CCNA Md102 Manage Applications Questions

75 of 183 questions · Page 1/3 · Md102 Manage Applications topic · Answers revealed

1
MCQhard

You are troubleshooting a Microsoft 365 Apps for enterprise deployment on Windows 10 devices managed by Intune. Users report that the apps are not installing, but the deployment status in Intune shows 'Success' for some devices and 'Failed' for others. On a failing device, you discover that the Office Deployment Tool (ODT) logs indicate '0x80070005 - Access denied'. What is the most likely cause?

A.The device has insufficient disk space for the installation.
B.The configuration.xml file has an invalid Channel attribute.
C.The device does not have internet connectivity to download Office installation files.
D.The Office Deployment Tool is running in user context instead of system context.
AnswerD

Running as user leads to access denied when writing to Program Files.

Why this answer

Option D is correct because the ODT requires administrative privileges to install Office. If the installation context is user-level, access denied occurs. Option A is wrong because network issues typically give different error codes.

Option B is wrong because configuration.xml syntax errors cause different errors. Option C is wrong because disk space errors are different.

2
MCQeasy

You need to deploy a Microsoft 365 Apps for enterprise configuration that includes Teams and Visio Pro for Microsoft 365. Users should get the full suite with both apps. What is the recommended method?

A.Use the built-in Microsoft 365 Apps for enterprise app type in Intune and select the products.
B.Instruct users to install from the Office portal.
C.Deploy a PowerShell script that runs Setup.exe /configure.
D.Create a Win32 app with the Office Deployment Tool and a configuration.xml that includes both products.
AnswerD

ODT allows full customization of products.

Why this answer

Option C is correct because the Office Deployment Tool and a custom configuration.xml allow you to specify products, languages, and update channels. Option A is wrong because Intune built-in Microsoft 365 Apps app allows selecting products but may not include Visio easily. Option B is wrong because manually installing is not scalable.

Option D is wrong because PowerShell scripts are less reliable.

3
MCQeasy

Your organization uses Microsoft Intune to manage iOS/iPadOS devices. You need to deploy a VPP (Volume Purchase Program) app that is already purchased and assigned to your tenant. What is the minimum configuration required to make the app available to users?

A.Configure a device enrollment restriction to allow the app.
B.Sync the VPP token, then add the app from the store and assign it.
C.Distribute the app via the Company Portal without any additional configuration.
D.Upload the app IPA file to Intune, then create an app configuration policy.
AnswerB

Syncing the token brings in purchased licenses, then you can assign the app.

Why this answer

Option B is correct because VPP apps require a token to be synced with Intune, and then the app can be assigned as required or available. Option A is wrong because app configuration policies are optional. Option C is wrong because device enrollment restrictions don't affect app assignment.

Option D is wrong because company portal is used for available apps but not strictly required for required installs.

4
MCQeasy

You are configuring an app protection policy in Microsoft Intune for iOS/iPadOS devices. Which setting can you enforce to prevent users from copying data from a managed app and pasting it into an unmanaged app?

A.Restrict cut, copy, and paste between other apps
B.Require a PIN for access
C.Prevent iTunes and iCloud backups
D.Block managed apps from running on jailbroken devices
AnswerA

This setting restricts clipboard operations between managed and unmanaged apps.

Why this answer

Option A is correct because the 'Restrict cut, copy, and paste between other apps' setting controls data transfer. Option B is wrong because 'Prevent backup' does not restrict clipboard. Option C is wrong because 'Require PIN' is for access control.

Option D is wrong because 'Block managed apps from running on jailbroken devices' is a device condition.

5
MCQmedium

A company uses Intune to manage Windows 10 devices. They need to deploy a line-of-business (LOB) Win32 app to devices that are not assigned to any user. The app requires installation in the system context. Which installation behavior should be configured in the Intune Win32 app deployment?

A.User
B.Device
C.System
D.LoggedOnUser
AnswerC

System installs in the system context, suitable for device-wide and userless deployments.

Why this answer

Option C (System) is correct because the Win32 app must run in the system context to install without a user session, which is required for devices not assigned to any user. In Intune, the 'System' installation behavior runs the installer as the local SYSTEM account, enabling silent, elevated installations regardless of user presence.

Exam trap

The trap here is that candidates confuse 'System' with 'Device' or 'LoggedOnUser', not realizing that 'Device' is not a valid installation behavior and that 'System' is the only option that guarantees installation without a user session.

How to eliminate wrong answers

Option A (User) is wrong because it runs the installer in the user context, which requires an interactive user session and cannot install on devices without assigned users. Option B (Device) is wrong because 'Device' is not a valid installation behavior in Intune Win32 app deployment; the correct options are User, System, and LoggedOnUser. Option D (LoggedOnUser) is wrong because it runs the installer in the context of the currently logged-on user, which also requires an active user session and fails on devices with no user assigned.

6
MCQmedium

Your organization uses Microsoft Intune to manage Windows 11 devices. You need to deploy a line-of-business (LOB) app that is signed with a certificate not trusted by the devices. What should you do to ensure the app installs successfully?

A.Create a device configuration profile to allow sideloading.
B.Add the app to the Microsoft Store for Business.
C.Disable automatic app updates for the device group.
D.Enable the Sideloading policy for the device group.
AnswerD

Sideloading allows installation of apps signed with untrusted certificates.

Why this answer

To install an LOB app that is not signed by a trusted certificate, you must disable the Sideloading policy for the device group. Option A is correct because enabling sideloading allows installation of apps signed with untrusted certificates. Option B is wrong because allowing sideloading does not require the app to be in the Microsoft Store.

Option C is wrong because the Sideloading policy is not a device configuration profile but an app deployment policy. Option D is wrong because disabling automatic updates does not affect sideloading.

7
MCQmedium

You configured the above app protection policy for a Microsoft 365 app. Users report that they cannot paste text from the managed app into another app. What is the most likely reason?

A.The 'pinLength' requirement is not met.
B.The 'requireBiometric' setting is blocking actions.
C.The 'dataTransferPolicy' is set to 'allowNone', which prevents data from leaving the managed app.
D.The 'allowCutCopy' setting is set to false, which blocks copy, but paste is unaffected.
AnswerC

This setting blocks clipboard operations to unmanaged apps.

Why this answer

The 'dataTransferPolicy' setting controls how data can be transferred between managed and unmanaged apps. When set to 'allowNone', it prevents any data from leaving the managed app, including paste operations from the managed app into another app. This is the most direct cause of the reported issue.

Exam trap

The trap here is that candidates often confuse 'allowCutCopy' (which controls copy/cut within the app) with 'dataTransferPolicy' (which controls data leaving the app), leading them to incorrectly select Option D.

How to eliminate wrong answers

Option A is wrong because 'pinLength' only enforces a minimum PIN length for app access and does not affect data transfer or paste behavior. Option B is wrong because 'requireBiometric' controls biometric authentication for app access, not data transfer or clipboard operations. Option D is wrong because 'allowCutCopy' being set to false would block copy and cut operations within the managed app, but paste is indeed unaffected; the issue is about pasting from the managed app into another app, which is governed by 'dataTransferPolicy', not 'allowCutCopy'.

8
Multi-Selectmedium

You are configuring an app protection policy for iOS devices to protect corporate data in Microsoft Outlook. Which TWO settings prevent users from copying corporate data to personal apps?

Select 2 answers
A.Allow app to transfer data to other apps
B.Save copies of work data
C.Block screen capture and screen recording
D.Restrict cut, copy, and paste between apps
E.Encrypt app data
AnswersA, D

Setting this to 'Policy managed apps' restricts data transfer.

Why this answer

Option B and Option D are correct. 'Restrict cut, copy, and paste between apps' with policy-managed apps only prevents copying to unmanaged apps. 'Allow app to transfer data to other apps' set to 'Policy managed apps' restricts data transfer to managed apps only. Option A is wrong because encryption is for data at rest. Option C is wrong because it restricts saving to cloud but not copying.

Option E is wrong because it blocks screenshots but not copy/paste.

