CCNA Prepare Device Infrastructure Questions

75 of 254 questions · Page 2/4 · Prepare Device Infrastructure topic · Answers revealed

76
Multi-Select · hard

Which THREE components are required for a successful Windows Autopilot self-deploying mode deployment?

Select 3 answers
A. A local administrator account created on the device.
B. Windows Autopilot device registration using the hardware hash.
C. A Microsoft 365 E3 license assigned to the user.
D. Microsoft Entra ID Premium P1 or P2 license.
E. A Windows Autopilot deployment profile assigned to the device.
Answers: B, D, E

The device must be registered in Autopilot to be recognized.

Why this answer

B is correct because Windows Autopilot self-deploying mode requires the device to be registered with Microsoft using its hardware hash. This registration links the device to an Azure AD tenant and enables the deployment profile to be downloaded automatically during the out-of-box experience, without user interaction.

Exam trap

The trap here is that candidates often assume a user license or local admin account is required, but self-deploying mode is specifically designed for userless scenarios and relies solely on device registration and a Microsoft Entra ID Premium license.

77
MCQ · medium

Refer to the exhibit. You have configured a Windows Update for Business policy in Intune. Based on the JSON, what is the effect on devices?

A. Devices will not receive any updates from June 1 to July 15
B. Devices will receive all updates normally until July 15
C. Quality updates are paused from June 1 to June 30, and feature updates are paused from July 1 to July 15
D. The policy is invalid because pause dates cannot overlap
Answer: C

The pause start and expiry dates define the pause periods.

Why this answer

Option C is correct because quality updates are paused from June 1 to June 30 and feature updates are paused from July 1 to July 15; devices will not receive quality updates between June 1 and June 30. Option A is wrong because feature updates are paused later, not from June 1.

Option B is wrong because both update types are paused during their respective windows. Option D is wrong because the JSON specifies distinct pause dates for each update type.

78
Multi-Select · hard

You are designing a device management strategy for a remote workforce using Windows 10 laptops that are Azure AD joined. You need to ensure that devices can be remotely wiped if lost or stolen, and that BitLocker recovery keys are escrowed to Azure AD. Which THREE configurations should you implement?

Select 3 answers
A. Join devices to on-premises Active Directory.
B. Configure a BitLocker policy in Intune that enables key escrow to Azure AD.
C. Configure a Group Policy to escrow BitLocker keys to Active Directory.
D. Enroll devices in Microsoft Intune.
E. Ensure devices are Azure AD joined.
Answers: B, D, E

Key escrow stores recovery keys in Azure AD.

Why this answer

Options B, D, and E are correct. Enrolling devices in Intune (D) enables remote wipe. A BitLocker policy with key escrow (B) stores recovery keys in Azure AD, and Azure AD join (E) is required for that escrow.

Option A is not required because key escrow works without on-premises AD. Option C applies to on-premises AD joined devices, not Azure AD joined devices.

79
Multi-Select · easy

You are configuring Microsoft Intune for a new organization. You need to ensure that users can only enroll corporate-owned devices and are blocked from enrolling personal devices. Which TWO settings should you configure?

Select 2 answers
A. Create a conditional access policy that blocks devices not marked as corporate.
B. Configure enrollment restrictions to set 'Allow personally owned devices' to 'No'.
C. Create a conditional access policy that requires compliant devices.
D. Create a device compliance policy that marks personal devices as non-compliant.
E. Configure enrollment device platform restrictions to block personally owned devices.
Answers: B, E

This directly blocks personal device enrollment.

Why this answer

Options B and E are correct. Enrollment restrictions include both device platform settings and the personal/corporate ownership setting, and device type restrictions let you block personally owned devices at enrollment time.

Options A and C are conditional access policies, not enrollment restriction settings. Option D is a compliance setting; it evaluates devices after enrollment rather than blocking enrollment.

80
Multi-Select · medium

Which TWO actions are required to prepare Windows devices for subscription activation? (Select TWO.)

Select 2 answers
A. Ensure the device has a Windows 10/11 Pro or Education license
B. Enter a MAK key
C. Configure a KMS host key
D. Join the device to Microsoft Entra ID or hybrid Microsoft Entra ID
E. Install the Azure AD Connect tool
Answers: A, D

Subscription Activation works only on Pro and Education editions.

Why this answer

Option A is correct because subscription activation requires a qualifying base license of Windows 10/11 Pro or Education. These editions support the subscription activation feature, which upgrades the device to Windows 10/11 Enterprise without requiring a separate product key. Without this base license, the device cannot be upgraded via subscription activation.

Exam trap

The trap here is that candidates often confuse subscription activation with traditional volume activation methods (KMS or MAK) and select options B or C, or mistakenly think Azure AD Connect is required for device join, when in fact only Microsoft Entra ID or hybrid join is needed.

81
MCQ · hard

Refer to the exhibit. A PowerShell command is used to create a device category in Microsoft Intune. After running the command, you want to automatically assign devices to this category based on their Azure AD group membership. How should you configure this?

A. Create a dynamic device group in Azure AD that includes devices based on rules, then use that group to assign category via Intune.
B. Use a device configuration profile to set the device category.
C. Map an Azure AD group to the Intune device category in the Intune console.
D. Create a PowerShell script that runs daily to assign devices to the category based on group membership.
Answer: A

Dynamic groups can automate device categorization.

Why this answer

Option A is correct because dynamic device groups in Azure AD use membership rules to collect devices by attribute, and that group can then be used to assign the category in Intune. Option B is incorrect because configuration profiles do not assign device categories. Option C is incorrect because there is no direct mapping between Azure AD groups and Intune device categories in the console.

Option D is incorrect because a scheduled script is a custom workaround rather than the built-in automation.

82
Multi-Select · easy

You are deploying Microsoft 365 Apps for enterprise using Microsoft Intune. Which TWO methods can you use to assign the application to users?

Select 2 answers
A. Assign to individual users directly.
B. Assign to a distribution group.
C. Assign to a dynamic group using device attributes.
D. Assign to a device group.
E. Assign to a Microsoft Entra ID user group.
Answers: D, E

Device groups allow targeting based on device membership.

Why this answer

Option D is correct because Microsoft Intune supports assigning Microsoft 365 Apps for enterprise directly to device groups, which ensures the application is installed on the specified devices regardless of which user signs in. This method is useful for shared or kiosk devices where user-based assignment would not apply. Option E is correct because assigning to a Microsoft Entra ID user group is the standard method for user-based deployment, allowing the apps to be provisioned based on user identity.

Exam trap

The trap here is that candidates often confuse distribution groups with security groups, assuming any group type can be used for Intune assignments, but only security groups (including Microsoft Entra ID groups) are supported for application targeting.

83
Multi-Select · easy

Which TWO are valid methods to enroll iOS/iPadOS devices into Microsoft Intune?

Select 2 answers
A. Apple Configurator 2
B. Automated Device Enrollment (ADE)
C. Company Portal enrollment
D. Windows Autopilot
E. Android Zero Touch enrollment
Answers: B, C

Apple's DEP-based enrollment.

Why this answer

Options B and C are correct. Automated Device Enrollment (ADE) is the modern method for corporate-owned devices, and Company Portal enrollment is the user-driven method. Option D is wrong because Windows Autopilot is for Windows devices.

Option E is wrong because Android Zero Touch is for Android devices. Option A is wrong because Apple Configurator 2 is used to set up supervised devices but is not a primary enrollment method.

84
Multi-Select · easy

Your organization plans to use Windows Autopilot to provision new devices. Which TWO methods can you use to obtain the hardware hash for a new device?

Select 2 answers
A. Request the hardware hash from the device manufacturer (OEM)
B. Extract the hardware hash from the device BIOS
C. Run a PowerShell script on a device that is already running Windows 10 or later
D. Use Microsoft Intune to generate the hardware hash from the device serial number
E. Use Windows Configuration Designer to create a provisioning package that captures the hardware hash
Answers: A, C

OEMs can provide the hardware hash.

Why this answer

Options A and C are correct. A: OEMs can provide the hardware hash during manufacturing. C: If the device is already running Windows, you can run a PowerShell script on it to collect the hardware hash.

Option B is wrong because the hardware hash is not available in the BIOS. Option D is wrong because Microsoft Intune can import hardware hashes but does not generate them. Option E is wrong because Windows Configuration Designer does not generate hardware hashes.

85
Multi-Select · hard

Which THREE are required for a successful Microsoft Intune enrollment of a Windows device?

Select 3 answers
A. A device compliance policy assigned to the device
B. MDM enrollment enabled in Microsoft Entra ID
C. Azure AD Premium P1 license
D. A valid Microsoft Intune license assigned to the user
E. Internet connectivity to Microsoft Intune service
Answers: B, D, E

Must be enabled to allow enrollment.

Why this answer

Option B is correct because Microsoft Intune requires MDM enrollment to be enabled in Microsoft Entra ID (formerly Azure AD) to allow devices to register and communicate with the Intune service. Without this setting, the device cannot complete the enrollment process, as Entra ID acts as the identity provider and enrollment authority for Intune-managed devices.

Exam trap

The trap here is that candidates often confuse post-enrollment requirements (like compliance policies or Azure AD Premium P1) with prerequisites for enrollment, leading them to select options that are only needed after the device is already enrolled.

86
MCQ · easy

You need to deploy Microsoft 365 Apps to Windows devices using Microsoft Intune. The deployment must be available to users in the company portal. Which app type should you select?

A. Windows 10/11 (Microsoft 365 Apps)
B. Microsoft 365 (Web link)
C. Microsoft Store app (new)
D. Windows app (Win32)
Answer: A

This app type is specifically for Office deployment.

Why this answer

Option A is correct because Windows 10/11 (Microsoft 365 Apps) is the app type dedicated to deploying Office. Option B is wrong because it only creates a web link, not an installation. Option C is wrong because it is for Microsoft Store apps.

Option D is wrong because it is for Win32 line-of-business apps.

87
MCQ · hard

Your organization uses Microsoft Intune to manage iOS devices. You need to ensure that corporate data is protected when users access Microsoft 365 apps. Which policy should you configure?

A. Use a Mobile App Configuration policy to enforce app settings.
B. Deploy an Intune App Protection Policy (APP) for Microsoft 365 apps.
C. Create a Device Compliance policy for iOS devices.
D. Configure a Conditional Access policy to require compliant devices.
Answer: B

APP protects corporate data in apps, such as preventing copy-paste or requiring PIN.

Why this answer

Option B is correct because App Protection Policies (APP) in Intune protect data at the app level, including in Microsoft 365 apps, without requiring device management. Option D is wrong because Conditional Access controls access, not data protection within apps. Option C is wrong because Device Compliance policies ensure devices meet requirements but do not protect data within apps.

