CCNA Md102 Manage Applications Questions

75 of 183 questions · Page 2/3 · Md102 Manage Applications topic · Answers revealed

76
MCQmedium

A user reports that a Microsoft 365 Apps for enterprise installation on a Windows 10 device fails with error code 30088-1028. The device is managed by Intune. What is the most likely cause?

A.Windows Update is disabled on the device.
B.The device does not have enough free disk space.
C.The user does not have an appropriate license assigned.
D.The device is behind a proxy that blocks the Microsoft CDN.
AnswerB

Error 30088-1028 is disk space related.

Why this answer

Option C is correct because error 30088-1028 typically indicates insufficient disk space for installation. Option A is wrong because proxy issues cause different errors. Option B is wrong because license assignment errors are different.

Option D is wrong because Windows update is unrelated.

77
MCQhard

Refer to the exhibit. A KQL query is run in Microsoft Defender XDR for a device 'WIN10-PC'. The results show that a critical line-of-business app 'ContosoApp' version '2.0.0' has InstallationResult 'Failed' with ErrorCode '0x80073CF6'. What does this error code typically indicate?

A.The app package is not signed correctly
B.The device does not have internet connectivity
C.The user does not have permission to install apps
D.The device has insufficient disk space
AnswerA

0x80073CF6 means APPX deployment error, often signing.

Why this answer

Error 0x80073CF6 is an app installation error that often indicates a signature or package issue, or that the app requires a newer OS version. It is not a network error or disk space error.

78
MCQeasy

You are asked to recommend a solution for deploying a web application as an icon on users' Windows 10 devices managed by Intune. Which app type should you use?

A.Windows app (Win32)
B.Microsoft Store app
C.Built-in app
D.Web link
AnswerD

Web links place a shortcut to the web app on the device.

Why this answer

Web links in Intune create shortcuts to URLs on the device. Option B is correct. Option A is wrong because the Windows app (Win32) is for desktop applications.

Option C is wrong because the Built-in app type is for system apps like Edge. Option D is wrong because the Microsoft Store app type is for store apps.

79
MCQeasy

You need to deploy a custom Microsoft Edge extension to managed Windows 10 devices via Intune. Which policy type should you use?

A.Device restrictions profile
B.Compliance policy
C.Administrative Templates profile (ADMX-backed policies)
D.PowerShell script deployment
AnswerC

Supports Edge extension policies.

Why this answer

Option A is correct. An Administrative Templates profile can configure Edge policies including extension installation. Option B is wrong because a device restrictions profile does not manage extensions.

Option C is wrong because a compliance policy is not for configuration. Option D is wrong because a PowerShell script is not the recommended method for extension deployment.

80
Multi-Selectmedium

Which TWO are prerequisites for deploying Win32 apps via Microsoft Intune?

Select 2 answers
A.The Intune management extension must be installed on devices
B.The app must be signed with a Microsoft certificate
C.Devices must be Microsoft Entra ID joined or hybrid joined
D.Devices must have at least 4 GB of RAM
E.Devices must be enrolled with user affinity
AnswersA, C

The extension handles Win32 app deployment.

Why this answer

Win32 app deployment requires the Intune management extension and that devices are Microsoft Entra ID joined or hybrid joined. Options A and D are correct.

81
MCQmedium

Refer to the exhibit. You deploy this ARM template to create an Intune configuration policy for macOS devices. The policy sets the 'com.apple.ManagedClient.appstore' setting to true. What is the expected behavior on the target macOS devices?

A.Users will be allowed to install apps from the App Store.
B.App Store updates will be automatically installed.
C.Only apps purchased through Apple Business Manager will be installable.
D.Users will be blocked from installing apps from the App Store.
AnswerA

Setting enables App Store access.

Why this answer

This setting allows the App Store for managed devices. Option A is incorrect because it enables, not disables. Option B is incorrect because it allows App Store, not specific apps.

Option C is incorrect because it does not configure updates. Option D is incorrect because it does not enforce certificate.

82
MCQhard

Your organization plans to deploy a Win32 app to Windows 10 devices using Intune. The app requires the .NET Framework 4.8, which is not present on all devices. How should you handle this dependency?

A.Include the .NET installer in the same package
B.Use a PowerShell script to install .NET before the app
C.Add a dependency in Intune for the .NET Framework
D.Configure a detection rule for .NET
AnswerC

Dependencies ensure prerequisites are installed first.

Why this answer

Option D is correct because Intune's dependency feature allows pre-installing required apps. Option A is wrong because prerequisites cannot be installed via detection rules. Option B is wrong because the MSI can include .NET, but if not, dependencies are the way.

Option C is wrong because scripting dependencies is less reliable.

83
MCQmedium

Refer to the exhibit. You deploy this AppLocker policy via Microsoft Intune to Windows 10 devices. The policy is in AuditOnly mode. Users are now able to run unsigned executables. You need to block unsigned executables without affecting signed ones. What should you do?

A.Add a deny rule for all Microsoft signed executables.
B.Keep the policy in AuditOnly and rely on Windows Defender to block unsigned apps.
C.Delete the existing rule and create a new rule that explicitly allows only specific signed apps.
D.Change the EnforcementMode to 'Enabled' and add a deny rule for unsigned executables.
AnswerD

Enabling enforcement with only allow rules for signed blocks unsigned.

Why this answer

The rule allows all Microsoft signed apps but is in audit mode. To block unsigned, you must change EnforcementMode to Enabled and add a deny rule for unsigned. Option A is correct because simply enabling enforcement will block unsigned (since no allow rule for unsigned).

Option B is incorrect because adding deny rule for signed would block signed. Option C is incorrect because deleting the rule would block all executables. Option D is incorrect because audit mode does not block.

84
MCQhard

Refer to the exhibit. You are deploying Microsoft 365 Apps via Intune Win32 app packaging. The detection rule checks for the registry key existence. After installation, Intune reports the app as not detected. What is the most likely reason?

A.The detection type 'exists' is not supported for registry detection
B.The registry key path is incorrect for a 64-bit system
C.The app did not create the registry key during installation
D.The detection runs in 32-bit context and does not see the 64-bit registry key
AnswerD

32-bit detection redirected to WOW6432Node, but check32BitOn64System is false.

Why this answer

Option C is correct. The registry path uses 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\InstallRoot' but on a 64-bit system, a 32-bit app (like the detection agent) may be redirected to WOW6432Node. The check32BitOn64System is false, so it does not check the WOW6432Node path.

Option A is wrong because the path is correct on 64-bit systems for 64-bit Office. Option B is wrong because Office does install that key. Option D is wrong because the detection type 'exists' is correct.

85
MCQeasy

A company uses Microsoft Intune to manage devices. They need to ensure that a critical line-of-business app is updated automatically on all devices. Which assignment type should they use?

A.Required
B.End-user notification
C.Uninstall
D.Available for enrolled devices
AnswerA

Forces app installation and updates.

Why this answer

Required assignment forces installation and updates. Available allows user opt-in. Uninstall removes the app.

End-user notification is not an assignment type.

86
MCQeasy

You are a Microsoft 365 administrator for a school district. You have 2,000 Windows 10 devices used by students. All devices are enrolled in Microsoft Intune. You need to deploy a set of educational apps from the Microsoft Store for Education (now part of Microsoft Store for Business). The apps should be automatically installed on all student devices, and students should not be able to remove them. You have already added the apps to your Microsoft Store for Business inventory and acquired offline licenses. You have also configured Intune to sync the Microsoft Store for Business. Which action should you take in Intune to deploy the apps with the least administrative effort?

A.Create a 'Microsoft Store for Business' app in Intune, select the offline-licensed apps, and assign as 'Required' to a device group containing all student devices.
B.Use the 'Microsoft Store app (Windows)' type and assign as 'Required' to the device group.
C.Create a 'Microsoft Store for Business' app in Intune, select the online-licensed apps, and assign as 'Available' to a user group.
D.Download the app packages and deploy as Win32 apps with silent switches.
AnswerA

Offline licenses allow silent install without user interaction.

