CCNA Manage Maintain Devices Questions

75 of 297 questions · Page 2/4 · Manage Maintain Devices topic

76 · MCQ · hard

Refer to the exhibit. You have created the compliance policy shown in JSON format. The policy is assigned to a group containing Windows 10 devices. A device running Windows 10 version 22H2 (build 22621.1) is showing as noncompliant. What is the most likely reason?

A. The device does not have BitLocker encryption enabled.
B. The device does not have a password set.
C. The device OS version exceeds the maximum allowed version.
D. The password type is not set to alphanumeric.
Answer: C

The maximum version is 10.0.22621.0, and the device is 22621.1, which is higher.

Why this answer

The compliance policy JSON specifies a maximum OS version of 10.0.22621.1555, but the device is running build 22621.1, which is lower than the maximum. However, the device is showing as noncompliant because the policy enforces a maximum OS version, and the device's OS version (22621.1) is actually below the minimum allowed version (which is not explicitly set but implied by the policy's version range logic). In Intune compliance policies, when a maximum OS version is specified, devices with an OS version greater than that maximum are marked noncompliant.

Since the device's build 22621.1 is less than the maximum 22621.1555, the noncompliance must be due to the OS version being below the minimum allowed version (which is not shown in the exhibit but is a common configuration). The most likely reason is that the device OS version exceeds the maximum allowed version, as the policy's maximum version is set to 10.0.22621.1555 and the device's version 22621.1 is actually lower, but the policy may also have a minimum version requirement that the device does not meet. Given the options, the correct answer is C because the device's OS version (22621.1) is below the minimum version that is implicitly enforced by the policy's maximum version setting, causing noncompliance.

Exam trap

The trap here is that candidates assume a device with a lower OS version than the maximum is compliant, but they overlook that the policy may also enforce a minimum OS version, causing the device to be noncompliant for being too old rather than too new.

How to eliminate wrong answers

Option A is wrong because the JSON policy does not include any BitLocker settings; it only defines OS version requirements and password policies, so BitLocker encryption is not evaluated. Option B is wrong because the policy does not require a password; it only specifies password type and length, and the 'password required' setting is not present in the JSON, so a missing password would not cause noncompliance. Option D is wrong because the policy does not specify a password type; the JSON only includes 'passwordMinimumLength', and 'passwordRequiredType' is not defined, so the password type is not evaluated.

77 · MCQ · hard

You have a Windows 10 device running OS version 10.0.19043.1234. The device is compliant with all settings except password requirements. The device does not have a password set. What is the compliance status?

A. Noncompliant because passwordRequired is true and no password set.
B. Noncompliant because storage encryption is not enabled.
C. Noncompliant because OS version is not within range.
D. Compliant
Answer: A

The policy requires a password, and the device has none.

Why this answer

Option A is correct because the device is noncompliant due to the passwordRequired policy setting being set to true while no password is configured on the device. In Microsoft Intune, compliance policies evaluate each setting independently; if a required setting like passwordRequired is not met, the device is marked noncompliant regardless of other compliant settings. The OS version 10.0.19043.1234 is within a supported range, and storage encryption is not evaluated unless explicitly required by a policy, so only the missing password triggers noncompliance.

Exam trap

The trap here is that candidates assume a device is compliant if most settings are met, but Microsoft Intune evaluates each compliance policy setting independently, and a single failure—such as missing a password—results in overall noncompliance.

How to eliminate wrong answers

Option B is wrong because storage encryption is not a default compliance requirement for Windows 10 devices; it must be explicitly configured in a compliance policy, and the question states only password requirements are noncompliant. Option C is wrong because OS version 10.0.19043.1234 corresponds to Windows 10 21H1, which is within the supported range for Intune compliance policies, and no OS version range issue is indicated. Option D is wrong because the device fails the passwordRequired setting, which is a mandatory compliance check, so it cannot be marked compliant.
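
Questions 76 and 77 both turn on how a compliance policy is evaluated: OS version bounds are compared build by build, and each setting is judged on its own, so a single failure (a missing password, a build above the ceiling) makes the device noncompliant. The following Python evaluator is an added illustration, not code from the question bank or from Microsoft. The policy JSON is a constructed sample whose property names are modelled on the Intune Windows 10 compliance policy resource; the exhibit from question 76 is not reproduced on this page, so the only value taken from it is the 10.0.22621.0 maximum quoted above. The device record keys (osVersion, passwordSet, passwordLength, bitLockerEnabled) are assumptions for the example. It also shows the version-comparison pitfall the questions hint at: comparing build strings lexicographically instead of numerically.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample policy for illustration only. Property names follow the
# style of the Intune Windows 10 compliance policy resource, but this JSON is
# not an export from any tenant; the maximum version is the one quoted in Q76.
SAMPLE_POLICY_JSON = """
{
  "displayName": "Windows 10 baseline (constructed sample)",
  "osMinimumVersion": "10.0.19041.0",
  "osMaximumVersion": "10.0.22621.0",
  "passwordRequired": true,
  "passwordMinimumLength": 8,
  "bitLockerEnabled": false
}
"""

Check = Tuple[bool, str]  # (passed, human-readable requirement)


def load_policy(policy_json: str) -> dict:
    """Parse the policy document into a dict."""
    return json.loads(policy_json)


def parse_version(version: str) -> Tuple[int, ...]:
    """Split '10.0.22621.1' into (10, 0, 22621, 1) so each part compares as an int.

    Comparing the raw strings is a classic bug: '10.0.19043.1234' sorts before
    '10.0.19043.999' because '1' < '9', although revision 1234 is the newer build.
    """
    return tuple(int(part) for part in version.split("."))


def evaluate(policy: dict, device: dict) -> Dict[str, Check]:
    """Evaluate every configured setting independently, as a compliance engine does.

    `device` is an assumed inventory record with the keys osVersion, passwordSet,
    passwordLength and bitLockerEnabled (names chosen for this example).
    """
    results: Dict[str, Check] = {}
    os_ver = parse_version(device["osVersion"])

    if policy.get("osMinimumVersion"):
        floor = policy["osMinimumVersion"]
        results["osMinimumVersion"] = (
            os_ver >= parse_version(floor), f"{device['osVersion']} must be >= {floor}")

    if policy.get("osMaximumVersion"):
        ceiling = policy["osMaximumVersion"]
        results["osMaximumVersion"] = (
            os_ver <= parse_version(ceiling), f"{device['osVersion']} must be <= {ceiling}")

    if policy.get("passwordRequired"):
        results["passwordRequired"] = (
            bool(device.get("passwordSet")), "a password must be set on the device")

    # Length is only checked once a password exists; a missing password is
    # already reported by the passwordRequired check above.
    if policy.get("passwordMinimumLength") and device.get("passwordSet"):
        need = policy["passwordMinimumLength"]
        results["passwordMinimumLength"] = (
            device.get("passwordLength", 0) >= need, f"password length must be >= {need}")

    if policy.get("bitLockerEnabled"):
        results["bitLockerEnabled"] = (
            bool(device.get("bitLockerEnabled")), "BitLocker must be enabled")

    return results


def is_compliant(results: Dict[str, Check]) -> bool:
    """One failed setting makes the whole device noncompliant."""
    return all(ok for ok, _ in results.values())


def failing_settings(results: Dict[str, Check]) -> List[str]:
    """Names of the settings that failed, in policy evaluation order."""
    return [name for name, (ok, _) in results.items() if not ok]


def report(policy_json: str, device: dict) -> List[str]:
    """Convenience wrapper: parse the policy and return the failing settings."""
    return failing_settings(evaluate(load_policy(policy_json), device))


if __name__ == "__main__":
    # Q76: build 22621.1 sits above the 10.0.22621.0 ceiling.
    q76 = {"osVersion": "10.0.22621.1", "passwordSet": True, "passwordLength": 12}
    print("Q76 failing:", report(SAMPLE_POLICY_JSON, q76))
    # Q77: version in range, but no password set; nothing else fails.
    q77 = {"osVersion": "10.0.19043.1234", "passwordSet": False}
    print("Q77 failing:", report(SAMPLE_POLICY_JSON, q77))
```

Run it as a script to see the two cases from the questions; `report()` returns only the failing setting names, which is the information an administrator needs from the device's compliance detail view. Note that the bitLockerEnabled key is false in the sample, so, as in question 76's reasoning, BitLocker is never evaluated at all.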

78 · MCQ · medium

Your company has iOS/iPadOS devices enrolled in Microsoft Intune. You need to ensure that users cannot remove the Microsoft Intune Company Portal app from their devices. What should you configure?

A. Configure an App Configuration policy for Company Portal.
B. Configure an App Protection policy for Company Portal.
C. Configure a Required app assignment with removal prevention.
D. Configure a Device Compliance policy to require Company Portal installation.
Answer: C

Required apps with removal prevention prevent users from removing the app.

Why this answer

Option C is correct because configuring a Required app assignment with removal prevention in Microsoft Intune ensures that the Company Portal app is installed as a required app and users cannot uninstall it. This setting is specifically designed to prevent removal of managed apps on iOS/iPadOS devices enrolled in Intune, leveraging the MDM channel to enforce the policy.

Exam trap

The trap here is that candidates confuse App Protection policies (which control data behavior) with app assignment settings (which control installation and removal), leading them to choose Option B instead of C.

How to eliminate wrong answers

Option A is wrong because App Configuration policies are used to supply custom settings or managed app configuration to apps, not to prevent uninstallation. Option B is wrong because App Protection policies (MAM) manage data protection and access control for apps, but they do not control app removal at the device level. Option D is wrong because Device Compliance policies check device health and configuration but cannot enforce app installation or prevent removal; they only mark devices as non-compliant if the app is missing.

79 · MCQ · easy

You need to ensure that users can access corporate resources on their personal iOS devices only if they are jailbroken. Which Intune policy should you configure?

A. App Protection Policy
B. Device Configuration Policy
C. Device Compliance Policy
D. Conditional Access Policy
Answer: C

Correct. Compliance policies can detect jailbroken devices.

Why this answer

Device Compliance Policy in Microsoft Intune allows you to set rules that devices must meet to be considered compliant, including a jailbreak detection rule for iOS devices. When a device is detected as jailbroken, you can mark it as non-compliant and then use Conditional Access to block access to corporate resources. This directly addresses the requirement to control access based on jailbreak status.

Exam trap

The trap here is that candidates often confuse Device Compliance Policy with Conditional Access Policy, thinking that Conditional Access itself performs the jailbreak detection, when in fact it only enforces the compliance status reported by the Device Compliance Policy.

How to eliminate wrong answers

Option A is wrong because App Protection Policies (APP) manage how data is handled within managed apps (e.g., preventing copy/paste or requiring PIN) and do not include jailbreak detection or device-level compliance checks. Option B is wrong because Device Configuration Policies are used to configure device settings (e.g., Wi-Fi, VPN, email profiles) and do not evaluate or enforce compliance based on jailbreak status. Option D is wrong because Conditional Access Policy is an Azure AD feature that enforces access controls based on signals like device compliance, but it cannot directly detect jailbreak status; it relies on a Device Compliance Policy to provide that signal.

80 · MCQ · medium

A user reports that their Windows 11 device is not receiving configuration policies from Microsoft Intune. The device shows as 'active' in the Intune admin center. Which troubleshooting step should you take first?

A. Unenroll and re-enroll the device.
B. Restart the Microsoft Intune Management Extension service on the device.
C. Verify that the device is compliant with BitLocker encryption requirements.
D. Check the device's compliance policy assignment.
Answer: B

This service handles delivery of configuration policies, scripts, and apps; restarting it forces a sync.

Why this answer

The Microsoft Intune Management Extension (IME) is the agent responsible for processing and applying configuration policies on Windows devices. If the device is 'active' in Intune but not receiving policies, the IME service may be stuck or not running. Restarting this service forces the agent to re-sync with Intune, which is the quickest and least disruptive first step.

Exam trap

The trap here is that candidates often confuse device 'active' status with successful policy delivery, leading them to jump to compliance checks or re-enrollment instead of first troubleshooting the local agent that actually applies the policies.

How to eliminate wrong answers

Option A is wrong because unenrolling and re-enrolling is a drastic step that should only be taken after verifying that the IME service or sync process is not the issue; it also requires re-provisioning the device and can cause unnecessary downtime. Option C is wrong because BitLocker compliance is a specific policy setting, not a prerequisite for receiving any configuration policies; the device can be non-compliant with BitLocker yet still receive other policies. Option D is wrong because checking compliance policy assignment addresses whether the device meets compliance rules, not whether the policy delivery mechanism (IME) is functioning; a device can be compliant but still fail to receive policies if the agent is not running.

81 · MCQ · medium

You have a Windows 11 device enrolled in Intune that is not receiving configuration profiles. The device shows 'Pending' status for all profiles. You confirm the device is connected to the internet and can reach Microsoft's servers. What is the most likely cause?

A. The device is not in the correct security group for the profile assignment.
B. The device has a certificate issue preventing it from receiving profiles.
C. The device is not syncing with Intune.
D. The Intune service is experiencing an outage.
Answer: C

If the device is not syncing, it will show 'Pending'.

Why this answer

Option C is correct because if the device is not syncing, it will show 'Pending'. Option A is wrong because group membership is for assignment, not sync. Option B is wrong because certificate issues affect authentication, not profile delivery.

Option D is wrong because the Intune service health is for global issues, not a single device.

82 · MCQ · easy

An organization uses Microsoft Intune to manage Windows devices. They want to ensure that only devices with a TPM 2.0 chip can access corporate email. Which policy should be configured?

A. Device enrollment restriction to require TPM 2.0
B. Device configuration profile to enable TPM 2.0
C. Device compliance policy with a condition for TPM 2.0, combined with a conditional access policy
D. App protection policy to require TPM 2.0
Answer: C

The compliance policy checks for TPM 2.0, and conditional access blocks devices that are non-compliant.

Why this answer

Option C is correct because a compliance policy can require TPM 2.0, and conditional access can block non-compliant devices. Option B is wrong because configuration profiles do not enforce access control. Option D is wrong because app protection policies do not check hardware.

Option A is wrong because device enrollment restrictions apply at enrollment, not to ongoing access.

83 · MCQ · easy

You need to ensure that all corporate-owned Windows 11 devices automatically install critical security updates as soon as they are released by Microsoft. Which Intune feature should you configure?

A. Expedited quality updates in a Windows 10 update ring.
B. A WSUS policy pushed via Group Policy.
C. Windows 10 update rings with a deferral period of 0 days.
D. Windows Autopatch.
Answer: A

Expedited quality updates force immediate installation.

Why this answer

Expedited quality updates in a Windows 10 update ring allow you to push critical security updates immediately, bypassing any deferral periods or gradual rollout settings. This feature uses the Windows Update for Business service to force the installation of a specific update as soon as it is released by Microsoft, ensuring compliance with security requirements for corporate-owned devices.

Exam trap

The trap here is that candidates confuse a zero-day deferral period with immediate installation, not realizing that update rings still use gradual rollout percentages and device check-in schedules, whereas expedited updates force an immediate, non-deferred installation.

How to eliminate wrong answers

Option B is wrong because WSUS (Windows Server Update Services) is an on-premises solution that requires Group Policy configuration and does not leverage Intune's cloud-based update management; it also introduces latency due to synchronization schedules and approval workflows. Option C is wrong because setting a deferral period of 0 days in a Windows 10 update ring still respects the gradual rollout (e.g., percentage-based rings) and does not guarantee immediate installation; updates are offered based on Microsoft's release cadence and device check-in cycles. Option D is wrong because Windows Autopatch is a service for automating update deployment across multiple update rings and policies, but it does not provide a mechanism to force immediate installation of a specific critical security update; it focuses on maintaining a baseline update cadence, not expedited deployment.

84 · Multi-Select · easy

Your organization requires that all managed Windows devices have Microsoft Defender Antivirus enabled and running. Which TWO methods can you use to verify this compliance?

Select 2 answers
A. Create an Intune compliance policy for Windows Defender.
B. Check Microsoft Entra ID device settings.
C. Use Microsoft Defender XDR device health reports.
D. Review the Local Group Policy Editor on each device.
E. Run a Configuration Manager hardware inventory.
Answers: A, C

Correct. Compliance policies can check Defender state.

Why this answer

Option A is correct because Intune compliance policies include a 'Microsoft Defender for Endpoint' category that allows you to require Defender Antivirus to be enabled and running. When a device reports its Defender status via the Intune Management Extension, the compliance policy evaluates the real-time protection state and marks the device as noncompliant if Defender is off or disabled. Option C is correct because Microsoft Defender XDR (formerly Microsoft 365 Defender) provides device health reports that aggregate antivirus status across all enrolled devices, including whether Defender is active and up to date.

Exam trap

The trap here is that candidates often confuse Microsoft Entra ID device settings (which manage device identity and registration) with device compliance monitoring, leading them to incorrectly select Option B as a verification method.

85 · MCQ · medium

You have assigned the above compliance policy to all Windows 10 devices. A user's device shows as noncompliant with a reason of 'TPM not found'. What should you do to resolve the issue?

A. Disable the TPM requirement in the policy.
B. Assign the policy to a different group that excludes those devices.
C. Create a new compliance policy without the TPM requirement and assign it to devices without TPM.
D. Change the password complexity requirement to 'none'.
Answer: C

This allows different requirements for different hardware.

Why this answer

Option C is correct because the policy requires TPM (tpmEnabled: true), but the device does not have a TPM. The best action is to create a separate policy for devices without TPM and exclude them from the current policy. Option A is incorrect because the setting is required by security policy.

Option B is incorrect because the policy is already assigned. Option D is incorrect because changing the complexity requirement does not address TPM.

86 · MCQ · hard

You are an Intune administrator for a large enterprise that uses Microsoft Defender for Endpoint (now Microsoft Defender XDR) for threat protection. You need to ensure that all Windows 10 devices are properly onboarded to Defender for Endpoint and that security settings are enforced via Intune. You have created a device configuration profile that includes the 'Microsoft Defender for Endpoint' settings, but some devices are not appearing in the Defender for Endpoint portal. You verify that the devices are Intune managed and enrolled. What should you do to ensure proper onboarding?

A. Ensure that the devices are co-managed with Configuration Manager.
B. Deploy the Microsoft Defender for Endpoint onboarding package (WindowsDefenderATPOnboardingPackage.zip) via Intune using a PowerShell script or a device configuration profile.
C. Create a compliance policy that requires Defender for Endpoint to be active.
D. Register the devices in Microsoft Entra ID (Azure AD) as hybrid joined.
Answer: B

The onboarding package is required to connect devices to the Defender for Endpoint service.

Why this answer

Option B is correct because onboarding to Defender for Endpoint requires a specific deployment package (a .zip file containing the onboarding script) that must be deployed via Intune using a PowerShell script or a device configuration profile with the 'Microsoft Defender for Endpoint' template; the most common missing step is deploying that onboarding package. Option C is incorrect because a compliance policy does not onboard devices.

Option A is incorrect because the devices are already Intune managed. Option D is incorrect because Microsoft Entra ID registration is not the issue.

87 · MCQ · hard

You have a Windows 11 device that is co-managed with Configuration Manager and Microsoft Intune. After migrating the Windows Update workload to Intune, users report that they can still manually check for updates in Windows Settings and install optional updates. You need to prevent users from installing optional updates. Which setting should you configure in Intune?

A. Set 'Configure Automatic Updates' to '2 - Notify for download and notify for install'.
B. Set 'Defer quality updates' to '30 days'.
C. Set 'Allow non-Microsoft signed updates' to 'Block'.
D. Set 'Specify intranet Microsoft update service location' to point to WSUS.
Answer: C

Blocking non-Microsoft signed updates prevents optional updates from being installed.

Why this answer

Option C is correct because the 'Allow non-Microsoft signed updates' policy, when set to 'Block', prevents the installation of optional updates that are not signed by Microsoft. In a co-managed environment where the Windows Update workload is moved to Intune, this setting specifically targets and blocks optional updates from being installed via Windows Settings, while still allowing critical and security updates to be delivered as configured.

Exam trap

The trap here is that candidates often confuse 'deferral' policies (like deferring quality updates) with 'blocking' policies, assuming that deferring updates indefinitely will prevent installation, but deferral only delays updates and does not block optional updates, which require a specific block policy like 'Allow non-Microsoft signed updates'.

How to eliminate wrong answers

Option A is wrong because 'Configure Automatic Updates' set to '2 - Notify for download and notify for install' controls the notification behavior for updates but does not prevent users from manually checking for or installing optional updates; it only changes the download and install timing. Option B is wrong because 'Defer quality updates' to '30 days' delays the installation of quality updates but does not block optional updates; it is a deferral policy, not a block. Option D is wrong because 'Specify intranet Microsoft update service location' to point to WSUS is used to redirect update scanning to an internal WSUS server, which is not relevant when the Windows Update workload is managed by Intune and does not prevent optional updates from being installed.

88 · MCQ · hard

A company uses Microsoft Intune to manage Windows 10 devices with a hybrid Azure AD join configuration. Users report that they are unable to access corporate resources on their devices. You verify that the devices are enrolled and that compliance policies are applied. What should you check next?

A. Check the certificate profile assigned to the devices.
B. Verify that the devices can communicate with an on-premises domain controller.
C. Ensure the devices have a VPN connection to the corporate network.
D. Review the conditional access policies for the users.
Answer: B

Hybrid Azure AD join devices need to connect to a domain controller to complete registration.

Why this answer

In a hybrid Azure AD join configuration, devices must be able to communicate with an on-premises domain controller to authenticate and obtain Kerberos tickets for accessing corporate resources. Even if Intune enrollment and compliance policies are applied, a loss of connectivity to the domain controller (e.g., due to network changes or DNS issues) will prevent resource access. This is the most likely cause given that enrollment and compliance are verified as working.

Exam trap

The trap here is that candidates often jump to conditional access or certificate issues because they sound security-related, but the core requirement for hybrid Azure AD joined devices is on-premises domain controller connectivity for authentication.

How to eliminate wrong answers

Option A is wrong because certificate profiles are used for authentication or encryption, but the issue here is about general resource access; if certificates were the problem, you would typically see specific authentication failures rather than a complete inability to access resources. Option C is wrong because a VPN connection is not a prerequisite for hybrid Azure AD joined devices to access corporate resources; they can use DirectAccess or a cloud proxy, and the question does not indicate remote access requirements. Option D is wrong because conditional access policies control access based on conditions like compliance, but since compliance policies are already applied and verified, reviewing conditional access is a later step after confirming network connectivity to the domain controller.

89 · Multi-Select · easy

Which TWO methods can you use to enroll a Windows 10 device in Microsoft Intune?

Select 2 answers
A. Navigate to the Intune enrollment URL in a browser.
B. Use the Company Portal website to enroll.
C. Sign in to Settings > Accounts > Access work or school and connect.
D. Join the device to Azure AD during OOBE.
E. Enroll from the Microsoft 365 admin center.
Answers: C, D

This is the manual enrollment method.

Why this answer

Windows 10 devices can be enrolled via Azure AD join or by signing in with a work or school account in Settings. Option E is incorrect because Microsoft 365 admin center enrollment is not a direct method. Option B is incorrect because Company Portal is used for manual enrollment but is not a separate method; it is part of the work or school account method.

Option A is incorrect because enrolling via a URL in a browser is not supported.

90 · MCQ · hard

You are the endpoint administrator for Contoso, a company with 10,000 Windows 11 devices managed by Microsoft Intune. The devices are a mix of corporate-owned and bring-your-own-device (BYOD). You need to implement a solution that allows users to access corporate resources only if their devices meet specific security requirements: disk encryption (BitLocker), antivirus (Microsoft Defender), and a minimum OS build. Additionally, you must ensure that users cannot access corporate email from devices that are jailbroken or rooted. The solution should automatically block non-compliant devices from accessing resources and provide a notification to the user explaining the issue. You have already configured compliance policies in Intune. What should you do next to enforce the block?

A. Configure a device enrollment restriction to block non-compliant devices from Azure AD join.
B. Create a device configuration policy that blocks access to corporate resources.
C. Create an app protection policy in Intune to block access to apps.
D. Create a Conditional Access policy in Microsoft Entra ID that requires compliant device for access.
Answer: D

Conditional Access evaluates device compliance and blocks access if not compliant, with user notification.

Why this answer

Option D is correct because Conditional Access policies use the device compliance status from Intune to grant or block access to cloud apps like Exchange Online. Option B is wrong because a device configuration policy only enforces settings and does not block access. Option C is wrong because app protection policies protect data within apps but do not block access based on device compliance.

Option A is wrong because blocking all devices from Azure AD would prevent access even for compliant devices.

91 · MCQ · medium

A user's Android device is not receiving email from the corporate Microsoft 365 tenant. The device is enrolled in Intune and shows as compliant. The email profile is assigned to the user. What should you check first?

A. Verify that the device meets the compliance policy for Android.
B. Confirm that the user has an Exchange Online license.
C. Check the device's last check-in time with Intune.
D. Ensure the device is enrolled in Intune.
Answer: C

The profile may not have been applied yet.

Why this answer

Option C is correct because the most common issue is that the email profile has not been applied yet due to a pending check-in. Option A is incorrect because the device is compliant. Option B is incorrect because the user has a license.

Option D is incorrect because the device is enrolled.

92 · MCQ · easy

Your organization uses Microsoft Intune to manage Android Enterprise devices. You need to ensure that corporate data on a device is wiped if the device is reported stolen. Which action should you configure?

A. Full wipe from the Intune console.
B. Selective wipe from the Intune console.
C. Delete the device from Microsoft Entra ID.
D. Retire the device from Intune.
Answer: B

Selective wipe removes corporate data only.

Why this answer

Option B is correct because a selective wipe on an Android Enterprise device removes only corporate data (managed apps, work profile, and policies) while preserving the user's personal data. This is the appropriate action when a device is reported stolen, as it ensures corporate data is protected without affecting the user's personal information, which aligns with the organization's data protection requirements.

Exam trap

The trap here is that candidates often confuse 'full wipe' with 'selective wipe' in Android Enterprise, mistakenly thinking a full wipe is required for stolen devices, but Microsoft Intune's selective wipe is the correct and recommended action for corporate data removal while preserving personal data.

How to eliminate wrong answers

Option A is wrong because a full wipe resets the entire device to factory defaults, erasing both corporate and personal data, which is overly aggressive and may not be necessary or desired for a stolen device scenario. Option C is wrong because deleting the device from Microsoft Entra ID only removes the device object from identity management; it does not trigger any data wipe on the device itself, leaving corporate data accessible. Option D is wrong because, although retiring a device from Intune removes management and wipes corporate data, and 'retire' is often used synonymously with selective wipe, the question asks for the action to configure, and 'selective wipe' is the precise term the Intune console uses for this operation, while 'retire' is the broader action that includes a selective wipe.

93 · MCQ · hard

You are troubleshooting a Windows 11 device that fails to install a required application from the Company Portal. The app is assigned as required to the device. The device shows as compliant and has a healthy connection. What is the most likely cause?

A. The device is low on storage
B. The app is assigned to users, not devices
C. The app is available but not required
D. The device has offline files enabled
Answer: B

If the app is assigned to users instead of devices, the device may not receive the required installation.

Why this answer

When an application is assigned as required but fails to install on a compliant, connected device, the most likely cause is a mismatch in assignment targeting. In Microsoft Intune, required app assignments can be scoped to either users or devices. If the app is assigned to users but the device is not associated with a licensed user (or the user is not targeted), the device will not receive the installation policy.

The Company Portal checks user-based assignments, and without a targeted user, the required installation does not trigger.

Exam trap

The trap here is that candidates assume a compliant device with a healthy connection will always receive required apps, overlooking the critical difference between user-assigned and device-assigned app policies in Intune.

How to eliminate wrong answers

Option A is wrong because low storage would typically generate a specific error message or status in Intune (e.g., 'not enough disk space') and is not the most likely cause given the device is compliant and healthy. Option C is wrong because the question states the app is assigned as required, not available; if it were available, the user would need to manually install it, which contradicts the 'required' assignment. Option D is wrong because offline files (Client-Side Caching) do not prevent Intune from installing required applications; they affect file synchronization, not policy application.

94 · MCQ · medium

A user's device is enrolled in Microsoft Intune and compliant, but they cannot access corporate email via the Outlook mobile app. The app opens and shows 'Cannot connect to server'. Other users with the same device model can access email. What is the most likely cause?

A. The app protection policy is misconfigured.
B. The device model is blocked by a Conditional Access policy.
C. The device is not compliant with the compliance policy.
D. The user is blocked by a Conditional Access policy due to sign-in risk.
Answer: D

Conditional Access can block based on user risk, which would prevent access.

Why this answer

Option D is correct because the user's device is compliant and enrolled, yet the Outlook app cannot connect to the server. A Conditional Access policy that blocks access based on sign-in risk (e.g., medium or high risk detected by Azure AD Identity Protection) can target the user directly, even if the device itself is compliant. This explains why other users with the same device model are unaffected—the block is user-specific, not device-specific.

Exam trap

The trap here is that candidates assume a device compliance issue is the root cause because the error is connectivity-related, but the question explicitly states the device is compliant, forcing you to consider user-specific Conditional Access controls like sign-in risk.

How to eliminate wrong answers

Option A is wrong because a misconfigured app protection policy (MAM policy) would typically block data access or show a policy-related error, not a generic 'Cannot connect to server' message, and it would affect all users with that policy applied, not just one user. Option B is wrong because if the device model were blocked by a Conditional Access policy, all users with that model would be affected, not just a single user. Option C is wrong because the question explicitly states the device is compliant, so non-compliance cannot be the cause.

95
MCQmedium

Your organization uses Microsoft Intune to manage macOS devices. You need to deploy a custom shell script that runs once on each device. What should you configure?

A.A shell script with the 'Run script once per device' option.
B.A device compliance policy with a custom shell script.
C.A custom configuration profile with a script payload.
D.A managed app that includes the script.
AnswerA

Shell scripts in Intune can be set to run once per device.

Why this answer

Option A is correct because shell scripts can be deployed with a run-once frequency. Option B is wrong because a compliance policy does not run scripts. Option C is wrong because a configuration profile cannot run scripts.

Option D is wrong because a managed app is not for scripts.

96
MCQeasy

You are an Intune administrator for a company that has recently deployed Windows 11 devices. Management wants to ensure that all devices are running the latest feature update (Windows 11 23H2) within 60 days of release. You need to configure a Windows Update for Business policy in Intune to achieve this goal. Which settings should you configure?

A.Set the feature update deferral period to 60 days and assign the policy to all devices.
B.Set the feature update deferral period to 60 days and pause updates for 30 days.
C.Set the feature update deadline to 60 days and assign the policy to a device group.
D.Set the feature update deferral period to 0 days and assign to all users.
AnswerA

Deferral of 60 days means the update will be offered within 60 days after release.

Why this answer

Option A is correct because setting the feature update deferral period to 60 days in a Windows Update for Business policy ensures that devices will wait up to 60 days after Microsoft releases a feature update (e.g., Windows 11 23H2) before installing it. This meets the requirement of having all devices running the latest feature update within 60 days of release, as the deferral period defines the maximum delay from the release date. Assigning the policy to all devices ensures blanket coverage across the Windows 11 fleet.

Exam trap

The trap here is that candidates confuse the 'deferral period' (which delays the initial offering of the update) with the 'deadline' (which forces installation after the update is already available), leading them to incorrectly select a deadline-based option when the goal is to control how soon after release the update becomes available to devices.

How to eliminate wrong answers

Option B is wrong because pausing updates for 30 days would block updates entirely for that period, preventing devices from receiving the feature update within the 60-day window; the deferral period and pause are mutually exclusive controls. Option C is wrong because setting a feature update deadline to 60 days does not control the initial availability of the update—it only enforces a forced installation deadline after the update is already offered, which could result in devices not receiving the update until well after 60 days from release. Option D is wrong because setting the deferral period to 0 days would cause devices to install the feature update immediately upon release, which does not align with the goal of ensuring installation within 60 days (it would be too aggressive and could cause disruption), and assigning to all users instead of devices is less effective for device-level update management.

97
Multi-Selecthard

You are planning the deployment of Windows 11 using Intune. Which THREE components are required to perform an in-place upgrade from Windows 10?

Select 3 answers
A.A Group Policy to enable Windows Update for Business.
B.A valid Windows 11 product key.
C.The Intune Management Extension installed on the device.
D.A Windows 11 feature update profile in Intune.
E.Hardware that meets Windows 11 system requirements.
AnswersB, D, E

Required for licensing.

Why this answer

Options B, D, and E are correct. A Windows 11 feature update profile is needed to deploy the upgrade. A valid product key for Windows 11 is required.

Hardware requirements (TPM 2.0, 4 GB RAM, etc.) must be met. Option A is incorrect because a Group Policy is not required; Intune can manage the upgrade. Option C is incorrect because the Intune Management Extension is not required for feature updates.

98
MCQmedium

You manage Windows 10 devices with Intune. You need to collect diagnostic logs from a remote device that is experiencing application crashes. Which Intune feature should you use?

A.Collect diagnostics
B.Company Portal app
C.Autopilot Reset
D.Windows Update for Business
AnswerA

This remote action collects logs without user intervention.

Why this answer

Option A is correct because 'Collect diagnostics' is a remote action in Intune that allows admins to gather logs from Windows devices. Option B (Company Portal) is for end users. Option C (Autopilot Reset) is for re-provisioning.

Option D (Windows Update for Business) is for updates.

99
MCQmedium

Your organization uses Microsoft Intune to manage Windows 10 and Windows 11 devices. You need to deploy a critical security update to all devices within 24 hours. The update is classified as a 'Quality Update' by Microsoft. You have configured a Windows Update for Business policy in Intune with a 'Quality update deadline' of 1 day. However, after 48 hours, some devices still have not installed the update. You verify that the devices are online and have checked in with Intune recently. What should you do to ensure the update is installed immediately on the remaining devices?

A.Ask users to restart their devices.
B.Reassign the update ring to a broader device group.
C.Use the 'Update Immediately' setting in the Windows Update for Business policy.
D.Increase the 'Quality update deadline' to 3 days.
AnswerC

This setting forces the device to check for and install available updates immediately.

Why this answer

Option C is correct because the 'Update Immediately' setting forces the device to check for and install updates without delay. Option D is wrong because the deadline is already set to 1 day; increasing it would allow more delay. Option A is wrong because restarting the device does not force update installation.

Option B is wrong because the issue is not with the update ring assignment; the policy is already applied.

100
Multi-Selecthard

Which THREE factors should you consider when planning the deployment of Windows 10 feature updates using Intune?

Select 3 answers
A.Devices must have sufficient disk space to download the update.
B.A deployment ring strategy should be used to test updates on a pilot group first.
C.The version of Windows 10 determines which update rings are available.
D.The feature update compatibility report is only available for Windows 11.
E.Deferral periods can be set to delay the update installation.
AnswersA, B, E

Sufficient disk space is required for feature updates.

Why this answer

Feature update deployment requires considering deferral periods, pilot groups, and bandwidth. Option D is incorrect because feature update compatibility reporting is available. Option C is incorrect because the Windows 10 version is not relevant to update rings; update rings apply to quality updates.

Option A is correct: sufficient disk space is required to download the update. Option B is correct: a deployment ring strategy helps stage updates. Option E is correct: deferral periods control timing.

101
MCQmedium

Refer to the exhibit. You run the PowerShell command above to get a list of noncompliant devices. The output shows that some devices have a complianceGracePeriodExpirationDateTime in the past. What does this indicate?

A.The compliance policy has been removed from these devices.
B.The devices are still within the grace period and can access resources.
C.The devices were recently remediated and are now compliant.
D.The devices have exceeded the grace period and should be blocked from accessing resources.
AnswerD

Past expiration means grace period has been exceeded.

Why this answer

Option D is correct because a grace period expiration in the past means the device has been noncompliant beyond the grace period, so it should be blocked. Option B is wrong because the grace period has expired. Option C is wrong because the device is noncompliant.

Option A is wrong because compliance policies are still applied.

102
MCQmedium

You deployed this endpoint protection policy to a Windows 10 device. A user reports that a known malicious file was downloaded but not blocked. What is the most likely reason?

A.Real-time scanning is set to monitorAllFiles, but the file was an archive.
B.The scan type is set to quick, which does not scan downloaded files.
C.The cloud block level is set to high, which may block unknown files, but known files might be missed.
D.The policy has not been applied to the device yet.
AnswerD

If the policy hasn't applied, settings are not active.

Why this answer

Option D is correct because if the endpoint protection policy has not been applied to the device, the Microsoft Defender for Endpoint settings (including real-time scanning and cloud-delivered protection) are not active. The policy must be successfully delivered via Microsoft Intune or Configuration Manager before any protection rules take effect. Without policy application, the device runs with default or no protection, allowing known malicious files to be downloaded without being blocked.

Exam trap

The trap here is that candidates assume a protection policy is automatically active once created, but Microsoft Intune policies require device check-in and successful application before they take effect, and the cloud block level setting is often misunderstood as affecting known malware detection.

How to eliminate wrong answers

Option A is wrong because real-time scanning set to monitorAllFiles includes archives; Microsoft Defender scans archive files (e.g., .zip, .rar) by default when monitorAllFiles is enabled, so an archive would still be scanned. Option B is wrong because the scan type (quick, full, or custom) applies to scheduled or on-demand scans, not to real-time protection; real-time scanning always inspects files as they are downloaded or accessed, regardless of the scan type setting. Option C is wrong because the cloud block level setting (high, moderate, etc.) affects how aggressively unknown files are sent to the cloud for analysis, but known malicious files are blocked locally by signature-based detection and do not rely on cloud block level; a known file would be blocked even with a high cloud block level.

103
MCQeasy

You need to retire a device in Microsoft Intune. What is the effect of retiring a device?

A.The device is unenrolled, and corporate data and apps are removed. Personal data is preserved.
B.The device is factory reset to its original settings.
C.The device remains enrolled but can no longer access corporate resources.
D.The device is deleted from Azure AD and Intune.
AnswerA

Retirement removes company data and unenrolls the device.

Why this answer

Option A is correct because retirement removes managed data and apps but retains personal data. Option B is wrong because that describes a wipe. Option C is wrong because retirement does not delete the device from Azure AD.

Option D is wrong because the device remains enrolled.

104
MCQmedium

Your organization uses Microsoft Intune to manage Android Enterprise devices. You need to ensure that only approved corporate apps can be installed on work profiles. What should you configure?

A.Device compliance policy to block noncompliant devices
B.Device restrictions configuration profile
C.App configuration policy for managed Google Play
D.Conditional access policy to require approved apps
AnswerC

App configuration policies can define an approved list of apps for work profiles.

Why this answer

To restrict app installation on Android Enterprise work profiles to only approved corporate apps, you must configure an app configuration policy for managed Google Play. This policy enforces a list of required and allowed apps, preventing users from installing unapproved apps from the Play Store on the work profile. Device compliance and conditional access policies control access to resources, not app installation, while device restrictions lack the granularity to enforce app whitelisting on managed Google Play.

Exam trap

The trap here is that candidates often confuse app configuration policies (which control app installation and settings) with app protection policies (which control data behavior within apps), leading them to incorrectly select conditional access or compliance policies instead.

How to eliminate wrong answers

Option A is wrong because device compliance policies evaluate device health (e.g., encryption, root status) and can block access to resources, but they do not control which apps can be installed on the work profile. Option B is wrong because device restrictions configuration profiles manage device settings (e.g., camera, Bluetooth) but cannot enforce a whitelist of approved apps for installation on managed Google Play. Option D is wrong because conditional access policies require approved apps for resource access (e.g., Exchange Online) but do not prevent installation of unapproved apps on the work profile; they only gate access after the app is already installed.

105
MCQhard

The above PowerShell cmdlet returns the following output:

DeviceName: LAPTOP001
LastSyncDateTime: 2025-03-15T08:30:00Z
ComplianceState: noncompliant
ManagementState: managed
OSVersion: 10.0.19044.1288

The device last synced 3 days ago. What is the most likely reason for the noncompliant status?

A.The device is running an outdated OS version.
B.The device has been retired or wiped.
C.The device has not synced in over 24 hours.
D.The device has no compliance policy assigned.
AnswerC

Many compliance policies require a recent sync to remain compliant.

Why this answer

The device last synced 3 days ago, and the output shows ComplianceState: noncompliant. In Microsoft Intune, a device that has not checked in for more than 24 hours is automatically marked as noncompliant because the compliance policies cannot be evaluated without a recent sync. The LastSyncDateTime of 2025-03-15T08:30:00Z confirms the device has not synced within the required 24-hour window, making C the correct answer.

Exam trap

The trap here is that candidates assume 'noncompliant' always means a policy rule violation (like outdated OS or missing encryption) rather than recognizing that Intune can mark a device noncompliant simply for failing to sync within the required timeframe, even if all other policies are satisfied.

How to eliminate wrong answers

Option A is wrong because the OSVersion (10.0.19044.1288) corresponds to a supported build of Windows 10 21H2, which is not inherently outdated for compliance unless a specific policy requires a newer version, and the output does not indicate an OS version mismatch. Option B is wrong because the ManagementState is 'managed', not 'retired' or 'wiped', so the device is still under management and has not been removed. Option D is wrong because if no compliance policy were assigned, the device would typically show a ComplianceState of 'unknown' or 'not evaluated', not 'noncompliant'.

106
MCQeasy

A user's device is marked as 'Noncompliant' in Microsoft Intune due to missing required updates. The device is configured with a compliance policy that requires a minimum OS version. The user claims the device is up-to-date. What should you verify first?

A.The current OS version on the device.
B.The user's license status.
C.The compliance policy is assigned to the device.
D.The device is connected to the internet.
AnswerA

The device might not have the required OS version.

Why this answer

Option A is correct because the first step in troubleshooting a noncompliant device due to a missing minimum OS version is to verify the actual OS version currently installed on the device. The user's claim that the device is up-to-date may be based on a misunderstanding of what version is required, or the device may have pending updates that have not been applied. Intune compliance policies evaluate the OS version reported by the device during check-in, so confirming the exact build number against the policy requirement is the logical starting point.

Exam trap

The trap here is that candidates may jump to verifying policy assignment or connectivity, overlooking that the most direct and immediate verification is the actual OS version on the device, which is the specific attribute being evaluated by the compliance policy.

How to eliminate wrong answers

Option B is wrong because license status affects enrollment and access to Intune features, but it does not directly cause a device to be marked noncompliant due to a missing OS version; a licensed user can still have a noncompliant device. Option C is wrong because if the compliance policy were not assigned to the device, the device would not be evaluated against that policy and would not be marked noncompliant for that reason; the fact that it is marked noncompliant indicates the policy is assigned. Option D is wrong because while internet connectivity is required for the device to check in with Intune and report compliance, the device is already reporting its noncompliant status, meaning it has communicated with the service; connectivity is not the root cause of the OS version mismatch.

107
Multi-Selecteasy

You need to deploy Microsoft Defender for Endpoint to Windows 10 devices using Microsoft Intune. Which TWO methods can you use to deploy the Microsoft Defender for Endpoint client?

Select 2 answers
A.Using Group Policy connected to Intune.
B.As a line-of-business (LOB) app in Intune.
C.From the Microsoft Store for Business.
D.Via a device configuration profile using the 'Microsoft Defender for Endpoint' CSP.
E.Via Microsoft Configuration Manager.
AnswersB, D

You can upload the MDATP installer as an LOB app.

Why this answer

You can deploy the Microsoft Defender for Endpoint client via Intune as a line-of-business app (by uploading the installer) or as part of a device configuration profile (by enabling the 'Microsoft Defender for Endpoint' configuration service provider (CSP) settings). Option C, Microsoft Store, is not applicable because Defender for Endpoint is not a store app. Option A, Group Policy, is not managed by Intune.

Option E, Configuration Manager, is a separate management tool.

108
MCQeasy

Refer to the exhibit. You are deploying Microsoft Edge via Intune as a required app for Windows devices. Which setting ensures that any previous version of Microsoft Edge is removed before installing the new version?

A.appVersion: 96.0.1054.62
B.channel: Stable
C.uninstallPrevious: true
D.intent: required
AnswerC

This removes previous versions before installing.

Why this answer

Option C is correct because 'uninstallPrevious' set to true removes previous versions. Option B is wrong because channel does not affect removal. Option A is wrong because appVersion is the version to install.

Option D is wrong because intent is 'required', meaning it must be installed.

109
MCQmedium

You manage devices with Microsoft Intune. Users report that after a recent policy change, some devices are not receiving updated policies. You verify that the devices are online and have connectivity. What should you do to force a policy refresh?

A.Ask users to restart their devices.
B.Ask users to run Windows Update.
C.Adjust the MDM sync interval in Intune.
D.In the Intune portal, select the devices and click 'Sync'.
AnswerD

The Sync action forces the devices to check in and apply latest policies.

Why this answer

Option D is correct because you can remotely trigger a sync from the Intune portal. Option A is wrong because rebooting does not force a policy refresh. Option B is wrong because Windows Update is unrelated.

Option C is wrong because the sync interval is client-side and not directly configurable from Intune.

110
MCQhard

You manage a hybrid Microsoft Entra ID environment with 5,000 Windows 10 devices enrolled in Microsoft Intune. You need to deploy a critical security update that requires a reboot to all devices within the next 4 hours. Users must be able to postpone the reboot for up to 8 hours. You configure a device restart policy in Intune. Which deadline and grace period settings should you use?

A.Deadline: 8 hours, Grace period: 4 hours
B.Deadline: 2 hours, Grace period: 12 hours
C.Deadline: 4 hours, Grace period: 8 hours
D.Deadline: 4 hours, Grace period: 30 minutes
AnswerC

The deadline ensures reboot within 4 hours, and the grace period allows postponement up to 8 hours.

Why this answer

Option C is correct because the deadline (4 hours) matches the required deployment window for the critical update, and the grace period (8 hours) allows users to postpone the reboot for up to 8 hours after the deadline. In Intune device restart policies, the deadline specifies when the update must be installed and the reboot initiated, while the grace period defines how long users can delay the restart after the deadline. With a 4-hour deadline and 8-hour grace period, the update is enforced within 4 hours, and users can postpone the reboot for up to 8 hours from that point, meeting both requirements.

Exam trap

The trap here is confusing the deadline with the grace period, leading candidates to think the deadline should be the total time allowed for postponement (8 hours) and the grace period the deployment window (4 hours), which reverses the correct logic.

How to eliminate wrong answers

Option A is wrong because a deadline of 8 hours exceeds the required 4-hour deployment window, meaning the update would not be enforced within the necessary timeframe. Option B is wrong because a deadline of 2 hours is too short, forcing the update and reboot before the 4-hour window is fully utilized, and a 12-hour grace period is excessive, allowing postponement beyond the 8-hour user flexibility requirement. Option D is wrong because a grace period of 30 minutes is far too short, preventing users from postponing the reboot for up to 8 hours as required.

111
MCQmedium

You need to provide remote assistance to a Windows 11 device managed by Intune. The user is not technically savvy. Which Intune feature should you use?

A.TeamViewer integration in Intune.
B.Company Portal.
C.Quick Assist.
D.Remote Desktop connection.
AnswerA

TeamViewer is integrated with Intune for remote assistance.

Why this answer

TeamViewer integration in Intune allows an IT admin to initiate a remote assistance session directly from the Intune admin center, without requiring the user to install additional software or share a session code. This is ideal for non-technical users because the admin can start the session, and the user only needs to accept a consent prompt on their device.

Exam trap

The trap here is that candidates often choose Quick Assist because it is a free, built-in Windows tool, but they overlook that it requires the user to generate and share a code, making it unsuitable for non-technical users in a managed Intune environment.

How to eliminate wrong answers

Option B is wrong because Company Portal is a self-service app for users to install apps, enroll devices, and access company resources; it does not provide remote control or screen-sharing capabilities. Option C is wrong because Quick Assist is a built-in Windows tool that requires the user to generate a security code and share it with the admin, which is too complex for a non-technical user and is not integrated with Intune management. Option D is wrong because Remote Desktop Connection (RDP) is typically blocked by default in managed environments for security reasons, requires the device to be on the same network or VPN, and is not designed for attended remote assistance with user consent.

112
MCQmedium

Your organization uses Microsoft Intune to manage iOS devices. You need to ensure that only approved corporate apps can be installed on these devices. Which restriction profile setting should you configure?

A.Allow app installation from App Store only
B.Require app store password
C.Allow managed apps to unmanaged accounts
D.Allow automatic app downloads
AnswerB

This ensures only authorized users can install apps.

Why this answer

Option B is correct because 'Require app store password' ensures that the user must provide the Apple ID password to purchase or download apps. Option A is incorrect; while it prevents installing apps from unknown sources, iOS already blocks that. Option C is incorrect because it manages app data, not installation.

Option D is incorrect because it manages automatic app downloads.

113
MCQmedium

Your organization uses Microsoft Defender for Endpoint (Microsoft Defender XDR). You need to ensure that all Windows 10 devices report their security health to Microsoft Defender for Endpoint. Some devices are showing as inactive. What is the most likely cause?

A.The devices are not enrolled in Microsoft Intune.
B.The Microsoft Defender for Endpoint sensor is not installed or configured correctly.
C.The devices are not compliant with conditional access policies.
D.The devices have lost connectivity to the internet.
AnswerB

The sensor must be onboarded to communicate with the Defender for Endpoint service.

Why this answer

The Microsoft Defender for Endpoint sensor is the core component that collects and reports security telemetry from Windows 10 devices to the Defender for Endpoint cloud service. If the sensor is not installed, is missing, or is misconfigured (e.g., due to a corrupted installation or incorrect onboarding script), the device will appear as inactive in the Microsoft 365 Defender portal, even if the device is otherwise healthy and connected.

Exam trap

The trap here is that candidates often confuse device enrollment (Intune) with sensor onboarding, assuming that a device must be managed by Intune to report to Defender for Endpoint, when in fact any Windows 10 device can be onboarded via a simple script or GPO.

How to eliminate wrong answers

Option A is wrong because enrollment in Microsoft Intune is not a prerequisite for Defender for Endpoint reporting; devices can be onboarded via Group Policy, local script, or other methods without Intune. Option C is wrong because conditional access compliance policies control access to cloud apps, not the reporting of security health to Defender for Endpoint; a non-compliant device can still report telemetry. Option D is wrong because while internet connectivity is required for the sensor to communicate with the cloud, the question states some devices are inactive, not all; if connectivity were the issue, all devices would likely be affected, and the sensor would still attempt to report (showing as 'misconfigured' rather than 'inactive').

114
Multi-Selecthard

Your organization is implementing a zero-trust security model using Microsoft Intune. Devices must be compliant before accessing corporate resources. You need to deploy compliance policies for Windows 10 devices that require BitLocker encryption and a minimum OS version. Which two policy settings should you configure? (Choose two.)

Select 2 answers
A.Minimum OS version.
B.Require device health attestation.
C.Require firewall (Windows Defender Firewall).
D.Require encryption of data storage on device.
E.Maximum OS version.
AnswersA, D

This setting ensures the device meets the minimum OS version requirement.

Why this answer

Option A is correct because the 'Minimum OS version' setting in a Windows 10 compliance policy ensures that devices must be running at least a specified build number (e.g., 10.0.19041 for Windows 10 20H1). This directly enforces the zero-trust requirement that only devices with a supported, up-to-date OS can access corporate resources, reducing exposure to known vulnerabilities. Option D is correct because the 'Require encryption of data storage on device' setting mandates BitLocker encryption on the system drive, which is a core data protection control in a zero-trust model.

Exam trap

The trap here is that candidates often confuse 'Require encryption of data storage on device' with 'Require device health attestation,' mistakenly thinking health attestation covers encryption, when in fact health attestation focuses on boot integrity and does not enforce BitLocker status.

115
MCQhard

Refer to the exhibit. You see the following Intune device properties for a Windows device. The device is noncompliant and the grace period expires on 2025-02-20. Today is 2025-02-15. The compliance policy requires a minimum OS version of 10.0.19041 but the device is on 10.0.18363. What will happen if the device does not become compliant before the grace period expires?

A.The device will automatically update to the required OS version
B.The device will be blocked from accessing corporate resources
C.The device will be retired immediately
D.The device will be retired after the grace period expires
AnswerD

After grace period, the configured noncompliance action (e.g., retire) will be applied.

Why this answer

Option D is correct because when a noncompliant device's grace period expires, Intune enforces the compliance policy by retiring the device. Retirement removes the device from Intune management and revokes access to corporate resources, but it does not immediately block access or force an OS update. The grace period allows a window for remediation; after expiration, the device is marked for retirement.

Exam trap

The trap here is that candidates confuse the immediate conditional access block (which can occur during noncompliance) with the post-grace-period retirement action, or assume Intune can force OS updates automatically.

How to eliminate wrong answers

Option A is wrong because Intune does not have the capability to automatically push OS version updates to Windows devices; compliance policies only report noncompliance and trigger actions like blocking access or retirement, not OS upgrades. Option B is wrong because blocking access (conditional access) occurs when the device is noncompliant, but the grace period allows continued access until it expires; after expiration, the device is retired, not merely blocked. Option C is wrong because retirement is not immediate upon noncompliance; it occurs only after the grace period expires, as specified in the policy configuration.

116
MCQeasy

A user reports that their Microsoft Intune enrolled device is not receiving required compliance policies. The device shows as 'Not evaluated' in the Microsoft Intune admin center. What is the most likely cause?

A.The device is not connected to the internet
B.The Intune Management Extension is not installed
C.The user does not have an Intune license assigned
D.The device is not enrolled in Intune
AnswerB

Without the extension, policies cannot be evaluated, leading to 'Not evaluated'.

Why this answer

Option B is correct because compliance policies require the Intune Management Extension to be installed and running to evaluate and apply policies. Option A (network connectivity) would show as 'Not compliant' or 'Unknown', not 'Not evaluated'. Option D (device is unenrolled) would show as 'Not enrolled'.

Option C (user lacks license) would prevent enrollment but not cause 'Not evaluated' after enrollment.

117
MCQhard

You are deploying Windows 11 devices using Windows Autopilot. Some devices are not registering in Microsoft Intune. You have verified that the hardware hashes are uploaded correctly. What is the most likely cause?

A.The devices are not connected to the internet.
B.The hardware hashes are invalid.
C.The devices are not running Windows 11 Pro or Enterprise.
D.The user does not have an Intune license.
AnswerA

Autopilot requires internet connectivity to register with Intune.

Why this answer

Option A is correct because Windows Autopilot requires internet connectivity during the out-of-box experience (OOBE) to contact the Autopilot deployment service and Microsoft Intune. Without internet access, the device cannot download the Autopilot profile or register in Intune, even if hardware hashes are correctly uploaded. The hardware hash upload is a separate step that does not guarantee the device can later connect to the service.

Exam trap

The trap here is that candidates often assume hardware hash upload is the only prerequisite for Autopilot registration, overlooking the critical requirement for internet connectivity during the device's initial boot process.

How to eliminate wrong answers

Option B is wrong because the question explicitly states that the hardware hashes are uploaded correctly, so invalid hashes are not the issue. Option C is wrong because Windows Autopilot supports Windows 11 Pro, Enterprise, and Education editions; the device not registering is not caused by running an unsupported edition. Option D is wrong because the user license is not required for device registration via Autopilot; device enrollment occurs before user sign-in, and Intune licenses are only needed for user-based management after enrollment.

118
MCQhard

Refer to the exhibit. You have configured the compliance policy shown above. A user reports that their Windows 11 device is compliant with all settings except the threat level. The device has no threat protection agent installed. What will happen when the user tries to access corporate resources?

A.Access is granted but the user receives a warning notification.
B.Access is blocked only after a 24-hour grace period.
C.Access is blocked immediately.
D.Access is granted because the device meets all other compliance requirements.
AnswerC

Device is noncompliant and action is to block immediately.

Why this answer

The compliance policy requires a minimum threat level, which cannot be evaluated because the device has no threat protection agent installed. In Microsoft Intune, when a required compliance setting cannot be assessed (e.g., no agent), the device is treated as non-compliant, and access is blocked immediately. There is no grace period for missing required agents, and conditional access enforces the block at the time of the access request.

Exam trap

The trap here is that candidates assume a grace period applies to all non-compliance scenarios, but grace periods are only applicable to specific settings (like password expiration) and not to missing required agents or unassessable settings.

How to eliminate wrong answers

Option A is wrong because access is not granted with a warning; Intune conditional access blocks non-compliant devices immediately, and a warning notification is only sent if the device is compliant but has a warning-level issue. Option B is wrong because a 24-hour grace period applies only to specific non-compliance actions (e.g., password expiration) when configured in a compliance policy, not to missing required agents like a threat protection agent. Option D is wrong because meeting all other compliance requirements does not override the specific threat level requirement; the device is non-compliant overall, and access is blocked.

119
MCQmedium

You need to implement a solution that automatically wipes a company-owned Windows 10 device when it has not connected to Intune for 30 days. Which Intune feature should you configure?

A.A PowerShell script that runs on the device to self-destruct after 30 days.
B.Compliance policy with a device health rule for 'Maximum days since last check-in' and a non-compliance action to retire the device.
C.Device cleanup rules to automatically delete devices after 30 days.
D.Device configuration profile with a setting to require periodic check-in.
AnswerB

This combination allows automatic retirement after a period of inactivity.

Why this answer

Option B is correct because a compliance policy can mark a device as non-compliant if it has not checked in for a specified period, and a conditional access policy can then block access. The wipe does not happen on its own: you configure the non-compliance action to retire or wipe the device. Option D is wrong because configuration profiles don't enforce check-in.

Option C is wrong because device cleanup rules remove stale device records; they do not wipe devices. Option A is wrong because scripts don't run on disconnected devices.

120
MCQmedium

You manage Windows 10 devices enrolled in Microsoft Intune. Users report that the Company Portal app is not installing required apps. You verify that the devices are compliant and checked in recently. What is the most likely cause?

A.The users are not members of the Azure AD group assigned to the required app.
B.The devices are not connected to a Wi-Fi network configured in Intune.
C.The devices are not compliant with the compliance policy.
D.The enrollment restrictions are blocking the devices from receiving apps.
AnswerA

App assignment targeting is based on group membership; if users are not in the group, the app won't be required.

Why this answer

Option A is correct because if users are not members of the Azure AD group targeted for the app, the app will not be required for them. Option C is wrong because compliance does not affect app assignment targeting. Option B is wrong because Wi-Fi profiles are not required for app installation.

Option D is wrong because enrollment restrictions block enrollment, not app installation.

121
MCQeasy

You need to retire a corporate-owned iOS device that is no longer in use. The device is enrolled in Intune with user affinity. Which action should you perform?

A.Disable the device in Intune.
B.Wipe the device from Intune.
C.Retire the device from Intune.
D.Delete the device from Microsoft Entra ID.
AnswerC

Retire removes management and corporate data.

Why this answer

Option C is correct because the 'Retire' action in Intune removes the managed app data and policies from the device while preserving the user's personal data, which is appropriate for a corporate-owned device with user affinity that is no longer in use. Retiring also removes the device from Intune management and revokes the company portal access, ensuring compliance without unnecessary data loss.

Exam trap

The trap here is that candidates often confuse 'Retire' with 'Wipe' or 'Disable', not realizing that Retire is the correct action for removing corporate data without affecting personal data on a corporate-owned device with user affinity.

How to eliminate wrong answers

Option A is wrong because disabling a device in Intune only blocks it from synchronizing and receiving policies, but does not remove corporate data or unenroll the device, leaving it partially managed. Option B is wrong because wiping the device performs a factory reset, which would erase all data including personal content, which is excessive for a corporate-owned device that simply needs to be decommissioned. Option D is wrong because deleting the device from Microsoft Entra ID removes the device object from Azure AD but does not trigger the Intune retirement process, leaving the device still enrolled and potentially able to access resources.

122
MCQmedium

Your organization uses Microsoft Intune to manage Windows 10 devices. Users report that after a recent update, some devices are no longer receiving compliance policies. You verify that the devices are enrolled and show as active in Intune. What should you check first?

A.Verify that the compliance policy is assigned to the correct Windows version.
B.Check if the devices can connect to the Intune service.
C.Ensure the users are members of the correct Azure AD group.
D.Re-enroll the devices in Intune.
AnswerA

The update may have changed the OS version, and the policy might not target that version.

Why this answer

Option A is correct because the compliance policy may not have been updated to target the new Windows version after the update. Option B is wrong because connectivity issues would affect all policies, not just compliance. Option D is wrong because if the device is enrolled and active, the enrollment record is intact and re-enrollment is unnecessary.

Option C is wrong because compliance policies are not tied to user group membership in this scenario.

123
MCQeasy

A user's iOS device is enrolled in Microsoft Intune and is compliant. However, the user cannot access corporate email in the Outlook mobile app. The app displays an error that the device is not compliant. What is the most likely cause?

A.The user's Intune license has expired.
B.The Outlook app is not installed on the device.
C.A compliance policy was updated requiring a newer OS version or additional security settings.
D.The device is not enrolled in Intune.
AnswerC

Updated policies can cause previously compliant devices to become non-compliant.

Why this answer

Option C is correct because Intune compliance policies are evaluated in real time when a user attempts to access corporate resources. If an administrator updates a policy to require a newer iOS version or additional security settings (e.g., passcode complexity, encryption), the device may become non-compliant even if it was previously compliant. The Outlook app checks device compliance via the Intune SDK and will block access if the device no longer meets the policy requirements, displaying the 'device not compliant' error.

Exam trap

The trap here is that candidates assume the error means the device is not enrolled or that the app is missing, but the question explicitly states the device is enrolled and compliant, so the most likely cause is a policy change that retroactively affects compliance status.

How to eliminate wrong answers

Option A is wrong because an expired Intune license would prevent the user from enrolling the device or accessing Intune-managed resources entirely, but the device is already enrolled and compliant, and the error specifically states non-compliance, not a licensing issue. Option B is wrong because if the Outlook app were not installed, the user would not be able to launch it or see an error within the app; the error is displayed by the app itself, confirming it is installed. Option D is wrong because the question explicitly states the device is enrolled in Intune and compliant, so the device is enrolled; the error is due to a change in compliance status, not enrollment status.

124
MCQhard

Users report that their Android Enterprise fully managed devices are not receiving email profiles pushed from Intune. You confirm the devices are enrolled and show as compliant. What is the most likely cause?

A.The devices are using work profile instead of fully managed.
B.The devices are not compliant with the compliance policy.
C.A device restrictions profile blocks the email app.
D.The 'Android Device Policy' app is not set to 'Required' in the app configuration policy.
AnswerD

This app is essential for managing fully managed devices.

Why this answer

Option D is correct because the Android Enterprise system app 'Android Device Policy' must be set to 'Required' in the app configuration policy. Without it, profiles may not apply. Option B is wrong because compliance does not affect profile delivery.

Option C is wrong because a device restrictions profile does not block email profiles. Option A is wrong because work profile vs. fully managed is a separate enrollment method; profiles should work on fully managed devices.

125
Multi-Selecteasy

You need to configure conditional access for managed devices accessing Exchange Online. Which THREE conditions can be used?

Select 3 answers
A.Device platform (e.g., iOS, Android).
B.Device risk level from Microsoft Defender XDR.
C.Device compliance status.
D.App protection policy status.
E.User location based on IP address.
AnswersA, B, C

Platform can be restricted.

Why this answer

Option A, Option B, and Option C are correct. Conditional access can use device compliance, device platform (e.g., iOS, Android), and device risk from Microsoft Defender XDR. Option E is incorrect because user location is a condition but not a device-specific one; it is based on IP address.

Option D is incorrect because app protection policies are not a condition in conditional access; they are separate policies.

126
MCQmedium

Your organization uses Microsoft Intune to manage devices. You need to ensure that only compliant devices can access corporate Exchange Online email. Which conditional access policy setting should you use?

A.Require device to be marked as compliant.
C.Require app protection policy.
D.Require device to be enrolled in Intune.
AnswerA

This ensures only compliant devices access corporate resources.

Why this answer

Conditional access in Microsoft Entra ID can require device compliance as a grant control. The 'Require device to be marked as compliant' option ensures only compliant devices get access. Requiring multifactor authentication is a separate control and does not check device compliance.

Option C is incorrect because app protection policies are for mobile app management. Option D is incorrect because device enrollment is not enough; compliance is required.

127
MCQmedium

Refer to the exhibit. You have a compliance policy for Windows 10 devices. A device reports as non-compliant with the reason 'TPM not found'. The device does have a TPM 2.0 chip but it is disabled in BIOS. What should you do to resolve the compliance issue?

A.Replace the device's motherboard.
B.Enable the TPM in the device's BIOS settings.
C.Assign a grace period for the device.
D.Remove the tpmRequired setting from the compliance policy.
AnswerB

This will allow the TPM to be detected.

Why this answer

Option B is correct because the device has a TPM 2.0 chip that is disabled in BIOS. Enabling the TPM in BIOS allows the device to report its TPM presence to Microsoft Intune, satisfying the compliance policy's tpmRequired setting. No hardware replacement, grace period, or policy modification is needed when the TPM is physically present but disabled.

Exam trap

The trap here is that candidates may assume a 'TPM not found' error indicates missing hardware, leading them to choose motherboard replacement or policy removal, rather than recognizing that a disabled TPM in BIOS is a common configuration issue that can be resolved without hardware changes.

How to eliminate wrong answers

Option A is wrong because replacing the motherboard is unnecessary when the TPM chip is already present and functional; the issue is only that it is disabled in BIOS. Option C is wrong because assigning a grace period would only delay enforcement of the non-compliance, not resolve the underlying TPM detection failure. Option D is wrong because removing the tpmRequired setting from the compliance policy would lower the security baseline, whereas the correct action is to enable the existing TPM hardware.

128
MCQeasy

Your organization uses Microsoft Intune to manage iOS devices. You need to ensure that only devices with a passcode of at least 6 characters can access corporate email. What should you create?

A.A device compliance policy with a required passcode length of 6.
B.A device configuration profile with a passcode payload.
C.An app protection policy for Microsoft Outlook.
D.A conditional access policy requiring compliant devices.
AnswerA

Device compliance policies enforce device-level security requirements.

Why this answer

Option A is correct because a device compliance policy enforces passcode requirements. Option B is wrong because a device configuration profile can only configure settings, not enforce compliance. Option C is wrong because an app protection policy applies to apps, not device-level passcode.

Option D is wrong because a conditional access policy works with compliance, not alone.

129
MCQeasy

You manage a fleet of iOS devices enrolled in Microsoft Intune. You need to ensure that only approved apps can be installed on corporate devices. Which policy type should you configure?

A.Device Configuration Profile with 'Allow app installation only from App Store' setting.
B.App Configuration Policy to restrict app installation.
C.Device Compliance Policy with 'Require approved apps' setting.
D.App Protection Policy with 'Allow only managed apps' setting.
AnswerD

This restricts installation to apps managed by Intune.

Why this answer

Option D is correct because App Protection Policies (APP) in Microsoft Intune control which apps can access corporate data on iOS devices. The 'Allow only managed apps' setting restricts data transfer and app usage to apps that are managed by Intune, effectively preventing installation of unapproved apps. This is the appropriate policy for enforcing approved app installation on corporate devices.

Exam trap

The trap here is that candidates confuse App Protection Policies (which control app-level data access and approved app lists) with Device Compliance Policies (which evaluate device-level settings), leading them to select Option C despite the absence of a 'Require approved apps' setting in compliance policies.

How to eliminate wrong answers

Option A is wrong because Device Configuration Profiles with 'Allow app installation only from App Store' control the source of app installation (App Store vs. sideloading), not which specific apps are approved; it does not restrict unapproved apps from being installed from the App Store. Option B is wrong because App Configuration Policies are used to supply custom settings or managed app configurations to apps, not to restrict app installation or enforce approval lists. Option C is wrong because Device Compliance Policies evaluate device health and settings (e.g., jailbreak detection, minimum OS version), but they do not have a 'Require approved apps' setting; compliance policies can mark devices noncompliant based on app inventory but do not block installation.

130
MCQeasy

You need to block users from enrolling personal Android devices in Microsoft Intune. Which enrollment restriction should you configure?

A.Set the 'Block personally owned devices' restriction for Android.
B.Set the 'Block Android' platform restriction.
C.Set the 'Block Android Enterprise' device type restriction.
D.Configure a device compliance policy to mark personal devices as non-compliant.
AnswerA

This blocks only personal devices while allowing corporate-owned.

Why this answer

Option A is correct because the 'Block personally owned devices' restriction prevents personal devices from enrolling. Option B is wrong because that restricts the device platform, not ownership. Option C is wrong because device type restrictions are for platform, not ownership.

Option D is wrong because compliance policies do not block enrollment.

131
MCQeasy

A company is planning to use Windows Autopilot to deploy new devices. They want to ensure that devices are automatically enrolled in Microsoft Intune when a user signs in with their Microsoft Entra ID credentials. Which configuration is required?

A.Configure an Enrollment Status Page (ESP) profile in Intune.
B.Create a device compliance policy with the Action for noncompliance set to 'Enforce enrollment'.
C.Set device enrollment restrictions to allow all device platforms.
D.Configure MDM auto-enrollment in Microsoft Intune admin center.
AnswerA

ESP profile enables automatic enrollment during Autopilot.

Why this answer

Option A is correct because you need to configure an Enrollment Status Page (ESP) policy that allows automatic enrollment. Option D is wrong because MDM auto-enrollment is configured in Microsoft Entra ID, not Intune. Option B is wrong because a compliance policy does not enforce enrollment.

Option C is wrong because device enrollment restrictions do not enable automatic enrollment.

132
Multi-Selecthard

Your organization uses Microsoft Intune to manage iOS/iPadOS devices. You need to ensure that only devices with a passcode can access corporate resources. Which THREE configurations should you implement?

Select 3 answers
A.Device configuration profile with passcode settings
B.Windows Autopilot deployment profile
C.Conditional Access policy requiring compliant devices
D.App protection policy with passcode for managed apps
E.Device compliance policy with passcode requirement
AnswersA, C, E

Configures passcode on devices.

Why this answer

A device compliance policy with a passcode rule, a Conditional Access policy requiring compliant devices, and a device configuration profile with passcode settings together enforce the passcode requirement. App protection policies apply to apps, not to the device. Autopilot is for Windows devices.

133
MCQmedium

Your organization has a mix of Windows 10 and Windows 11 devices managed by Intune. You need to enforce BitLocker encryption on all devices. Which policy type should you configure?

A.Device configuration profile with Administrative Templates.
B.Endpoint Protection profile in Device restrictions.
C.Device compliance policy.
D.Windows Update ring policy.
AnswerB

Endpoint Protection profile contains BitLocker settings.

Why this answer

Option B is correct because BitLocker settings are configured in the Endpoint Protection profile under device restrictions. Option D is wrong because the Update ring policy manages Windows Update settings. Option C is wrong because the device compliance policy evaluates compliance but does not enforce BitLocker.

Option A is wrong because a device configuration profile with 'Administrative Templates' can include BitLocker settings, but the standard method is the Endpoint Protection profile.

134
MCQeasy

Your organization has 200 Windows 10 devices that are not yet managed. You need to enroll them in Microsoft Intune. The devices are already joined to on-premises Active Directory. You want to enable hybrid Azure AD join and automatic enrollment via Group Policy. The devices are located in multiple sites with limited internet bandwidth. You need to minimize the amount of data transferred over the WAN during enrollment. What should you do?

A.Use Azure AD Connect to sync the devices to Azure AD and then enable automatic enrollment via Group Policy.
B.Configure a staging server to perform the initial Azure AD sync and then enable automatic enrollment via Group Policy.
C.Use Windows Autopilot to reset the devices and enroll them in Intune.
D.Manually enroll each device by signing in to the Company Portal.
AnswerB

Staging reduces WAN traffic by syncing locally.

Why this answer

Option B is correct because deploying a staging server (or an Azure AD Connect staging server) allows the initial device synchronization to Azure AD to occur locally, minimizing WAN traffic. After the sync, you can enable automatic enrollment via Group Policy, which only sends lightweight registration requests over the network rather than full device data.

Exam trap

The trap here is that candidates often assume Azure AD Connect is always the best choice for hybrid join, but they overlook the staging server feature specifically designed to minimize WAN traffic during initial bulk syncs.

How to eliminate wrong answers

Option A is wrong because using Azure AD Connect to sync devices directly over the WAN would transfer the full device objects and attributes across limited bandwidth links, increasing data transfer rather than minimizing it. Option C is wrong because Windows Autopilot resets the devices and requires internet connectivity for cloud-based provisioning, which would consume significant bandwidth and is not designed to minimize WAN data transfer during enrollment. Option D is wrong because manually enrolling each device via the Company Portal requires user interaction and still transfers enrollment data over the network, failing to minimize WAN traffic and being impractical for 200 devices.

135
MCQeasy

A user's Windows 11 device is not receiving the Company Portal app after enrollment. The device is enrolled in Microsoft Intune. What is the most likely cause?

A.The device is not compliant with security policies.
B.The device is running Windows 10 instead of Windows 11.
C.The device is not connected to the internet.
D.The user does not have an Intune license.
AnswerC

Company Portal download requires internet connectivity.

Why this answer

The Company Portal app is delivered to enrolled devices via Intune, but the initial download and installation require an active internet connection to reach Microsoft's cloud services. If the device is not connected to the internet, the enrollment process may complete locally, but the Company Portal app will not be pushed or installed until connectivity is restored. This is the most likely cause because the question states the device is already enrolled, ruling out licensing or compliance issues that would prevent enrollment itself.

Exam trap

The trap here is that candidates often assume compliance policies or licensing are the root cause for missing apps, but the question explicitly states the device is enrolled, which already confirms a valid license and a successful initial connection, making internet connectivity the most logical remaining factor.

How to eliminate wrong answers

Option A is wrong because non-compliance with security policies does not block the installation of the Company Portal app; it may restrict access to resources or trigger remediation, but the app is still delivered. Option B is wrong because the Company Portal app is fully supported on Windows 10 (version 1607 and later) and Windows 11; the OS version is not a factor. Option D is wrong because the user must have an Intune license to enroll the device, and since the device is already enrolled, the license is present; a missing license would prevent enrollment entirely, not just the app delivery.

136
Multi-Selecteasy

Which TWO methods can you use to deploy Microsoft 365 Apps to Windows 10 devices managed by Intune?

Select 2 answers
A.Use the Microsoft 365 Apps (Windows) app type in Intune.
B.Use the Microsoft 365 Apps admin center to create a configuration and deploy via Intune.
C.Use the Office Deployment Tool wrapped as a Win32 app.
D.Use Group Policy to assign Office installation.
E.Deploy the Microsoft Store version of Office.
AnswersA, B

This built-in app type simplifies deployment.

Why this answer

Option A is correct because the 'Microsoft 365 Apps (Windows)' app type in Intune is a built-in deployment method specifically designed to install Office 365 ProPlus (now Microsoft 365 Apps) on managed Windows 10 devices. It allows you to select the installation channel, language, and update settings directly from the Intune console without needing external tools.

Exam trap

The trap here is that candidates often confuse the 'Microsoft 365 Apps (Windows)' app type with the Office Deployment Tool wrapped as a Win32 app, thinking both are equally native Intune methods, but the question specifically asks for methods that use Intune—and the ODT wrapper is a custom deployment, not a native Intune app type.

137
MCQhard

You are troubleshooting an iPhone that cannot enroll in Microsoft Intune. The user receives an error stating 'This device is already enrolled in another MDM.' What is the most likely cause?

A.The device is already enrolled in Apple Business Manager or another MDM.
B.The device has a VPN configuration installed.
C.The device is not running the latest iOS version.
D.The user's license is expired.
AnswerA

Apple devices can only be enrolled in one MDM at a time. The device must be removed from the other MDM first.

Why this answer

The error 'This device is already enrolled in another MDM' indicates that the iPhone has an existing MDM profile that conflicts with Intune enrollment. This typically occurs when the device is already enrolled in Apple Business Manager (ABM) or another MDM solution, as iOS enforces a single MDM enrollment per device. Intune cannot overwrite an existing MDM profile without first removing it.

Exam trap

The trap here is that candidates may confuse MDM enrollment conflicts with other common issues like outdated OS or licensing, but the specific error message directly points to an existing MDM profile, not generic configuration or access problems.

How to eliminate wrong answers

Option B is wrong because a VPN configuration does not prevent MDM enrollment; it is a separate network setting that can coexist with an MDM profile. Option C is wrong because while an outdated iOS version might cause compatibility issues, it does not produce the specific 'already enrolled' error; Intune supports a range of iOS versions with appropriate requirements. Option D is wrong because an expired user license would block Intune enrollment with a different error (e.g., 'License not found' or 'Access denied'), not the 'already enrolled' message.

138
MCQhard

Your organization uses Microsoft Intune to manage iOS/iPadOS devices. You need to ensure that only approved apps can be installed on corporate-owned devices. Which configuration profile type should you use?

A.Email profile.
B.Device features profile.
C.Apple Configurator enrollment profile.
D.Device restrictions profile with 'Allow app installation from App Store only' set to 'Block'.
AnswerD

This blocks installation of apps not from the App Store.

Why this answer

Option D is correct because a device restrictions profile with 'Allow app installation from App Store only', combined with a compliant apps policy, can restrict apps. Option C is wrong because the Apple Configurator enrollment profile is for device enrollment, not app control. Option B is wrong because the Device Features profile manages settings like wallpaper.

Option A is wrong because the Email profile configures mail settings.

139
MCQhard

You are designing a Windows 11 update strategy for a fleet of 500 devices managed by Intune. The organization requires that critical security updates be applied within 7 days, but feature updates can be delayed up to 60 days. Which Update Rings configuration should you use?

A.Assign a Quality Update policy with deferral of 7 days
B.Create an Update Ring with quality update deferral of 7 days and feature update deferral of 60 days
C.Configure Windows Update for Business via Group Policy on-premises
D.Assign a Feature Update policy with deferral of 60 days
AnswerB

Update Rings allow separate deferrals for quality and feature updates.

Why this answer

Option B is correct because Update Rings in Intune allow setting deferral periods separately for quality (security) updates and feature updates. You can set the quality update deferral to 7 days and the feature update deferral to 60 days. Option C (Windows Update for Business via Group Policy) is a legacy method.

Option D (Feature Update policy) alone doesn't control quality updates. Option A (Quality Update policy) alone doesn't control feature updates.

140
MCQhard

You are planning a Windows 11 deployment for 500 new devices using Windows Autopilot. The devices will be shipped directly to users from the manufacturer. You need to ensure that the devices are automatically enrolled in Intune and joined to Microsoft Entra ID. What should you do?

A.Register the device hashes in Intune and assign an Autopilot deployment profile
B.Pre-install the Intune Management Extension on each device
C.Configure a provisioning package and include it with the shipment
D.Create a hybrid Azure AD join configuration in Intune
AnswerA

Registering device hashes and assigning an Autopilot deployment profile with the desired join type is the standard approach.

Why this answer

Option A is correct because Windows Autopilot uses device hashes (hardware IDs) to identify devices in Intune. By registering these hashes and assigning an Autopilot deployment profile, the devices are automatically enrolled in Intune and joined to Microsoft Entra ID during the out-of-box experience (OOBE), without requiring manual intervention or additional infrastructure.

Exam trap

The trap here is that candidates often confuse hybrid Azure AD join with Microsoft Entra ID join, or think provisioning packages are needed for Autopilot, when in fact Autopilot is designed for zero-touch, cloud-only scenarios without any on-premises dependency.

How to eliminate wrong answers

Option B is wrong because the Intune Management Extension is automatically installed during Intune enrollment, not pre-installed on devices before Autopilot runs. Option C is wrong because provisioning packages (PPKG files) are used for manual or bulk provisioning, not for the zero-touch, cloud-driven Autopilot scenario where devices are shipped directly to users. Option D is wrong because hybrid Azure AD join requires a connection to on-premises Active Directory and is not the default for Autopilot; the scenario specifies Microsoft Entra ID join, not hybrid.

141
MCQ · easy

Refer to the exhibit. A compliance policy is defined for Windows 10 devices. What is the minimum OS version required?

A. Windows 10 20H2
B. Windows 10 1903
C. Windows 10 21H2
D. Windows 10 2004
Answer: D

10.0.19041 corresponds to Windows 10 version 2004.

Why this answer

Option D is correct. The JSON shows 'osMinimumVersion' set to '10.0.19041.0', which is Windows 10 version 2004. Option B is wrong because 1903 is 10.0.18362.

Option A is wrong because 20H2 is 10.0.19042. Option C is wrong because 21H2 is 10.0.19044.

142
MCQ · hard

Refer to the exhibit. You apply this device configuration profile to a group of Windows 10 devices. Users report that they receive update notifications outside of active hours. Which setting should you modify to suppress notifications during active hours?

A. Set updateNotificationLevel to 'turnOffAllNotifications'.
B. Modify activeHoursStart and activeHoursEnd to cover the full day.
C. Set cloudBlockLevel to 'normal'.
D. Set detectionFrequency to a higher value.
Answer: A

This disables all Windows Update notifications.

Why this answer

The setting updateNotificationLevel controls whether Windows Update displays notifications to users. Setting it to 'turnOffAllNotifications' suppresses all update notifications, including those that appear outside of active hours. This is the correct configuration to prevent users from seeing update notifications during active hours.

Exam trap

The trap here is that candidates often confuse active hours (which control update installation timing) with notification suppression, leading them to incorrectly choose modifying active hours instead of the dedicated notification control setting.

How to eliminate wrong answers

Option B is wrong because modifying activeHoursStart and activeHoursEnd to cover the full day would prevent updates from being installed during that time, but it does not suppress the notifications themselves; users would still receive update notifications outside the defined active hours. Option C is wrong because cloudBlockLevel is a Microsoft Defender for Endpoint setting that controls cloud-delivered protection levels, not Windows Update notification behavior. Option D is wrong because detectionFrequency controls how often the device checks for updates, not whether notifications are shown; increasing it would not suppress notifications.

143
MCQ · easy

You need to ensure that corporate devices automatically install critical Windows updates within 24 hours of release. Which update ring setting should you configure in Intune?

A. Grace Period for Restarts (days)
B. Defer Quality Updates (days)
C. Update Deadline for Quality Updates (days)
D. Active Hours
Answer: C

This setting enforces installation by a deadline.

Why this answer

The 'Update Deadline for Quality Updates (days)' setting in Intune's update ring policy enforces a deadline by which quality updates must be installed. Configuring this to 1 day ensures that devices install critical Windows updates within 24 hours of release, as the deadline triggers automatic installation and restart after the specified number of days.

Exam trap

The trap here is that candidates confuse 'Defer Quality Updates' (which delays updates) with 'Update Deadline for Quality Updates' (which enforces installation timing), leading them to incorrectly select Option B thinking it controls installation speed.

How to eliminate wrong answers

Option A is wrong because 'Grace Period for Restarts (days)' controls how long after the deadline a user can postpone a restart, not the time to install the update. Option B is wrong because 'Defer Quality Updates (days)' delays the availability of updates, which would prevent automatic installation within 24 hours of release. Option D is wrong because 'Active Hours' defines a time window during which restarts are avoided, but does not enforce a deadline for update installation.

144
Multi-Select · medium

Which TWO actions can you perform to reduce the amount of time it takes for a Windows 10 device to receive a new policy from Microsoft Intune?

Select 2 answers
A. Increase the policy refresh interval in the device configuration profile.
B. Manually trigger a sync from the device's Settings > Accounts > Access work or school.
C. Restart the device.
D. Change the device's DNS to point to a local Intune server.
E. Configure the device to sync more frequently using the Intune management extension.
Answers: B, E

Manual sync triggers immediate policy retrieval.

Why this answer

Reducing the check-in interval can be done by configuring more frequent sync via the Intune management extension, or by manually triggering a sync from the device. Option A is incorrect because increasing the refresh interval would lengthen the wait rather than shorten it, and the policy refresh interval is not configurable via device policies in any case. Option C is incorrect because rebooting does not trigger a policy sync.

Option D is incorrect because Intune is a cloud service; there is no local Intune server to point DNS at.

145
MCQ · hard

You apply the custom policy shown in the exhibit to a Windows 11 device. Users report that they cannot use Bluetooth devices (e.g., mouse, keyboard) after the policy applies. Which setting in the policy is causing this issue?

A. allowBluetooth set to false
B. allowStorageCard set to false
C. allowCopyPaste set to false
D. allowCamera set to false
Answer: A

Disabling Bluetooth prevents all Bluetooth devices from connecting.

Why this answer

Option A is correct because 'allowBluetooth' is set to false, which disables Bluetooth functionality entirely, including peripherals. Option D (allowCamera) affects the camera only. Option C (allowCopyPaste) affects the clipboard.

Option B (allowStorageCard) affects external storage.

146
MCQ · medium

Your organization uses Microsoft Intune to manage macOS devices. You need to deploy a company-specific application (a .pkg file) to all macOS devices. The application requires a specific configuration file that must be placed in the /Library/Application Support/ directory. You also need to ensure that the application is installed silently without user interaction. How should you configure the deployment in Intune?

A. Use a shell script in Intune to download and install the .pkg file from a secure URL.
B. Create a device configuration profile for macOS that includes the app installation settings.
C. Add the .pkg file as a macOS line-of-business app in Intune, specify installation arguments for silent install, and include a script to copy the configuration file post-install.
D. Use Apple Volume Purchase Program (VPP) to distribute the app as a managed app.
Answer: C

This is the standard method for deploying custom macOS apps with configuration.

Why this answer

Option C is correct because Intune supports deploying macOS line-of-business apps (.pkg) with installation arguments for silent installation, and you can include a script to copy the configuration file. Option D is incorrect because the Volume Purchase Program (VPP) is for purchasing apps, not custom deployment. Option B is incorrect because a device configuration profile cannot install .pkg apps.

Option A is incorrect because shell scripts can install apps but are less integrated than LOB app deployment.

147
MCQ · hard

You are designing a Windows 365 Cloud PC provisioning policy. The requirement is that when a user is assigned a Cloud PC, it must automatically have Microsoft Defender for Endpoint configured with real-time protection enabled and a custom firewall rule allowing only specific IPs. Which approach should you use?

A. Create an Intune device configuration profile using the Settings Catalog and assign it to the Azure AD group containing Cloud PC users.
B. Include the settings in the Windows 365 provisioning policy.
C. Create a PowerShell script that runs during provisioning and apply it via Azure Automation.
D. Use a Group Policy Object (GPO) applied via on-premises AD.
Answer: A

Settings Catalog allows granular configuration of Defender and firewall settings.

Why this answer

Option A is correct because Intune device configuration profiles using the Settings Catalog allow granular control over Microsoft Defender for Endpoint settings (e.g., real-time protection) and custom firewall rules. These profiles can be assigned to an Azure AD group containing Cloud PC users, ensuring the settings are applied automatically after provisioning via the Windows 365 service, which integrates with Intune for post-provisioning management.

Exam trap

The trap here is that candidates mistakenly think Windows 365 provisioning policies can include security configurations, but in reality, they only define infrastructure settings, while all post-provisioning management (including Defender and firewall rules) must be handled by Intune policies.

How to eliminate wrong answers

Option B is wrong because Windows 365 provisioning policies only define Cloud PC configuration (e.g., region, network, image) and do not support granular security settings like Defender or custom firewall rules; those must be applied via Intune after provisioning. Option C is wrong because PowerShell scripts run during provisioning via Azure Automation are not natively integrated with Windows 365 provisioning; the recommended approach is to use Intune configuration profiles, which are designed for post-provisioning device management. Option D is wrong because Group Policy Objects (GPOs) require on-premises Active Directory and domain-joined devices, but Cloud PCs are Azure AD-joined or Hybrid Azure AD-joined by default and do not support direct GPO application without additional infrastructure like Group Policy Administrative Templates in Intune.

148
Multi-Select · easy

You are troubleshooting a Windows device that is not receiving policies from Intune. Which TWO actions should you take?

Select 2 answers
A. Configure a Conditional Access policy
B. Reset the user's password
C. Verify the device is enrolled in Intune
D. Check the device sync status in the Intune console
E. Review the app protection policy assignment
Answers: C, D

Device must be enrolled to receive policies.

Why this answer

Check the device sync status in Intune and verify the device is enrolled. App protection policies are for app configuration, not device policy delivery. Conditional Access policies do not directly affect policy delivery.

Checking user credentials does not resolve policy delivery issues.

149
MCQ · easy

Refer to the exhibit. The JSON shows a compliance policy for Windows 10 devices. A device is marked as non-compliant even though it has a password of length 8, firewall enabled, and Defender enabled. What is the most likely cause?

A. Microsoft Defender is not running.
B. The device firewall is not active.
C. The device does not lock after inactivity.
D. The device password is not complex enough.
Answer: C

The policy requires lock after inactivity.

Why this answer

The policy requires 'passwordRequireToUnlockFromIdle', which means the device must be locked after inactivity. If the device is not set to lock automatically, it will be non-compliant. Option D is incorrect because the password meets the length requirement.

Option B is incorrect because the firewall is enabled. Option A is incorrect because Defender is enabled.

150
Multi-Select · medium

Which TWO actions can you perform using the Microsoft Intune admin center to manage Windows 11 devices remotely? (Choose two.)

Select 2 answers
A. Collect diagnostics
B. Deploy a line-of-business app
C. Restart the device
D. Create a VPN profile
E. Assign a compliance policy
Answers: A, C

Remote diagnostics collection is a remote action.

Why this answer

Options A and C are correct. 'Restart' is a remote action to reboot a device. 'Collect diagnostics' gathers logs remotely. Option D (Create a VPN profile) is a configuration policy, not a remote action. Option E (Assign a compliance policy) is a configuration assignment.

Option B (Deploy a line-of-business app) is an app deployment, not a remote action.