Option A is wrong because Mobile App Configuration policies configure app settings; they do not protect data.

88
MCQ · hard

Your organization uses Microsoft Intune to manage Windows 10 devices. You create a compliance policy requiring devices to have BitLocker enabled. Some devices report as non-compliant even though BitLocker appears to be on. You discover these devices are using software-based encryption instead of hardware-based encryption. What should you do to resolve the compliance failure?

A. Modify the compliance policy to include 'BitLocker hardware encryption' as 'not configured' or set to 'allow software encryption'.
B. Configure the compliance policy to require TPM attestation.
C. Upgrade the devices to Windows 10 Enterprise edition.
D. Change the compliance policy setting from 'require' to 'allow' for BitLocker.
Answer: A

This accommodates both encryption types.

Why this answer

Option A is correct because the compliance policy can be configured to accept both hardware-based and software-based encryption. Option B is incorrect because the TPM is used regardless of the encryption type. Option D is incorrect because the policy does not need to stop requiring encryption; it already requires encryption and only needs to accept software-based encryption.

Option C is incorrect because BitLocker is available on Windows 10 Pro as well as Enterprise.

89
MCQ · hard

You manage devices with Microsoft Intune. Some Windows devices are not receiving required security updates despite being assigned to an update ring for Windows 10. You verify that the devices are active and connected to the internet. What is the most likely cause?

A. The devices have a compliance policy requiring a specific version that is not yet met.
B. The update ring has a deferral period configured that delays updates for 30 days.
C. The devices are not connected to a corporate VPN.
D. Delivery Optimization is disabled on the devices.
Answer: B

Deferral periods can significantly delay update delivery.

Why this answer

The most likely cause is that the update ring has a deferral period configured that delays updates for 30 days. In Microsoft Intune, update rings for Windows 10 allow administrators to set deferral periods for quality and feature updates. A deferral period of 30 days means that even if the device is active and connected, it will not install the update until the specified number of days after Microsoft releases it.

This explains why the devices are not receiving the updates despite being compliant and online.

Exam trap

The trap here is that candidates often assume connectivity or compliance issues are the root cause, overlooking the fact that update rings can intentionally delay updates via deferral periods, which is a core configuration in Intune for staged rollouts.

How to eliminate wrong answers

Option A is wrong because a compliance policy requiring a specific version would not prevent updates from being offered; it would instead mark the device as non-compliant if the version is not met, but updates would still be available and installable. Option C is wrong because Windows Update for Business does not require a corporate VPN to receive updates; devices can download updates directly from Microsoft's update servers over the internet. Option D is wrong because Delivery Optimization is a peer-to-peer caching mechanism that speeds up update downloads but is not required for updates to be received; disabling it would not block updates entirely.

90
Multi-Select · hard

Which THREE of the following are prerequisites for using Microsoft Intune to manage Linux devices?

Select 3 answers
A. The Microsoft Intune agent installed on the Linux device.
B. A supported Linux distribution such as Ubuntu 20.04 or later.
C. The device must be joined to an on-premises Active Directory domain.
D. Network connectivity to Microsoft Intune service endpoints.
E. An Azure Active Directory Premium P2 license for each user.
Answers: A, B, D

The agent enables management and compliance reporting.

Why this answer

Option A is correct because the Microsoft Intune agent is the core component that enables communication between the Linux device and the Intune service. Without this agent installed, the device cannot enroll, receive compliance policies, or be managed. The agent handles device registration, policy retrieval, and reporting back to Intune.

Exam trap

The trap here is that candidates often assume Linux devices must be domain-joined or require premium Azure AD licensing, but Intune manages Linux as a standalone mobile device class with only basic licensing and network connectivity prerequisites.

91
Multi-Select · medium

Your organization is planning to enroll Windows devices into Microsoft Intune using Group Policy. Which TWO prerequisites must be in place? (Choose two.)

Select 2 answers
A. An on-premises Active Directory environment.
B. A Group Policy object to enable automatic MDM enrollment.
C. A Microsoft Intune subscription must be active.
D. Azure AD Connect must be configured.
E. Devices must be Azure AD hybrid joined.
Answers: A, B

Group Policy is used to configure automatic enrollment.

Why this answer

Options A and B are correct. Group Policy enrollment requires an on-premises Active Directory environment and a GPO that enables automatic MDM enrollment. Option E is not required because hybrid join is not mandatory.

Option D is incorrect because Azure AD Connect is needed for hybrid join but not for Group Policy enrollment itself. Option C is incorrect because, although an Intune subscription is required, the question asks for the prerequisites specific to Group Policy enrollment, which is the automatic enrollment policy.

92
MCQ · hard

A Windows device shows enrollment state 'Enrolled' and compliance state 'compliant', but the policy setting 'MaxInactivityTimeDeviceLock' is not applied. The exhibit shows the device JSON from Intune. What is the most likely reason?

A. The OMA-URI setting is invalid.
B. The device is not enrolled.
C. The device's group membership is still being processed, so policies are not yet applied.
D. The device is not compliant.
Answer: C

Pending status indicates group membership processing.

Why this answer

Option C is correct because when a device shows 'Enrolled' and 'Compliant' in Intune, the issue is not enrollment or compliance but policy delivery. The 'MaxInactivityTimeDeviceLock' OMA-URI setting (./Device/Vendor/MSFT/Policy/Config/DeviceLock/MaxInactivityTimeDeviceLock) is a CSP-based policy that applies via group membership targeting. If the device was recently added to the group or the group membership is still being evaluated, Intune's policy processing cycle (which runs every 15–30 minutes by default) may not have delivered the policy yet.

The JSON exhibit likely shows the device is in a pending state for policy application despite being enrolled and compliant.

Exam trap

The trap here is that candidates see 'Enrolled' and 'Compliant' and assume the device is fully healthy, but they overlook that policy application is asynchronous and depends on group membership processing, which can lag behind enrollment and compliance evaluation.

How to eliminate wrong answers

Option A is wrong because if the OMA-URI setting were invalid, the policy would show an error or 'Not applicable' status in Intune, not a missing application while the device remains compliant. Option B is wrong because the device explicitly shows enrollment state 'Enrolled', so the device is enrolled and this contradicts the premise. Option D is wrong because the device shows compliance state 'Compliant', so non-compliance is not the reason the policy is not applied.

93
Multi-Select · medium

Which TWO prerequisites are required for Windows Autopilot self-deploying mode?

Select 2 answers
A. Device is registered in Windows Autopilot
B. A user account with Intune license
C. Windows 11/10 Pro, Enterprise, or Education edition
D. Microsoft Entra ID P1 or P2 license
E. TPM 2.0 chip on the device
Answers: A, C

Required for all Autopilot modes.

Why this answer

Options A and C are correct. Self-deploying mode requires the device to be registered in Autopilot, and it requires Windows 11/10 Pro, Enterprise, or Education. Option B is wrong because self-deploying mode does not require a user; a user needs an Intune license only if a user is involved.

Option E is wrong because, although TPM 2.0 is required for self-deploying mode, it is not listed here as a prerequisite for device registration.

94
Multi-Select · medium

You are planning the deployment of Microsoft Defender for Endpoint to macOS devices managed by Microsoft Intune. Which TWO prerequisites are required?

Select 2 answers
A. Microsoft Defender for Endpoint license assigned to the user or device
B. macOS device enrollment in Microsoft Intune
C. Microsoft Intune management extension installed on the device
D. Onboarding to Microsoft Defender for Cloud
E. A VPN connection to the corporate network
Answers: A, B

A license is required.

Why this answer

Options A and B are correct. A: Microsoft Defender for Endpoint requires a license for each device. B: The macOS device must be enrolled in Intune to receive the onboarding configuration profile.

Option E is wrong because Microsoft Defender for Endpoint does not require a VPN. Option C is wrong because the Microsoft Intune management extension is for Windows only. Option D is wrong because onboarding to Microsoft Defender for Cloud is optional.

95
MCQ · easy

You have deployed the above Endpoint Protection configuration profile to Windows 10 devices. Some users report that their devices are not encrypted. You verify that the devices have TPM 2.0 and meet hardware requirements. What is the most likely cause?

A. The policy does not configure recovery key escrow to Azure AD.
B. The policy disables encryption for the OS drive.
C. The devices do not have a TPM chip.
D. The encryption method is not supported by the devices.
Answer: A

BitLocker requires a recovery password to be escrowed; without it, encryption may not start.

Why this answer

The correct answer is A because when BitLocker encryption is enabled via an Endpoint Protection configuration profile in Microsoft Intune, the policy must include recovery key escrow to Azure AD for encryption to proceed. Without this setting, BitLocker will not encrypt the drive, even if the device meets TPM and hardware requirements. The policy in question likely has the 'Require BitLocker recovery key to be stored in Azure AD' option set to 'Not configured' or 'No', which prevents encryption from starting.

Exam trap

The trap here is that candidates assume meeting hardware requirements (TPM 2.0) is sufficient for BitLocker encryption, overlooking the mandatory recovery key escrow configuration in the Intune policy that is required to initiate encryption.

How to eliminate wrong answers

Option B is wrong because the policy does not disable encryption for the OS drive; the issue is that encryption fails to initiate due to missing recovery key escrow, not because the OS drive encryption is explicitly disabled. Option C is wrong because the question explicitly states that the devices have TPM 2.0 and meet hardware requirements, so the absence of a TPM chip is not the cause. Option D is wrong because the encryption method (e.g., XTS-AES 128-bit or 256-bit) is supported by Windows 10 devices with TPM 2.0, and the problem is not related to encryption method incompatibility.

96
Multi-Select · medium

Your organization uses Microsoft Intune to manage iOS/iPadOS devices. You need to deploy a custom SSL certificate to all devices to authenticate to a corporate Wi-Fi network. Which TWO methods can you use to deploy the certificate?

Select 2 answers
A. Create a SCEP certificate profile in Intune.
B. Create a device compliance policy that includes the certificate.
C. Create a Wi-Fi profile and embed the certificate in the profile.
D. Create a VPN profile that includes the certificate.
E. Create a PKCS certificate profile in Intune.
Answers: A, E

SCEP profiles request and install certificates from a CA.

Why this answer

Intune deploys certificates through SCEP or PKCS certificate profiles, so Options A and E are correct. Option C is wrong because a Wi-Fi profile can reference a certificate but does not deploy the certificate itself.

Option B is wrong because a compliance policy does not deploy certificates. Option D is wrong because a VPN profile can reference a certificate but does not deploy it.

97
MCQ · easy

You need to deploy Microsoft 365 Apps to 200 Windows devices using Intune. Which app type should you select in Intune?