Why this answer

Option A is correct: Using the 'Microsoft Store for Business' app type with offline licenses allows automatic sync and silent installation. Option B is for user-targeted. Option C is for online licenses.

Option D is for Win32 apps.

87
Multi-Selecthard

You are deploying a Win32 app via Intune that requires .NET Framework 4.8 as a dependency. Which THREE steps must you perform to ensure the dependency is installed before the app?

Select 3 answers
A.Configure a detection rule for .NET Framework in the main app.
B.In the main app's properties, add a dependency and select the .NET Framework app.
C.Set the dependency to 'Auto-install' so it installs before the main app.
D.Add .NET Framework 4.8 as a separate app in Intune.
E.Create a supersedence relationship where the .NET Framework app supersedes the main app.
AnswersB, C, D

Dependencies are defined in the app properties.

Why this answer

Option A, Option C, and Option D are correct. You need to add the dependency app in Intune, set the dependency for the main app, and configure auto-install for the dependency. Option B is wrong because detection rules are for the main app, not dependency order.

Option E is wrong because supercedence is for replacement, not dependencies.

88
MCQmedium

Your organization uses Microsoft Intune to manage Windows 10 devices. You need to ensure that only approved Microsoft Store apps can be installed on company devices. The solution must not require users to be local administrators. What should you configure?

A.Enable Conditional Access to block non-approved apps.
B.Deploy a local AppLocker policy using Intune.
C.Configure Windows Defender Application Control (WDAC) policy.
D.Assign an Intune App Protection Policy (APP) for Windows.
AnswerB

AppLocker can be configured via Intune to restrict app installations to approved Store apps.

Why this answer

A local AppLocker policy can be deployed via Intune to control app installations without requiring admin rights. Option B is incorrect because Windows Defender Application Control is more complex and not solely for Store apps. Option C is incorrect because Intune App Protection Policies apply to mobile devices, not Windows.

Option D is incorrect because Conditional Access controls access, not app installation.

89
MCQhard

You are a Microsoft 365 Endpoint Administrator for Contoso Ltd. The company has 2,000 Windows 11 devices enrolled in Microsoft Intune. You need to deploy a custom line-of-business (LOB) application (AppX package) to 500 devices used by the sales team. The app must be available in the Company Portal for users to install on demand, but it should also be automatically installed on devices that have not installed it within 7 days. Additionally, you want to ensure that the app is removed if a device is unenrolled from Intune. The sales team members are in a dynamic device group called 'Sales Devices' based on device category. You have the AppX package (.appxbundle) signed with a trusted certificate. You need to choose the correct deployment approach from the four options below.

A.Add as a Microsoft Store for Business (offline) app, assign to 'Sales Devices' group as 'Available', and configure deadline after 7 days.
B.Add as a Line-of-business app, assign to 'Sales Devices' group as 'Required', and also assign to the same group as 'Available' for Company Portal.
C.Add as a Line-of-business app, assign to 'Sales Devices' group as 'Available', and configure 'Available for enrolled devices' with deadline after 7 days.
D.Add as a Windows app (Win32), assign to a user group containing sales users as 'Required', and set deadline to 7 days.
AnswerB

Required ensures auto-install; Available allows on-demand; removal on unenroll is automatic.

Why this answer

Option C is correct: A required assignment to the device group ensures installation on all devices; the 'Available' assignment makes it visible in Company Portal; the removal on unenroll is automatic with required assignment. Option A has no required assignment. Option B uses user group, not device group.

Option D uses 'Available' assignment with deadline, but the deadline is not supported for LOB apps in that way.

90
MCQhard

Your organization uses Microsoft Intune to manage Windows 10 devices. They deploy a Win32 app using detection rules. The app installs but the detection rule incorrectly reports failure, causing repeated installation attempts. What is the best way to resolve this?

A.Uninstall and redeploy the app
B.Update the detection rule to accurately reflect installed state
C.Reinstall the app manually
D.Modify the installation command to suppress output
AnswerB

Corrects the false failure.

Why this answer

Updating the detection rule to accurately detect installation will prevent repeated attempts. Reinstalling may cause issues. Modifying the install command may not fix detection.

Uninstalling and redeploying is unnecessary.

91
MCQeasy

Northwind Traders is a retail company with 500 employees. They use Microsoft Intune to manage iOS devices. The company has a custom iOS app for inventory management that they need to deploy to all store managers. The app is signed with an enterprise certificate. The administrator uploads the .ipa file to Intune and assigns it as 'Required' to a device group containing the store managers' devices. After 48 hours, several managers report that the app is not installed on their devices. The administrator checks the Intune console and sees that the app status for those devices is 'Pending install'. What should the administrator do first to resolve the issue?

A.Deploy a certificate profile that installs the enterprise root certificate to the affected devices.
B.Create an app protection policy and assign it to the devices.
C.Instruct the users to install the app manually from the Company Portal app.
D.Re-upload the .ipa file to Intune with a different version number.
AnswerA

The devices need to trust the enterprise certificate.

Why this answer

The 'Pending install' status for an enterprise-signed iOS app typically indicates that the device does not trust the enterprise certificate used to sign the app. Deploying a certificate profile that installs the enterprise root certificate on the affected devices establishes trust, allowing the app to install successfully. Without this trust, iOS blocks the installation of any enterprise-signed app, even when assigned as 'Required' via Intune.

Exam trap

The trap here is that candidates may assume the issue is with the app package or assignment, rather than recognizing that iOS's enterprise app trust model requires the root certificate to be explicitly deployed to devices before installation can occur.

How to eliminate wrong answers

Option B is wrong because app protection policies (MAM) control data access and behavior within apps, not the installation of enterprise-signed apps; they do not resolve certificate trust issues. Option C is wrong because instructing users to install manually from Company Portal will still fail if the enterprise root certificate is not trusted on the device, as iOS will block the installation. Option D is wrong because re-uploading the .ipa file with a different version number does not address the underlying certificate trust issue; the app will remain in 'Pending install' until the device trusts the signing certificate.

92
MCQmedium

Your organization uses Microsoft Intune to deploy apps to Windows 11 devices. You need to ensure that a Win32 app installs only when the device has at least 4 GB of RAM. What should you configure?

A.A dependency rule that includes a RAM check
B.A return code for insufficient RAM
C.A requirement rule that specifies minimum RAM
D.A detection rule for RAM
AnswerC

Requirement rules define hardware and software prerequisites.

Why this answer

Intune Win32 apps support requirements rules, including memory (RAM) checks. Option D is correct. Option A is wrong because detection rules determine if the app is installed, not if it can install.

Option B is wrong because return codes indicate installation success or failure. Option C is wrong because dependency rules specify app dependencies, not hardware requirements.

93
MCQhard

A Win32 app 'AdobeReader' is configured as 'required' but users report the app is not installed. The above log excerpt is from a device that shows 'Installed' in Intune. What is the most likely cause?

A.The detection script incorrectly reports the app as installed.
B.The app is assigned to a different device group.
C.The app was installed but later removed by the user.
D.The device is not syncing with Intune.
AnswerA

The script returns exit code 0 and stdout 'Installed', so Intune skips enforcement. The actual app may be missing.

Why this answer

The log excerpt indicates that Intune reports the app as 'Installed' on the device, yet users confirm it is not present. This discrepancy most likely occurs because the detection script used to verify installation is flawed—it may be checking for a registry key, file, or version string that exists even when the app is not fully installed, or it may be returning a false positive. Since Intune relies entirely on the detection method to determine installation status, an incorrect script would cause Intune to mark the app as installed without the actual binaries being present.

Exam trap

The trap here is that candidates assume 'Installed' in Intune means the app is physically present on the device, but Intune only reflects what the detection method reports, not the actual file system state.

How to eliminate wrong answers

Option B is wrong because if the app were assigned to a different device group, the device would not receive the required assignment at all, and Intune would not show the app as 'Installed'—it would show 'Not applicable' or 'Pending'. Option C is wrong because if the user removed the app, Intune's next sync would detect the absence via the detection script and reinstall the app (since it's required), or at minimum change the status to 'Failed' or 'Not installed'. Option D is wrong because if the device were not syncing, Intune would show a stale or 'Last check-in' status older than 24 hours, and the app status would likely be 'Pending' or 'Unknown', not 'Installed'.