9
MCQmedium

You manage Windows 10 devices with Microsoft Intune. You need to deploy a line-of-business (LOB) app that is not available in the Microsoft Store. The app is an .msi file that requires admin privileges to install. Which deployment method should you use?

A.Upload the .msi file as a line-of-business app directly
B.Add the app as a Microsoft Store for Business app
C.Deploy the app using a PowerShell script in Intune
D.Use the Microsoft Win32 Content Prep Tool to wrap the .msi into an .intunewin file and deploy as a Win32 app
AnswerD

This is the standard method for deploying LOB .msi apps via Intune.

Why this answer

LOB apps in Intune require the app to be wrapped with the Microsoft Win32 Content Prep Tool. Intune can deploy .msi and .exe as Win32 apps. The correct answer is option D.

10
MCQhard

You run the above PowerShell command. The app is installed on a device, but the detection rule checks for CompanyPortal.exe in C:\Program Files. The app installs to C:\Program Files (x86) due to a 32-bit installer. What is the most likely outcome?

A.The app is successfully detected and no action is taken
B.The app installation fails with error
C.The detection rule automatically adjusts to check both folders
D.Intune repeatedly tries to install the app because it is not detected
AnswerD

Failed detection triggers reinstallation.

Why this answer

Detection rules do not automatically check both Program Files folders unless configured. The rule checks the 64-bit folder, so it will not detect the app installed in Program Files (x86) and will report as not installed. Option B is correct.

11
Drag & Dropmedium

Order the steps to deploy a Windows 10 virtual desktop in Azure using Windows 365.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

License first, then portal, create policy, configure, provision and assign.

12
MCQeasy

You need to deploy a Microsoft 365 Apps for enterprise suite to Windows 10 devices using Intune. Users are unlicensed. How should you proceed?

A.Deploy the suite as 'available' from Company Portal.
B.Use the built-in Microsoft 365 Apps (Office) app type in Intune.
C.Assign the Office 365 E3 license to all users.
D.Create a Win32 app package for Microsoft 365 Apps and deploy it.
AnswerD

Win32 packaging allows you to include a volume license key or use shared activation for unlicensed users.

Why this answer

Option D is correct because when users are unlicensed, the Microsoft 365 Apps for enterprise suite cannot be deployed via the built-in Intune app type (which relies on license activation). Creating a Win32 app package allows you to bundle the Office Deployment Tool (ODT) with a configuration XML that sets the product ID to 'O365ProPlusRetail' and disables automatic licensing checks, enabling deployment to unlicensed devices.

Exam trap

The trap here is that candidates assume the built-in Microsoft 365 Apps app type in Intune is always the correct choice, but they overlook the critical dependency on user licensing, which the question explicitly removes by stating users are unlicensed.

How to eliminate wrong answers

Option A is wrong because deploying the suite as 'available' from Company Portal still requires the user to have an Office 365 license to activate the apps; unlicensed users will see the app but cannot install or run it. Option B is wrong because the built-in 'Microsoft 365 Apps (Office)' app type in Intune is designed for licensed users and automatically triggers license-based activation; it will fail for unlicensed users. Option C is wrong because assigning Office 365 E3 licenses to all users is a licensing action, not a deployment method; while it would resolve the licensing issue, the question specifically states users are unlicensed and asks how to deploy the suite, not how to license users.

13
MCQhard

An administrator applies the app protection policy shown in the exhibit to a group of users. A user reports that they are unable to copy data from a managed app and paste it into an unmanaged app. Which setting in the policy causes this behavior?

A.requirePin is set to true.
B.dataTransferToUnmanagedApps is set to false.
C.appSharingFromLevel is set to 'policyManagedApps'.
D.disableAppEncryptionIfDeviceEncryptionIsEnabled is set to false.
AnswerB

This setting directly prevents data transfer to unmanaged apps.

Why this answer

The setting `dataTransferToUnmanagedApps` controls whether data can be transferred from a managed app to unmanaged apps via copy/paste, share, or other data-sharing mechanisms. When set to `false`, it blocks all such transfers, including pasting into unmanaged apps. This is the specific policy that prevents the user from copying data from a managed app and pasting it into an unmanaged app.

Exam trap

The trap here is that candidates often confuse `appSharingFromLevel` with `dataTransferToUnmanagedApps`, mistakenly thinking that restricting sharing to policy-managed apps also blocks copy/paste to unmanaged apps, when in fact `dataTransferToUnmanagedApps` is the explicit setting that controls clipboard-based data transfer to any unmanaged destination.

How to eliminate wrong answers

Option A is wrong because `requirePin` controls whether a PIN is required to access the managed app, not data transfer behavior. Option C is wrong because `appSharingFromLevel` set to `policyManagedApps` restricts sharing to only other apps that have the same app protection policy, but it does not block copy/paste to unmanaged apps; it allows sharing between managed apps. Option D is wrong because `disableAppEncryptionIfDeviceEncryptionIsEnabled` controls whether app-level encryption is disabled when device encryption is present, which is unrelated to data transfer restrictions.

14
Multi-Selecthard

Which THREE of the following are requirements for deploying a Win32 app via Microsoft Intune?

Select 3 answers
A.The device must have the Intune Management Extension installed separately.
B.The app installation files must be hosted on an external web server.
C.The app must be assigned to a group of users or devices.
D.Detection rules must be configured to verify installation.
E.The app must be packaged in the .intunewin format.
AnswersC, D, E

Assignment is required to target the app.

Why this answer

Options A, B, and D are correct. Win32 apps must be packed in the .intunewin format, have detection rules, and be assigned to groups. Option C is wrong because the app must be uploaded to Intune, not hosted externally.

Option E is wrong because the Intune Management Extension handles Win32 app installation, not a separate agent.

15
Multi-Selecteasy

Which TWO of the following are valid app types in Microsoft Intune for iOS/iPadOS devices?

Select 2 answers
A.Windows 10 Universal app
B.iOS line-of-business app
C.Android Enterprise system app
D.Managed Google Play iframe
E.iOS store app
AnswersB, E

For custom iOS apps.

Why this answer

Option A (iOS store app) and Option C (iOS LOB app) are valid. Option B is for Android. Option D is for Windows.

Option E is a configuration policy, not an app type.

16
MCQhard

A user reports that a required Microsoft 365 Apps for enterprise installation failed on their Windows 11 device managed by Intune. The Intune console shows the app assignment is 'Required' for the user group. The device status shows 'Pending' for over a day. You verify the device is online and checks in regularly. What is the most likely cause?

A.The user does not have a Microsoft 365 license assigned.
B.The device has not checked in with Intune recently.
C.The device does not have enough disk space.
D.The app is assigned to the device group instead of the user group.
AnswerA

Microsoft 365 Apps require a license to activate; without it, installation may stall.

Why this answer

Option C is correct because the Microsoft 365 Apps for enterprise deployment requires a valid license assigned to the user. The client may be pending because it cannot activate without a license. Option A is wrong because the device status shows 'Pending' not an error.

Option B is wrong because the device checks in regularly. Option D is wrong because the app assignment is 'Required' and the user is in the group.

17
Multi-Selecthard

Which THREE of the following are valid detection rules for a Win32 app in Intune?

Select 3 answers
A.PowerShell script (custom detection)
B.MSI product code
C.Registry (key or value exists)
D.File system (file or folder exists)
E.Network share access
AnswersA, C, D

PowerShell script detection is valid.

Why this answer

Valid detection rules include file system, registry, and PowerShell script. MSI product code is a separate built-in rule but not a general detection rule type. Option E is not a detection rule type.

18
MCQmedium

Your organization has 500 Windows 11 devices managed by Microsoft Intune. You need to deploy a third-party Win32 application (AppDeploy.exe) that requires the user to accept an end-user license agreement (EULA) during installation. The app must be installed silently without user interaction. You have created a custom script that accepts the EULA automatically. The app is packaged as an .intunewin file. You need to configure the deployment in Intune. The installation command must run the script that accepts the EULA and then launches the installer. The detection rule must check for the presence of a specific file (C:\Program Files\AppDeploy\app.exe). You want to ensure that if the installation fails, Intune retries automatically. Which of the following configurations should you choose?