A. Microsoft 365 Apps for Windows
B. Web link
C. Windows app (MSI)
D. Line-of-business app
Answer: A

Dedicated type for Office deployment.

Why this answer

The Microsoft 365 Apps for Windows app type in Intune is specifically designed to deploy the Microsoft 365 Apps suite (e.g., Word, Excel, Outlook) to Windows devices. It provides built-in configuration options for update channels, removal of previous Office versions, and license assignment, making it the correct choice for deploying Microsoft 365 Apps to 200 devices. Other app types lack the integrated logic to handle the suite's installation, activation, and update management.

Exam trap

The trap here is that candidates often confuse the 'Microsoft 365 Apps for Windows' app type with the 'Windows app (MSI)' or 'Line-of-business app' types, mistakenly thinking they can upload an Office installer manually, but Intune requires the dedicated app type to properly handle the Click-to-Run installation and licensing integration.

How to eliminate wrong answers

Option B is wrong because a web link app type only creates a shortcut to a URL on the device's Start menu or desktop, not an actual software installation. Option C is wrong because Windows app (MSI) is used for deploying traditional MSI-based applications, but Microsoft 365 Apps is not distributed as a single MSI file; it uses the Office Deployment Tool (ODT) and Click-to-Run technology. Option D is wrong because the line-of-business (LOB) app type is intended for sideloading app packages (e.g., .intunewin, .msi, .appx) that are not available in the public store, but it does not provide the specialized configuration options for Microsoft 365 Apps, such as channel selection or exclusion of specific apps.

98
MCQ · medium

Refer to the exhibit. You are reviewing an Intune compliance policy JSON for Windows 10. A device reports as non-compliant, and the compliance status details indicate that the setting 'Secure Boot' is not compliant. The device is a virtual machine. What is the most likely reason?

A. The device is not enrolled in Intune correctly.
B. The password policy is conflicting with Secure Boot.
C. The virtual machine does not have Secure Boot enabled in its firmware settings.
D. The device does not have BitLocker enabled, which is required for Secure Boot.
Answer: C

VMs often have Secure Boot disabled; enabling it in the VM settings resolves the issue.

Why this answer

Secure Boot is a firmware feature that ensures the system boots using only software trusted by the PC manufacturer. Virtual machines often do not have Secure Boot enabled by default, or may not support it at all, so Option C is correct.

Option A is wrong because the device is reporting compliance details, which shows it is enrolled and managed. Option D is wrong because BitLocker is a separate setting from Secure Boot. Option B is wrong because the password policy is unrelated to Secure Boot.

99
MCQ · easy

You need to ensure that all corporate devices have a standard set of security settings, including disk encryption and firewall configuration. Which Microsoft Intune feature should you use?

A. Update rings
B. Configuration profiles
C. Device enrollment profiles
D. Compliance policies
Answer: B

Configuration profiles apply settings to devices.

Why this answer

Configuration profiles in Microsoft Intune are the correct feature to deploy standard security settings such as disk encryption (e.g., BitLocker) and firewall configuration across corporate devices. These profiles define device-level policies that enforce specific configurations, including endpoint protection settings, and can be assigned to groups of devices to ensure consistent security baselines.

Exam trap

The trap here is that candidates often confuse compliance policies with configuration profiles, mistakenly thinking that compliance policies can apply settings, when in fact compliance policies only evaluate and report on settings that must already be configured by a profile or other means.

How to eliminate wrong answers

Option A (Update rings) is wrong because update rings manage the rollout and deferral of Windows updates, not the configuration of security settings like encryption or firewall rules. Option C (Device enrollment profiles) is wrong because enrollment profiles control the enrollment process and initial device setup (e.g., user affinity, enrollment restrictions), not ongoing security configurations. Option D (Compliance policies) is wrong because compliance policies define conditions that devices must meet to be considered compliant (e.g., requiring encryption), but they do not actually apply the settings; they only mark devices as non-compliant if the settings are missing, whereas configuration profiles actively enforce the settings.

100
MCQ · medium

A user reports that their Windows 11 device fails to enroll in Microsoft Intune. The device is Microsoft Entra joined and the user has a valid Intune license. What should you check first?

A. Verify that BitLocker is enabled on the device.
B. Check the Enrollment Status Page (ESP) profile configuration in Intune.
C. Ensure that the device has a local administrator password set.
D. Review the Windows Autopilot deployment profile assigned to the device.
Answer: B

ESP profiles can cause enrollment failures if they are not configured correctly or if they are blocked.

Why this answer

Option B is correct because Enrollment Status Page (ESP) profiles can block enrollment if misconfigured, and checking the Intune console is the first step to see errors. Option A is wrong because BitLocker is not related to enrollment. Option C is wrong because the local admin password is not required for enrollment.

Option D is wrong because the Autopilot profile is only relevant for Autopilot deployments, not general enrollment.

101
MCQ · hard

Refer to the exhibit. You have assigned the above Enrollment Status Page (ESP) policy to a Windows Autopilot deployment. A user reports that the provisioning process hangs on 'Installing apps' and never completes. What is the most likely cause?

A. The ESP policy is configured to track progress for Autopilot only, but the device is not using Autopilot.
B. One of the required apps failed to install.
C. The user attempted to retry the setup and it was blocked.
D. The device reset on failure is enabled, causing a reset loop.
Answer: B

The ESP waits for app installation, and if it fails without reset, it hangs.

Why this answer

The Enrollment Status Page (ESP) policy tracks the installation of required apps during Autopilot provisioning. If a required app fails to install, the ESP will hang on 'Installing apps' indefinitely because it waits for all required apps to succeed before proceeding. This is the most common cause of a stuck ESP at the app phase.

Exam trap

The trap here is that candidates often assume the ESP hangs due to a network issue or user error, but Microsoft explicitly designs the ESP to block on required app failures, making this the primary troubleshooting focus for 'Installing apps' hangs.

How to eliminate wrong answers

Option A is wrong because the ESP policy is explicitly assigned to an Autopilot deployment, and the device is using Autopilot (the user is in provisioning). Option C is wrong because the ESP does not block retry attempts; the user can retry, but if the app continues to fail, the hang persists. Option D is wrong because 'device reset on failure' is a separate setting that triggers a full reset only after a timeout or explicit failure, not a reset loop; the device would not hang indefinitely.

102
MCQ · easy

You need to configure Microsoft Intune to automatically retire a device if it has not checked in for 30 days. Where would you configure this setting?

A. Intune device cleanup rules
B. Conditional access policy
C. Device compliance policy
D. Device configuration profile
Answer: A

Cleanup rules can automatically retire inactive devices.

Why this answer

Option A is correct because device cleanup rules in Intune allow you to automatically retire devices that have not communicated for a specified period. Option C is incorrect because compliance policies handle non-compliance, not retirement based on inactivity. Option B is incorrect because conditional access controls access, not device cleanup.

Option D is incorrect because configuration profiles set settings, not cleanup rules.

103
MCQ · easy

Your organization is planning to deploy Microsoft Entra hybrid joined devices. What is a prerequisite for this configuration?

A. Azure AD Premium P1 license is required.
B. Microsoft Intune must be enabled for auto-enrollment.
C. Microsoft Defender for Endpoint must be deployed.
D. Microsoft Entra Connect must be installed and configured.
Answer: D

Entra Connect synchronizes on-premises AD to Entra ID, which is required for hybrid identity.

Why this answer

Microsoft Entra hybrid joined devices require synchronization of on-premises Active Directory identities to Microsoft Entra ID. Microsoft Entra Connect (or Microsoft Entra Connect Sync) is the tool that performs this identity synchronization, making it a mandatory prerequisite. Without it, the on-premises AD objects cannot be linked to Entra ID for hybrid join.

Exam trap

The trap here is that candidates often confuse licensing requirements (Premium P1) or optional management tools (Intune, Defender) with the core prerequisite of identity synchronization, which is the foundational step for hybrid join.

How to eliminate wrong answers

Option A is wrong because Azure AD Premium P1 is not a prerequisite for hybrid join; it is required for features like Conditional Access or self-service password reset, but hybrid join itself works with any Azure AD license, including Free. Option B is wrong because Microsoft Intune auto-enrollment is optional for managing hybrid joined devices but not a prerequisite for the join process itself. Option C is wrong because Microsoft Defender for Endpoint is a security solution that can be deployed on hybrid joined devices but is not required for the hybrid join configuration.

104
MCQ · easy

Your organization uses Microsoft Intune for device management. You need to ensure that only corporate-owned devices can enroll in Intune. Which configuration should you use?

A. Use Device Enrollment Manager (DEM) accounts to enroll devices.
B. Assign a compliance policy that requires the device to be corporate-owned.
C. Create a device category for corporate devices and instruct users to select it during enrollment.
D. Configure enrollment restrictions to block personally owned devices.
Answer: A

DEM accounts allow enrollment of corporate-owned devices without pre-designation.

Why this answer

Option A is correct because Device Enrollment Manager (DEM) accounts allow designated users to enroll corporate-owned devices without the device needing to be pre-registered as corporate. Option D is wrong because enrollment restrictions can block personal devices but do not designate corporate ownership. Option B is wrong because a compliance policy is applied after enrollment.

Option C is wrong because device categories are used for grouping, not enrollment control.

105
MCQ · hard

Refer to the exhibit. You execute this PowerShell script to wipe noncompliant Windows devices. After running, you find that some compliant devices were also wiped. What is the most likely reason?

A. The filter 'operatingSystem eq 'Windows'' does not match any devices, so the script wiped all devices.
B. The script wipes only noncompliant devices, but some compliant devices had a null compliance state.
C. The script uses the wrong Graph API endpoint, causing all devices to be wiped.
D. The script does not check the device's compliance state before wiping.
Answer: C

The cmdlet Invoke-MgDeviceManagementManagedDevice does not exist; the correct cmdlet is Invoke-MgDeviceManagementManagedDeviceAction with proper parameters. The incorrect cmdlet might have unexpected behavior or default to wiping all devices.

Why this answer

Option C is correct because the script uses the wrong Graph API endpoint. The correct endpoint for wiping a device is `/deviceManagement/managedDevices/{deviceId}/wipe`, but the script likely uses an incorrect or generic endpoint (e.g., `/devices/{deviceId}/wipe` or a non-existent path), which causes the API to misinterpret the request or apply the wipe action to all devices in the tenant, including compliant ones. This is a common misconfiguration when targeting the Microsoft Graph API for Intune device actions.

Exam trap

The trap here is that candidates assume the script logic is correct and focus on the compliance filter, but the real issue is the Graph API endpoint, which is a common misconfiguration that causes unintended mass actions.

