CCNA Manage Maintain Devices Questions

75 of 297 questions · Page 3/4 · Manage Maintain Devices topic · Answers revealed

151
MCQ · easy

A user's iOS device is enrolled in Microsoft Intune. The user reports that they cannot install the Company Portal app from the App Store. What is the most likely reason?

A. The user does not have an Apple ID.
B. The App Store is disabled by a device restriction policy.
C. The device is not enrolled in Intune.
D. The device is not supervised.
Answer: B

A device restriction policy can block the App Store.

Why this answer

If the device is already enrolled, the Company Portal app might be blocked by a configuration profile or restrictions. Option C is incorrect because the device is enrolled. Location services are not required for app installation, so they are not a factor here.

Option D is incorrect because if the device is supervised, admins can block installation of certain apps.

152
MCQ · easy

A company uses Microsoft Intune to manage iOS devices. They want to ensure that only devices with a passcode of at least 6 characters and without jailbreak can access corporate email. Which policy type should they configure?

A. Conditional Access policy
B. App protection policy
C. Device compliance policy
D. Device configuration policy
Answer: C

Compliance policies define required device configurations like passcode and jailbreak status.

Why this answer

Device compliance policies in Intune define rules for device security (e.g., passcode length, jailbreak detection). Option D is incorrect because device configuration policies set device settings but not compliance rules. Option B is incorrect because app protection policies target app-level data protection.

Option A is incorrect because conditional access uses compliance status but doesn't define the rules.

153
MCQ · medium

You manage Windows 10 devices enrolled in Microsoft Intune. Users report that the Windows Update for Business policy is not applying to some devices. You verify the devices are assigned the correct update ring. What should you check first?

A. Increase the sync frequency for the devices.
B. Check if the devices are compliant with device compliance policies.
C. Ensure the Windows Update service is not disabled on the devices.
D. Verify the Intune Management Extension is installed.
Answer: C

Windows Update service must be enabled for update rings to apply.

Why this answer

Option C is correct because the Windows Update for Business policy requires the Windows Update service to be enabled. If it's disabled, updates won't apply. Option B is wrong because compliance policies don't block update rings.

Option D is wrong because the Intune Management Extension is for Win32 apps, not updates. Option A is wrong because the sync interval doesn't prevent policy application.

154
MCQ · medium

You manage devices at Fabrikam Inc. using Microsoft Intune. You have a Windows 11 device that is not compliant because it is missing a required application. The device shows as 'Not evaluated' in Intune for the compliance policy. The user reports that the device syncs manually but still shows as non-compliant. You have verified that the device is enrolled and policy is assigned. What should you do first to resolve the issue?

A. Verify that the user has a valid Microsoft 365 license.
B. Create a new compliance policy with the same requirements and assign it to the device.
C. From the Intune console, select the device and run the 'Sync' action with the option 'Re-evaluate compliance policies'.
D. Remove the device from Intune and re-enroll it.
Answer: C

Triggers a fresh compliance evaluation.

Why this answer

Re-evaluating the compliance policy by running a sync with the Intune management extension can trigger a fresh assessment. Creating a new compliance policy is unnecessary. Removing and re-enrolling is disruptive.

Checking the user's license is not relevant to compliance evaluation.

155
MCQ · medium

Your organization uses Microsoft Intune for Windows device management. Users report that after a recent update, the company VPN client fails to start. You suspect a driver conflict. Which Intune feature should you use to roll back the problematic driver without affecting other updates?

A. Windows Update Rings
B. Group Policy Administrative Templates
C. Microsoft 365 Apps Admin Center
D. Windows Driver Update Rings
Answer: D

Correct. Driver Update Rings allow managing and rolling back specific driver updates.

Why this answer

Windows Driver Update Rings (D) is the correct feature because it allows you to selectively roll back a specific driver update without affecting other Windows updates or configuration changes. This feature is designed to manage driver updates independently from quality or feature updates, enabling targeted rollbacks when a driver causes conflicts like a VPN client failure.

Exam trap

The trap here is that candidates confuse 'Windows Driver Update Rings' with 'Windows Update Rings,' assuming all update rings are identical, but Microsoft specifically separated driver update rings to allow granular control over driver deployments without affecting other updates.

How to eliminate wrong answers

Option A is wrong because Windows Update Rings control the deployment of all Windows updates (quality, feature, and driver updates) as a group, and cannot selectively roll back a single driver without reverting other updates. Option B is wrong because Group Policy Administrative Templates manage configuration settings via registry-based policies, not driver versions or rollbacks. Option C is wrong because the Microsoft 365 Apps Admin Center is used to manage Office 365 app updates and policies, not Windows drivers or device-level driver rollbacks.

156
MCQ · hard

Your organization uses Microsoft Intune to manage Windows 10 devices. Users report that after a recent software update, the Start menu layout is missing. You need to restore the Start menu layout using Intune. What should you do?

A. Create a configuration profile for Windows 10 using 'Start layout' under Administrative Templates.
B. Create a configuration profile for Windows 11 using 'Start layout' setting.
C. Create a configuration profile for Windows 10 using 'Start layout' setting under Device restrictions.
D. Create a configuration profile using Administrative Templates and configure 'Start layout' policy.
Answer: C

This is the correct setting for Windows 10.

Why this answer

Option C is correct because the 'Start layout' setting in Devices > Configuration profiles > Windows 10 > Device restrictions allows you to specify an XML file that defines the Start menu layout. Option B is wrong because it is for Windows 11. Option A is wrong because Administrative Templates do not include Start layout.

Option D is wrong because the Start layout policy is under Device restrictions, not Administrative Templates.

157
MCQ · hard

Refer to the exhibit. The exhibit shows a JSON representation of a managed device from Microsoft Graph API. The device shows as noncompliant. Which of the following is the most likely reason for the noncompliant status?

A. The device has not synced recently; the compliance policy may require a more recent check-in.
B. The device is company-owned, which is noncompliant by default.
C. The device is a userless device and cannot be compliant.
D. The device's operating system version is not supported.
Answer: A

Compliance policies often require devices to sync within a certain period; the last sync is March 15, which may be older than the policy threshold.

Why this answer

The JSON shows the device's lastSyncDateTime is significantly older than the current time, and the complianceState is 'noncompliant'. Microsoft Intune compliance policies require devices to check in within a configurable grace period (default 30 days for noncompliant devices, but policies can enforce a shorter interval). If the device hasn't synced recently, it fails the 'Device check-in frequency' compliance rule, marking it noncompliant.

Option A correctly identifies this as the most likely cause.

Exam trap

The trap here is that candidates often assume noncompliance is due to an unsupported OS version or ownership type, but the JSON explicitly shows a supported OS and no ownership-based policy, while the stale lastSyncDateTime is the clear indicator of a check-in failure.

How to eliminate wrong answers

Option B is wrong because company-owned devices are not noncompliant by default; ownership type (corporate vs. personal) does not directly affect compliance state unless a specific compliance policy targets ownership. Option C is wrong because userless devices (e.g., kiosk or shared devices) can be compliant if they meet all policy requirements; Intune supports device compliance for userless scenarios via device enrollment. Option D is wrong because the JSON shows the operating system version as '10.0.22621' (Windows 11 22H2), which is a supported version; there is no indication of an unsupported OS.

158
MCQ · hard

Your organization uses Microsoft Intune to manage macOS devices. You need to deploy a .pkg app to these devices. What is the recommended method?

A. Add as a Windows line-of-business app.
B. Add as a macOS web app.
C. Add as a Microsoft Store app.
D. Add as a macOS line-of-business app.
Answer: D

macOS LOB app type supports .pkg files.

Why this answer

Option D is correct because macOS LOB apps support .pkg files. Option B is wrong because macOS web apps are for web links. Option A is wrong because the Windows LOB app type is for Windows devices.

Option C is wrong because the Microsoft Store app type is for Windows.

159
MCQ · easy

You need to ensure that all iOS devices enrolled in Intune automatically install required apps (e.g., Microsoft Outlook, Teams) during enrollment. Which enrollment profile setting should you configure?

A. Apple Volume Purchase Program token
B. Company Portal branding
C. Device type restriction
D. Install required apps during enrollment
Answer: D

This setting pushes required apps during the enrollment process.

Why this answer

Option D is correct because 'Install required apps during enrollment' is a setting in iOS enrollment profiles that triggers app installation as part of the Setup Assistant. Option C (Device type restriction) controls which devices can enroll. Option B (Company Portal branding) is for appearance.

Option A (Apple Volume Purchase Program token) is for purchasing apps, not automatic installation.

160
MCQ · medium

Your organization manages Windows 10 and 11 devices using Microsoft Intune. Users report that after a recent update, the Microsoft Store for Business app 'Company Portal' fails to launch. You verify that the app is assigned as required to all devices. What should you do first to resolve the issue?

A. Enable automatic updates for Company Portal in Intune.
B. Uninstall and reinstall Company Portal from all devices.
C. Trigger a device sync from the Microsoft Intune admin center.
D. Run Windows Update troubleshooter on affected devices.
Answer: C

Forces the device to check in and receive the latest app assignment and configuration.

Why this answer

The correct first step is to trigger a device sync from the Microsoft Intune admin center. This forces the affected devices to check in with Intune, which can push down any pending policy or app configuration updates that may have been missed after the recent Windows update. Since the Company Portal app is assigned as required, a sync ensures the device receives the latest app version or remediation actions without requiring a full reinstall.

Exam trap

The trap here is that candidates may jump to a destructive or configuration-based solution (like reinstalling or enabling auto-updates) instead of recognizing that a simple device sync is the least invasive and most appropriate first troubleshooting step for an app that fails to launch after an update.

How to eliminate wrong answers

Option A is wrong because enabling automatic updates for Company Portal in Intune is a configuration setting that applies to future updates, not a troubleshooting step to fix an app that already fails to launch. Option B is wrong because uninstalling and reinstalling Company Portal from all devices is a drastic, time-consuming measure that should only be attempted after simpler troubleshooting steps like a sync have failed. Option D is wrong because the Windows Update troubleshooter addresses Windows update issues, not problems with a specific Microsoft Store for Business app like Company Portal.

161
MCQ · easy

You need to deploy a line-of-business (LOB) app to Windows 10 devices managed by Intune. The app is a .msi file. Which app type should you select when adding the app in Intune?

A. Microsoft Store app
B. Web link
C. Windows app (Win32)
D. Windows line-of-business app
Answer: D

Windows LOB app type supports .msi files.

Why this answer

Option D is correct because Windows line-of-business apps are used for .msi files. Option C is wrong because Windows app (Win32) is for .exe or .intunewin files. Option A is wrong because Microsoft Store app is for store apps.

Option B is wrong because Web link is for web apps.

162
MCQ · easy

A company uses Microsoft Intune to manage iOS/iPadOS devices. They need to enforce a policy that requires users to set a device passcode of at least 6 characters. Which type of policy should they create?

A. Device configuration profile
B. Device compliance policy
C. Conditional access policy
D. App protection policy
Answer: B

Device compliance policies enforce device-level settings such as passcode requirements.

Why this answer

Option B is correct because device compliance policies include password settings for iOS. Option A is wrong because configuration profiles can set password policies, but compliance policies are specifically for enforcing requirements. Option D is wrong because app protection policies apply to apps, not device-level settings.

Option C is wrong because conditional access policies control access, not device settings.

163
MCQ · medium

Refer to the exhibit. You apply this Intune custom OMA-URI policy to a Windows 10 device. What is the expected outcome?

A. VPN connections are allowed over cellular networks.
B. The policy will fail to apply due to an invalid OMA-URI.
C. The policy applies only to users, not devices.
D. VPN connections over cellular are blocked.
Answer: D

Correct. Value '0' disables (blocks) VPN over cellular.

Why this answer

The OMA-URI ./Device/Vendor/MSFT/Policy/Config/Connectivity/AllowCellularData refers to the policy that controls whether cellular data is allowed for VPN connections. When set to 0, it blocks VPN connections over cellular networks, enforcing that VPN traffic must use Wi-Fi or Ethernet. This is a device-level policy, not user-specific, and the OMA-URI is valid for Windows 10 devices managed by Intune.

Exam trap

The trap here is that candidates may confuse the OMA-URI path as invalid or think it applies only to users, when in fact the ./Device/ prefix explicitly targets the device scope, and the policy is a valid Windows 10 CSP setting.

How to eliminate wrong answers

Option A is wrong because setting the value to 0 blocks VPN over cellular, not allows it; a value of 1 would allow it. Option B is wrong because the OMA-URI is a valid and supported policy path for Windows 10 device configuration in Intune, so it will apply successfully. Option C is wrong because this policy is configured under the device-level node (./Device/Vendor/MSFT/...), meaning it applies to the device regardless of which user is signed in, not only to users.

164
MCQ · medium

Your organization uses Microsoft Intune to manage Windows 10 and Windows 11 devices. Users report that after a recent update, their devices are stuck at the login screen and cannot access corporate resources. You suspect a configuration conflict. Which action should you take first to restore device functionality without affecting other settings?

A. Create a new device configuration profile that overrides the conflicting settings.
C. Reset the devices remotely using Intune.
D. Perform a selective wipe on the affected devices.

Why this answer

The correct first action is to use the 'Test and remediate' feature in Intune, which allows you to apply a temporary configuration to a test group of devices to identify and resolve conflicts without affecting the broader device population. This approach isolates the issue, preserves existing settings, and provides a controlled rollback if needed, aligning with best practices for troubleshooting configuration conflicts in Intune-managed Windows devices.

Exam trap

The trap here is that candidates often choose 'Reset devices remotely' or 'Selective wipe' as a quick fix, not realizing that these are destructive actions that should be reserved for security breaches or device retirement, not for resolving configuration conflicts that can be isolated and tested.

How to eliminate wrong answers

Option A is wrong because creating a new device configuration profile that overrides conflicting settings can introduce additional conflicts or unintended changes, and it does not provide a controlled, reversible test before broad deployment. Option C is wrong because resetting devices remotely using Intune is a drastic measure that erases all data and settings, which is not appropriate for a configuration conflict that can be resolved with a targeted test. Option D is wrong because performing a selective wipe removes corporate data but leaves personal data intact; however, it does not address the underlying configuration conflict and may still leave devices in a non-functional state regarding login.

165
Multi-Select · medium

Which TWO actions can you take to improve the performance of Microsoft Intune management for Windows devices that are geographically distributed and have limited bandwidth?

Select 2 answers
A. Deploy a Configuration Manager site server at each location to act as a peer cache.
B. Increase the frequency of device sync intervals to ensure policies are applied quickly.
C. Enable Delivery Optimization to use peer-to-peer sharing within the same network.
D. Configure Windows Update for Business to use 'Download only' mode to reduce update size.
E. Disable Windows Defender real-time scanning on devices.
Answers: C, D

Peer-to-peer reduces internet bandwidth usage by sharing downloads locally.

Why this answer

Options C and D are correct. Option D reduces data transfer by using delta updates. Option C reduces network load by using Delivery Optimization.

Option B is wrong because more frequent sync increases network usage. Option E is wrong because it does not affect bandwidth. Option A is wrong because Peer Cache uses local peers, not the internet.

166
MCQ · medium

You are troubleshooting a user's Windows 11 device that cannot connect to the corporate Wi-Fi network. The device is managed by Intune and has a Wi-Fi profile assigned. The profile uses SCEP certificate authentication. The certificate is issued by your internal CA. The device shows 'No internet access' though it connects. What is the most likely issue?

A. The SSID in the profile is incorrect
B. The root CA certificate is not deployed to the device
C. The user does not have an Intune license
D. The Wi-Fi profile is not assigned to the device
Answer: B

Without the root CA, the SCEP certificate cannot be validated.

Why this answer

Option B is correct because SCEP certificate-based authentication requires the device to trust the issuing CA. If the root CA certificate is not deployed to the device, the certificate chain cannot be validated, causing authentication failure. Option D (profile not assigned) would prevent connection entirely.

Option A (wrong SSID) would mean the device does not connect to the network at all. Option C (user not licensed) would not affect certificate authentication after enrollment.

167
MCQ · medium

Refer to the exhibit. You run a PowerShell cmdlet to get managed devices and see the output above. The device is noncompliant. What is the most likely reason?

A. The device is not enrolled.
B. The device name is too long.
C. The OS version is not supported.
D. The device has not synced recently.
Answer: D

Last sync is more than 24 hours ago, which can cause noncompliance.

Why this answer

The device is noncompliant because it has not synced recently. In Microsoft Intune, devices must regularly check in to report their compliance status; if a device fails to sync within the configured grace period (typically 30 days by default), it is marked as noncompliant. The PowerShell output shows the device is enrolled and managed, but the last sync time is missing or outdated, triggering the noncompliant state.

Exam trap

The trap here is that candidates assume noncompliance is always due to a configuration or OS issue, but Microsoft Intune also enforces compliance based on device activity—specifically the last sync time—which is a common oversight in exam scenarios.

How to eliminate wrong answers

Option A is wrong because the device is already enrolled and managed, as indicated by the 'Managed' status in the output. Option B is wrong because device name length does not affect compliance; Intune supports names up to 256 characters and has no compliance rule for name length. Option C is wrong because the OS version is listed as '10.0.19044.1706' (Windows 10 21H2), which is a supported version for Intune management and compliance policies.
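The stale check-in rule that questions 157 and 167 turn on can be checked directly against the records the Graph API returns. The following is an added example, not code from the question bank or from Microsoft: the record shape follows the Graph `managedDevice` resource (deviceName, osVersion, complianceState, lastSyncDateTime), while the device records, the check-in threshold and the reference time are constructed for the demonstration. It also treats a missing lastSyncDateTime as stale, which is the case question 167 describes.

```python
"""Flag Intune managed devices whose last check-in is older than a threshold.

Added example. Records are shaped like the Microsoft Graph `managedDevice`
resource, trimmed to the fields used here; all values are constructed.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample of what GET /deviceManagement/managedDevices might return.
SAMPLE_DEVICES = [
    {"deviceName": "FAB-LT-001", "osVersion": "10.0.22621.2428",
     "complianceState": "noncompliant", "lastSyncDateTime": "2024-03-15T08:12:44Z"},
    {"deviceName": "FAB-LT-002", "osVersion": "10.0.19044.1706",
     "complianceState": "compliant", "lastSyncDateTime": "2024-04-12T17:03:10Z"},
    {"deviceName": "FAB-LT-003", "osVersion": "10.0.22621.2428",
     "complianceState": "noncompliant", "lastSyncDateTime": None},
]

# Constructed reference time used in place of "now" so the run is reproducible.
DEMO_NOW = datetime(2024, 4, 20, 9, 0, tzinfo=timezone.utc)


def parse_graph_time(value):
    """Graph emits UTC timestamps ending in 'Z'; return an aware datetime or None."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def stale_devices(devices, now, max_age_days=30):
    """Return (deviceName, age_in_days) for devices past the check-in window.

    A device with no lastSyncDateTime is reported with age None: Intune has
    never heard from it, so it cannot have satisfied the check-in rule.
    """
    cutoff = now - timedelta(days=max_age_days)
    result = []
    for d in devices:
        last = parse_graph_time(d.get("lastSyncDateTime"))
        if last is None:
            result.append((d["deviceName"], None))
        elif last < cutoff:
            result.append((d["deviceName"], (now - last).days))
    return result


def explain_noncompliance(devices, now, max_age_days=30):
    """For each noncompliant device, say whether a stale check-in alone explains it.

    Devices that are noncompliant but checked in recently need their policy
    rules inspected instead (OS version, encryption, firewall, ...).
    """
    stale = dict(stale_devices(devices, now, max_age_days))
    report = {}
    for d in devices:
        if d["complianceState"] != "noncompliant":
            continue
        name = d["deviceName"]
        report[name] = "stale check-in" if name in stale else "check policy rules"
    return report


if __name__ == "__main__":
    for name, age in stale_devices(SAMPLE_DEVICES, DEMO_NOW):
        print(name, "never synced" if age is None else f"last sync {age} days ago")
    print(explain_noncompliance(SAMPLE_DEVICES, DEMO_NOW))
```

Raising `max_age_days` to the tenant's actual setting changes which devices are reported; with the default of 30 days the March 15 device is flagged, with 60 days it is not, and only the device that has never synced remains.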

168
MCQ · easy

You are a Microsoft Intune administrator for Tailwind Traders. The company has enrolled Windows 11 devices. You need to configure BitLocker encryption on all devices using Intune. You have created an endpoint security policy for BitLocker and assigned it to the correct group. After 24 hours, some devices still show as not encrypted. You verify that the devices are compliant with the policy's prerequisites. What should you do to force the policy to apply?

A. Use Group Policy Editor to configure BitLocker locally on each device.
B. Check if the devices have TPM version 2.0.
C. Re-create the BitLocker policy with a different name.
D. Remotely sync the devices from the Intune console to refresh policy.
Answer: D

Sync forces policy retrieval and application.

Why this answer

Triggering a sync on the devices will force the policy to be applied. Re-creating the policy is unnecessary. Using a local GPO is not managed centrally.

Checking the hardware is not relevant.

169
MCQ · easy

Refer to the exhibit. The JSON snippet shows a Windows Update for Business policy assigned to a device group. Users report that quality updates are installed 7 days after release. Which setting controls this behavior?

A. featureUpdateDeferralPeriodInDays
B. businessReadyUpdatesOnly
C. qualityUpdateDeferralPeriodInDays
D. automaticUpdateMode
Answer: C

This setting defers quality updates by the specified number of days.

Why this answer

Option C is correct because qualityUpdateDeferralPeriodInDays is set to 7, deferring quality updates by 7 days. Option A is wrong because featureUpdateDeferralPeriodInDays controls feature updates. Option D is wrong because automaticUpdateMode controls restart behavior.

Option B is wrong because businessReadyUpdatesOnly controls which updates are offered.

170
MCQ · medium

Refer to the exhibit. You have the following compliance policy assigned to a Windows 10 device running version 10.0.22000.0. The device has a password of 8 characters and is encrypted. What is the compliance status of the device?

A. Noncompliant due to password length
B. Noncompliant due to encryption
C. Compliant
D. Noncompliant due to OS version
Answer: C

All conditions are met.

Why this answer

Option C is correct because the device OS version (10.0.22000.0) is within the minimum (10.0.19041.0) and maximum (10.0.22621.0) versions, the password is 8 characters (minimum 6), and encryption is enabled. Option B is wrong because all conditions are met, including encryption. Option D is wrong because the OS version is within range.

Option A is wrong because the password meets the requirements.

171
MCQ · easy

You have created the above custom policy but it fails to apply on Windows 10 devices. What is the most likely reason?

A. The value must be an integer, not a string.
B. The OMA-URI targets the user, not the device.
C. Custom configuration policies are not supported on Windows 10.
D. The OMA-URI path is incorrect for an ADMX-backed policy.
Answer: D

ADMX policies require a specific URI format that includes the category path.

Why this answer

Option D is correct because the OMA-URI path for an ADMX-backed policy must follow the exact format: `./Device/Vendor/MSFT/Policy/Config/ADMX_<Category>/<PolicyName>`. If the path is incorrect—for example, missing the `ADMX_` prefix or using a wrong category name—the policy will fail to apply on Windows 10 devices. Custom configuration policies do support ADMX-backed policies, but the URI must precisely match the ADMX administrative template structure.

Exam trap

The trap here is that candidates assume any OMA-URI error is due to targeting (user vs. device) or data type issues, but the MD-102 exam specifically tests the precise URI syntax for ADMX-backed policies, which is a common misconfiguration point.

How to eliminate wrong answers

Option A is wrong because the error is not about data type mismatch; ADMX-backed policies can accept string values (e.g., registry strings) depending on the policy definition, and the question does not specify a value type conflict. Option B is wrong because the OMA-URI for device configuration policies uses the `./Device/` prefix, not `./User/`, and targeting the user would be a different scope; the issue here is the path structure, not the target. Option C is wrong because custom configuration policies are fully supported on Windows 10 via MDM; they are a core feature for deploying settings not available in the built-in configuration profiles.

172
MCQ · medium

You need to deploy a custom Windows 11 feature update to a pilot group of 50 devices before rolling out to the entire organization. The devices are managed by Intune and are in a 'Pilot' Azure AD group. What is the best approach?

A. Configure a Windows Update for Business deferral policy for all devices
B. Create a custom configuration profile with update settings
C. Create a feature update profile for Windows 11 and assign to the pilot group
D. Use Group Policy to configure Windows Update settings for the pilot group
Answer: C

Feature update profiles allow targeted deployment of feature updates.

Why this answer

Option C is correct because Intune's feature update profiles are specifically designed to deploy Windows 11 feature updates to targeted Azure AD groups, such as the 'Pilot' group. This approach allows you to control the exact feature update version (e.g., Windows 11 23H2) and assign it only to the pilot devices, enabling a controlled rollout before expanding to the entire organization.

Exam trap

The trap here is that candidates often confuse feature update profiles with quality update policies or configuration profiles, mistakenly thinking any update-related setting can be applied via a configuration profile or deferral policy.

How to eliminate wrong answers

Option A is wrong because a Windows Update for Business deferral policy only delays the installation of updates; it does not deploy a specific feature update version to a targeted group. Option B is wrong because custom configuration profiles are used for device settings (e.g., security policies, app configurations), not for deploying feature updates; feature updates require a dedicated feature update profile. Option D is wrong because Group Policy is not applicable in a cloud-only Intune-managed environment; devices must be Azure AD joined and managed via Intune, and Group Policy requires on-premises Active Directory and Domain Services.

173
MCQ · hard

You need to ensure that Windows 10 devices automatically receive Microsoft 365 Apps updates from the Internet when not connected to the corporate network. Which update channel should you configure?

A. Monthly Enterprise Channel
B. Office Insider
C. Current Channel
D. Semi-Annual Channel
Answer: C

Current Channel delivers updates as they become available and works over the Internet.

Why this answer

The Current Channel is the correct choice because it provides the most frequent updates for Microsoft 365 Apps, and it is the only channel that supports automatic updates from the Internet (via the Office Content Delivery Network) when devices are not connected to the corporate network. This channel is designed for devices that need the latest features and security updates without relying on on-premises update infrastructure.

Exam trap

The trap here is that candidates often confuse the Monthly Enterprise Channel with the Current Channel, assuming that 'Monthly' implies automatic Internet updates, but the Monthly Enterprise Channel is actually designed for managed deployment and does not support automatic Internet-based updates for off-network devices.

How to eliminate wrong answers

Option A is wrong because the Monthly Enterprise Channel is intended for organizations that want a predictable, once-a-month update cycle and typically rely on on-premises distribution points (e.g., Configuration Manager) or cloud-based management tools, not automatic Internet-based updates for off-network devices. Option B is wrong because Office Insider is a pre-release channel for testing upcoming features and is not intended for production devices requiring stable, automatic updates from the Internet. Option D is wrong because the Semi-Annual Channel provides updates only twice a year and is designed for environments with strict change management and on-premises update control, not for devices that need to automatically receive updates from the Internet when off the corporate network.

174
MCQ · medium

Refer to the exhibit. You have applied this compliance policy to a Windows 10 device running build 10.0.19044. The device meets all requirements except that the firewall is disabled. What will be the compliance status of the device?

A. Non-compliant, because the OS version is not within the allowed range.
B. Compliant, because the policy includes a grace period for firewall.
C. Compliant, because the OS version is within the allowed range.
D. Non-compliant, because the firewall is disabled.
Answer: D

Active firewall is required; disabling it makes the device non-compliant.

Why this answer

The policy requires activeFirewallRequired to be true. Since the firewall is disabled, the device is non-compliant. Even though other requirements are met, non-compliance in one area makes the device non-compliant.

Option B is incorrect because the policy does not have a grace period. Option C is incorrect because the device is non-compliant. Option A is incorrect because the policy is applicable to the device (its OS version is within the allowed range).
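Questions 170 and 174 both reduce to the same procedure: evaluate a device against every rule in a compliance policy, and let a single failed rule make the device noncompliant. The following is an added example, not part of the question bank and not Intune's own evaluator. It uses the property names of the Graph `windows10CompliancePolicy` resource (osMinimumVersion, osMaximumVersion, passwordMinimumLength, storageRequireEncryption, activeFirewallRequired), but the single policy combining both exhibits, the device-state dictionary shape and all sample values are constructed. It also shows why the OS version bounds have to be compared numerically rather than as strings.

```python
"""Evaluate a Windows device against a compliance policy: all rules must pass.

Added example. Policy keys follow the Graph windows10CompliancePolicy
resource; the device-state shape and every value below are constructed.
"""


def version_tuple(s, parts=4):
    """Turn '10.0.22000.0' into (10, 0, 22000, 0) so versions compare numerically.

    String comparison would sort '10.0.9.0' after '10.0.19041.0', which is
    wrong. Shorter strings such as '10.0.19044' are padded with zeros so that
    they compare correctly against four-part bounds.
    """
    nums = [int(p) for p in s.split(".")]
    nums += [0] * (parts - len(nums))
    return tuple(nums)


def evaluate(policy, device):
    """Return (is_compliant, failed_rule_names) for one device."""
    failures = []

    # OS version window; a missing bound is treated as unbounded.
    v = version_tuple(device["osVersion"])
    if policy.get("osMinimumVersion") and v < version_tuple(policy["osMinimumVersion"]):
        failures.append("osMinimumVersion")
    if policy.get("osMaximumVersion") and v > version_tuple(policy["osMaximumVersion"]):
        failures.append("osMaximumVersion")

    # Password rules.
    if policy.get("passwordRequired") and not device.get("passwordSet", False):
        failures.append("passwordRequired")
    min_len = policy.get("passwordMinimumLength")
    if min_len is not None and device.get("passwordLength", 0) < min_len:
        failures.append("passwordMinimumLength")

    # Boolean "required" settings: the device must report the feature as on.
    for rule, state in (("storageRequireEncryption", "encrypted"),
                        ("activeFirewallRequired", "firewallActive")):
        if policy.get(rule) and not device.get(state, False):
            failures.append(rule)

    return (not failures, failures)


# Constructed policy: the version and password bounds quoted in question 170
# plus the firewall requirement from question 174.
POLICY = {
    "osMinimumVersion": "10.0.19041.0",
    "osMaximumVersion": "10.0.22621.0",
    "passwordRequired": True,
    "passwordMinimumLength": 6,
    "storageRequireEncryption": True,
    "activeFirewallRequired": True,
}

# Constructed device states: the device from question 170 and the one from 174.
DEVICE_Q170 = {"osVersion": "10.0.22000.0", "passwordSet": True,
               "passwordLength": 8, "encrypted": True, "firewallActive": True}
DEVICE_Q174 = {"osVersion": "10.0.19044", "passwordSet": True,
               "passwordLength": 8, "encrypted": True, "firewallActive": False}

if __name__ == "__main__":
    for name, dev in (("Q170", DEVICE_Q170), ("Q174", DEVICE_Q174)):
        ok, failed = evaluate(POLICY, dev)
        print(name, "compliant" if ok else f"noncompliant: {failed}")
```

The returned list of failed rule names is what an administrator actually needs when a device shows as noncompliant: it says which setting to fix, rather than only that something failed.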

175
MCQ · hard

Your organization uses Microsoft Intune to manage macOS devices. You need to deploy a configuration profile that enforces FileVault encryption. The profile must allow recovery key escrow to Intune. After deploying the profile, you notice that some devices are not encrypted. What should you check first?

A. Check if the user has logged in and acknowledged the FileVault prompt.
B. Ensure that a compliance policy is also assigned requiring encryption.
C. Ensure the devices are supervised.
D. Verify that the profile is assigned to the correct device group.
Answer: A

FileVault requires user interaction to start encryption.

Why this answer

Option A is correct because FileVault encryption on macOS requires user interaction to complete. When Intune deploys a FileVault profile with recovery key escrow, the user must log in and explicitly acknowledge the FileVault prompt to enable encryption. If the user has not done so, the device remains unencrypted regardless of the profile assignment.

Exam trap

The trap here is that candidates often assume a configuration profile alone enforces encryption immediately, overlooking the mandatory user interaction step required by macOS for FileVault activation.

How to eliminate wrong answers

Option B is wrong because compliance policies do not trigger encryption; they only report non-compliance after encryption is expected. Option C is wrong because macOS devices do not require supervision for FileVault encryption or key escrow; supervision is an iOS/iPadOS concept. Option D is wrong because if the profile were assigned to the wrong group, the profile would not appear on the device at all, but the issue here is that the profile is deployed yet encryption is not active, indicating a user interaction gap.

176
Multi-Selectmedium

Which TWO troubleshooting steps should you take when a Windows 11 device fails to enroll in Intune with error code 0x80180014?

Select 2 answers
A.Ensure that the device is in the correct enrollment profile group.
B.Recreate the device compliance policy.
C.Check if the device is already enrolled in another MDM provider.
D.Verify that the user has an appropriate Intune license assigned.
E.Check if the device has TPM 2.0 enabled.
AnswersC, D

Device might be already enrolled elsewhere.

Why this answer

Error code 0x80180014 typically indicates that the device is already enrolled with another MDM provider, such as Microsoft Configuration Manager (with co-management) or a third-party MDM like VMware Workspace ONE. Intune enforces a single-MDM enrollment policy per device; if a prior MDM enrollment is detected, the new enrollment attempt fails. Checking for existing MDM enrollment is therefore the correct first step.

Exam trap

The trap here is that candidates often assume error 0x80180014 is a licensing or compliance issue, but Microsoft specifically uses this error code to signal a duplicate or conflicting MDM enrollment, not a missing license or policy misconfiguration.

177
MCQmedium

Refer to the exhibit. You run this PowerShell command using the Microsoft Graph PowerShell SDK. What is the primary purpose of this command?

A.To list only non-compliant Windows devices.
B.To retrieve all managed devices regardless of operating system.
C.To enforce compliance on Windows devices.
D.To retrieve a list of all Windows managed devices with their compliance status.
AnswerD

Correct. The command selects complianceState for Windows devices.

Why this answer

The PowerShell command uses `Get-MgDeviceManagementManagedDevice` with a filter for `operatingSystem eq 'Windows'` and selects properties including `complianceState`. This retrieves all Windows managed devices and their compliance status, making option D correct. The command does not filter by compliance state, so it returns both compliant and non-compliant devices, and it does not enforce any compliance action.

Exam trap

The trap here is that candidates may assume the command only returns non-compliant devices because complianceState is selected, but the filter does not restrict by compliance value—it merely includes that property in the output.

How to eliminate wrong answers

Option A is wrong because the command does not filter by complianceState; it retrieves all Windows devices, not just non-compliant ones. Option B is wrong because the filter `operatingSystem eq 'Windows'` explicitly limits results to Windows devices, not all managed devices regardless of operating system. Option C is wrong because the command is a read-only GET operation that retrieves device data; it does not perform any enforcement or remediation actions on compliance.

178
MCQhard

Your organization uses Microsoft Intune to manage iOS/iPadOS devices. You have deployed a device configuration profile that configures the device's email settings for the native Mail app. Recently, the organization decided to switch to Microsoft Outlook for iOS as the primary email client. You need to ensure that users can only use Outlook for accessing corporate email, and that the native Mail app is blocked from accessing corporate data. Which combination of Intune policies should you implement?

A.Create an App Protection Policy (MAM) that restricts the transfer of corporate data to other apps and a Device Configuration Profile that sets the default mail app to Outlook.
B.Create a device compliance policy that requires the device to have Outlook installed.
C.Use device enrollment restrictions to block devices that have the native Mail app installed.
D.Create a conditional access policy for Exchange Online that blocks the native Mail app and allows only Outlook.
AnswerA

MAM policy can block data transfer to native Mail, and configuration profile sets default app.

Why this answer

Option A is correct because an App Protection Policy can block the native Mail app from opening corporate data, and a Device Configuration Profile can set the default mail app to Outlook. Option B is incorrect because a compliance policy alone does not block the native Mail app. Option D is incorrect because conditional access can block the native Mail app from accessing Exchange Online, but it does not set Outlook as the default.

Option C is incorrect because device enrollment restrictions do not control app usage.

179
Multi-Selectmedium

A company manages devices with Microsoft Intune. They need to deploy a line-of-business (LOB) app to iOS devices. Which TWO of the following are required?

Select 2 answers
A.The app package must be in .ipa format
B.The app must have a unique bundle ID
C.The deployment must use 'Required' installation purpose
D.The app must be assigned to a user group only
E.Apple MDM push certificate must be configured
AnswersA, B

iOS LOB apps require .ipa format.

Why this answer

Options A and B are correct. The app file must be an .ipa file, and the bundle ID must be unique. Option D is wrong because the app can be assigned to users or devices, not necessarily user groups only.

Option C is wrong because the app can be available or required. Option E is wrong because an Apple MDM push certificate is required for iOS management in general, not specifically for LOB app deployment.

180
MCQmedium

Your organization uses Microsoft Intune to manage Windows 10 and iOS devices. You need to deploy a certificate-based authentication solution for Wi-Fi and VPN access. You have set up a Certificate Connector for Microsoft Intune and issued a root CA certificate. You have created a trusted certificate profile for the root CA and a SCEP certificate profile for client certificates. However, iOS devices are failing to enroll for client certificates. You verify that the SCEP profile is correctly configured and assigned. What is the most likely cause?

A.The Certificate Connector is not configured to support iOS devices.
B.iOS devices require user affinity for SCEP enrollment, which is not configured.
C.The SCEP profile does not reference the trusted certificate profile for the root CA, or the trusted certificate profile is not assigned to iOS devices.
D.The iOS devices are not compliant with the compliance policy.
AnswerC

The SCEP profile must reference the root CA certificate profile, and both must be assigned.

Why this answer

Option C is correct because iOS devices require a trusted certificate profile for the root CA to be deployed before the SCEP profile, and the SCEP profile must reference that trusted certificate. If the reference is missing or incorrect, the SCEP enrollment will fail. Option A is incorrect because the NDES server is not required for Intune certificate deployment.

Option D is incorrect because device compliance is not a prerequisite for certificate enrollment. Option B is incorrect because iOS devices can use SCEP without a user affinity requirement.

181
MCQeasy

A company uses Microsoft Intune to manage devices. They need to report on which devices have a specific Windows update installed. Which reporting method should be used?

A.Use the Microsoft Intune admin center to view the Windows Update for Business report
B.Use Microsoft 365 Lighthouse
C.Use the Device compliance report in Intune
D.Use Microsoft Defender for Endpoint's advanced hunting
AnswerA

The Windows Update for Business report in Intune shows update status per device.

Why this answer

Option A is correct because the built-in Windows Update for Business reports in Intune show update status per device. Option C is wrong because the device compliance report shows compliance state against policy rules, not which specific update is installed. Option B is wrong because Microsoft 365 Lighthouse is a separate service, not the per-device update report in Intune.

Option D is wrong because Microsoft Defender for Endpoint is for security, not update reporting.

182
MCQeasy

A company uses Microsoft Intune to manage macOS devices. They need to enforce FileVault encryption on all Macs. What should they configure?

A.An endpoint security policy for disk encryption.
B.A device configuration profile with FileVault settings.
C.A device compliance policy that requires FileVault.
D.An app protection policy.
AnswerB

Device configuration profiles can enforce FileVault on macOS.

Why this answer

FileVault encryption is enforced through a device configuration profile on macOS. Option C is incorrect because compliance policies do not enforce encryption; they check it. Option A is incorrect because endpoint security policies include disk encryption, but FileVault is a macOS-specific setting best configured via device configuration.

Option D is incorrect because app protection policies do not manage device encryption.

183
MCQhard

Your company has a Microsoft Intune environment with Windows devices. You need to deploy a Microsoft 365 Apps update using the Semi-Annual Enterprise Channel. You have configured the update channel in an Intune administrative template. However, devices are not receiving the updates. What is the most likely cause?

A.The administrative template does not configure the update channel; you must use the Office Deployment Tool.
B.Devices are not configured for Windows Update for Business.
C.Devices need to be in the Semi-Annual Channel (Targeted) to receive updates.
D.The Semi-Annual Enterprise Channel is not supported for Microsoft 365 Apps.
AnswerA

Intune requires ODT for update channel configuration.

Why this answer

Option A is correct because when you configure the update channel for Microsoft 365 Apps via an Intune administrative template (ADMX), the setting is applied as a Group Policy preference but does not actually trigger the update mechanism. Microsoft 365 Apps updates require the Office Deployment Tool (ODT) or the Office CDN to deliver the correct channel bits. The administrative template only sets the registry key for the channel; without the ODT or a corresponding update policy, devices remain on their current channel and do not receive new updates.

Exam trap

The trap here is that candidates assume configuring the update channel via an administrative template is sufficient to change the channel and trigger updates, when in fact the template only sets a registry value and does not initiate the actual update process.

How to eliminate wrong answers

Option B is wrong because Windows Update for Business (WUfB) is not required for Microsoft 365 Apps updates; these updates are delivered independently via the Office Content Delivery Network (CDN) and managed through Office-specific policies, not Windows Update. Option C is wrong because the Semi-Annual Channel (Targeted) is a separate channel that receives updates earlier, but the Semi-Annual Enterprise Channel is a valid, supported channel; the issue is not about targeting but about the deployment mechanism. Option D is wrong because the Semi-Annual Enterprise Channel is fully supported for Microsoft 365 Apps; it is one of the standard update channels designed for enterprise environments.

184
MCQhard

You are designing a device management strategy for a hybrid environment with on-premises Active Directory and Microsoft Entra ID. You need to ensure that devices are managed by Intune and can access on-premises resources. Which approach should you recommend?

A.Hybrid Azure AD join
B.Entra ID registered with on-premises domain join
C.Windows Autopilot self-deploying mode
D.Entra ID joined with VPN to on-premises
AnswerA

Hybrid Azure AD join allows devices to be joined to both on-premises AD and Entra ID, enabling Intune management and on-premises resource access.

Why this answer

Hybrid Azure AD join is the correct approach because it allows devices that are joined to on-premises Active Directory to also register with Microsoft Entra ID, enabling Intune management while maintaining access to on-premises resources via Kerberos/NTLM authentication. This configuration synchronizes the device object from AD to Entra ID using Azure AD Connect, creating a device identity that can be managed by Intune and can authenticate against both cloud and on-premises services without requiring a VPN.

Exam trap

The trap here is that candidates often confuse 'Entra ID registered' with 'Hybrid Azure AD join' because both involve Entra ID, but only Hybrid Azure AD join provides the on-premises domain join required for seamless resource access without a VPN.

How to eliminate wrong answers

Option B is wrong because Entra ID registered devices are only workplace-joined (personal or BYOD) and do not have a computer object in on-premises AD, so they cannot authenticate to on-premises resources using domain credentials or access domain-joined file shares without additional configuration. Option C is wrong because Windows Autopilot self-deploying mode is designed for kiosk or shared devices that are Entra ID joined only, not hybrid joined, and thus cannot natively access on-premises resources without a VPN or other connectivity solution. Option D is wrong because Entra ID joined devices with a VPN can access on-premises resources, but they are not domain-joined and therefore cannot use Kerberos authentication to on-premises AD; they rely on VPN connectivity and typically require additional solutions like Microsoft Entra application proxy or Always On VPN for seamless resource access, making it less integrated than Hybrid Azure AD join.

185
MCQeasy

You are managing Windows 10 devices with Intune. You need to deploy a PowerShell script that runs under the system context during device enrollment. Which approach should you use?

A.Deploy the script as a proactive remediation.
B.Use a device compliance policy to trigger the script.
C.Create a custom configuration profile to run the script.
D.Upload the script as a PowerShell script in Intune and assign it to the device group.
AnswerD

Intune PowerShell scripts can run in system context and execute during enrollment.

Why this answer

Option D is correct because Intune's 'PowerShell scripts' feature allows you to upload and assign scripts that run under the system context during device enrollment, specifically targeting devices in a group. This is the only native Intune method that executes scripts in the system context at enrollment time without additional configuration.

Exam trap

The trap here is that candidates confuse the 'PowerShell scripts' feature with proactive remediations or custom configuration profiles, not realizing that only the dedicated PowerShell script deployment runs under the system context during enrollment.

How to eliminate wrong answers

Option A is wrong because proactive remediations run on a schedule or on detection, not during device enrollment, and they require the Intune Management Extension to be already installed. Option B is wrong because device compliance policies evaluate device settings and trigger non-compliance actions, but they cannot execute arbitrary PowerShell scripts during enrollment. Option C is wrong because custom configuration profiles use CSPs (Configuration Service Providers) to configure settings, not to run arbitrary PowerShell scripts; they lack a mechanism to execute script files.

186
MCQmedium

Your organization has Windows 10 devices managed by Intune. You need to enforce BitLocker encryption on all devices. The devices must use a TPM protector and a recovery password. What should you configure?

A.Compliance policy for Windows 10
B.Endpoint security > Disk encryption policy
C.Windows Update for Business policy
D.Device configuration profile for Windows 10
AnswerB

Endpoint security > Disk encryption policy in Intune allows configuring BitLocker settings, including TPM protector and recovery password.

Why this answer

To enforce BitLocker encryption with a TPM protector and recovery password on Windows 10 devices managed by Intune, you must configure an Endpoint security > Disk encryption policy. This policy type specifically targets BitLocker settings, including TPM and recovery password requirements, and is designed to enforce encryption at the device level through the Intune MDM channel.

Exam trap

The trap here is that candidates often confuse Device configuration profiles (Option D) with Endpoint security policies, but Microsoft explicitly separates disk encryption into the Endpoint security node for focused management, and the exam tests this distinction.

How to eliminate wrong answers

Option A is wrong because Compliance policy for Windows 10 evaluates device compliance after encryption is applied but does not configure BitLocker settings like TPM or recovery password; it only reports on encryption status. Option C is wrong because Windows Update for Business policy controls update rings and feature updates, not disk encryption or BitLocker configuration. Option D is wrong because Device configuration profile for Windows 10 can include some BitLocker settings, but the recommended and correct method for enforcing BitLocker with specific protectors in Intune is the Endpoint security > Disk encryption policy, which provides a dedicated, streamlined interface for encryption policies.

187
MCQhard

A user has a Windows 10 device that is enrolled in Microsoft Intune. The user reports that they cannot install a required app from the Company Portal. You check the Intune console and see that the app assignment is 'Required' but the installation status shows 'Failed'. The device is compliant. What should you check first?

A.Review the Intune management extension logs on the device.
B.Verify the device compliance policy.
C.Check the Company Portal app version.
D.Reassign the app to the user.
AnswerA

Logs will show the specific error.

Why this answer

When an app installation fails, the Intune management extension logs provide detailed error information. Checking the logs on the device is the quickest way to diagnose the failure. Option B is incorrect because the device is already compliant.

Option D is incorrect because the app is already assigned. Option C is incorrect because the Company Portal app version is not involved for required apps.

188
MCQmedium

Your organization uses Microsoft Intune to manage Windows 11 devices. You have a requirement to ensure that all devices have BitLocker Drive Encryption enabled with a TPM protector and a recovery key escrowed to Azure AD. Additionally, you need to configure a policy that prevents users from changing the BitLocker settings. You create a device configuration profile using the 'Endpoint Protection' template for Windows 10 and later. After deploying the policy to a test group, you notice that BitLocker is not enabled on some devices. The devices meet the hardware requirements and are Azure AD joined. What is the most likely reason for the failure, and how should you resolve it?

A.Devices are not hybrid Azure AD joined; convert them to hybrid join for BitLocker policy to apply.
B.The policy does not specify a recovery key escrow location; configure it to escrow to Azure AD.
C.The policy is missing the 'Enable full disk encryption' setting or the encryption method is not specified; check the 'Windows Encryption' settings in the profile.
D.Devices are not co-managed with Configuration Manager; enable co-management to apply BitLocker policy.
AnswerC

The 'Encryption method' and 'Enable full disk encryption' settings must be configured in the profile for BitLocker to be enabled.

Why this answer

Option C is correct because the 'Endpoint Protection' template for Windows 10 and later requires explicit configuration of the 'Enable full disk encryption' setting and the encryption method (e.g., XTS-AES 128-bit) under the 'Windows Encryption' section. Without these settings, the policy does not trigger BitLocker to start encryption on the device, even if other settings like TPM protector and recovery key escrow are configured. The devices are Azure AD joined and meet hardware requirements, so the missing encryption enablement is the most likely cause.

Exam trap

The trap here is that candidates assume configuring TPM protector and recovery key escrow is sufficient to enable BitLocker, but the 'Enable full disk encryption' setting is a separate mandatory toggle that must be explicitly enabled in the policy.

How to eliminate wrong answers

Option A is wrong because BitLocker policies in Intune apply to both Azure AD joined and hybrid Azure AD joined devices; hybrid join is not a prerequisite for BitLocker policy application. Option B is wrong because the question states that the policy already includes a recovery key escrow to Azure AD, so the failure is not due to a missing escrow location. Option D is wrong because co-management with Configuration Manager is not required for Intune to manage BitLocker on Windows 11 devices; Intune can apply BitLocker policies directly via the MDM channel.

189
MCQmedium

Refer to the exhibit. You run a PowerShell command to retrieve a managed device's details. The ComplianceState is 'compliant' but the device has not synced in 7 days. What is the most likely reason?

A.The ComplianceState reflects the last sync; the device may have changed compliance since.
B.The device is compliant but not syncing because it is turned off.
C.The device is no longer enrolled but shows compliant due to a reporting delay.
D.The compliance policy was removed after the last sync.
AnswerA

Compliance state is cached until next sync.

Why this answer

Option A is correct because compliance state is evaluated during the last sync; if the device hasn't synced, the state may be outdated. Option B is wrong because a missed sync does not by itself mean the device is turned off. Option D is wrong because the policy may still apply.

Option C is wrong because the device is still enrolled.

190
MCQeasy

You are troubleshooting a Windows 11 device that cannot connect to the corporate Wi-Fi network. The device is enrolled in Intune and has a Wi-Fi profile assigned. The profile uses SCEP certificate authentication. The user can connect to other Wi-Fi networks. What is the most likely cause?

A.The user's password has expired.
B.The root CA certificate required to validate the RADIUS server certificate is not installed on the device.
C.The Wi-Fi profile is not assigned to the user's device.
D.The device's Wi-Fi adapter driver is outdated.
AnswerB

Without the root CA, the device cannot trust the server's certificate, causing authentication failure.

Why this answer

The device can connect to other Wi-Fi networks but not the corporate one, indicating the issue is specific to the corporate network's authentication requirements. Since the profile uses SCEP certificate authentication, the device must trust the root CA that issued the RADIUS server certificate to validate the server during the EAP-TLS handshake. If the root CA certificate is missing, the client will reject the RADIUS server certificate, causing the connection to fail.

This is the most likely cause because the profile assignment and driver are not specific to this single network failure.

Exam trap

The trap here is that candidates confuse a missing root CA certificate with a missing client certificate, but the symptom of being able to connect to other networks isolates the problem to server-side certificate validation, not client-side enrollment.

How to eliminate wrong answers

Option A is wrong because password expiration is irrelevant to SCEP certificate authentication, which uses machine or user certificates, not passwords. Option C is wrong because the device is enrolled in Intune and has a Wi-Fi profile assigned, so the profile is present; if it were not assigned, the profile would not appear at all, but the user can see and attempt to connect. Option D is wrong because an outdated Wi-Fi adapter driver would affect all Wi-Fi connections, not just the corporate network, and the user can connect to other networks successfully.

191
MCQmedium

Your organization uses Microsoft Intune to manage Windows 11 devices. Users report that after a recent update, the Start menu layout resets to default every time they sign in. Which Intune policy setting is most likely causing this issue?

A.Import Microsoft Edge assets policy
B.Show 'Recommended' section policy
C.Allow pinned folders policy
D.Start layout policy under Device Restrictions
AnswerD

This policy can enforce a specific layout; if set to remove custom layout, it resets on sign-in.

Why this answer

The Start layout policy under Device Restrictions (D) is the most likely cause because it enforces a specific Start menu configuration on Windows 11 devices. When this policy is set to 'Enabled' and configured with a layout XML, it reapplies the layout at every user sign-in, overriding any user customizations. This behavior matches the reported issue of the Start menu resetting to default after a recent update.

Exam trap

The trap here is that candidates may confuse policies that affect individual Start menu elements (like pinned folders or the Recommended section) with the overarching Start layout policy that enforces a complete layout reset, leading them to select a partially correct but insufficient option.

How to eliminate wrong answers

Option A is wrong because the 'Import Microsoft Edge assets policy' is used to manage Edge browser assets like bookmarks and settings, not the Start menu layout. Option B is wrong because the 'Show Recommended section policy' controls the visibility of the 'Recommended' section in the Start menu, but it does not reset the entire Start menu layout to default. Option C is wrong because the 'Allow pinned folders policy' manages which folders appear in the Start menu's pinned area, but it does not cause a full layout reset on sign-in.

192
Multi-Selecthard

Which THREE are supported reporting options in Microsoft Intune for device compliance?

Select 3 answers
A.Export compliance data to CSV
B.View compliance status for each device
C.Compliance trends over time
D.Real-time compliance dashboard
E.Scheduled email reports
AnswersA, B, C

Export is available in the compliance report.

Why this answer

Options A, B, and C are correct. A: You can export compliance reports to CSV. B: You can view compliance status per device.

C: You can view compliance trends over time. Option D is wrong because Intune does not have a built-in dashboard for real-time compliance; it updates periodically. Option E is wrong because you cannot schedule automatic email reports natively; you would need Power Automate.

193
MCQmedium

You deploy a new line-of-business app to Windows 10 devices via Intune. Users report that the app does not appear in the Company Portal. You verify that the app is assigned to the correct group. What is the most likely cause?

A.The app's installation behavior is set to 'System'.
B.The app is not supported on Windows 10.
C.Users need to add the app manually.
D.The app is assigned to the wrong group.
AnswerA

Correct. System-installed apps may not appear in Company Portal.

Why this answer

When a line-of-business (LOB) app is deployed with installation behavior set to 'System', it installs in the device context and runs as SYSTEM. The Company Portal only displays apps installed in the user context. Even though the app is assigned to the correct group, it will not appear in the Company Portal because the portal filters out system-context apps.

To make it visible, the installation behavior must be set to 'User'.

Exam trap

The trap here is that candidates assume any assigned app will appear in Company Portal, overlooking the critical distinction between system-context and user-context installation behavior in Intune.

How to eliminate wrong answers

Option B is wrong because the app is already deployed and users report it does not appear, not that it fails to install; Windows 10 supports LOB apps via Intune. Option C is wrong because Intune-managed apps are automatically available in the Company Portal when assigned; users do not need to manually add them. Option D is wrong because the question explicitly states the app is assigned to the correct group, so group misassignment is not the cause.

194
MCQeasy

Refer to the exhibit. You are reviewing a JSON policy for Windows 10 compliance. Which of the following is required by this policy?

A.Secure Boot disabled
B.A TPM chip present and enabled
C.BitLocker drive encryption enabled
D.A password of at least 8 characters
AnswerB

'tpmRequired': true requires a TPM chip.

Why this answer

The JSON policy includes the setting 'requireTPM' with a value of 'true', which mandates that a Trusted Platform Module (TPM) chip must be present and enabled on the device to be compliant. TPM provides hardware-level security for cryptographic operations and is a key requirement for features like BitLocker, but the policy itself specifically enforces TPM presence, not encryption status.

Exam trap

The trap here is that candidates often confuse TPM requirement with BitLocker encryption, assuming that requiring TPM automatically implies BitLocker is enabled, but the policy only checks for the TPM chip itself, not the encryption state.

How to eliminate wrong answers

Option A is wrong because the policy does not reference Secure Boot at all; Secure Boot is a separate UEFI security feature that ensures only signed OS bootloaders run, and disabling it would actually reduce security, not meet a compliance requirement. Option C is wrong because while TPM is often used with BitLocker, the policy explicitly requires TPM (requireTPM: true) and does not include a setting for BitLocker drive encryption (e.g., requireEncryption or requireBitLocker). Option D is wrong because the policy does not include any password length requirement; password policies in Intune compliance are set via 'passwordMinimumLength' or similar properties, which are absent from this JSON.

195
MCQeasy

Your organization wants to use Windows Autopilot for user-driven deployment. Users should be able to self-deploy their devices by signing in with their corporate credentials. Which Autopilot deployment mode should you use?

A.Pre-provisioned deployment
B.Hybrid Azure AD join
C.User-driven (Azure AD join)
D.Self-deploying (Azure AD join)
AnswerC

User-driven mode prompts for user credentials.

Why this answer

Option C is correct because user-driven mode requires user sign-in during OOBE. Option D is wrong because self-deploying mode does not require user interaction. Option A is wrong because pre-provisioned deployment requires IT to pre-provision the device.

Option B is wrong because there is no 'hybrid' deployment mode.

196
MCQeasy

You need to ensure that all Windows 10 devices automatically install critical security updates from Windows Update as soon as they are released. Which Windows Update for Business policy setting should you configure?

A.Set 'Update notification level' to 'Display notification'
B.Set 'Quality update deferral period' to 0 days
C.Configure active hours to allow automatic updates
D.Enable 'Pause feature updates'
AnswerB

Setting deferral period to 0 ensures updates are installed as soon as they are released.

Why this answer

Option B is correct because setting the 'Quality update deferral period' to 0 days offers quality (security) updates as soon as they are released; 'Defer feature updates' can also be set to 0 days, but that covers feature updates, not security updates. For immediate installation, pairing this with 'Automatic update behavior' set to 'Auto install and restart' is key. Option B is the best answer.

Option C is wrong because active hours are for scheduling restarts, not immediate installation. Option D is wrong because pausing feature updates delays updates. Option A is wrong because the notification level only controls what the user sees; it does not change when updates install.

197
MCQeasy

Refer to the exhibit. You manage a Windows 11 device that is marked as compliant and has OS version 10.0.22621.0. You need to upgrade the device to Windows 11 version 23H2. Which Intune feature should you use?

A.Windows quality update profile
B.Windows feature update profile
C.Driver update policy
D.Compliance policy
AnswerB

Feature update profiles deploy OS feature updates.

Why this answer

A Windows feature update profile is the correct Intune feature to upgrade a Windows 11 device from one version to another (e.g., from 10.0.22621.0 to 23H2). Feature update profiles deploy new OS builds that enable feature-level changes, whereas quality updates deliver only security and cumulative fixes. This profile targets the specific version upgrade required for the device.

Exam trap

The trap here is confusing 'quality updates' (which are cumulative security fixes) with 'feature updates' (which are full OS version upgrades), leading candidates to incorrectly select the quality update profile for a version upgrade.

How to eliminate wrong answers

Option A is wrong because a Windows quality update profile delivers only monthly security and cumulative updates, not full OS version upgrades like 23H2. Option C is wrong because a driver update policy manages only device driver updates, not Windows OS version changes. Option D is wrong because a compliance policy evaluates device settings against rules but does not deploy OS upgrades; it can mark a device non-compliant but cannot perform the upgrade itself.

198
MCQhard

Your organization uses Microsoft Intune and Microsoft Defender for Endpoint. You need to ensure that when a device is determined to be at high risk by Defender, it is automatically blocked from accessing corporate resources. What should you configure?

A.Create a device compliance policy that uses Defender for Endpoint risk level, then use Conditional Access.
B.Configure a device compliance policy with 'Require Defender for Endpoint' setting.
C.Configure a device configuration policy to block access based on risk.
D.Configure an app protection policy to block access based on device risk.
AnswerA

This sets compliance based on risk and Conditional Access blocks non-compliant devices.

Why this answer

Option A is correct because it combines a device compliance policy that evaluates the Defender for Endpoint risk level with a Conditional Access policy that blocks access when the device is noncompliant. This is the only supported method to automatically block corporate resource access based on real-time risk assessment from Defender for Endpoint.

Exam trap

The trap here is that candidates often think a device configuration policy or app protection policy can enforce risk-based blocking, but only the combination of a compliance policy with Defender risk evaluation and Conditional Access achieves this in Intune.

How to eliminate wrong answers

Option B is wrong because 'Require Defender for Endpoint' (the device threat protection setting) only checks that the device is onboarded and reporting; the separate 'Require the device to be at or under the machine risk score' setting is what consumes the Defender risk level. Option C is wrong because device configuration policies manage settings and features, not access control based on risk. Option D is wrong because app protection policies govern data inside managed apps (on managed or unmanaged devices); on iOS and Android they can read the Defender device threat level in a conditional launch rule, but they do not block device access to corporate resources, which is what the question asks for.

199
Multi-Selecteasy

Which TWO are valid methods to deploy Microsoft 365 Apps to Windows devices using Microsoft Intune? (Choose two.)

Select 2 answers
A.Use the iOS Microsoft 365 Apps deployment method.
B.Package the Office Deployment Tool as a Win32 app.
C.Upload an MSI file for Microsoft 365 Apps.
D.Use the built-in Microsoft 365 Apps deployment for Windows 10 and later.
E.Add a web link to the Office 365 portal.
AnswersB, D

The Office Deployment Tool can be wrapped as a Win32 app.

Why this answer

Options B and D are correct. Intune has a built-in 'Microsoft 365 Apps for Windows 10 and later' app type, and for custom installs (XML configuration, exclusions, update channels) you can package the Office Deployment Tool and a configuration XML as a Win32 (.intunewin) app. Option C is wrong because Microsoft 365 Apps is a Click-to-Run product and is not distributed as a single MSI.

Option E is wrong because a web link only opens the portal; it does not deploy software. Option A is wrong because the iOS deployment path is for Apple devices.

200
Multi-Selectmedium

Which TWO methods can you use to enroll macOS devices in Microsoft Intune?

Select 2 answers
A.Google Zero Touch Enrollment
B.Windows Autopilot
C.User-initiated enrollment via Company Portal
D.Apple Configurator
E.Automated Device Enrollment (ADE)
AnswersC, E

Users can enroll manually.

Why this answer

Options C and E are correct because Automated Device Enrollment (ADE, via Apple Business Manager or Apple School Manager) and user-initiated enrollment through the Company Portal app are the supported macOS enrollment methods. Option B is wrong because Windows Autopilot is for Windows. Option A is wrong because Google Zero Touch is for Android.

Option D is wrong because Apple Configurator enrollment in Intune is an iOS/iPadOS method; a Mac added to Apple Business Manager through Apple Configurator for iPhone still enrolls through ADE.

201
Multi-Selecthard

Which THREE components are required to deploy a Win32 app via Microsoft Intune?

Select 3 answers
A.Detection rule
B.A .intunewin file
C.PowerShell script for post-installation
D.Dependency on another app
E.Install command
AnswersA, B, E

Detection rules determine whether the app is already installed.

Why this answer

A detection rule is required because Intune needs a method to verify whether the Win32 app is already installed on the device. Without a detection rule, Intune cannot determine if the installation succeeded or if the app needs to be reinstalled. The detection rule can be based on a file, registry key, or custom script, and it is mandatory for any Win32 app deployment.

Exam trap

The trap here is that candidates often confuse optional features like dependencies or post-installation scripts with required components, leading them to select those options instead of the three mandatory ones: detection rule, .intunewin file, and install command.

202
MCQhard

You are troubleshooting a Windows 10 device that is not receiving Intune policies. The device is enrolled and shows as 'Active' in the Intune admin center. You run the Get-MgDeviceManagementManagedDevice cmdlet and the device's managementAgent is 'mdm'. Which of the following is the most likely cause of the issue?

A.The device is co-managed and the workload is set to Configuration Manager.
B.The device's enrollment certificate has expired.
C.The device's last sync time is more than 24 hours ago.
D.The device is retired from Intune.
AnswerC

A device that has not synced recently will not receive new policies.

Why this answer

Option C is correct because the device's last sync time being more than 24 hours ago indicates that the device has not checked in with Intune within the required interval. Intune policies are delivered during a sync cycle, and if the device hasn't synced recently, it will not receive new or updated policies. The managementAgent being 'mdm' confirms the device is MDM-managed, so the sync interval is critical for policy delivery.

Exam trap

The trap here is that candidates often assume an 'Active' status means the device is fully communicating, but Intune's 'Active' status only indicates successful enrollment, not recent policy sync; the last sync time is the key metric for policy delivery.

How to eliminate wrong answers

Option A is wrong because co-management with a workload set to Configuration Manager only means that Configuration Manager owns that particular workload (for example compliance policies); the device still receives every other Intune policy, so it does not explain a device that gets no policies at all. Option B is wrong because an expired MDM device certificate would prevent the device from authenticating to the Intune service at all, so it would stop checking in rather than continue to look healthy; the question gives no sign of authentication failures. Option D is wrong because a retired device is removed from Intune management and would no longer show as 'Active' in the admin center.
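The check described in question 202, as an added example that is not part of the question bank: it uses the Microsoft Graph PowerShell SDK (the same Get-MgDeviceManagementManagedDevice cmdlet the question names) to list MDM-managed Windows devices whose last check-in is older than a threshold, then shows the Sync remote action for one of them. The threshold and the permission scopes are the editor's assumptions; run it in a session that already has the Microsoft.Graph.DeviceManagement module installed.

```powershell
# Added example, not from the question bank. Assumes the Microsoft.Graph.DeviceManagement
# and Microsoft.Graph.DeviceManagement.Actions modules are installed.
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All",
                        "DeviceManagementManagedDevices.PrivilegedOperations.All"

function Get-StaleIntuneDevice {
    # Returns Windows devices under MDM management that have not checked in within $MaxHoursSinceSync.
    param([int]$MaxHoursSinceSync = 24)

    $now    = (Get-Date).ToUniversalTime()
    $cutoff = $now.AddHours(-$MaxHoursSinceSync)

    # Server-side filter on OS; the sync-age test is done client-side so the cutoff math is explicit.
    Get-MgDeviceManagementManagedDevice -All -Filter "operatingSystem eq 'Windows'" |
        Where-Object { $_.ManagementAgent -eq 'mdm' -and $_.LastSyncDateTime -lt $cutoff } |
        Select-Object DeviceName, UserPrincipalName, ManagementAgent, ComplianceState, LastSyncDateTime,
            @{ n = 'HoursSinceSync'; e = { [math]::Round(($now - $_.LastSyncDateTime).TotalHours, 1) } }
}

# Devices that cannot have received a policy published in the last 24 hours, oldest first.
$stale = Get-StaleIntuneDevice -MaxHoursSinceSync 24 | Sort-Object HoursSinceSync -Descending
$stale | Format-Table -AutoSize

# Force an immediate check-in on the worst offender (the 'Sync' remote action from the admin center).
if ($stale) {
    $id = (Get-MgDeviceManagementManagedDevice -Filter "deviceName eq '$($stale[0].DeviceName)'").Id
    Sync-MgDeviceManagementManagedDevice -ManagedDeviceId $id
}
```

A device that still fails to sync after the remote action is the one to inspect locally (Settings > Accounts > Access work or school > Info > Sync, and the DeviceManagement-Enterprise-Diagnostics-Provider event log); the Graph query only tells you which devices never asked for the policy.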

203
MCQmedium

Refer to the exhibit. The ARM template snippet attempts to deploy a Windows 10 Security Baseline policy in Intune. The deployment fails. What is the most likely reason?

A.Intune configuration policies cannot be deployed via ARM templates.
B.The apiVersion is not supported.
C.The templateId is incorrect.
D.The setting value is invalid.
AnswerA

Intune uses Microsoft Graph, not ARM.

Why this answer

The template declares an Intune policy as an Azure Resource Manager resource, but Intune is not an ARM resource provider. Configuration profiles, security baselines and compliance policies are created and assigned through the Microsoft Graph API (the deviceManagement endpoints), whether you use the admin center, the Microsoft Graph PowerShell SDK or a Graph-based infrastructure-as-code tool; ARM deployments fail because the resource type does not exist.

Option B is incorrect because no apiVersion would make the resource type valid. Option C is incorrect because the baseline template reference is not what fails. Option D is incorrect because the setting value is never evaluated when the resource type itself is unknown.

204
MCQeasy

A user reports that their Android Enterprise work profile device is not receiving email from the corporate Exchange Online account. The device is enrolled in Intune and shows as compliant. The Outlook app is installed but cannot connect. What should you check first?

A.Email profile configuration in Intune
B.App protection policy settings
C.Device compliance policy settings
D.Intune license assignment
AnswerA

Misconfigured server address or authentication method prevents connection.

Why this answer

Option A is correct because the most common cause is an incorrect email profile configuration: wrong server address, authentication method or account username format (for Outlook on Android Enterprise the account settings are delivered through an Intune app configuration policy, so check that policy too). Option C (device compliance) is not the cause because the device is already reported compliant. Option B (app protection policies) governs data leakage inside the app, not whether it can connect.

Option D (Intune license) would affect enrollment, not an individual app's connection.

205
Multi-Selectmedium

Which TWO actions can you perform using the Microsoft Intune admin center to manage a Windows device that is enrolled in Intune?

Select 2 answers
A.Format the hard disk
B.Restart the device
C.Sync the device
D.Install a printer driver
E.Change BIOS settings
AnswersB, C

Restart is a supported remote action.

Why this answer

Option B is correct because the Microsoft Intune admin center provides a 'Restart' remote action that reboots a managed Windows device over the MDM channel without end-user interaction, which is useful for finishing pending updates or troubleshooting. Option C is correct because 'Sync' forces an immediate check-in, so the device fetches pending policies and apps instead of waiting for its next scheduled interval.

Exam trap

The trap here is that candidates may confuse Intune's remote actions with full remote control capabilities (like Configuration Manager's remote tools) and assume actions like formatting or driver installation are possible, when in fact Intune only exposes a fixed set of remote actions (restart, sync, retire, wipe, Autopilot reset, fresh start, collect diagnostics and similar), none of which formats a disk, installs a driver or changes firmware settings.

206
Multi-Selectmedium

Which TWO actions should you take to ensure that Windows Update for Business settings are applied to all Windows 10 devices in your organization? (Choose two)

Select 2 answers
A.Configure a WSUS server to synchronize updates.
B.Create an update ring policy in Microsoft Intune.
C.Assign the update ring policy to a Microsoft Entra ID group that contains all devices.
D.Enable peer-to-peer content sharing for Windows updates.
E.Create a device compliance policy to enforce update installation.
AnswersB, C

Update ring policies configure Windows Update for Business settings.

Why this answer

B is correct because Windows Update for Business (WUfB) settings are configured through update ring policies in Microsoft Intune, which control how and when Windows 10 devices receive updates from Microsoft's update servers without on-premises infrastructure like WSUS. C is correct because an update ring has no effect until it is assigned; targeting a Microsoft Entra ID group that contains every device (or using the built-in 'All devices' assignment) is what puts the settings on the fleet.

Exam trap

The trap here is that candidates often confuse WSUS with Windows Update for Business, thinking both are required, or they mistakenly believe a compliance policy can enforce update ring settings, when in fact update rings are a separate policy type in Intune.

207
MCQhard

Refer to the exhibit. You deploy this compliance policy to a Windows 11 device running OS version 10.0.22621.100. The device has a password set, firewall active, and Defender enabled. However, the device is marked as non-compliant. What is the most likely reason?

A.The password length is exactly 8 characters, but the policy requires more than 8.
B.Microsoft Defender is not at the required version 4.18.2207.7.
C.The OS version exceeds the maximum allowed version specified in the policy.
D.The device does not have a password set.
AnswerC

The device build 22621.100 is greater than the maximum 22621.0, causing non-compliance.

Why this answer

The device OS version 10.0.22621.100 exceeds the maximum OS version specified in the policy (10.0.22621.0). In Microsoft Intune compliance policies, the 'Maximum OS version' setting marks a device as non-compliant if the device's OS build number is greater than the specified value, even if all other conditions are met. This is a common configuration to prevent devices from running untested or incompatible OS builds.

Exam trap

The trap here is that candidates assume non-compliance is due to a missing or weak password or Defender version, overlooking that the OS version can be too high, not just too low.

How to eliminate wrong answers

Option A is wrong because the policy does not specify a minimum password length; it only requires a password to be set, and the device has one. Option B is wrong because the policy does not specify a required version for Microsoft Defender; it only requires Defender to be enabled, which it is. Option D is wrong because the device does have a password set, as stated in the scenario.
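The two mechanics behind questions 203 and 207, as an added example that is not part of the question bank: the version comparison that the 'Maximum OS version' compliance setting performs (run locally against the build numbers in the question), followed by the Microsoft Graph call that creates the same Windows compliance policy, which is the API an ARM template cannot reach. Property names follow the Graph windows10CompliancePolicy resource; the display name, scopes and version bounds are the editor's assumptions.

```powershell
# Added example, not from the question bank. Requires the Microsoft.Graph.Authentication module.

function Test-OsVersionWithinPolicy {
    # Mirrors Intune's minimum/maximum OS version rules: a build above the maximum is non-compliant
    # even when every other setting passes. [version] compares all four parts numerically.
    param([string]$DeviceVersion, [string]$Minimum, [string]$Maximum)
    $v = [version]$DeviceVersion
    if ($Minimum -and $v -lt [version]$Minimum) { return "NonCompliant: $DeviceVersion is below minimum $Minimum" }
    if ($Maximum -and $v -gt [version]$Maximum) { return "NonCompliant: $DeviceVersion is above maximum $Maximum" }
    return "Compliant"
}

# The scenario in question 207: 22621.100 is a later cumulative update of the same 22H2 build.
Test-OsVersionWithinPolicy -DeviceVersion '10.0.22621.100' -Minimum '10.0.19045.0' -Maximum '10.0.22621.0'
# -> NonCompliant: 10.0.22621.100 is above maximum 10.0.22621.0

# Creating the policy through Graph (not ARM). scheduledActionsForRule is mandatory on create;
# without it the POST is rejected.
$policy = @{
    '@odata.type'          = '#microsoft.graph.windows10CompliancePolicy'
    displayName            = 'Win11 baseline compliance (editor example)'
    passwordRequired       = $true
    activeFirewallRequired = $true
    defenderEnabled        = $true
    osMinimumVersion       = '10.0.19045.0'
    # A maximum pins the fleet to one revision and flips every patched device to non-compliant
    # on the next Patch Tuesday. Leave it unset unless you genuinely want that behaviour.
    osMaximumVersion       = '10.0.22621.0'
    scheduledActionsForRule = @(
        @{
            ruleName = 'PasswordRequired'
            scheduledActionConfigurations = @(
                @{ actionType = 'block'; gracePeriodHours = 0; notificationTemplateId = '' }
            )
        }
    )
}

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'
$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies' `
    -Body ($policy | ConvertTo-Json -Depth 6) -ContentType 'application/json'
"Created compliance policy $($created.id)"
```

The local function is the part worth internalising: cumulative updates raise the fourth component of the build number, so a maximum of 10.0.22621.0 excludes every 22H2 device that has installed a single monthly update. Pair osMinimumVersion with a deadline in the update ring instead of capping the maximum.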

208
MCQeasy

Your company uses Microsoft Intune to manage Windows 10 devices. You need to ensure that all devices have Windows Defender Antivirus real-time protection enabled. What should you configure?

A.Create a device compliance policy requiring antivirus.
B.Create a device configuration policy for Windows Defender Antivirus and enable Real-time protection.
C.Use Administrative Templates to configure Windows Defender Antivirus.
D.Use the Endpoint security node to configure Antivirus policies.
AnswerB

This enables real-time protection.

Why this answer

Option B is correct because the 'Real-time protection' setting in a device configuration profile for Microsoft Defender Antivirus turns on real-time scanning. Option A is wrong because compliance policies only evaluate and report; they do not enable features. Option C is wrong because Administrative Templates expose similar settings, but the dedicated Antivirus profile is the more direct route.

Option D is functionally equivalent today: the Endpoint security > Antivirus policy exposes the same 'Allow Real-time Monitoring' setting and is the path Microsoft now recommends, but this question keys on the option that names the feature and the setting explicitly.

209
MCQmedium

Your organization is planning to deploy Windows 10 updates using Windows Update for Business. You need to ensure that critical security updates are installed within 7 days of release. Which configuration should you use?

A.Create a feature update policy for Windows 10
B.Configure a deferral period of 7 days for quality updates
C.Set a deadline for quality updates to 7 days
D.Pause quality updates for 7 days
AnswerC

A deadline forces installation within a set number of days after the update is offered; a deferral only delays when it is offered.

Why this answer

To ensure critical security updates are installed within 7 days of release using Windows Update for Business, you configure a deadline for quality updates. A deadline forces the device to install the update by a specified number of days after the update is published, regardless of any deferral period. Setting the deadline to 7 days ensures that the update is installed within that timeframe, meeting the requirement.

Exam trap

The trap here is confusing a deferral period with a deadline; candidates often think that setting a deferral of 7 days means the update will be installed in 7 days, but deferral actually delays the start of the update process, not the completion date.

How to eliminate wrong answers

Option A is wrong because feature update policies are used to manage major version upgrades (e.g., Windows 10 22H2), not quality or security updates. Option B is wrong because a deferral period delays the installation of updates; setting a 7-day deferral would postpone the update by 7 days, not ensure it is installed within 7 days of release. Option D is wrong because pausing quality updates stops them from being installed entirely for a specified period, which is the opposite of ensuring timely installation.
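The update ring settings that questions 196, 206 and 209 turn on (deferral of 0 days, a deadline of 7 days, automatic install, assignment to a device group), as an added example that is not part of the question bank. It builds the ring through Microsoft Graph with the Microsoft Graph PowerShell SDK; property names follow the Graph windowsUpdateForBusinessConfiguration resource, and the display name, grace period and group ID are the editor's assumptions.

```powershell
# Added example, not from the question bank. Requires the Microsoft.Graph.Authentication module.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

$ring = @{
    '@odata.type'                      = '#microsoft.graph.windowsUpdateForBusinessConfiguration'
    displayName                        = 'Ring - security updates within 7 days (editor example)'
    qualityUpdatesDeferralPeriodInDays = 0    # offered the day Microsoft releases them (question 196)
    featureUpdatesDeferralPeriodInDays = 30   # feature updates are a separate decision
    deadlineForQualityUpdatesInDays    = 7    # must be installed 7 days after being offered (question 209)
    deadlineGracePeriodInDays          = 2    # extra days before a forced restart
    postponeRebootUntilAfterDeadline   = $false
    automaticUpdateMode                = 'autoInstallAndRebootAtMaintenanceTime'
    microsoftUpdateServiceAllowed      = $true
    driversExcluded                    = $false
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations' `
    -Body ($ring | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# Nothing happens until the ring is assigned (question 206). Placeholder group ID.
$assignment = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = '<all-devices-group-id>' } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/$($created.id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 5) -ContentType 'application/json'
"Update ring $($created.id) created and assigned"
```

Deferral and deadline answer different questions: the deferral decides when the device first sees the update, the deadline decides the latest date it may still be uninstalled. A 7-day deferral with no deadline can leave a device unpatched indefinitely if the user keeps postponing the restart; a 0-day deferral with a 7-day deadline is what actually bounds exposure at one week.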

210
MCQhard

Your organization uses Microsoft Intune to manage Windows 10 devices. You need to deploy a PowerShell script that runs during the device provisioning process, before the user signs in. The script should be assigned to a device group containing all Autopilot devices. Which method should you use?

A.Use a device context PowerShell script in Intune and assign it to the device group.
B.Add the script as a Windows 10 platform script in Intune.
C.Assign the script to a user group containing the users.
D.Deploy the script as a device configuration profile.
AnswerA

Device context scripts run in the system context before user sign-in.

Why this answer

Option A is correct because a PowerShell script deployed from Intune with 'Run this script using the logged on credentials' set to No runs as SYSTEM through the Intune management extension, so it does not need an interactive user and works for provisioning tasks on Autopilot devices. Assigning it to a device group makes it execute on the target devices regardless of which user eventually signs in. One practical caveat: the Enrollment Status Page does not track platform scripts, so if the task must finish before the user reaches the desktop, package it as a Win32 app and list it as a blocking app on the ESP instead.

Exam trap

The trap here is that candidates confuse user context scripts (which require a signed-in user) with device context scripts (which run in the system context), leading them to choose user group assignment or configuration profiles instead of the correct device group assignment.

How to eliminate wrong answers

Option B describes the same feature under its admin center name (Devices > Scripts and remediations > Platform scripts), but it says nothing about running in the device (system) context or assigning to the device group, which is what the question asks for, so it is the weaker answer. Option C is wrong because a user group assignment ties execution to a signed-in user and does not meet the pre-sign-in requirement. Option D is wrong because device configuration profiles deliver settings and policies (CSPs); they cannot execute script code.
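The deployment in question 210 done through Microsoft Graph, as an added example that is not part of the question bank: it uploads a small provisioning script as a Windows platform script with runAsAccount set to system and assigns it to a device group. The endpoint is the beta deviceManagementScripts resource (platform scripts are not in v1.0); the script body, registry path and group ID are the editor's assumptions.

```powershell
# Added example, not from the question bank. Requires the Microsoft.Graph.Authentication module.

# The script Intune will run as SYSTEM on each Autopilot device (constructed example).
$scriptBody = @'
# Provisioning marker written before any user signs in. Runs as NT AUTHORITY\SYSTEM.
$key = 'HKLM:\SOFTWARE\Contoso\Provisioning'
New-Item -Path $key -Force | Out-Null
New-ItemProperty -Path $key -Name 'Stage' -Value 'device-setup' -PropertyType String -Force | Out-Null
New-ItemProperty -Path $key -Name 'Timestamp' -Value (Get-Date -Format o) -PropertyType String -Force | Out-Null
exit 0
'@

$script = @{
    displayName           = 'Contoso provisioning marker (editor example)'
    description           = 'Writes a registry marker during device setup'
    fileName              = 'Set-ContosoProvisioningMarker.ps1'
    runAsAccount          = 'system'   # 'user' would wait for an interactive sign-in (the trap in this question)
    enforceSignatureCheck = $false
    runAs32Bit            = $false
    scriptContent         = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($scriptBody))
}

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'
$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/beta/deviceManagement/deviceManagementScripts' `
    -Body ($script | ConvertTo-Json -Depth 4) -ContentType 'application/json'

# Assign to the Autopilot device group (placeholder ID), not to a user group.
$assign = @{
    deviceManagementScriptAssignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = '<autopilot-device-group-id>' } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceManagementScripts/$($created.id)/assign" `
    -Body ($assign | ConvertTo-Json -Depth 5) -ContentType 'application/json'
"Platform script $($created.id) uploaded and assigned"
```

Execution results land in the IntuneManagementExtension.log on the device and under the script's Device status view in the admin center; a script that needs the user's profile or HKCU will fail silently here, because SYSTEM has neither.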

211
Multi-Selectmedium

You need to onboard devices to Microsoft Defender for Endpoint using Microsoft Intune. Which THREE methods are supported?

Select 3 answers
A.Group Policy with administrative templates
B.Microsoft 365 Apps admin center
C.Intune endpoint security policy for Microsoft Defender for Endpoint
D.Windows Server Update Services
E.Microsoft Defender for Endpoint onboarding configuration profile in Intune
AnswersA, C, E

Onboarding via GPO for domain-joined devices.

Why this answer

Intune security policies, Microsoft Defender for Endpoint onboarding configuration profiles, and Group Policy can onboard devices. Microsoft 365 Apps admin center is for Office, not Defender. Windows Server Update Services is for updates.

212
Multi-Selectmedium

Which TWO actions can you perform in Microsoft Intune to remediate a noncompliant Windows device that has been marked as noncompliant due to missing antivirus? (Choose two.)

Select 2 answers
A.Send a sync command to the device to re-evaluate compliance.
B.Deploy a proactive remediation script to detect and install antivirus.
C.Send a notification to the user to install antivirus via Windows Security.
D.Run a PowerShell script from Intune to install the missing antivirus.
E.Create a Conditional Access policy to block the device until fixed.
AnswersB, D

Proactive remediations can automatically fix issues.

Why this answer

Options B and D are correct. You can either deploy a PowerShell platform script from Intune that installs the missing antivirus, or use a detection/remediation script pair under Scripts and remediations (formerly called proactive remediations) so the fix runs wherever the detection script reports the gap. Option E is wrong because Conditional Access blocks access but does not remediate anything.

Option A is wrong because a sync only re-evaluates compliance; it does not install antivirus. Option C is wrong because a notification relies on the user acting through the Windows Security app, which is not an Intune remediation.

213
MCQhard

Your organization uses Microsoft Intune to manage Windows devices. You need to deploy a custom Line-of-Business (LOB) app that is signed with a certificate not trusted by the devices. The app must be available to users in the Company Portal. What should you do?

A.Upload the app to Microsoft Store for Business and assign it as offline.
B.Enable side-loading of apps on the target devices using Group Policy.
C.Upload the app as a LOB app in Intune and assign it to the target group.
D.Convert the app to a .appx package and sign it with a trusted certificate.
AnswerC

Intune LOB deployment does not require the device to trust the signing certificate; Intune handles trust.

Why this answer

Option C is correct because uploading the package as a Windows line-of-business app (.msix/.appx/.msi) and assigning it to the target group is the only option that actually makes the app appear in the Company Portal. Intune itself does not validate the signing certificate chain beyond requiring the package to be signed; the trust check happens on the device at install time. In practice you therefore deploy the code-signing certificate (or its issuing root) with a trusted certificate profile to the same group, otherwise an MSIX/APPX install fails with a signature error.

Exam trap

The trap here is that candidates assume an untrusted certificate blocks deployment entirely. Intune will still publish the app in the Company Portal and attempt installation; what fails is the install on the device unless the certificate chain is trusted there, which is why the LOB app assignment is normally paired with a trusted certificate profile.

How to eliminate wrong answers

Option A is wrong because uploading the app to Microsoft Store for Business and assigning it as offline requires the app to be signed with a certificate that is trusted by the devices (typically a Microsoft or trusted CA certificate), and the scenario specifies the certificate is not trusted. Option B is wrong because enabling side-loading via Group Policy allows installation of unsigned or untrusted apps, but it does not make the app available in the Company Portal; side-loading is a device-level configuration, not an app distribution method through Intune. Option D is wrong because converting the app to a .appx package and signing it with a trusted certificate would resolve the trust issue, but the question asks what you should do given the current certificate is not trusted—this option changes the app itself rather than leveraging Intune's existing capability to deploy the app as-is.

214
MCQeasy

You need to remotely wipe a lost corporate-owned iOS device that is managed by Intune. Which action should you use?

A.Wipe
B.Reset
C.Delete
D.Retire
AnswerA

Wipe performs a factory reset.

Why this answer

Option A is correct because the 'Wipe' action performs a factory reset, removing all data and settings from the lost device. Option D is wrong because 'Retire' only removes company data and management; personal data stays on the device. Option C is wrong because 'Delete' removes the device record from Intune without touching the device.

Option B is wrong because 'Reset' is not an Intune remote action for iOS; the correct term is 'Wipe'. For a supervised device you can also use 'Lost mode' first to lock and locate it before wiping.

215
MCQhard

Your organization uses Microsoft Intune to manage Windows devices. You need to ensure that only users in the Sales department can enroll their devices. What should you configure?

A.An Intune role-based access control (RBAC) role for Sales users.
B.A device configuration profile assigned to Sales users.
C.A Conditional Access policy that requires device compliance.
D.Enrollment restrictions that allow only users in the Sales group.
AnswerD

Enrollment restrictions can be scoped to specific user groups.

Why this answer

Option D is correct because enrollment restrictions (device platform and device limit restrictions) are assigned to user groups, so a restriction that blocks Windows enrollment for everyone plus one that allows it for the Sales group limits enrollment to Sales users. Option C is wrong because Conditional Access controls access after enrollment. Option B is wrong because device configuration profiles do not control enrollment.

Option A is wrong because role-based access control scopes what administrators can do in the admin center, not which users may enroll. Note that the MDM user scope in Microsoft Entra ID must also include the Sales users, or automatic enrollment never starts.

216
MCQhard

Your organization has 5,000 Windows 10 devices managed by Microsoft Intune. You are planning to upgrade them to Windows 11. The devices must meet the Windows 11 hardware requirements. You need to identify which devices are eligible for upgrade and then deploy Windows 11 using a feature update policy in Intune. You have the following requirements: (1) Generate a report of devices that are not eligible due to TPM 2.0 or CPU incompatibility. (2) Deploy Windows 11 to eligible devices using a phased approach: first to IT department (200 devices), then to pilot users (500 devices), and finally to all remaining devices. (3) Ensure that devices in the IT department receive the update within 7 days of Microsoft's release, while pilot users receive it after 30 days, and remaining devices after 60 days. (4) Monitor deployment progress and roll back if critical issues are detected. What should you do?

A.Create feature update policies for Windows 10 and later, targeting each group with appropriate deferral settings. Use the Windows 11 readiness report to identify eligible devices.
B.Configure Windows Update for Business group policies in on-premises AD.
C.Use update rings with different deferral periods for each group.
D.Use Windows Autopilot to deploy Windows 11 images to devices.
AnswerA

Feature update policies are designed for OS upgrades and support deferrals.

Why this answer

Option A is correct because feature update policies let you pin a specific Windows 11 version and target each group with its own rollout schedule (available immediately, on a start date, or as a gradual rollout), while the Windows 11 hardware readiness report in Intune identifies devices that fail the TPM 2.0 or CPU checks. Windows Update reports track the rollout, and a group can be unassigned (and the update uninstalled within the rollback window) if problems appear. Option C is wrong because update rings set feature update deferrals but cannot select a target Windows 11 version.

Option D is wrong because Autopilot is for initial provisioning, not in-place upgrades. Option B is wrong because on-premises Group Policy settings are not managed through Intune and do not give you the readiness report or the per-group rollout.

217
MCQmedium

You need to ensure that Windows 10 devices in your organization receive the latest quality updates within 7 days of release. You configure a Windows Update for Business policy in Intune with a deferral period of 7 days. After two weeks, some devices have not installed the updates. What is the most likely reason?

A.The devices are configured to receive updates from WSUS instead of Windows Update.
B.The deferral period is too short; Microsoft recommends 14 days.
C.The policy is configured to apply only to devices in a specific Azure AD group.
D.Devices have not synced with Intune to receive the updated policy.
AnswerD

Devices must sync to get the policy; if they miss sync, updates are not enforced.

Why this answer

Option D is correct because Windows Update for Business policies in Intune are not applied in real time; devices must check in with the Intune service to receive the updated policy. The default sync interval for Intune-managed Windows 10 devices is approximately 8 hours, and if a device has not synced since the policy was configured, it will not yet have the new deferral settings. This explains why some devices have not installed the updates even after two weeks, as they may have missed the sync window or have a longer check-in cycle.

Exam trap

The trap here is that candidates often assume that configuring a Windows Update for Business policy in Intune immediately applies to all targeted devices, overlooking the critical requirement for devices to complete an Intune sync before the policy takes effect.

How to eliminate wrong answers

Option A is wrong because if devices were configured to receive updates from WSUS, they would ignore Windows Update for Business policies entirely, but the question states the policy was configured in Intune and the issue is that some devices have not installed updates, not that they are using a different update source. Option B is wrong because the deferral period of 7 days is technically valid and not inherently too short; Microsoft does not mandate a 14-day deferral, and the problem is about policy delivery, not the deferral duration. Option C is wrong because while a policy can be scoped to a specific Azure AD group, the question does not indicate that the policy was scoped incorrectly; the issue is that devices have not synced, not that they are in the wrong group.

218
Multi-Selecteasy

Which TWO are valid methods to enroll Windows devices in Microsoft Intune?

Select 2 answers
A.Apple Business Manager
B.Manual enrollment using work or school account
C.Windows Autopilot
D.Android Enterprise
E.Azure AD Join
AnswersB, C

Manual enrollment is a valid method.

Why this answer

Options B and C are correct. C: Windows Autopilot is the modern zero-touch enrollment method. B: manual enrollment via Settings > Accounts > Access work or school with a work or school account is valid.

Option A is wrong because Apple Business Manager is for Apple devices. Option D is wrong because Android Enterprise is for Android. Option E is wrong as stated because Azure AD (Microsoft Entra) join by itself is a join type; it only enrolls the device in Intune when automatic MDM enrollment is configured for the user's scope.

219
MCQeasy

You need to deploy a critical security update to 500 Windows 10 devices managed by Intune. The update must be installed by the end of the week. Which deployment method should you use?

A.Create a Windows 10 update ring in Intune and enable expedited quality updates.
B.Configure a Windows Update for Business deferral policy in Intune.
C.Use Windows Autopatch to automatically deploy the update.
D.Create a WSUS policy and push it via Group Policy.
AnswerA

Intune can expedite critical updates using update rings.

Why this answer

Option A is correct because Intune's expedited quality updates allow you to bypass standard deferral periods and force-install critical security updates within days, not weeks. This is the only method that guarantees installation by the end of the week for 500 devices managed solely by Intune, as it leverages the Windows Update service with a reduced deadline (e.g., 2 days) and immediate restart behavior.

Exam trap

The trap here is that candidates confuse 'expedited updates' with 'deferral policies' or 'Autopatch,' assuming any automated update method will meet a tight deadline, but only expedited quality updates bypass the built-in deferral windows and enforce a short installation deadline.

How to eliminate wrong answers

Option B is wrong because configuring a Windows Update for Business deferral policy delays the update by a set number of days (e.g., 7–30 days), which contradicts the requirement to install it by the end of the week. Option C is wrong because Windows Autopatch is designed for ongoing, automated patch management with gradual rollout rings (e.g., Test, First, Fast, Broad) and does not support emergency expedited deployment for a single critical update within a short timeframe. Option D is wrong because WSUS and Group Policy require on-premises infrastructure and Active Directory, which are not applicable to devices managed solely by Intune in a cloud-only or hybrid scenario without domain connectivity.

220
MCQmedium

Your organization uses Microsoft Intune to manage Android Enterprise devices. You need to deploy a custom app that is not available in the Google Play Store. Which app deployment method should you use?

A.Add the app as a Managed Google Play app.
B.Deploy the app as a web link to the APK file.
C.Add the app as a line-of-business (LOB) app and upload the APK file.
D.Use the iOS LOB app deployment method.
AnswerC

LOB app deployment allows side-loading custom APKs.

Why this answer

Option C is correct because line-of-business (LOB) apps are how Intune delivers a custom APK that is not published in the store. Option A is wrong because adding a Managed Google Play app only works for apps already in the store (the recommended alternative for a custom app is to publish it as a Managed Google Play private app, which is a publishing step rather than an Intune app type). Option B is wrong because a web link opens a URL; it does not install an app.

Option D is wrong because the iOS LOB method is for Apple devices.

221
Multi-Selecthard

Which THREE features are available in Microsoft Intune's Windows Autopilot for existing devices?

Select 3 answers
A.Collect hardware hash from the existing device.
B.Deploy a provisioning package using a USB drive.
C.Reset the device and re-enroll it using Autopilot.
D.Automatically convert the device to an Autopilot device without user interaction.
E.Apply Autopilot profiles to macOS devices.
AnswersA, B, C

Hardware hash is collected to register the device.

Why this answer

Options A, B, and C are correct because Windows Autopilot for existing devices supports collecting the hardware hash, deploying a provisioning package, and resetting the device so it can be re-enrolled through Autopilot. Option D is wrong because a device is converted to an Autopilot device by uploading its hardware hash, not automatically during deployment. Option E is wrong because Autopilot is for Windows, not macOS.

222
Multi-Select · hard

Which THREE conditions can be used to create a dynamic device group in Microsoft Entra ID for Intune management? (Choose three.)

Select 3 answers
A. Enrollment profile name (e.g., 'Autopilot Profile')
B. Last sign-in time of the user
C. Installed application version
D. Device model (e.g., 'Surface Pro 7')
E. Operating system version (e.g., 'Windows 11 22H2')
Answers: A, D, E

Enrollment profile name is a valid device attribute.

Why this answer

Options A, D, and E are correct: dynamic device groups can be built on the enrollment profile name, the device model, and the operating system version. Option B is wrong because the user's last sign-in time is not a valid attribute for dynamic device group rules.

Option C is wrong because installed application version is not a device attribute.

223
MCQ · hard

You are planning to deploy a custom line-of-business (LOB) app to 200 Windows 11 devices using Intune. The app requires a specific registry key to be present before installation. What should you do?

A. Add the app as a dependency for another app that creates the registry key.
B. Use an app configuration policy to set the registry key before the app installs.
C. Add a requirement rule to the app deployment that runs a PowerShell script to check for the registry key.
D. Create a custom compliance policy to enforce the registry key.
Answer: C

Requirement rules can use PowerShell scripts to check prerequisites.

Why this answer

Option C is correct because Intune's requirement rules allow you to run a PowerShell script that checks for the existence of a specific registry key before the app installs. If the script returns a non-zero exit code, Intune will not proceed with the installation, ensuring the prerequisite is met. This is the only option that directly enforces a precondition for the app installation without requiring additional apps or policies.

Exam trap

The trap here is that candidates often confuse requirement rules (which block installation if unmet) with detection rules (which determine if an app is already installed), or they mistakenly think app configuration policies can modify the Windows registry, when in fact they are limited to mobile device management (MDM) settings for specific platforms.

How to eliminate wrong answers

Option A is wrong because adding the app as a dependency for another app that creates the registry key would require the LOB app to be installed first, which is the opposite of what is needed—the registry key must be present before the LOB app installs. Option B is wrong because app configuration policies are used to configure app settings (e.g., for managed iOS/iPadOS or Android apps) and cannot create or modify registry keys on Windows devices. Option D is wrong because custom compliance policies evaluate device compliance after enrollment and can mark a device as non-compliant, but they do not prevent or block the installation of a specific app; they only trigger remediation or conditional access actions.

224
Multi-Select · medium

Your organization uses Microsoft Intune to manage devices. You need to deploy a line-of-business (LOB) app to iOS devices. Which TWO conditions must be met?

Select 2 answers
A. The iOS devices must have the distribution profile installed.
B. The app must be packaged as an .appx file.
C. The app must be signed with an Apple Enterprise Developer certificate.
D. The app must be assigned to devices only, not users.
E. The app must be distributed via the Apple App Store.
Answers: A, C

The distribution profile trusts the enterprise developer.

Why this answer

Options A and C are correct. The app must be signed with an Apple Enterprise Developer certificate (C), and the iOS devices must have the distribution profile installed (A). Option B is wrong because an iOS app is packaged as an .ipa file, not .appx.

Option D is wrong because the app can be assigned to users or devices, not to devices only. Option E is wrong because an LOB app is uploaded to Intune rather than distributed through the Apple App Store.

225
MCQ · medium

A company uses Microsoft Intune to manage Windows 11 devices. Users report that the Company Portal app is not showing required applications. You verify that the devices show as 'Compliant' in Microsoft Intune. Which configuration should you check first?

A. Check the Microsoft Entra ID (Azure AD) configuration for the device.
B. Check the Windows Update for Business ring assignments.
C. Check the device compliance policy settings.
D. Check the application assignments in Intune.
Answer: D

If the user or device is not assigned to the application, it will not appear in Company Portal.

Why this answer

Option D is correct because the most common reason required applications are not visible in Company Portal is that the applications have not been assigned to the user or device group. Even if a device is compliant, Intune will only display applications that are assigned with an 'Available' intent to the user or device. Checking application assignments first directly addresses the symptom without assuming other configurations are misconfigured.

Exam trap

The trap here is that candidates often assume compliance policy issues cause application visibility problems, but Intune separates compliance evaluation from application assignment; a compliant device can still miss apps if the assignments are misconfigured.

How to eliminate wrong answers

Option A is wrong because Microsoft Entra ID (Azure AD) configuration primarily controls authentication, device registration, and conditional access, not the visibility of assigned applications in Company Portal. Option B is wrong because Windows Update for Business ring assignments control update deferral and delivery optimization, not application deployment or visibility. Option C is wrong because the device is already marked as 'Compliant', so compliance policy settings are not the cause; compliance policies affect conditional access and device health, not the display of assigned applications.