94
Multi-Selecthard

Which THREE factors can cause a required app deployment to fail on a Windows 10 device managed by Intune? (Choose three.)

Select 3 answers
A.The device has an app update policy that blocks updates.
B.The device is not connected to the internet.
C.The user is not assigned to the app.
D.The device does not meet the app's requirement rules.
E.The app's dependency is not installed.
AnswersB, D, E

Internet connectivity is required to download the app.

Why this answer

App deployment can fail for several reasons: if the device lacks connectivity to Intune (A), if the device does not meet the app's requirement rules (C), or if the app's dependency is not installed (D). Option B is wrong because user not being assigned does not affect required app deployment; the device itself must be targeted. Option E is wrong because app updates are not blocked by policies; they are configured by the admin.

95
MCQhard

You are the Intune administrator for a company that uses Microsoft Entra ID (Azure AD) for identity. You have a line-of-business (LOB) iOS app that is distributed via Intune using volume purchase program (VPP) tokens. The app requires a configuration policy to set the server URL. You have assigned the app as 'Required' to all users in the 'Sales' group. Some users report that the app does not show the configured server URL. You verify that the app configuration policy is assigned to the same 'Sales' group. The app installs successfully. You check the Intune console and see that the app configuration policy has a status of 'Pending' for some devices. The devices are company-owned iPhones running iOS 16. What is the most likely cause of the configuration not applying?

A.The iOS version does not support app configuration
B.The app configuration policy is not assigned to the correct group
C.The devices are not supervised
D.The app is not deployed via VPP correctly
AnswerC

App configuration policies for VPP apps require supervised mode.

Why this answer

Option D is correct. For VPP apps, app configuration policies must be assigned to the same group as the app assignment. Additionally, the configuration policy must be targeted to devices, not users, for iOS.

However, the status 'Pending' suggests the policy is not yet applied; the likely cause is that the devices are not supervised. App configuration policies for iOS require supervised devices when using VPP. Option A is wrong because the app is required and installs successfully.

Option B is wrong because the policy is assigned, but status is pending. Option C is wrong because iOS version is compatible.

96
MCQeasy

A company uses Microsoft Intune to manage Windows 10 devices. They need to deploy Microsoft 365 Apps for enterprise to 500 devices. The devices are in a hybrid Azure AD joined configuration. The administrator wants to use Intune to deploy the apps. Which deployment method should the administrator use?

A.Use the Office Deployment Tool (ODT) to create a configuration file and deploy via Intune as a Win32 app.
B.Use Group Policy to deploy the Office 2019 suite.
C.Add a 'Microsoft 365 Apps for Windows 10 and later' app in Intune and assign it to the devices.
D.Upload the Office installation files as a line-of-business (LOB) app.
AnswerC

This is the recommended method for deploying Microsoft 365 Apps via Intune.

Why this answer

Option C is correct because Intune provides a built-in 'Microsoft 365 Apps for Windows 10 and later' app type that is specifically designed to deploy and manage Microsoft 365 Apps for enterprise. This method uses Intune's native integration with the Office Content Delivery Network (CDN) to download and install the latest version of Office, and it supports hybrid Azure AD joined devices without requiring additional tools or configuration files.

Exam trap

The trap here is that candidates often overcomplicate the solution by choosing the Office Deployment Tool (Option A) because they think it provides more control, but they miss that Intune's native 'Microsoft 365 Apps' app type is the simplest and most appropriate method for standard deployments, especially when no custom XML configuration is required.

How to eliminate wrong answers

Option A is wrong because while the Office Deployment Tool (ODT) can be used to create a configuration file, deploying it as a Win32 app is unnecessarily complex and bypasses Intune's native Office app management capabilities, which provide automatic updates and simplified assignment. Option B is wrong because Group Policy is not an Intune deployment method; it relies on on-premises Active Directory and does not integrate with Intune for cloud-managed device deployment. Option D is wrong because uploading Office installation files as a line-of-business (LOB) app is intended for single-file or simple app packages, not for the multi-component, dynamically updated Microsoft 365 Apps suite, and it would require manual updates and lack the built-in configuration options.

97
MCQeasy

You manage a fleet of Android Enterprise devices. You need to ensure that only approved apps from the managed Play Store can be installed. What configuration should you enable?

A.Set the device to 'Fully managed' and disable unknown sources.
B.Deploy an app configuration policy that blocks sideloading.
C.Configure a device restriction policy to allow only managed Google Play apps.
D.Use a compliance policy to block non-compliant apps.
AnswerC

This policy enforces that only apps from the managed Play Store can be installed.

Why this answer

Option C is correct because a device restriction policy in Microsoft Intune allows you to restrict app installation to only the managed Google Play store. By configuring the 'Allow only managed Google Play apps' setting, you ensure that users cannot install apps from unapproved sources, effectively controlling the app ecosystem on Android Enterprise devices.

Exam trap

The trap here is that candidates often confuse reactive compliance policies (which detect non-compliant apps after installation) with proactive device restriction policies (which prevent installation entirely), leading them to choose Option D instead of the correct proactive setting.

How to eliminate wrong answers

Option A is wrong because setting the device to 'Fully managed' and disabling unknown sources does not restrict installations to only managed Google Play apps; it only prevents sideloading from unknown sources, but users could still install apps from the public Play Store. Option B is wrong because an app configuration policy is used to configure app-specific settings (e.g., account credentials or permissions), not to block sideloading or restrict app sources; blocking sideloading is a device restriction. Option D is wrong because a compliance policy can mark devices as non-compliant if non-approved apps are detected, but it does not prevent installation of those apps in the first place; it only reacts after the fact.

98
MCQhard

Contoso Ltd. is a financial services company with 2,000 users. They use Microsoft Intune to manage Windows 10 devices. The company has a strict security policy that requires all devices to have a specific set of security applications installed: an antivirus (AV) app, a disk encryption app, and a VPN client. These apps are all line-of-business (LOB) Win32 apps packaged as .intunewin files. The administrator created a Win32 app for each and assigned them as 'Required' to all devices. After the deployment, the administrator notices that the apps are not installing on approximately 10% of devices. The devices are online and have connectivity. The Intune Management Extension is running. When the administrator checks the Intune Management Extension logs on a failing device, they see the following error: 'Failed to download content. Error: 0x80070002 - The system cannot find the file specified.' What is the most likely cause?

A.The content for the Win32 app was not uploaded correctly or is missing from Intune.
B.The Intune Management Extension does not have permission to install apps on those devices.
C.The user is not logged in, so the app cannot be installed.
D.The app detection rules do not match the installed version.
AnswerA

The error indicates the file cannot be found, suggesting the content is missing.

Why this answer

The error 0x80070002 ('The system cannot find the file specified') in the Intune Management Extension logs indicates that the client is attempting to download the Win32 app content from Intune, but the content blob is missing or inaccessible. This typically occurs when the .intunewin file was not uploaded correctly, the upload was interrupted, or the content was deleted from Intune after assignment. Since the extension is running and connectivity is confirmed, the issue is server-side content availability, not client-side permissions or detection logic.

Exam trap

The trap here is that candidates often confuse a download failure with a detection rule mismatch or permission issue, but the specific error code 0x80070002 points directly to missing content on the server side, not client-side configuration problems.

How to eliminate wrong answers

Option B is wrong because the Intune Management Extension runs as SYSTEM and does not require additional permissions to install apps; a permission issue would manifest as an access denied error, not a 'file not found' error. Option C is wrong because Win32 apps assigned as 'Required' install in the system context regardless of user login state; user presence is irrelevant for system-context installations. Option D is wrong because detection rules only affect whether the app is considered installed after the download and installation attempt; they do not cause a download failure with error 0x80070002, which occurs before any detection logic runs.

99
MCQeasy

You need to enable users to install company apps from a private store on their iOS devices. Which Microsoft Intune feature should you use?