How to eliminate wrong answers

Option A is wrong because the filter 'operatingSystem eq 'Windows'' would match Windows devices, not cause a mismatch that wipes all devices; if no devices matched, the script would simply not process any devices. Option B is wrong because a null compliance state is treated as noncompliant in Intune, so wiping devices with null compliance would be expected behavior, not an error that wipes compliant devices. Option D is wrong because the script explicitly checks compliance state with the filter 'complianceState eq 1' (noncompliant), so it does check compliance before wiping; the issue is the endpoint, not the absence of a compliance check.

106
MCQ · medium

Refer to the exhibit. You are evaluating a compliance policy for Windows 10. The policy is assigned to a group containing devices running Windows 10 version 1803 (build 17134.1). Which of the following devices will be marked as non-compliant?

A. A device with OS version 10.0.16299.0 (build 1709).
B. A device with OS version 10.0.17134.1 (build 1803).
C. A device with OS version 10.0.17134.2 (build 1803).
D. A device with OS version 10.0.15063.0 (build 1703).
Answer: C

This build is higher than the maximum allowed, so non-compliant.

Why this answer

The compliance policy targets Windows 10 version 1803 (build 17134.1). A device with OS version 10.0.17134.2 (build 1803) is non-compliant because its build number (17134.2) is higher than the policy's specified minimum version (17134.1), and compliance policies typically enforce a minimum OS version, not an exact match. Any device with a build number greater than the policy's defined version is marked non-compliant unless the policy explicitly allows higher versions.

Exam trap

The trap here is that candidates assume a device with a higher build number (e.g., 17134.2) is compliant because it is 'newer' than the minimum, but Intune compliance policies mark devices with a higher build number as non-compliant unless the policy explicitly uses a 'greater than or equal to' operator, which is not the default for 'Minimum OS version'.

How to eliminate wrong answers

Option A is wrong because OS version 10.0.16299.0 (build 1709) is lower than the policy's minimum version (1803), so it would be non-compliant, but the question asks which device will be marked non-compliant, and the correct answer is C. Option B is wrong because OS version 10.0.17134.1 (build 1803) exactly matches the policy's specified version, so it is compliant. Option D is wrong because OS version 10.0.15063.0 (build 1703) is lower than the minimum version, making it non-compliant, but again the correct answer is C.

107
MCQ · hard

You are troubleshooting an issue where users report that they cannot install required line-of-business (LOB) apps from Microsoft Intune Company Portal on their Windows 10 devices. The apps are assigned as 'Required' to a dynamic device group. You verify that the devices are enrolled and compliant. What is the most likely cause of the failure?

A. The dynamic device group is not updating membership correctly.
B. The apps are not published in the Company Portal.
C. The user is not a local administrator on the device.
D. The enrollment restrictions block installation of LOB apps.
Answer: C

LOB app installation requires local admin rights, which users typically lack on managed devices.

Why this answer

For Windows 10 devices managed by Microsoft Intune, the installation of line-of-business (LOB) apps that are assigned as 'Required' requires the user to be a local administrator on the device. This is because the Intune Management Extension (IME) runs in the context of the local system account, but the actual app installation process for LOB apps (typically .msi or .exe files) often requires elevated privileges that only a local administrator can provide. Without local admin rights, the installation fails silently or with an access denied error, even though the device is enrolled and compliant.

Exam trap

The trap here is that candidates often assume 'Required' assignments bypass user permissions or that device compliance alone guarantees installation success, overlooking the specific local administrator requirement for LOB app installations on Windows 10.

How to eliminate wrong answers

Option A is wrong because dynamic device group membership is evaluated continuously by Azure AD, and if the device meets the group's query criteria, the assignment will apply; a delay in membership update would not cause a persistent installation failure for all users. Option B is wrong because apps assigned as 'Required' are automatically pushed to devices and do not need to be published in the Company Portal for installation; the Company Portal is used for 'Available' apps, not 'Required' ones. Option D is wrong because enrollment restrictions in Intune control which devices can enroll (e.g., platform, OS version), not the installation behavior of LOB apps on already enrolled devices; they do not block app installation.

108
MCQ · hard

You have a Windows device with serial number ABC123 that is registered for Autopilot. The above PowerShell output shows the diagnostics. The device is not receiving the Autopilot profile. What is the most likely cause?

A. The device has not been successfully registered in Windows Autopilot.
B. The Autopilot profile is not assigned to the device group.
C. The device was previously manually imaged.
D. The device is not connected to the internet during OOBE.
Answer: A

RegistrationStatus should be 'Registered'.

Why this answer

Option A is correct because 'NotRegistered' indicates the device is not properly registered in Autopilot. Option B is incorrect because if the profile were not assigned, the output would show 'NotAssigned' while the device would still be registered. Option C is incorrect because the device can still be registered even if it has been imaged.

Option D is incorrect because the diagnostics report the registration status itself, which is what is failing here.

109
MCQ · hard

Your organization uses Microsoft Intune to manage devices. You have a compliance policy that requires devices to have a password of at least 6 characters. Some users report that their devices are marked as non-compliant even though they have a password set. What is the most likely cause?

A. The password length setting is set to '6' but the device requires a minimum of 8.
B. The compliance policy is assigned to device groups, but the devices are user-enrolled.
C. The compliance policy is assigned to a user group that does not include the affected users.
D. The device uses a PIN instead of a password, which is not evaluated.
Answer: C

If the policy is not assigned to the user or device group containing the users, they won't receive the policy and may be non-compliant by default.

Why this answer

Intune compliance policies for password length are platform-specific; on Android, for example, the password length setting may be interpreted differently. The most common causes of unexpected non-compliance, however, are that the compliance policy is not assigned to the correct group or that the device has not checked in.

Among the given options, the most likely cause is that the policy is assigned to a group that the device or user is not a member of, so Option C is correct. Option A is wrong because the user may be in the target group but the device might not.

Option B is wrong because the policy is correct. Option D is wrong because the password complexity setting is separate.

110
MCQ · easy

You are planning a Windows Autopilot deployment for your organization. You need to ensure that during the out-of-box experience (OOBE), the user is prompted to set up Windows Hello for Business. What should you configure in the Autopilot profile?

A. Ensure the device is Azure AD joined.
B. Create a separate Windows Hello for Business policy and assign it to the device group.
C. Configure the Enrollment Status Page to show Hello setup.
D. Set 'Enable Windows Hello for Business' in the Autopilot profile.
Answer: D

The profile includes a setting to enable Hello during OOBE.

Why this answer

Option D is correct because Autopilot profiles have settings for Windows Hello for Business. Option C is incorrect because the Enrollment Status Page does not configure Hello. Option B is incorrect because a separate policy is not required; it can be set in the profile.

Option A is incorrect because Azure AD join is a prerequisite, not a configuration for Hello.

111
MCQ · hard

A user reports that their Windows 11 device is not receiving configuration policies from Intune. The device shows as 'Enrolled' in the Intune console but last check-in was three days ago. What is the most likely cause?

A. The Intune service is experiencing an outage
B. The device is powered off or not connected to the internet
C. The device has conflicting policies from another MDM
D. The device's enrollment certificate has expired
Answer: B

Prevents MDM check-in.

Why this answer

Option B is correct because the device may be powered off or not connected to the internet, preventing check-in. Option D is wrong because certificate expiry would affect enrollment, not check-in. Option A is wrong because an Intune service outage is unlikely to affect only a single device.

Option C is wrong because a policy conflict would not prevent check-in.

112
MCQ · easy

Your organization is deploying Microsoft Intune for the first time. You need to ensure that devices can enroll in Intune. Which of the following is a prerequisite for Intune enrollment?

A. A Microsoft Intune license assigned to the user
B. A VPN connection to the corporate network
C. An on-premises Active Directory domain
D. A Configuration Manager infrastructure
Answer: A

An Intune license is required for enrollment and management.

Why this answer

A Microsoft Intune license assigned to the user is a prerequisite because Intune uses Azure Active Directory (Azure AD) for identity and access management. Without an Intune license (e.g., Microsoft 365 E3, E5, or standalone Intune license) assigned to the user, the device cannot authenticate and enroll via the Intune enrollment service, as the license is required to authorize the enrollment request and apply device management policies.

Exam trap

The trap here is that candidates often confuse on-premises prerequisites (like AD or VPN) with cloud-only requirements, mistakenly thinking corporate network connectivity or legacy infrastructure is needed for Intune enrollment, when in fact only an Azure AD identity and an Intune license are required.

How to eliminate wrong answers

Option B is wrong because a VPN connection to the corporate network is not required for Intune enrollment; Intune uses internet-based enrollment over HTTPS (port 443) to the Microsoft Intune service, and devices can enroll from anywhere without a VPN. Option C is wrong because an on-premises Active Directory domain is not a prerequisite; Intune enrollment relies on Azure AD for identity, and while hybrid Azure AD join can be used, a standalone on-premises AD domain is not required for basic Intune enrollment. Option D is wrong because a Configuration Manager infrastructure is not a prerequisite; Intune is a cloud-only MDM solution, and while co-management with Configuration Manager is possible, it is optional and not required for enrollment.

113
MCQ · easy

You run the PowerShell command shown in the exhibit for a managed device. The device shows as noncompliant. Which action should you take first to resolve the noncompliance?

A. Trigger a sync from Intune to force the device to check in.
B. Re-enroll the device.
C. Delete the device from Intune and re-register.
D. Assign a new compliance policy to the device.
Answer: A

Last sync is old; syncing may resolve.

Why this answer

The PowerShell command shown likely runs a compliance evaluation or sync action, but the device remains noncompliant because the evaluation results haven't been reported back to Intune. Triggering a sync from Intune forces the device to check in, upload its latest compliance status, and update the portal, which is the first troubleshooting step before considering re-enrollment or policy changes.

Exam trap

The trap here is that candidates assume noncompliance means a policy misconfiguration or enrollment failure, rather than recognizing that the device simply hasn't reported its latest compliance evaluation, making a sync the correct first action.

How to eliminate wrong answers

Option B is wrong because re-enrolling the device is unnecessary; the device is already enrolled and the issue is likely a stale compliance status, not a broken enrollment. Option C is wrong because deleting and re-registering the device is a drastic step that should only be taken if the device cannot sync or has a corrupted enrollment record, not as a first action for noncompliance. Option D is wrong because assigning a new compliance policy won't resolve noncompliance if the device hasn't reported its status; the existing policy is already assigned, and the device needs to sync to evaluate and report compliance.

114
MCQ · medium

You are reviewing an ARM template for Intune device configuration. The exhibit shows a snippet. What will be the effect on Windows 10 devices?

