CCNA Protect devices Questions

13 of 163 questions · Page 3/3 · Protect devices · Answers revealed

151
MCQ · easy

Your company has 500 Windows 10 devices that are Hybrid Azure AD joined and managed by Microsoft Intune. You need to deploy a new line-of-business (LOB) app to all devices. The app is packaged as a .msi file. You create a new app in Intune and assign it to a device group containing all devices. After 24 hours, some devices report the app as 'Installed' but others show 'Failed'. You verify that the devices are online and have network connectivity. What should you do next to resolve the installation failures?

A. Use a PowerShell script to install the app on failed devices.
B. Check the Intune management extension logs on a failed device.
C. Create a new device group and assign the app again.
D. Re-assign the app to the device group.
Answer: B

Logs will show the specific error code or dependency issue.

Why this answer

Option B is correct because the most common cause of .msi installation failures is missing prerequisites or dependencies. Checking the Intune management extension logs on the device will reveal the specific error. Option D is wrong because the app is already assigned; re-assigning won't fix underlying issues.

Option C is wrong because the app is already targeted to all devices. Option A is wrong because scripts are not needed; the issue is likely with the app itself.

152
MCQ · medium

Refer to the exhibit. The Intune device compliance policy shown is assigned to a group of Windows 10 devices. A user reports that their device is marked as noncompliant. The device has a password set, BitLocker enabled, Secure Boot on, and code integrity (HVCI) enabled. What is the most likely reason?

A. Secure Boot is not properly configured in UEFI
B. The device uses a biometric sign-in method instead of a password
C. Code integrity (HVCI) is not enabled
D. Device encryption is using a software-based method
Answer: B

"deviceDefault" may require a password; biometrics alone may not satisfy.

Why this answer

Option B is correct: the policy requires passwordRequiredType set to "deviceDefault", which typically means a PIN or alphanumeric password. If the user uses a biometric or picture password, it may not satisfy "deviceDefault". Option A (Secure Boot) is enabled.

Option D (Device encryption) is enabled. Option C (Code integrity) is enabled.

153
MCQ · medium

Your organization uses Microsoft Intune to manage iOS and Android devices. You have a compliance policy that requires a minimum OS version: iOS 16.0 and Android 12.0. You also have a Conditional Access policy that requires compliant devices. Several users report that they cannot access corporate email on their personal Android devices. The devices are Android 11.0. You need to allow these users to access email while ensuring that corporate data is protected. What should you do?

A. Remove the Conditional Access policy for these users.
B. Update the compliance policy to accept Android 11.0.
C. Create a Conditional Access policy that grants access but requires app protection policies and session controls.
D. Ask users to upgrade their devices to Android 12.0.
Answer: C

Allows access with data protection via app policies.

Why this answer

Option C is correct because you can grant access with a session control to limit access to web only, ensuring data protection while allowing access. Option B is wrong because changing the compliance policy would lower security. Option D is wrong because Conditional Access policies are still effective for managed devices.

Option A is wrong because excluding the users would remove all protection.

154
MCQ · hard

Refer to the exhibit. You deploy this endpoint protection configuration to a Windows 10 device. A user reports that they cannot connect to the device via RDP. What is the most likely cause?

A. The firewall rule 'Allow RDP' is configured to block traffic.
B. The firewall rule is for outbound traffic, not inbound.
C. The malware actions are blocking RDP traffic.
D. The firewall rule 'Allow RDP' is configured to allow traffic.
Answer: A

The action is 'block', preventing RDP connections.

Why this answer

Option A is correct because the firewall rule 'Allow RDP' is set to the 'block' action, which blocks inbound RDP traffic on port 3389. Option D is wrong because the action is block, not allow. Option B is wrong because the rule is for inbound, not outbound.

Option C is wrong because the malware actions do not affect RDP.

155
MCQ · medium

Your organization uses Microsoft Intune to manage Windows 11 devices. You need to deploy a custom PowerShell script that runs during enrollment to configure network settings. What should you use?

A. Device compliance policy
B. Device configuration profile with custom OMA-URI
C. PowerShell scripts in Microsoft Intune
D. Endpoint security policy
Answer: C

Intune has a dedicated 'PowerShell scripts' section for running scripts.

Why this answer

Intune supports custom scripts via the 'PowerShell scripts' feature under 'Device management'. Option C is correct because you can add a PowerShell script to run during enrollment or at scheduled times. Option A is incorrect because compliance policies do not run scripts.

Option B is incorrect because configuration profiles can include OMA-URI settings but not arbitrary scripts. Option D is incorrect because endpoint security policies do not run scripts.

156
MCQ · hard

Your company uses Microsoft Intune for device management. You need to configure a Windows 10 device restriction policy that blocks the use of the camera and microphone on all devices. Which settings should you configure?

A. Camera and Microphone
B. Bluetooth and Nearby Share
C. Copy and paste and Clipboard
D. Location and Messaging
Answer: A

These settings block the camera and microphone hardware.

Why this answer

Option A is correct because the 'Camera' and 'Microphone' settings under Device restrictions control these hardware features. Option B is wrong because 'Bluetooth' and 'Nearby Share' are different features. Option C is wrong because 'Copy and paste' and 'Clipboard' are data settings.

Option D is wrong because 'Location' and 'Messaging' are not related.

157
MCQ · easy

A company uses Microsoft Intune to manage Windows 11 devices. They want to ensure that only devices with a TPM 2.0 and Secure Boot enabled can access corporate resources in Microsoft Entra ID. What should they configure?

