CCNA Prepare infrastructure for devices Questions

29 of 254 questions · Page 4/4 · Prepare infrastructure for devices · Answers revealed

226
MCQ · easy

Refer to the exhibit. A detection script for a Win32 app in Intune uses a WMI query. The script is expected to detect if BitLocker is not enabled. What will the script return if BitLocker is enabled on the device?

A. It returns the protection status as 1.
B. It returns the drive letter of the protected volume.
C. It returns no results, indicating that BitLocker is enabled.
D. It returns an error because the query is invalid.
Answer: C

No volumes match the condition when BitLocker is on.

Why this answer

Option C is correct because the query returns volumes where ProtectionStatus = 0 (not protected). If BitLocker is enabled, ProtectionStatus = 1, so no results are returned, meaning the script would return a non-detection (often $false or exit 1, depending on the script). Option A is incorrect because the query returns nothing when protection is on.

Option B is incorrect because no results are returned. Option D is incorrect because the query is valid.

227
MCQ · medium

Refer to the exhibit. You create a new update ring policy for Windows 10 devices. You assign the policy to a test group. After a week, you notice that no devices have installed any quality updates. Devices are online and enrolled. What is the most likely reason?

A. Devices are assigned a different update ring policy that defers quality updates.
B. The feature update deferral period is too long.
C. The quality update pause start date is set to a future date.
D. The policy requires a restart to take effect.
Answer: A

Conflicting policies can cause no updates to apply.

Why this answer

The policy sets QualityUpdateDeferralInDays to 0, which means no deferral, but if the pause start date is null, updates should install. However, if the devices are not receiving updates, it could be that the policy is not applied. But the exhibit shows that quality update deferral is 0, so quality updates should be installed immediately.

Option C is correct because if the quality update pause start date is not set, it does not pause updates. Actually, the issue might be that the policy is not assigned correctly. But given the options, Option B is plausible: If the devices have a conflicting update ring policy that defers quality updates, they might not install.

Option A is wrong because feature update deferral does not affect quality updates. Option D is wrong because the policy does not pause quality updates.

228
MCQ · medium

You use Microsoft Intune to manage macOS devices. You need to deploy a shell script that runs on all macOS devices. What is the correct method?

A. Add a shell script under Devices > Scripts
B. Use Company Portal to distribute the script
C. Add a PowerShell script under Devices > Scripts
D. Create a custom configuration profile with Bash script
Answer: A

Intune supports shell scripts for macOS.

Why this answer

Option A is correct because Intune supports shell scripts for macOS via the Scripts blade. Option B is wrong because PowerShell is for Windows. Option C is wrong because macOS does not have a Company Portal equivalent for scripts.

Option D is wrong because there is no Bash script type in Intune; shell scripts are used.

229
MCQ · hard

A multinational organization uses Microsoft Entra ID joined devices with Intune. The security team wants to block enrollment of devices from non-corporate networks unless they have a compliant certificate. Which enrollment restriction should you configure?

A. Device platform restrictions
B. Conditional Access policy requiring hybrid Azure AD join
C. Compliance policy for device health
D. Enrollment device restrictions with certificate requirement
Answer: D

This allows only devices presenting a valid certificate to enroll.

Why this answer

Option D is correct because enrollment device restrictions in Intune allow you to block enrollment from non-corporate networks unless a compliant certificate is present. This is configured under 'Enrollment device restrictions' where you can set a 'Block' action for devices not on trusted networks and require a certificate for compliance, ensuring only authenticated devices can enroll from untrusted locations.

Exam trap

The trap here is confusing post-enrollment controls (compliance policies, Conditional Access) with pre-enrollment controls (enrollment restrictions), leading candidates to select options that manage devices after they are already enrolled rather than blocking enrollment itself.

How to eliminate wrong answers

Option A is wrong because device platform restrictions control which operating systems (e.g., Windows, iOS, Android) can enroll, not network-based certificate requirements. Option B is wrong because a Conditional Access policy requiring hybrid Azure AD join applies to access to cloud apps after enrollment, not to the enrollment process itself, and it does not enforce certificate-based network restrictions. Option C is wrong because compliance policies evaluate device health (e.g., encryption, jailbreak status) after enrollment, not during the enrollment flow, and cannot block enrollment from specific networks.