A. Automatic updates will be disabled.
B. Users can sideload trusted apps.
C. Devices will receive updates from WSUS.
D. Developer unlock is allowed.
Answer: A

EnableAutomaticUpdate is false.

Why this answer

The ARM template snippet configures the 'UpdateNotificationLevel' setting to '1' (Disable all notifications), which is part of the 'Update' policy CSP. This setting disables automatic update checks and notifications, effectively preventing Windows 10 devices from automatically downloading and installing updates. The 'AllowAutoUpdate' setting is not present or set to '0', which would explicitly disable automatic updates, but the 'UpdateNotificationLevel' of '1' achieves the same outcome by suppressing all update-related notifications and background checks.

Exam trap

The trap here is that candidates confuse 'UpdateNotificationLevel' with 'AllowAutoUpdate' or think it only affects notifications, not the actual update behavior, but setting it to '1' effectively disables automatic updates by suppressing the trigger for background scans.

How to eliminate wrong answers

Option B is wrong because sideloading trusted apps is controlled by the 'ApplicationManagement' CSP, specifically the 'AllowAllTrustedApps' setting, which is not present in the template. Option C is wrong because receiving updates from WSUS requires the 'UpdateServiceUrl' or 'UpdateServiceUrlAlternate' setting to point to a WSUS server, which is not configured in the snippet. Option D is wrong because developer unlock is governed by the 'ApplicationManagement' CSP's 'AllowDeveloperUnlock' setting, which is not included in the template.

115
MCQ · easy

You need to prepare on-premises Windows devices for a migration to Microsoft Intune. Which tool should you use to generate a configuration package that can be deployed via Group Policy or manual installation?

A. Windows Autopilot
B. Configuration Manager
C. Microsoft Intune Management Extension
D. Microsoft Intune Troubleshooting Tool
Answer: C

It enables enrollment and policy application on existing devices.

Why this answer

The Microsoft Intune Management Extension (IME) is the correct tool because it generates a configuration package (a .intunewin file) that can be deployed via Group Policy or manual installation to on-premises Windows devices. This package contains the IME agent and a PowerShell script that, when executed, enrolls the device into Intune and applies MDM policies, enabling a seamless migration without requiring direct network connectivity to Intune during the initial deployment.

Exam trap

The trap here is that candidates often confuse the Intune Management Extension with the Intune client software or assume that Windows Autopilot is the only way to enroll devices, but the IME is specifically designed to create a deployable package for on-premises devices that lack direct cloud connectivity.

How to eliminate wrong answers

Option A is wrong because Windows Autopilot is a cloud-first provisioning tool that requires devices to be Azure AD-joined and connected to the internet; it cannot generate a configuration package for offline deployment via Group Policy. Option B is wrong because Configuration Manager is a separate on-premises management tool that can co-manage devices with Intune but does not generate a standalone configuration package for Intune enrollment; it relies on the ConfigMgr client and cloud attach features. Option D is wrong because the Microsoft Intune Troubleshooting Tool is a diagnostic utility for analyzing enrollment and compliance issues, not a tool for generating deployment packages.

116
Multi-Select · hard

You need to configure Microsoft Intune remote help for Windows devices. Which THREE conditions must be met?

Select 3 answers
A. Users must have an Intune license assigned.
B. Devices must be connected via VPN.
C. Devices must run Windows 10/11.
D. Tenant must have Azure AD Premium P2.
E. Devices must be Intune enrolled.
Answers: A, C, E

License required for remote help.

Why this answer

Option A is correct because Microsoft Intune remote help requires each user who initiates or receives a remote help session to have an Intune license assigned. This license grants the user access to the Intune service and the remote help feature, which is a premium capability within the Microsoft Endpoint Manager admin center. Without an assigned Intune license, the user cannot authenticate or authorize remote help sessions.

Exam trap

The trap here is that candidates often assume a VPN or premium Azure AD license is necessary for remote help, but Microsoft designed the feature to work over standard internet connectivity with only Intune licensing and device enrollment.

117
MCQ · easy

You need to ensure that Windows 11 devices automatically install critical updates as soon as they are released by Microsoft. Which update ring setting should you configure?

A. Set 'Update deferral period (days)' to 0 and 'Update deadline' to 0.
B. Set 'Update deferral period (days)' to 0 and 'Feature update deferral' to 7.
C. Set 'Update deferral period (days)' to 7.
D. Set 'Update deferral period (days)' to 30.
Answer: A

No deferral, immediate deadline.

Why this answer

Option A is correct because setting both 'Update deferral period (days)' to 0 and 'Update deadline' to 0 in a Windows 11 update ring ensures that critical updates are installed immediately upon release. The deferral period of 0 removes any delay before the update is offered, and the deadline of 0 forces the update to be installed without any grace period, achieving automatic and immediate installation of critical updates.

Exam trap

The trap here is that candidates often confuse 'Update deferral period' with 'Feature update deferral' or think that setting a deferral to 0 is unnecessary, but the question specifically requires immediate installation, which mandates both deferral and deadline to be 0.

How to eliminate wrong answers

Option B is wrong because setting 'Feature update deferral' to 7 introduces a 7-day delay for feature updates, which does not affect critical updates but indicates a misunderstanding that feature update deferral applies to critical updates. Option C is wrong because setting 'Update deferral period (days)' to 7 introduces a 7-day delay before critical updates are offered, preventing immediate installation. Option D is wrong because setting 'Update deferral period (days)' to 30 introduces a 30-day delay, which is the opposite of the required immediate installation.

118
MCQ · easy

You need to deploy Microsoft 365 Apps to Windows devices using Intune. Users should be able to install from Company Portal. What app type should you choose in Intune?

A. Windows app (Win32)
B. Microsoft 365 Apps
C. Web link
D. Microsoft Store app
Answer: B

Dedicated app type for Office.

Why this answer

Option B is correct because Microsoft 365 Apps for Windows is a built-in app type in Intune. Option A is wrong because Windows app (Win32) is for custom applications. Option D is wrong because Microsoft Store app is for store-based apps.

Option C is wrong because a web link only points to an external source.

119
MCQ · medium

You are planning the device enrollment strategy for a school that provides shared iPads to students. The iPads are used by multiple students throughout the day, and each student must have access to their own apps and data. Which enrollment method should you recommend?

A. Shared iPad enrollment using Apple Business Manager and Intune.
B. Automated Device Enrollment with user affinity.
C. User Enrollment
D. Device Enrollment (DEP) without user affinity.
Answer: A

Shared iPad supports multiple users with separate data.

Why this answer

Option A is correct because Shared iPad mode allows multiple users to sign in with Managed Apple IDs while their data is kept separate. Option C is incorrect because User Enrollment is for personally owned devices. Option B is incorrect because Automated Device Enrollment with user affinity is for single-user corporate devices.

Option D is incorrect because it is not a standard enrollment type.

120
Multi-Select · easy

Your organization uses Microsoft Intune to manage Android Enterprise devices. You need to configure a policy that restricts the device from taking screenshots. Which THREE settings can you use?

Select 3 answers
A. Disable screen capture.
B. Disable copy and paste.
C. Disable camera.
D. Disable Bluetooth.
E. Disable Wi-Fi.
Answers: A, B, C

Directly prevents screenshots.

Why this answer

In Intune, screenshots on Android Enterprise devices are restricted through a device restrictions profile. The setting that directly prevents screenshots is 'Disable screen capture', found under General. 'Disable camera' and 'Disable copy and paste', also under General, do not block screenshots by themselves, but they are used together with 'Disable screen capture' to restrict data leakage from the device. These three settings are the ones available for this policy.

So the correct options are A, B and C. Option D is wrong because 'Disable Bluetooth' does not restrict screenshots. Option E is wrong because 'Disable Wi-Fi' does not restrict screenshots.

121
MCQ · medium

Refer to the exhibit. You have configured the above Windows Autopilot profile. A device with this profile is being set up. However, the device does not appear to be provisioning correctly. What is the most likely issue?

A. The device name template is invalid.
B. The device does not have a TPM 2.0 chip.
C. The profile requires a user to sign in during deployment.
D. The language settings are not configured.
Answer: B

TPM 2.0 is required for self-deploying mode attestation.

Why this answer

Windows Autopilot self-deploying mode requires a TPM 2.0 chip to perform hardware-based attestation and automatically enroll the device without user interaction. If the device lacks TPM 2.0, the provisioning process will fail because the required cryptographic keys for attestation cannot be generated, preventing the device from completing the self-deploying profile.

Exam trap

The trap here is that candidates assume any Autopilot mode can work without TPM 2.0, but Microsoft explicitly requires TPM 2.0 for self-deploying and pre-provisioning modes, while user-driven mode can proceed with software-based attestation if TPM is unavailable.

How to eliminate wrong answers

Option A is wrong because the device name template is validated during profile creation and would cause a profile creation error, not a provisioning failure after assignment. Option C is wrong because the exhibit shows a self-deploying mode profile, which explicitly does not require user sign-in; requiring user sign-in would contradict the mode's purpose. Option D is wrong because language settings are optional in Autopilot profiles and their absence does not prevent provisioning; the device will use default language settings.

122
Multi-Select · medium

You are planning to deploy Microsoft Intune for device management. Which TWO of the following are prerequisites for enrolling Windows 10 devices in Intune?

Select 2 answers
A. Microsoft Entra ID (Azure AD) Premium P1 or P2.
B. Microsoft Intune license assigned to the user.
C. A Microsoft account (MSA) for each user.
D. Microsoft 365 E3 subscription.
E. Azure Information Protection license.
Answers: A, B

Microsoft Entra ID is required for device identity and authentication.

Why this answer

Microsoft Entra ID (Azure AD) Premium P1 or P2 is a prerequisite because Intune relies on Azure AD for identity and conditional access policies. Without a Premium license, you cannot configure device compliance policies, deploy Windows Hello for Business, or use advanced features like Autopilot. This requirement ensures the tenant has the necessary identity management capabilities to support Intune enrollment and management.

Exam trap

The trap here is that candidates often confuse the need for an Azure AD Premium license with the base Azure AD free tier, assuming free Azure AD is sufficient for Intune enrollment, but Microsoft requires Premium for full device management features like conditional access and compliance policies.

123
Multi-Select · medium

Which TWO actions should you take to prepare infrastructure for devices running macOS in your organization? (Select two.)

Select 2 answers
A. Deploy the Company Portal app to macOS devices.
B. Enroll macOS devices in Microsoft Intune.
C. Configure Windows Autopilot for macOS devices.
D. Join macOS devices to Microsoft Entra ID.
E. Use Group Policy to manage macOS settings.
Answers: A, B

Company Portal provides self-service app installation.

