CCNA Protect Devices Questions

75 of 163 questions · Page 1/3 · Protect Devices topic

1
MCQ · medium

Refer to the exhibit. You run this PowerShell script using the Microsoft Graph PowerShell SDK. What is the purpose of this script?

A. To check compliance status of devices.
B. To enroll devices in Intune.
C. To remove unsupported devices from Intune.
D. To identify devices that are not supported for compliance policies.

Answer: D

The script flags Windows RT and Windows Mobile devices.

Why this answer

Option D is correct. The script iterates through managed devices and outputs a message for Windows RT and Windows Mobile devices, indicating that they are not supported for compliance policies. Option C is wrong because the script does not remove devices.

Option A is wrong because it does not check compliance status. Option B is wrong because it does not enroll devices.

2
MCQ · easy

You need to deploy a Microsoft 365 Apps for enterprise configuration to devices managed by Intune. Which policy type should you use?

A. Device configuration profile (settings catalog)
B. Managed apps policy
C. Windows update ring policy
D. Microsoft 365 Apps (Windows) configuration policy

Answer: D

This policy type is designed to configure Microsoft 365 Apps.

Why this answer

Option D is correct. Intune uses 'Microsoft 365 Apps (Windows)' configuration policies specifically for Microsoft 365 Apps. Option B (managed apps policy) is for general app deployment.

Option C (update ring) is for Windows Update settings. Option A (settings catalog) is for general device configuration.

3
MCQ · medium

Your organization uses Microsoft Entra ID joined devices and Microsoft Intune for mobile device management. A user reports that their device is not receiving compliance policies. The device shows as 'Compliant' in Intune but the Conditional Access policy still blocks access. What should you verify first?

A. Check if the compliance policy is assigned to the device's group.
B. Review the Conditional Access policy to ensure it requires a compliant device.
C. Confirm the device is enrolled in Intune.
D. Verify the user is in the correct Azure AD group for Conditional Access.

Answer: C

If not enrolled, compliance policies are not applied.

Why this answer

Option C is correct because the most common cause of this issue is that the device is not enrolled in Intune, so compliance policies are not applied. Option A is wrong because the device shows as compliant, so the compliance policy is applied. Option D is wrong because the user is a member of the group.

Option B is wrong because Conditional Access policies require compliance data; the issue is that the device lacks the policy.

4
MCQ · medium

Contoso has iOS/iPadOS devices managed by Intune. They need to prevent users from installing apps from outside the Apple App Store and ensure that devices with a jailbreak are blocked from accessing corporate email. Which two policies should they combine?

A. Device compliance policy and Conditional Access
B. Windows Autopilot and Intune enrollment
C. Device configuration profile and Microsoft Defender XDR
D. App protection policy and Conditional Access

Answer: A

Device compliance policy detects jailbreak; Conditional Access blocks noncompliant devices.

Why this answer

Option A is correct: a device compliance policy can detect jailbroken devices and mark them noncompliant; Conditional Access then blocks access. Option D (app protection policy) can restrict app installation to managed apps but cannot detect a jailbreak. Option C (device configuration profile) can enforce restrictions, but jailbreak detection is a compliance feature.

Option B (Autopilot) is for provisioning only.

5
MCQ · medium

Refer to the exhibit. A KQL query in Microsoft Defender XDR returns no results for PC001 and PC002 even though you know there have been antivirus detections on those devices. What is the most likely reason?

A. The timestamp range is too narrow
B. The device names are case-sensitive and are entered incorrectly
C. You do not have permissions to view events on those devices
D. The ActionType filter is incorrect for antivirus detections

Answer: D

Antivirus detection action types may be 'AntivirusDetectedMalware' or others.

Why this answer

Option D is correct: the query filters ActionType == 'AntivirusDetection', but the actual action type might be 'AntivirusDetectedMalware' or similar. Option A (timestamp range) is 7 days, which should include recent events. Option B (DeviceName case mismatch) is possible, but Defender XDR is case-insensitive by default.

Option C (permissions) would return an error, not empty results.

6
MCQ · easy

A company wants to prevent users from copying corporate data from managed Microsoft 365 apps to personal apps on iOS devices. What should they configure?

A. Intune app protection policy
B. Device compliance policy
C. Microsoft Defender for Cloud Apps session policy
D. Conditional Access policy

Answer: A

App protection policies restrict copy/paste and data transfer between apps.

Why this answer

Option A is correct: Intune app protection policies (MAM) control data transfer between managed and unmanaged apps. Option B (device compliance policy) enforces device health but not app-level data movement. Option D (Conditional Access) controls access but not copy/paste.

Option C (Microsoft Defender for Cloud Apps) is for cloud app security, not local app data protection.

7
MCQ · hard

Refer to the exhibit. A Windows 10 device shows a compliance state of 'noncompliant'. The last sync was 2 hours ago. The device is managed by Intune (mdm). You have verified that the assigned compliance policy requires a device threat level of 'high' from Microsoft Defender for Endpoint. Which of the following is the most likely cause of non-compliance?

A. Microsoft Defender for Endpoint reports a medium-severity threat on the device.
B. The device OS version is below the minimum required.
C. The device has not synced with Intune for over 24 hours.
D. The device is not enrolled in Microsoft Defender for Endpoint.

Answer: A

A medium threat would make the device non-compliant if the required level is high.

Why this answer

Option A is correct. The required device threat protection level is 'high', meaning the device must have no active threats at medium or high severity. If Defender for Endpoint reports a medium threat, the device will be non-compliant.

Option C is incorrect because the device synced recently. Option D is incorrect because the device is enrolled. Option B is incorrect because the OS version is not mentioned in the exhibit.

8
MCQ · hard

You are troubleshooting an issue where Windows 10 devices are not receiving Windows updates from Intune. The update rings are configured, and the devices are enrolled. However, devices show 'Up to date' even though they are missing critical security updates. What should you verify?

A. The deferral settings are too long.
B. The update ring is assigned to the correct device group.
C. The devices have the Windows Update for Business policy assigned.
D. The devices are compliant with the compliance policy.

Answer: C

The WUfB policy controls update behavior.

Why this answer

Option C is correct because the device must have the 'Windows Update for Business' (WUfB) policy assigned. Option D is wrong because compliance does not affect update deployment. Option B is wrong because the update ring is already configured.

Option A is wrong because deferral settings affect timing, not delivery.

9
MCQ · easy

You need to ensure that Windows 10 devices automatically receive Microsoft Defender antivirus definition updates from Microsoft. Which update channel should you configure in the endpoint protection profile?

A. Microsoft Update
B. Microsoft Update for Business
C. Windows Update
D. WSUS

Answer: A

This channel ensures definition updates from Microsoft.

Why this answer

Option A is correct because the 'Microsoft Update' channel delivers definition updates from Microsoft. Option C is wrong because Windows Update is for OS updates. Option D is wrong because WSUS is for on-premises managed updates.

Option B is wrong because Microsoft Update for Business is a service, not a channel in the profile.

10
MCQ · easy

You need to wipe a lost corporate-owned iOS device that is enrolled in Intune. Which action should you perform?

A. Delete the device from Intune.
B. Retire the device.
C. Wipe the device.
D. Disable the device.

Answer: C

Wipe resets the device completely.

Why this answer

Option C is correct because 'Wipe' resets the device to factory settings. Option B is wrong because 'Retire' removes company data but leaves personal data. Option A is wrong because 'Delete' only removes the device record.

Option D is wrong because 'Disable' is not an Intune device action.

11
MCQ · medium

Contoso uses Microsoft Defender for Endpoint on Windows servers. They need to ensure that antivirus definitions are always up-to-date even if the server is disconnected from the internet for extended periods. What should they configure?

A. Enable Windows Update for Business group policy
B. Use Intune to deliver definition updates
C. Configure a network file share as an internal update source for Microsoft Defender Antivirus
D. Download definitions from Microsoft Update Catalog and install manually

Answer: C

Defender Antivirus supports an internal file share for definition updates.

Why this answer

Option C is correct: Microsoft Defender for Endpoint can use a file share as an internal definition update source. Option A (Windows Update for Business) requires internet access. Option B (Intune) typically manages client devices, not servers.

Option D (Microsoft Update Catalog) is a manual download, not automatic updates.

12
MCQ · easy

You need to ensure that only compliant devices can access Microsoft 365 resources. You create a Conditional Access policy in Microsoft Entra ID. Which condition should you use?

A. Locations condition set to trusted IPs.
B. Grant access with multi-factor authentication.
C. Require device to be marked as compliant.
D. Device platform condition set to all.

Answer: C

This is a grant control that enforces compliance.

Why this answer

Option C is correct because a Conditional Access policy can require the device to be marked as compliant. Option B is wrong because multi-factor authentication is a grant control, not a compliance condition. Option D is wrong because the device platform condition does not by itself enforce compliance.

Option A is wrong because it is a location condition.

13
MCQ · medium

Your organization uses Microsoft Intune to manage Windows 10 devices. You need to ensure that devices automatically install critical updates from Windows Update for Business within 3 days of release. Which configuration should you use?

A. Windows Autopatch deployment policy
B. Windows feature update policy
C. Device configuration policy for Windows 10/11
D. Update rings for Windows 10 and later

Answer: D

Update rings allow configuring deferral periods for quality updates.

Why this answer

Option D is correct because 'Update rings' in Intune let you configure deferral periods for quality updates. Option A is wrong because Windows Autopatch automates patching but does not configure deferral periods. Option B is wrong because feature update policies deploy feature updates, not quality updates.

Option C is wrong because Windows 10/11 device configuration policies do not directly manage update rings.

14
MCQ · hard

Refer to the exhibit. An Intune administrator finds this configuration on a Windows 10 device. What is the purpose of this setting?

A. Define the Intune MDM discovery URL
B. Set the compliance policy evaluation URL
C. Configure Windows Update service endpoint
D. Specify the Microsoft Defender ATP tenant

Answer: A

This CSP sets the MDM enrollment server URL for Intune.

Why this answer

Option A is correct: the setting defines the Intune management endpoint for the device. Option C is incorrect because the MDM discovery URL is not used for Windows Update. Option B is incorrect because the enrollment server URL is not used for compliance policy evaluation.

Option D is incorrect because the URL is for device management, not Defender ATP.

15
MCQ · easy

An IT administrator needs to ensure that iOS devices enrolled in Intune require a PIN of at least 6 digits. Where should the administrator configure this setting?

A. App protection policy
B. Device compliance policy for iOS
C. Conditional Access policy
D. Enrollment restrictions

Answer: B

Compliance policies include device health and security settings such as PIN length.

Why this answer

Option B, the device compliance policy for iOS, is correct. Option D is incorrect because enrollment restrictions control device enrollment, not device settings. Option A is incorrect because app protection policies apply to apps, not the device-level PIN.

Option C is incorrect because Conditional Access controls access, not device settings.

16
MCQ · hard

Your organization uses Microsoft Defender for Cloud Apps. You need to configure a policy that automatically blocks downloads of sensitive data from SharePoint Online to unmanaged devices. Which policy type should you use?

A. Activity policy
B. App discovery policy
C. Access policy
D. Session policy

Answer: D

Session policies can block downloads in real time.

Why this answer

Option D is correct because session policies in Defender for Cloud Apps can monitor and control activities in real time. Option C is wrong because access policies control access, not downloads. Option A is wrong because activity policies are for alerts, not blocking.

Option B is wrong because app discovery policies are for discovering cloud apps.

17
MCQ · hard

Refer to the exhibit. A Windows 10 device with OS build 10.0.19041.1 is evaluated against this compliance policy. The build is within the policy's allowed OS version range, and the device has BitLocker enabled, Secure Boot enabled, and the firewall enabled. Which setting will cause the device to be non-compliant?

A. BitLocker is not enabled on the device.
B. Antivirus signatures are out of date.
C. Secure Boot is not enabled on the device.
D. The firewall is not enabled on the device.

Answer: B

The policy requires signatureOutOfDate: false, meaning signatures must be up to date.

Why this answer

Option B is correct. The policy requires osMinimumVersion "10.0.19041.0" and osMaximumVersion "10.0.19043.0". The device has 10.0.19041.1, which is above the minimum and below the maximum, so the OS version is within range.

The policy also sets "signatureOutOfDate": false, which, per this policy, means antivirus signatures must be up to date. The exhibit does not show the device's signature status, but the device satisfies every other setting: BitLocker (A), Secure Boot (C) and the firewall (D) are all enabled per the exhibit.

Since every other setting is met, the only setting that can cause non-compliance is outdated antivirus signatures, so B is correct.

18
MCQ · easy

A user reports that their Windows 10 device is not receiving compliance policies from Microsoft Intune. The device shows as 'Not evaluated' in the Microsoft Intune admin center. Which of the following is the most likely cause?

A. The device has not checked in with Intune recently.
B. The MDM authority is set to Configuration Manager.
C. The compliance policy is set to 'Not applicable' due to OS version.
D. BitLocker encryption is enabled on the device.

Answer: A

The device must sync to receive and evaluate policies.

Why this answer

Option A is correct: the device is not syncing with Intune, so compliance policies are not evaluated; the Intune Management Extension handles policy retrieval and compliance evaluation. Option D is incorrect because BitLocker is not related to policy evaluation.

Option C is incorrect because an inapplicable policy does not prevent evaluation; the device would still evaluate. Option B is incorrect because the MDM authority is already set to Intune.

19
Multi-Select · medium

An Intune administrator needs to ensure that Windows 10 devices are compliant with security requirements. Which TWO options are valid compliance settings for Windows 10?

Select 2 answers
A. Device category must be 'Corporate'
B. Device enrollment type must be 'Corporate'
C. Require BitLocker
D. Minimum OS version
E. Require app protection policy

Answers: C, D

BitLocker is a built-in compliance setting for Windows 10.

Why this answer

The correct answers are C and D. Option E is incorrect because app protection policy is not part of compliance. Option A is incorrect because device category is not a compliance setting.

Option B is incorrect because device enrollment type is not a compliance setting.

20
Multi-Select · medium

Your organization uses Microsoft Intune to manage Windows devices. You need to deploy a PowerShell script that runs in the user context during device enrollment. Which two conditions must be met? (Select TWO.)

Select 2 answers
A. The script must be assigned to the user scope.
B. The script must be saved as a .psm1 file.
C. The script must be assigned to device groups.
D. The script must be signed with a trusted certificate.
E. The script must be added via a custom OMA-URI policy.

Answers: A, D

User context scripts must be assigned to user groups.

Why this answer

Options A and D are correct. The script must be signed if the execution policy requires it, and the script must be assigned to the user scope. Option B is wrong because scripts are .ps1 files, not .psm1.

Option E is wrong because scripts are not added via OMA-URI. Option C is wrong because scripts need to be assigned to users, not devices, to run in the user context.

21
Multi-Select · medium

Which TWO conditions must be met for a Windows 10 device to be considered compliant with an Intune compliance policy that requires BitLocker and Secure Boot?

Select 2 answers
A. TPM is present and enabled.
B. Secure Boot is enabled.
C. All fixed drives are encrypted with BitLocker.
D. Windows Defender Antivirus is active.
E. BitLocker is enabled on the system drive.

Answers: B, E

Secure Boot is a required setting.

Why this answer

Options B and E are correct. BitLocker must be enabled on the system drive, and Secure Boot must be enabled. Option A is wrong because a TPM is required for BitLocker but is not a separate compliance setting.

Option C is wrong because encryption of other drives is not required. Option D is wrong because antivirus is not part of this policy.

22
Multi-Select · easy

Which TWO settings can be configured in a Windows 10 device restriction profile in Intune to enhance security?

Select 2 answers
A. Require BitLocker encryption
B. Disable copy and paste between apps
C. Disable the camera
D. Require a password for unlocking the device
E. Configure Windows Update for Business settings

Answers: C, D

Disabling the camera is a security restriction.

Why this answer

Options C and D are correct. Disabling the camera and requiring a password are security measures. Option E is about updates, not device restrictions.

Option A is about encryption. Option B is about copy/paste.

23
MCQ · hard

Your organization uses Windows Autopilot for device deployment. After a device completes the user-driven deployment, it appears in Microsoft Entra ID as 'Azure AD registered' instead of 'Azure AD joined'. What should you modify to ensure the device is joined?

A. Modify the Autopilot deployment profile to set 'Join to Azure AD as' to 'Azure AD joined'.
B. Add the device to a hybrid Azure AD join profile.
C. Modify the Autopilot deployment profile to set 'Join to Azure AD as' to 'Azure AD registered'.
D. Modify the enrollment restrictions to block personally owned devices.

Answer: A

This setting controls whether the device is joined or registered.

Why this answer

Option A is correct because the Autopilot profile determines the join type; setting it to 'Azure AD joined' ensures the device is joined, not registered. Option C is wrong for the same reason. Option D is wrong because enrollment restrictions affect user enrollment, not the join type.

Option B is wrong because the domain join profile is for hybrid scenarios.

24
MCQ · hard

Refer to the exhibit. A PowerShell script is used to check the encryption compliance state of Windows devices managed by Intune. Some devices return a State of 'notApplicable' for the Encryption setting. What does this indicate?

A. The device has pending actions to enable encryption
B. The compliance policy is not assigned to the device
C. The device's operating system edition does not support the encryption setting
D. The device does not require encryption per policy

Answer: C

Some editions such as Home don't support BitLocker, so the setting is not applicable.

Why this answer

Option C is correct: 'notApplicable' means the device's operating system or edition does not support the encryption setting (e.g., Windows 10 Home lacks BitLocker device encryption). Option D (encryption is not required) would show 'compliant'. Option B (policy not assigned) would show 'notEvaluated'.

Option A (pending) would show 'pending'.

25
Multi-Select · easy

You are configuring Microsoft Defender for Endpoint for your organization. You need to ensure that devices are onboarded to the service. Which two methods can you use to onboard Windows 10 devices? (Choose two.)

Select 2 answers
A. PowerShell script
B. Group Policy
C. Microsoft Intune
D. Microsoft Endpoint Manager
E. Microsoft Configuration Manager

Answers: B, C

Group Policy can deploy the onboarding configuration.

Why this answer

Options B and C are correct. Group Policy and Microsoft Intune are both supported methods for onboarding devices. Option D is wrong because Microsoft Endpoint Manager is a suite that includes Intune, but the specific method is Intune.

Option E is wrong because Microsoft Configuration Manager (SCCM) is for on-premises management and is not a direct onboarding method. Option A is wrong because PowerShell can be used for scripting, but it is not a primary onboarding method.

26
MCQ · medium

You manage Android Enterprise devices with work profiles. A user reports that corporate apps are not appearing in the work profile after enrollment. The device shows as enrolled in Microsoft Intune. What is the most likely cause?

A. The device is not connected to the internet.
B. The device is not compliant with corporate policies.
C. The work profile was not created or was removed on the device.
D. The corporate apps are not assigned to the user.

Answer: C

Without a work profile, corporate apps have no container to install into.

Why this answer

Option C is correct because if the work profile is not set up correctly on the device, corporate apps have no container to install into and won't appear. Option D is wrong because if the apps were assigned they should deploy; an assignment problem would affect all devices, not just one. Option A is wrong because the device shows as enrolled, so it has reached Intune.

Option B is wrong because compliance policies don't affect app visibility.

27
MCQ · hard

You are troubleshooting a Windows 10 device that is showing as non-compliant in Intune. The exhibit shows the PowerShell output from the Microsoft Graph API. Based on the output, what is the most likely reason for the non-compliance?

A. The device does not have a compliant operating system version
B. BitLocker drive encryption is not enabled on the device
C. The device is not running a supported version of Windows 10
D. The device has a third-party antivirus installed

Answer: B

The 'RequireEncryption' reason indicates BitLocker is missing.

Why this answer

Option B is correct because the output shows the non-compliance reason is 'RequireEncryption', indicating BitLocker is not enabled. Option A is wrong because the reason is specifically about encryption, not the OS version. Option D is wrong because the reason is not about antivirus.

Option C is wrong because the reason is specific to encryption, not Windows 10 support.

28
Multi-Select · easy

Which TWO of the following are valid methods to wipe a Windows 10 device using Microsoft Intune? (Select TWO.)

Select 2 answers
A. Factory reset from Windows Settings
B. Retire (selective wipe)
C. Remote lock
D. Delete device from Intune
E. Full wipe (remote wipe)

Answers: B, E

Retire removes corporate data from the device.

Why this answer

Options B and E are correct. A remote wipe resets the device to factory settings, and a retire removes corporate data while keeping personal data. Option C is wrong because a remote lock only locks the device.

Option D is wrong because deleting a device just removes it from management without wiping. Option A is wrong because a factory reset from Settings is a user action, not an Intune action.

29
MCQ · hard

Your organization uses Microsoft Defender for Endpoint (now part of Microsoft Defender XDR) to manage device threat detection. You have integrated Defender for Endpoint with Intune for compliance. Some devices are showing as non-compliant due to 'active threats' that are actually low-risk. How can you adjust the compliance policy to allow low-risk threats?

A. Modify the Conditional Access policy to require device compliance.
B. Configure the 'Machine risk score' in Defender for Endpoint.
C. Whitelist the specific threats in Defender for Endpoint.
D. Set the 'Threat level' in the Intune compliance policy to 'Low'.

Answer: D

This allows devices with low-risk threats to be compliant.

Why this answer

Option D is correct because the Intune compliance policy for Defender for Endpoint has a 'Threat level' setting that can be set to 'Low' to allow low-risk threats. Option C is wrong because you cannot whitelist specific threats for this purpose. Option A is wrong because the threat level is not a Conditional Access policy setting.

Option B is wrong because the threat level is configured in the compliance policy, not in Defender.

30
MCQ · easy

You manage devices with Microsoft Intune. You need to deploy a Windows 10 feature update to a pilot group of devices. Which profile type should you use?

A. Windows 10 configuration profile
B. Windows 10 compliance policy
C. Windows 10 update ring profile
D. Windows 10 feature update profile

Answer: D

This profile type is designed for deploying feature updates such as version upgrades.

Why this answer

Option D is correct because the 'Windows 10 feature update' profile is specifically for deploying feature updates. Option C is wrong because a 'Windows 10 update ring' is for quality updates and deferrals. Option B is wrong because a 'Windows 10 compliance policy' checks device compliance.

Option A is wrong because a 'Windows 10 configuration profile' configures settings.

31
Multi-Select · hard

Which TWO conditions in a Conditional Access policy can be used to enforce device compliance for access to Microsoft 365 services?

Select 2 answers
A. Sign-in risk
B. Locations (trusted IPs)
C. Applications (e.g., Exchange Online)
D. Client apps (Browser, Mobile apps and desktop clients)
E. Device state (Compliant or Domain joined)

Answers: D, E

The client apps condition can require a compliant device for specific app types.

Why this answer

Options D and E are correct. 'Device state' includes the compliant and domain-joined conditions. 'Client apps' can target specific app types. Option B is about location. Option A is about sign-in risk.

Option C is about the target application.

32
Multi-Select · medium

Your organization uses Microsoft Intune to manage mobile devices. You need to configure compliance policies that trigger conditional access. Which TWO conditions can be used in a device compliance policy?

Select 2 answers
A. Device is enrolled in a specific MDM authority.
B. App must have a minimum version.
C. Minimum OS version is 14.0.
D. Device is not jailbroken or rooted.
E. SD card encryption is enabled.

Answers: C, D

Compliance policies can specify a minimum OS version.

Why this answer

Options C and D are correct. Device compliance policies can check for jailbroken/rooted devices (D) and require a minimum OS version (C). Option B is wrong because app protection policies, not compliance policies, manage app-level restrictions.

Option E is wrong because device compliance policies do not enforce encryption of SD cards; they can require device encryption but not SD card encryption specifically. Option A is wrong because device compliance policies do not require a specific MDM authority; they assume Intune.

33
MCQ · medium

Your company uses Intune to manage iOS devices. You need to deploy a new app that is available in the Apple App Store. You create an iOS store app in Intune and assign it as 'Required' to a group of users. After 24 hours, some users report that the app is not installed. You verify that the app is available in the App Store and that the devices are online. The devices are supervised and enrolled via Apple Business Manager. What should you do first to troubleshoot the issue?

A. Review the iOS device restrictions policy
B. Confirm that the devices are enrolled in Intune
C. Check the app configuration policy for the app
D. Verify that a VPP token is configured and assigned

Answer: D

Supervised devices require a VPP token for app distribution.

Why this answer

Option D is correct because Volume Purchase Program (VPP) tokens are required for managed app distribution on supervised devices. Option C is incorrect because app configuration policies are not required for installation. Option A is incorrect because iOS restrictions are not blocking installation.

Option B is incorrect because the devices are already enrolled and online.

34
MCQ · medium

You manage Windows 10 devices with Intune. After deploying a new compliance policy requiring BitLocker, many devices show as non-compliant. You verify that BitLocker is enabled on the system drive. What is the most likely cause?

A. BitLocker recovery key is not backed up to Microsoft Entra ID
B. The device has multiple drives and BitLocker is not enabled on all
C. The device does not have a TPM chip
D. The compliance policy requires 'Encryption' but the device reports 'Encrypted'

Answer: D

The compliance policy might require a specific encryption method or report that doesn't match.

Why this answer

Option D is correct. The compliance policy requires the encryption status to be reported via a specific setting. Option C is about the TPM not being reported correctly.

Option A is about recovery key backup. Option B is about other drives.

35
MCQ · easy

A user reports that their Windows 11 device is not receiving compliance policies from Microsoft Intune. The device shows as 'Not evaluated' in the Microsoft Intune admin center. Which step should you take first to resolve the issue?

A. Disconnect the device from Microsoft Entra ID and rejoin.
B. On the device, go to Settings > Accounts > Access work or school, select the account, and click Sync.
C. Delete and recreate the compliance policy in Microsoft Intune.
D. Re-enroll the device in Microsoft Intune.

Answer: B

Forcing a sync triggers a policy evaluation.

Why this answer

Option B is correct because forcing a sync from the device refreshes the policy evaluation and can resolve the 'Not evaluated' status. Option D is wrong because the device is already enrolled. Option C is wrong because the issue is with policy evaluation, not the policy's configuration.

Option A is wrong because the device is already joined.

36
MCQ · medium

Refer to the exhibit. A Windows 10 device is enrolled in Intune and has the above compliance policy assigned. The device reports as non-compliant. The device has TPM version 2.0, Secure Boot enabled, and a password of 8 characters. Which of the following is the most likely reason for non-compliance?

A.The OS version is outside the allowed range.
B.The device does not have a TPM chip.
C.Secure Boot is not enabled.
D.The password length is less than 6 characters.
AnswerA

The policy restricts OS version; the device likely has a newer build.

Why this answer

The policy requires the OS version to be between 10.0.19041.0 and 10.0.19045.0. A device on a newer build, for example 10.0.19046.0, exceeds the maximum. Option A is correct because the device may have an OS version outside that range.

Option B is incorrect because the device has TPM 2.0. Option C is incorrect because Secure Boot is enabled. Option D is incorrect because an 8-character password meets the 6-character minimum.

37
MCQeasy

You need to ensure that devices enrolled in Microsoft Intune automatically receive Windows quality updates as soon as they are released. Which update ring setting should you configure?

A.Set 'Driver update deferral period (days)' to 0
B.Set 'Quality update deferral period (days)' to 0
C.Set 'Feature update deferral period (days)' to 0
D.Set 'Microsoft product updates' to 'Allow'
AnswerB

A deferral of 0 days means quality updates are offered as soon as Microsoft releases them.

Why this answer

Option B is correct. 'Quality update deferral period (days)' in an update ring controls how long after release quality updates are offered to the device; 0 means immediately. Option A governs driver updates and Option C governs feature updates, neither of which the question asks about.

Option D ('Microsoft product updates') only decides whether updates for other Microsoft products are delivered through Windows Update; it does not change when Windows quality updates arrive.

38
MCQeasy

You need to ensure that only approved iOS apps can be installed on company-owned devices. Which Intune feature should you use?

A.Selective wipe
B.App protection policy
C.Device compliance policy with required apps
D.App configuration policy
AnswerC

A compliance policy can evaluate the apps present on the device and mark it non-compliant when unapproved apps are found.

Why this answer

Option C is correct because a device compliance policy with an app list is the only option here that evaluates which apps are on the device. Option A is wrong because selective wipe removes corporate data; it does not prevent installations. Option B is wrong because app protection policies govern data inside apps, not installation.

Option D is wrong because app configuration policies push settings into apps rather than controlling which apps are installed.

39
MCQeasy

You are reviewing a custom device configuration profile in Intune. The exhibit shows an OMA-URI setting. What is the purpose of this setting?

A.Enables the camera on the lock screen
B.Disables the camera on the device entirely
C.Disables the microphone on the lock screen
D.Disables the camera on the lock screen
AnswerD

The OMA-URI prevents the camera from being used on the lock screen.

Why this answer

Option D is correct because the OMA-URI 'PreventLockScreenCamera' with value '1' disables the camera on the lock screen. Option A is wrong because a value of 1 prevents, not enables, the lock screen camera. Option B is wrong because the setting is scoped to the lock screen, not the camera as a whole.

Option C is wrong because the setting targets the camera, not the microphone.

40
MCQmedium

A company uses Intune to manage macOS devices. They need to deploy a custom configuration profile that enforces FileVault encryption. What is the recommended approach?

A.Create an endpoint security disk encryption policy in Intune and assign it to the devices
B.Use Apple Configurator to create the profile and import it into Intune
C.Ask users to manually enable FileVault
D.Use JAMF Pro to manage FileVault
AnswerA

Intune supports FileVault configuration via endpoint security policies.

Why this answer

Option A is correct: Intune provides a built-in FileVault section in the endpoint security disk encryption policy for macOS, which also escrows the recovery key to Intune. Option B (Apple Configurator) is a local provisioning tool, not the recommended way to build an MDM FileVault profile. Option D (JAMF Pro) is a third-party MDM, not Microsoft Intune.

Option C (manual configuration) is neither enforceable nor scalable.

41
Multi-Selectmedium

Which THREE conditions can be used in a Conditional Access policy to require a compliant device?

Select 3 answers
A.Device state
B.Client apps
C.Locations
D.Device platform
E.Sign-in risk
AnswersB, C, D

Conditions scope where the grant control 'Require device to be marked as compliant' applies: client apps, locations, and device platforms.

Why this answer

Options B, C, and D are correct. Option B: the Client apps condition scopes the policy to browser, mobile app and desktop client traffic. Option C: the Locations condition can require compliance only from, or except from, specific IP ranges or named locations. Option D: the Device platform condition targets specific operating systems.

Option E is wrong because sign-in risk is a risk signal from Microsoft Entra ID Protection rather than a device-scoping condition. Option A is wrong because the legacy Device state condition was used to exclude hybrid Microsoft Entra joined devices and has been retired in favor of the filter for devices; it is not how compliance is required.

42
MCQeasy

You need to enroll a Windows 11 device into Microsoft Intune using a work or school account. The device is already joined to Microsoft Entra ID. What is the simplest enrollment method?

A.Windows Autopilot
B.Group Policy to configure enrollment
C.Manual enrollment using the Company Portal
D.Automatic enrollment via Microsoft Entra join
AnswerD

Microsoft Entra joined devices can be automatically enrolled in Intune.

Why this answer

Option D is correct because a Microsoft Entra joined device enrolls in Intune automatically when MDM automatic enrollment is configured for the tenant, with no further action on the device. Option A is wrong because Autopilot is a provisioning flow that needs device registration and deployment profiles. Option C is wrong because Company Portal enrollment requires extra user steps.

Option B is wrong because the Group Policy enrollment method is for domain-joined, on-premises devices.

43
MCQhard

You review the compliance policy JSON for Windows 10 devices. A device running build 10.0.22621.0 (Windows 11 version 22H2, which the 'Windows 10 and later' platform covers) with a numeric-only password of 10 characters, BitLocker enabled, firewall enabled, and Microsoft Defender running reports as non-compliant. What is the most likely reason?

A.The password type is not alphanumeric.
B.The OS version is outside the allowed range.
C.Storage encryption is not enabled.
D.Microsoft Defender is not enabled.
AnswerA

The policy requires alphanumeric, but the password is numeric-only.

Why this answer

Option A is correct because the policy requires an alphanumeric password, but the device has a numeric-only one; length alone (10 characters) does not satisfy a required password type. Option B is wrong because build 22621.0 is within the range (minimum 19045, maximum 22621). Option C is wrong because storage encryption is required and BitLocker is enabled.

Option D is wrong because Microsoft Defender is running.

44
MCQhard

You are the endpoint administrator for Contoso Ltd., a global company with 5,000 Windows 11 devices managed by Microsoft Intune. The company has a strict security policy requiring that all devices must have BitLocker Drive Encryption enabled on the operating system drive. Additionally, devices must be compliant with the policy to access corporate resources via Conditional Access. Recently, an audit revealed that 200 devices are non-compliant because BitLocker is not enabled. You investigate and find that these devices are all personal devices enrolled as 'Windows bring your own device' (BYOD). The BitLocker policy is configured as a device configuration profile targeting 'All Devices'. The compliance policy requires 'Storage encryption' to be enabled. You need to resolve the non-compliance for these BYOD devices. What should you do?

A.Assign the BitLocker configuration profile to device groups that include BYOD devices.
B.Upgrade the Windows edition on BYOD devices to Windows Pro or Enterprise.
C.Create a separate compliance policy for BYOD devices that does not require storage encryption.
D.Configure the compliance policy to mark devices as compliant if BitLocker is not enabled but other settings are met.
AnswerB

BitLocker is only available on Pro, Enterprise and Education editions; upgrading the edition makes encryption possible.

Why this answer

Option B is correct because BitLocker is not available on Windows Home edition, which BYOD devices commonly run; the configuration profile reaches these devices but cannot turn on a feature the edition lacks. Option A is wrong because the profile already targets 'All Devices', so assignment is not the gap. Option C is wrong because it weakens the security requirement instead of meeting it.

Option D is wrong because a compliance policy only reports on encryption; it cannot enable BitLocker, and marking unencrypted devices compliant defeats the control.

45
MCQeasy

You need to ensure that only authorized users can enroll devices in Microsoft Intune. Which setting should you configure?

A.Enrollment restrictions
B.Device categories
C.Device compliance policies
D.Conditional access policies
AnswerA

Enrollment restrictions decide which users may enroll which device types.

Why this answer

Device enrollment restrictions in Intune are assigned to user groups and can block personally owned devices, restrict platforms and OS versions, and cap the number of devices per user. Option A is correct because they are the control applied at enrollment time. Option C is incorrect because device compliance policies apply after enrollment.

Option D is incorrect because Conditional Access policies control access to resources, not enrollment. Option B is incorrect because device categories are for grouping, not blocking enrollment.

46
MCQmedium

You have a hybrid Microsoft Entra ID joined Windows 10 device that is co-managed with Configuration Manager and Intune. You want Intune to manage Windows Update for Business settings. Which slider setting should you configure in Configuration Manager?

A.Move the slider for 'Windows Update policies' to 'Intune'
B.Move the slider for 'Endpoint protection' to 'Intune'
C.Move the slider for 'Resource access' to 'Intune'
D.Move the slider for 'Device configuration' to 'Intune'
AnswerA

This delegates update management to Intune.

Why this answer

Option A is correct. The 'Windows Update policies' workload must be moved to 'Intune' (or 'Pilot Intune' for a pilot collection) before Intune's update rings take effect on co-managed devices. Option D is the device configuration workload.

Option C is the resource access workload. Option B is the endpoint protection workload; none of these carries Windows Update for Business settings.

47
MCQhard

Your company uses Microsoft Intune to manage 1,000 Windows 10 devices. You need to deploy a security baseline that includes BitLocker encryption, Windows Defender Antivirus settings, and firewall rules. You create a security baseline policy in Intune and assign it to a group containing all devices. After 48 hours, you notice that only 800 devices have applied the baseline. The remaining 200 devices show 'Pending' status. These devices are online and have network connectivity. What is the most likely cause and solution?

A.The devices need a reboot to apply the baseline settings; schedule a reboot.
B.The devices are not in the correct group; re-assign the policy.
C.Re-create the security baseline and assign again.
D.The devices have low battery; plug them in.
AnswerA

Many security baseline settings take effect only after a reboot.

Why this answer

Option A is correct because many security baseline settings are delivered through Configuration Service Providers (CSPs) whose values only take effect after a restart, so the devices report 'Pending' until they reboot. Scheduling a reboot during maintenance hours will apply the baseline. Option B is wrong because the 800 devices that applied the baseline are in the same group, so the assignment works.

Option C is wrong because re-creating the policy does not change what the devices still need. Option D is wrong because nothing in the scenario points to a power problem; the devices are online and reachable.

48
MCQmedium

Your organization, Fabrikam, uses Microsoft Intune to manage iOS/iPadOS and Android devices. You need to implement a solution that ensures company email can only be accessed from the Outlook mobile app, and that data from the Outlook app cannot be copied to personal apps. You also need to ensure that when a user leaves the company, the corporate data in Outlook is removed without affecting personal data. You plan to use app protection policies (MAM). The devices are not enrolled in Intune (unmanaged). You configure the app protection policies for Outlook on iOS and Android. However, users report that they can still copy email content to personal apps. What should you check?

A.Ensure that the devices are enrolled in Intune.
B.Check that the device compliance policy is assigned.
C.Verify that the 'Cut, copy, and paste' setting in the app protection policy is set to 'No' or 'Policy managed apps'.
D.Confirm that the Outlook app is a managed app in Intune.
AnswerC

This setting controls data transfer to other apps.

Why this answer

Option C is correct because 'Restrict cut, copy, and paste between apps' must be set to block or to 'Policy managed apps' (the admin center labels the blocking value 'Blocked') to stop clipboard transfer into personal apps. Option A is wrong because app protection policies work without device enrollment. Option D is wrong because Outlook is already a policy-managed app that supports MAM.

Option B is wrong because device compliance is not required for MAM policies on unmanaged devices.

49
MCQmedium

Refer to the exhibit. You run a PowerShell command to check the assignment status of device configuration profiles. The 'BitLocker Policy' shows 'Pending'. What does 'Pending' indicate?

A.The policy is waiting for user approval
B.The policy assignment failed due to a conflict
C.The policy has been successfully applied
D.The policy has been assigned to the device but not yet applied
AnswerD

Pending indicates the policy is queued for application.

Why this answer

Option D is correct. 'Pending' means the policy has been assigned but the device has not yet reported that it applied the settings, typically because it has not checked in since the assignment. Option B is wrong because a conflict is reported as 'Conflict' or 'Error'. Option A is wrong because Intune has no user-approval state for configuration profiles.

Option C is wrong because successful application shows as 'Succeeded'.

50
MCQhard

A company uses Microsoft Defender for Endpoint to manage endpoint security. They observe that some devices are not reporting vulnerability data to Microsoft Defender XDR. Which component is most likely misconfigured?

A.Microsoft Sentinel workspace
B.Microsoft Defender for Endpoint sensor on the devices
C.Intune MDM authority
D.Microsoft Purview compliance portal
AnswerB

The sensor collects vulnerability data; missing sensor stops reporting.

Why this answer

Option B is correct: Microsoft Defender for Endpoint relies on its on-device sensor to collect the inventory and vulnerability data that Defender XDR reports. If the sensor is not onboarded, not running, or unable to reach the service, that data is not reported. Option C (Intune MDM authority) manages device configuration, not vulnerability reporting.

Option D (Microsoft Purview) is for compliance and data loss prevention. Option A (Microsoft Sentinel) ingests data from Defender but is not the source.

51
MCQmedium

You have a Windows 10 device that is managed by Intune and enrolled in Microsoft Defender for Endpoint. The device is reporting a high number of false positive detections from Microsoft Defender Antivirus. You need to configure an exclusion for a specific folder path to reduce false positives. Where should you configure the exclusion?

A.In a device compliance policy
B.In Group Policy
C.In the endpoint protection profile for Microsoft Defender Antivirus in Intune
D.In Microsoft Defender Security Center
AnswerC

Exclusions are set within the antivirus settings of the endpoint protection profile; keep them as narrow as possible, because an excluded folder is invisible to real-time scanning.

Why this answer

Option C is correct because exclusions for Microsoft Defender Antivirus are configured in the antivirus settings of the endpoint protection profile (or an endpoint security antivirus policy) in Intune. Option A is wrong because compliance policies evaluate state; they do not configure exclusions. Option D is wrong because Microsoft Defender Security Center is the operations portal for alerts and investigation, not where this setting is authored for Intune-managed devices.

Option B is wrong because the device is Intune managed; Group Policy would need domain membership and can conflict with MDM-delivered settings.

52
Multi-Selecteasy

You are configuring Microsoft Intune for Windows 10 devices. Which two settings can you enforce using a device restrictions profile? (Select TWO.)

Select 2 answers
A.Disable the camera
B.Set default web browser
C.Set battery saver threshold
D.Configure Windows Update for Business settings
E.Require a password for device unlock
AnswersA, E

Device restrictions include hardware disabling.

Why this answer

Options A and E are correct. Device restrictions can disable the camera and require a password to unlock the device. Option C is wrong because the battery saver threshold is a power setting, not a device restriction.

Option D is wrong because Windows Update for Business settings live in update rings. Option B is wrong because the default browser is set through the settings catalog, not device restrictions.

53
Multi-Selectmedium

Which TWO actions can you perform using Microsoft Intune to protect devices from malware?

Select 2 answers
A.Create network segmentation rules
B.Enable email attachment scanning
C.Deploy third-party antivirus software
D.Enforce Windows Defender Antivirus real-time protection
E.Configure Windows Defender Firewall rules
AnswersD, E

Intune can configure antivirus settings.

Why this answer

Options D and E are correct. Intune can enforce Microsoft Defender Antivirus real-time protection and manage Microsoft Defender Firewall rules. Option C is wrong because Intune can deploy a third-party installer as an app but does not manage third-party antivirus settings.

Option B is wrong because email attachment scanning is a mail-service function, not an Intune one. Option A is wrong because Intune does not manage network segmentation.

54
MCQhard

An organization uses Microsoft Defender for Cloud Apps to monitor cloud app usage. The security team wants to automatically apply an Intune app protection policy (APP) when a user accesses a risky app from an unmanaged device. What should the administrator use?

A.Conditional Access App Control with session control
B.Device configuration policy
C.App protection policy assignment to users
D.Device compliance policy
AnswerA

Session control can enforce APP when a risky app is accessed.

Why this answer

Option A is correct: Conditional Access App Control routes the session through Defender for Cloud Apps, where a session policy can act on a risky app accessed from an unmanaged device. Option D is incorrect because compliance policies apply to devices, not app sessions. Option C is incorrect because app protection policies can be targeted to users but are not triggered by app risk.

Option B is incorrect because device configuration profiles do not react to cloud app risk.

55
Multi-Selecthard

Which THREE components are essential for a Microsoft Defender for Endpoint deployment on Windows 10 devices? (Choose three.)

Select 3 answers
A.Cloud-delivered protection enabled
B.Microsoft Defender for Endpoint sensor
C.Microsoft Defender Antivirus
D.Microsoft Intune management agent
E.Microsoft 365 Apps for enterprise
AnswersA, B, C

Cloud protection provides real-time defense.

Why this answer

Options A, B, and C are correct: the Defender for Endpoint sensor, Microsoft Defender Antivirus, and cloud-delivered protection are the core on-device components. Option D (the Intune management agent) is a management tool, not something the sensor needs in order to function. Option E (Microsoft 365 Apps) is unrelated.

56
MCQeasy

You need to configure BitLocker encryption for Windows 10 devices managed by Intune. You create a device configuration profile for endpoint protection. After assigning, devices show 'BitLocker not enabled' in the Intune console. What is the most likely cause?

A.The profile is assigned to a user group instead of a device group.
B.The devices do not have a TPM chip.
C.Secure Boot is not enabled on the devices.
D.The devices are running Windows 10 Home edition.
AnswerB

Intune's silent BitLocker flow needs a TPM; without one, BitLocker can only be turned on interactively with a startup key or password.

Why this answer

Option B is correct because the Intune-driven BitLocker flow requires a TPM. If the device has no TPM, or the TPM is disabled in firmware, encryption is not started and Intune reports 'BitLocker not enabled'. Option A is wrong because an endpoint protection profile applies to the device whether it is assigned to a user or a device group, and the report shows the profile reached the devices.

Option D is wrong because BitLocker is available on Windows 10 Pro and Enterprise, which is what a managed fleet is expected to run. Option C is wrong because BitLocker can encrypt with or without Secure Boot, although Secure Boot is recommended.

57
MCQhard

Refer to the exhibit. You are deploying a custom OMA-URI policy to Windows 10 devices. What is the effect of this policy?

A.Windows Update is configured to defer updates.
B.Device telemetry is set to enhanced.
C.Windows Defender is disabled.
D.Cortana is enabled.
AnswerB

AllowTelemetry value 2 corresponds to enhanced.

Why this answer

Option B is correct. The OMA-URI for AllowTelemetry set to 2 sets diagnostic data to the Enhanced level (0 = Security, 1 = Required/Basic, 3 = Optional/Full). Option D is wrong because the exhibit sets Cortana to 0, which disables it.

Option A is wrong because neither setting relates to Windows Update. Option C is wrong because the policy does not touch Windows Defender.
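A check a practitioner wants after deploying a custom OMA-URI is whether the value actually landed on the device. The script below is an added example, not code from the original page: it maps a device-scoped Policy CSP URI to the registry location where Windows mirrors MDM-delivered policy values and compares what is there with what the exhibit is described as setting. The expected values (AllowTelemetry = 2, AllowCortana = 0) and the assumption that the script runs elevated on the enrolled device are the example's own.

```powershell
# Added example, not code from the original page: confirm that a custom OMA-URI
# policy (here the AllowTelemetry and AllowCortana settings from the Policy CSP)
# actually landed on a Windows device. Policy CSP values delivered over MDM are
# mirrored in the registry under
# HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>\<Setting>.
# Assumptions: run elevated on the enrolled device; the expected values below
# are the ones this page's exhibit is described as setting.

function Convert-OmaUriToPolicyKey {
    param([Parameter(Mandatory)][string]$OmaUri)
    # Only device-scoped Policy CSP URIs are resolved here; user-scoped ones are
    # stored per SID under ...\PolicyManager\current\<SID> and are left out.
    if ($OmaUri -notmatch '^\./Device/Vendor/MSFT/Policy/Config/([^/]+)/([^/]+)$') {
        throw "Not a device-scoped Policy CSP configuration URI: $OmaUri"
    }
    [pscustomobject]@{
        Area    = $Matches[1]
        Setting = $Matches[2]
        KeyPath = "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\$($Matches[1])"
    }
}

function Get-AppliedPolicyValue {
    param([Parameter(Mandatory)][string]$OmaUri)
    $target  = Convert-OmaUriToPolicyKey -OmaUri $OmaUri
    $applied = $null
    if (Test-Path -Path $target.KeyPath) {
        $item = Get-ItemProperty -Path $target.KeyPath -Name $target.Setting -ErrorAction SilentlyContinue
        if ($item) { $applied = $item.($target.Setting) }
    }
    [pscustomobject]@{ OmaUri = $OmaUri; Area = $target.Area; Setting = $target.Setting; Applied = $applied }
}

# Names for the AllowTelemetry levels so the report reads like the admin center.
$telemetryLevels = @{ 0 = 'Security'; 1 = 'Required (Basic)'; 2 = 'Enhanced'; 3 = 'Optional (Full)' }

# Expected values: diagnostic data at Enhanced (2) and Cortana disabled (0).
$expected = [ordered]@{
    './Device/Vendor/MSFT/Policy/Config/System/AllowTelemetry'   = 2
    './Device/Vendor/MSFT/Policy/Config/Experience/AllowCortana' = 0
}

foreach ($uri in $expected.Keys) {
    $r = Get-AppliedPolicyValue -OmaUri $uri
    $state = 'NOT PRESENT'       # policy never reached the device (or no sync yet)
    if ($null -ne $r.Applied) {
        $state = if ([int]$r.Applied -eq $expected[$uri]) { 'OK' } else { 'MISMATCH' }
    }
    $shown = $r.Applied
    if ($r.Setting -eq 'AllowTelemetry' -and $null -ne $r.Applied) {
        $shown = '{0} ({1})' -f $r.Applied, $telemetryLevels[[int]$r.Applied]
    }
    '{0,-11} {1}/{2} = {3} (expected {4})' -f $state, $r.Area, $r.Setting, $shown, $expected[$uri]
}
```

A 'NOT PRESENT' result points at delivery (assignment, sync) rather than at the setting itself; a 'MISMATCH' usually means a later policy or a local Group Policy won the conflict, which is what to look at next.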

58
MCQmedium

Your organization uses Microsoft Intune to manage Windows 10 devices. You need to ensure that devices are compliant with a new security policy that requires Windows Defender Antivirus to be enabled and up-to-date. You create a device compliance policy with the setting 'Require' for Windows Defender Antivirus. After assigning the policy, you see that 90% of devices are compliant. The remaining 10% show 'Not evaluated'. You check the devices and find that they are online, enrolled, and have Windows Defender Antivirus enabled. What is the most likely reason for the 'Not evaluated' status?

A.The devices have not checked in with Intune since the policy was assigned
B.The devices are offline
C.The policy is not assigned to the devices
D.Windows Defender Antivirus is disabled
AnswerA

Compliance status requires a check-in; 'Not evaluated' means no evaluation has occurred yet.

Why this answer

Option A is correct because compliance is evaluated when the device checks in and reports against the assigned policy; until that first check-in after assignment, the policy shows 'Not evaluated'. Option D is incorrect because the devices have Windows Defender Antivirus enabled. Option B is incorrect because the devices are online.

Option C is incorrect because the compliance policy is assigned to the device group.
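The questions about 'Not evaluated' (here and in question 35) and 'Pending' (question 49) all come down to the same diagnostic: what each assigned policy reports for the device, when it last synced, and whether a sync clears it. The script below is an added example, not code from the original page, and uses the Microsoft Graph PowerShell SDK's generic request cmdlet against the v1.0 managedDevices endpoints. The parameter names, the permission scopes listed, and the device name you pass in are the example's assumptions.

```powershell
# Added example, not code from the original page: use the Microsoft Graph
# PowerShell SDK to see, per assigned policy, why a device shows 'Not evaluated'
# or 'Pending', and optionally force the device to sync. Assumptions: the
# Microsoft.Graph.Authentication module is installed; the signed-in admin holds
# DeviceManagementManagedDevices.ReadWrite.All and
# DeviceManagementManagedDevices.PrivilegedOperations.All (syncDevice needs the
# latter); $DeviceName is the Intune device name you are troubleshooting.

param(
    [Parameter(Mandatory)][string]$DeviceName,
    [switch]$Sync
)

$graph  = 'https://graph.microsoft.com/v1.0/deviceManagement/managedDevices'
$scopes = @('DeviceManagementManagedDevices.ReadWrite.All',
            'DeviceManagementManagedDevices.PrivilegedOperations.All')
Connect-MgGraph -Scopes $scopes -NoWelcome

function Get-ManagedDeviceByName {
    param([string]$Name)
    $uri  = "${graph}?`$filter=deviceName eq '$Name'"
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    if (-not $page.value) { throw "No managed device named '$Name'" }
    $page.value[0]
}

function Get-DevicePolicyStates {
    param([string]$DeviceId)
    # Both relationships return one row per assigned policy with its evaluation
    # state; a row that has not moved past 'unknown' is typically what the admin
    # center shows as 'Not evaluated' (compliance) or 'Pending' (configuration).
    $rows = @()
    foreach ($rel in 'deviceCompliancePolicyStates', 'deviceConfigurationStates') {
        $kind   = if ($rel -like 'deviceCompliance*') { 'Compliance' } else { 'Configuration' }
        $result = Invoke-MgGraphRequest -Method GET -Uri "$graph/$DeviceId/$rel"
        foreach ($p in $result.value) {
            $rows += [pscustomobject]@{
                Kind    = $kind
                Policy  = $p.displayName
                State   = $p.state
                Version = $p.version
            }
        }
    }
    $rows
}

$device = Get-ManagedDeviceByName -Name $DeviceName
'{0}: complianceState={1}, lastSyncDateTime={2}' -f $device.deviceName, $device.complianceState, $device.lastSyncDateTime

$states = Get-DevicePolicyStates -DeviceId $device.id
$states | Sort-Object Kind, Policy | Format-Table -AutoSize

# An old lastSyncDateTime next to unknown/pending rows means the device has not
# checked in since the assignment: request a sync rather than recreating policies.
if ($Sync) {
    Invoke-MgGraphRequest -Method POST -Uri "$graph/$($device.id)/syncDevice" | Out-Null
    "Sync requested for $($device.deviceName); re-run in a few minutes to see the re-evaluated states."
}
```

Run it once without -Sync to record the baseline, then with -Sync; if the states do not change after the device has had a few minutes, the problem is on the device (no connectivity to the MDM endpoints, or the management agent not running) rather than in the policy.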

59
MCQeasy

You configure Windows Update for Business policies in Intune. Users report that updates are not installing during configured active hours. You verify that the policy is applied. What is the most likely cause?

A.Update notification level is set to 'Disable all notifications' and 'Automatic Updates behavior' is set to 'Notify download'.
B.Deadline for feature updates is set to 7 days.
C.Quality update deferral period is set to 0 days.
D.Active hours start is set to 8:00 AM and end to 5:00 PM.
AnswerA

'Notify download' means updates are not automatically downloaded; they must be manually initiated, so they won't install automatically during active hours.

Why this answer

Option A is correct. 'Disable all notifications' alone only hides update and restart prompts; installation continues. Combined with 'Automatic Updates behavior' set to 'Notify download', however, updates are never downloaded automatically and wait for a user to start them, so nothing installs. Option B is wrong because a feature update deadline does not affect active hours.

Option D is wrong because active hours of 8:00 AM to 5:00 PM are a valid window and only suppress automatic restarts during that time. Option C is wrong because a 0-day quality update deferral offers updates immediately; it does not prevent installation.

60
MCQhard

You configure a Windows 10 device compliance policy in Intune that requires 'Firewall' to be enabled. The device has Windows Defender Firewall enabled, but the device reports as non-compliant. You verify that the firewall is active. What is the most likely cause?

A.The firewall is configured to allow all inbound connections
B.The device uses a third-party firewall that Intune does not recognize
C.The firewall is enabled only on the Domain profile but not on Public or Private profiles
D.The device has multiple network adapters and the firewall is disabled on one
AnswerC

The compliance check expects the firewall to be on for every network profile.

Why this answer

Option C is correct. The firewall compliance setting evaluates the Domain, Private and Public profiles together, so a profile that is turned off, typically Public or Private on a domain-joined laptop, makes the device non-compliant even though 'the firewall' is on. Option A is not relevant because an inbound allow rule does not change whether the firewall and its profiles are enabled.

Option B is wrong because the scenario states Windows Defender Firewall is in use, not a third-party product. Option D is wrong because firewall profiles are per network category, not per adapter.

61
Multi-Selectmedium

Which THREE of the following are prerequisites for deploying Microsoft Defender for Endpoint on Windows 10 devices via Microsoft Intune? (Select THREE.)

Select 3 answers
A.Devices must be enrolled in Microsoft Intune.
B.The Microsoft Defender for Endpoint client must be separately downloaded from the Microsoft 365 admin center.
C.Devices must have Microsoft 365 Apps for enterprise installed.
D.Users must be assigned a Microsoft Defender for Endpoint license.
E.Devices must run a supported version of Windows 10.
AnswersA, D, E

Intune is the management platform for deployment.

Why this answer

Options A, D, and E are correct. Devices must be enrolled in Intune so the onboarding profile can be delivered, run a supported Windows 10 version, and have a Microsoft Defender for Endpoint license assigned to the user. Option C is wrong because Microsoft 365 Apps for enterprise is not a prerequisite.

Option B is wrong because the Defender for Endpoint sensor is built into Windows 10; Intune delivers an onboarding configuration, not a separately downloaded client.

62
MCQhard

Refer to the exhibit. The JSON shows a compliance policy for Windows 10 devices. Devices that do not meet the policy are marked as non-compliant. Which diagnostic step would you take to identify why a specific device is non-compliant despite having BitLocker enabled?

A.Verify the compliance policy is assigned to the device's group.
B.Check the device's compliance status in Intune for details.
C.Review the device's hardware security features: Secure Boot and Code Integrity.
D.Modify the policy to remove the requireSecureBoot and requireCodeIntegrity settings.
AnswerC

These are additional requirements beyond encryption.

Why this answer

Option C is correct because the policy also requires Secure Boot and code integrity (requireSecureBoot and requireCodeIntegrity), which can be off even when BitLocker is on, so reviewing those hardware security features is the step that finds the cause. Option B is wrong because the status only confirms that the device is non-compliant; identifying the failing requirement still means checking the features the policy names. Option A is wrong because the device is already receiving the policy.

Option D is wrong because removing the settings hides the problem rather than diagnosing it.

63
MCQmedium

You are configuring an app protection policy (MAM) in Intune for iOS and Android devices. The policy should prevent users from copying corporate data to personal apps. Which setting should you configure?

A.Restrict cut, copy, and paste between apps.
B.Allow app to transfer data to other apps.
C.Save copies of org data.
D.Require PIN for access.
AnswerA

The clipboard restriction is what stops copy and paste into personal apps.

Why this answer

Option A is correct because 'Restrict cut, copy, and paste between apps' limits clipboard data to policy-managed apps (or blocks it outright), which is exactly the copy-to-personal-app path. Option B is wrong because 'Allow app to transfer data to other apps' governs sharing and open-in to other apps; you would tighten it too, but it does not cover the clipboard. Option C is wrong because 'Save copies of org data' controls Save As to storage locations, not copying between apps.

Option D is wrong because a PIN controls access to the app, not where its data can go.

64
MCQhard

Your organization uses Microsoft Intune to manage devices. You have a Windows 10 device that is co-managed with Configuration Manager. You need to configure a policy that requires BitLocker encryption. You create a BitLocker policy in Intune and assign it to the device. After 24 hours, BitLocker is not enabled on the device. You verify that the device is online and the policy is assigned. What is the most likely cause?

A.The device is not online.
B.The encryption workload is set to Configuration Manager.
C.The device is not enrolled in Intune.
D.The BitLocker policy is not assigned to the correct group.
AnswerB

Configuration Manager manages encryption, not Intune.

Why this answer

In a co-managed environment, workload control determines which management authority (Configuration Manager or Intune) handles specific policies. If the encryption workload is set to Configuration Manager, Intune's BitLocker policy will be ignored, even if assigned and the device is online. This is the most likely reason the policy did not take effect after 24 hours.

Exam trap

The trap here is that candidates assume Intune policy always applies to enrolled devices, overlooking the co-management workload slider that can block Intune from managing specific workloads like encryption.

How to eliminate wrong answers

Option A is wrong because the device is verified as online, so connectivity is not the issue. Option C is wrong because the device is co-managed, meaning it is enrolled in both Configuration Manager and Intune; the policy assignment confirms enrollment. Option D is wrong because the policy is assigned to the device and verified, so group assignment is not the problem; the issue is workload control overriding Intune's authority.

65
MCQeasy

Your organization uses Microsoft Intune to manage Android Enterprise devices. You need to ensure that corporate data is separated from personal data on the device. Which management approach should you use?

A.Android Enterprise kiosk mode
B.Android Enterprise fully managed
C.Android Enterprise work profile
D.Android device administrator
AnswerC

Work profile separates corporate and personal data.

Why this answer

Option C is correct because an Android Enterprise work profile creates a separate, managed container for corporate apps and data alongside the user's personal space. Option D is wrong because device administrator is the legacy mode and does not separate data. Option B is wrong because fully managed devices have no personal space; the whole device is corporate.

Option A is wrong because kiosk (dedicated device) mode is for single-purpose, shared devices.

66
MCQhard

Refer to the exhibit. You deploy this compliance policy to Windows 10 devices. A device reports as compliant, but you suspect it may have a weak password policy because the password type is 'deviceDefault'. What is the effect of 'deviceDefault' on the password requirement?

A.It requires a password that meets the minimum length but no complexity
B.It uses the password type configured in the device's local policy
C.It does not require a password at all
D.It requires a password that contains at least one number and one letter
AnswerB

'deviceDefault' defers to the device's own settings.

Why this answer

Option B is correct. 'deviceDefault' means Intune imposes no particular password type and accepts whatever the device's own configuration enforces, so the Intune policy may not be tightening the password at all. Option A is wrong because deviceDefault does not itself impose a length-only rule; length comes from the separate minimum length setting. Option C is wrong because deviceDefault does not waive the password requirement, which is governed by the separate 'Require a password' setting.

Option D is wrong because a letters-and-numbers requirement is the 'alphanumeric' type, not deviceDefault.

67
MCQhard

Your organization uses Windows Defender Application Control (WDAC) to allow only approved apps. After deploying a WDAC policy via Intune, some users report that a critical line-of-business app is blocked. How should you troubleshoot?

A.Review CodeIntegrity/Operational logs in Event Viewer
B.Check AppLocker logs in Event Viewer
C.Review Intune device management events for policy errors
D.Check Microsoft 365 Defender portal for WDAC alerts
AnswerA

WDAC blocks are logged in CodeIntegrity/Operational.

Why this answer

Option A is correct: WDAC policies generate block events in Event Viewer under Microsoft-Windows-CodeIntegrity/Operational (event ID 3077 for an enforced block, 3076 for a would-be block in audit mode), which name the file and the policy that rejected it. Option B (AppLocker) is a different technology with its own logs. Option C (Intune device management events) shows whether the policy was delivered, not which file it blocked.

Option D (Microsoft 365 Defender portal) shows alerts but not per-app block details.
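The troubleshooting step above, as an added example that is not part of the original page: the script pulls the CodeIntegrity events for the last few hours, narrows them to the app users are complaining about, and confirms whether the policy on the device is enforced or still in audit mode. One caveat a practitioner should know: WDAC logs executables and DLLs to CodeIntegrity/Operational, but its script and MSI enforcement writes to the AppLocker 'MSI and Script' log, so the script reads both. The parameter names and the placeholder app path are the example's own assumptions.

```powershell
# Added example, not code from the original page: collect the WDAC events that
# explain why a line-of-business app is blocked. Executables and DLLs are logged
# in Microsoft-Windows-CodeIntegrity/Operational (3077 = enforced block, 3076 =
# would-block in audit mode); WDAC's script and MSI enforcement writes to the
# AppLocker 'MSI and Script' log instead (8029 = block, 8028 = audit).
# Assumptions: run elevated on the affected device; $AppPath is a made-up
# placeholder for the blocked app; $Hours limits how far back to look.

param(
    [int]$Hours = 24,
    [string]$AppPath = 'C:\Program Files\Contoso\LobApp\LobApp.exe'
)

function Get-WdacBlockEvents {
    param([datetime]$StartTime)
    $sources = @(
        @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = @(3076, 3077); StartTime = $StartTime },
        @{ LogName = 'Microsoft-Windows-AppLocker/MSI and Script';  Id = @(8028, 8029); StartTime = $StartTime }
    )
    foreach ($filter in $sources) {
        # SilentlyContinue: Get-WinEvent errors when a log has no matching events.
        Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
            $mode = if ($_.Id -in @(3076, 8028)) { 'audit' } else { 'enforced' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Mode    = $mode
                Log     = $filter.LogName
                # The first line of the message names the file and the policy that rejected it.
                Summary = ($_.Message -split "`r?`n")[0]
                Message = $_.Message
            }
        }
    }
}

$events = Get-WdacBlockEvents -StartTime (Get-Date).AddHours(-$Hours)

"WDAC audit/block events in the last $Hours h: $(@($events).Count)"
$events | Sort-Object Time -Descending | Select-Object Time, Id, Mode, Summary | Format-Table -Wrap

# Narrow to the app users complain about. No hit for the .exe usually means the
# block is on a DLL or helper it loads, so also read the full list above.
$events | Where-Object { $_.Message -like "*$AppPath*" } |
    Select-Object Time, Id, Mode, Log, Message | Format-List

# Confirm a policy is actually enforced rather than in audit mode
# (CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit, 2 = enforced).
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
"CodeIntegrityPolicyEnforcementStatus = $($dg.CodeIntegrityPolicyEnforcementStatus)"
```

The 3077 message identifies the signer or hash rule that was missing; that, not the user report, is what goes into the supplemental policy that allows the app.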

68
MCQhard

Your organization uses Microsoft Defender for Endpoint (MDE) and Microsoft Intune. You need to create a device group that dynamically includes all devices with a threat level of 'High' from MDE. You then plan to apply a compliance policy to force those devices to be non-compliant. Which method should you use to create the dynamic group?

A.Create a security group in Microsoft Entra ID and manually add devices with high threat
B.Create a dynamic device group in Microsoft Entra ID using a rule that includes device.securityTags with the tag 'HighThreat'
C.Create a device group in Microsoft Defender for Endpoint and assign it to a compliance policy
D.Create a dynamic device group in Microsoft Intune using a rule based on threat level
AnswerB

Defender for Endpoint can tag devices, and Microsoft Entra ID dynamic groups evaluate device attributes; note that the compliance policy's own 'Require the device to be at or under the machine risk score' setting reaches the non-compliance outcome without a group.

Why this answer

Option B is correct because dynamic device groups in Microsoft Entra ID are built from device attributes, which is where a tag written for high-threat devices can be evaluated. Option C is wrong because Defender for Endpoint device groups scope RBAC and automation inside Defender; compliance policies are not assigned to them. Option D is wrong because Intune has no dynamic groups of its own; it assigns to Entra ID groups.

Option A is wrong because a manually maintained security group is static and would lag behind the threat data.

69
MCQmedium

Your company uses Microsoft Defender for Endpoint (Defender XDR). You need to configure an automated investigation and remediation (AIR) rule that automatically quarantines a file when a specific alert is triggered. Which action should you take?

A.Add an indicator of compromise for the file.
B.Configure a device control policy.
C.Create a new automation rule in the Microsoft 365 Defender portal.
D.Create an attack surface reduction rule.
AnswerC

Automation rules define automated actions based on alerts.

Why this answer

Option C is correct because automation in the Microsoft 365 Defender portal is where conditions on an alert are tied to response actions such as quarantining a file. Option D is wrong because attack surface reduction rules prevent behaviours up front; they do not automate response. Option A is wrong because an indicator blocks or allows a file hash going forward rather than acting on an alert.

Option B is wrong because device control policies restrict hardware such as removable storage.

70
MCQhard

Refer to the exhibit. You deploy this compliance policy to a Windows 11 device running build 10.0.22621.1000. The device has BitLocker enabled, Secure Boot enabled, and code integrity enabled. Is the device compliant?

A.No, the device's OS version exceeds the maximum allowed.
B.No, the device does not have a password set.
C.Yes, the device meets all requirements.
D.Yes, but only if the device is Windows 10 Pro.
AnswerA

The policy restricts max version to 22621.0.

Why this answer

Option A is correct because the device's OS version (22621.1000) is higher than the maximum version (22621.0) specified in the policy, making it non-compliant. Option C is wrong because the device exceeds the maximum version. Option B is wrong because the device is non-compliant due to the OS version, not a missing password.

Option D is wrong because the policy does not require a specific edition.

71
MCQmedium

You need to deploy a line-of-business (LOB) iOS app to users in your organization. The app is signed with an enterprise certificate. How should you distribute the app to managed devices?

A.Upload the app to Intune and provide a signing certificate.
B.Publish the app to the Apple App Store and assign it as a required app.
C.Add the app as an iOS/iPadOS line-of-business app in Microsoft Intune and assign it to users.
D.Use Apple Business Manager to assign the app to devices.
AnswerC

This is the correct method for enterprise-signed LOB apps.

Why this answer

Option C is correct because enterprise-signed LOB apps can be added as an iOS LOB app in Intune and deployed to devices. Option B is wrong because the App Store is for public apps. Option D is wrong because Apple Business Manager is for volume purchasing, not LOB distribution.

Option A is wrong because the app is already signed; a signing certificate is not needed.

72
MCQhard

Your organization uses Microsoft Intune to manage devices. You have a Windows 10 device that is Azure AD joined and enrolled in Intune. The device is compliant, but the user cannot access corporate resources due to a Conditional Access policy requiring a compliant device. The user can access other cloud apps that do not require compliance. You check the Conditional Access policy and find it is configured correctly. What is the most likely issue?

A.The Conditional Access policy is not applied to the user.
B.The device's certificate is expired or missing; re-register the device in Intune.
C.The device is not enrolled in Intune.
D.The user is not in the correct group.
AnswerB

Re-registration refreshes the certificate used for Conditional Access.

Why this answer

Option B is correct because if the device is compliant but Conditional Access still blocks, the device might not have the correct certificate, or the token might be stale. Re-registering the device with Intune refreshes the certificate. Option A is wrong because the policy is correct.

Option C is wrong because the device is compliant. Option D is wrong because the user is probably in the correct group.

73
MCQhard

Your organization uses Microsoft Intune to manage Android Enterprise devices. You need to deploy a managed Google Play app to work profile devices. After deploying, users report that the app is not available in the work profile. What is the most likely cause?

A.The app has not been approved in the managed Google Play store.
B.The app is only available for corporate-owned devices.
C.Android Enterprise enrollment is not enabled in Intune.
D.The device does not have a work profile configured.
AnswerA

Apps must be approved by the admin in the managed Google Play console before they can be deployed.

Why this answer

Option A is correct because the app must be approved in the managed Google Play store. Option D is wrong because if it's a managed Google Play app, the work profile is required. Option B is wrong because device type (corporate vs personal) does not block the app if it is targeted correctly.

Option C is wrong because enablement status affects whether the work profile exists, but if it exists, the app should be available once approved.

74
Multi-Selecthard

Which THREE features are available in Microsoft Intune for managing Windows 10/11 device updates?

Select 3 answers
A.Windows Update for Business
B.Update rings for Windows 10 and later
C.Windows feature update policy
D.Windows Autopatch
E.Windows Server Update Services (WSUS)
AnswersB, C, D

Update rings manage deferral periods.

Why this answer

Options B, C, and D are correct. Intune supports Update rings, Feature update policies, and Windows Autopatch. Option A is wrong because Windows Update for Business is a service, not an Intune feature.

Option E is wrong because WSUS is on-premises, not Intune.

75
MCQhard

Your organization uses Microsoft Intune with co-management and Configuration Manager. Some Windows 10 devices are enrolled in Intune but also managed by Configuration Manager. You need to ensure that the Intune compliance policy is evaluated and enforced on these devices. What should you configure?

A.Configure the Configuration Manager client setting to enable compliance evaluation.
B.Assign the compliance policy to a device group that includes these devices.
C.Change the MDM authority to Intune.
D.Set the Device Compliance workload to Intune in co-management properties.
AnswerD

This ensures Intune evaluates compliance.

Why this answer

In co-management, you can set the workload for Device Compliance to 'Intune' or 'Configuration Manager'. Option D is correct because you need to move the compliance workload to Intune. Option C is incorrect because changing the MDM authority is not recommended.

Option A is incorrect because the client setting does not control the workload. Option B is incorrect because the compliance policy is already created; the issue is which management point evaluates it.