A.Volume Purchase Program (VPP)
B.Mobile Application Management (MAM) policies
C.Certificate profiles
D.Company Portal app
AnswerA

VPP enables distribution of licensed apps to devices.

Why this answer

Volume Purchase Program (VPP) allows distribution of purchased apps. Option A is correct. Option B is wrong because Company Portal is the client, not the feature.

Option C is wrong because MAM policies are for data protection. Option D is wrong because certificate profiles are for authentication.

100
MCQeasy

Your organization uses Microsoft Intune to manage Android enterprise devices. You need to ensure that only approved apps from the managed Google Play store can be installed on work profiles. Which configuration should you use?

A.Configure a device compliance policy that requires 'Allow installation from unknown sources' to be disabled
B.Use a conditional access policy to block unapproved apps
C.Create an app configuration policy that blocks side-loading
D.Assign a device restriction policy that sets 'Allow all apps' to false
AnswerA

Disabling unknown sources restricts installation to managed Google Play.

Why this answer

For Android enterprise with work profiles, you can allow users to install apps only from managed Google Play by configuring the device restriction policy. Option B is correct.

101
MCQhard

You are deploying a Win32 app that requires administrator privileges to install. The app runs on Windows 11 devices. How should you configure the app in Intune to ensure it installs with elevated privileges?

A.Set the app install behavior to 'System'.
B.Set the app to run in user context.
C.Use a PowerShell script to run the installer.
D.Configure a detection rule to check for admin rights.
AnswerA

System context runs the installer with elevated privileges.

Why this answer

Win32 apps can be configured to run in system context. Option C is correct. Option A is wrong because user context would fail if admin rights required.

Option B is wrong because detection rules are for installation detection. Option D is wrong because PowerShell scripts can be used but the app itself should be configured to run as system.

102
MCQhard

You are deploying a line-of-business (LOB) app to iOS devices managed by Intune. The app requires a specific configuration to access internal resources. Which approach should you use to deliver the configuration?

A.Assign a custom device configuration profile
B.Create an App Configuration Policy targeting managed devices
C.Deploy an App Protection Policy
D.Use Apple Volume Purchase Program (VPP) tokens
AnswerB

App config policies deliver settings to apps.

Why this answer

Option A is correct because an App Configuration Policy for managed devices can deliver settings to LOB apps. Option B is wrong because VPP is for volume purchasing, not configuration. Option C is wrong because a custom profile might not apply to apps.

Option D is wrong because app protection policies manage data protection, not app configuration.

103
MCQmedium

A user reports that a required app is not installing on their Android Enterprise device. The device is enrolled in Intune and shows as compliant. The app is assigned to the user. What is the most likely cause?

A.The device is not compliant with conditional access policies.
B.The user does not have the Company Portal app installed.
C.The app is not available on Managed Google Play.
D.The device does not have a work profile configured.
AnswerB

Company Portal is required for app installation on Android Enterprise.

Why this answer

If the device is enrolled but the app is not installing, the user may not have the Company Portal app. Option B is correct because the Company Portal is required for app installation. Option A is wrong because the device is compliant.

Option C is wrong because Google Play is used for store apps. Option D is wrong because work profile is already set up.

104
MCQhard

A company uses Microsoft Intune to manage Windows 11 devices. They want to deploy a Win32 app that requires user interaction during installation. The app must be installed with administrative privileges. Which installation behavior setting should you configure?

A.Installation time (64-bit vs 32-bit)
B.System context (device)
C.Device restart behavior
D.User context (user)
AnswerD

Runs as the logged-on user, allowing interaction and elevation.

Why this answer

System context runs the installer as SYSTEM with no user interaction; User context runs as the logged-on user. The requirement is admin privileges and user interaction, so User context is correct because it allows the installer to run with the user's token, which can elevate if needed. System context prevents UI.

Choose behavior 'User' handles both.

105
MCQeasy

Your organization uses Microsoft Intune to manage Windows 10 devices. You need to deploy a Microsoft 365 Apps for enterprise suite to all devices. Which app type should you use in Intune?

A.Web link
B.Windows app (Win32)
C.Microsoft 365 Apps for Windows 10 and later
D.Line-of-business app
AnswerC

This app type is specifically designed for deploying Office 365 ProPlus.

Why this answer

Microsoft 365 Apps for enterprise is deployed using the 'Microsoft 365 Apps for Windows 10 and later' app type in Intune. Option A is correct. Option B is wrong because line-of-business apps are for custom apps.

Option C is wrong because the Windows app (Win32) type is for .exe or .msi installers. Option D is wrong because the Web link type is for shortcuts to web apps.

106
Multi-Selectmedium

Your company uses Microsoft Intune to manage Windows 10 devices. You need to deploy a Microsoft Store app (new) to a group of users. Which TWO requirements must be met?

Select 2 answers
A.The device must be joined to an on-premises Active Directory domain
B.The device must have the Microsoft Intune Management Extension installed
C.The device must have sideloading enabled
D.The device must be Azure AD joined or hybrid Azure AD joined
E.The user must have a valid Microsoft account or Azure AD account
AnswersD, E

Required for Intune management.

Why this answer

Options B and D are correct. The device must be Azure AD joined or hybrid Azure AD joined for Intune management. The user must have a Microsoft account (MSA) or Azure AD account to access the Store.

Option A is wrong because domain join alone is insufficient; device must be enrolled in Intune. Option C is wrong because sideloading is not required for Store apps. Option E is wrong because Microsoft Intune Management Extension is for Win32 apps, not Store apps.

107
MCQeasy

You deploy a Microsoft 365 Apps for enterprise suite via Intune to Windows devices. Users report that updates are not being applied automatically. You need to ensure that updates are installed from the Office Content Delivery Network (CDN) without user intervention. What should you configure?

A.Configure Delivery Optimization to download from peers.
B.Configure the Office update channel via an Intune administrative template (ADMX).
C.Enable Windows Update for Business to manage Office updates.
D.Use the Office Deployment Tool to set update settings.
AnswerB

ADMX templates allow setting update path to CDN.

Why this answer

Office update channel can be set via Intune administrative template. Option B is incorrect because Windows Update for Business does not manage Office updates. Option C is incorrect because Office Deployment Tool is for initial deployment.

Option D is incorrect because Delivery Optimization is for peer caching, not update source.

108
MCQmedium

You are reviewing the Intune Win32 app configuration for FinanceApp. The app fails to install on a Windows 10 device running version 1809. The installation log shows no errors. What is the most likely reason?

A.The detection rule finds the finance.exe file already exists.
B.The device does not meet the minimum Windows release requirement.
C.The install experience is set to system but the device is user enrolled.
D.The install command line is missing a silent switch.
AnswerA

The detection rule uses 'exists' and if the file is present, Intune considers the app installed.

Why this answer

Option B is correct because the requirement rule specifies a minimum Windows release of 10.0.16299 (RS3/1709) but the device runs 1809 (10.0.17763) which meets the requirement, so it should install. However, the detection rule checks for the existence of finance.exe. If the file already exists from a previous installation, the detection rule will mark the app as installed, causing Intune to skip the installation.

Option A is wrong because the requirement is met. Option C is wrong because the install experience is system. Option D is wrong because the command line is correct.

109
MCQmedium

Refer to the exhibit. You are reviewing an Intune app protection policy (APP) JSON for Windows. A user complains that they cannot copy data from a managed app. Which setting is causing this?

A.encryptAppData is set to true
B.cutCopyAllowed and pasteAllowed are set to false
C.orgRestriction is set to true
D.requirePin is set to true
AnswerB

Directly disables copy and paste.

Why this answer

Option C is correct. The 'cutCopyAllowed' and 'pasteAllowed' settings are both set to false, preventing copy/paste from managed apps. Option A is wrong because 'orgRestriction' controls data transfer to other apps, not copy/paste.

Option B is wrong because encryptAppData is about encryption, not copy/paste. Option D is wrong because pin requirement does not affect copy/paste.

110
MCQmedium

You are using Microsoft Intune to deploy a custom Windows app that is packaged as an .msi. The app requires a reboot after installation. You want to minimize user disruption. What is the best deployment strategy?