Why this answer

Option A is correct because the Company Portal app is the primary interface for users to enroll macOS devices in Microsoft Intune, access corporate resources, and manage compliance. Deploying it ensures users can initiate enrollment and receive policies. Option B is correct because enrolling macOS devices in Intune is the foundational step to apply management policies, deploy apps, and enforce compliance settings via MDM.

Exam trap

The trap here is that candidates may confuse Windows-centric technologies like Autopilot and Group Policy as being cross-platform, when in fact macOS management relies on Apple-specific protocols and tools such as MDM, APNs, and Apple Business Manager.

124
MCQ · medium

Your organization plans to deploy Windows 365 Cloud PCs. You need to ensure that users can connect only from compliant devices. Which configuration should you implement?

A.Create an app protection policy for Windows 365 app.
B.Configure the Cloud PC provisioning policy to allow only compliant devices.
C.Assign a device compliance policy to all users.
D.Create a Conditional Access policy requiring device to be marked as compliant.
AnswerD

Conditional Access enforces compliance requirement.

Why this answer

Option D is correct because a Conditional Access policy that requires the device to be marked as compliant is the only configuration that enforces compliance at the authentication and access level. This policy evaluates the device's compliance status (reported by Microsoft Intune) before granting access to Windows 365 Cloud PCs, ensuring that only devices meeting your organization's compliance requirements can connect.

Exam trap

The trap here is that candidates often confuse provisioning policies (which configure Cloud PCs) with access control policies (Conditional Access), leading them to select Option B, but provisioning policies do not enforce compliance-based access restrictions.

How to eliminate wrong answers

Option A is wrong because app protection policies (MAM) manage data protection within apps and do not evaluate device compliance; they are designed for unmanaged devices and cannot block access based on device compliance status. Option B is wrong because a Cloud PC provisioning policy defines the configuration and assignment of Cloud PCs (e.g., image, network, user assignments) but does not enforce access controls or compliance checks at the time of connection. Option C is wrong because assigning a device compliance policy to all users defines the compliance requirements (e.g., encryption, OS version) but does not enforce access restrictions; it only marks the device as compliant or non-compliant—a separate Conditional Access policy is needed to block non-compliant devices.

125
MCQ · hard

Your organization uses Microsoft Intune to manage Windows 10 devices. You need to deploy a custom Windows 10 feature update using the Windows 10 Update Rings feature. However, the deployment fails and devices show error 0x800f0905. What is the most likely cause?

A.The device does not have enough free disk space.
B.The device is not set to the correct language for the update.
C.The feature update package is missing prerequisite updates.
D.The update ring is configured with a maintenance window that is too short.
AnswerC

The error indicates a missing component.

Why this answer

Option C is correct because error 0x800f0905 indicates missing installation files. Option B is incorrect because the update ring does not include language settings. Option D is incorrect because a maintenance window does not cause this error.

Option A is incorrect because insufficient disk space would cause a different error.

126
MCQ · easy

You need to ensure that only corporate-owned devices can access Microsoft 365 apps. You plan to use Conditional Access in Microsoft Entra ID. What should you configure as the grant control?

A.Require Hybrid Azure AD joined device.
C.Require approved client app.
D.Require device to be marked as compliant.
AnswerD

Compliance policies can be configured for corporate devices.

Why this answer

Option D is correct because requiring devices to be marked as compliant in Intune filters for corporate-owned devices. Option A is wrong because Hybrid Azure AD join does not distinguish corporate from personal devices. Option B is wrong because multi-factor authentication does not check device ownership.

Option C is wrong because requiring an approved client app is not about device ownership.

127
MCQ · easy

Your organization uses Microsoft Intune to manage devices. You need to ensure that all Windows 11 devices automatically install critical and security updates from Windows Update. Which policy should you configure?

A.Configure a device configuration profile with 'Windows Update for Business' settings.
B.Deploy a feature update policy to install the latest quality updates.
C.Create an update ring for Windows 10 and later, and set the 'Automatic update behavior' to 'Auto install and reboot' and assign it to all devices.
D.Create a device compliance policy that requires devices to have the latest updates.
AnswerC

Update rings centrally manage Windows Update settings and enforce installation.

Why this answer

Intune uses 'Update rings for Windows 10 and later' to configure Windows Update settings. Within the update ring, you can set 'Automatic update behavior' to 'Auto install and reboot' or similar. Option C is correct.

Option D is wrong because compliance policies don't control update installation. Option A is wrong because device configuration profiles can configure some update settings, but the dedicated update ring policy is the intended method. Option B is wrong because feature updates are for version upgrades, not quality updates.

128
MCQ · medium

Your organization uses Microsoft Intune to manage iOS/iPadOS devices. You need to ensure that corporate data in managed apps is encrypted at rest. Which setting should you configure?

A.Device compliance policy – Require data encryption.
B.App protection policy – Data protection – Encrypt app data.
C.Enrollment restrictions – Require encrypted backup.
D.Device configuration profile – Encryption settings.
AnswerB

Encrypts app data at rest.

Why this answer

Option B is correct because App Protection Policies (APP) in Microsoft Intune include a 'Data Protection' setting called 'Encrypt app data' that enforces encryption of corporate data at rest on iOS/iPadOS devices. This setting uses hardware-backed file-level encryption (Data Protection class) to protect data in managed apps, ensuring that even if the device is lost or stolen, the data remains inaccessible without the user's passcode.

Exam trap

The trap here is that candidates often confuse device-level encryption (which is always on for iOS with a passcode) with app-level encryption, and incorrectly choose a Device Compliance Policy or Configuration Profile, not realizing that only App Protection Policies can enforce encryption specifically for corporate data within managed apps.

How to eliminate wrong answers

Option A is wrong because Device Compliance Policies can require device-level encryption (e.g., FileVault on macOS or BitLocker on Windows), but on iOS/iPadOS, encryption is always enabled by default when a passcode is set; compliance policies cannot granularly encrypt data within managed apps at rest. Option C is wrong because Enrollment Restrictions control which devices can enroll and whether backups are encrypted, but they do not encrypt corporate data within apps on the device itself. Option D is wrong because Device Configuration Profiles can enforce passcode policies or VPN settings, but they do not include a specific setting to encrypt app data at rest; that capability is exclusive to App Protection Policies.

129
MCQ · medium

Your organization plans to deploy Windows 11 to 500 devices using Microsoft Intune. You need to ensure that each device receives the correct language pack and regional settings based on the user's location. Which configuration method should you use?

A.Configure Windows Autopilot with enrollment profile specifying language and region
B.Deploy a PowerShell script via Intune to set language after enrollment
C.Use Configuration Manager task sequence with language packs
D.Create a provisioning package (PPKG) with language settings and apply via USB
AnswerA

Allows per-device language and region during OOBE, cloud-native.

Why this answer

Option A is correct because Autopilot with an enrollment profile allows assigning language and region settings per device during OOBE. Option D is wrong because provisioning packages (PPKG) are for bulk deployment, not dynamic per-user settings. Option C is wrong because Configuration Manager task sequences require on-premises infrastructure and are less dynamic.

Option B is wrong because PowerShell scripts run after provisioning, not during OOBE.

130
MCQ · easy

Your organization plans to use Windows Autopilot for device provisioning. You need to ensure devices are automatically registered in Microsoft Entra ID when they are powered on for the first time. Which prerequisite must be met?

A.Devices must be pre-registered in Intune via an OEM or partner
B.Devices must have a TPM 2.0 chip for self-deploying mode
C.An on-premises Active Directory domain must be available
D.Users must have Microsoft Entra ID P1 or P2 licenses assigned
AnswerD

Entra ID P1 or P2 is required for Autopilot's automatic registration and device management.

Why this answer

Option D is correct because Autopilot requires Microsoft Entra ID P1 or P2 licenses to support automatic device registration. Option A is wrong because pre-registration by an OEM or partner does not remove the need for licenses. Option C is wrong because Autopilot supports both Entra ID join and hybrid join, so an on-premises domain is not required.

Option B is wrong because a TPM 2.0 chip is only required for self-deploying mode; Intune licenses are required for management, but Autopilot also requires Entra ID P1.

131
MCQ · medium

Your organization is rolling out Windows 11 devices using Autopilot. You need to ensure that all new devices are automatically enrolled in Microsoft Intune and configured with a custom device name prefix 'CORP-'. Which configuration should you implement?

A.Configure a Windows Autopilot deployment profile with a device name template and set 'Convert all targeted devices to Autopilot' to 'Yes'.
B.Create a device configuration profile for Windows 11 with a custom OMA-URI for device name.
C.Set a device compliance policy that requires device name prefix 'CORP-'.
D.Modify the Enrollment Status Page (ESP) policy to require device naming.
AnswerA

This directly configures enrollment and naming.

Why this answer

Option A is correct because a Windows Autopilot deployment profile allows you to specify a device name template (e.g., 'CORP-%RAND:5%') that automatically applies a custom prefix to new devices during the Autopilot enrollment process. Setting 'Convert all targeted devices to Autopilot' to 'Yes' ensures that devices added to Autopilot are automatically enrolled in Microsoft Intune, meeting both requirements.

Exam trap

The trap here is that candidates often confuse device configuration profiles (OMA-URI) or compliance policies as capable of setting device names, when in fact only the Autopilot deployment profile's device name template can enforce naming during the initial enrollment process.

How to eliminate wrong answers

Option B is wrong because a device configuration profile with a custom OMA-URI cannot rename a device during Autopilot enrollment; device naming is only supported via the Autopilot deployment profile's device name template. Option C is wrong because a device compliance policy can only report or block non-compliant devices based on naming, not enforce or apply a name prefix during enrollment. Option D is wrong because the Enrollment Status Page (ESP) policy controls the blocking of device setup until required apps or policies are installed, but it has no capability to set or enforce a device name prefix.

132
MCQ · medium

Your organization is planning to deploy Windows 11 to 5000 devices using Microsoft Intune. The devices are currently a mix of Windows 10 and Windows 11 eligible hardware. You need to ensure that only devices meeting the Windows 11 hardware requirements can be upgraded. What is the most efficient way to achieve this using Intune?

A.Use Windows Autopilot to reset each device and manually verify hardware compatibility.
B.Create a Windows feature update profile targeting Windows 11 and assign it to all devices; Intune will automatically skip ineligible devices.
C.Create a dynamic device group based on TPM version and assign a Windows 10 update ring to non-compliant devices.
D.Create a compliance policy requiring TPM 2.0 and Secure Boot, then assign a Windows 11 update ring to compliant devices.
AnswerB

Intune checks hardware requirements before applying the feature update.