230
MCQ · hard

A user reports that their Windows 11 device is not receiving a required security baseline policy from Microsoft Intune. The device appears as compliant in the Microsoft Intune admin center. Other devices in the same group receive the policy. You verify that the policy is assigned to the correct group and that the user is a member. What is the most likely cause?

A. The device has not checked in with Intune recently or has a policy conflict
B. The user is not a member of the Azure AD group that the policy is assigned to
C. The policy is not assigned to any group
D. The device is marked as non-compliant and has been blocked
Answer: A

If the device hasn't checked in or has a conflict, it may not apply the policy.

Why this answer

Option D is correct because the problem is isolated to one device, and the user is in the correct group. The most likely cause is that the device is in a pending state such as waiting for check-in or has a conflict with another policy. Option A is wrong because if the user were not in the group, the policy would not apply to any devices, but other devices in the same group receive the policy.

Option B is wrong because the device is compliant. Option C is wrong because the policy is assigned to the group and other devices receive it.

231
Multi-Select · hard

Which THREE of the following are valid methods to enroll Android devices into Microsoft Intune?

Select 3 answers
A. Android Device Administrator
B. Android Legacy
C. Android Enterprise work profile
D. Android Open Source Project (AOSP)
E. Android Enterprise fully managed
Answers: C, D, E

Work profile is for BYOD scenarios, separating work and personal data.

Why this answer

Option C is correct because Android Enterprise work profile is a supported enrollment method in Microsoft Intune that allows users to keep their personal apps and data separate from corporate data on the same device. Intune manages the work profile using the Android Enterprise platform, which provides containerization and policy enforcement without requiring full device control.

Exam trap

The trap here is that candidates confuse 'Android Device Administrator' (a deprecated method) with 'Android Enterprise work profile' (a modern method), or mistakenly think 'Android Legacy' is a valid enrollment option when it is not a recognized Intune enrollment type.

232
Multi-Select · medium

Which TWO are valid methods to deploy Windows 10/11 using Microsoft Intune?

Select 2 answers
A. Windows Autopilot
B. Provisioning packages (PPKG)
C. PXE boot from a distribution point
D. Network boot via WDS
E. Bootable USB media with Windows Setup
Answers: A, B

Cloud-native deployment method.

Why this answer

Windows Autopilot is a valid Intune deployment method because it uses cloud-based configuration to transform a new or existing device into a business-ready state without manual imaging. It leverages hardware hashes uploaded to Intune, which then applies policies, apps, and settings during the out-of-box experience (OOBE). This eliminates the need for traditional imaging infrastructure.

Exam trap

The trap here is that candidates confuse on-premises deployment tools (WDS, PXE, USB media) with cloud-native Intune methods, forgetting that Intune is a cloud-only MDM service that does not support direct imaging or network boot protocols.

233
MCQ · easy

You need to ensure that all corporate-owned Windows devices automatically receive security updates as soon as they are released by Microsoft. Which update ring policy setting should you configure in Microsoft Intune?

A. Set the 'Microsoft product updates' setting to 'Allow'.
B. Set 'Defer quality updates' to 0 days.
C. Select the 'Windows Insider' channel for quality updates.
D. Select the 'Semi-Annual Channel' for feature updates.
Answer: B

0-day deferral means updates are installed immediately.

Why this answer

Option D is correct because the 'Defer feature updates' and 'Defer quality updates' settings control how long updates are delayed; setting them to 0 ensures immediate installation. Option A is incorrect because it is a service channel, not a deferral setting. Option B is incorrect because 'Semi-Annual Channel' delays feature updates by 4 months.

Option C is incorrect because 'Windows Insider' is for preview builds.

234
Multi-Select · hard

Which THREE components are required for a successful co-management setup between Configuration Manager and Microsoft Intune? (Choose three.)

Select 3 answers
A. Microsoft Intune tenant
B. Configuration Manager current branch
C. Service connection point (Cloud Attach)
D. Public key infrastructure (PKI) certificates
E. Microsoft Entra ID (Azure AD)
Answers: A, B, E

Intune is the cloud management side.

Why this answer

Options A, B, and D are correct. Co-management requires Azure AD (Entra ID) for identity, Intune tenant for enrollment, and Configuration Manager current branch for management. Option C is not required; a service connection point is needed for cloud attach, but not specifically for co-management.

Option E is not required; a PKI is optional.

235
Multi-Select · hard

You are planning device management for a corporate environment with Windows 10, iOS, and Android devices. You need to implement a solution that allows users to access corporate email and documents securely on their personal devices without IT managing the entire device. Which THREE components should you include?

