Back to Microsoft 365 Endpoint Administrator MD-102 questions

Scenario-based practice

Refer to the Exhibit Practice Questions

Practise Microsoft 365 Endpoint Administrator MD-102 practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

15
scenario questions
MD-102
exam code
Microsoft
vendor

Scenario guide

How to approach refer to the exhibit practice questions

Practise exhibit-style questions that ask you to read a topology, table, command output or diagram before choosing the best answer.

Quick answer

Exhibit-style questions test whether you can read a topology, command output, diagram or table before choosing the best answer.

How to extract the relevant detail from an exhibit.

How topology, command output or routing information affects the answer.

How to avoid answering from memory before reading the evidence.

How to map the exhibit back to the exam objective.

Related practice questions

Related MD-102 topic practice pages

Scenario questions usually connect to one or more exam topics. Use these links to review the underlying concepts behind the scenario.

Practice set

Practice scenarios

Question 1hardmultiple choice
Full question →

You are a Teams administrator. After running the PowerShell script shown in the exhibit, users report they cannot communicate with federated users from 'trusted.com'. What is the most likely cause?

Exhibit

Refer to the exhibit.
```
$session = New-CsOnlineSession -Verbose
Import-PSSession $session
Set-CsTenantFederationConfiguration -Identity Global -AllowFederatedUsers $true
Set-CsTenantFederationConfiguration -Identity Global -AllowPublicUsers $false
Set-CsTenantFederationConfiguration -Identity Global -BlockedDomains @{Add="suspicious.com"}
Set-CsTenantFederationConfiguration -Identity Global -AllowedDomains @{Add="trusted.com"}
Remove-CsOnlineSession $session
```
Question 2hardmultiple choice
Full question →

Refer to the exhibit. The JSON snippet shows the Azure AD Identity Protection MFA registration policy configuration for the Contoso tenant. A new user, Jane, joins the company and is assigned a license. Jane attempts to access the Azure portal and is prompted to register for MFA. She registers successfully. However, the next day, she is again prompted to register for MFA. What is the most likely cause?

Exhibit

Refer to the exhibit.

```json
{
  "identityProtection": {
    "mfaRegistrationPolicy": {
      "state": "enabled",
      "excludeUsers": ["admin@contoso.com"],
      "includeUsers": ["allUsers"],
      "policySettings": {
        "blockOnUnregister": false,
        "remindRegistrationInDays": 14
      }
    }
  }
}```
Question 3mediummultiple choice
Full question →

Refer to the exhibit. A Windows 10 device is showing as non-compliant. The compliance policy 'Require BitLocker' is assigned to all devices. The device does not have BitLocker enabled. However, the user is able to access corporate email on the device. What is the most likely reason for this?

Exhibit

Refer to the exhibit.

```
Device ID: 12345
Compliance Status: Non-compliant
Last Check-in: 2024-03-15 14:32:00

Policy assignments:
- Compliance Policy: 'Require BitLocker' (assigned to all devices)
- Configuration Profile: 'Device Restrictions' (assigned to group 'Sales')

Device details:
- OS: Windows 10 Pro 22H2
- BitLocker: Not enabled
- User: user@contoso.com
- Group membership: 'Sales' group
```
Question 4easymultiple choice
Full question →

An administrator runs the above PowerShell command on a Windows 10 device managed by Microsoft Defender for Endpoint. The device is reporting as healthy in the security console. Based on the output, which protection feature is disabled?

Exhibit

Refer to the exhibit.

```
PowerShell Output:

PS C:\> Get-MpComputerStatus | Select-Object AMServiceEnabled, AntivirusEnabled, RealTimeProtectionEnabled, IoavProtectionEnabled