A.Install command: 'powershell.exe -ExecutionPolicy Bypass -File AcceptEULA.ps1 && AppDeploy.exe /S', Detection rule: File 'C:\Program Files\AppDeploy\app.exe' exists, Retry: 3 attempts every 60 minutes
B.Install command: 'AppDeploy.exe /S', Detection rule: Registry 'HKLM\Software\AppDeploy\Installed' exists, Retry: 3 attempts every 60 minutes
C.Install command: 'powershell.exe -ExecutionPolicy Bypass -File AcceptEULA.ps1', Detection rule: File 'C:\Program Files\AppDeploy\app.exe' exists, Retry: None
D.Install command: 'AppDeploy.exe /S', Detection rule: File 'C:\Program Files\AppDeploy\app.exe' exists, Retry: None
AnswerA

Chains EULA acceptance and silent install; retry configured.

Why this answer

Option B is correct. Using a PowerShell script as the install command allows you to chain commands: first accept EULA, then run setup. The detection rule uses file existence.

Setting 'Retry count' to 3 and 'Retry interval' to 60 minutes provides automatic retry. Option A is wrong because it does not include the EULA acceptance. Option C is wrong because the detection rule checks registry instead of file, which may not be reliable.

Option D is wrong because it does not include retry settings.

19
Multi-Selectmedium

A company uses Microsoft Intune to manage Windows 10 devices. Users report that some required line-of-business (LOB) apps are not being installed on their devices. The apps are assigned as 'Required' to a device group that includes the affected devices. Which two actions should the administrator take to troubleshoot the issue? (Choose two.)

Select 2 answers
A.Review the Intune Management Extension logs on a device for installation errors.
B.Uninstall the app from the affected devices and reassign it as Required.
C.Check the device’s last check-in time and perform a manual sync from the Intune console.
D.Reassign the app to the device group with a different assignment type.
E.Run gpresult /r on a device to confirm the app assignment policy is applied.
AnswersA, C

Logs provide detailed error messages.

Why this answer

The Intune Management Extension (IME) is the component responsible for deploying Win32 and line-of-business (LOB) apps on Windows 10 devices. Reviewing its logs (located in %ProgramData%\Microsoft\IntuneManagementExtension\Logs) provides detailed error messages, such as download failures, dependency issues, or script execution errors, which directly indicate why a required app failed to install.

Exam trap

The trap here is that candidates confuse Intune MDM app deployment with traditional Group Policy Software Installation (GPSI) and incorrectly choose gpresult /r, not realizing Intune uses the IME and MDM channel, not Active Directory Group Policy.

20
MCQmedium

Your organization uses Microsoft Intune to manage macOS devices. You need to deploy a PKG app that requires reboot. Which app type should you select?

A.macOS LOB app
B.macOS web app
C.Microsoft 365 for macOS
D.macOS DMG app
AnswerA

Supports PKG and scripts for reboot.

Why this answer

macOS LOB app supports PKG format and can include post-install scripts. Web app is for URLs. Microsoft 365 for macOS is for Office suite.

DMG apps are for macOS. PKG is not directly supported as DMG, but LOB app can wrap PKG. Therefore, macOS LOB app is correct.

21
MCQhard

You manage iOS devices with Microsoft Intune. You need to deploy an app that is not available in the Apple App Store. The app is developed internally and signed with an enterprise certificate. Which app type should you use?

A.iOS/iPadOS app store app
B.Web link
C.Built-in app
D.iOS/iPadOS Line-of-business app
AnswerD

LOB apps are for custom or in-house iOS apps.

Why this answer

For internally developed iOS apps not in the App Store, use the iOS/iPadOS Line-of-business app type. Option A is correct. Option B is wrong because the iOS app store type is for apps from the App Store.

Option C is wrong because the Built-in app type is for pre-installed system apps. Option D is wrong because the Web link type is for web shortcuts.

22
Multi-Selecthard

Which THREE of the following are valid methods to deploy Microsoft 365 Apps for enterprise using Microsoft Intune?

Select 3 answers
A.Use the built-in Microsoft 365 Apps app type in Intune.
B.Use the Office Deployment Tool (ODT) within a script deployed via Intune.
C.Assign the apps via Azure AD application registration.
D.Package the Office installer as a Win32 app.
E.Deploy the MSI version of Office via Intune.
AnswersA, B, D

Simplest method with built-in settings.

Why this answer

Intune supports deploying via built-in Microsoft 365 Apps app type, Win32 app packaging, and using the Office Deployment Tool. Option D is incorrect because Azure AD is identity, not deployment method. Option E is incorrect because Intune does not use MSI for M365 Apps.

23
Matchingmedium

Match each Intune configuration profile type to its purpose.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Control settings like password, camera, and Bluetooth

Define rules for device health and security

Deploy custom OMA-URI or Apple Configurator settings

Configure Windows Defender Firewall and BitLocker

Group Policy-like settings for Windows devices

Why these pairings

These are common profile types managed in Intune for MD-102.

24
MCQmedium

Your organization uses Intune to manage iOS/iPadOS devices. You need to deploy a custom SSL certificate to all devices for accessing an internal web app. Which profile type should you use?

A.PKCS certificate profile
B.SCEP certificate profile
C.Trusted certificate profile
D.Custom configuration profile (preferences)
AnswerC

Deploys a root CA certificate to devices.

Why this answer

Option B is correct because a trusted certificate profile deploys root CA certificates. Option A is wrong because SCEP profile is for issuing certificates via SCEP protocol, not deploying an existing certificate. Option C is wrong because PKCS profile is for certificate enrollment.

Option D is wrong because a custom configuration profile is for arbitrary settings, but certificate deployment uses dedicated certificate profiles.

25
MCQmedium

Refer to the exhibit. An Intune admin configures the above Windows Update for Business policy. Users report that quality updates are not being installed until 7 days later than expected. What is the likely reason?

A.Quality updates are paused
B.Feature updates are deferred by 30 days
C.Update notifications are set to default
D.Quality updates are deferred by 7 days
AnswerD

The deferral period causes the delay.

Why this answer

QualityUpdateDeferralPeriodInDays is set to 7, which defers updates by 7 days. This is the intended behavior; no issue. However, the question implies users think updates are late.

The policy is correct; perhaps users misunderstand. But the question asks for likely reason. The deferral period is 7 days, so updates are intentionally deferred.

The update notification level is default. Feature updates deferred 30 days. No pause.

So the quality update deferral is the cause.

26
MCQhard

An organization uses Microsoft Intune for Windows 10 device management. They need to deploy a custom Windows app (.exe) to kiosk devices. The app requires admin privileges to install, and the devices are shared. Which deployment method should be used?

A.Use a Win32 app with install context set to 'system'.
B.Assign the app as 'available' for user-install.
C.Deploy as a line-of-business app with device context.
D.Package as a Microsoft Store for Business app.
AnswerA

Win32 apps support system context installation, enabling admin-level installs on shared devices.

Why this answer

Option A is correct because Win32 apps in Microsoft Intune can be configured with the install context set to 'system', which grants the necessary admin privileges for installation and ensures the app is installed for all users on shared kiosk devices. This method uses the Intune Management Extension to run the installer with SYSTEM account privileges, bypassing user-level restrictions and supporting per-machine installations.

Exam trap

The trap here is that candidates often confuse 'device context' with 'system context', not realizing that LOB apps cannot handle .exe files and that 'available' assignments run in user context, which fails for admin-required installs on shared devices.

How to eliminate wrong answers

Option B is wrong because assigning the app as 'available' for user-install runs the installer in the user context, which lacks admin privileges and installs per-user, not per-device, making it unsuitable for shared kiosk devices. Option C is wrong because line-of-business (LOB) apps in Intune only support .msi, .appx, or .msix formats, not .exe files, and the 'device context' option for LOB apps is limited to .msi installers with system context, not custom .exe apps. Option D is wrong because packaging as a Microsoft Store for Business app requires the app to be available in the Store or repackaged as a Store-managed app, which does not support custom .exe files and cannot enforce admin privileges during installation.

27
MCQeasy

You have the above compliance policy for Windows 10. A device running Windows 10 version 22H2 (build 22621.1) will be marked as?