Select 3 answers
A. Azure AD application proxy for on-premises apps
B. Device enrollment into Intune
C. Microsoft Intune app protection policies (MAM)
D. Azure AD conditional access policies
E. Device compliance policies
Answers: A, C, D

Provides secure remote access without VPN.

Why this answer

Options A, B, and C are correct. MAM policies protect app data at the application level without full device management. Conditional access controls access based on compliance.

Azure AD app proxy provides secure remote access to on-premises apps. Option D is not needed because device enrollment is not required. Option E is for device-level management, not app-level.

236
MCQ · hard

Your organization plans to deploy Windows Autopilot for existing devices that are currently running Windows 10. You need to convert these devices from a traditional imaging deployment to an Autopilot deployment. You want to minimize user disruption. What should you do?

A. Assign an Autopilot deployment profile to the device group in Intune.
B. Export the hardware hash from each device and upload it manually to Intune.
C. Use a provisioning package (PPKG) to reset the device and register it for Autopilot.
D. Perform a full device wipe and reimage using traditional methods, then register with Autopilot.
Answer: C

PPKG allows reset and registration with minimal user disruption.

Why this answer

Option C is correct because using a provisioning package (PPKG) to reset the device and register it for Autopilot is the recommended method for converting existing Windows 10 devices to Autopilot with minimal user disruption. The PPKG approach allows you to capture the hardware hash, reset the device, and register it with the Autopilot service in a single process, avoiding the need for a full manual wipe or reimage. This method preserves the user's data and settings during the reset, aligning with the goal of minimizing disruption.

Exam trap

The trap here is that candidates often confuse the registration step (exporting the hardware hash) with the actual conversion process, failing to recognize that a reset or provisioning package is required to complete the Autopilot enrollment without disrupting users.

How to eliminate wrong answers

Option A is wrong because assigning an Autopilot deployment profile to a device group in Intune only applies after the device is already registered with Autopilot; it does not convert an existing device or register its hardware hash. Option B is wrong because manually exporting and uploading the hardware hash is a prerequisite for registration but does not perform the conversion or reset; it requires additional steps to actually deploy Autopilot, causing more disruption. Option D is wrong because performing a full device wipe and reimage using traditional methods contradicts the goal of minimizing user disruption, as it erases all data and settings, and then registering with Autopilot adds unnecessary overhead.

237
MCQ · easy

You are configuring Windows Autopilot for new devices. The devices need to be automatically enrolled in Intune and assigned to a specific group based on their serial number. What is the required step before the devices can be recognized by Autopilot?

A. Configure Intune enrollment for all users using device enrollment managers.
B. Register the devices using their hardware hash in the Microsoft Intune admin center.
C. Join the devices to Microsoft Entra ID manually before shipping.
D. Upload a CSV file with device serial numbers to Microsoft Entra ID.
Answer: B

Hardware hash registration is the standard method.

Why this answer

Before Windows Autopilot can recognize and automatically enroll devices, they must be registered as Autopilot devices. This is done by uploading their hardware hash (a unique identifier derived from the device's TPM and other hardware) into the Microsoft Intune admin center. Once registered, the device is associated with an Autopilot profile and can be automatically enrolled in Intune and assigned to a group based on its serial number during the out-of-box experience.

Exam trap

The trap here is that candidates often confuse device registration (uploading the hardware hash) with device enrollment (assigning users or policies), or mistakenly think that simply listing serial numbers in a CSV is sufficient for Autopilot recognition.

How to eliminate wrong answers

Option A is wrong because configuring Intune enrollment for all users using device enrollment managers does not register the device with Autopilot; it only allows a delegated user to enroll devices manually, bypassing the Autopilot registration requirement. Option C is wrong because manually joining devices to Microsoft Entra ID before shipping defeats the purpose of Autopilot's zero-touch provisioning; Autopilot handles the join automatically during OOBE. Option D is wrong because uploading a CSV file with device serial numbers to Microsoft Entra ID is not a supported method for Autopilot registration; Autopilot requires the hardware hash (or other identifiers like PKID or TPM hash) to be uploaded via Intune or a CSP, not just serial numbers.

238
MCQ · easy

You are troubleshooting an Autopilot deployment where devices are not receiving the expected configuration policies after enrollment. The devices show as enrolled in Intune but are stuck in a 'pending' state for policy application. What is the most likely cause?