A. Configure Windows Hello for Business in Intune
B. Deploy an attack surface reduction rule in Microsoft Defender XDR
C. Use Windows Autopilot to enforce TPM and Secure Boot during provisioning
D. Create a Conditional Access policy that requires device compliance and a device compliance policy that checks TPM 2.0 and Secure Boot
Answer: D

Conditional Access with compliance policy enforces health requirements before access.

Why this answer

Option D is correct: Conditional Access with a device compliance policy is the standard method to enforce device health before granting access. Option A (Windows Hello for Business) is for passwordless authentication, not device health enforcement. Option B (Attack surface reduction) is a Defender policy for threat protection.

Option C (Autopilot) is for device provisioning, not access control.

158
Multi-Select · easy

Which TWO methods can be used to enroll Android devices in Microsoft Intune?

Select 2 answers
A. Apple Device Enrollment Program (DEP).
B. Android device administrator.
C. Android Enterprise corporate-owned work profile.
D. Android Enterprise fully managed.
E. Windows Autopilot.
Answers: B, C

Legacy method, still supported.

Why this answer

Options B and C are correct. Android Enterprise corporate-owned work profile is for company-owned devices, and Android device administrator (legacy) is also an option. Option A is wrong because iOS supervision is for iOS.

Option E is wrong because Windows Autopilot is for Windows. Option D is wrong because Android Enterprise fully managed is for corporate-owned devices with a single user, but work profile is also valid.

159
MCQ · hard

Your organization uses Microsoft Intune to manage Windows 11 devices. You notice that some devices are not receiving security updates even though update rings are assigned. What is the most likely cause?

A. Devices are noncompliant and blocked from receiving updates
B. Devices are not enrolled in Intune
C. Update ring policy has a deferral period configured that delays updates
D. Devices are not connected to the internet
Answer: C

Deferral periods can significantly delay update installation.

Why this answer

Option C is correct: Windows Update for Business deferral settings in update rings can delay or pause updates. Option A (Device compliance) doesn't block updates. Option D (Network connectivity) would affect all devices.

Option B (Enrollment): if assigned, the policy should apply.

160
MCQ · medium

Your company uses Microsoft Intune to manage iOS devices. You have an app protection policy that requires a PIN to access corporate data. Users report that they can access corporate data without entering a PIN after the first time. You want to ensure that the PIN is required every time the app is opened. What should you configure?

A. Set 'Require PIN to access' to 'Yes'.
B. Require device PIN instead of app PIN.
C. Set 'PIN reset after number of hours' to 0.
D. Set 'Timeout' to 1 minute.
Answer: C

0 forces PIN entry every time.

Why this answer

Option C is correct because setting the PIN reset to 'Number of hours' with a value of 0 forces PIN entry every time. Option A is wrong because access for work account is not the issue. Option D is wrong because timeout is for inactivity, not app reopen.

Option B is wrong because device PIN is separate from app PIN.

161
MCQ · medium

Your organization uses Microsoft Intune to manage iOS/iPadOS devices. You need to ensure that all devices have a passcode of at least 6 characters and that devices are updated to the latest iOS version. You create a compliance policy. After assigning the policy, some devices are marked as non-compliant even though they have a passcode. What is the most likely cause?

A. The devices have multiple compliance policies applied.
B. iOS devices do not support compliance policies.
C. The devices have not checked in with Intune since the policy was assigned.
D. The policy was assigned to a user group instead of a device group.
Answer: C

Devices need to check in to receive and report compliance status.

Why this answer

Option C is correct because compliance policies have a grace period; if the device hasn't checked in, it shows as non-compliant. Option B is wrong because Intune can enforce compliance on iOS. Option D is wrong because the policy can target iOS devices.

Option A is wrong because having multiple policies does not inherently cause non-compliance.

162
MCQ · medium

Your company uses Microsoft Intune to manage iOS devices. You need to ensure that corporate data in Microsoft 365 apps is protected even if a device is compromised. Which App Protection Policy setting should you configure?

A. Configure device compliance policy to require jailbreak detection.
B. Configure App Protection Policy with 'Restrict cut, copy, and paste' and 'Allow app to transfer data to other apps' set to Policy managed apps.
C. Configure device configuration profile to require device PIN.
D. Configure App Protection Policy to require app PIN.
Answer: B

This restricts data transfer to managed apps only.

Why this answer

Option B is correct because the 'Data transfer' settings control how data can be moved between apps, including preventing transfer to unmanaged apps. Option A is wrong because jailbreak detection is a device condition, not an app-level data protection. Option C is wrong because device PIN is a device-level policy.

Option D is wrong because app PIN is for access control, not data transfer.

163
MCQ · medium

Your organization uses Microsoft Intune to manage Windows 11 devices. You need to ensure that only devices with a Trusted Platform Module (TPM) version 2.0 and Secure Boot enabled can access corporate email. What should you configure?

A. Create a compliance policy with device health rules.
B. Configure Windows Hello for Business with TPM requirement.
C. Create a conditional access policy that requires compliant device.
D. Create a device configuration policy to enable Secure Boot.
Answer: A

Device health rules in compliance policies can require TPM and Secure Boot.

Why this answer

Compliance policies in Intune can check device health attestation, including TPM and Secure Boot. Option A is correct because a compliance policy with device health rules enforces these requirements. Option C is incorrect because conditional access policies apply after compliance.

Option D is incorrect because configuration policies do not enforce access. Option B is incorrect because Windows Hello for Business is for authentication, not device health.