A.Assign the app as available to a user group.
B.Assign the app as available to a device group.
C.Assign the app as required to a device group.
D.Assign the app as required with a deadline.
AnswerB

Users can install at their convenience and handle reboot.

Why this answer

Option B is correct because assigning to device as available lets users choose when to install, and they can schedule the reboot. Option A is wrong because required install may force reboot at inconvenient times. Option C is wrong because available to user still reboots immediately after install via Company Portal.

Option D is wrong because deadline settings are for required installs.

111
MCQeasy

You are using Microsoft Intune to deploy a Win32 app (MyApp.exe) to Windows 10 devices. The app requires .NET Framework 4.8 as a dependency. You have created a Win32 app for .NET Framework 4.8 and set it as a dependency for MyApp. However, when you assign MyApp to a device group, the installation fails because .NET Framework is not installed first. The detection rules for MyApp are correctly configured. What should you do to ensure that the dependency is installed before MyApp?

A.Assign the dependency app to the same device group with a higher priority.
B.Modify the detection rule for the dependency app to check a different file.
C.Require that all devices have .NET Framework 4.8 pre-installed before enrollment.
D.Enable 'Auto-install dependency' in the dependency settings of MyApp.
AnswerD

This ensures the dependency is installed first.

Why this answer

Option C is correct because dependencies in Intune are automatically installed before the parent app only when Auto-install dependency is enabled. Option A is wrong because order of assignment does not guarantee installation order. Option B is wrong because detection rule is for app existence, not installation order.

Option D is wrong because requiring devices to have .NET pre-installed is not feasible.

112
MCQmedium

A company uses Microsoft Intune to manage Android Enterprise personally-owned work profile devices. They need to deploy a managed app that restricts data transfer between work and personal profiles. Which app configuration policy should they use?

A.Compliance policy
B.Managed app configuration policy
C.App protection policy
D.Device configuration policy
AnswerB

Configures app-specific settings like data transfer restrictions.

Why this answer

Managed app configuration policy allows setting app-specific restrictions. App protection policy is for data protection but is separate. Compliance policy is for device compliance.

Device configuration policy for device settings. Therefore, managed app configuration policy is correct for app-level restrictions.

113
MCQmedium

Refer to the exhibit. You are reviewing a Win32 app deployment configuration in Microsoft Intune. The detection rule checks for a registry key under HKLM. The app is set to install in user context. A user reports that the app appears as 'Installed' for some users but not others on the same device. What is the most likely cause?

A.The detection type 'exists' should be 'value' to check the DisplayName.
B.The install experience should be 'system' to write to HKLM.
C.The detection rule uses HKLM but the app installs per user, so the key may not exist for all users.
D.The 'check32BitOn64System' flag is set to false, causing detection to fail on 64-bit systems.
AnswerC

User-context install may write to HKCU, not HKLM.

Why this answer

Option A is correct because the detection rule uses HKLM (machine-level), but the app installs per user; the detection might succeed for one user and not another if the registry key is written per user. Option B is wrong because 32-bit on 64-bit is false. Option C is wrong because detection type 'exists' does not check value.

Option D is wrong because install context does not affect detection rule location.

114
MCQmedium

You are planning to deploy a Win32 app to Windows 10 devices using Microsoft Intune. The app requires a specific registry key to be present before installation. How should you ensure the prerequisite is met?

A.Configure the installation behavior as 'System' to bypass user context.
B.Add the registry key as a dependency.
C.Set a requirement rule for the registry key.
D.Configure a detection rule to verify the registry key exists.
AnswerD

Detection rules can be used to check prerequisites.

Why this answer

Option A is correct because you can use detection rules to check for the registry key; if not found, Intune will not attempt installation. Option B is wrong because requirements rules are for architecture/OS. Option C is wrong because dependencies are for other apps.

Option D is wrong because installation behavior is for user context.

115
MCQeasy

A user reports that a required line-of-business (LOB) app does not appear on their Windows 11 device enrolled in Microsoft Intune. The app was deployed as a 'Required' assignment to a dynamic device group. The device is compliant and shows as 'Active' in Intune. What is the most likely cause?

A.The app requires manual approval from Microsoft Store for Business.
B.The user is not a member of the device group.
C.The device was offline during the last check-in.
D.The app is assigned to users instead of devices.
AnswerC

Required apps are installed during check-in; offline devices may miss the policy.

Why this answer

Option C is correct because the device might have been offline when the policy evaluation occurred, and the app installation may be pending. Option A is wrong because assignment filters are not mentioned. Option B is wrong because user-targeted apps are different.

Option D is wrong because the app is not managed by Microsoft Store for Business.

116
MCQeasy

You need to deploy an Android Enterprise app to corporate-owned work profile devices. The app is available on Google Play. Which deployment method should you use?

A.Microsoft Store for Business
B.Managed Google Play
C.Apple Business Manager
D.Side-loading via Intune
AnswerB

Managed Google Play is the app store for Android Enterprise.

Why this answer

Managed Google Play is the store for Android Enterprise apps. Option C is correct. Option A is wrong because Apple Business Manager is for iOS.

Option B is wrong because Microsoft Store is for Windows. Option D is wrong because side-loading is not recommended for work profiles.

117
MCQhard

Refer to the exhibit. An administrator retrieves a list of Win32 apps. They notice that one app shows installExperience as 'system' and detectionRules as 'fileVersion' with version '1.0.0'. The app fails to install on some devices. The event viewer on a failing device shows 'The app was installed but detection rule did not match'. What is the most likely cause?

A.The PowerShell cmdlet is deprecated
B.The installExperience should be 'user' instead of 'system'
C.The app requires a reboot that is not handled
D.The detection rule expects version 1.0.0 but the installed version is different
AnswerD

Version mismatch causes detection failure.

Why this answer

The detection rule checks for file version '1.0.0' but the app installs a different version. System context is fine. The install command might be correct.

The detection rule is likely incorrect or too strict.

118
MCQhard

Your organization uses Microsoft Defender for Endpoint. You need to ensure that all Windows devices have the Defender Antivirus platform update installed. Which Intune app type should you use?

A.Windows app (Win32)
B.Microsoft Defender for Endpoint app type
C.Microsoft 365 Apps for enterprise
D.Line-of-business app
AnswerB

Intune includes a specific app type for Defender updates.

Why this answer

Option C is correct because Defender updates are deployed as a built-in app type in Intune. Option A is wrong because a Win32 app is not needed. Option B is wrong because it's an update, not a line-of-business app.

Option D is wrong because it's not a Microsoft 365 app.

119
MCQmedium

Refer to the exhibit. An Intune administrator configured a Win32 app with the settings shown. What is the expected behavior when the app installation exits with return code 3010?

A.The device restarts immediately
B.The installation is marked as failed
C.The device may restart after installation outside of active hours
D.The app is not installed
AnswerC

Soft reboot triggers a deferred restart.

Why this answer

Option B is correct because return code 3010 is mapped to 'softReboot', which means a reboot is required and the device may reboot after installation during maintenance hours. Option A is wrong because the restart is not immediate. Option C is wrong because success is not indicated by 3010.

Option D is wrong because the app is still considered installed.

120
Multi-Selectmedium

Your organization uses Microsoft Intune to manage Windows devices. You are deploying a Win32 app that requires a reboot to complete installation. You want to control the reboot behavior to minimize user disruption. Which TWO settings can you configure in the Intune Win32 app properties to manage reboot? (Choose two.)

Select 2 answers
A.Allow restart after installation (in assignment)
B.Device restart behavior
C.Restart deadline
D.Restart grace period
E.Restart notification text
AnswersA, B

This can be set to Yes or No in the assignment settings.

Why this answer

Options B and D are correct. Device restart behavior controls if restarts are suppressed or blocked. The 'Allow restart after installation' option in the app assignment can also be set.

Option A is for Android. Option C is for macOS. Option E is for iOS.

121
MCQmedium

Your organization uses Microsoft Intune to manage Android Enterprise devices. You need to deploy a managed Google Play app to a device. The app appears in the managed Google Play store but the deployment status shows 'Failed'. What is the most likely cause?