A.Noncompliant because the OS version exceeds the maximum
B.Noncompliant because the password minimum length is not met
C.Noncompliant because the OS version is below the minimum
D.Compliant
AnswerA

The build is higher than the max allowed.

Why this answer

The policy sets osMaximumVersion to 10.0.22621. Build 22621.1 is within that version (22621 > 19041 but <= 22621). However, the policy requires min 19041, so the device is compliant.

But note: the maximum version is inclusive? In Intune, osMaximumVersion uses 'less than or equal' to the version string. 22621.1 <= 22621? Version comparison is tricky; typically, build numbers are compared as integers. 22621.1 is greater than 22621, so it would be noncompliant. Option B is correct.

28
MCQhard

You are troubleshooting a Microsoft Intune app deployment for a Win32 app that is assigned as 'Available' to a user group. The user reports that the app does not appear in Company Portal. The user is a member of the assigned group. The device is enrolled and compliant. What should you check first?

A.Review the app detection rules.
B.Confirm the app is assigned as 'Required' instead of 'Available'.
C.Verify the user is in the correct Azure AD group.
D.Check if the app is added to Company Portal as a featured app.
AnswerD

Only featured apps appear by default; otherwise users must browse.

Why this answer

Option B is correct because the app must be added to the Company Portal as a featured app or the user must browse to find it; if not visible, it may not be added. Option A is wrong because the app is assigned to the user group. Option C is wrong because the app is not required.

Option D is wrong because detection rules are for installation, not visibility.

29
MCQmedium

You need to deploy a custom Win32 app to Windows 10 devices. The app installation is silent and requires a reboot. You set the installation behavior to 'system' and the device restart behavior to 'Allow'. After deployment, users report that the app is installed but not working properly. What is the most likely cause?

A.The app requires user interaction to complete setup
B.The detection rule is misconfigured
C.The device was not restarted after installation
D.The app was not wrapped correctly with the Intune Win32 Content Prep Tool
AnswerC

A pending restart can cause apps to malfunction.

Why this answer

When the installation behavior is 'system' and a reboot is required, setting device restart behavior to 'Allow' gives users the option to postpone the restart. If they postpone, the app may not function correctly until reboot. Option D addresses this.

30
MCQmedium

Your organization uses Microsoft Intune to manage iOS/iPadOS devices. You need to deploy a Microsoft Copilot app that requires users to sign in with their work account. The app must be automatically installed without user interaction. What should you do?

A.Configure a web clip that links to the app in the App Store.
B.Create an Intune App Protection Policy for the app.
C.Add the app as a line-of-business app and deploy via Company Portal.
D.Purchase the app through Apple Business Manager and assign it as a required app in Intune.
AnswerD

VPP allows silent install on supervised devices.

Why this answer

VPP apps can be assigned as required and installed silently if device is supervised. Option B is incorrect because Company Portal requires user to initiate. Option C is incorrect because APP does not install apps.

Option D is incorrect because web clip is not the app.

31
MCQeasy

You need to deploy a Microsoft Store app (e.g., Microsoft Whiteboard) to Windows 10 devices managed by Intune. Which app type should you use?

A.Microsoft Store app (Windows)
B.Windows app (Win32)
C.Web link
D.Microsoft Store for Business (offline licensed)
AnswerA

Directly supports store apps.

Why this answer

Option A is correct because Microsoft Store apps are deployed using the 'Microsoft Store app (Windows)' type in Intune. Option B is wrong for offline apps. Option C is wrong for packaged apps.

Option D is wrong for web links.

32
Multi-Selecthard

You are troubleshooting an Intune deployment of a line-of-business (LOB) app for iOS. The app fails to install on some devices with error '0x87D13B9F'. Which THREE actions should you take to diagnose the issue?

Select 3 answers
A.Check the Intune Service Health dashboard for service incidents
B.Check if the device is supervised and that the app requires supervised mode
C.Ensure that an app configuration policy is assigned to the device
D.Verify that the app's provisioning profile has not expired
E.Confirm that the device has sufficient storage space available
AnswersB, D, E

Some LOB apps require supervised devices.

Why this answer

Options A, B, and E are correct. Verify the app is signed with a valid Apple Developer Enterprise certificate; expired certificates cause failures. Check that the device is not supervised if required; some LOB apps require supervised mode.

Ensure the device has enough storage; error can be storage-related. Option C is wrong because Intune Service Health is not specific to app deployment. Option D is wrong because app configuration policies are optional.

33
MCQeasy

Your company uses Microsoft Intune to manage Windows 10 devices. You need to deploy a Microsoft Store app (new) named 'Company Portal' to all devices. The app is already added to Intune. You want to ensure that the app is automatically installed on devices that are not yet enrolled in Intune. You assign the app to the 'All devices' group with the intent 'Required'. However, you notice that devices that enroll after the assignment do not receive the app automatically. What should you do to ensure that the app installs on newly enrolled devices?

A.Create a new assignment with 'Available' intent for the 'All devices' group
B.Ensure the 'All devices' group is a dynamic group that includes all devices
C.Re-add the app to Intune
D.Change the assignment intent to 'Available'
AnswerB

Dynamic groups automatically include new devices.

Why this answer

Option C is correct. The 'Required' assignment with 'All devices' group will apply to devices that enroll later because the assignment is dynamic. However, if the group includes 'All devices', new devices should get the app.

The issue might be that the group is a static device group. The best practice is to use a dynamic device group that includes all devices. Option A is wrong because the assignment is already required.

Option B is wrong because 'Available' requires user initiation. Option D is wrong because the app is already added.

34
Multi-Selectmedium

Which TWO actions are required to deploy a Win32 app using Microsoft Intune? (Choose two.)

Select 2 answers
A.Upload the .intunewin package file.
B.Configure detection rules.
C.Connect to Managed Google Play.
D.Assign a Microsoft Store license.
E.Sign the app with a macOS developer certificate.
AnswersA, B

The .intunewin file is the packaged app for Win32 deployment.

Why this answer

To deploy a Win32 app, you must upload the .intunewin file (which contains the installation files) and configure detection rules (to determine if the app is installed). Options A and C are correct. Option B is wrong because the app is not from the store.

Option D is wrong because Managed Google Play is for Android. Option E is wrong because macOS signing is not required for Windows apps.

35
MCQhard

An organization uses Microsoft Intune to manage iOS/iPadOS devices. They have a custom line-of-business (LOB) iOS app that must be deployed to 50 devices. The app is signed with an enterprise certificate. The administrator uploads the .ipa file to Intune and assigns it as 'Required' to a device group containing the 50 devices. After 24 hours, only 30 devices have the app installed. The remaining 20 devices show 'pending install' status. What is the most likely cause?

A.The .ipa file exceeds the maximum file size allowed for LOB apps.
B.The users on the 20 devices have not opened the Company Portal app to trigger the installation.
C.The devices do not have a trusted certificate profile that trusts the enterprise signing certificate.
D.The MDM push certificate has expired, preventing app installation.
AnswerC

Enterprise-signed apps require the device to trust the root certificate.

Why this answer

The most likely cause is that the 20 devices lack a trusted certificate profile that trusts the enterprise signing certificate. For an enterprise-signed LOB app to install on iOS/iPadOS, the device must trust the root certificate used to sign the app. Without a trusted certificate profile deployed via Intune, the installation will remain in 'pending install' status because the device cannot validate the app's signature.

Exam trap

The trap here is that candidates often assume 'pending install' means a user action is required (like opening Company Portal) or a network issue, but Microsoft Intune's MDM channel can push apps silently; the real blocker is certificate trust for enterprise-signed apps.

How to eliminate wrong answers

Option A is wrong because Intune's maximum file size for LOB apps is 2 GB, and the .ipa file would typically be much smaller; exceeding this limit would cause an upload failure, not a 'pending install' status. Option B is wrong because when an app is assigned as 'Required' in Intune, the installation is pushed silently via the MDM channel and does not require the user to open the Company Portal app. Option D is wrong because an expired MDM push certificate would prevent all MDM communication, not just app installations on a subset of devices, and the other 30 devices successfully installed the app, proving the push certificate is valid.

