CCNA Prepare Device Infrastructure Questions

75 of 254 questions · Page 1/4 · Prepare Device Infrastructure topic

1
MCQ · hard

Your organization uses Microsoft Intune to manage iOS/iPadOS devices. You need to deploy a custom VPN configuration that uses per-app VPN and certificate-based authentication. The certificate is already deployed via a PKCS certificate profile. However, the VPN connection fails. What is the most likely reason?

A. The certificate is not trusted by the device
B. The per-app VPN profile does not include the app bundle IDs or is not associated with the certificate
C. The VPN profile is not assigned to the correct device group
D. The VPN server type is not supported by iOS
Answer: B

The per-app VPN profile must specify the apps and associate the certificate.

Why this answer

Option B is correct because per-app VPN on iOS requires a VPN profile that includes the app identifier list and associates it with the certificate, and the certificate must be properly configured. Option A is wrong because the certificate is already deployed. Option C is wrong because per-app VPN does not require a separate MDM profile for each app.

Option D is wrong because the VPN server type is not necessarily the issue.

2
Multi-Select · medium

Which TWO actions can you perform using Windows Autopilot in Microsoft Intune?

Select 2 answers
A. Enforce security baselines on devices
B. Convert existing devices to Autopilot by uploading hardware hash
C. Deploy third-party applications automatically
D. Customize the out-of-box experience (OOBE) for users
E. Configure BIOS settings remotely
Answers: B, D

Allows redeploying existing devices.

Why this answer

Option B is correct because Windows Autopilot allows you to import a hardware hash (a unique device identifier) from existing devices into Intune, converting them into Autopilot devices. This enables you to apply Autopilot deployment profiles and customize the OOBE without requiring a full OS reinstall, leveraging the device's existing identity.

Exam trap

The trap here is that candidates confuse Windows Autopilot's OOBE customization capabilities with broader device management features like security baselines or third-party app deployment, which are handled by Intune policies after enrollment, not during the Autopilot provisioning phase.

3
MCQ · hard

Refer to the exhibit. You are configuring Windows enrollment restrictions in Intune. After applying this JSON, a user tries to enroll a Windows 10 device but receives an error that enrollment is blocked. What is the most likely cause?

A. The device does not meet authentication requirements
B. The enrollment is restricted to Windows Holographic only
C. The device type filter excludes Windows 10
D. The user already has 5 devices enrolled
Answer: A

requireDeviceAuthentication prevents enrollment without proper device auth.

Why this answer

The JSON configuration sets 'minimumVersion' to '10.0.22000' (Windows 11) and 'maximumVersion' to '10.0.22621.0' (Windows 11 22H2), which excludes all Windows 10 builds. Since the user is attempting to enroll a Windows 10 device, it falls outside the allowed version range, causing the enrollment block. The error message 'enrollment is blocked' aligns with a version restriction failure, not an authentication issue.

Exam trap

The trap here is that candidates assume the error 'enrollment is blocked' always points to authentication or device count limits, but the JSON's version range silently excludes Windows 10, which is the actual root cause.

How to eliminate wrong answers

Option A is incorrect because the error is not related to authentication; the JSON does not contain any authentication-related settings (e.g., 'requireMultiAuth' or 'deviceEnrollmentLimit'). Option B is incorrect because the JSON does not specify 'deviceType' or 'platform' restrictions; it only filters by OS version, not by Holographic or any specific SKU. Option C is incorrect because the device type filter is not present in the JSON; the restriction is based on OS version range, not device type.

Option D is incorrect because the JSON does not include a 'deviceEnrollmentLimit' key; the user's device count is not restricted by this configuration.

4
MCQ · medium

Your organization is evaluating Microsoft Intune for device management. The security team requires that all devices be registered in Microsoft Entra ID before they can enroll in Intune. Which configuration should you implement?

A. Configure enrollment restrictions to require corporate ownership
B. Set device type restrictions to block unregistered devices
C. Configure automatic enrollment via Group Policy
D. Configure Microsoft Entra join or Microsoft Entra registration as a prerequisite for Intune enrollment
Answer: D

This ensures devices are registered in Entra ID before they can enroll in Intune.

Why this answer

Option B is correct because requiring Microsoft Entra join or registration forces device identity in Entra ID before Intune enrollment. Option A is wrong because automatic enrollment doesn't enforce registration first. Option C is wrong because device type restrictions affect allowed platforms, not identity.

Option D is wrong because enrollment restrictions apply to enrolling users/devices, not identity prerequisites.

5
MCQ · hard

Refer to the exhibit. An administrator runs this Graph PowerShell script. What is the purpose?

A. To output the device names of all Windows devices.
B. To list the IDs of Microsoft Entra ID joined Windows devices.
C. To list devices that are registered in Autopilot.
D. To update the enrollment type of all Windows devices.
Answer: B

Enrollment type windowsAzureADJoin indicates Entra ID join.

Why this answer

Option C is correct because the script filters for devices with enrollment type 'windowsAzureADJoin' (Microsoft Entra ID joined) and outputs their IDs. Option A is wrong because it outputs IDs, not device names. Option B is wrong because it does not check the autopilot profile.

Option D is wrong because it does not update any properties.

6
MCQ · easy

Your organization uses Microsoft Intune to manage Windows 10 devices. You need to configure a Windows 10 update ring that ensures feature updates are deferred by 120 days and quality updates are deferred by 30 days. Which settings should you configure in the update ring?

A. Set feature update deferral to 180 days and quality update deferral to 0 days.
B. Set feature update deferral to 30 days and quality update deferral to 120 days.
C. Set feature update deferral to 120 days and quality update deferral to 30 days.
D. Set both feature and quality update deferrals to 60 days.
Answer: C

This matches the required deferral periods.

Why this answer

Option C is correct because the Windows 10 update ring settings in Microsoft Intune allow you to specify deferral periods for feature updates and quality updates independently. To meet the requirement of deferring feature updates by 120 days and quality updates by 30 days, you must set the feature update deferral to 120 days and the quality update deferral to 30 days. These values directly control how long the device waits before installing the respective update types after Microsoft releases them.

Exam trap

The trap here is that candidates often confuse the deferral periods for feature and quality updates, mistakenly swapping the values or assuming a single deferral applies to both, when the question explicitly requires independent settings for each update type.

How to eliminate wrong answers

Option A is wrong because setting feature update deferral to 180 days exceeds the required 120-day deferral, and setting quality update deferral to 0 days provides no deferral, failing the 30-day requirement. Option B is wrong because it reverses the deferral periods: feature updates would be deferred only 30 days (not 120) and quality updates would be deferred 120 days (not 30), which does not match the specified requirements. Option D is wrong because setting both deferrals to 60 days would defer feature updates by only 60 days instead of the required 120 days, and quality updates by 60 days instead of 30 days, failing both conditions.

7
MCQ · medium

Your organization uses Microsoft Intune to manage iOS/iPadOS devices. You need to ensure that only devices running iOS 16 or later can enroll. Which configuration should you use?

A. Create a device configuration profile that requires iOS 16.0.
B. Modify the enrollment profile to require iOS 16.0.
C. Create a compliance policy that requires iOS 16.0 or later.
D. Create an enrollment platform restriction for iOS/iPadOS and set the minimum OS version to 16.0.
Answer: D

Platform restrictions block devices with older OS versions during enrollment.

Why this answer

Option A is correct because platform restrictions allow you to set minimum OS versions for enrollment. Option B is wrong because compliance policies are applied after enrollment. Option C is wrong because device configuration profiles manage settings, not enrollment.

Option D is wrong because the enrollment profile specifies enrollment method, not OS version restrictions.

8
Multi-Select · hard

Which THREE actions can be taken from the Intune admin center when a device is retired?

Select 3 answers
A. Retire
B. Remote lock
C. Reset passcode
D. Wipe
E. Delete
Answers: A, D, E

Retirement is the action itself.

Why this answer

Options B, C, and D are correct. When retiring a device, you can wipe the device (factory reset), delete the device from Intune, and also retire it which removes management. Option A is wrong because remote lock is available but not during retirement; it's a separate action.

Option E is wrong because resetting the passcode is not an option for retired devices.

9
MCQ · easy

Your company is deploying Windows 11 devices using Windows Autopilot. You need to ensure that during the first boot, the device automatically joins Microsoft Entra ID, enrolls in Intune, and installs required applications. What should you provide to the device?

A. The device's hardware hash, uploaded to Intune, and an Autopilot deployment profile assigned.
B. The Configuration Manager client and a site code for automatic site assignment.
C. A provisioning package containing the MDM enrollment settings.
D. A Group Policy Object that configures automatic MDM enrollment.
Answer: A

Autopilot requires the hardware hash to identify the device and the profile to define the deployment settings.

Why this answer

Windows Autopilot uses a device-specific hardware hash that is uploaded to Intune. Based on the assigned Autopilot profile and deployment profile, the device automatically joins Entra ID and enrolls in Intune. Option A is correct.

Option B is wrong because a provisioning package is not needed for Autopilot. Option C is wrong because a Configuration Manager client is not required. Option D is wrong because Group Policy does not apply during Autopilot.

10
MCQ · hard

A user reports that their Windows 11 device is not receiving compliance policies from Microsoft Intune. The device shows as 'Not evaluated' in the compliance status. Other devices in the same group are compliant. What is the most likely cause?

A. The device does not have a valid certificate profile.
B. The Intune Management Extension is not installed.
C. The device has a non-compliant component that prevents policy application.
D. The device's enrollment token has expired.
Answer: C

If a device is non-compliant, it may not receive further policies until remediated.

Why this answer

Option D is correct because a non-compliant component can cause the device to show 'Not evaluated' if the policy is not applied. Option A is incorrect because a valid token is required for enrollment; if it were expired, the device would not be enrolled. Option B is incorrect because the Intune management extension handles Win32 apps, not compliance policies.

Option C is incorrect because a certificate profile is not required for compliance evaluation.

11
MCQ · medium

You manage a fleet of Android Enterprise devices. You need to configure a policy that prevents users from installing apps from unknown sources. Which policy type should you use?

A. Device restrictions configuration policy
B. Device compliance policy
C. App configuration policy
D. Enrollment restriction
Answer: A

Device restrictions can disable unknown sources.

Why this answer

Option C is correct because device restrictions include settings to block unknown sources. Option A is wrong because compliance policy checks security, but doesn't block installation. Option B is wrong because app configuration policies configure apps, not device settings.

Option D is wrong because enrollment restrictions control enrollment, not app installation.

12
Multi-Select · hard

You are planning a Microsoft Intune deployment for a large organization with Windows, iOS, and Android devices. You need to ensure that devices can enroll automatically when users sign in with their work accounts. Which THREE components are required?

Select 3 answers
A. Apple Push Notification service certificate (for iOS)
B. Intune licenses assigned to users
C. Microsoft Entra ID (for identity and device registration)
D. Microsoft Intune subscription (for MDM authority)
E. Configuration Manager (for co-management)
Answers: B, C, D

Users must have Intune licenses to enroll devices.

Why this answer

Option A, Option B, and Option D are correct because Microsoft Entra ID, Intune, and licensing are required for automatic enrollment. Option C is wrong because Configuration Manager is optional. Option E is wrong because Apple Push Notification service is only for iOS device management, not for automatic enrollment across all platforms.

13
Multi-Select · easy

You are preparing infrastructure for device management. Which TWO are valid methods to enroll Windows devices into Microsoft Intune?

Select 2 answers
A. Android Zero Touch.
B. Microsoft Entra ID join with automatic MDM enrollment.
C. Apple Business Manager.
D. Windows Autopilot.
E. Samsung Knox Mobile Enrollment.
Answers: B, D

Devices automatically enroll in Intune when joined.

Why this answer

Option A is correct because Windows Autopilot is a valid enrollment method. Option E is correct because Microsoft Entra ID join with automatic Intune enrollment is valid. Option B is wrong because Apple Business Manager is for Apple devices.

Option C is wrong because Android Zero Touch is for Android devices. Option D is wrong because Samsung Knox Mobile Enrollment is for Samsung Android devices.

14
MCQ · hard

Refer to the exhibit. You run the Get-AutopilotInfo script on a new Surface Pro 7. The output shows DeviceState as 'Unknown' and AssignmentStatus as 'NotAssigned'. The device is connected to the internet. What should you do to prepare this device for Autopilot deployment?

A. Upload the hardware hash to Microsoft Intune to register the device.
B. Assign an Autopilot deployment profile to the device group.
C. Run the script again with the -Online parameter.
D. Use a provisioning package to set up the device manually.
Answer: A

Registration is required for Autopilot to work.

Why this answer

The device is not yet registered in Autopilot. You need to upload the hardware hash to Intune. Option A is correct.

Option B is wrong because even if the device is already registered, the 'Unknown' state indicates it is not. Option C is wrong because using a provisioning package is not needed if Autopilot is desired. Option D is wrong because the script already works; re-running won't help.

15
MCQ · medium

You are configuring Microsoft Defender for Endpoint in Microsoft Intune for Windows 10 devices. You need to ensure that when a threat is detected, the device automatically receives a remediation action. Which configuration should you use?

A. Configure a device compliance policy to mark the device as non-compliant.
B. Enable 'Manual investigation' in the endpoint security policy.
C. Create an alert rule in Microsoft Defender XDR to notify administrators.
D. Enable 'Automatic remediation' in the Microsoft Defender Antivirus policy.
Answer: D

Automatic remediation allows Defender to take action on detected threats.

Why this answer

Option D is correct because enabling 'Automatic remediation' in the Microsoft Defender Antivirus policy within Intune's endpoint security node ensures that when a threat is detected, the device automatically applies the configured remediation action (e.g., quarantine, remove, or block) without requiring manual intervention. This setting directly controls the behavior of Microsoft Defender Antivirus to act on detected threats, aligning with the requirement for automatic remediation.

Exam trap

The trap here is that candidates often confuse alerting or compliance policies with actual remediation actions, mistakenly thinking that marking a device non-compliant or creating an alert will automatically remediate the threat, when in fact only the antivirus policy's automatic remediation setting directly triggers the remediation action on the device.

How to eliminate wrong answers

Option A is wrong because configuring a device compliance policy to mark the device as non-compliant only triggers conditional access restrictions or user notifications; it does not perform any remediation action on the detected threat itself. Option B is wrong because 'Manual investigation' is not a valid setting in endpoint security policies; Microsoft Defender for Endpoint uses automated investigation and response (AIR) capabilities, and manual investigation is a separate process, not a configuration toggle. Option C is wrong because creating an alert rule in Microsoft Defender XDR only sends notifications to administrators about detected threats; it does not cause the device to automatically receive a remediation action.

16
MCQ · medium

You are preparing to deploy Windows Autopilot for your organization. You have obtained the hardware hashes for 100 new devices. You need to register these devices in Microsoft Intune so that they can be associated with an Autopilot deployment profile. What should you do?

A. Use the Microsoft Store for Business to automatically register devices
B. Contact the OEM to register the devices using the device serial numbers
C. Use the Windows Configuration Designer to create a provisioning package that includes Autopilot settings
D. Upload the hardware hashes to the Autopilot devices page in the Microsoft Intune admin center
Answer: D

This is the standard method to register devices.

Why this answer

Option A is correct because you can upload the hardware hashes directly to the Autopilot devices page in Intune. Option B is wrong because the OEM can register devices for you, but you already have the hashes. Option C is wrong because Microsoft Store for Business is deprecated.

Option D is wrong because Windows Configuration Designer is for provisioning packages, not Autopilot registration.

17
MCQ · easy

You need to deploy a line-of-business (LOB) app to 100 iOS devices managed by Intune. The app is signed with an enterprise certificate. Which deployment method should you use?

A. Upload the app package as an iOS LOB app in Intune
B. Add the app as a Volume Purchase Program (VPP) app
C. Use an Enterprise Code Signing certificate to deploy via MDM
D. Publish the app to the Apple App Store and deploy as public app
Answer: A

Direct method for custom enterprise apps.

Why this answer

Option A is correct because Intune supports deploying internally developed LOB apps to iOS devices by uploading the signed .ipa package directly. Since the app is already signed with an enterprise certificate, it can be distributed via Intune's iOS LOB app workflow without requiring the Apple App Store or VPP.

Exam trap

The trap here is confusing the signing certificate (used to sign the app) with the deployment method, leading candidates to select Option C, which describes a prerequisite rather than a distribution mechanism.

How to eliminate wrong answers

Option B is wrong because Volume Purchase Program (VPP) apps are purchased from the Apple App Store and assigned to devices via managed distribution, not used for custom LOB apps. Option C is wrong because Enterprise Code Signing certificates are used to sign the app, not as a deployment method; MDM deploys the app via Intune's LOB app upload, not by using the certificate directly. Option D is wrong because publishing to the Apple App Store is unnecessary and contradicts the requirement to deploy a signed LOB app; public apps are for store-distributed apps, not enterprise-signed ones.

18
MCQ · hard

You are planning a Windows 11 deployment for 200 devices using Microsoft Configuration Manager (current branch). The devices are currently running Windows 10. You need to perform an in-place upgrade while preserving user data and settings. The devices are located in remote offices with limited bandwidth. Which deployment method should you use?

A. Create a provisioning package with Windows 11 upgrade settings and apply it via USB drives.
B. Deploy a Windows 11 feature update using the 'Windows 10/11 feature update' servicing plan in Configuration Manager, enabling Delivery Optimization for peer-to-peer download.
C. Use Windows Autopilot to reset the device and reinstall Windows 11, restoring user data from OneDrive.
D. Create a task sequence to upgrade Windows, and configure it to download content from the internet to reduce distribution point load.
Answer: B

Feature updates in ConfigMgr perform in-place upgrades and can use Delivery Optimization to reduce bandwidth.

Why this answer

For in-place upgrades with limited bandwidth, using peer caching or Delivery Optimization is recommended. Configuration Manager's 'Express updates' apply to quality updates, not feature updates. For feature updates, you can use the 'Windows 10/11 feature update' option under 'Windows servicing' or a task sequence.

A task sequence downloads the upgrade content from a distribution point; to minimize bandwidth, you can enable BranchCache or use 'Download content from distribution point and run locally'. Among the options, a task sequence with 'Pre-stage content' on USB drives or with 'Download content from distribution point and run locally' is possible, but the question asks specifically for an in-place upgrade that preserves user data on limited bandwidth.

Configuration Manager's 'Windows 10/11 feature update' method is an in-place upgrade that preserves apps and settings. It uses Delivery Optimization to download from peers and the internet, which reduces bandwidth use. Option A is correct.

Option B is wrong because a provisioning package is for new devices. Option C is wrong because Autopilot is not for in-place upgrade. Option D is wrong because a task sequence can preserve data but requires more bandwidth unless you pre-cache content.

19
MCQ · medium

You are troubleshooting a Windows 10 device that is not receiving required security updates from Microsoft Intune. The device is enrolled and shows as compliant. The update ring policy is assigned to the device. You check the Windows Update for Business logs and see that the deferral period is set correctly. What is the most likely cause?

A. The update ring is configured with an incorrect deferral period.
B. The device is not compliant with the security baseline.
C. Windows Update is blocked by the corporate firewall.
D. The update ring is not assigned to the device's group.
Answer: D

Without proper assignment, the policy does not apply to the device.

Why this answer

Option D is correct because the device is enrolled and compliant, and the deferral period is correctly set, which eliminates policy configuration issues. The most likely remaining cause is that the update ring policy is not assigned to the device's group, meaning the policy never reaches the device via Intune's policy delivery mechanism. Without proper group assignment, the Windows Update for Business settings are not applied, even if the device is compliant and the ring policy exists.

Exam trap

The trap here is that candidates assume a compliant device with a correctly configured policy will always receive updates, but they overlook the critical step of verifying that the device is actually a member of the assigned group, which is a separate prerequisite from compliance or policy configuration.

How to eliminate wrong answers

Option A is wrong because the question explicitly states that the deferral period is set correctly in the Windows Update for Business logs, so an incorrect deferral period is not the cause. Option B is wrong because the device is reported as compliant, and compliance with a security baseline is not a prerequisite for receiving update ring policies; update rings are applied via policy assignment, not compliance status. Option C is wrong because if Windows Update were blocked by a corporate firewall, the device would likely show errors connecting to Windows Update services, but the logs confirm the deferral period is correctly set, indicating the policy is being processed locally; a firewall block would prevent updates from downloading, not prevent the policy from being applied.

20
Multi-Select · hard

Your organization uses Microsoft Intune to manage iOS devices. You need to deploy an app that requires a VPN configuration when the app is launched. Which TWO options can you use to achieve this? (Choose two.)

Select 2 answers
A. Use a managed app configuration to include VPN settings.
B. Use a device compliance policy to require VPN.
C. Assign an app protection policy that enables VPN.
D. Create a device-wide VPN configuration profile.
E. Create a per-app VPN configuration profile and assign it to the app.
Answers: A, E

Managed app config can include VPN payload.

Why this answer

Options B and C are correct. A per-app VPN profile can be assigned to the app, or a managed app configuration can include VPN settings. Option A is incorrect because device-wide VPN does not restrict to specific apps.

Option D is incorrect because app protection policies do not manage VPN. Option E is incorrect because device compliance does not include VPN configuration.

21
Multi-Select · medium

Which TWO prerequisites are required for Windows Autopilot self-deploying mode? (Choose two.)

Select 2 answers
A. A user account with Intune license
B. A Windows product key
C. MDM user affinity
D. TPM 2.0 chip
E. Network connectivity to Microsoft Intune
Answers: D, E

TPM 2.0 is required for hardware attestation.

Why this answer

Options B and C are correct. Self-deploying mode requires a physical TPM 2.0 chip for attestation and network connectivity to Microsoft Intune. Option A is wrong because a user account is not required.

Option D is wrong because a product key is not needed. Option E is wrong because a mobile device management (MDM) user affinity is not required.

22
MCQ · medium

Your organization has Windows 11 devices used by remote employees. You need to ensure that only devices compliant with your security policies can access corporate email via Microsoft Outlook for Windows. What should you configure?

A. Set up a device compliance policy in Microsoft Purview to block non-compliant devices.
B. Create a Conditional Access policy in Microsoft Entra ID that requires device compliance, and assign the policy to the cloud app 'Office 365 Exchange Online'.
C. Configure a device filter in Exchange Online to block devices that are not managed by Intune.
D. Deploy an email security policy via Intune to block access from non-compliant devices.
Answer: B

This correctly combines Intune compliance with Entra ID Conditional Access to block non-compliant devices.

Why this answer

Conditional Access in Microsoft Entra ID can block access based on device compliance status. Intune compliance policies define the compliance requirements, and Conditional Access policies enforce the access control. Option A is correct.

Option B is wrong because device filters don't check compliance. Option C is wrong because it doesn't enforce compliance. Option D is wrong because it's for device enrollment, not access control.

23
Multi-Select · hard

Which TWO are required to enable Windows Hello for Business in a hybrid deployment? (Select TWO.)

Select 2 answers
A. Configuration Manager
B. Microsoft Entra ID Connect
C. Public Key Infrastructure (PKI)
D. Multifactor authentication (MFA)
E. Microsoft Intune
Answers: B, C

Synchronizes on-premises AD with Microsoft Entra ID.

Why this answer

In a hybrid deployment, Windows Hello for Business requires synchronization of user credentials from on-premises Active Directory to Microsoft Entra ID. Microsoft Entra ID Connect (B) provides this synchronization, enabling the device to authenticate against both on-premises and cloud resources. Additionally, a Public Key Infrastructure (PKI) (C) is required to issue the certificate-based authentication keys used by Windows Hello for Business in hybrid deployments, as the on-premises domain controllers must trust the certificates.

Exam trap

The trap here is that candidates often confuse prerequisites (like MFA) with required infrastructure components, leading them to select MFA instead of recognizing that PKI and directory synchronization are the two mandatory elements for hybrid deployments.

24
MCQ · hard

Your company uses Microsoft Intune to manage Windows 10 devices. You need to deploy a PowerShell script that runs in the system context during automatic enrollment. The script must run before the user logs on. Which approach should you use?

A. Add the script as a device management extension (PowerShell script) in Intune, assigned to 'All Devices'.
B. Assign the script as a compliance policy remediation.
C. Deploy the script as a proactive remediation in Microsoft Intune.
D. Embed the script in a device configuration profile using a custom OMA-URI.
Answer: A

Device management extension scripts run in system context during enrollment.

Why this answer

Option A is correct because device management extension (PowerShell scripts) in Microsoft Intune run in the system context and execute during automatic enrollment before the user logs on. This is the only Intune method that supports system-context script execution at enrollment time without requiring a user session.

Exam trap

The trap here is that candidates confuse proactive remediations (which also run PowerShell scripts) with device management extension scripts, not realizing that proactive remediations require a user session and are intended for post-enrollment health checks, not pre-logon provisioning.

How to eliminate wrong answers

Option B is wrong because compliance policy remediations run only after the device has been evaluated for compliance, which occurs after enrollment and user logon, not before. Option C is wrong because proactive remediations are designed for ongoing detection and remediation of common support issues, not for first-run deployment during automatic enrollment. Option D is wrong because custom OMA-URI profiles are used to configure device settings via CSPs, not to execute PowerShell scripts in the system context.

25
Multi-Select · medium

Which TWO Intune policies can be used to enforce encryption on macOS devices?

Select 2 answers
A. Device Compliance policy that requires BitLocker.
B. Device Compliance policy that requires Disk Encryption.
C. Device Configuration policy (Device Restrictions) for Disk Encryption.
D. Device Configuration policy (Endpoint Protection) for FileVault.
E. Device Compliance policy that requires FileVault.
Answers: D, E

This policy configures FileVault settings.

Why this answer

Option D is correct because FileVault is the native full-disk encryption solution for macOS, and Intune's Device Configuration policy (Endpoint Protection) provides a dedicated profile to enable and enforce FileVault encryption. Option E is correct because a Device Compliance policy can also require FileVault encryption as a compliance setting, allowing conditional access to block non-compliant devices.

Exam trap

The trap here is that candidates confuse the generic 'Disk Encryption' term with the macOS-specific FileVault, or assume that BitLocker (a Windows-only feature) can be applied to macOS, leading them to select options A or B instead of the correct FileVault-based answers.

26
MCQhard

You are the endpoint administrator for Contoso, Ltd., a company with 10,000 employees. The environment includes Windows 10/11 devices, iOS/iPadOS, and Android Enterprise devices. The company recently acquired a subsidiary that uses non-compliant Android devices. The security team mandates that all devices must have encryption enabled and a PIN of at least 6 digits. Additionally, the company wants to use Microsoft Defender for Endpoint on all Windows devices. Currently, only 60% of devices are enrolled in Intune. The CIO wants to increase enrollment to 95% within 6 months. You need to design a device preparation strategy. Which approach should you recommend?

A.Deploy Windows Autopilot for all new devices and ignore existing devices.
B.Purchase a third-party MDM tool to manage non-compliant devices.
C.Ask all users to manually enroll their devices using the Company Portal app.
D.Configure automatic enrollment via Microsoft Entra ID for Windows devices, deploy conditional access policies that require compliance for iOS/Android, and run a communications campaign to drive enrollment.
AnswerD

This leverages automation and policy enforcement to increase enrollment.

Why this answer

Option D is correct because Microsoft Entra ID automatic enrollment (MDM user scope plus Group Policy, or MDM discovery during Entra join) brings Windows devices into Intune without user action. A compliance policy then encodes the encryption and six-digit PIN requirements, and Conditional Access enforces compliance for iOS/Android by blocking non-compliant devices from corporate resources, which is what drives those users to enroll. Combined with a communications campaign this addresses the 95% target within six months, and Microsoft Defender for Endpoint is onboarded on the Windows devices through Intune's Defender for Endpoint connector.

Exam trap

The trap here is that candidates may assume manual enrollment (Option C) is sufficient, overlooking the scalability and enforcement capabilities of automatic enrollment and Conditional Access, which are essential for achieving high enrollment rates in a large enterprise with mixed device platforms.

How to eliminate wrong answers

Option A is wrong because ignoring existing devices leaves 40% of the current fleet unmanaged, failing to meet the 95% enrollment target; Windows Autopilot is only for new devices and does not address existing non-compliant Android devices. Option B is wrong because purchasing a third-party MDM tool introduces unnecessary cost and complexity, and does not integrate with Intune or Microsoft Defender for Endpoint, which is required for Windows devices; the goal is to increase Intune enrollment, not replace it. Option C is wrong because relying solely on manual enrollment via Company Portal is inefficient and unlikely to achieve 95% enrollment within 6 months, as it depends on user initiative and does not enforce compliance for non-compliant Android devices.

27
MCQeasy

A user reports that their Windows device is not appearing in the Intune console after enrollment. The device is joined to Microsoft Entra ID and the user has an Intune license. What should you check first?

A.Ensure that the MDM user scope in Microsoft Entra ID is set to 'All' or 'Some'.
B.Assign an Intune license to the device.
C.Verify that enrollment restrictions are not blocking the device.
D.Check if the device is compliant.
AnswerA

The MDM user scope controls automatic enrollment.

Why this answer

The most common reason a device fails to appear in the Intune console after enrollment is that the MDM user scope in Microsoft Entra ID is not configured to include the user. The MDM user scope determines which users can automatically enroll their devices into Intune; if it is set to 'None', enrollment is blocked entirely. Since the device is already joined to Microsoft Entra ID and the user has an Intune license, the first step is to verify this scope setting.

Exam trap

The trap here is that candidates often jump to troubleshooting enrollment restrictions or compliance policies, overlooking the foundational MDM user scope which must be explicitly configured to allow enrollment to proceed.

How to eliminate wrong answers

Option B is wrong because Intune licenses are assigned to users, not devices; the user already has a license, so there is nothing to assign to the device. Option C is wrong because enrollment restrictions (platform, version or manufacturer blocks) produce an enrollment failure with an error on the device, not a silent absence from the console after a successful join. Option D is wrong because compliance is evaluated after enrollment and does not affect whether the device appears in the console; a non-compliant device still shows up.
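The checks described above, as an added PowerShell example that is not part of the original page. Step 1 runs on the device itself (dsregcmd is built into Windows); step 2 runs from an admin workstation with the Microsoft.Graph PowerShell module after Connect-MgGraph. The Graph paths and permission scopes are as documented for the Microsoft Graph reference, the policy display name 'Microsoft Intune' is the default name of the MDM application in Microsoft Entra ID, and the device name is a constructed placeholder.

```powershell
# Added example, not from the page. Step 1 on the device, step 2 from an admin workstation.

# --- Step 1, on the device: did the tenant hand this device an MDM enrollment URL? ---
$statusText = (dsregcmd /status) -join "`n"
$joined = $statusText -match 'AzureAdJoined\s*:\s*YES'
$mdmUrl = if ($statusText -match 'MdmUrl\s*:\s*(\S+)') { $Matches[1] } else { $null }
if ($joined -and -not $mdmUrl) {
    # No MdmUrl after an Entra join is the signature of a user outside the MDM user scope
    # (or without an Intune licence): the join succeeded, the MDM enrollment never started.
    Write-Warning 'Entra joined, but no MdmUrl: user is outside the MDM user scope or has no Intune licence.'
}

# --- Step 2, admin workstation: read the MDM user scope, then look the device up ---
Connect-MgGraph -Scopes 'Policy.Read.All', 'DeviceManagementManagedDevices.Read.All' | Out-Null

$policies = (Invoke-MgGraphRequest -Method GET `
    -Uri 'https://graph.microsoft.com/v1.0/policies/mobileDeviceManagementPolicies').value
$intune = $policies | Where-Object { $_.displayName -eq 'Microsoft Intune' }
# appliesTo is none | all | selected; 'none' blocks automatic MDM enrollment outright.
"MDM user scope for Intune: $($intune.appliesTo)"
if ($intune.appliesTo -eq 'selected') {
    $groups = (Invoke-MgGraphRequest -Method GET `
        -Uri "https://graph.microsoft.com/v1.0/policies/mobileDeviceManagementPolicies/$($intune.id)/includedGroups").value
    "Only members of these groups may auto-enroll: $(($groups | ForEach-Object { $_.displayName }) -join ', ')"
}

$deviceName = 'DESKTOP-EXAMPLE'   # constructed placeholder; use the name the user reported
$uri = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?`$filter=deviceName eq '$deviceName'"
$managed = (Invoke-MgGraphRequest -Method GET -Uri $uri).value
if ($managed) {
    "Enrolled: $($managed[0].deviceName), last sync $($managed[0].lastSyncDateTime)"
} else {
    "No Intune record for $deviceName. Fix the scope or licence first, then have the user sync from Settings > Accounts > Access work or school, or re-join."
}
```

Run step 1 as the affected user, because dsregcmd reports the user-scoped MDM fields for the signed-in account; run step 2 with an account that can read directory policies and managed devices.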

28
MCQmedium

Your organization recently deployed Windows 11 devices managed by Microsoft Intune. You need to ensure that only approved third-party drivers are installed on these devices. What is the best approach?

A.Deploy a Windows Driver Frameworks (WDF) Coinstaller to enforce driver signing.
B.Use Device Installation Restrictions to allow only approved hardware IDs.
C.Configure Windows Update for Business group policy settings to block driver updates from Windows Update.
D.Configure a Windows Defender Application Control policy to block unsigned drivers.
AnswerC

This setting prevents drivers from being installed via Windows Update, and you can use a custom policy to allow specific approved drivers.

Why this answer

Option C is correct because Windows Update for Business settings let you block driver updates from Windows Update, which stops unapproved third-party drivers from arriving automatically. This is the most direct and manageable approach for Intune-managed Windows 11 devices, because it controls the source of driver updates without driver-signing policy or hardware ID management. In current Intune the same intent is expressed with a "Driver updates for Windows 10 and later" policy set to manual approval: every driver offered through Windows Update is held until an administrator approves it, which is the "custom policy to allow specific approved drivers" the short answer refers to.

Exam trap

The trap here is that candidates often confuse driver signing enforcement (WDAC or code signing policies) with controlling the source of driver updates, leading them to choose Option D or A, when the real requirement is to block automatic driver updates from Windows Update, not to enforce signing at execution time.

How to eliminate wrong answers

Option A is wrong because Windows Driver Frameworks (WDF) Coinstaller is used to install and register driver packages, not to enforce driver signing; it does not restrict which drivers can be installed. Option B is wrong because Device Installation Restrictions based on hardware IDs can block specific devices but do not control driver updates from Windows Update; they are designed to prevent installation of devices, not drivers. Option D is wrong because Windows Defender Application Control (WDAC) blocks unsigned binaries from executing, but it does not specifically target driver updates from Windows Update; it is a broader security control that can block legitimate signed drivers if not properly configured, and it is not the best approach for simply restricting driver updates.

29
MCQhard

Refer to the exhibit. An Intune compliance policy JSON for Windows 10 devices. A device with OS version 10.0.19041.1 and no encryption reports as noncompliant. What is the most likely reason?

A.The OS version exceeds the maximum allowed version.
B.The password type is set to 'deviceDefault' which does not support numeric PIN.
C.The OS version is below the minimum requirement.
D.The device does not have BitLocker encryption enabled.
AnswerD

The policy requires encryption, and the device has none.

Why this answer

Option D is correct because the policy sets storageRequireEncryption to true and the device reports no encryption, so that rule alone makes it noncompliant. Option A is wrong because 10.0.19041.1 does not exceed the policy's osMaximumVersion. Option C is wrong because 10.0.19041.1 is not below the osMinimumVersion.

Option B is wrong because a passwordRequiredType of deviceDefault accepts whatever the device already uses, a numeric PIN included, so it does not by itself produce a noncompliant result.

30
MCQmedium

Refer to the exhibit. You are reviewing a JSON representation of a Microsoft Intune compliance policy for Windows 10. The policy is assigned to a group of devices running Windows 10 version 22H2 (build 22621). The devices are non-compliant due to the OS version. What is the most likely reason?

A.The validOperatingSystemBuildRanges property is empty, causing all builds to be non-compliant.
B.The OS build is greater than the maximum version specified.
C.The OS build is less than the minimum version.
D.The policy requires a password but the devices have no password.
AnswerB

If the device build exceeds 22621, it becomes non-compliant.

Why this answer

Option B is correct because the policy specifies osMinimumVersion 10.0.19041.0 and osMaximumVersion 10.0.22621.0. Intune compares the full four-part version, so 10.0.22621.0 itself sits exactly at the inclusive maximum, but any device that has taken a cumulative update (for example 10.0.22621.3007) or an Insider build (10.0.22631.x) is greater than 10.0.22621.0 and therefore noncompliant. Note that build 22621 is Windows 11 22H2; Windows 10 22H2 is build 19045, so check the exhibit's build numbers against what the fleet actually runs before trusting the range.

Option C is incorrect because 22621 is not less than 19041. Option A is incorrect because an empty validOperatingSystemBuildRanges means no build-range restriction is applied, not that every build is blocked. Option D is incorrect because the devices are reported noncompliant for OS version, not for a missing password.
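The two compliance exhibits (questions 29 and 30) are easier to reason about with the evaluation written out. The following PowerShell is an added example, not from the page and not Intune's own engine: the policy JSON is constructed using the Graph property names of a windows10CompliancePolicy, and the device facts are passed in by hand. It shows why 10.0.19041.1 without encryption fails only the encryption rule, why a patched 22621 build exceeds a maximum of 10.0.22621.0, and that an empty validOperatingSystemBuildRanges imposes no restriction.

```powershell
# Added example, not from the page. Constructed policy using Graph property names.
$policyJson = @'
{
  "@odata.type": "#microsoft.graph.windows10CompliancePolicy",
  "displayName": "Win10 baseline (constructed)",
  "osMinimumVersion": "10.0.19041.0",
  "osMaximumVersion": "10.0.22621.0",
  "validOperatingSystemBuildRanges": [],
  "storageRequireEncryption": true,
  "passwordRequired": true,
  "passwordRequiredType": "deviceDefault",
  "passwordMinimumLength": 6
}
'@

function Test-DeviceCompliance {
    param(
        [Parameter(Mandatory)][string]$PolicyJson,
        [Parameter(Mandatory)][version]$OsVersion,
        [Parameter(Mandatory)][bool]$Encrypted,
        [bool]$HasPassword = $true
    )
    $p = $PolicyJson | ConvertFrom-Json
    $reasons = @()

    # Comparison is on the full four-part version, so 10.0.22621.3007 is GREATER than
    # osMaximumVersion 10.0.22621.0: a patched 22621 build exceeds that maximum.
    if ($p.osMinimumVersion -and $OsVersion -lt [version]$p.osMinimumVersion) {
        $reasons += "OS $OsVersion is below minimum $($p.osMinimumVersion)"
    }
    if ($p.osMaximumVersion -and $OsVersion -gt [version]$p.osMaximumVersion) {
        $reasons += "OS $OsVersion is above maximum $($p.osMaximumVersion)"
    }
    # An empty validOperatingSystemBuildRanges means "no range restriction", not "block all".
    if ($p.validOperatingSystemBuildRanges.Count -gt 0) {
        $inRange = $p.validOperatingSystemBuildRanges | Where-Object {
            $OsVersion -ge [version]$_.lowestVersion -and $OsVersion -le [version]$_.highestVersion
        }
        if (-not $inRange) { $reasons += "OS $OsVersion is outside every valid build range" }
    }
    if ($p.storageRequireEncryption -and -not $Encrypted) {
        $reasons += 'storageRequireEncryption is true but the system drive is not encrypted'
    }
    # deviceDefault accepts whatever the device provides (a numeric PIN included);
    # only a missing password violates passwordRequired.
    if ($p.passwordRequired -and -not $HasPassword) {
        $reasons += 'passwordRequired is true but no password or PIN is set'
    }

    [pscustomobject]@{
        OsVersion = $OsVersion
        Compliant = ($reasons.Count -eq 0)
        Reasons   = $reasons
    }
}

# Q29 device: 10.0.19041.1 with no encryption -> noncompliant, encryption rule only
Test-DeviceCompliance -PolicyJson $policyJson -OsVersion '10.0.19041.1' -Encrypted $false

# Q30 device: a patched 22621 build -> noncompliant, above the 10.0.22621.0 maximum
Test-DeviceCompliance -PolicyJson $policyJson -OsVersion '10.0.22621.3007' -Encrypted $true

# Same policy with the maximum raised past the patched build -> compliant
$relaxed = $policyJson | ConvertFrom-Json
$relaxed.osMaximumVersion = '10.0.22631.99999'
Test-DeviceCompliance -PolicyJson ($relaxed | ConvertTo-Json) -OsVersion '10.0.22621.3007' -Encrypted $true
```

The practical lesson is the one in the third call: if you must cap the OS version, cap it at the highest revision you are willing to accept (or leave the maximum empty), otherwise the first cumulative update after the cap lands pushes the whole fleet out of compliance.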

31
Multi-Selecthard

Which THREE permissions are required for a service account to register devices in Windows Autopilot? (Select THREE.)

Select 3 answers
A.Intune Administrator role
B.Security Reader role
C.Global Administrator role
D.Windows Autopilot device enrollment manager (DEM) permissions
E.Microsoft Entra ID join permission
AnswersA, D, E

This role allows managing Autopilot devices.

Why this answer

Option A is correct because the Intune Administrator role can manage Windows Autopilot devices and deployment profiles. Option D is correct because device enrollment manager (DEM) permissions let the account enroll and register many devices instead of the default per-user device limit. Option E is correct because the account must be permitted to join devices to Microsoft Entra ID for the Autopilot-driven join to complete.

Option B is wrong because Security Reader is read-only and cannot register or modify devices. Option C is wrong because Global Administrator is not required; a least-privilege service account should use the Intune Administrator role instead.

32
MCQhard

Your organization uses Microsoft Intune to manage Windows 10 devices. You deploy a Windows 10 feature update policy to keep devices on a specific version. After deployment, some devices report that the update is not being offered. The devices are not in a maintenance window. What is the most likely cause?

A.The devices are running a build that is newer than the target version
B.Windows Update for Business deferral or pause settings are blocking the update
C.The policy is not assigned to the correct group
D.The devices are in a maintenance window that blocks updates
AnswerB

Deferral or pause can prevent the update from being offered.

Why this answer

Option B is correct because Windows Update for Business pause and deferral settings take effect on the device before any offer is made: while quality or feature updates are paused, or a feature update deferral has not yet elapsed, Windows Update will not offer the targeted feature update even though the policy is assigned. Option C is wrong because the scenario states the policy was deployed to these devices. Option D is wrong because the scenario states the devices are not in a maintenance window.

Option A is wrong because a feature update policy never downgrades; a device already on a newer build simply stays there, whereas the scenario describes devices that need the update and are not being offered it.

33
MCQhard

You manage devices with Microsoft Intune. Users report that after a recent policy update, they cannot access company SharePoint sites on their Android devices. The devices show as compliant in Intune. What is the most likely cause?

A.The SharePoint site is configured to allow access only from specific IP ranges
B.The device compliance policy has a grace period for non-compliance, and the device is still within that period
C.An app protection policy is blocking access to SharePoint from the browser
D.A Conditional Access policy requires the use of the Microsoft Edge or Microsoft Authenticator app, but users are using Chrome
AnswerD

Conditional Access can require approved client apps; using an unapproved app can block access.

Why this answer

Option D is correct because a Conditional Access policy that requires an approved client app (or an app protection policy) grants access only from apps such as Microsoft Edge, Outlook, or apps brokered through Microsoft Authenticator; a request from Chrome fails that control even though the device is compliant, and a recent policy change is exactly what would make previously working access stop. Option B is wrong because a device inside a compliance grace period is still treated as compliant and is granted, not denied, access. Option A is wrong because a SharePoint IP restriction would not single out Android devices or coincide with an Intune policy update.

Option C is wrong because app protection policies govern data inside managed apps; on their own they do not decide whether a browser session to SharePoint is allowed.

34
MCQeasy

You need to configure Intune to automatically retire devices that have not checked in for 90 days. Where should you set this?

A.Compliance policies
B.Enrollment restrictions
C.Windows Autopilot devices blade
D.Device cleanup rules in Intune admin center
AnswerD

This allows automatic retirement of inactive devices.

Why this answer

Device cleanup rules in the Intune admin center (Tenant administration > Device cleanup rules) automatically delete the records of devices that have not checked in for a chosen number of days, anywhere from 30 to 270. This is the correct location because the rule exists for lifecycle management of stale devices, not for compliance or enrollment. Setting the threshold to 90 days removes from the console any device quiet for longer than that. Note that the rule removes the Intune record only: it does not wipe the device and it does not delete the device object from Microsoft Entra ID.

Exam trap

The trap here is that candidates often confuse compliance policies (which can mark devices as non-compliant for inactivity) with the actual retirement action, but compliance policies do not automatically retire devices—they only trigger conditional access or user notifications, whereas device cleanup rules perform the actual removal.

How to eliminate wrong answers

Option A is wrong because compliance policies evaluate device configuration and health against rules (e.g., requiring encryption or a minimum OS version) and can mark devices as non-compliant, but they do not automatically retire devices based solely on check-in inactivity. Option B is wrong because enrollment restrictions control which devices can enroll (e.g., by platform, OS version, or device manufacturer) and do not manage post-enrollment lifecycle actions like retirement. Option C is wrong because the Windows Autopilot devices blade is used to manage Autopilot deployment profiles and device registration for zero-touch provisioning, not to configure automatic retirement rules for stale devices.

35
MCQhard

You are evaluating Windows Autopilot for a hybrid Azure AD join scenario. Devices are domain-joined on-premises and will be hybrid Azure AD joined. Which prerequisite is required for Autopilot to perform hybrid Azure AD join?

A.Devices must have line-of-sight to an on-premises domain controller.
B.Devices must have VPN connectivity to Azure.
C.An Intune connector for Active Directory must be installed.
D.Azure AD Connect must be configured with password hash sync.
AnswerA

Required to join the domain during Autopilot.

Why this answer

For hybrid Azure AD join via Windows Autopilot, the device must complete the domain join during the out-of-box experience. This requires line-of-sight to an on-premises domain controller: the Intune Connector for Active Directory creates the computer object in the domain and hands the device an offline domain join blob, but applying that join and completing the first user sign-in only works when the device can reach a DC directly over the network.

Exam trap

The trap here is that candidates confuse the Intune Connector for Active Directory (which creates the computer account in AD and produces the offline domain join blob) with the network requirement; the connector does not replace line-of-sight to a domain controller, which the device still needs to apply the join and authenticate the user during OOBE.

How to eliminate wrong answers

Option B is wrong because VPN connectivity to Azure is not a requirement; what matters is reaching on-premises domain controllers (a VPN that provides that path is one way to get there, not the prerequisite itself). Option C is wrong because the connector handles computer-object creation on the server side, not the domain join step on the device. Option D is wrong because password hash sync is a sign-in option of Microsoft Entra Connect, not a hybrid join prerequisite; the hybrid join itself depends on Entra Connect synchronizing the computer object, and the device must still authenticate to the on-premises domain controller directly.

36
MCQmedium

Your organization uses Microsoft Intune to manage iOS devices. You need to ensure that only devices with a passcode longer than six characters can access corporate email. Which type of policy should you configure?

A.Device configuration profile
B.Device compliance policy
C.Enrollment restriction
D.App protection policy
AnswerB

Compliance policies check passcode length and are used with Conditional Access for access control.

Why this answer

Option B is correct because device compliance policies evaluate security settings such as passcode length, and Conditional Access then grants email access only to compliant devices. Option A is wrong because a configuration profile sets the passcode requirement on the device but does not gate access to email. Option C is wrong because enrollment restrictions only control which devices may enroll.

Option D is wrong because app protection policies manage data inside managed apps; they can require an app PIN but do not evaluate the device passcode for Conditional Access.

37
MCQmedium

A company uses Microsoft Intune to manage Windows 10 devices. They want to prevent users from installing unapproved applications. Which approach provides the most granular control?

A.Use the Microsoft Store for Business to deploy only approved apps.
B.Deploy AppLocker rules via Intune to allow only approved publishers.
C.Enable Windows Defender SmartScreen to block unknown apps.
D.Configure User Account Control (UAC) to always notify.
AnswerB

AppLocker provides granular control over app execution.

Why this answer

Option B is correct because AppLocker rules deployed through Intune allow or deny execution based on file attributes such as publisher, path, or hash, which is the finest-grained control among the options. Option A is wrong because the Microsoft Store for Business only governed Store apps, not Win32 installers or other executables (and it has since been retired). Option C is wrong because SmartScreen warns about unrecognised apps and does not enforce an allow list.

Option D is wrong because UAC prompts for elevation; it does not prevent a user from installing applications.

38
MCQhard

Your organization has 500 Windows 10 devices that are currently managed by Microsoft Configuration Manager (ConfigMgr). You plan to enable co-management with Microsoft Intune to leverage cloud-based policies and conditional access. The devices are on-premises Active Directory joined and are already enrolled in ConfigMgr. You need to configure the co-management workload slider in ConfigMgr to move the 'Device configuration' workload to Intune while keeping 'Compliance policies' and 'Windows Update policies' in ConfigMgr initially. The devices should automatically enroll in Intune upon receiving the co-management policy. You have already configured Azure AD Connect for hybrid Azure AD join. What should you do next?

A.Install the Intune connector for ConfigMgr and configure the workloads.
B.Create a Group Policy that enables automatic MDM enrollment to Intune.
C.In ConfigMgr, enable co-management, select the devices for pilot, and set the 'Device configuration' workload slider to 'Pilot Intune' or 'Intune'.
D.Configure hybrid Azure AD join for all devices via Group Policy and wait for auto-enrollment.
AnswerC

This configures the workload movement and triggers Intune enrollment for pilot devices.

Why this answer

Option C is correct because co-management is configured in the ConfigMgr console: enable co-management, specify the pilot collection, and move the Device configuration workload slider to Pilot Intune (pilot collection only) or Intune (all co-managed devices). The co-management policy itself triggers automatic Intune enrollment on the hybrid-joined clients. Option A is wrong because there is no separate Intune connector that distributes workloads; the cloud attach configuration lives in ConfigMgr. Option B is wrong because a Group Policy for automatic MDM enrollment is an alternative enrollment trigger but does not configure co-management or move any workload.

Option D is wrong because hybrid join is already configured, and the join alone does not enroll the device in Intune or move any workload.

39
MCQeasy

Your organization is deploying Windows 10 devices using Windows Autopilot. The devices are purchased from a vendor and will be shipped directly to users. You need to ensure that the devices are automatically enrolled in Intune and configured with your organization's standard settings as soon as the user turns on the device and connects to the internet. The devices should be Azure AD joined. What is the minimal configuration required?

A.Ask the vendor to configure the devices with your organization's settings before shipping.
B.Upload the device's hardware hash to Azure AD.
C.Instruct the user to manually enroll the device after receiving it.
D.Upload the device's hardware hash to Microsoft Intune.
AnswerD

The hash is needed for Autopilot device recognition.

Why this answer

Option D is correct because the hardware hash must be registered as a Windows Autopilot device in the Intune admin center (the vendor can submit it on your behalf) so that OOBE recognises the device, joins it to Microsoft Entra ID, and enrolls it in Intune. Option A is wrong because vendor pre-configuration is unnecessary; Autopilot applies your settings during OOBE. Option B is wrong because the hash is uploaded to the Autopilot devices list in Intune, not directly to Microsoft Entra ID.

Option C is wrong because manual enrollment by the user defeats the zero-touch requirement.

40
MCQeasy

Refer to the exhibit. You configure an Enrollment Status Page (ESP) policy as shown. During Windows Autopilot deployment, a device fails to install one of the required apps. What happens to the device?

A.The device blocks use and the user cannot proceed
B.The device automatically resets and retries
C.The user can skip the installation and use the device
D.The user can retry the installation
AnswerA

The device blocks use because allowDeviceUseOnInstallFailure is false.

Why this answer

Option A is correct because allowDeviceUseOnInstallFailure is false, so the device blocks use when a required app fails to install. allowDeviceResetOnInstallFailure is also false, so no reset is offered, and blockDeviceSetupRetryByUser is true, so the user cannot retry. Option D is wrong because the user cannot retry.

Option B is wrong because the device will not reset. Option C is wrong because the user cannot skip the installation.

41
Multi-Selectmedium

Your organization uses Microsoft Intune to manage devices. You need to configure a compliance policy for Windows devices that requires the device to be at a specific OS version and have antivirus enabled. Which TWO settings should you configure in the compliance policy?

Select 2 answers
A.Maximum OS version
B.Require antivirus (Windows Defender)
C.Minimum OS version
D.Device type
E.Storage encryption
AnswersB, C

Requires Windows Defender to be active.

Why this answer

Options B and C are correct because 'Minimum OS version' and 'Require antivirus' (Microsoft Defender Antivirus enabled) are Windows compliance policy settings that together express the requirement. Option A is wrong because, although Maximum OS version is also a compliance setting, capping the version would mark devices noncompliant as soon as they take a newer build; the requirement is met by the minimum. Option D is wrong because 'Device type' is not a compliance setting (platform restrictions belong to enrollment restrictions).

Option E is wrong because storage encryption is a real compliance setting, but the question does not ask for encryption.

42
MCQhard

Refer to the exhibit. An Intune administrator configures an Autopilot deployment profile with the shown settings. During OOBE, a device fails to install a required app and enrollment fails. What will happen to the device?

A.The device will be allowed to proceed because enrollment status is notStarted.
B.The device will retry enrollment automatically.
C.The device will be blocked from completing OOBE.
D.The device will be blocked until retry due to pendingRetry setting.
AnswerC

Failure action is set to block.

Why this answer

Option C is correct because the exhibit sets "deviceEnrollmentFailureAction": "block", so a failed enrollment stops the device from completing OOBE. Option A is wrong because an enrollment status of notStarted describes the state before enrollment runs, not what happens after a failure. Option B is wrong because nothing in the profile retries enrollment automatically.

Option D is wrong because the block settings for notApplicable, pendingRetry and timeout are false; the block comes from the failure action, not from the pendingRetry setting.

43
MCQeasy

You need to manage updates for Windows 10 devices using Microsoft Intune. You want to ensure that critical security updates are installed within 7 days of release, while feature updates are deferred for 60 days. Which approach should you use?

A.Create a Windows update ring policy with quality update deferral set to 7 days and feature update deferral set to 60 days.
B.Create a Windows feature update profile to deploy the latest feature update after 60 days.
C.Create a device compliance policy requiring devices to install updates within 7 days.
D.Configure Windows Update for Business settings via a configuration profile.
AnswerA

Update rings allow granular deferral settings for quality and feature updates.

Why this answer

Option A is correct because Windows update ring policies in Microsoft Intune control both quality (security) and feature update deferral periods in one profile. A 7-day quality deferral and a 60-day feature deferral express the two requirements without additional profiles or compliance policies. One caveat a practitioner should keep in mind: a deferral delays when an update is offered to the device, so a 7-day quality deferral makes a patch visible a week after release; what forces installation by a given day is the ring's deadline settings (deadline for quality updates plus grace period). Pick deferral and deadline together so that the combined window matches the 7-day target.

Exam trap

The trap here is that candidates often confuse update ring policies (which manage deferral periods) with feature update profiles (which target specific versions) or compliance policies (which only report compliance status), leading them to select B or C instead of the correct ring-based approach.

How to eliminate wrong answers

Option B is wrong because a Windows feature update profile pins devices to a specific feature update version (e.g., Windows 10 22H2); it does not manage deferral periods or quality update timing. Option C is wrong because a compliance policy can require a minimum OS version or build but cannot schedule or enforce installation; it only reports and feeds Conditional Access. Option D is wrong because a generic configuration profile (settings catalog or custom OMA-URI against the Update CSP) would reproduce by hand what an update ring already exposes as a purpose-built profile with deferrals, deadlines and pause controls in one place; the ring is the intended answer.
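An update ring created over Microsoft Graph, as an added PowerShell example that is not part of the page. The first hashtable is option A taken literally (deferral 7 and 60, nothing else); the second goes one step further than the option, as the caveat above suggests: quality updates are offered immediately and a 5-day deadline plus 2-day grace period enforces installation by day 7, while feature updates stay deferred 60 days. Property names are those of the Graph windowsUpdateForBusinessConfiguration resource; the display names and the group id are constructed placeholders, and the example assumes Connect-MgGraph with the scope shown.

```powershell
# Added example, not from the page. Requires the Microsoft.Graph PowerShell module.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All' | Out-Null

# Option A as stated: quality updates offered 7 days after release, feature updates after 60.
# Nothing here forces the install, so "installed within 7 days" is not actually guaranteed.
$asAnswered = @{
    '@odata.type'                      = '#microsoft.graph.windowsUpdateForBusinessConfiguration'
    displayName                        = 'Ring - as answered (constructed)'
    qualityUpdatesDeferralPeriodInDays = 7
    featureUpdatesDeferralPeriodInDays = 60
}

# What meets the requirement: offer security updates at once and enforce install by day 7.
# The deadline counts from the day the update is offered; the grace period is part of that window.
$meetsRequirement = @{
    '@odata.type'                      = '#microsoft.graph.windowsUpdateForBusinessConfiguration'
    displayName                        = 'Ring - Broad (constructed)'
    automaticUpdateMode                = 'autoInstallAtMaintenanceTime'
    qualityUpdatesDeferralPeriodInDays = 0    # offered on release day
    deadlineForQualityUpdatesInDays    = 5    # forced install 5 days after offer ...
    deadlineGracePeriodInDays          = 2    # ... plus 2 days before a forced restart = 7 days
    featureUpdatesDeferralPeriodInDays = 60   # feature updates held back 60 days
    deadlineForFeatureUpdatesInDays    = 7
    postponeRebootUntilAfterDeadline   = $false
    driversExcluded                    = $false
    microsoftUpdateServiceAllowed      = $true
}

$ring = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations' `
    -Body $meetsRequirement
"Created update ring $($ring.id) ($($ring.displayName))"

# Assign the ring to a device group (group id is a constructed placeholder).
$assignment = @{
    assignments = @(
        @{ target = @{
            '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
            groupId       = '00000000-0000-0000-0000-000000000000'
        } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/$($ring.id)/assign" `
    -Body $assignment
```

Swap $meetsRequirement for $asAnswered in the POST to create the ring exactly as the option describes it; the point of keeping both is that the deferral-only version compiles and deploys fine, it just does not guarantee the seven-day install the question asks for.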

44
MCQmedium

Your organization uses Microsoft Intune to manage Android Enterprise devices. You need to enroll a personally owned device with a work profile. Which enrollment method should the user use?

A.Android Enterprise fully managed enrollment.
B.Android Enterprise personally owned work profile enrollment.
C.Android Enterprise corporate-owned work profile enrollment.
D.Corporate-owned dedicated device enrollment.
AnswerB

This creates a work profile on a personal device.

Why this answer

Option B is correct because a personally owned device with a work profile uses the Android Enterprise personally owned work profile (BYOD) enrollment, which the user starts from the Company Portal app; the work profile keeps corporate apps and data separate from the personal side of the device. Option A is wrong because fully managed enrollment is for corporate-owned devices and manages the whole device. Option C is wrong because the corporate-owned work profile is for company-owned devices that also allow personal use.

Option D is wrong because dedicated devices are corporate-owned, kiosk-style devices with no user affinity.

45
MCQhard

Your organization uses Microsoft Intune to manage Windows 10 devices. You deploy a PowerShell script via Intune management extension to install a legacy application. The script runs successfully on most devices, but fails on devices that have the 'LocalSystem' account disabled. What should you do to resolve the issue?

A.Configure the script to run in the user context by modifying the script settings in Intune
B.Change the script to run as the logged-on user using a scheduled task
C.Deploy the script using Microsoft Configuration Manager instead
D.Re-enable the LocalSystem account on the affected devices
AnswerA

Intune allows scripts to run in user context, which may resolve the issue.

Why this answer

Option A is correct because Intune management extension scripts run as SYSTEM by default; the script's 'Run this script using the logged on credentials' setting switches execution to the signed-in user's context, which sidesteps whatever stops the SYSTEM-context run on the affected devices (at the cost of per-machine privileges, so the installer must work per-user). Read the scenario's premise loosely: LocalSystem is a built-in identity rather than an account that can be disabled, so treat it as "the SYSTEM-context run fails on these devices". Option B is wrong because a scheduled task impersonating the user is an unsupported workaround when Intune already offers the user-context setting.

Option C is wrong because switching to Configuration Manager is not needed to change the execution context. Option D is wrong because tampering with the state of the LocalSystem identity on endpoints is not an appropriate fix and has security implications.

46
MCQhard

Your company has a Microsoft 365 E5 subscription. You are planning to deploy Windows 11 using Microsoft Intune. You need to ensure that devices automatically receive English (US) language pack and regional settings during the provisioning process. You plan to use a provisioning package (PPKG) created with Windows Configuration Designer. What should you include in the PPKG?

A.Add a PowerShell script that runs during Autopilot to set language and region.
B.Include the 'Language' and 'RegionalSettings' settings in the PPKG.
C.Assign an Intune Language Pack policy to the device group.
D.Create a Group Policy Object that sets language and region, and link it to the device OU.
AnswerB

Windows Configuration Designer allows embedding language and regional settings directly.

Why this answer

Windows Configuration Designer (WCD) directly supports configuring language and regional settings within a provisioning package (PPKG) through built-in settings. Including the 'Language' and 'RegionalSettings' settings in the PPKG ensures these configurations are applied during the out-of-box experience (OOBE) or provisioning process, without requiring additional scripts or policies. This is the most efficient and supported method for offline or Autopilot pre-provisioning scenarios.

Exam trap

The trap here is that candidates often assume a PowerShell script or Intune policy is required for language configuration, overlooking that Windows Configuration Designer provides native, first-class settings for language and region within a PPKG.

How to eliminate wrong answers

Option A is wrong because adding a PowerShell script that runs during Autopilot to set language and region is unnecessary and less reliable; the PPKG can natively set these settings without scripting, and Autopilot does not guarantee script execution before user logon for language pack installation. Option C is wrong because Intune Language Pack policies are designed for deploying language packs to already-provisioned devices, not for setting regional settings during the initial provisioning process via a PPKG. Option D is wrong because Group Policy Objects (GPOs) require domain-joined devices and Active Directory, which are not applicable during the provisioning phase of a PPKG-based deployment, and GPOs cannot be applied during OOBE.

47
Multi-Selectmedium

You are planning to deploy Microsoft 365 Apps to Windows devices using Microsoft Intune. Which TWO methods can you use to deploy Microsoft 365 Apps? (Choose two.)

Select 2 answers
A.Android store app type.
B.Windows Installer (Win32) app type using the Office Deployment Tool.
C.Web link app type pointing to the Office website.
D.iOS store app type.
E.Microsoft 365 Apps for Windows app type in Intune.
AnswersB, E

Win32 apps can deploy Office via the Office Deployment Tool.

Why this answer

Option B is correct because the Windows Installer (Win32) app type in Intune allows you to deploy Microsoft 365 Apps using the Office Deployment Tool (ODT), which provides granular control over installation settings, languages, and update channels. Option E is correct because Intune includes a dedicated 'Microsoft 365 Apps for Windows' app type that simplifies deployment by automatically configuring the ODT XML and handling the installation process without manual scripting.

Exam trap

The trap here is that candidates often confuse the 'Web link' app type with a valid deployment method, thinking it will trigger an installation, when in fact it only provides a browser shortcut to the Office website without any local installation.

48
MCQhard

You are the endpoint administrator for Contoso, a company with 5,000 employees. The organization uses Microsoft Intune for device management and Microsoft Entra ID for identity. The current environment includes: - 3,000 Windows 11 Enterprise devices (corporate-owned, managed via Intune) - 1,500 iOS devices (corporate-owned, managed via Intune) - 500 Android devices (BYOD, managed via Intune with work profile) - 200 macOS devices (corporate-owned, managed via Intune) You need to implement a solution to automatically enroll new Windows 11 devices purchased from a vendor. The devices should be pre-provisioned with the organization's configuration and applications without requiring IT staff to touch them. Additionally, you need to ensure that only compliant devices can access corporate email and documents. The solution must minimize manual effort and leverage cloud-based services. You have the following requirements: 1. Zero-touch enrollment for new Windows 11 devices. 2. Devices must be automatically configured with security policies and required applications. 3. Conditional access to Microsoft 365 resources based on device compliance. 4. Support for both corporate and BYOD devices. Which of the following actions should you take FIRST to meet the zero-touch enrollment requirement?

A. Create a dynamic device group in Microsoft Entra ID that includes all Windows 11 devices.
B. Assign Microsoft Intune licenses to all users who will receive the new devices.
C. Register the devices in Windows Autopilot by providing the hardware hash to the Microsoft Intune admin center.
D. Create a compliance policy that requires BitLocker encryption and a minimum OS version.
Answer: C

Registering the hardware hash is the first step to enable Autopilot, which provides zero-touch deployment.

Why this answer

Option C is correct because Windows Autopilot is the cloud-based zero-touch deployment solution that uses hardware hashes to register devices in Intune, enabling them to automatically enroll and receive configurations without IT intervention. This directly meets the requirement for pre-provisioned Windows 11 devices with no manual touch.

Exam trap

The trap here is confusing post-enrollment configuration steps (like creating groups or compliance policies) with the prerequisite enrollment mechanism, leading candidates to select a step that is necessary but not sufficient for zero-touch deployment.

How to eliminate wrong answers

Option A is wrong because creating a dynamic device group in Entra ID is a post-enrollment step for applying policies or targeting apps, not a mechanism for zero-touch enrollment itself. Option B is wrong because assigning Intune licenses is a prerequisite for enrollment but does not automate the enrollment process; it must be combined with Autopilot registration to achieve zero-touch. Option D is wrong because creating a compliance policy enforces security settings after enrollment, but it does not initiate or automate the enrollment process.

49 · Multi-Select · hard

You are configuring Windows Hello for Business in Microsoft Intune. Which THREE settings are required to enable Windows Hello for Business on Windows 10 devices?

Select 3 answers
A. Configure a certificate enrollment policy for smart cards.
B. Set minimum PIN length to at least 4 digits.
C. Enable biometric authentication.
D. Enable Windows Hello for Business in the identity protection policy.
E. Configure a PIN complexity policy.
Answers: B, D, E

A minimum PIN length is required.

Why this answer

Option B is correct because Windows Hello for Business requires a minimum PIN length of at least 4 digits when configured via Intune's identity protection policy. This setting is mandatory to enforce a baseline level of security for the PIN-based authentication method, and Intune will not enable Windows Hello for Business without a defined minimum PIN length.

Exam trap

The trap here is that candidates often assume biometric authentication is required for Windows Hello for Business, but Microsoft explicitly allows PIN-only deployments, and the mandatory settings are enabling the feature and configuring PIN complexity (including minimum length).

50 · MCQ · easy

Your organization requires that all corporate laptops be encrypted. You manage Windows 10 devices with Microsoft Intune. Which policy should you configure?

A. Enable Device Encryption in Windows settings.
B. Configure a FileVault policy for Windows devices.
C. Create a BitLocker policy in Intune Endpoint Protection.
D. Deploy an Encrypting File System (EFS) policy.
Answer: C

BitLocker provides full disk encryption and can be managed via Intune.

Why this answer

Option C is correct because Microsoft Intune's Endpoint Protection policy includes a dedicated BitLocker settings section that allows administrators to enforce encryption on Windows 10 devices. This policy centrally manages BitLocker drive encryption, recovery key escrow to Azure AD, and encryption method (e.g., XTS-AES 128-bit), meeting the requirement for corporate laptop encryption.

Exam trap

The trap here is confusing file-level encryption (EFS) with full-disk encryption (BitLocker), or assuming that Device Encryption in Windows settings is the same as BitLocker, when in fact Device Encryption is a limited feature only available on specific hardware and lacks the management capabilities of Intune's BitLocker policy.

How to eliminate wrong answers

Option A is wrong because 'Enable Device Encryption' in Windows settings is a client-side toggle that only enables hardware-based encryption on devices that support InstantGo (Modern Standby), and it cannot be centrally managed or enforced via Intune policy. Option B is wrong because FileVault is Apple's full-disk encryption technology for macOS, not applicable to Windows 10 devices. Option D is wrong because Encrypting File System (EFS) provides file-level encryption, not full-disk encryption, and is managed via NTFS permissions or Group Policy, not Intune's endpoint protection policies for BitLocker.

51 · MCQ · hard

You are deploying Windows 10 to 100 new devices using Microsoft Deployment Toolkit (MDT). You want to integrate with Microsoft Intune for post-deployment management. Which MDT integration method should you use?

A. Use Microsoft Configuration Manager to deploy the devices and then co-manage with Intune.
B. Configure Windows Autopilot for the devices and skip MDT.
C. Create a provisioning package in MDT that includes the Intune enrollment configuration and apply it during the deployment task sequence.
D. Install the Intune connector for MDT and configure it during deployment.
Answer: C

The provisioning package can include MDM enrollment settings.

Why this answer

Option C is correct because MDT can generate a provisioning package that includes Intune enrollment details, which is applied during deployment. Option D is incorrect because MDT does not directly integrate with Intune via a connector. Option A is incorrect because Configuration Manager integration is separate.

Option B is incorrect because Autopilot is a different deployment method.

52 · Multi-Select · medium

You are configuring Microsoft Intune device compliance policies for Windows 10. Which THREE settings can be evaluated by compliance policies? (Choose three.)

Select 3 answers
A. Windows Firewall status
B. Minimum OS version
C. BitLocker encryption status
D. Password policy (length, complexity)
E. Threat level from Microsoft Defender for Endpoint
Answers: B, D, E

Compliance can require a minimum OS version.

Why this answer

Options B, D, and E are correct. Compliance policies can evaluate threat level, OS version, and password settings. Option C is incorrect because BitLocker is evaluated by device configuration policies, not compliance.

Option A is incorrect because firewall status is a configuration policy, not typically a compliance setting.

53 · Multi-Select · medium

Your organization uses Microsoft Intune to manage corporate-owned iOS devices. You need to ensure that devices are supervised and can be configured with restrictions that cannot be removed by the user. Which THREE steps must you take?

Select 3 answers
A. Add devices to Apple Business Manager (ABM).
B. Configure automated device enrollment (formerly DEP) in ABM and link to Intune.
C. Create an iOS enrollment profile in Intune with 'Supervised' enabled.
D. Assign a user to each device during enrollment.
E. Create a device compliance policy that requires supervision.
Answers: A, B, C

ABM is required for supervision.

Why this answer

Options A, B, and C are correct. Supervising devices requires Apple Business Manager, automated enrollment, and a supervision profile. Option D is not required because supervised devices do not need user affinity for supervision.

Option E is for device compliance, not supervision.

54 · MCQ · hard

You are troubleshooting a Windows 10 device that fails to enroll in Microsoft Intune. The device shows error code 0x8018000b. You verify that the user has a valid Intune license and that the device is running Windows 10 Pro. What is the most likely cause of the enrollment failure?

A. The device is running Windows 10 Home edition.
B. MDM enrollment is blocked by a local Group Policy or registry setting.
C. The device is not connected to the internet.
D. The device has an expired certificate required for enrollment.
Answer: B

This error code indicates enrollment is disabled via policy.

Why this answer

Option B is correct because error 0x8018000b typically indicates that MDM enrollment is blocked via Group Policy or registry. Option C is incorrect because the error is specific to MDM enrollment blocking. Option A is incorrect because the device edition is Pro, which supports enrollment.

Option D is incorrect because certificate issues usually produce different errors.

55 · Multi-Select · hard

Which THREE factors should you consider when planning a Microsoft Intune migration from Configuration Manager?

Select 3 answers
A. The use of co-management to gradually move workloads.
B. The ability to manage on-premises servers with Intune.
C. The compatibility of existing application packages with Intune formats (Win32, LOB).
D. The need for an on-premises Intune server.
E. Network bandwidth requirements for device communication with Intune.
Answers: A, C, E

Co-management enables you to manage devices with both Configuration Manager and Intune, allowing a phased migration.

Why this answer

Option A is correct because co-management allows you to attach your existing Configuration Manager deployment to Microsoft Intune, enabling a gradual migration of workloads (e.g., compliance policies, device configuration, Windows Update policies) at your own pace. This hybrid approach lets you keep some management functions on-premises while testing and shifting others to the cloud, minimizing disruption and providing a rollback path.

Exam trap

The trap here is that candidates often assume Intune can manage on-premises servers like Configuration Manager does, or that an on-premises Intune server exists, when in reality Intune is purely cloud-based and cannot replace Configuration Manager for server management.

56 · MCQ · medium

Your organization uses Microsoft Defender for Endpoint (Defender XDR) to manage endpoint security. You need to ensure that all Windows devices report their security baselines compliance to Intune. Which configuration should you verify?

A. Devices are onboarded to Defender for Endpoint
B. Group Policy objects are linked to the domain
C. Security baselines are configured and assigned in Intune endpoint security
D. Devices are registered in Microsoft 365 Defender portal
Answer: C

Directly manages baseline compliance.

Why this answer

Option C is correct because Intune security baselines are the mechanism that defines and enforces security configuration policies on Windows devices. To report compliance with those baselines, the baselines must first be configured and assigned to the devices via Intune endpoint security. Without this assignment, devices have no baseline to compare against, and compliance reporting will not occur.

Exam trap

The trap here is that candidates often confuse onboarding to Defender for Endpoint (which enables security telemetry and threat detection) with the separate requirement of configuring and assigning Intune security baselines to enforce and report compliance.

How to eliminate wrong answers

Option A is wrong because onboarding devices to Defender for Endpoint ensures they can send telemetry and be managed for threat detection, but it does not by itself configure or report on security baseline compliance; that requires Intune security baseline policies. Option B is wrong because Group Policy objects are a traditional on-premises management tool that does not report compliance to Intune; Intune uses its own policy engine and MDM channel, not GPOs. Option D is wrong because registering devices in the Microsoft 365 Defender portal is part of the Defender for Endpoint onboarding process and does not create or assign security baseline policies; compliance reporting to Intune requires the Intune security baseline assignment.

57 · MCQ · hard

You are the endpoint administrator for Contoso Ltd., a multinational company with 10,000 Windows 10 and 11 devices managed by Microsoft Intune. The company recently acquired a subsidiary that uses on-premises Active Directory and Configuration Manager. The subsidiary's devices are not joined to Microsoft Entra ID. Your goal is to migrate these devices to cloud management with Intune within six months. The subsidiary has 2,000 devices, all running Windows 10. The devices are currently domain-joined and managed by ConfigMgr. You need to choose the most efficient migration strategy that minimizes user disruption and leverages existing investments. The subsidiary has a high-speed WAN link to the corporate network. You have the following options:

A) Use ConfigMgr to deploy a task sequence that performs a wipe-and-load with Windows Autopilot, then enroll in Intune.
B) Use ConfigMgr co-management with Intune, then gradually transition workloads to Intune, and finally switch devices to Entra ID join.
C) Use a provisioning package (PPKG) to join devices to Entra ID and enroll in Intune, while keeping ConfigMgr client for legacy apps.
D) Use Windows Autopilot for existing devices by uploading hardware hashes, resetting devices, and re-provisioning.

Which option should you choose?

A. Use a provisioning package (PPKG) to join devices to Entra ID and enroll in Intune, while keeping ConfigMgr client for legacy apps
B. Use ConfigMgr co-management with Intune, then gradually transition workloads to Intune, and finally switch devices to Entra ID join
C. Use Windows Autopilot for existing devices by uploading hardware hashes, resetting devices, and re-provisioning
D. Use ConfigMgr to deploy a task sequence that performs a wipe-and-load with Windows Autopilot, then enroll in Intune
Answer: B

Smooth migration with minimal disruption.

Why this answer

Option B is correct because co-management allows you to gradually transition Configuration Manager workloads to Intune without disrupting existing management, leveraging the existing ConfigMgr infrastructure and high-speed WAN link. This minimizes user disruption by keeping devices domain-joined initially, then switching to Entra ID join after workloads are migrated, which is the most efficient path for 2,000 existing domain-joined devices.

Exam trap

The trap here is that candidates often choose Autopilot or PPKG options because they seem 'modern,' but for existing domain-joined devices with ConfigMgr, co-management is the least disruptive and most efficient migration path, not a full wipe or provisioning package.

How to eliminate wrong answers

Option A is wrong because using a provisioning package (PPKG) to join devices to Entra ID and enroll in Intune while keeping the ConfigMgr client creates a dual-management scenario without the benefit of co-management's workload transition capabilities, leading to conflicts and no gradual migration path. Option C is wrong because Windows Autopilot for existing devices requires uploading hardware hashes and resetting devices, which causes significant user disruption (data loss, re-provisioning) and does not leverage the existing ConfigMgr investment or the high-speed WAN link. Option D is wrong because using ConfigMgr to deploy a task sequence that performs a wipe-and-load with Windows Autopilot is overly disruptive (full wipe, data loss) and inefficient compared to co-management, which allows a phased, non-destructive migration.

58 · MCQ · hard

You are troubleshooting a Windows 11 device that fails to enroll in Intune via Group Policy. The device is domain-joined and you have configured the 'Enable automatic MDM enrollment using default Azure AD credentials' GPO. The user has a valid Microsoft 365 license. What is the most likely reason for the failure?

A. The device is not registered in Azure AD.
B. The GPO is not linked to the correct organizational unit.
C. The user does not have an Intune license assigned.
D. The device does not have a service connection point configured.
Answer: A

Devices must be registered in Azure AD for the GPO to trigger enrollment.

Why this answer

Option A is correct because the GPO trigger requires the device to be registered in Azure AD; domain-join alone is not enough. Option C is wrong because the user license is present. Option B is wrong because the GPO is correct.

Option D is wrong because the service connection point is for SCCM.

59 · Multi-Select · medium

You need to configure device compliance policies in Microsoft Intune for Windows 10 devices. Which THREE settings can you include in a compliance policy? (Choose three.)

Select 3 answers
A. Require BitLocker.
B. Maximum OS version.
C. Allow camera.
D. Require a password to unlock the device.
E. Minimum OS version.
Answers: A, D, E

BitLocker is a device health setting in compliance policies.

Why this answer

Option A is correct because BitLocker is a built-in Windows 10 encryption feature that can be required via a device compliance policy in Microsoft Intune. When you configure a compliance policy for Windows 10, you can set the 'Require BitLocker' setting to 'Require' to ensure the device's operating system drive is encrypted, which is a common security baseline for corporate devices.

Exam trap

The trap here is that candidates often confuse compliance policy settings (which enforce security baselines like encryption and OS version minimums) with device configuration profile settings (which manage features like camera permissions), leading them to incorrectly select 'Allow camera' as a compliance option.

60 · MCQ · medium

Your organization uses Microsoft Intune to manage Windows 11 devices. You need to ensure that only devices with TPM 2.0 and UEFI Secure Boot enabled can enroll. Which configuration profile setting should you configure?

A. Create a Conditional Access policy requiring compliant devices
B. Configure a BitLocker policy in Endpoint Security
C. Set a compliance policy for device health
D. Enable Device Health Attestation (DHA) in enrollment restrictions
Answer: D

DHA verifies TPM and Secure Boot before enrollment.

Why this answer

Device Health Attestation (DHA) in enrollment restrictions allows you to block enrollment for devices that do not meet specific hardware security requirements, such as TPM 2.0 and UEFI Secure Boot enabled. When configured, Intune verifies these attestation claims during the enrollment process and rejects non-compliant devices before they can enroll. This is the only setting that enforces hardware prerequisites at the enrollment stage, not after the device is already managed.

Exam trap

The trap here is that candidates confuse post-enrollment compliance policies (which only mark devices non-compliant) with enrollment restrictions (which block enrollment entirely), leading them to choose Option C instead of D.

How to eliminate wrong answers

Option A is wrong because a Conditional Access policy requiring compliant devices operates after enrollment, checking compliance status during resource access, not blocking enrollment itself. Option B is wrong because a BitLocker policy in Endpoint Security configures encryption settings on already-enrolled devices and does not enforce TPM or Secure Boot requirements during enrollment. Option C is wrong because a compliance policy for device health evaluates devices after they are enrolled and can mark them non-compliant, but it does not prevent enrollment from occurring in the first place.

61 · MCQ · easy

You need to deploy Windows 10 Enterprise to 100 new computers using Microsoft Intune. The computers are not yet joined to Microsoft Entra ID. What is the recommended method?

A. Join each device to Entra ID manually and then enroll in Intune.
B. Create a provisioning package using Windows Configuration Designer and deploy via USB.
C. Register the devices in Windows Autopilot and deploy an Autopilot profile.
D. Use a Configuration Manager task sequence to deploy the OS.
Answer: C

Autopilot automates the deployment and enrollment process.

Why this answer

Windows Autopilot is the recommended method for deploying Windows 10 Enterprise to new devices that are not yet joined to Microsoft Entra ID because it automates the entire provisioning process—from joining Entra ID to enrolling in Intune—without requiring any manual intervention or imaging. By registering the devices in Autopilot and deploying an Autopilot profile, the out-of-box experience (OOBE) is customized to join Entra ID and enroll in Intune automatically, ensuring a zero-touch deployment that aligns with modern management best practices.

Exam trap

The trap here is that candidates often confuse provisioning packages (Option B) as the recommended method for cloud-only deployments, but Autopilot is specifically designed for zero-touch, cloud-native provisioning and is the correct answer for new devices not yet joined to Entra ID.

How to eliminate wrong answers

Option A is wrong because manually joining each device to Entra ID and then enrolling in Intune is not recommended for 100 new computers; it is labor-intensive, error-prone, and defeats the purpose of automated, scalable deployment. Option B is wrong because provisioning packages created with Windows Configuration Designer are typically used for bulk provisioning in on-premises or hybrid scenarios, but they do not leverage cloud-native Autopilot capabilities and require physical USB deployment, which is less efficient for remote or large-scale rollouts. Option D is wrong because using a Configuration Manager task sequence to deploy the OS is a traditional imaging approach that relies on on-premises infrastructure and does not integrate natively with cloud-based Entra ID join and Intune enrollment, making it unsuitable for a modern, cloud-first deployment strategy.

62 · Multi-Select · medium

Which TWO of the following are benefits of using Windows Autopilot for device provisioning?

Select 2 answers
A. Eliminates the requirement for a Microsoft Entra ID subscription.
B. Allows end users to set up their own devices with minimal IT involvement.
C. Enables device provisioning over a VPN connection.
D. Reduces the need for custom imaging and manual setup.
E. Supports deployment without any internet connectivity.
Answers: B, D

Autopilot provides a self-service deployment experience.

Why this answer

Option B is correct because Windows Autopilot leverages the device's hardware identity (hash) to automatically enroll it in Microsoft Entra ID and join it to a domain or tenant, allowing end users to complete the setup process themselves with minimal IT intervention. This reduces helpdesk calls and streamlines the out-of-box experience (OOBE) by presenting only necessary screens.

Exam trap

The trap here is that candidates often assume Autopilot can work over a VPN or without internet because it is a cloud-based service, but it requires direct internet access during OOBE before any VPN client is installed.

63 · MCQ · medium

You are the Intune administrator for Fabrikam, Inc., which has 5,000 Windows 10 devices. The company wants to move from on-premises Group Policy management to Intune. You have already deployed the Intune Management Extension to all devices. However, some devices are not receiving policies. You discover that these devices are not enrolled in Intune. You need to enroll all devices as quickly as possible with minimal user interaction. The devices are already joined to on-premises Active Directory. You have Microsoft Entra ID Connect configured. What should you do?

A. Configure the MDM user scope in Microsoft Entra ID to All, and ensure devices are hybrid joined.
B. Distribute a script to each user to run manually.
C. Deploy Windows Autopilot to reset and re-enroll each device.
D. Use the Intune Enrollment Status Page to force enrollment.
Answer: A

This enables automatic enrollment for hybrid joined devices.

Why this answer

Option A is correct because configuring the MDM user scope to 'All' in Microsoft Entra ID triggers automatic MDM enrollment for hybrid Azure AD-joined devices when combined with Microsoft Entra ID Connect. Since the devices are already joined to on-premises AD and Entra ID Connect is configured, setting the MDM scope to 'All' enables automatic, silent enrollment via the scheduled task created by the Group Policy for automatic enrollment, requiring no user interaction beyond sign-in.

Exam trap

The trap here is that candidates often confuse the Enrollment Status Page (ESP) as an enrollment trigger, when in fact it is a post-enrollment configuration tool, or they mistakenly believe Autopilot is required for hybrid devices, ignoring the simpler automatic enrollment path via MDM scope and hybrid join.

How to eliminate wrong answers

Option B is wrong because distributing a script for manual execution requires user interaction and administrative overhead, which contradicts the goal of minimal user interaction and rapid enrollment. Option C is wrong because Windows Autopilot resets the device and requires re-joining to Azure AD, which is disruptive, time-consuming, and not suitable for already domain-joined devices that only need Intune enrollment. Option D is wrong because the Enrollment Status Page (ESP) is a configuration within Intune that controls device setup progress during enrollment, not a mechanism to trigger or force enrollment on unenrolled devices.

64 · MCQ · medium

Your organization is migrating from on-premises Active Directory to Microsoft Entra ID. You plan to use Windows Autopilot for new devices. Which prerequisite must be met for Autopilot to work with Entra ID?

A. Devices must be registered in Autopilot using hardware hash
B. Devices must be domain-joined to on-premises AD
C. An Azure AD Premium P2 license must be assigned
D. Configuration Manager must be deployed for OS imaging
Answer: A

Prerequisite for Autopilot deployment.

Why this answer

Windows Autopilot requires that each device be registered in the Autopilot service using its unique hardware hash (also known as a hardware ID). This hash is collected from the device's firmware and uploaded to the Autopilot deployment service, which then associates the device with the target tenant. Without this registration, Autopilot cannot identify the device during the out-of-box experience (OOBE) and cannot automatically enroll it into Microsoft Entra ID.

Exam trap

The trap here is that candidates often assume Autopilot requires an on-premises domain join (option B) because they confuse Autopilot with traditional imaging or hybrid Azure AD join scenarios, but Autopilot's core value is cloud-native, domain-join-free provisioning.

How to eliminate wrong answers

Option B is wrong because Autopilot devices do not need to be domain-joined to on-premises Active Directory; Autopilot is designed to directly join devices to Microsoft Entra ID (formerly Azure AD) during OOBE, bypassing any on-premises dependency. Option C is wrong because while Azure AD Premium P2 licenses provide additional features like Identity Protection and Privileged Identity Management, Autopilot itself only requires Azure AD Premium P1 (or Microsoft 365 E3/E5) for the Autopilot deployment profile and automatic enrollment; P2 is not a prerequisite. Option D is wrong because Configuration Manager is not required for Autopilot; Autopilot uses cloud-based provisioning via Microsoft Intune and does not rely on any on-premises imaging or OS deployment tool like Configuration Manager.

65 · MCQ · medium

Your organization uses Microsoft Intune to manage Windows 10/11 devices. You need to configure a Windows Autopilot deployment for new devices that are shipped directly to users. The devices must be automatically enrolled in Intune and configured with your organization's standard settings. What is the minimum requirement for the device to be recognized by Windows Autopilot?

A. The device must have a Microsoft Entra ID Premium P2 license assigned.
B. The device must have its hardware hash uploaded to Microsoft Intune.
C. The device must be Azure AD registered before shipping.
D. The device must be joined to on-premises Active Directory first.
Answer: B

The hardware hash uniquely identifies the device for Autopilot.

Why this answer

Option B is correct because Windows Autopilot requires the device's hardware hash to be uploaded to the Autopilot service. Option D is incorrect because devices do not need to be joined to on-premises AD first. Option C is incorrect because Azure AD join is configured during the Autopilot process, not a prerequisite.

Option A is incorrect because the hardware hash is the minimum requirement, not a Microsoft Entra ID Premium license (though some features may require it).

66 · MCQ · medium

You are designing a Windows Autopilot deployment for a new fleet of devices. The devices will be shipped directly to users from the vendor. You need to ensure that the devices automatically enroll in Microsoft Intune and receive a standard set of applications during the out-of-box experience (OOBE). Which Autopilot deployment profile should you assign?

A. User-Driven mode (Azure AD joined) with user-assigned apps.
B. Pre-provisioning (White Glove) mode with device-assigned apps.
C. Self-Deploying mode (Azure AD registered) with device-assigned apps.
D. Self-Deploying mode (Azure AD joined) with user-assigned apps.
Answer: A

User-Driven mode allows users to sign in and receive user-assigned apps during OOBE.

Why this answer

User-Driven mode with Azure AD joined and user-assigned apps is correct because the devices are shipped directly to users, who will perform the OOBE themselves. This mode requires a user to sign in with Azure AD credentials, which triggers automatic enrollment in Microsoft Intune and applies the assigned user-targeted apps during the enrollment process.

Exam trap

The trap here is confusing Self-Deploying mode with user-assigned apps, but Self-Deploying mode is designed for devices without a user context and only supports device-assigned apps, making it unsuitable for user-driven app delivery.

How to eliminate wrong answers

Option B is wrong because Pre-provisioning (White Glove) mode requires an IT technician to perform the initial setup before shipping, which contradicts the scenario where devices ship directly to users. Option C is wrong because Self-Deploying mode with Azure AD registered does not support full Intune enrollment with user-assigned apps; it is designed for kiosk or shared devices and uses device-assigned apps only. Option D is wrong because Self-Deploying mode with Azure AD joined cannot use user-assigned apps; it is intended for devices without a user context, so apps must be device-assigned.

67 · Multi-Select · hard

Your organization uses Microsoft Intune to manage Windows 10 devices. You need to deploy a set of Line-of-Business (LOB) apps using the Microsoft Intune Management Extension. Which THREE conditions must be met?

Select 3 answers
A. The app must be deployed in user context
B. The Microsoft Intune Management Extension must be installed on the device
C. The device must have connectivity to Microsoft Intune
D. The devices must be co-managed with Microsoft Configuration Manager
E. The device must be Azure AD joined or hybrid Azure AD joined
Answers: B, C, E

The extension is required for Win32 app deployment.

Why this answer

Options B, C, and E are correct. B: The Intune Management Extension is required to deploy PowerShell scripts and Win32 apps. C: The device must have connectivity to Intune.

E: The device must be Azure AD joined or hybrid Azure AD joined. Option D is wrong because LOB apps can be deployed to Intune-managed devices without Configuration Manager. Option A is wrong because the management extension runs as SYSTEM, not user context.

68 · Multi-Select · easy

Which TWO are benefits of using Windows Autopilot for device provisioning? (Select two.)

Select 2 answers
A. Works offline without internet connectivity.
B. Enables deployment of custom operating system images.
C. Allows IT to provision devices remotely without physical access.
D. Reduces the need for manual imaging and configuration.
E. Eliminates the need for any user interaction during setup.
Answers: C, D

Users can self-deploy from anywhere.

Why this answer

Windows Autopilot leverages cloud-based services to provision new devices, eliminating the need for IT staff to be physically present. Option C is correct because Autopilot allows IT to deploy a device by simply providing the user with the hardware; the device automatically joins Azure AD, enrolls in Intune, and applies policies over the internet. This remote provisioning capability is a core benefit, as it enables zero-touch deployment for remote workers or distributed offices.

Exam trap

The trap here is that candidates often assume Autopilot eliminates all user interaction (Option E) because of the term 'zero-touch,' but in user-driven mode the user must still sign in, while self-deploying mode (for kiosks or shared devices) can be truly zero-touch—the question does not specify the mode, so Option E is too absolute and incorrect.

69
MCQ · hard

You run the above PowerShell script to change the Windows Autopilot group tag for devices currently tagged as 'Sales' to 'Marketing'. You have assigned different deployment profiles to the 'Sales' and 'Marketing' group tags. After running the script, you check the Autopilot devices in Intune and see that the group tag for the devices has changed. However, the devices still apply the 'Sales' deployment profile during OOBE. What is the most likely reason?

A. The deployment profile is assigned to the device by device ID, not group tag.
B. The deployment profile assignment is based on the group tag at the time of enrollment; existing devices retain the original profile.
C. The script needs to include a step to remove the device from Autopilot and re-import it.
D. The script did not sync the device details to Intune after changing the group tag.
Answer: B

Autopilot profiles are assigned at enrollment, and changing the tag does not reassign profiles for already-enrolled devices.

Why this answer

The group tag is evaluated at the time of enrollment to determine which deployment profile to assign. Changing the group tag on an already-enrolled device does not retroactively change the profile assignment; the device retains the profile that was applied during its original OOBE. This is by design in Windows Autopilot, as the profile is bound to the device record at enrollment.

Exam trap

The trap here is that candidates assume updating the group tag in Intune will immediately change the deployment profile for already-enrolled devices, but Microsoft's Autopilot design evaluates the tag only at enrollment time, not retroactively.

How to eliminate wrong answers

Option A is wrong because deployment profiles are assigned based on group tags or device serial numbers, not device IDs, and the scenario confirms the tag changed but the profile didn't, ruling out a device ID assignment. Option C is wrong because removing and re-importing the device is unnecessary; the group tag change is sufficient for new enrollments, but existing devices are not affected. Option D is wrong because the script likely synced the change (the tag updated in Intune), but syncing does not retroactively reassign the deployment profile to an already-enrolled device.

70
MCQ · hard

Your organization is deploying Windows Autopilot self-deploying mode for kiosk devices. The devices will be used in a public area and must not require user interaction during the initial setup. What is the prerequisite for this deployment?

A. A user must be assigned to the device in Microsoft Entra ID.
B. The device must have a TPM 2.0 chip.
C. An enrollment profile must be assigned to the user.
D. The device must be added to Microsoft Entra ID manually.
Answer: B

TPM 2.0 is required for hardware attestation in self-deploying mode.

Why this answer

Option A is correct because self-deploying mode requires the device to be a physical device with a TPM 2.0 chip for attestation. Option B is wrong because self-deploying mode does not require a user to sign in. Option C is wrong because self-deploying mode uses a device-based enrollment token, not a user-based one. Option D is wrong because the device must be pre-registered in Intune as an Autopilot device.

71
MCQ · hard

You are planning a Windows 11 deployment for 1000 devices using Configuration Manager co-management with Intune. You need to ensure that devices automatically enroll to Intune after the Configuration Manager client is installed. Which workload must you configure in Configuration Manager?

A. Endpoint Protection
B. Windows Update policies
C. Resource access
D. Client apps
Answer: D

Setting 'Client apps' to Intune triggers automatic enrollment.

Why this answer

Option B is correct because the 'Client apps' workload enables automatic enrollment to Intune. Option A is wrong because 'Windows Update policies' is for update management. Option C is wrong because 'Endpoint Protection' is separate. Option D is wrong because 'Resource access' is not the correct workload.

72
MCQ · hard

You are configuring Conditional Access for device compliance. You have an Intune compliance policy that requires a minimum OS version. You create a Conditional Access policy that grants access only when devices are marked as compliant. However, some users can still access corporate email from non-compliant devices. What is the most likely reason?

A. The Conditional Access policy is set to 'Block' instead of 'Grant'.
B. The Conditional Access policy applies only to users in a specific group.
C. The compliance policy is not assigned to the users' devices.
D. The Conditional Access policy does not include the email application as a target.
Answer: D

Conditional Access must target specific cloud apps.

Why this answer

Option C is correct because Conditional Access policies require a cloud app to be targeted. Option A is incorrect because the policy would block access if applied. Option B is incorrect because compliance policy is separate from Conditional Access. Option D is incorrect because the policy would apply to all users if included.

73
MCQ · hard

Your organization uses Microsoft Intune to manage iOS/iPadOS devices. You need to ensure that when a device is lost or stolen, the IT admin can remotely lock the device and display a custom message on the lock screen. What should you configure?

A. Enable lost mode on the device via Apple Business Manager.
B. Configure a device compliance policy to wipe the device on non-compliance.
C. Initiate a remote assistance session to lock the device.
D. Use the remote lock action in Intune and provide a custom message.
Answer: D

Remote lock allows locking and displaying a message.

Why this answer

The remote lock action in Microsoft Intune allows IT admins to lock a lost or stolen iOS/iPadOS device and display a custom message on the lock screen. This action uses the Apple MDM protocol to send a lock command with an optional message, ensuring the device is secured and a contact number or instructions are visible. Option D directly fulfills the requirement without relying on third-party services or compliance policies.

Exam trap

The trap here is that candidates confuse Apple Business Manager's enrollment capabilities with Intune's remote management actions, or they assume a compliance policy can be used for immediate lock scenarios, when in fact only the remote lock action supports a custom lock screen message.

How to eliminate wrong answers

Option A is wrong because Apple Business Manager is used for device enrollment and app distribution, not for remote lock actions; lost mode is a feature of Apple's Find My app, not Intune. Option B is wrong because a device compliance policy can trigger a wipe on non-compliance, but it does not provide a custom lock screen message and is not designed for immediate remote lock scenarios. Option C is wrong because remote assistance sessions require user interaction and cannot lock a device or display a custom message without user consent.

74
MCQ · medium

Refer to the exhibit. You run the PowerShell cmdlet shown and get the output. You need to investigate why Laptop-02 is non-compliant. Which additional cmdlet should you run to get the non-compliance reasons?

A. Get-MgDeviceManagementManagedDeviceCompliancePolicyState -ManagedDeviceId 87654321-4321-4321-4321-123456789abc
B. Get-MgDeviceManagementDeviceCompliancePolicySettingStateSummary -DeviceCompliancePolicyId <id>
C. Get-MgDeviceManagementManagedDeviceConfigurationState -ManagedDeviceId 87654321-4321-4321-4321-123456789abc
D. Get-MgDeviceManagementDeviceConfigurationState -ManagedDeviceId 87654321-4321-4321-4321-123456789abc
Answer: A

This retrieves compliance policy state and reasons.

Why this answer

Option B is correct because Get-MgDeviceManagementManagedDeviceCompliancePolicyState retrieves the compliance policy state and reasons for each device. Option A is wrong because Get-MgDeviceManagementDeviceConfigurationState gets device configuration states, not compliance reasons. Option C is wrong because Get-MgDeviceManagementManagedDeviceConfigurationState gets configuration state. Option D is wrong because Get-MgDeviceManagementDeviceCompliancePolicySettingStateSummary summarizes settings, not per-device reasons.
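Pulling the per-setting reasons behind a non-compliant device with the cmdlet named in the correct answer, as an added example that is not part of the question bank. It assumes the Microsoft Graph PowerShell SDK is installed, the function name Get-NonComplianceReason is hypothetical, and the device ID is the sample one from the question (Laptop-02).

```powershell
# Added example, not code from the question bank. Assumes the Microsoft.Graph
# SDK is installed and the signed-in account holds
# DeviceManagementManagedDevices.Read.All.
Import-Module Microsoft.Graph.DeviceManagement
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All'

# Hypothetical helper: returns one row per setting that is not compliant,
# across every compliance policy evaluated on the managed device.
function Get-NonComplianceReason {
    param([Parameter(Mandatory)][string]$ManagedDeviceId)

    # One deviceCompliancePolicyState object per policy applied to the device
    $policyStates = Get-MgDeviceManagementManagedDeviceCompliancePolicyState `
        -ManagedDeviceId $ManagedDeviceId

    foreach ($policy in $policyStates) {
        # SettingStates lists each setting the policy checks and its own state
        # (compliant, nonCompliant, error, conflict, notApplicable, ...)
        foreach ($setting in $policy.SettingStates) {
            if ($setting.State -in @('nonCompliant', 'error', 'conflict')) {
                [pscustomobject]@{
                    Policy      = $policy.DisplayName
                    PolicyState = $policy.State
                    Setting     = $setting.SettingName
                    State       = $setting.State
                    Error       = $setting.ErrorDescription
                }
            }
        }
    }
}

# Sample device ID taken from the question (Laptop-02)
Get-NonComplianceReason -ManagedDeviceId '87654321-4321-4321-4321-123456789abc' |
    Format-Table -AutoSize
```

A device that only shows up with no rows is compliant or notApplicable for every setting, so an empty result is the normal outcome for a compliant device.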

75
MCQ · medium

Your organization uses Microsoft Intune to manage Windows 10 devices. You need to ensure that devices automatically receive the latest feature updates from the Windows 11 servicing channel. You configure a Windows 10 feature update policy targeting the devices. However, after 24 hours, devices still show Windows 10 version 22H2. What is the most likely cause?

A. Windows Update for Business is disabled in group policy.
B. The policy is a Windows 10 feature update policy, but devices need a Windows 11 feature update policy to upgrade to Windows 11.
C. The policy is not assigned to a device group containing the devices.
D. Devices have not been restarted after policy assignment.
Answer: B

Windows 10 feature update policies only apply to Windows 10 devices for feature updates within Windows 10. To upgrade to Windows 11, a Windows 11 feature update policy must be used.

Why this answer

A Windows 10 feature update policy is designed to move devices between Windows 10 feature versions (e.g., 22H2 to 23H2). To upgrade devices from Windows 10 to Windows 11, you must use a Windows 11 feature update policy, which specifically targets the Windows 11 servicing channel. Since the policy targets Windows 10 feature updates, it will not trigger the OS upgrade to Windows 11, leaving devices on Windows 10 22H2.

Exam trap

The trap here is that candidates assume a 'feature update policy' generically applies to any OS upgrade, but Microsoft Intune strictly separates Windows 10 and Windows 11 feature update policies, and using the wrong one will not trigger the OS version upgrade.

How to eliminate wrong answers

Option A is wrong because disabling Windows Update for Business via group policy would block all Windows Updates, not just feature updates, and the question states the policy is configured in Intune, which overrides local GP if properly set. Option C is wrong because the policy is described as targeting the devices, and if it were not assigned to a device group, the devices would not receive the policy at all, but the issue is that the policy type is incorrect for the desired upgrade. Option D is wrong because restarting devices does not change the policy type; a Windows 10 feature update policy will never upgrade to Windows 11 regardless of reboots.