A.The device is enrolled in a personally-owned work profile.
B.The device is not allowed to access the managed Google Play store.
C.The app is not approved in the managed Google Play store.
D.The device does not have Google Play Services installed.
AnswerA

Some apps require corporate-owned enrollment.

Why this answer

Option C is correct because managed Google Play apps require that the device is enrolled in corporate-owned work profile or fully managed mode. If the device is in personally-owned work profile, some apps may fail. Option A is wrong because Google Play Services are required for all Android devices.

Option B is wrong because store access is controlled by policy. Option D is wrong because the app is in the managed store.

122
Multi-Selecthard

Which TWO methods can you use to deploy a custom Windows app that is not available in the Microsoft Store to multiple devices managed by Intune?

Select 2 answers
A.Line-of-business app
B.Win32 app management
C.Microsoft Store for Business app
D.Web app
E.Built-in app
AnswersA, B

LOB apps support .msi and .intunewin for Windows.

Why this answer

Line-of-business (LOB) app deployment is correct because it allows you to upload and distribute custom Windows apps (e.g., .msi, .appx, or .exe) that are not in the Microsoft Store to Intune-managed devices. This method is specifically designed for internal or third-party apps that are not publicly available, using Intune's app packaging and assignment capabilities.

Exam trap

The trap here is that candidates often confuse 'Web app' with a method to install an actual application, when it only creates a web link shortcut and does not deploy any executable code to the device.

123
Multi-Selectmedium

Which TWO of the following are supported app types for deploying to iOS devices via Microsoft Intune?

Select 2 answers
A.Web link
B.iOS line-of-business app
C.iOS store app
D.Android app
E.Win32 app
AnswersB, C

iOS LOB apps are supported.

Why this answer

iOS store apps and iOS line-of-business apps are supported. Web links are for any device but not an app type. Win32 and Android are not for iOS.

124
MCQeasy

A user reports that Microsoft 365 Apps for enterprise is not installing on their Windows 10 device. The app is assigned as 'Available' to the user group. What must the user do to trigger the installation?

A.Wait for the next device sync
B.Open the Company Portal app and install from there
C.Restart the device
D.Log off and log back in
AnswerB

Users install available apps through Company Portal.

Why this answer

Option B is correct because available app installs require user interaction via the Company Portal. Option A is wrong because the app is not required. Option C is wrong because the user can initiate install anytime.

Option D is wrong because no restart is needed before install.

125
Multi-Selecthard

You are planning the deployment of Microsoft 365 Apps for enterprise to Windows 10 devices. You need to minimize network bandwidth during installation. Which THREE actions should you take?

Select 3 answers
A.Use the Office Deployment Tool with a local source
B.Configure BranchCache
C.Enable peer caching for Office 365 Content
D.Download the full installation files from the internet
E.Use express updates for Office
AnswersA, C, E

Installs from local share instead of internet.

Why this answer

Options A, B, and E are correct because they reduce bandwidth usage. Option C is wrong because it increases bandwidth. Option D is wrong because LAN delivery does not reduce internet usage.

126
MCQmedium

An administrator deploys an iOS app as 'Required' to a group of devices using Intune. The app fails to install on some devices with error '0x87D13B9F'. What is the most likely cause?

A.The devices have insufficient storage space
B.The app is not compatible with the iOS version on those devices
C.The app is not signed with an Apple Enterprise Developer certificate
D.The devices are not supervised
AnswerD

Required app deployment on iOS requires the device to be in supervised mode.

Why this answer

Error 0x87D13B9F in Intune indicates that the device is not supervised. For iOS/iPadOS, Intune requires devices to be in Supervised mode to install 'Required' apps silently without user interaction. Without supervision, the device cannot accept managed app installations pushed by MDM, causing the deployment to fail.

Exam trap

The trap here is that candidates often confuse generic installation failures (like storage or compatibility) with the specific supervised-mode requirement, because the error code is not immediately intuitive and many assume 'Required' apps can install on any device.

How to eliminate wrong answers

Option A is wrong because insufficient storage space typically generates a different error (e.g., 0x87D13B9E or a generic installation failure), not 0x87D13B9F. Option B is wrong because iOS version incompatibility usually results in error 0x87D13B9C or a 'not supported' message, not this specific code. Option C is wrong because the app signing certificate (Enterprise vs.

App Store) is unrelated to this error; Intune can deploy both types, and signing issues produce errors like 0x87D13B9A or 'invalid profile'.

127
MCQhard

Your organization manages Android Enterprise personally-owned work profile devices with Microsoft Intune. You need to deploy a managed Google Play app to these devices. The app is already approved in managed Google Play and added to Intune. When you assign the app as 'Required' to a user group, some users report that the app is not installed on their devices, and they do not see it in the work profile. You verify that the devices are enrolled and checked in with Intune. The app is listed as 'Pending' in the Intune console for those devices. What is the most likely cause?

A.The app is not approved in managed Google Play for the organization.
B.The devices do not have a VPN profile configured.
C.The users do not have an app protection policy assigned.
D.The managed Google Play Store app is disabled on the devices.
AnswerD

If disabled, apps cannot be installed in the work profile.

Why this answer

Option D is correct because in a work profile, the managed Google Play Store app must be present and active; if it is disabled, apps cannot be installed. Option A is wrong because the app is already approved. Option B is wrong because VPN is not required.

Option C is wrong because there is no app protection policy requirement for installation.

128
MCQhard

You are troubleshooting an app deployment issue. A Win32 app fails to install on some Windows 10 devices. The Intune management extension logs show error code 0x80070643. What is the most likely cause?

A.The app package is corrupted
B.The device does not meet the minimum OS version requirement
C.A pending reboot from a previous installation is blocking the install
D.The user does not have admin privileges
AnswerC

0x80070643 often means 'Installation failure, reboot required'.

Why this answer

Error 0x80070643 is a Windows Installer error that typically indicates a failed installation. The most common cause with Intune is that the app requires a reboot from a previous installation. Option C is correct.

129
Multi-Selecteasy

You are configuring a Microsoft Intune app configuration policy for a managed iOS app. Which THREE types of settings can you include in the policy?

Select 3 answers
A.Permissions such as location or camera
B.Configuration settings (key-value pairs)
C.Compliance rules for the app
D.Network requirements like VPN
E.Connection string for a backend service
AnswersA, B, E

Permissions can be configured in app config.

Why this answer

Option A, Option B, and Option D are correct. App configuration policies can include configuration settings (key-value pairs), connection strings, and permissions. Option C is wrong because compliance rules are in compliance policies.

Option E is wrong because network requirements are in device configuration.

130
Multi-Selectmedium

Which TWO of the following can be used to deploy Microsoft 365 Apps to Windows devices managed by Microsoft Intune? (Select TWO.)

Select 2 answers
A.Configuration Manager
B.Intune built-in 'Microsoft 365 Apps for Windows 10 and later' app type
C.Group Policy
D.Win32 app wrapper
E.Microsoft 365 Apps admin center
AnswersB, E

Built-in app type specifically for Office deployment.

Why this answer

The Microsoft 365 Apps admin center can manage deployment of Office. The Intune built-in 'Microsoft 365 Apps for Windows 10 and later' app type is designed for this. Group Policy is not used in Intune.

Configuration Manager is separate. A Win32 app wrapper can also deploy but is not the built-in method; however, it is possible. The question expects the two primary methods: Intune built-in app and Microsoft 365 Apps admin center.

But Win32 app is also valid; however, the built-in app is preferred. Since 'Select TWO', the best two are Intune built-in and Microsoft 365 Apps admin center. Win32 app wrapper is possible but less direct.

I'll go with Intune built-in and Microsoft 365 Apps admin center.

131
MCQmedium

You are deploying a new line-of-business (LOB) app to Windows 10 devices managed by Microsoft Intune. The app requires a specific registry key to be set before installation. What is the best approach to ensure the registry key is applied before the app installs?