36
Multi-Selectmedium

A company is planning to deploy a custom Win32 app to Windows 10 devices using Intune. The app requires a .NET Framework 4.8 prerequisite. Which TWO methods can the administrator use to ensure the prerequisite is installed?

Select 2 answers
A.Require users to manually install the prerequisite
B.Use Group Policy to deploy the prerequisite
C.Add the prerequisite as a dependency in the app deployment
D.Package the prerequisite into the same Win32 app
E.Create a custom detection script that installs the prerequisite if missing
AnswersC, E

Dependencies allow automatic installation of prerequisites.

Why this answer

Option C is correct because Intune Win32 app deployment supports dependencies, allowing an administrator to specify .NET Framework 4.8 as a required dependency. When configured, Intune automatically installs the dependency before the main app, ensuring the prerequisite is present without manual intervention or additional scripting.

Exam trap

The trap here is that candidates often confuse 'packaging the prerequisite into the same app' (Option D) as a valid method, but Intune requires dependencies to be separate app entries with their own detection rules, not bundled installers.

37
MCQeasy

Your organization has devices enrolled in Microsoft Intune that are not domain-joined. You need to deploy a LOB app that requires a license key stored in a file. The app must be installed automatically when devices are enrolled. What should you do?

A.Package the app as a Win32 app and include a script to copy the license file.
B.Use a Microsoft Store for Business app and include the license as a dependency.
C.Join devices to Azure AD and use Group Policy to install.
D.Create an Intune App Protection Policy to deploy the license.
AnswerA

Win32 app allows custom installation scripts.

Why this answer

Intune can deploy Win32 app with script that reads license file. Option B is incorrect because Store apps cannot include custom license files. Option C is incorrect because APP does not install apps.

Option D is incorrect because Azure AD joined is not required for Intune.

38
MCQmedium

A company uses Microsoft Intune to manage iOS and Android devices. Users report that some line-of-business (LOB) apps fail to install with error '0x87D1041C'. The apps are signed and deployed as device-required installs. What is the most likely cause?

A.The user is not assigned to the app deployment.
B.The app is not compliant with the device's OS version.
C.The device does not have the required app configuration policy.
D.The app is signed with a different certificate than the one uploaded to Intune.
AnswerD

This error specifically indicates a certificate mismatch.

Why this answer

Error 0x87D1041C in Intune indicates a signature mismatch. When a line-of-business (LOB) app is deployed as a device-required install, the app binary must be signed with a certificate that has been uploaded to the Intune console. If the signing certificate used to sign the app differs from the one uploaded, Intune rejects the installation because it cannot verify the app's integrity and trust chain.

Exam trap

The trap here is that candidates often confuse error 0x87D1041C with a user assignment or OS version issue, but the specific error code directly points to a certificate mismatch, not a policy or compliance failure.

How to eliminate wrong answers

Option A is wrong because the deployment is configured as a device-required install, which targets the device directly and does not require user assignment; the error would be different (e.g., 0x87D13B9F) if the user lacked assignment. Option B is wrong because OS version compliance issues typically produce error 0x87D1041C only if the app's minimum OS requirement is not met, but the question states the apps are signed and deployed, and the specific error code 0x87D1041C maps to a certificate/signing problem, not an OS version mismatch. Option C is wrong because app configuration policies are optional for LOB apps and are not required for installation; missing configuration policies would not block installation with this error code.

39
MCQeasy

You need to deploy a Microsoft 365 Apps for enterprise configuration (e.g., exclude specific apps) to Windows 10 devices via Intune. Which tool should you use to generate the configuration XML?

A.Office Customization Tool (OCT)
B.Group Policy Management Console
C.Microsoft 365 admin center
D.Microsoft Intune admin center
AnswerA

OCT creates the configuration XML for Click-to-Run installations.

Why this answer

Option A is correct because the Office Customization Tool is the official tool for creating configuration XML for Click-to-Run. Option B is wrong because the Microsoft 365 admin center is for user management. Option C is wrong because Group Policy Management Console is for on-premises.

Option D is wrong because Intune does not generate XML.

40
MCQeasy

You assign a required app to a device group. After the next sync, some devices report a 'Failed' status. What should you check first?

A.The device's last sync time
B.If a newer version is already installed
C.Whether the user is licensed
D.The device management log
AnswerD

Logs contain error details.

Why this answer

Option B is correct because the device log provides details on why the installation failed. Option A is wrong because the user may not be relevant. Option C is wrong because the same version may be the cause, but logs give specifics.

Option D is wrong because sync status is not detailed enough.

41
MCQmedium

Your organization uses Microsoft Intune to manage Windows 10 devices. Users report that some required applications are not being installed on their devices. You confirm the applications are assigned as 'Required' to a device group, and the devices are online. What is the most likely cause?

A.BitLocker encryption is pending
B.The user is not logged in to the device
C.The enrollment status page is blocking installation
D.The Intune Management Extension is missing
AnswerD

The extension is required for Win32 app deployment.

Why this answer

Option C is correct because if the Intune Management Extension is not installed or running, PowerShell scripts and Win32 apps will not be processed. Option A is wrong because the BitLocker policy does not affect application installation. Option B is wrong because the user is not required to be logged in for device-targeted assignments.

Option D is wrong because the enrollment status page does not block required app installs.

42
MCQhard

Your organization uses Microsoft Intune to manage iOS/iPadOS devices. You need to deploy an internal web app as a web clip on users' devices. The app requires users to authenticate with their organization credentials. Which configuration is required to ensure a seamless single sign-on experience?

A.Add the web clip with 'Managed App Configuration' including SSO key
B.Enable 'Use managed browser' in the app assignment
C.Deploy a VPN configuration that forces traffic through the corporate network
D.Configure the web clip with 'Full screen' option enabled
AnswerA

Managed App Configuration allows setting SSO for web clips.

Why this answer

For web clips on iOS/iPadOS, to enable single sign-on, you must configure a Managed App Configuration with SSO settings. Option C is correct because using the 'managed app configuration' with 'SSO' key allows the app to use Microsoft Entra ID authentication without prompting.

43
MCQmedium

Contoso uses Intune to manage iOS/iPadOS devices. You need to ensure that only approved apps from the Microsoft Store can be installed on corporate devices. What should you configure?

A.App Protection Policies (APP)
B.Device Compliance policies
C.iOS/iPadOS App Configuration policies
D.Managed App Policies (MAM)
AnswerD

MAM policies can restrict installation to approved apps.

Why this answer

App Protection Policies (APP) are for data protection on managed apps, not app installation restrictions. Device Compliance policies enforce compliance, not app control. iOS/iPadOS App Config policies provide configuration, not restrictions. Managed App Policies (MAM) are for app protection.

Option B is correct because Managed App Policies can restrict app installation to approved apps.

44
MCQmedium

A company uses Microsoft Intune to manage Windows 10 devices. They deployed a Win32 app as 'required' but some devices show 'pending install'. The app is configured with a detection rule that checks for a registry key. What should you check first?

A.Increase the app installation timeout.
B.Ensure the device has connectivity to Intune.
C.Reassign the app to a different security group.
D.Check if the detection rule is incorrectly marking the app as installed.
AnswerD

A pre-existing registry key can cause Intune to skip installation, resulting in 'pending install'.

Why this answer

Option D is correct because the most common reason for a 'pending install' status when a detection rule is configured is that the rule is incorrectly detecting the app as already installed. Intune evaluates the detection rule before attempting installation; if the rule finds the registry key (even if the app is not fully functional), Intune skips the installation and reports 'pending' or 'installed' without actually deploying the app. This is a frequent misconfiguration where the detection rule is too broad or references a key that exists from a previous installation or unrelated software.

Exam trap

The trap here is that candidates often assume 'pending install' means a connectivity or timeout issue, but the real cause is a misconfigured detection rule that falsely reports the app as already installed, preventing the installation from executing.

