Question 930 of 991
Manage and maintain deviceseasyMultiple ChoiceObjective-mapped

Quick Answer

The answer is to create a device configuration profile and assign it to a device group that includes all devices. This is the most efficient method because Intune’s device configuration profiles natively contain the Microsoft Defender Antivirus settings for real-time protection and Controlled Folder Access, and assigning the profile to a dynamic device group ensures that both existing and future Windows 10 devices automatically receive the configuration without manual intervention or scripting. On the MD-102 exam, this scenario tests your understanding of scalable deployment versus user-based targeting—a common trap is choosing a user group or a PowerShell script, which lacks the automatic enrollment for new devices. Remember the key distinction: device groups apply settings to machines regardless of who logs in, making them ideal for security baselines. Memory tip: “Profile to a group of devices, not users—future-proof your defenses.”

MD-102 Manage and maintain devices Practice Question

This MD-102 practice question tests your understanding of manage and maintain devices. This is a configuration task: choose the command set that satisfies every stated requirement. Small differences — like 'secret' vs 'password' or 'transport input ssh' vs 'all' — change whether the answer is correct. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

You are a Microsoft 365 Endpoint Administrator for a medium-sized company that uses Microsoft Intune to manage its Windows 10 devices. The company recently experienced a ransomware attack that encrypted local files on several devices. To mitigate future attacks, management wants to ensure that all devices have real-time protection enabled in Microsoft Defender Antivirus and that Controlled Folder Access is turned on. You need to configure these settings via Intune. You decide to create a device configuration profile for Windows 10. What is the most efficient way to deploy these settings to all existing and future devices?

Question 1easymultiple choice
Full question →

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

Create a device configuration profile and assign it to a device group that includes all devices.

Option A is correct because a device configuration profile in Intune can include Microsoft Defender Antivirus settings (such as real-time protection and Controlled Folder Access) and is assigned to a device group. This ensures that both existing and future devices that join the group automatically receive the settings, providing a scalable and efficient deployment method without requiring user interaction or additional scripts.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Create a device configuration profile and assign it to a device group that includes all devices.

    Why this is correct

    Assigning to a device group ensures all devices receive the settings regardless of user.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Use PowerShell scripts deployed via Intune to enable the settings on each device.

    Why it's wrong here

    Scripts are less efficient and harder to manage than configuration profiles.

  • Create a device configuration profile and assign it to a user group that includes all users.

    Why it's wrong here

    User group assignment may not cover devices not associated with users, e.g., shared devices.

  • Create a compliance policy that requires these settings and assign it to all devices.

    Why it's wrong here

    Compliance policies only mark devices as compliant/non-compliant; they do not enforce the settings.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates often confuse compliance policies with configuration profiles, thinking that compliance policies can enforce settings, when in reality they only evaluate and report on settings, requiring a separate configuration profile to actually apply the desired state.

Detailed technical explanation

How to think about this question

Device configuration profiles in Intune use the Windows 10/11 Settings Catalog or Administrative Templates to push CSP (Configuration Service Provider) policies, such as the Defender CSP (./Device/Vendor/MSFT/Defender) for real-time protection and the WindowsDefenderApplicationGuard CSP for Controlled Folder Access. When assigned to a device group, the policy is evaluated during the Intune management agent sync cycle (typically every 8 hours) and applies to all devices in the group, including newly enrolled devices that meet the group membership criteria. This approach leverages group-based targeting and avoids the overhead of per-user or per-script management.

KKey Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A company's IT admin needs to give a contractor read-only access to production logs without sharing account credentials. Using role-based access control (RBAC) and temporary scoped permissions — not a permanent shared password — is the correct pattern. Questions like this test whether you can apply least-privilege access across cloud identity services.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Related practice questions

Related MD-102 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free MD-102 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this MD-102 question test?

Manage and maintain devices — This question tests Manage and maintain devices — Read the scenario before looking for a memorised answer..

What is the correct answer to this question?

The correct answer is: Create a device configuration profile and assign it to a device group that includes all devices. — Option A is correct because a device configuration profile in Intune can include Microsoft Defender Antivirus settings (such as real-time protection and Controlled Folder Access) and is assigned to a device group. This ensures that both existing and future devices that join the group automatically receive the settings, providing a scalable and efficient deployment method without requiring user interaction or additional scripts.

What should I do if I get this MD-102 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Last reviewed: Jun 24, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This MD-102 practice question is part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the MD-102 exam.