AMServiceEnabled        : True
AntivirusEnabled        : True
RealTimeProtectionEnabled : False
IoavProtectionEnabled   : True
```
Question 5mediummultiple choice
Full question →

Refer to the exhibit. You are reviewing a JSON representation of a Microsoft Intune compliance policy for Windows 10. The policy is assigned to a group of devices running Windows 10 version 22H2 (build 22621). The devices are non-compliant due to the OS version. What is the most likely reason?

Exhibit

{
  "@odata.type": "#microsoft.graph.windows10CompliancePolicy",
  "description": "Windows 10 compliance policy",
  "passwordRequired": true,
  "passwordMinimumLength": 8,
  "passwordRequireToUnlockFromIdle": true,
  "passwordMinutesOfInactivityBeforeLock": 15,
  "osMinimumVersion": "10.0.19041.0",
  "osMaximumVersion": "10.0.22621.0",
  "storageRequireEncryption": true,
  "activeFirewallRequired": true,
  "validOperatingSystemBuildRanges": []
}
Question 6hardmultiple choice
Full question →

Refer to the exhibit. You run the Get-AutopilotInfo script on a new Surface Pro 7. The output shows DeviceState as 'Unknown' and AssignmentStatus as 'NotAssigned'. The device is connected to the internet. What should you do to prepare this device for Autopilot deployment?

Exhibit

Get-AutopilotInfo -Online

SerialNumber : ABC123
HardwareHash : 1234567890ABCDEF...
ProductName : Surface Pro 7
Manufacturer : Microsoft
DeviceState : AutopilotClientState = Unknown
AssignmentStatus : NotAssigned
Question 7mediummultiple choice
Full question →

Refer to the exhibit. You create a new update ring policy for Windows 10 devices. You assign the policy to a test group. After a week, you notice that no devices have installed any quality updates. Devices are online and enrolled. What is the most likely reason?

Exhibit

New-DeviceConfigurationPolicy -Name 'Windows Update Ring' -Windows10UpdateRing -FeatureUpdateDeferralInDays 60 -QualityUpdateDeferralInDays 0 -FeatureUpdatePauseStartDate $null -QualityUpdatePauseStartDate $null
Question 8mediummultiple choice
Full question →

Refer to the exhibit. You have a compliance policy for Windows 10 devices. A device reports as non-compliant with the reason 'TPM not found'. The device does have a TPM 2.0 chip but it is disabled in BIOS. What should you do to resolve the compliance issue?

Exhibit

{
  "@odata.type": "#microsoft.graph.windows10CompliancePolicy",
  "passwordRequired": true,
  "passwordMinimumLength": 6,
  "passwordRequiredType": "numeric",
  "requireDeviceEncryption": true,
  "firewallEnabled": true,
  "antivirusEnabled": true,
  "antispywareEnabled": true,
  "tpmRequired": true
}
Question 9hardmultiple choice
Full question →

Refer to the exhibit. You are reviewing a Win32 app configuration in Microsoft Intune. The app is not installing on some Windows 10 devices. Which is the most likely reason?

Exhibit

{
  "properties": {
    "displayName": "Win32 App Deployment",
    "description": "Deploy custom script",
    "publisher": "Contoso",
    "installExperience": "system",
    "requirementRule": {
      "@odata.type": "#microsoft.graph.win32LobAppRequirement",
      "operator": "greaterThanOrEqual",
      "value": "10.0.19041"
    },
    "detectionRule": {
      "@odata.type": "#microsoft.graph.win32LobAppDetection",
      "path": "C:\\Program Files\\Contoso\\App.exe",
      "fileOrFolderName": "App.exe",
      "check32BitOn64System": false
    },
    "installCommandLine": "setup.exe /silent",
    "uninstallCommandLine": "setup.exe /uninstall"
  }
}
Question 10mediummultiple choice
Full question →

Refer to the exhibit. You run the PowerShell command above to get a list of noncompliant devices. The output shows that some devices have a complianceGracePeriodExpirationDateTime in the past. What does this indicate?

Exhibit

Get-DeviceManagement_ManagedDevices | Where-Object {$_.complianceState -eq 'noncompliant'} | Select-Object deviceName, lastSyncDateTime, complianceGracePeriodExpirationDateTime
Question 11mediummultiple choice
Full question →

Refer to the exhibit. You run this PowerShell command to retrieve Windows devices. The output shows several devices with lastSyncDateTime older than 30 days and complianceState as 'noncompliant'. What is the most likely cause for these devices to be noncompliant?

Exhibit

Get-IntuneManagedDevice -Filter "operatingSystem eq 'Windows'" | Select-Object id, deviceName, lastSyncDateTime, complianceState
Question 12hardmultiple choice
Full question →

Refer to the exhibit. You see the following Intune device properties for a Windows device. The device is noncompliant and the grace period expires on 2025-02-20. Today is 2025-02-15. The compliance policy requires a minimum OS version of 10.0.19041 but the device is on 10.0.18363. What will happen if the device does not become compliant before the grace period expires?

Exhibit

{
  "deviceId": "12345",
  "deviceName": "CONTOSO-PC",
  "managedDeviceOwnerType": "company",
  "enrolledDateTime": "2025-01-15T10:00:00Z",
  "lastSyncDateTime": "2025-02-10T08:00:00Z",
  "operatingSystem": "Windows",
  "complianceState": "noncompliant",
  "complianceGracePeriodExpirationDateTime": "2025-02-20T10:00:00Z",
  "userPrincipalName": "user@contoso.com"
}
Question 13easymultiple choice
Full question →

Refer to the exhibit. You manage a Windows 11 device that is marked as compliant and has OS version 10.0.22621.0. You need to upgrade the device to Windows 11 version 23H2. Which Intune feature should you use?

Exhibit

{
  "deviceId": "67890",
  "deviceName": "SALES-LAPTOP",
  "operatingSystem": "Windows",
  "osVersion": "10.0.22621.0",
  "complianceState": "compliant",
  "lastSyncDateTime": "2025-03-01T12:00:00Z",
  "enrolledDateTime": "2025-02-01T09:00:00Z",
  "userPrincipalName": "sales@contoso.com"
}
Question 14mediummultiple choice
Full question →

Refer to the exhibit. You have the following compliance policy assigned to a Windows 10 device running version 10.0.22000.0. The device has a password of 8 characters and is encrypted. What is the compliance status of the device?

Exhibit

{
  "@odata.type": "#microsoft.graph.windows10CompliancePolicy",
  "passwordRequired": true,
  "passwordMinimumLength": 6,
  "passwordRequiredType": "deviceDefault",
  "passwordMinutesOfInactivityBeforeLock": 15,
  "passwordExpirationDays": 90,
  "passwordPreviousPasswordBlockCount": 5,
  "osMinimumVersion": "10.0.19041.0",
  "osMaximumVersion": "10.0.22621.0",
  "storageRequireEncryption": true
}
Question 15mediummultiple choice
Full question →

Refer to the exhibit. You have applied this compliance policy to a Windows 10 device running build 10.0.19044. The device meets all requirements except that the firewall is disabled. What will be the compliance status of the device?

Exhibit

{
  "@odata.type": "#microsoft.graph.windows10CompliancePolicy",
  "passwordRequired": true,
  "passwordMinimumLength": 6,
  "passwordRequiredType": "deviceDefault",
  "osMinimumVersion": "10.0.19041.0",
  "osMaximumVersion": "10.0.22621.0",
  "storageRequireEncryption": true,
  "activeFirewallRequired": true,
  "defenderEnabled": true
}

These MD-102 practice questions are part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style MD-102 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.