A.Create a compliance policy that requires the registry key and mark the app as required.
B.Use a device configuration policy to set the registry key, then assign the app as available.
C.Include a PowerShell script in the app's installation command that sets the registry key before the main installer runs.
D.Define a requirement rule in the Win32 app that checks for the registry key; if missing, use a proactive remediation script to create it.
AnswerD

Requirement rules block installation until conditions are met, and proactive remediation can enforce the prerequisite.

Why this answer

Option C is correct because Win32 app detection rules can include registry checks, and using a requirement rule (e.g., registry key exists) ensures the app installs only after the key is present. Option A is wrong because app configuration policies don't apply before installation. Option B is wrong because PowerShell scripts can run during installation but not as a prerequisite.

Option D is wrong because compliance policies are for device state, not pre-installation steps.

132
MCQeasy

You need to deploy a web link as an app to Android Enterprise work profile devices. Users should see the link in the Company Portal app. What type of app should you add in Microsoft Intune?

A.iOS/iPadOS web clip
B.Android store app
C.Managed Google Play web link
D.Windows app package (MSI)
AnswerC

Web links are added as web links in Managed Google Play.

Why this answer

Option A is correct because a web link is added as a 'Managed Google Play web link' for Android Enterprise. Option B is wrong because iOS web clips are for iOS. Option C is wrong because Windows app packages are for Windows.

Option D is wrong because Android store app is for store apps, not web links.

133
MCQeasy

Refer to the exhibit. You are deploying a line-of-business iOS app. Which statement is correct about this app?

A.The app requires iOS 15.0 or later.
B.The app can only be installed on iPads.
C.The app will expire on December 31, 2025.
D.The app has no expiration date.
AnswerC

expirationDateTime is set to 2025-12-31T23:59:59Z.

Why this answer

The app is a managed iOS LOB app. minimumSupportedOperatingSystem v14_0 is true, meaning iOS 14.0 is the minimum. Options A and B are wrong because the app is for both iPhone and iPad. Option D is wrong because expiration is set.

134
MCQmedium

You are reviewing an iOS LOB app configuration in Intune. The app is assigned to a user group that includes both iPhone and iPad users. Users with iPhones report that the app does not appear in Company Portal. What is the most likely reason?

A.The bundle ID is incorrect for the app.
B.The build number is missing.
C.The app version is not specified.
D.The app is configured to deploy only to iPads.
AnswerD

The JSON shows 'iPhoneAndIPod: false', so iPhones are excluded.

Why this answer

Option A is correct because the applicableDeviceType is set to iPad only, so iPhones are excluded. Option B is wrong because the bundle ID is set. Option C is wrong because version is set.

Option D is wrong because build number is set.

135
MCQmedium

You need to deploy Microsoft 365 Apps for enterprise to 500 Windows 10 devices using Microsoft Intune. Devices are in multiple time zones. You want to minimize network impact during business hours. Which deployment approach should you use?

A.Use Intune 'Microsoft 365 Apps for Windows 10 and later' built-in app type with delivery optimization.
B.Deploy the offline installer using Intune Win32 app packaging.
C.Configure dynamic installation from Microsoft 365 Apps admin center with gradual rollout and set maintenance window.
D.Assign the app to a device group and set deadline for immediate installation.
AnswerC

Allows scheduling and uses CDN.

Why this answer

Option D is correct because dynamic installation via Microsoft 365 Apps admin center allows scheduling outside business hours and uses CDN for bandwidth efficiency. Option A is wrong because offline installer is not scalable. Option B is wrong because delivery optimization helps but does not schedule.

Option C is wrong because it does not address time zones.

136
MCQhard

Your organization uses Microsoft Intune to manage macOS devices. You need to deploy a custom PKG file that requires administrative privileges to install. The deployment must be silent without user interaction. What should you do?

A.Use a shell script to run the PKG installer with sudo privileges via a launch daemon.
B.Add the PKG to Apple Business Manager and distribute via VPP.
C.Deploy the PKG as a line-of-business app in Intune and assign it as required.
D.Place the PKG in a network share and instruct users to install via Company Portal.
AnswerC

Intune supports PKG deployment silently on macOS.

Why this answer

Intune uses shell scripts to handle post-install tasks; however, PKG deployment on macOS can be done via Intune with a script that uses the 'installer' command with admin privileges via a launch daemon. Option B is incorrect because MDM can push PKG directly with silent install. Option C is incorrect because VPP is for App Store apps.

Option D is incorrect because Company Portal is for user-initiated installs.

137
MCQhard

Your organization is migrating from on-premises SCCM to Microsoft Intune. You have a Win32 app that requires a custom script to run after installation. The app must be available to users in a remote office with limited internet connectivity. What should you use to deploy the app?

A.Configure a cloud management gateway (CMG) to distribute the app.
B.Store the app in Azure Files and mount it on devices.
C.Use a PowerShell script deployed via Intune to download the app from a local file share.
D.Deploy the Win32 app via Intune with Delivery Optimization and peer caching enabled.
AnswerD

This reduces internet bandwidth usage for remote offices.

Why this answer

Delivery Optimization and peer caching help with bandwidth. Option B is incorrect because scripts can be included in Win32 app. Option C is incorrect because CMG is not needed if using Intune.

Option D is incorrect because Azure Files is not for Intune app delivery.

138
MCQeasy

You need to make a web app available to users in your organization through Microsoft Intune Company Portal. Which app type should you create in Intune?

A.iOS store app
B.Web app
C.Windows app (Win32)
D.Android store app
AnswerB

Web apps are used to publish web links in Company Portal.

Why this answer

Option D is correct because a web app in Intune creates a shortcut that appears in Company Portal. Option A is wrong because iOS store apps are for iOS devices. Option B is wrong because Android store apps are for Android.

Option C is wrong because Windows app (Win32) is for executable installers.

139
MCQhard

An administrator is troubleshooting why a Win32 app is repeatedly installed on a device. The exhibit shows a log snippet. What is the most likely cause of the repeated installation?

A.The app writes the detection file to a temporary folder that is cleaned periodically
B.The app requires a reboot to complete installation
C.The detection rule runs before the install completes
D.The exit code 0 is misinterpreted as failure
AnswerA

If the file is in a temp folder, it may be deleted, causing detection to fail on subsequent scans.

Why this answer

Option A is correct because if the Win32 app's detection file is written to a temporary folder (e.g., %TEMP% or C:\Windows\Temp) that is periodically cleaned by disk cleanup policies or the Storage Sense feature, Intune will no longer detect the app as installed after the file is removed. This causes the Microsoft Intune Management Extension to re-run the installation on the next sync cycle, leading to a repeated installation loop. The detection rule relies on the persistent presence of the file, so its removal triggers reinstallation.

Exam trap

The trap here is that candidates assume a detection rule failure is due to timing (Option C) or exit code issues (Option D), but the real-world cause is often a transient detection artifact that gets cleaned, not a logic error in the installation process.

How to eliminate wrong answers

Option B is wrong because a required reboot does not cause repeated installation; Intune marks the app as installed after the exit code 0 is received, and a pending reboot only delays further actions, not reinstallation. Option C is wrong because the detection rule runs after the installation script completes and returns an exit code, not before; the log snippet would show a detection failure only after the install attempt finishes. Option D is wrong because exit code 0 is universally interpreted as success by Intune's Win32 app management; a misinterpretation would require a custom detection rule or a non-standard exit code mapping, which is not indicated.

140
MCQeasy

You need to deploy a line-of-business app to 100 Windows 10 devices that are managed by Microsoft Intune. The app installer is a .msi file. Which app type should you select when adding the app in Microsoft Intune?

A.Microsoft Store app (Windows)
B.Windows app (Line-of-business)
C.Web link
D.Windows app (Win32)
AnswerD

Win32 app supports .msi, .exe, and PowerShell scripts for deployment.

Why this answer

Windows app (Win32) supports .msi, .exe, and .ps1. Line-of-business (Windows) is for .msi only but deprecated. Microsoft Store app is for store apps.

Web link is for web apps. Option B is correct because Win32 app is the recommended type for .msi deployments.