How to eliminate wrong answers

Option A is wrong because increasing the installation timeout would not resolve a detection rule that incorrectly marks the app as installed; timeout issues typically affect downloads or installations that are genuinely in progress, not a false positive detection. Option B is wrong because if the device lacked connectivity to Intune, the status would likely be 'not applicable' or 'error' rather than 'pending install', and Intune would report a communication failure. Option C is wrong because reassigning the app to a different security group would not fix a detection rule logic error; the issue is with how the app is detected on the device, not with group membership or targeting.

45
MCQhard

You manage a fleet of Windows 10 devices with Microsoft Intune. You need to deploy a Win32 app that has a complex installation requiring multiple command-line parameters. The app must be available to users in the Company Portal. What is the best way to handle the installation parameters?

A.Deploy a PowerShell script via Intune that runs the installer with parameters.
B.Configure detection rules to run a script that passes parameters.
C.Use the Intune Win32 app packaging to specify the installation command with parameters.
D.Use an administrative template to set parameters before installing.
AnswerC

The .intunewin file includes the command line.

Why this answer

Intune Win32 app deployment allows specifying installation command and parameters in the app package. Option B is incorrect because detection rules do not install. Option C is incorrect because PowerShell scripts can be included but not as separate assignment.

Option D is incorrect because administrative templates configure settings, not install apps.

46
Multi-Selectmedium

A company uses Microsoft Intune to manage Android Enterprise devices. They have a requirement to deploy a set of apps that are critical for business operations. Which TWO app deployment policies should the administrator configure to ensure the apps are always available and up-to-date?

Select 2 answers
A.Enable 'Auto-update' for the apps in the managed Play Store.
B.Assign the apps as 'Required' to the device group.
C.Configure the app to allow users to update manually.
D.Assign the apps as 'Available for enrolled devices' to the device group.
E.Set the app assignment type to 'Uninstall' for the device group.
AnswersA, B

Auto-update ensures apps stay current.

Why this answer

Option A is correct because enabling 'Auto-update' for apps in the managed Play Store ensures that critical business apps are automatically updated to the latest version without user intervention, maintaining security and functionality. Option B is correct because assigning apps as 'Required' to a device group forces installation on all targeted devices, guaranteeing that the apps are always present for business operations.

Exam trap

The trap here is that candidates often confuse 'Available for enrolled devices' with 'Required', not realizing that only 'Required' forces installation, while 'Available' relies on user action, which fails the 'always available' requirement.

47
MCQhard

Your organization uses Microsoft Intune to manage macOS devices. You need to deploy a .pkg app that is signed by a developer certificate that is not yet trusted on the devices. What must you do to allow the installation?

A.Deploy the app as a line-of-business app with the 'Allow user to bypass' option enabled.
B.Use a device configuration policy to trust the developer certificate before deploying the app.
C.Instruct users to manually approve the installation in System Preferences.
D.Convert the .pkg to a .dmg and deploy via Microsoft Store for Business.
AnswerB

Trusting the certificate allows the .pkg to run.

Why this answer

Option B is correct because you can use a kernel extension profile to allow the developer ID, or use a custom attribute. Alternatively, you can deploy the app as a line-of-business app and use the 'Allow user to bypass' option. But the best approach is to trust the developer certificate via a configuration profile.

Option A is wrong because MDM can deploy unsigned apps only if the device is supervised. Option C is wrong because user approval is not enough. Option D is wrong because the app store is not used.

48
Drag & Dropmedium

Order the steps to configure a Windows 10 device for Microsoft 365 Apps deployment via Intune.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Begin in Intune admin center, add a new app, choose Microsoft 365 Apps, configure suite, and assign.

49
MCQhard

You have an Intune-managed Windows 10 device that is not receiving app updates. The app was deployed as a Win32 app with a detection rule. You verify that the device is online and the Intune Management Extension is running. What should you check first?

A.The detection rule is set to 'File exists'.
B.The app is assigned as 'Required' in the assignment.
C.The Intune Management Extension is up to date.
D.The app assignment schedule is configured to update.
AnswerD

The update schedule must be set for the app to receive updates.

Why this answer

The app update frequency is controlled by the app assignment schedule. Option A is correct because if the assignment is set to 'Available' or 'Required' but not 'Update', the app will not update automatically. Option B is wrong because the extension runs regardless.

Option C is wrong because logs would not show update policy. Option D is wrong because detection rules are for installation, not updates.

50
MCQmedium

Your organization uses Microsoft Intune to manage Windows 10 devices. You need to deploy a line-of-business (LOB) app that requires a reboot after installation. Which deployment configuration should you use to ensure the app installs and the device reboots outside of business hours?

A.Available assignment without deadline
B.Available assignment with a deadline and a grace period for reboot
C.Uninstall assignment for all devices
D.Required assignment with a reboot behavior of 'Immediate'
AnswerB

Allows flexible installation and postpones reboot within grace period.

Why this answer

Option B is correct because the 'Available' assignment with 'Deadline' and 'Grace period' allows users to install the app during non-business hours and provides a grace period before forced reboot. Option A is wrong because 'Required' assignment with 'Immediate' reboot would force reboot immediately. Option C is wrong because 'Uninstall' assignment removes the app.

Option D is wrong because 'Available' without deadline does not enforce reboot timing.

51
MCQhard

You are troubleshooting an Intune-managed iOS device that cannot install a VPP (Volume Purchase Program) app. The device shows a 'License Not Found' error. The app is assigned as 'Available' without device enrollment. What is the most likely cause?

A.The app is configured to remove when the device leaves management.
B.The Apple VPP token has expired.
C.The device is not compliant with conditional access policies.
D.The device is enrolled without user affinity (device enrollment).
AnswerD

VPP apps need user affinity to assign licenses.

Why this answer

Option B is correct because VPP apps require user enrollment for Apple VPP token to assign licenses; device enrollment does not support user-based licensing. Option A is wrong because app removal policy is irrelevant. Option C is wrong because device compliance is not the issue.

Option D is wrong because the token is valid.

52
MCQhard

Your organization deploys Microsoft Defender for Endpoint (now Microsoft Defender XDR) on Windows 10 devices using Intune. After deployment, some devices show 'Defender service is not running' in the security console. The devices are online and compliant. What is the most likely cause?

A.Tamper protection is enabled and blocking the service.
B.The devices are not compliant with the Defender policy.
C.Windows Firewall is blocking Defender updates.
D.A third-party antivirus is installed and active.
AnswerD

Defender disables when another AV is active.

Why this answer

Option C is correct because if another antivirus product is active, Defender will disable itself to avoid conflict. Option A is wrong because compliance policy does not disable service. Option B is wrong because tamper protection prevents changes, not failure.

Option D is wrong because firewall is unrelated.

53
Multi-Selecthard

Which THREE of the following are valid detection rule types for a Win32 app in Microsoft Intune? (Select THREE.)

Select 3 answers
A.Windows feature
B.MSI product code
C.File system
D.Registry
E.DNS query
AnswersB, C, D

Detects based on MSI product GUID.

Why this answer

File, registry, and MSI product code are valid detection rules. PowerShell script is also valid but not listed. Script is valid; however, the three listed are file, registry, and MSI.

PowerShell script is also a detection rule type. But the question asks for three from the options. I need to choose three correct ones.

File, registry, and MSI product code are all valid. DNS query is not a detection rule. So A, B, C.

54
MCQmedium

Your organization manages Windows devices with Intune and uses Azure Information Protection (AIP) to classify documents. You are deploying the AIP client as a Win32 app. After deployment, some users report that the AIP add-in is not visible in Office applications. What should you check first?

A.Confirm that Office is updated to the latest version.
B.Ensure that the required .NET Framework and Visual Studio Tools for Office runtime are installed.
C.Verify that the user has local administrator rights.
D.Check if the device has internet access to activate the client.
AnswerB

These are prerequisites for the add-in to load.

Why this answer

Option C is correct because the AIP client requires the .NET Framework and Visual Studio Tools for Office runtime. Missing prerequisites cause the add-in to not load. Option A is wrong because user permissions affect installation but not add-in visibility after install.

Option B is wrong because network connectivity is not the primary issue. Option D is wrong because Office updates don't remove the add-in.

55
MCQeasy

Refer to the exhibit. You see this JSON in an Intune policy for a Windows 10 device. What type of app is being deployed?