A. The device is not registered in Autopilot.
B. The user does not have an assigned Intune license.
C. The device has a slow internet connection.
D. The Autopilot profile is set to 'offline' mode.
Answer: B

Without license, policies are not applied.

Why this answer

When a device is enrolled in Intune but stuck in a 'pending' state for policy application, the most common cause is that the user account lacks an assigned Intune license. Without a license, the user cannot synchronize policies from the Intune service, even though the device itself appears in the console. This is a prerequisite for policy delivery and is often overlooked during troubleshooting.

Exam trap

The trap here is that candidates often assume a device showing as 'enrolled' means all prerequisites are met, overlooking that user license assignment is a separate requirement for policy delivery in user-driven Autopilot scenarios.

How to eliminate wrong answers

Option A is wrong because if the device were not registered in Autopilot, it would not appear as enrolled in Intune at all; the 'pending' state specifically indicates enrollment succeeded but policy application is blocked. Option C is wrong because a slow internet connection would cause timeouts or partial downloads, not a persistent 'pending' state; the device would eventually either apply policies or fail with a connectivity error. Option D is wrong because an 'offline' Autopilot profile is not a valid setting; Autopilot profiles are either 'user-driven' or 'self-deploying' modes, and 'offline' refers to offline enrollment (using a provisioning package), which still applies policies normally once the device connects to Intune.

239
MCQ · medium

You need to configure device compliance for devices that are not running Windows. The devices include iOS, iPadOS, Android, and macOS. Which compliance settings are common across all platforms?

A. Require device password and not allow simple passwords.
B. Require minimum OS version.
C. Device must not be jailbroken/rooted.
D. Require BitLocker encryption.
Answer: B

All platforms support a minimum OS version compliance rule.

Why this answer

Requiring a minimum OS version is a common compliance setting across all major platforms. Option B is correct. Option A is wrong because BitLocker is Windows-only.

Option C is wrong because jailbreak detection is available only on iOS/iPadOS. Option D is wrong because requiring a password is common, but 'simple passwords' is not a standard compliance setting; the setting is 'require password' which is common, but the question asks for common settings, and 'minimum OS version' is universally supported.

240
MCQ · easy

Your organization wants to use Microsoft Intune to manage Windows devices that are joined to an on-premises Active Directory domain. The devices will be hybrid Azure AD joined. Which tool should you use to configure automatic enrollment into Intune?

A. Group Policy
B. Windows Autopilot
C. System Center Updates Publisher (SCUP)
D. Configuration Manager Cloud Management Gateway (CMG)
Answer: A

Group Policy can configure the 'Enable automatic MDM enrollment using default Azure AD credentials' setting.

Why this answer

Option D is correct because Group Policy is used to configure automatic enrollment for hybrid AD-joined devices. Option A is wrong because CMG is for co-management, not enrollment. Option B is wrong because Autopilot is for new devices.

Option C is wrong because SCUP is for updates.

241
MCQ · medium

Your company uses Microsoft Intune to manage mobile devices. You need to ensure that corporate data on Android Enterprise work profiles is protected so that users cannot copy and paste data from work apps to personal apps. Which configuration should you implement?

A. Create an app protection policy that restricts data transfer between work and personal apps.
B. Create a device configuration policy that disables clipboard sharing.
C. Create a device compliance policy that requires a work profile.
D. Create a conditional access policy that blocks personal apps.
Answer: A

MAM policies can prevent copy/paste across profiles.

Why this answer

Option B is correct because app protection policies (MAM) can restrict data transfer between work and personal contexts. Option A is incorrect because compliance policies do not control copy/paste behavior. Option C is incorrect because configuration policies set app settings, not data protection.

Option D is incorrect because device compliance policies are not granular enough.

242
MCQ · easy

You need to deploy a custom Windows 10 image to 100 new devices using Microsoft Intune. The devices are not yet enrolled. Which method should you use to deploy the image and enroll the devices?

A. Use PXE boot to deploy the image and then enroll via a provisioning package.
B. Create a bootable USB with the image and manually enroll each device.
C. Use Microsoft Configuration Manager to deploy the image and enroll via co-management.
D. Use Windows Autopilot to deploy a custom image and automatically enroll the devices.
Answer: D

Autopilot supports custom images (with Windows 11 21H2+) and auto-enrollment.