141
MCQmedium

Your organization uses Microsoft Intune to manage 1,500 Windows 10 and 500 macOS devices. You need to deploy Microsoft Edge (Stable channel) to all Windows devices. The deployment must ensure that Edge is set as the default browser, and that the 'SmartScreen' feature is enabled. You also want to ensure that users cannot change the default browser setting. You have created a configuration profile with the required settings. The Edge app is available in the Microsoft Store for Business. Which deployment method should you use to meet all requirements with the least administrative effort?

A.Use a PowerShell script to install Edge and apply settings via registry.
B.Deploy Edge as a Win32 app using the offline installer, and apply the configuration profile separately.
C.Use the 'Microsoft Edge for Windows 10 and later' built-in app type in Intune, assign it as 'Required' to a device group, and apply the configuration profile.
D.Deploy Edge as a Microsoft Store for Business app and use OMA-URI to set default browser.
AnswerC

Built-in app type simplifies deployment and policy application.

Why this answer

Option A is correct: Using the built-in 'Microsoft Edge for Windows 10 and later' app type in Intune allows you to set default browser and manage policies via configuration profiles. Option B is manual and less integrated. Option C requires scripting.

Option D is not a built-in feature.

142
MCQhard

Contoso Ltd. uses Microsoft Intune to manage Windows 11 devices. They need to deploy a Line-of-Business (LOB) app (ContosoApp.msi) to 500 devices in a pilot group. The app requires admin privileges and must be installed in the system context. The deployment must be silent with no user interaction, and the installation status must be reported to Intune. They have created a Win32 app wrapper and uploaded the .intunewin file. Which configuration should they choose in the Intune Win32 app properties to meet the requirements?

A.Install behavior: User, Device restart behavior: No specific action
B.Install behavior: System, Device restart behavior: No specific action
C.Install behavior: System, Device restart behavior: Suppress restarts
D.Install behavior: User, Device restart behavior: Block restarts until installation completes
AnswerB

System context provides admin privileges, and No specific action avoids restart prompts.

Why this answer

Option D is correct because setting Install behavior to System and Device restart behavior to No specific action allows the app to install silently with admin privileges and no user interaction. Option A is wrong because User install context does not provide system-level privileges. Option B is wrong because Suppress restarts only suppresses restart prompts but does not prevent restarts caused by the installer; No specific action is safer.

Option C is wrong because using User install context with app requiring admin rights will fail.

143
MCQeasy

You are deploying a line-of-business (LOB) app to iOS devices using Microsoft Intune. The app is signed with an enterprise certificate. Users report that the app installs but crashes immediately on launch. What is the most likely cause?

A.The Intune company portal app is not installed.
B.The app is not signed.
C.The app requires a VPN connection.
D.The enterprise developer certificate is not trusted on the device.
AnswerD

iOS requires manual trust of enterprise cert before launching.

Why this answer

If the app is not trusted (developer not manually trusted on device), iOS will block launch. Option A is incorrect because the app is signed with enterprise cert. Option C is irrelevant.

Option D is possible but trust is more common first step.

144
Multi-Selecteasy

Which TWO of the following are types of app protection policies (APP) in Microsoft Intune?

Select 2 answers
A.macOS
B.iOS/iPadOS
C.Windows 10/11
D.Web apps
E.Android
AnswersB, E

APP is supported for iOS/iPadOS.

Why this answer

Options A and B are correct. App protection policies can be configured for iOS/iPadOS and Android. Option C is wrong because there is no separate policy for Windows.

Option D is wrong because there is no policy for macOS. Option E is wrong because there is no separate policy for web apps; web apps use the same policies if wrapped.

145
MCQeasy

Your organization uses Microsoft Intune to manage Android Enterprise devices. You need to deploy a Microsoft 365 Apps for Enterprise to work profiles. Which app type should you select in Intune?

A.Web app
B.Android Enterprise system app
C.Line-of-business app
D.Managed Google Play app
AnswerD

Microsoft 365 Apps is available as a Managed Google Play app.

Why this answer

Microsoft 365 Apps for Enterprise is a managed Google Play app. Android Enterprise system apps are pre-installed. Line-of-business apps are custom.

Web apps are for shortcuts. Therefore, selecting Managed Google Play app is correct.

146
MCQmedium

A company uses Microsoft Intune to manage Windows devices. They want to ensure that only approved Microsoft Store apps can be installed on corporate devices. Which configuration policy should they use?

A.Windows app control policy
B.Windows app sideloading policy
C.Microsoft Store for Business app policy
D.Windows app inventory policy
AnswerA

This policy can enforce app control rules to allow only approved apps.

Why this answer

A Windows app inventory policy collects installed apps but does not restrict installation. A Microsoft Store for Business app policy is used to deploy and manage store apps. A Windows app sideloading policy controls sideloading, not store app installation.

Therefore, a Windows app control policy is correct because it can enforce app control rules, including allowing only approved store apps.

147
Multi-Selecthard

Which TWO of the following are valid reasons to use a Windows PowerShell script deployment instead of a Win32 app in Intune?

Select 2 answers
A.Configuring Windows Update for Business policies
B.Applying a temporary security configuration change quickly
C.Modifying registry settings on a schedule
D.Installing an MSI with silent switches
E.Deploying a complex application with multiple files
AnswersB, C

Scripts are ideal for quick changes.

Why this answer

Option A (quick fix) and Option C (registry changes) are valid for scripts. Option B is better for Win32. Option D applies to both.

Option E is for configuration profiles.

148
Multi-Selecthard

A company uses Microsoft Intune to manage Windows 10 devices. They are deploying a Win32 app using the Intune Management Extension. The app requires a reboot and must ensure that the installation completes successfully before the device is allowed to restart. Which TWO deployment settings should be configured?

Select 2 answers
A.Enable 'Delivery optimization' for the app
B.Set 'Device restart behavior' to 'Require device restart'
C.Set 'Device restart behavior' to 'No specific action'
D.Configure 'Supersedence' to replace the app
E.Configure 'Return codes' for 'Soft reboot' as 'No action'
AnswersC, E

Prevents Intune from forcing a reboot, allowing installation to complete.

Why this answer

Option C is correct because setting 'Device restart behavior' to 'No specific action' allows Intune to complete the Win32 app installation without forcing an immediate reboot, which is necessary when the app itself handles the reboot or when you want to control the restart timing. This setting prevents the Intune Management Extension from triggering a restart before the installation is fully complete, ensuring the app's post-installation processes (e.g., file copies, registry writes) finish successfully.

Exam trap

The trap here is that candidates often confuse 'Device restart behavior' with a simple toggle for requiring a reboot, missing that 'No specific action' is the correct choice when the app itself manages the reboot, and they overlook the need to also configure 'Return codes' for 'Soft reboot' as 'No action' to prevent the IME from misinterpreting a soft reboot code as an installation failure.

149
MCQhard

A user reports that a required app is not installed on their Windows 11 device managed by Intune. The app appears in the Microsoft Intune admin center with a status of 'Pending - Install Pending'. You verify that the device is online and has network connectivity. What is the most likely cause?

A.The Intune Management Extension has not synced with the service yet.
B.The user is not targeted with the app assignment.
C.The app is assigned as 'Available' instead of 'Required'.
D.The device is not compliant with conditional access policies.
AnswerA

The extension syncs every hour; pending status indicates the policy has not been received.

Why this answer

If the app is pending install, the Intune Management Extension may not have downloaded the policy yet. Option C is correct because the extension checks for new policies every hour. Option A is wrong because user not targeted would show 'Not applicable'.

Option B is wrong because app is already assigned as required. Option D is wrong because compliance does not affect app assignment.

150
MCQmedium

Your organization uses Microsoft Intune to manage macOS devices. You need to deploy a company portal app that allows users to enroll their devices. Which app type should you use?

A.Built-in app
B.iOS and macOS store app
C.Web link
D.macOS LOB app
AnswerB

Company Portal for macOS is available in the Mac App Store.

Why this answer

For macOS, the Company Portal app is available as a Microsoft app from the macOS App Store. In Intune, you add it as an 'iOS and macOS store app' (Mac App Store). Option B is correct.

← PreviousPage 2 of 3 · 183 questions totalNext →

Ready to test yourself?

Try a timed practice session using only Md102 Manage Applications questions.