A.Win32 app
B.Web app
C.Line-of-business app
D.Microsoft Store app
AnswerD

The type is windowsStoreApp.

Why this answer

Option A is correct because the @odata.type is 'microsoft.graph.windowsStoreApp', indicating a Microsoft Store app. Option B is wrong because Win32 apps have a different type. Option C is wrong because LOB apps use a different type.

Option D is wrong because web apps use a different type.

56
MCQeasy

An organization uses Microsoft Intune to manage Windows 11 devices. They want to deploy a custom script that runs during device provisioning (ESP – Enrollment Status Page). Which app type should they use?

A.Line-of-business app
B.Win32 app
C.PowerShell script (Device configuration)
D.Proactive remediations
AnswerC

Can run during ESP.

Why this answer

Option B is correct because PowerShell scripts can be run as a 'Windows PowerShell script' in Intune and can be included in ESP. Option A is wrong because Win32 apps are deployed after ESP. Option C is wrong because LOB apps are for MSI/EXE.

Option D is wrong because proactive remediations run after enrollment.

57
Multi-Selectmedium

Which THREE conditions must be met for an iOS line-of-business app to be successfully installed via Intune?

Select 3 answers
A.The app must be assigned to a security group.
B.The app must be signed with an Apple Developer Enterprise Distribution certificate.
C.The device UDID must be registered with Apple Business Manager.
D.The app must be uploaded as a .ipa file.
E.The user must have an active Apple ID.
AnswersB, C, D

Enterprise certificate is required for LOB apps.

Why this answer

Option B is correct because iOS line-of-business (LOB) apps distributed outside the App Store must be signed with an Apple Developer Enterprise Distribution certificate to be trusted by the device. This certificate allows the app to run without being individually approved by Apple, which is required for Intune-managed enterprise deployment. Without this signing, the device will reject the installation due to code signing validation failures.

Exam trap

The trap here is that candidates often confuse the prerequisites for App Store apps (which require an Apple ID) with those for enterprise LOB apps, leading them to incorrectly select 'active Apple ID' as a requirement.

58
MCQmedium

Your company uses Microsoft Intune to manage Windows 10 and 11 devices. You have been asked to deploy a Microsoft 365 Apps for enterprise (formerly Office 365 ProPlus) configuration that includes Word, Excel, PowerPoint, and Outlook. The deployment must be assigned to a group of 200 devices that are not connected to the internet during initial setup; they will get updates from a local Distribution Point (DP) on the network. You have created a Win32 app using the Office Deployment Tool (ODT) with a configuration XML that specifies the products and updates source. Which additional step is necessary to ensure the installation succeeds without internet?

A.Enable the 'Allow devices to discover network content' setting in Intune.
B.Download the Office installation files to each device before deployment.
C.Set the Office channel to 'Current' in the Intune app properties.
D.Include the SourcePath attribute in the configuration XML pointing to the local DP.
AnswerD

ODT needs to know where to get installation files.

Why this answer

Option A is correct because the ODT configuration XML must include the SourcePath attribute pointing to the local DP for installation files. Option B is wrong because the local DP already hosts the files; no additional download required. Option C is wrong because network discovery is not needed if the path is specified.

Option D is wrong because the channel is specified in the XML, not in Intune app properties.

59
Multi-Selectmedium

Your organization uses Intune to manage iOS devices. You need to deploy a custom configuration for a line-of-business app. Which TWO methods can you use?

Select 2 answers
A.App Configuration Policy for managed devices
B.App Protection Policy
C.iOS app configuration file in the app package
D.App Configuration Policy for managed apps
E.Device Configuration Profile
AnswersA, C

Delivers settings to LOB apps.

Why this answer

Options A and D are correct because they allow custom app configuration. Option B is wrong because it's for app store apps. Option C is wrong because app protection policies do not configure app settings.

Option E is wrong because device features are not app-specific.

60
MCQmedium

Your organization uses Microsoft Intune to manage Windows 10 devices. You need to deploy a line-of-business (LOB) app that is signed with a certificate not trusted by the devices. Which app deployment method should you use?

A.Microsoft Store for Business (MSFB) app
B.Windows app (sideloading)
C.Web app
D.Line-of-business (LOB) app
AnswerD

LOB app type allows sideloading of apps with custom certificates.

Why this answer

Option B is correct because LOB apps that are not signed with a trusted certificate must be installed using the 'Line-of-business app' type in Intune, which allows sideloading. Option A is wrong because the Microsoft Store for Business is for store apps only. Option C is wrong because side-loading requires a specific license or sideloading key but is not the primary Intune deployment method.

Option D is wrong because web apps are for links, not binary installations.

61
MCQhard

Refer to the exhibit. You run the PowerShell command on a Windows 10 device to troubleshoot why a Win32 app did not install. What information does this command provide?

A.The start of an app installation attempt
B.The list of assigned policies
C.The result of a completed app installation
D.Errors from the last sync
AnswerA

Event 1001 logs the beginning of an installation.

Why this answer

Option C is correct because Event ID 1001 in the Intune Management Extension log indicates the start of an app installation. Option A is wrong because it does not show policies. Option B is wrong because it does not show errors specifically.

Option D is wrong because it shows the start, not the completion.

62
MCQhard

Refer to the exhibit. You are deploying a line-of-business app to Windows 10 devices. The JSON shows the app configuration in Microsoft Graph. Which of the following is true about this deployment?

A.The device will restart automatically after installation.
B.The app will only install if the product code matches.
C.The app will install in system context.
D.The app will be installed from the Microsoft Store for Business.
AnswerC

useDeviceContext: true means system context installation.

Why this answer

The JSON is for a Windows Mobile MSI app. useDeviceContext: true means the app installs in device context (system). suppress device restart means the device will not restart after install. Option C is correct. Option A is wrong because the app is line-of-business, not store.

Option B is wrong because restart is suppressed. Option D is wrong because productCode is for detection.

63
MCQmedium

Your organization uses Microsoft Intune to manage iOS/iPadOS devices. You need to deploy a custom vertical market app that is not available in the Apple App Store. The app is distributed as an .ipa file signed with an enterprise certificate. You have uploaded the .ipa file to Intune. However, when you assign the app to a user group, the installation fails on devices with the error 'Unable to download app'. The devices are enrolled as user-affinity devices with Device Enrollment Program (DEP). You have verified that the enterprise certificate is trusted on the devices. What is the most likely cause of the failure?

A.The app package does not include an icon file.
B.The devices do not have a VPN configuration profile installed.
C.The app is not purchased through the Volume Purchase Program (VPP).
D.The devices are not in Supervised mode.
AnswerD

Enterprise apps require supervised mode for silent installation.

Why this answer

Option B is correct because enterprise-signed apps require the device to be in Supervised mode for silent installation without user prompts. Without supervision, the user must manually trust the certificate or the app may fail. Option A is wrong because VPN configuration is not required for app download.

Option C is wrong because VPP is for store apps, not enterprise-signed. Option D is wrong because the icon file is not critical for installation.

64
MCQhard

You are designing an app protection policy (APP) for Microsoft 365 mobile apps accessing corporate data on iOS devices. The security team requires that when a user opens a work document in the Microsoft Word app, the user must authenticate with Face ID or a passcode. Which setting should you configure?

A.Require PIN or Face ID for access (iOS)
B.Block managed apps from running on jailbroken devices
C.Encrypt app data
D.Require app PIN when device PIN is not set
AnswerA

This setting enforces authentication on app access.

Why this answer

Option A is correct because 'Require PIN or Face ID for access' controls access to the app itself, including when opening documents. Option B is wrong because jailbreak/root detection is a device condition. Option C is wrong because encryption is for data at rest.

Option D is wrong because 'Block managed apps from running on jailbroken devices' is a device-level check.

65
Multi-Selecteasy

Which TWO of the following are required to deploy an iOS line-of-business app via Microsoft Intune? (Select TWO.)

Select 2 answers
A.iOS app package file (.ipa)
B.Apple Developer signing certificate
C.iOS provisioning profile
D.Volume purchase program (VPP) token
E.MDM push certificate
AnswersA, C

The app binary.

