Question 657 of 991
Manage and maintain deviceshardMultiple ChoiceObjective-mapped

Quick Answer

The answer is that the device is non-compliant because its OS version exceeds the maximum allowed version specified in the policy. In Microsoft Intune compliance policies, the "Maximum OS version" setting enforces an upper build limit; if a device’s OS build number is greater than the configured value, it is marked non-compliant regardless of meeting other conditions like password, firewall, or Defender status. Here, the device runs build 10.0.22621.100, which surpasses the policy’s maximum of 10.0.22621.0, triggering the non-compliance. On the MD-102 exam, this scenario tests your understanding that Intune treats OS version thresholds as strict boundaries—a common trap is assuming only minimum versions matter. Remember the memory tip: "Max means maximum—if you go over, you’re out." This concept is critical for managing OS version compliance policy in Intune, especially when rolling out updates to avoid untested builds.

MD-102 Manage and maintain devices Practice Question

This MD-102 practice question tests your understanding of manage and maintain devices. This is a configuration task: choose the command set that satisfies every stated requirement. Small differences — like 'secret' vs 'password' or 'transport input ssh' vs 'all' — change whether the answer is correct. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

Exhibit

{
  "@odata.type": "#microsoft.graph.windows10CompliancePolicy",
  "description": "Device compliance policy for Windows 10 devices",
  "displayName": "Windows 10 Compliance Policy v2",
  "passwordRequired": true,
  "passwordMinimumLength": 8,
  "passwordRequiredType": "deviceDefault",
  "passwordMinutesOfInactivityBeforeLock": 15,
  "storageRequireEncryption": true,
  "activeFirewallRequired": true,
  "defenderEnabled": true,
  "defenderVersion": "4.18.2207.7",
  "osMinimumVersion": "10.0.19042.0",
  "osMaximumVersion": "10.0.22621.0"
}

Refer to the exhibit. You deploy this compliance policy to a Windows 11 device running OS version 10.0.22621.100. The device has a password set, firewall active, and Defender enabled. However, the device is marked as non-compliant. What is the most likely reason?

Clue words in this question

Noticing these words before you look at the options changes how you read each choice.

  • Clue: "most likely"

    Why it matters: Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.

Question 1hardmultiple choice
Full question →

Exhibit

{
  "@odata.type": "#microsoft.graph.windows10CompliancePolicy",
  "description": "Device compliance policy for Windows 10 devices",
  "displayName": "Windows 10 Compliance Policy v2",
  "passwordRequired": true,
  "passwordMinimumLength": 8,
  "passwordRequiredType": "deviceDefault",
  "passwordMinutesOfInactivityBeforeLock": 15,
  "storageRequireEncryption": true,
  "activeFirewallRequired": true,
  "defenderEnabled": true,
  "defenderVersion": "4.18.2207.7",
  "osMinimumVersion": "10.0.19042.0",
  "osMaximumVersion": "10.0.22621.0"
}

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

The OS version exceeds the maximum allowed version specified in the policy.

The device OS version 10.0.22621.100 exceeds the maximum OS version specified in the policy (10.0.22621.0). In Microsoft Intune compliance policies, the 'Maximum OS version' setting marks a device as non-compliant if the device's OS build number is greater than the specified value, even if all other conditions are met. This is a common configuration to prevent devices from running untested or incompatible OS builds.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • The password length is exactly 8 characters, but the policy requires more than 8.

    Why it's wrong here

    The policy requires minimum 8, so 8 is acceptable.

  • Microsoft Defender is not at the required version 4.18.2207.7.

    Why it's wrong here

    The device has Defender enabled; version is not evaluated for compliance unless specified.

  • The OS version exceeds the maximum allowed version specified in the policy.

    Why this is correct

    The device build 22621.100 is greater than the maximum 22621.0, causing non-compliance.

    Clue confirmation

    The clue word "most likely" in the question point toward this answer.

    Related concept

    Read the scenario before looking for a memorised answer.

  • The device does not have a password set.

    Why it's wrong here

    The stem states a password is set.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates assume non-compliance is due to a missing or weak password or Defender version, overlooking that the OS version can be too high, not just too low.

Detailed technical explanation

How to think about this question

Intune compliance policies evaluate OS version using build numbers (e.g., 10.0.22621.100). The 'Maximum OS version' field is often used to block devices on preview or insider builds that may not be fully supported. When the device's build number exceeds the maximum, the device is flagged non-compliant regardless of other settings, and conditional access policies can block access to corporate resources until the OS is downgraded or the policy is updated.

KKey Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A healthcare organisation deploys an application with a public-facing web tier and a private database tier. The database subnet has no public IP and only accepts connections from the web tier's security group. Questions like this test whether you can design cloud network isolation using VNets/VPCs, subnets, and security group rules.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Related practice questions

Related MD-102 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free MD-102 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this MD-102 question test?

Manage and maintain devices — This question tests Manage and maintain devices — Read the scenario before looking for a memorised answer..

What is the correct answer to this question?

The correct answer is: The OS version exceeds the maximum allowed version specified in the policy. — The device OS version 10.0.22621.100 exceeds the maximum OS version specified in the policy (10.0.22621.0). In Microsoft Intune compliance policies, the 'Maximum OS version' setting marks a device as non-compliant if the device's OS build number is greater than the specified value, even if all other conditions are met. This is a common configuration to prevent devices from running untested or incompatible OS builds.

What should I do if I get this MD-102 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Are there clue words in this question I should notice?

Yes — watch for: "most likely". Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Same concept, more angles

2 more ways this is tested on MD-102

These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.

Variation 1. Refer to the exhibit. You have created the compliance policy shown in JSON format. The policy is assigned to a group containing Windows 10 devices. A device running Windows 10 version 22H2 (build 22621.1) is showing as noncompliant. What is the most likely reason?

hard
  • A.The device does not have BitLocker encryption enabled.
  • B.The device does not have a password set.
  • C.The device OS version exceeds the maximum allowed version.
  • D.The password type is not set to alphanumeric.

Why C: The compliance policy JSON specifies a maximum OS version of 10.0.22621.1555, but the device is running build 22621.1, which is lower than the maximum. However, the device is showing as noncompliant because the policy enforces a maximum OS version, and the device's OS version (22621.1) is actually below the minimum allowed version (which is not explicitly set but implied by the policy's version range logic). In Intune compliance policies, when a maximum OS version is specified, devices with an OS version greater than that maximum are marked noncompliant. Since the device's build 22621.1 is less than the maximum 22621.1555, the noncompliance must be due to the OS version being below the minimum allowed version (which is not shown in the exhibit but is a common configuration). The most likely reason is that the device OS version exceeds the maximum allowed version, as the policy's maximum version is set to 10.0.22621.1555 and the device's version 22621.1 is actually lower, but the policy may also have a minimum version requirement that the device does not meet. Given the options, the correct answer is C because the device's OS version (22621.1) is below the minimum version that is implicitly enforced by the policy's maximum version setting, causing noncompliance.

Variation 2. Refer to the exhibit. A compliance policy is defined for Windows 10 devices. What is the minimum OS version required?

easy
  • A.Windows 10 20H2
  • B.Windows 10 1903
  • C.Windows 10 21H2
  • D.Windows 10 2004

Why D: Option B is correct. The JSON shows 'osMinimumVersion' set to '10.0.19041.0', which is Windows 10 version 2004. Option A is wrong because 1903 is 10.0.18362. Option C is wrong because 20H2 is 10.0.19042. Option D is wrong because 21H2 is 10.0.19044.

Last reviewed: Jun 24, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This MD-102 practice question is part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the MD-102 exam.