Why this answer

Option B is correct because Windows Autopilot can deploy a custom image and automatically enroll devices. Option A is wrong because PXE boot is not supported by Intune directly. Option C is wrong because USB deployment is manual.

Option D is wrong because Configuration Manager is a separate tool.

243
MCQ · medium

Your organization uses Windows Autopilot for user-driven deployments. You need to ensure that during the out-of-box experience (OOBE), users are prompted to set up Windows Hello for Business. Which setting should you configure in the Autopilot profile?

A. Skip privacy settings
B. Windows Hello for Business
C. Device name template
D. Language (Region)
Answer: B

This setting enables Hello enrollment during OOBE.

Why this answer

Option C is correct because the 'Windows Hello for Business' setting in the Autopilot profile controls this behavior. Option A is wrong because the 'Language' setting is for locale. Option B is wrong because 'Skip privacy settings' bypasses privacy, not Hello.

Option D is wrong because 'Device name template' is for naming.

244
MCQ · medium

A user has an Android Enterprise fully managed device. The device is enrolled in Microsoft Intune and all policies are applied. However, the user cannot install a required app from the managed Play Store. The app appears in the company portal but fails to install. What should you check first?

A. Ensure that the device has a policy to allow installation of unapproved apps.
B. Check if the device's enrollment token is still valid.
C. Check if the app is available in the unmanaged Play Store.
D. Verify that the app has been approved in the managed Google Play store.
Answer: D

Apps must be approved before deployment.

Why this answer

Option B is correct because managed Play Store apps require approval. Option A is incorrect unless the app is not available in the managed store. Option C is incorrect because enrollment token is for enrollment, not app installation.

Option D is incorrect because unapproved apps are not blocked by default.

245
MCQ · medium

You have the above profile assigned to a macOS device. After the profile is applied, the device shows FileVault as 'Encrypted'. However, the recovery key is not escrowed to Intune. What is the most likely reason?

A. FileVault encryption is not enabled on the device.
B. The recovery key type should be 'Institutional recovery key'.
C. The 'Show recovery key' setting is not configured, so the user is not prompted to escrow.
D. Personal recovery key rotation is enabled, causing a conflict.
Answer: C

User must be prompted to escrow.

Why this answer

Option D is correct because 'Show recovery key: Not configured' means the user is not prompted to escrow the key. Option A is incorrect because encryption is enabled. Option B is incorrect because rotation is enabled.

Option C is incorrect because the key type is personal.

246
MCQ · hard

Your organization uses Microsoft Intune to manage Windows 11 devices. You need to deploy a custom Windows security baseline that includes specific BitLocker settings. What is the best approach to create and assign this configuration?

A. Use a compliance policy with custom settings to enforce BitLocker.
B. Create a new security baseline from scratch and include the BitLocker settings.
C. Copy the built-in Windows security baseline and customize the BitLocker settings in the copy.
D. Edit the built-in Windows security baseline and add the BitLocker settings.
Answer: C

Intune allows you to duplicate a baseline and modify settings.

Why this answer

Option B is correct because custom security baselines in Intune are created by copying the built-in baseline and modifying settings. Option A is wrong because you cannot edit the built-in baseline directly. Option C is wrong because custom baselines are created from existing baselines, not from scratch.

Option D is wrong because security baselines are not configured via compliance policies.

247
MCQ · hard

Refer to the exhibit. You deploy this compliance policy to Windows 10 devices. Some devices running Windows 10 22H2 (build 19045.3803) are marked as noncompliant. What is the most likely reason?

A. The device has a password length of 6 characters, not meeting the minimum of 8.
B. The policy requires a firewall, but Windows Defender Firewall is disabled on the device.
C. The device is not enrolled in Microsoft Intune.
D. The device is running a build outside the allowed OS version range specified in the policy.
Answer: A

The policy requires a minimum password length of 8, so a device with a shorter password would be noncompliant.

Why this answer

Option A is correct because the compliance policy specifies a minimum password length of 8 characters, and devices with a password length of 6 characters fail this requirement. In Microsoft Intune, compliance policies evaluate device settings against defined rules, and a password length below the minimum is a common reason for noncompliance. The devices are running Windows 10 22H2 (build 19045.3803), which is within the allowed OS version range, so the issue is specifically the password policy.

Exam trap

The trap here is that candidates may assume the noncompliance is due to a missing firewall or OS version mismatch, but the exhibit clearly shows only password policy settings, so the focus should be on the password length requirement.

