The answer is that the device is non-compliant because its OS version exceeds the maximum allowed version specified in the policy. In Microsoft Intune compliance policies, the "Maximum OS version" setting enforces an upper build limit; if a device’s OS build number is greater than the configured value, it is marked non-compliant regardless of meeting other conditions like password, firewall, or Defender status. Here, the device runs build 10.0.22621.100, which surpasses the policy’s maximum of 10.0.22621.0, triggering the non-compliance. On the MD-102 exam, this scenario tests your understanding that Intune treats OS version thresholds as strict boundaries—a common trap is assuming only minimum versions matter. Remember the memory tip: "Max means maximum—if you go over, you’re out." This concept is critical for managing OS version compliance policy in Intune, especially when rolling out updates to avoid untested builds.
MD-102 Manage and maintain devices Practice Question
This MD-102 practice question tests your understanding of manage and maintain devices. This is a configuration task: choose the command set that satisfies every stated requirement. Small differences — like 'secret' vs 'password' or 'transport input ssh' vs 'all' — change whether the answer is correct. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
Refer to the exhibit. You deploy this compliance policy to a Windows 11 device running OS version 10.0.22621.100. The device has a password set, firewall active, and Defender enabled. However, the device is marked as non-compliant. What is the most likely reason?
Clue words in this question
Noticing these words before you look at the options changes how you read each choice.
Clue: "most likely"
Why it matters: Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
✓
The OS version exceeds the maximum allowed version specified in the policy.
The device OS version 10.0.22621.100 exceeds the maximum OS version specified in the policy (10.0.22621.0). In Microsoft Intune compliance policies, the 'Maximum OS version' setting marks a device as non-compliant if the device's OS build number is greater than the specified value, even if all other conditions are met. This is a common configuration to prevent devices from running untested or incompatible OS builds.
Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
✗
The password length is exactly 8 characters, but the policy requires more than 8.
Why it's wrong here
The policy requires minimum 8, so 8 is acceptable.
✗
Microsoft Defender is not at the required version 4.18.2207.7.
Why it's wrong here
The device has Defender enabled; version is not evaluated for compliance unless specified.
✓
The OS version exceeds the maximum allowed version specified in the policy.
Why this is correct
The device build 22621.100 is greater than the maximum 22621.0, causing non-compliance.
Clue confirmation
The clue word "most likely" in the question point toward this answer.
Related concept
Read the scenario before looking for a memorised answer.
✗
The device does not have a password set.
Why it's wrong here
The stem states a password is set.
Common exam traps
Common exam trap: answer the scenario, not the keyword
The trap here is that candidates assume non-compliance is due to a missing or weak password or Defender version, overlooking that the OS version can be too high, not just too low.
Detailed technical explanation
How to think about this question
Intune compliance policies evaluate OS version using build numbers (e.g., 10.0.22621.100). The 'Maximum OS version' field is often used to block devices on preview or insider builds that may not be fully supported. When the device's build number exceeds the maximum, the device is flagged non-compliant regardless of other settings, and conditional access policies can block access to corporate resources until the OS is downgraded or the policy is updated.
KKey Concepts to Remember
Read the scenario before looking for a memorised answer.
Find the constraint that changes the correct option.
Eliminate answers that are true in general but not in this case.
TExam Day Tips
→Watch for words such as best, first, most likely and least administrative effort.
→Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Real-world example
How this comes up in practice
A healthcare organisation deploys an application with a public-facing web tier and a private database tier. The database subnet has no public IP and only accepts connections from the web tier's security group. Questions like this test whether you can design cloud network isolation using VNets/VPCs, subnets, and security group rules.
Related glossary terms
Concepts from this question explained
These glossary pages explain the core terms tested in this MD-102 question in full detail.
Manage and maintain devices — This question tests Manage and maintain devices — Read the scenario before looking for a memorised answer..
What is the correct answer to this question?
The correct answer is: The OS version exceeds the maximum allowed version specified in the policy. — The device OS version 10.0.22621.100 exceeds the maximum OS version specified in the policy (10.0.22621.0). In Microsoft Intune compliance policies, the 'Maximum OS version' setting marks a device as non-compliant if the device's OS build number is greater than the specified value, even if all other conditions are met. This is a common configuration to prevent devices from running untested or incompatible OS builds.
What should I do if I get this MD-102 question wrong?
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
Are there clue words in this question I should notice?
Yes — watch for: "most likely". Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.
What is the key concept behind this question?
Read the scenario before looking for a memorised answer.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →
These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.
Variation 1. Refer to the exhibit. You have created the compliance policy shown in JSON format. The policy is assigned to a group containing Windows 10 devices. A device running Windows 10 version 22H2 (build 22621.1) is showing as noncompliant. What is the most likely reason?
hard
A.The device does not have BitLocker encryption enabled.
B.The device does not have a password set.
✓ C.The device OS version exceeds the maximum allowed version.
D.The password type is not set to alphanumeric.
Why C: The compliance policy JSON specifies a maximum OS version of 10.0.22621.1555, but the device is running build 22621.1, which is lower than the maximum. However, the device is showing as noncompliant because the policy enforces a maximum OS version, and the device's OS version (22621.1) is actually below the minimum allowed version (which is not explicitly set but implied by the policy's version range logic). In Intune compliance policies, when a maximum OS version is specified, devices with an OS version greater than that maximum are marked noncompliant. Since the device's build 22621.1 is less than the maximum 22621.1555, the noncompliance must be due to the OS version being below the minimum allowed version (which is not shown in the exhibit but is a common configuration). The most likely reason is that the device OS version exceeds the maximum allowed version, as the policy's maximum version is set to 10.0.22621.1555 and the device's version 22621.1 is actually lower, but the policy may also have a minimum version requirement that the device does not meet. Given the options, the correct answer is C because the device's OS version (22621.1) is below the minimum version that is implicitly enforced by the policy's maximum version setting, causing noncompliance.
Variation 2. Refer to the exhibit. A compliance policy is defined for Windows 10 devices. What is the minimum OS version required?
easy
A.Windows 10 20H2
B.Windows 10 1903
C.Windows 10 21H2
✓ D.Windows 10 2004
Why D: Option B is correct. The JSON shows 'osMinimumVersion' set to '10.0.19041.0', which is Windows 10 version 2004. Option A is wrong because 1903 is 10.0.18362. Option C is wrong because 20H2 is 10.0.19042. Option D is wrong because 21H2 is 10.0.19044.
Last reviewed: Jun 24, 2026
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
This MD-102 practice question is part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the MD-102 exam.
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
Sign in to join the discussion.