Why this answer

An .ipa file is the app package. A provisioning profile is needed for app installation. An MDM push certificate is for device management, not app deployment.

A VPP token is for volume purchasing. A signing certificate is needed for development, but the provisioning profile includes signing info. So the two required are .ipa and provisioning profile.

66
MCQmedium

Your organization uses Microsoft Intune to manage macOS devices. You need to deploy a custom .pkg app to all macOS devices. What app type should you create in Intune?

A.macOS app (line-of-business)
B.Windows app (Win32)
C.Web link
D.iOS app (line-of-business)
AnswerA

macOS line-of-business app supports .pkg and .dmg files.

Why this answer

macOS app (line-of-business) supports .pkg and .dmg. Option D is correct. Option A is wrong because Windows app is for Windows.

Option B is wrong because iOS app is for iOS. Option C is wrong because web link is for URLs.

67
MCQeasy

A company wants to deploy Microsoft 365 Apps for enterprise to Windows 10 devices using Intune. They need to ensure that the apps are updated automatically from the Office Content Delivery Network (CDN). Which update channel should they select in the Office app deployment configuration?

A.Semi-Annual Enterprise Channel
B.Current Channel
C.Monthly Enterprise Channel
D.Insider Channel
AnswerC

Monthly Enterprise Channel is the recommended channel for enterprises, delivering updates monthly from the CDN.

Why this answer

The Monthly Enterprise Channel is the correct choice because it provides a predictable, once-per-month update cadence with security and quality updates, and it is designed for enterprise environments that require automatic updates from the Office Content Delivery Network (CDN) via Intune. This channel balances receiving new features sooner than the Semi-Annual Enterprise Channel while still offering managed deployment through configuration profiles.

Exam trap

The trap here is that candidates often confuse the Monthly Enterprise Channel with the Current Channel, assuming that 'Monthly' implies the same rapid update frequency as Current Channel, when in fact Current Channel updates multiple times per month and is not the recommended default for managed enterprise deployments.

How to eliminate wrong answers

Option A is wrong because the Semi-Annual Enterprise Channel only receives updates twice per year, which would delay critical security updates and does not align with the requirement for automatic updates from the CDN with a more frequent cadence. Option B is wrong because the Current Channel delivers updates multiple times per month, which can introduce frequent feature changes that may not be suitable for enterprise environments needing stability and predictable testing cycles. Option D is wrong because the Insider Channel is intended for early testing and validation of pre-release builds, not for production deployment with automatic updates from the CDN.

68
MCQeasy

You need to deploy Microsoft Edge for Business to Windows 10 devices using Microsoft Intune. Which app type should you select in the Intune portal?

A.Web link
B.Windows app (Win32)
C.Microsoft 365 Apps
D.Built-in app
AnswerD

Edge for Business is listed under built-in apps.

Why this answer

Microsoft Edge for Business is available as a built-in app in Intune (for Windows 10). Option C is correct.

69
MCQhard

A user on a Windows 11 device managed by Intune reports that a required Win32 app is not installing. The Intune console shows the app assignment is 'Required' and the device status is 'Error'. You review the detection rules and find that the app is detected by file version. The app installs successfully when run manually with admin rights. What is the most likely cause?

A.The installation script returns a non-zero exit code.
B.The detection rule is incorrectly matching an existing file version.
C.The Intune Management Extension is not running.
D.The installation script fails in system context.
AnswerB

A false positive detection can cause Intune to skip installation and report error.

Why this answer

Option D is correct because the detection rule may be checking for a file version that already exists (e.g., from a previous version), causing Intune to think the app is already installed. Option A is wrong because the app installs manually. Option B is wrong because the script exit code would show as failed.

Option C is wrong because admin rights are available manually but the system context may differ.

70
MCQhard

An organization uses Microsoft Intune to manage iOS devices. They need to deploy an internal line-of-business (LOB) app that is signed with an enterprise certificate. The app must be available to users who are members of a dynamic Microsoft Entra ID group. Which deployment method should you use?

A.Use a VPP token to deploy the app
B.Configure a managed open-in policy
C.Assign the LOB app as 'Required' to the dynamic group
D.Assign the LOB app as 'Available' to the dynamic group
AnswerD

Makes the app available in Company Portal for group members.

Why this answer

Assigning the app to the dynamic group as an available deployment will make it visible in the Company Portal. Required deployment forces installation, not ideal. A volume purchase program (VPP) is for store apps.

Managed open-in is a data protection feature.

71
MCQhard

Refer to the exhibit. You query Microsoft Graph API and receive this JSON for a managed device. App2 installation failed. The app is a Win32 app deployed as required. The device is compliant and enrolled via MDM. What is the most likely reason for the failure?

A.The Intune Management Extension is not installed.
B.The app is not assigned to the user.
C.The app version is incompatible with the device OS.
D.The device is not compliant.
AnswerA

IME is required for Win32 apps on MDM devices.

Why this answer

Win32 apps require the Intune Management Extension (IME) to install on MDM-only devices. Without IME, installation fails. Option A is incorrect because device is compliant.

Option B is incorrect because assigned to user or device. Option C is incorrect because compliance does not block installation. Option D is incorrect because version is correct.

72
MCQhard

Your organization uses Microsoft Intune to manage macOS devices. You need to deploy a custom .pkg app that requires specific installation parameters. Which app type should you select?

A.Line-of-business app
B.macOS app (DMG)
C.Windows app (Win32)
D.macOS app (PKG)
AnswerB

DMG app type supports .pkg files embedded in disk images.

Why this answer

For macOS, custom .pkg apps are deployed using the 'macOS app (DMG)' type, which supports .pkg files embedded in a .dmg. Option D is correct. Option A is wrong because the Line-of-business app type is for iOS/iPadOS.

Option B is wrong because the macOS app (PKG) type does not exist natively; .pkg is handled via DMG. Option C is wrong because the Windows app (Win32) type is for Windows only.

73
Multi-Selectmedium

Which THREE of the following are required to deploy a Win32 app using Microsoft Intune?

Select 3 answers
A.Product code
B.Detection rule
C.Return codes for success
D.Dependencies
E.Installation command
AnswersB, C, E

Required to determine if app is installed.

Why this answer

Options A, B, and C are required: a detection rule to verify installation, an installation command, and a return code for success. Option D is optional; Option E is only for MSI apps.

74
MCQhard

You deploy a Win32 app via Intune to Windows 10 devices. The app installs successfully, but the detection rule incorrectly reports the app as not installed, causing Intune to attempt reinstallation repeatedly. Which detection rule method is most likely causing this issue?

A.MSI product code detection uses a product code that does not match the installed app
B.File existence detection checks for a file that is installed by the app
C.Registry detection checks for a registry key that is created by the app
D.Custom script detection returns exit code 0 even if app is not present
AnswerA

Mismatched product code causes detection failure.

Why this answer

Option D is correct because if the MSI product code is used but the product code is wrong or missing, Intune will not detect the app. Option A is wrong because file existence detection is straightforward if path is correct. Option B is wrong because registry detection is reliable if key exists.

Option C is wrong because custom script detection can work if script returns correct exit code.

75
MCQhard

You are deploying a Win32 app that requires .NET Framework 4.8. You create a dependency in Intune for the .NET Framework app. However, some devices fail to install the parent app even though .NET Framework is present. What is the most likely issue?

A.The dependency version is set to 'Greater than' instead of 'Greater than or equal to'.
B.The dependency detection rule does not match the actual .NET installation.
C.The parent app is set to install before the dependency.
D.The dependency is set to 'Do not install automatically'.
AnswerB

Intune uses detection rules to determine if dependency is present.

Why this answer

Option D is correct because dependency rules check for app presence by detection method; if the detection method is not configured correctly, Intune may think .NET is not installed. Option A is wrong because dependencies do not check version by default. Option B is wrong because dependencies can be set to auto-install.

Option C is wrong because the parent app does not install before dependency.

Page 1 of 3 · 183 questions totalNext →

Ready to test yourself?

Try a timed practice session using only Md102 Manage Applications questions.