Why this answer

Option B is correct because a Windows feature update profile in Intune automatically checks device hardware eligibility before applying the Windows 11 upgrade. Intune queries the Windows Update for Business service, which evaluates TPM 2.0, Secure Boot, CPU generation, and RAM requirements; devices that do not meet the minimum hardware requirements are skipped without any manual intervention or additional configuration.

Exam trap

The trap here is that candidates confuse compliance policies (which only report or block access) with feature update profiles (which natively enforce hardware gating), leading them to choose Option D, which would still attempt the upgrade on non-compliant devices and cause deployment failures.

How to eliminate wrong answers

Option A is wrong because Windows Autopilot is designed for device provisioning and resetting, not for hardware compatibility verification; manually checking 5000 devices is inefficient and defeats the purpose of automated management. Option C is wrong because creating a dynamic device group based solely on TPM version is insufficient—Windows 11 requires a combination of TPM 2.0, Secure Boot, CPU, and RAM checks, and assigning a Windows 10 update ring to non-compliant devices does not prevent upgrades on ineligible hardware. Option D is wrong because a compliance policy can report non-compliance but does not block the upgrade; a Windows 11 update ring would still attempt to upgrade non-compliant devices, potentially causing failures, whereas a feature update profile inherently skips ineligible devices.

133
MCQ · medium

You are deploying Windows 11 devices using Autopilot. The devices are purchased from a hardware vendor and need to be registered in your tenant. You want to ensure that the vendor can register the devices on your behalf without granting them full user privileges. What should you configure?

A.Export the device list from the vendor and import it via CSV in Microsoft Intune.
B.Add the vendor as a global administrator in Microsoft Entra ID.
C.Provide the vendor with a bulk enrollment token and URL.
D.Create a custom device preparation profile with delegated admin privileges.
AnswerD

Custom profiles allow limited, delegated permissions for vendor registration.

Why this answer

Option D is correct because a custom device preparation profile with delegated admin privileges allows a hardware vendor to register devices in your tenant via Autopilot without granting them full user privileges. This profile grants the vendor scoped permissions to upload device hashes and associate them with your tenant, using delegated administration in Microsoft Entra ID to limit access to only the necessary actions for device enrollment.

Exam trap

The trap here is that candidates often confuse device registration (adding hardware hashes to Autopilot) with device enrollment (using a token to enroll devices), leading them to incorrectly select the bulk enrollment token option (C) instead of the delegated admin privileges option (D).

How to eliminate wrong answers

Option A is wrong because exporting a device list from the vendor and importing it via CSV in Microsoft Intune requires the vendor to have direct access to your tenant or you to manually handle the import, which does not delegate the registration process to the vendor securely. Option B is wrong because adding the vendor as a global administrator in Microsoft Entra ID grants them full administrative access to your entire tenant, which violates the principle of least privilege and is unnecessary for device registration. Option C is wrong because a bulk enrollment token and URL are used for Windows Autopilot self-deploying mode or user-driven mode enrollment, but they do not delegate the ability to register devices on your behalf; the token is for enrolling devices, not for registering them in the Autopilot service.

134
MCQ · easy

Users have iOS/iPadOS devices enrolled in Intune. You need to ensure that corporate data in managed apps is encrypted at rest. What should you configure?

A.iOS native encryption feature
B.Compliance policy for iOS/iPadOS
C.App protection policy for iOS/iPadOS
D.Device configuration profile with encryption settings
AnswerC

MAM policies can encrypt app data.

Why this answer

Option C is correct because app protection policies can enforce encryption of app data. Option B is wrong because compliance policies do not encrypt app data. Option D is wrong because device configuration profiles manage device settings, not app-level encryption.

Option A is wrong because iOS itself encrypts at the device level, but not app-specific data.

135
MCQ · hard

Your organization uses Microsoft Defender for Endpoint (now Microsoft Defender XDR) and Microsoft Intune. You need to ensure that devices that are deemed 'at risk' by Microsoft Defender for Endpoint are automatically blocked from accessing corporate resources. What should you configure?

A.An app protection policy in Intune that blocks access based on device risk.
B.A compliance policy that marks devices as noncompliant based on Defender for Endpoint risk, and a conditional access policy that blocks noncompliant devices.
C.A conditional access policy that requires device to be compliant, and a compliance policy that uses the Defender for Endpoint device risk level.
D.A device configuration policy that disables network access for at-risk devices.
AnswerB

This combination ensures that devices with high risk are blocked from accessing resources.

Why this answer

Option B is correct because blocking at-risk devices takes two pieces working together: a compliance policy that uses the 'Require the device to be at or under the Device Threat Level' setting, which consumes the Defender for Endpoint risk level and marks devices above that threshold as noncompliant, and a Conditional Access policy that blocks noncompliant devices (the 'Require device to be marked as compliant' grant control). Device Health Attestation evaluates device health, but Defender for Endpoint risk only reaches Conditional Access through this compliance-policy path. Option A is wrong because an app protection policy works at the app level, not the device level.

Option D is wrong because a device configuration policy does not enforce access control. Option C is wrong because, as worded, it does not state that noncompliant devices are blocked; a compliance policy alone does not block access, it only marks the device noncompliant.

136
Multi-Select · easy

You are planning to deploy Microsoft Defender for Endpoint on Windows 10 devices managed by Intune. Which TWO prerequisites must be met before deploying?

Select 2 answers
A.Devices must be joined to Azure AD.
B.A Microsoft Defender for Endpoint license must be assigned.
C.Devices must be enrolled in Microsoft Intune.
D.Devices must have a third-party antivirus uninstalled.
E.An Azure AD Premium license must be assigned.
AnswersB, C

License is required to use the service.

Why this answer

Options B and C are correct. Devices must be enrolled in Intune to receive the configuration, and a Defender for Endpoint license is required.

Option D is not required because Defender is built into Windows 10. Option A is not a prerequisite. Option E is not required for deployment.

137
Multi-Select · hard

Your organization uses Microsoft Intune to manage Windows 11 devices. You need to configure a policy that prevents users from installing apps from outside the Microsoft Store. Which TWO settings can you use?

Select 2 answers
A.Set 'Windows Update for Business' to defer feature updates.
B.Enable 'Windows Defender Firewall' to block inbound connections from non-store apps.
C.Use the 'AppLocker' settings in a device configuration profile to allow only Store apps.
D.Enable 'BitLocker' to encrypt the system drive.
E.Configure 'SmartScreen' settings to block untrusted apps.
AnswersC, E

AppLocker can enforce store-only app installation.

Why this answer

In Intune, you can use a device configuration profile (Settings Catalog) to configure 'AppLocker' or 'SmartScreen' settings. Specifically, 'AppLocker' can block non-Store apps, and 'SmartScreen' can block unknown apps. Option C and Option E are correct.

Option B is wrong because Windows Defender Firewall does not control app installation. Option D is wrong because BitLocker is for encryption. Option A is wrong because Windows Update for Business controls updates.

138
MCQ · easy

You are the Intune administrator for a small business with 50 Windows 10 devices that are currently managed by a legacy on-premises MDM. The company wants to move to Microsoft Intune for cloud management. All devices are already joined to Microsoft Entra ID. You need to migrate the devices to Intune management without resetting them. You have the following options: A) Use Windows Autopilot to reset the devices and re-enroll. B) Use the 'Switch to Intune' option in the device's 'Access work or school' settings. C) Use a provisioning package (PPKG) to enroll devices. D) Use Group Policy to configure MDM enrollment. Which option should you choose?

A.Use Windows Autopilot to reset the devices and re-enroll
B.Use Group Policy to configure MDM enrollment
C.Use the 'Switch to Intune' option in the device's 'Access work or school' settings
D.Use a provisioning package (PPKG) to enroll devices
AnswerC

Non-disruptive migration for Entra ID joined devices.

Why this answer

The 'Switch to Intune' option in the device's 'Access work or school' settings is the correct choice because it allows a seamless migration from a legacy on-premises MDM to Microsoft Intune without requiring a device reset. This feature, available on Windows 10 devices already joined to Microsoft Entra ID, triggers an automatic MDM enrollment switch by communicating with the Intune service, preserving all existing data and settings.

Exam trap

The trap here is that candidates often confuse the 'Switch to Intune' option with a simple enrollment method, assuming any enrollment method (like PPKG or Group Policy) can perform a non-destructive migration, when in fact only the built-in switch option is designed to handle the transition from an existing MDM without a reset.

How to eliminate wrong answers

Option A is wrong because Windows Autopilot resets the device to an out-of-box state, which would wipe all data and settings, contradicting the requirement to migrate without resetting. Option B is wrong because Group Policy can configure MDM enrollment via the MDM enrollment authority policy, but it does not provide a direct 'switch' mechanism; it would require additional configuration and may not cleanly transition from an existing MDM without manual intervention or a reset. Option D is wrong because a provisioning package (PPKG) is used for initial enrollment or re-enrollment, but applying it to an already managed device would likely cause conflicts or require a reset, and it does not support a non-destructive migration from a legacy MDM.

139
MCQ · easy

You are preparing to deploy Windows 11 to 500 devices using Microsoft Intune. The devices are currently running Windows 10 22H2. You need to ensure that the in-place upgrade from Windows 10 to Windows 11 completes successfully. Which policy type should you configure in Intune to deliver the upgrade?

A.Deploy a configuration profile with the Windows 11 installation script.
B.Create a Windows update ring profile targeting Windows 11.
C.Create a Windows feature update profile targeting Windows 11.
D.Configure a device compliance policy requiring Windows 11.
AnswerC

Windows feature update profiles are designed to deploy feature updates like Windows 11 in Intune.

Why this answer

A Windows feature update profile in Intune is specifically designed to deliver feature updates like upgrading from Windows 10 to Windows 11. It uses the Windows Update for Business (WUfB) service to orchestrate the in-place upgrade, ensuring the device meets prerequisites and the upgrade completes successfully. This is the correct policy type for managing OS version upgrades at scale.

Exam trap

The trap here is confusing a Windows update ring profile (which controls update behavior but not the target version) with a Windows feature update profile (which explicitly specifies the target OS version for an upgrade), leading candidates to incorrectly choose Option B.

How to eliminate wrong answers

Option A is wrong because Intune does not support deploying a configuration profile with an installation script for OS upgrades; configuration profiles manage settings, not OS installation or upgrade scripts. Option B is wrong because a Windows update ring profile controls the update deferral, delivery optimization, and restart behavior for quality and feature updates, but it does not specify the target OS version for an upgrade; it only manages how updates are applied, not which feature update is installed. Option D is wrong because a device compliance policy enforces security and configuration requirements (e.g., requiring Windows 11) but does not initiate or deliver the upgrade; it only reports non-compliance if the device is not running the required OS.

