The trap here is that candidates often think manual Entra ID join or BitLocker are required steps, but Autopilot is designed to automate these tasks, and the only strict prerequisite is network connectivity during OOBE.

225
MCQ · medium

You are troubleshooting a Windows 10 device that fails to install a required application from Microsoft Intune. The device shows the application as 'Enforced' but never installs. The application is a line-of-business (LOB) app. What should you check first?

A. Ensure the app is assigned to a device group using 'Required' intent.
B. Verify that the Intune Management Extension is installed on the device.
C. Check if the application package has a valid code signing certificate.
D. Check if the app is available in the Microsoft Store for Business.
Answer: C

LOB apps must be signed with a trusted certificate.

Why this answer

Option C is correct because LOB apps must be signed with a certificate the device trusts; an unsigned or untrusted package will be enforced by Intune but silently fail to install. Option B is incorrect because the Intune Management Extension handles Win32 apps, not LOB apps. Option A is incorrect because the 'Enforced' status already shows the app is assigned as required, so the assignment is not the cause. Option D is incorrect because the app need not be in the Microsoft Store for Business catalog; LOB apps are uploaded directly to Intune.