How to eliminate wrong answers

Option B is wrong because the policy does not include a firewall requirement; the exhibit shows only password-related settings, so a disabled firewall would not cause noncompliance. Option C is wrong because the devices are already managed by Intune (they are marked as noncompliant, which requires enrollment), so the issue is not lack of enrollment. Option D is wrong because the devices are running build 19045.3803, which is within the allowed OS version range specified in the policy (Windows 10 22H2), so the build is not outside the allowed range.

248
MCQ · hard

You manage devices with Microsoft Intune. You need to deploy a line-of-business (LOB) app to iOS devices. The app is signed with an enterprise certificate. Some devices report installation failure with error code 0x87D13B9F. What is the most likely cause?

A. The app package is not signed.
B. The app is not available in the Apple App Store.
C. The enterprise signing certificate is not trusted on the device.
D. The device does not have enough storage space.
Answer: C

Error 0x87D13B9F indicates that the app's signing certificate is not trusted, often because the certificate profile is missing.

Why this answer

Error code 0x87D13B9F in Microsoft Intune typically indicates a signing certificate trust issue. Since the app is signed with an enterprise certificate, the device must have that certificate installed and trusted in its trusted root store. If the certificate is not trusted, iOS will reject the installation, producing this specific error.

Exam trap

The trap here is that candidates may confuse a signing error (missing certificate trust) with a packaging error (unsigned app), but the error code 0x87D13B9F specifically points to trust, not signature absence.

How to eliminate wrong answers

Option A is wrong because the question explicitly states the app is signed with an enterprise certificate, so the package is signed. Option B is wrong because line-of-business (LOB) apps are deployed directly via Intune and do not require availability in the Apple App Store. Option D is wrong because insufficient storage space would generate a different error (e.g., 0x87D13B9E or a storage-specific code), not 0x87D13B9F.

249
MCQ · medium

You have deployed the above compliance policy in Microsoft Intune. A Windows 10 device running version 10.0.19042.0 is marked as noncompliant. You verify that the device meets all password, encryption, firewall, and Defender requirements. What is the most likely reason for noncompliance?

A. The device is running a version higher than the maximum OS version.
B. The device is running a version lower than the minimum OS version.
C. The device's antivirus software is not Microsoft Defender.
D. The device does not have a TPM 2.0 chip.
Answer: A

The device version 10.0.22622.0 exceeds the maximum OS version 10.0.22621.0.

Why this answer

The compliance policy includes a maximum OS version rule, and the device is running version 10.0.19042.0. Since this version is higher than the configured maximum, the device is marked as noncompliant even though it meets all other requirements. In Intune, OS version rules are evaluated as strict comparisons, so exceeding the maximum triggers noncompliance regardless of other settings.

Exam trap

The trap here is that candidates assume noncompliance must be due to a missing security requirement (like antivirus or encryption), but the question explicitly states those are met, leading them to overlook the OS version rule as the cause.

How to eliminate wrong answers

Option B is wrong because the device version 10.0.19042.0 is not lower than any typical minimum OS version (e.g., 10.0.17763 for Windows 10 1809), and the question states the device meets all password, encryption, firewall, and Defender requirements, implying the minimum OS version is satisfied. Option C is wrong because the question explicitly verifies that the device meets Defender requirements, meaning Microsoft Defender is active and compliant. Option D is wrong because TPM 2.0 is not a default compliance setting in Intune for Windows 10; it is only required if explicitly configured in a compliance policy, and the question does not indicate such a rule.

250
MCQ · hard

Refer to the exhibit. You are configuring a device compliance policy in Microsoft Intune for Windows devices. Based on the JSON configuration, what will happen if a device does not have a password set?

A. The device will be marked non-compliant but no action is taken until the grace period expires
B. The device will be marked non-compliant and after 24 hours access will be blocked, then retired after 72 hours
C. The device will be retired immediately because password is not set
D. The device will be immediately blocked from accessing corporate resources
Answer: B

The scheduled actions define block after 24h, then retire after 72h.

Why this answer

Option C is correct because the compliance policy has a grace period of 24 hours before blocking, and then 72 hours before retiring. The device is not immediately blocked. Option A is wrong because there is a grace period.

Option B is wrong because there are two actions: block then retire. Option D is wrong because the device is not immediately retired; it goes through block first.

251
MCQ · hard

Refer to the exhibit. You have configured a Windows update ring using the JSON above. Today is March 10, 2025. Devices assigned to this ring are not receiving any quality updates. What is the most likely reason?