140
MCQ · medium

You are the endpoint administrator for a healthcare organization that uses Intune to manage 500 iOS devices used by clinicians. The devices are enrolled as corporate-owned, user-approved devices via Apple Business Manager (ABM). You need to deploy a new custom electronic health record (EHR) app that is not in the App Store. The app is distributed as an .ipa file signed with an enterprise certificate. The app must be installed silently without user interaction. The devices are supervised and managed with iOS MDM. You have the following options: A) Deploy the app as an iOS LOB app in Intune and assign to device groups. B) Deploy the app as a Volume Purchase Program (VPP) app. C) Use Apple Configurator to sideload the app via USB. D) Distribute the app via a web link to the .ipa hosted on a public CDN. Which option should you choose?

A.Deploy the app as a Volume Purchase Program (VPP) app
B.Use Apple Configurator to sideload the app via USB
C.Deploy the app as an iOS LOB app in Intune and assign to device groups
D.Distribute the app via a web link to the .ipa hosted on a public CDN
AnswerC

Allows silent installation on supervised devices.

Why this answer

Option C is correct because deploying the app as an iOS LOB app in Intune allows you to upload the enterprise-signed .ipa file directly and assign it to device groups. Since the devices are supervised and enrolled via ABM, Intune can silently install the app using MDM commands without user interaction, leveraging the device's trust for enterprise certificates.

Exam trap

The trap here is that candidates confuse VPP apps with LOB apps, assuming VPP can handle any app distribution, but VPP is strictly for App Store apps, while LOB apps are required for custom enterprise-signed .ipa files.

How to eliminate wrong answers

Option A is wrong because VPP apps are only for apps distributed through the Apple App Store, not for custom enterprise-signed .ipa files. Option B is wrong because Apple Configurator sideloading via USB requires physical device connection and user interaction, which violates the silent installation requirement. Option D is wrong because distributing via a web link to the .ipa on a public CDN would require users to manually download and trust the enterprise certificate, and it does not support silent installation via MDM.

141
MCQ · easy

A company wants to deploy Microsoft 365 Apps to 200 devices using Intune. They need to ensure that the deployment is available only to devices that meet a specific minimum OS version. Which feature should they use?

A.Assign the app and configure 'Require device compliance' with a filter for minimum OS version.
B.Assign the app with 'Uninstall' intent.
C.Assign the app as 'Available for enrolled devices' without filters.
D.Assign the app as 'Required' to all devices.
AnswerA

Device compliance filters can enforce OS version requirements.

Why this answer

Option A is correct because 'Require device compliance' in the assignment allows filtering by OS version. Option D is wrong because 'Required' installs to all assigned devices. Option C is wrong because 'Available for enrolled devices' makes the app optional.

Option B is wrong because 'Uninstall' removes the app.

142
MCQ · easy

You need to ensure that only compliant devices can access corporate email in Exchange Online. Which Conditional Access policy setting should you configure?

A.Require device to be marked as compliant
C.Require hybrid Azure AD joined device
D.Require approved client app
AnswerA

Directly enforces compliance for access.

Why this answer

Option A is correct because 'Require device to be marked as compliant' is the standard setting for this scenario. Option B is wrong because multi-factor authentication is separate. Option C is wrong because hybrid Azure AD join is for device identity, not compliance.

Option D is wrong because app protection policies are for mobile app management, not device compliance.

143
MCQ · medium

You are troubleshooting a Windows device that is not receiving policies from Microsoft Intune. The device shows as 'Not evaluated' or 'Pending' in the Intune console. The device is enrolled and connected to the internet. What is the most likely cause?

A.The device is marked as non-compliant.
B.The device does not have a valid device certificate.
C.The device has not checked in with the Intune service recently.
D.The device enrollment profile has expired.
AnswerC

Devices must check in to receive policy updates.

Why this answer

When a device shows as 'Not evaluated' or 'Pending' in the Intune console, it indicates that the Intune service has not received a recent check-in from the device. Even if the device is enrolled and connected to the internet, it must periodically communicate with the Intune service to retrieve policies; the default check-in interval is approximately 8 hours, and if the device misses this window, policies remain unevaluated.

Exam trap

The trap here is that candidates often assume policy delivery failures are due to compliance or certificate issues, but the MD-102 exam specifically tests the understanding that a device must actively check in with the Intune service to receive policies, and a 'Pending' status directly indicates a missed check-in.

How to eliminate wrong answers

Option A is wrong because a non-compliant device still receives policies from Intune; compliance status affects conditional access, not policy delivery. Option B is wrong because while a valid device certificate is required for enrollment, the issue described is about policy retrieval after enrollment, and a missing or expired certificate would typically cause enrollment failure or a different error state, not a 'Not evaluated' status. Option D is wrong because enrollment profiles are used during the enrollment process itself; once a device is enrolled, the profile is no longer relevant for ongoing policy delivery, and an expired profile would prevent enrollment, not cause a 'Pending' state for already-enrolled devices.

144
Multi-Select · easy

Your organization is implementing Windows Autopilot. Which TWO prerequisites must be met before you can use Autopilot?

Select 2 answers
A.An on-premises Active Directory domain
B.Microsoft Intune licenses
C.Configuration Manager
D.Microsoft Entra ID P1 or P2 licenses
E.TPM 2.0 chip on all devices
AnswersB, D

Intune licenses are required for device management.

Why this answer

Option B and Option D are correct because Autopilot requires Microsoft Entra ID P1/P2 and Intune licenses. Option A is wrong because on-prem AD is not required. Option C is wrong because Configuration Manager is not required.

Option E is wrong because a TPM is only required for self-deploying mode.

145
MCQ · hard

Your organization has an existing Microsoft Intune environment. You need to configure a Windows 11 device to automatically enroll in Intune when a user signs in with their Microsoft Entra ID credentials. The device is joined to Microsoft Entra ID. What should you do?

A. Set the MDM user scope in Microsoft Entra ID to 'All' or 'Some'.
B. Configure the MDM discovery URL in Microsoft Entra ID.
C. Create an enrollment restriction that allows Windows devices.
D. Assign a device compliance policy to the user.
Answer: A

This enables automatic enrollment for Microsoft Entra ID joined devices.

Why this answer

Option A is correct because Microsoft Entra ID joined devices automatically enroll in Intune when the MDM user scope is set to 'All' or 'Some'. Option B is wrong because the MDM discovery URL is configured automatically for Microsoft Entra ID joined devices. Option C is wrong because enrollment restrictions do not trigger automatic enrollment.

Option D is wrong because device compliance policies are applied after enrollment.

146
MCQ · hard

Your organization uses Microsoft Intune for device management. You have a compliance policy that requires Windows devices to have BitLocker enabled. A user reports that their device is marked as non-compliant even though BitLocker is turned on. What is the most likely cause?

A. The BitLocker recovery key is not escrowed to Microsoft Entra ID
B. BitLocker is only enabled on data drives, not the system drive
C. The device is running a version of Windows that does not support BitLocker
D. The device does not have a TPM chip
Answer: A

The compliance policy checks for recovery key backup; missing escrow causes non-compliance.

Why this answer

Option A is correct because the compliance policy often checks that the recovery key has been escrowed to Entra ID, not just that encryption is on. Option D is wrong because the TPM is checked but is not the primary issue here. Option B is wrong because BitLocker on the OS drive is required.

Option C is wrong because version compatibility is usually not the issue.

147
MCQ · medium

You are planning the enrollment of 500 Android Enterprise personally-owned work profile devices. Management requires that users must not be able to remove the work profile from their device. Which enrollment method should you use?

A. Android Enterprise dedicated devices
B. Android Enterprise corporate-owned work profile
C. Android Enterprise fully managed
D. Android Enterprise personally-owned work profile
Answer: A

Dedicated devices are fully managed and users cannot remove the work profile.

Why this answer

Option A is correct because Android Enterprise dedicated devices are fully managed and the user cannot remove the work profile. Option D is wrong because a personally-owned work profile allows users to remove the work profile. Option B is wrong because corporate-owned work profile is for company-owned devices.

Option C is wrong because fully managed is for corporate-owned devices.

148
MCQ · medium

Your organization uses Microsoft Defender for Endpoint (part of Microsoft Defender XDR) on all Windows devices. You need to ensure that devices that are not actively reporting to Defender for Endpoint are flagged as non-compliant in Intune. What should you configure?

A. Create a Conditional Access policy requiring device compliance and blocking access if not compliant.
B. Enable 'Require BitLocker' compliance setting.
C. Deploy a PowerShell script via Intune that checks the Defender service status and reports to Intune custom compliance.
D. Add a compliance policy setting: 'Require the device to be at or under the machine risk score' with a low score.
Answer: D

This setting uses Defender for Endpoint risk score to evaluate compliance. If the device is not reporting, the score is not available, causing non-compliance.

Why this answer

Intune compliance policies can include a rule that requires the device to be reported as 'healthy' by Microsoft Defender for Endpoint (the machine risk score setting). This rule evaluates the device's sensor state, so a device that is not reporting cannot satisfy it. Option D is correct.

Option B is wrong because it relates to device health attestation, not Defender. Option A is wrong because Conditional Access does not flag compliance; it enforces access based on it. Option C is wrong because Defender compliance is evaluated by a compliance policy setting, not by a script.

149
MCQ · hard

You need to configure Windows Update for Business policies using Intune. You want to defer feature updates by 60 days and quality updates by 14 days. Which policy setting should you use?

A. Windows compliance policy
B. Windows 10 and later update ring
C. Windows feature update policy
D. Windows driver update policy
Answer: B

Allows configuring deferral periods.

Why this answer

Option B is correct because the update ring policy includes settings for feature and quality update deferral periods. Option C is wrong because the feature update policy is for version targeting. Option D is wrong because the driver update policy is separate.

Option A is wrong because Windows Update for Business is not a compliance policy.

150
MCQ · easy

A company plans to deploy Windows 11 to 500 new devices using Windows Autopilot. The devices are purchased from a hardware vendor that supports OEM registration. Which prerequisite must be met to ensure Autopilot can automatically enroll these devices?

A. The devices must be registered in Microsoft Intune via the hardware vendor or manually.
B. The organization must have a hybrid Azure AD join configuration in place.
C. BitLocker must be enabled on the devices before they are shipped.
D. A local administrator account must be created on each device prior to deployment.
Answer: A

Autopilot requires device registration in Intune for automatic enrollment.

Why this answer

Option A is correct because Autopilot requires the device to be registered in Microsoft Intune (or Entra ID) before it can be automatically enrolled. Option D is wrong because a local admin account is not required. Option B is wrong because a hybrid join configuration is optional.

Option C is wrong because BitLocker is not a prerequisite for enrollment.