A. The quality update deferral of 7 days has not yet elapsed since the last update.
B. The quality update pause has expired, but quality updates are still blocked.
C. Quality updates are paused until March 15, 2025.
D. Feature updates are deferred for 30 days, preventing all updates.
Answer: C

The pause is active, blocking quality updates.

Why this answer

Option C is correct because the JSON configuration includes 'qualityUpdatesPauseStartDate': '2025-03-01' and 'qualityUpdatesPauseExpiryDate': '2025-03-15'. Since today is March 10, 2025, the pause is still active and will block all quality updates until March 15. The pause overrides any deferral settings, so devices will not receive quality updates regardless of the 7-day deferral period.

Exam trap

The trap here is that candidates often confuse 'deferral' with 'pause' and assume a short deferral period is the cause, overlooking that an active pause overrides all deferral settings for that update type.

How to eliminate wrong answers

Option A is wrong because the 7-day quality update deferral is irrelevant while a pause is active; the pause explicitly blocks updates until its expiry date. Option B is wrong because the pause has not expired (it expires on March 15, 2025), so updates are still blocked by the pause, not by an expired pause. Option D is wrong because feature update deferral settings do not affect quality updates; quality and feature update policies are independent in Windows Update for Business.

252
MCQ · medium

You are setting up Microsoft Intune for the first time. You need to ensure that users can enroll their iOS devices using the Company Portal app. You have configured the enrollment restrictions to allow iOS enrollment. However, users report that they see an error 'This device is not allowed to enroll' when trying to enroll. What is the most likely cause?

A. A conditional access policy requires compliant devices.
B. The Apple MDM push certificate is not configured.
C. The enrollment restrictions are set to block personally owned devices.
D. The users have not accepted the terms of use.
Answer: C

If personal devices are blocked, users get the 'not allowed to enroll' error.

Why this answer

Option D is correct because enrollment restrictions must allow personal devices if users are using personal iOS devices. Option A is wrong because Apple MDM push certificate is required for enrollment, but the error message is different. Option B is wrong because terms of use appear after enrollment attempt.

Option C is wrong because conditional access policies do not block enrollment but access after enrollment.

253
MCQ · easy

Your company uses Microsoft Intune to manage devices. You need to ensure that all corporate-owned iOS devices automatically enroll in Intune when users sign in with their work account. Which enrollment method should you configure?

A. Apple Configurator enrollment
B. Device Enrollment Manager (DEM) account
C. Apple Automated Device Enrollment (ADE)
D. User-initiated enrollment via Company Portal
Answer: C

ADE enables zero-touch deployment where devices enroll automatically when the user signs in with a work account.

Why this answer

Apple Automated Device Enrollment (ADE) is the correct method because it enables zero-touch, automated enrollment for corporate-owned iOS devices. When ADE is configured with Intune, devices are automatically enrolled during the initial setup assistant when the user signs in with their work account, without requiring manual intervention or the Company Portal app.

Exam trap

The trap here is that candidates often confuse Apple Configurator enrollment (a manual, wired method) with ADE (an automated, over-the-air method), or they think user-initiated enrollment via Company Portal can be automated, but it requires manual steps by the user.

How to eliminate wrong answers

Option A is wrong because Apple Configurator enrollment is a manual, wired method intended for small-scale or shared device scenarios, not for automatic enrollment at scale when users sign in. Option B is wrong because the Device Enrollment Manager (DEM) account is used to enroll multiple devices using a single shared account, not to trigger automatic enrollment per user sign-in. Option D is wrong because user-initiated enrollment via Company Portal requires the user to manually download the app and enroll, which does not meet the requirement for automatic enrollment when signing in with a work account.

254
MCQ · easy

Refer to the exhibit. You are reviewing an Intune management intent configuration. What does this setting configure on Windows devices?

A. Disables the Windows Firewall for all network profiles
B. Enables the Windows Firewall for the public network profile
C. Enables Microsoft Defender Antivirus real-time protection
D. Disables the Windows Firewall for the domain network profile
Answer: B

The setting enables the firewall on the public profile.

Why this answer

Option A is correct because the setting ID references Windows Firewall public profile enable firewall, and the value '1' means enabled. Option B is wrong because it's firewall, not Defender. Option C is wrong because it's public profile, not domain.

Option D is wrong because it enables, not disables.
