Visit here for our full Microsoft MD-102 exam dumps and practice test questions.
Question 61:
Your organization uses Microsoft Intune to manage devices. You need to configure a policy that prevents users from using USB storage devices on Windows 11 devices but allows USB keyboards and mice. What should you create?
A) Device configuration profile with device control settings restricting removable storage while allowing HID devices
B) Endpoint security policy blocking all USB devices
C) Compliance policy requiring USB storage to be disabled
D) BitLocker policy encrypting removable drives
Answer: A
Explanation:
USB device control is an important data loss prevention measure that prevents users from copying corporate data to unauthorized removable storage while maintaining usability by allowing legitimate peripheral devices like input devices and printers. Understanding how to configure granular USB device policies that distinguish between storage devices and other USB device classes requires knowledge of device configuration profiles and device class identification.
Device configuration profiles in Intune for Windows provide settings for controlling which types of devices can connect and operate on managed computers. These controls leverage Windows device installation policies that can allow or block devices based on device class identifiers, hardware IDs, or other attributes. Device classes are standardized categories defined by Microsoft that group devices by function, such as Human Interface Devices (keyboards, mice), storage devices (USB drives, external hard drives), imaging devices (cameras, scanners), and others.
The device control or device installation section of device configuration profiles allows administrators to create policies that permit or deny installation and use of devices based on these device classes. For the scenario described, you would configure a policy that blocks the storage device class while explicitly allowing or not restricting the HID (Human Interface Device) class and potentially other necessary device classes like printers.
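The class-based mechanism described above can be audited on an enrolled device. The PowerShell below is an added example, not code from the exam page or from Microsoft: it reads the Device Installation Restrictions class lists from the policy registry location that the Group Policy and DeviceInstallation CSP settings write to (assumed here to be HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions) and reports which attached devices fall in a denied setup class; the policy and device list in the sample are constructed, and the GUIDs are Microsoft's standard setup-class GUIDs.

```powershell
# Added example, not from the exam page or Microsoft: audit Device Installation
# Restrictions by setup class on a Windows device. The registry location is
# assumed to be where the policy engine stores these lists.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

# Microsoft-defined setup classes relevant to "block USB storage, keep input devices".
$KnownClasses = @{
    '{4d36e967-e325-11ce-bfc1-08002be10318}' = 'DiskDrive (USB drives, external disks)'
    '{eec5ad98-8080-425f-922a-dabf3de3f69a}' = 'WPD (phones and cameras exposed as storage)'
    '{745a17a0-74d3-11d0-b6fe-00a0c90f57da}' = 'HIDClass (keyboards, mice, other HID)'
    '{4d36e96b-e325-11ce-bfc1-08002be10318}' = 'Keyboard'
    '{4d36e96f-e325-11ce-bfc1-08002be10318}' = 'Mouse'
}

# The policy stores each list as numbered string values ("1", "2", ...) under
# the DenyDeviceClasses and AllowDeviceClasses subkeys. Missing subkey = empty list.
function Get-DeviceClassPolicy {
    param([string]$Key = $PolicyKey)
    $readList = {
        param($SubKey)
        $path = Join-Path -Path $Key -ChildPath $SubKey
        if (Test-Path -Path $path) {
            (Get-ItemProperty -Path $path).PSObject.Properties |
                Where-Object { $_.Name -match '^\d+$' } |
                ForEach-Object { ([string]$_.Value).ToLowerInvariant() }
        }
    }
    [pscustomobject]@{
        Deny  = @(& $readList 'DenyDeviceClasses')
        Allow = @(& $readList 'AllowDeviceClasses')
    }
}

# Tag each device with its setup class and whether that class is on either list.
# This reports list membership only; Windows' own precedence rules resolve any
# overlap between allow and deny entries.
function Test-DeviceClassPolicy {
    param(
        [string[]]$DenyClasses = @(),
        [string[]]$AllowClasses = @(),
        [object[]]$Devices = (Get-PnpDevice -PresentOnly)   # needs FriendlyName, Class, ClassGuid
    )
    foreach ($dev in $Devices) {
        $guid = ([string]$dev.ClassGuid).ToLowerInvariant()
        if (-not $guid) { continue }
        $className = if ($KnownClasses.ContainsKey($guid)) { $KnownClasses[$guid] } else { [string]$dev.Class }
        [pscustomobject]@{
            FriendlyName = $dev.FriendlyName
            ClassName    = $className
            ClassGuid    = $guid
            Denied       = [bool]($DenyClasses -contains $guid)
            Allowed      = [bool]($AllowClasses -contains $guid)
        }
    }
}

# Constructed sample: the policy from the question (deny disk and WPD classes,
# allow HID) applied to three constructed devices. Only the flash drive is Denied;
# the keyboard is on neither list and is simply left alone.
$samplePolicy = [pscustomobject]@{
    Deny  = @('{4d36e967-e325-11ce-bfc1-08002be10318}', '{eec5ad98-8080-425f-922a-dabf3de3f69a}')
    Allow = @('{745a17a0-74d3-11d0-b6fe-00a0c90f57da}')
}
$sampleDevices = @(
    [pscustomobject]@{ FriendlyName = 'USB Flash Drive';     Class = 'DiskDrive'; ClassGuid = '{4D36E967-E325-11CE-BFC1-08002BE10318}' }
    [pscustomobject]@{ FriendlyName = 'USB Keyboard';        Class = 'Keyboard';  ClassGuid = '{4D36E96B-E325-11CE-BFC1-08002BE10318}' }
    [pscustomobject]@{ FriendlyName = 'HID-compliant mouse'; Class = 'HIDClass';  ClassGuid = '{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}' }
)
Test-DeviceClassPolicy -DenyClasses $samplePolicy.Deny -AllowClasses $samplePolicy.Allow -Devices $sampleDevices |
    Format-Table -AutoSize

# On a managed device, compare the live policy with the attached hardware:
#   $live = Get-DeviceClassPolicy
#   Test-DeviceClassPolicy -DenyClasses $live.Deny -AllowClasses $live.Allow
```

A class that appears on neither list is not blocked by these two settings alone; only the separate "prevent installation of devices not described by other policy settings" control would affect it.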
Question 62:
You are configuring app protection policies for Android devices. You need to ensure that when users copy data from managed apps, the data is encrypted when pasted into other managed apps. What should you configure?
A) Data transfer settings: Encrypt org data – On
B) Data encryption: Required for all data transfers
C) Access requirements: Encrypt data in transit
D) Conditional launch: Require encryption for copy-paste operations
Answer: A
Explanation:
App protection policies provide multiple layers of data protection for corporate data within managed applications, including encryption of data during various operations. Understanding how data encryption works within the app protection framework, particularly for clipboard operations between applications, ensures corporate data remains protected even during legitimate business workflows that require copying information between applications.
The clipboard presents a particular data protection challenge on mobile devices because copied content is accessible system-wide by default, potentially allowing unmanaged applications to access corporate data that users copy from managed applications. App protection policies address this through several mechanisms including restricting which applications can receive copied data (through “Send org data to other apps” settings) and encrypting clipboard content when it contains corporate data.
The “Encrypt org data” setting within app protection policies controls whether corporate data is encrypted when stored in the clipboard during copy operations. When this setting is enabled, applications protected by the policy encrypt data before placing it on the clipboard. If users paste this encrypted clipboard content into another managed application that is also protected by app protection policies with the same organizational identity, the receiving application automatically decrypts the content and displays it normally.
Question 63:
You manage macOS devices using Microsoft Intune. You need to deploy a custom script that runs at login to configure application preferences for all users on shared devices. What should you use?
A) Shell script configured to run at every login in the user context
B) Device configuration profile with login items
C) Shell script configured to run once in the device context
D) Custom configuration profile with LaunchAgent plist
Answer: A
Explanation:
macOS management through Intune supports deploying and executing shell scripts on managed devices, providing flexibility for configuration tasks that aren’t available through standard device configuration profiles. Understanding how to properly configure script execution context, frequency, and timing ensures scripts achieve their intended purpose while minimizing performance impact and maintenance overhead.
Shell script deployment in Intune for macOS allows administrators to upload script files that will be executed on target devices according to specified parameters. These scripts can perform various management tasks including configuring system settings, installing software, modifying application preferences, collecting inventory data, or remediating configuration drift. Scripts provide escape hatches for managing aspects of macOS that don’t have dedicated configuration profile settings in Intune.
When configuring a shell script in Intune, several key parameters determine how and when the script executes. The execution context specifies whether the script runs as the logged-in user or as root (system), which affects what resources and settings the script can access. User context scripts have permissions equivalent to the current user, while system context scripts have elevated privileges to modify system-level settings. The script frequency determines whether the script runs once per device or every time a user logs in. The retry settings control whether Intune retries script execution if initial attempts fail.
Question 64:
Your organization uses Microsoft Intune and Conditional Access. You need to configure a policy that requires users to change their passwords every 90 days before they can access Office 365 applications. What should you configure?
A) Conditional Access policy with password age session control for Office 365 cloud apps
B) Compliance policy with password expiration requirement
C) Azure AD password policy with 90-day expiration for all users
D) Device configuration profile with password expiration settings
Answer: C
Explanation:
Password expiration policies and access control requirements involve understanding the distinction between Azure AD password policies that govern identity credentials, device compliance policies that check device security configurations, and Conditional Access policies that control access to resources. While Conditional Access provides powerful access control capabilities, password expiration is fundamentally an identity policy managed through Azure AD rather than an access control condition.
Azure AD password policies control characteristics of user passwords including minimum length, complexity requirements, password history, and password expiration. These policies apply to cloud user identities and determine when users must change their passwords. For organizations using Azure AD as their identity provider for Office 365 and other cloud services, Azure AD password policies are the primary mechanism for enforcing password aging requirements.
Password expiration requirements specify how long passwords remain valid before users must create new passwords. The traditional security model encouraged regular password changes under the theory that limiting password lifespan reduced the window of exposure if passwords were compromised. However, modern security guidance from organizations like NIST (National Institute of Standards and Technology) and Microsoft has shifted away from mandatory periodic password changes for most scenarios, recognizing that forced password changes often lead to weak password patterns and user frustration without significantly improving security.
Question 65:
You are deploying Windows 11 devices using Windows Autopilot. During testing, you notice that some applications fail to install during the Enrollment Status Page. You need to identify which applications failed and why. Where should you check for detailed error information?
A) Intune Management Extension log on the device at C:\ProgramData\Microsoft\IntuneManagementExtension\Logs
B) Event Viewer under Windows Logs > Application
C) Enrollment Status Page error details in the Intune portal
D) Windows Setup diagnostic logs
Answer: A
Explanation:
Troubleshooting Windows Autopilot application deployment failures requires understanding where detailed diagnostic information is logged and how to interpret those logs to identify root causes. The Intune Management Extension is the Windows service responsible for processing and executing Win32 app deployments, PowerShell scripts, and proactive remediations on Windows devices, making its logs the primary source of detailed application deployment diagnostics.
The Intune Management Extension (IME) is automatically installed on Windows devices during Intune enrollment when policies requiring it are assigned, such as Win32 app deployments or PowerShell scripts. Once installed, the IME service runs continuously in the background, checking for new policies, downloading application content, executing installation commands, evaluating detection rules, and reporting results back to Intune. All of these activities are logged in detailed text log files stored locally on devices.
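An added example (not from the exam page or from Microsoft) of reading those logs: IME writes CMTrace-format lines, and the functions below parse them and keep the entries that indicate an install failure. The log folder path is the one from the question; the sample lines, app id and exit code are constructed.

```powershell
# Added example, not from the exam page or Microsoft: surface install failures
# from the Intune Management Extension logs. Sample lines are constructed.
$ImeLogPath = 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs'

# IME writes CMTrace-format lines, one entry per line:
# <![LOG[message]LOG]!><time="HH:mm:ss.fff+zzz" date="MM-dd-yyyy" component="..." context="" type="1" thread="n" file="">
# type 1 = info, 2 = warning, 3 = error. Entries that wrap across lines are not handled here.
$CmTracePattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+component="(?<comp>[^"]*)"[^>]*\stype="(?<type>\d)"'
$SeverityNames = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }

function ConvertFrom-CmTraceLine {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Line)
    if (-not ($Line -match $CmTracePattern)) { return }
    $severity = $SeverityNames[$Matches['type']]
    if (-not $severity) { $severity = 'Unknown' }
    [pscustomobject]@{
        Timestamp = '{0} {1}' -f $Matches['date'], $Matches['time']
        Component = $Matches['comp']
        Severity  = $severity
        Message   = $Matches['msg']
    }
}

# Keep entries logged at error level or whose text signals an install problem;
# a failed install is not guaranteed to be logged at error level, so check both.
function Get-ImeAppFailure {
    param([AllowEmptyCollection()][string[]]$Lines = @())
    $failureWords = 'fail|error|exception|exit(ed with)? code'
    foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $entry = ConvertFrom-CmTraceLine -Line $line
        if (-not $entry) { continue }
        if ($entry.Severity -eq 'Error' -or $entry.Message -match $failureWords) { $entry }
    }
}

# Run the filter over every .log file in the IME log folder on a device.
function Get-ImeAppFailureFromDisk {
    param([string]$Path = $ImeLogPath)
    foreach ($file in Get-ChildItem -Path $Path -Filter '*.log' -ErrorAction Stop) {
        Get-ImeAppFailure -Lines @(Get-Content -Path $file.FullName) |
            Add-Member -NotePropertyName LogFile -NotePropertyValue $file.Name -PassThru
    }
}

# Constructed sample lines: the app id is a placeholder GUID and the exit code
# is illustrative. Only the second and third entries should be reported.
$sampleLines = @(
    '<![LOG[[Win32App] Starting install of app 00000000-0000-0000-0000-000000000001]LOG]!><time="09:12:01.100+000" date="01-15-2024" component="IntuneManagementExtension" context="" type="1" thread="7" file="">'
    '<![LOG[[Win32App] Installer exited with code 1603]LOG]!><time="09:12:44.330+000" date="01-15-2024" component="IntuneManagementExtension" context="" type="1" thread="7" file="">'
    '<![LOG[[Win32App] Detection rule not met after install, app 00000000-0000-0000-0000-000000000001 failed]LOG]!><time="09:12:45.001+000" date="01-15-2024" component="IntuneManagementExtension" context="" type="3" thread="7" file="">'
)
Get-ImeAppFailure -Lines $sampleLines | Format-Table -Property Timestamp, Severity, Message -AutoSize
```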
Question 66:
Your organization uses Microsoft Intune to manage iOS devices. You need to configure a policy that requires users to unlock their devices with Face ID or Touch ID before accessing corporate email in the Outlook app. What should you create?
A) App protection policy with biometric authentication requirement for Outlook
B) Device compliance policy requiring biometric authentication
C) App configuration policy enabling biometric authentication in Outlook
D) Device restrictions profile requiring biometric unlock
Answer: A
Explanation:
Application-level security controls through app protection policies provide granular protection for corporate data within specific applications, allowing organizations to enforce security requirements like biometric authentication for accessing sensitive apps without requiring device-level controls that might interfere with personal device usage in BYOD scenarios. Understanding how app protection policies enforce authentication requirements specifically for managed applications is essential for implementing proportional security.
App protection policies include access requirements that control the conditions users must meet before accessing protected applications. These requirements can include PIN requirements, biometric authentication, corporate credentials, minimum OS version, jailbreak/root detection checks, and maximum offline time before reauthentication. These controls apply specifically to accessing protected applications rather than unlocking the device itself, creating an additional security layer beyond device-level authentication.
The biometric authentication requirement in app protection policies leverages the iOS biometric authentication capabilities including Face ID (facial recognition) and Touch ID (fingerprint recognition). When this requirement is enabled in a policy protecting the Outlook app, users must successfully authenticate with biometrics before Outlook displays corporate email data, even if they’ve already unlocked their device with a passcode or biometrics.
Question 67:
You manage Android Enterprise fully managed devices using Microsoft Intune. You need to configure devices to prevent users from factory resetting them through the Settings app. What should you configure?
A) Device restrictions profile with factory reset blocking enabled
B) Compliance policy requiring factory reset protection
C) Password policy with factory reset PIN requirement
D) Dedicated device configuration with factory reset disabled
Answer: A
Explanation:
Android Enterprise fully managed devices provide extensive management control over device functionality and features, including the ability to prevent users from performing certain administrative actions like factory resets that could remove organizational management and data. Understanding how to configure appropriate restrictions through device restrictions profiles ensures devices remain under management throughout their lifecycle.
Factory reset is an Android feature that returns devices to out-of-box state by erasing all data, removing all applications, and clearing all settings. On consumer devices, factory reset is a useful troubleshooting and device preparation tool. However, on corporate-owned fully managed devices, allowing users to factory reset devices presents several risks: users could remove organizational management and data, potentially sensitive corporate information could be lost before proper decommissioning, devices could be stolen and reset to remove tracking capabilities, and users could circumvent management policies by resetting and failing to re-enroll.
Device restrictions profiles for Android Enterprise include settings that control which device features and capabilities are available to users. Within these restrictions, you’ll find options related to factory reset under various categories depending on the Intune interface version, typically in sections like “General” or “Device settings.” The factory reset blocking setting prevents users from accessing the factory reset option in the Settings app.
Question 68:
Your organization uses Windows Autopilot for device deployment. You need to configure pre-provisioning (white glove) to allow IT staff to prepare devices before shipping them to users. What must be configured in the Autopilot deployment profile?
A) Deployment mode set to Self-Deploying and Enable pre-provisioning option selected
B) Deployment mode set to User-driven and Allow pre-provisioned deployment option enabled
C) Hybrid Azure AD join with pre-provisioning enabled
D) Device naming template with pre-provisioning flag
Answer: B
Explanation:
Windows Autopilot pre-provisioning, also known as white glove deployment, allows organizations to have IT staff or partners partially complete device setup before devices reach end users. This approach combines the benefits of automated Autopilot deployment with the ability to pre-install applications and configurations, ensuring devices are fully ready when users receive them. Understanding how to properly configure Autopilot profiles for pre-provisioning requires knowledge of deployment mode requirements and profile settings.
Pre-provisioning extends the standard Autopilot user-driven deployment mode by adding a technician phase that occurs before the user phase. During the technician phase, IT staff boot the device, initiate pre-provisioning through a special keyboard shortcut (Windows key + Ctrl + Shift + F3 or through the white glove option in OOBE), authenticate with administrative credentials, and allow the device to complete device setup phase activities including Azure AD join, policy application, and required application installation. After the technician phase completes, devices can be sealed and shipped to users.
When users receive pre-provisioned devices and power them on, they proceed directly to the user phase of OOBE where they authenticate with their own credentials. Because the device setup phase already completed during pre-provisioning, users skip directly to account setup with policies and applications already in place. This dramatically reduces the time users spend in ESP (Enrollment Status Page) and provides an immediately productive device experience.
Question 69:
You manage iOS devices using Microsoft Intune. You need to prevent users from using Siri while devices are locked. What should you configure?
A) Device restrictions profile with “Block Siri while device is locked” setting enabled
B) App configuration policy for Siri with lock screen restrictions
C) Compliance policy requiring Siri to be disabled on lock screen
D) Device features profile with Siri lock screen settings
Answer: A
Explanation:
iOS device restrictions in Intune provide granular control over built-in iOS features and capabilities, allowing organizations to balance functionality with security by enabling features that enhance productivity while disabling features that present privacy or security risks. Understanding how to configure appropriate restrictions for voice assistants like Siri helps prevent information leakage through lock screen interactions.
Siri is Apple’s intelligent voice assistant that can perform various tasks including reading notifications, sending messages, accessing calendars, making phone calls, providing information, and controlling device features. While Siri provides significant convenience, allowing Siri access from the lock screen presents security concerns because anyone with physical access to a locked device could potentially use Siri to access information or perform actions without authenticating.
For example, without restrictions, someone who finds or steals a locked device could ask Siri to read recent messages, view calendar appointments, retrieve contact information, or even send messages on behalf of the device owner. These actions can occur without entering the device passcode or using biometric authentication, representing a significant information security risk for devices containing sensitive corporate data or communications.
A is correct because device restrictions profiles include specific settings to block Siri functionality while devices are locked, preventing lock screen information access. B is incorrect because app configuration policies configure application behavior and settings, but Siri is a built-in iOS system feature, not a configurable app, and its restrictions are managed through device restrictions rather than app configuration. C is incorrect because compliance policies check and report device state but don’t actively prevent or restrict features like lock screen Siri access—they evaluate compliance rather than configure restrictions. D is incorrect because device features profiles deploy features like web clips, fonts, and AirPrint configurations but don’t provide security restrictions for built-in functionality like Siri—device restrictions profiles are the appropriate location for such controls.
Question 70:
Your organization uses Microsoft Intune to manage devices. You need to create a report showing all devices that have not checked in with Intune in the last 30 days. What should you use?
A) Device compliance report filtered by last check-in date
B) All devices report with custom date filter for last contact
C) Enrollment report with inactive device filter
D) Audit logs filtered for device check-in activities
Answer: B
Explanation:
Microsoft Intune provides comprehensive reporting capabilities that help administrators monitor device inventory, compliance status, policy deployment, and device health. Understanding which reports provide specific types of information and how to filter and customize those reports is essential for effective device management and identifying devices that may require attention due to inactivity.
Device check-in is the process where managed devices periodically contact the Intune service to check for new policies, report their current status, receive new configurations or applications, and maintain their management relationship. Devices typically check in every 8 hours by default, though the exact frequency can vary based on device type and platform. When devices stop checking in, it may indicate they are powered off for extended periods, have connectivity issues, have been wiped or factory reset, were lost or stolen, or have been decommissioned without proper retirement from Intune.
The “All devices” report in Intune provides a comprehensive inventory of all enrolled devices with detailed information about each device including device name, user, operating system, compliance status, enrollment date, manufacturer, model, serial number, and critically, the last check-in date (sometimes labeled as “Last contact” or “Last sync”). This report serves as the primary source for device inventory information and can be filtered and exported for analysis.
To identify devices that haven't checked in recently, you would open the All devices report from the Devices section of the Intune admin center. The report interface lets you add custom filters on any of the displayed columns. Adding a filter on the last check-in date column lets you specify a date range, such as devices whose last check-in is more than 30 days ago. The filtered results show only devices meeting these criteria, giving you a list of potentially inactive devices that need investigation.
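As an added example (not the exam page's or Microsoft's code) of producing the same list from PowerShell rather than the portal: the filter below works on any device objects carrying DeviceName, OperatingSystem and LastSyncDateTime, and the wrapper feeds it the live inventory through the Microsoft Graph PowerShell SDK; the sample devices and the fixed "now" are constructed.

```powershell
# Added example, not from the exam page or Microsoft: list devices whose last
# Intune check-in is older than a threshold. Sample data is constructed.

# Core filter: works on any objects that carry DeviceName, OperatingSystem and
# LastSyncDateTime (the property names Graph returns for managed devices).
function Get-StaleIntuneDevice {
    param(
        [Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Devices,
        [int]$Days = 30,
        [datetime]$Now = [datetime]::UtcNow
    )
    $cutoff = $Now.AddDays(-$Days)
    foreach ($d in $Devices) {
        $last = $d.LastSyncDateTime
        # A device with no recorded sync has never checked in; treat it as stale.
        if ($null -ne $last -and [datetime]$last -ge $cutoff) { continue }
        $age = if ($null -eq $last) { $null } else { [int][math]::Floor(($Now - [datetime]$last).TotalDays) }
        [pscustomobject]@{
            DeviceName       = $d.DeviceName
            OperatingSystem  = $d.OperatingSystem
            LastSyncDateTime = $last
            DaysSinceSync    = $age
        }
    }
}

# Pull the live inventory with the Microsoft Graph PowerShell SDK. Requires the
# Microsoft.Graph.DeviceManagement module and a prior
#   Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All'
function Get-StaleIntuneDeviceFromGraph {
    param([int]$Days = 30)
    $all = Get-MgDeviceManagementManagedDevice -All -Property @('id', 'deviceName', 'operatingSystem', 'lastSyncDateTime')
    Get-StaleIntuneDevice -Devices @($all) -Days $Days
}

# Constructed sample: three devices evaluated against a fixed "now" so the
# result is reproducible. LAPTOP-02 (45 days) and IPHONE-07 (never synced) are stale.
$now = [datetime]::new(2024, 3, 1, 0, 0, 0, [DateTimeKind]::Utc)
$sampleDevices = @(
    [pscustomobject]@{ DeviceName = 'LAPTOP-01'; OperatingSystem = 'Windows'; LastSyncDateTime = $now.AddDays(-2) }
    [pscustomobject]@{ DeviceName = 'LAPTOP-02'; OperatingSystem = 'Windows'; LastSyncDateTime = $now.AddDays(-45) }
    [pscustomobject]@{ DeviceName = 'IPHONE-07'; OperatingSystem = 'iOS';     LastSyncDateTime = $null }
)
Get-StaleIntuneDevice -Devices $sampleDevices -Days 30 -Now $now | Format-Table -AutoSize
```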
Question 71:
You are configuring Microsoft Intune to manage Windows 11 devices. You need to deploy a certificate to devices for Wi-Fi authentication using your organization’s internal Certificate Authority. What should you create first?
A) Trusted certificate profile with root CA certificate
B) SCEP certificate profile with CA server URL
C) Wi-Fi profile with certificate authentication
D) PKCS certificate profile with client certificate template
Answer: A
Explanation:
Certificate-based authentication in enterprise environments requires establishing a chain of trust where devices can validate certificates presented during authentication exchanges. Before deploying client authentication certificates or configuring services that rely on certificates, devices must trust the root Certificate Authority that issued those certificates. Understanding the proper sequence for certificate deployment ensures authentication mechanisms function correctly and securely.
Public Key Infrastructure operates on a hierarchical trust model where root Certificate Authorities sit at the top of the trust chain, intermediate CAs operate in the middle, and end-entity certificates like client authentication certificates or server certificates exist at the bottom. For a device to trust any certificate in this chain, it must have the root CA certificate installed in its trusted certificate store. Without the root CA certificate, devices cannot validate the certificate chain and will reject certificates as untrusted, causing authentication failures.
A is correct because deploying the trusted root CA certificate profile first establishes the trust foundation necessary for all subsequent certificate operations including client certificate deployment and Wi-Fi authentication. B is incorrect because SCEP certificate profiles deploy client certificates but require root CA certificates to be already trusted for proper certificate chain validation. C is incorrect because Wi-Fi profiles that use certificate authentication require both root CA certificates and client certificates to be deployed before Wi-Fi authentication can succeed. D is incorrect because PKCS certificate profiles deploy client certificates but like SCEP profiles, they depend on root CA trust being established first.
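The failure mode above (no trusted root, so the chain cannot be validated) can be checked directly on a device. The PowerShell below is an added example, not the exam page's or Microsoft's code, and assumes PowerShell 7 on Windows: it builds the chain for a certificate with .NET's X509Chain and confirms that the chain's top certificate sits in the machine's Trusted Root store; the self-signed certificate at the end is constructed in memory purely to show the untrusted-root result.

```powershell
# Added example, not from the exam page or Microsoft: check that a certificate
# on a Windows device chains to a root in the machine's Trusted Root store.
# Assumes PowerShell 7 for the .NET CertificateRequest API used to build the sample.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

function Test-ChainTrust {
    param(
        [Parameter(Mandatory)][X509Certificate2]$Certificate,
        [switch]$SkipRevocation   # for offline checks: do not fetch CRL/OCSP
    )
    $chain = [X509Chain]::new()
    $mode = if ($SkipRevocation) { [X509RevocationMode]::NoCheck } else { [X509RevocationMode]::Online }
    $chain.ChainPolicy.RevocationMode = $mode
    try {
        $built = $chain.Build($Certificate)
        # The last element is the highest certificate the chain engine could reach;
        # it is only a trust anchor if it sits in Cert:\LocalMachine\Root.
        $top = if ($chain.ChainElements.Count -gt 0) { $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate } else { $Certificate }
        $rootTrusted = [bool](Test-Path -Path "Cert:\LocalMachine\Root\$($top.Thumbprint)" -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            Subject            = $Certificate.Subject
            Issuer             = $Certificate.Issuer
            ChainBuilt         = $built
            ChainTop           = $top.Subject
            RootInMachineStore = $rootTrusted
            Problems           = (@($chain.ChainStatus | ForEach-Object { [string]$_.Status }) -join ', ')
        }
    }
    finally {
        $chain.Dispose()
    }
}

# On a managed device, check the client-authentication certificates that a SCEP
# or PKCS profile delivered to the machine store:
#   Get-ChildItem -Path Cert:\LocalMachine\My |
#       Where-Object { $_.EnhancedKeyUsageList.FriendlyName -contains 'Client Authentication' } |
#       ForEach-Object { Test-ChainTrust -Certificate $_ -SkipRevocation }

# Constructed, in-memory self-signed certificate: nothing trusts its issuer, so
# ChainBuilt is False, RootInMachineStore is False and Problems contains
# UntrustedRoot, the state a device is in before the Trusted certificate profile applies.
$rsa = [RSA]::Create(2048)
$request = [CertificateRequest]::new('CN=constructed-test-client', $rsa, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$testCert = $request.CreateSelfSigned([datetimeoffset]::UtcNow.AddMinutes(-5), [datetimeoffset]::UtcNow.AddDays(1))
Test-ChainTrust -Certificate $testCert -SkipRevocation | Format-List
$rsa.Dispose()
```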
Question 72:
You manage Android Enterprise devices using Microsoft Intune. You need to ensure that users cannot disable location services on their devices. What enrollment type supports enforcing this requirement?
A) Android Enterprise fully managed
B) Android Enterprise work profile
C) Android Enterprise corporate-owned work profile (COPE)
D) Android device administrator
Answer: A
Explanation:
Android Enterprise enrollment types provide different levels of management control based on device ownership models and the balance between corporate control and user privacy. Understanding the capabilities and limitations of each enrollment type is essential for selecting the appropriate management approach that can enforce required security policies while respecting device ownership boundaries.
Android Enterprise work profile enrollment creates a separate managed container on personally owned devices where corporate applications and data exist independently from personal applications and data. This separation is fundamental to the work profile model and provides strong privacy protection for users by ensuring IT cannot manage or see personal applications, data, or device settings outside the work profile. Device-level settings like location services, which operate system-wide rather than within the work profile container, remain under user control in work profile enrollment scenarios.
Because work profiles respect user autonomy over device-level settings, restrictions on system features like location services cannot be enforced through work profile management. Users retain the ability to enable or disable location services for the entire device through Android settings, and IT policies cannot override this user control. This limitation is intentional and reflects the privacy-focused design of work profile enrollment for personal devices.
For organizations requiring strict control over device settings including system features like location services, Android Enterprise fully managed enrollment is the appropriate choice. This enrollment type should be reserved for corporate-owned devices where such control is justified by business requirements and device ownership. For personal devices, organizations must accept the limitations of work profile enrollment or consider whether device management is appropriate at all versus application-level management through app protection policies.
A is correct because Android Enterprise fully managed enrollment provides device-level management authority that can enforce system settings like preventing users from disabling location services. B is incorrect because Android Enterprise work profile maintains user control over device-level system settings including location services, as work profile management focuses on the work container rather than device-wide settings. C is incorrect because corporate-owned work profile, despite being corporate-owned, maintains the work profile separation model and generally preserves user control over system-level settings like location services. D is incorrect because Android device administrator is deprecated and lacks the comprehensive management capabilities of Android Enterprise, and should not be used for new deployments.
Question 73:
Your organization uses Microsoft Intune and Windows Autopilot. You need to ensure that when devices are reset, they automatically re-enroll through Autopilot without requiring IT intervention. What should you configure?
A) Enable Automatic re-enrollment in Azure AD and register devices in Windows Autopilot
B) Configure device enrollment restrictions allowing automatic re-enrollment
C) Deploy a provisioning package with Autopilot registration information
D) Create a device configuration profile with automatic enrollment settings
Answer: A
Explanation:
Windows Autopilot provides a cloud-based device deployment solution that transforms new or reset devices into business-ready endpoints without traditional imaging. One of Autopilot’s key benefits is its ability to maintain management relationships even after device resets, ensuring devices automatically return to managed state without requiring manual re-enrollment or IT intervention. Understanding how Autopilot registration and automatic re-enrollment work together ensures devices remain under management throughout their lifecycle including after reset scenarios.
When devices are registered in Windows Autopilot, their hardware identifiers (hardware hash, serial number, model) are stored in Microsoft’s cloud service and associated with your organization’s tenant. This cloud-based registration creates a permanent link between the physical hardware and your organization that persists regardless of the device’s local state. When registered devices boot for the first time or after factory reset and connect to the internet during Windows setup, they contact the Autopilot service with their hardware identifiers.
The Autopilot service recognizes the hardware identifiers as belonging to your organization and automatically delivers the appropriate Autopilot deployment profile to the device. This profile includes configuration information like Azure AD join settings, device naming templates, enrollment status page configuration, and user assignment information. The device automatically proceeds through the Autopilot provisioning flow without requiring manual configuration or IT intervention.
A is correct because enabling automatic re-enrollment in Azure AD and registering devices in Windows Autopilot together ensure devices automatically re-enroll through Autopilot after reset without IT intervention. B is incorrect because device enrollment restrictions control which device types or platforms can enroll but don’t provide the automatic post-reset re-enrollment capability that Autopilot registration provides. C is incorrect because provisioning packages are used for deploying configuration settings to devices but don’t provide the cloud-based persistent registration that enables automatic Autopilot re-enrollment after factory reset. D is incorrect because device configuration profiles deploy settings to already-enrolled devices but don’t enable automatic enrollment or create the persistent hardware registration necessary for post-reset Autopilot deployment.
Question 74:
You are configuring app protection policies for iOS devices. You need to ensure that when users copy data from the Outlook app to the Notes app, the Notes app receives only plain text without formatting. What should you configure?
A) Data transfer settings: “Send org data to other apps” set to “Policy managed apps with OS sharing” and “Allow users to open data from selected services” configured
B) Data transfer settings: “Restrict cut, copy, and paste between other apps” set to “Policy managed apps with paste in”
C) Data protection settings: “Prevent data transfer to unmanaged apps”
D) Access requirements: “Restrict data transfer with formatting”
Answer: B
Explanation:
App protection policies provide granular control over data transfer operations between applications including not just whether data can be transferred but also what form the data takes during transfer. Understanding how clipboard and data transfer restrictions control formatting preservation versus plain text conversion is important for balancing data protection with user productivity needs.
The “Restrict cut, copy, and paste between other apps” setting in app protection policies offers several options that control clipboard operations with varying levels of restriction and formatting control. These options determine whether data can be copied between apps, whether it can include formatting, and how the clipboard content is processed during transfer.
When set to “Policy managed apps with paste in,” this setting allows users to copy data from policy-protected applications (like Outlook) and paste it into any application, including both other policy-managed apps and unmanaged apps. However, the critical feature of this setting is that when data is pasted into unmanaged applications or applications that are policy-managed but not marked as “exempt” from formatting restrictions, the formatting is stripped and only plain text is transferred. This provides a compromise between complete data blocking and unrestricted data transfer.
B is correct because the “Restrict cut, copy, and paste between other apps” setting with “Policy managed apps with paste in” option specifically controls clipboard operations and strips formatting when pasting into unmanaged apps, allowing only plain text transfer. A is incorrect because “Send org data to other apps” with OS sharing controls which apps can receive data through sharing interfaces but doesn’t specifically control formatting preservation during clipboard operations. C is incorrect because while preventing data transfer to unmanaged apps would solve the problem, it’s overly restrictive compared to allowing plain text transfer, and doesn’t match the specific requirement of allowing transfer with formatting removal. D is incorrect because “Restrict data transfer with formatting” is not a standard setting name in app protection policies—the clipboard restriction setting is the correct location for this control.
Question 75:
You manage macOS devices using Microsoft Intune with Automated Device Enrollment. You need to deploy a kernel extension for a security application. What must you configure?
A) System extensions policy approving the kernel extension’s team identifier
B) Kernel extension policy with the extension’s bundle identifier
C) Device restrictions profile allowing kernel extensions
D) Privacy preferences policy for kernel extension access
Answer: B
Explanation:
macOS security architecture distinguishes between older kernel extensions (KEXTs) that run in kernel space with high privileges and modern system extensions that run in user space with reduced privileges. Understanding how to properly approve and deploy kernel extensions through Intune is important for supporting applications that still rely on this older technology, though organizations should migrate toward system extensions when possible as Apple has deprecated kernel extensions in favor of the more secure system extension framework.
Kernel extensions are loadable modules that extend the macOS kernel’s functionality, allowing third-party software to interact deeply with system hardware and software at the kernel level. Security applications, virtualization software, networking tools, and storage management applications have historically relied on kernel extensions to provide their functionality. However, kernel extensions pose security and stability risks because bugs or vulnerabilities in kernel code can compromise the entire system.
B is correct because Intune’s macOS Extensions profile has a Kernel extensions section in which you approve specific extensions by team identifier plus bundle identifier (or approve an entire team identifier), which is the MDM equivalent of the user clicking Allow in Security settings. The device must have User Approved MDM enrollment for the approval to be honored, which Automated Device Enrollment provides. Two caveats a practitioner needs: kernel extensions are deprecated, so check whether the vendor’s current build ships a system extension before approving a kext at all; and on Apple silicon Macs the MDM approval is not sufficient on its own, because third-party kexts only load after the user lowers the boot security policy and permits kernel extensions in the Startup Security Utility from Recovery. A is incorrect because system extension policies approve modern system extensions, which run in user space and replaced kernel extensions, not legacy kexts. C is incorrect because device restrictions profiles block or allow broad categories of functionality but don’t provide the per-extension approval mechanism. D is incorrect because privacy preferences policies (PPPC) grant apps access to privacy-sensitive data such as contacts or full disk access; they don’t approve kernel extensions for loading.
Question 76:
You are configuring Microsoft Intune to manage Windows 11 devices. You need to deploy a PowerShell script that collects device information and uploads it to an Azure storage account. The script requires credentials to access the storage account. How should you handle the credentials?
A) Store credentials in Azure Key Vault and have the script retrieve them using managed identity
B) Hard-code credentials in the PowerShell script deployed through Intune
C) Prompt users to enter credentials when the script runs
D) Store credentials in a device configuration profile
Answer: A
Explanation:
Credential management in automated scripts is a critical security consideration that requires balancing functionality with security best practices. Hard-coding credentials in scripts creates significant security risks including credential exposure, difficulty rotating credentials, inability to audit credential usage, and potential credential compromise if scripts are accessed by unauthorized parties. Understanding how to properly secure credentials using modern secret management solutions ensures scripts can function without compromising security.
Azure Key Vault is Microsoft’s cloud-based secret management service designed specifically for storing and managing sensitive information like credentials, certificates, API keys, and encryption keys. Key Vault provides centralized secret storage with access control, auditing, automatic rotation capabilities, and integration with Azure services. Rather than embedding credentials directly in scripts, applications and scripts can retrieve credentials from Key Vault at runtime, ensuring credentials never exist in plaintext in script files.
Managed identities for Azure resources give Azure-hosted services (VMs, App Service, Functions, and similar) an automatically managed identity in Azure Active Directory (now Microsoft Entra ID) that can authenticate to Azure services without any stored credential. A physical Intune-managed Windows 11 laptop has no managed identity, so for this scenario “managed identity” in option A should be read as “an identity that needs no stored secret”: in practice that is a certificate-based service principal whose certificate and non-exportable private key are deployed to the device’s machine certificate store by an Intune PKCS or SCEP profile, or a genuine managed identity if the device happens to be an Azure VM. Either way the script itself carries no secret, pulls what it needs from Key Vault at run time, and the storage access can be narrowed further with a short-lived, write-only SAS or Entra RBAC on the storage account. A is correct because it is the only option in which the credential never lives in the script or on the device in plaintext and can be rotated and audited centrally. B is incorrect because the Intune Management Extension downloads script content to disk under its Policies\Scripts folder and records execution in IntuneManagementExtension.log, so anything hard-coded is readable by any local administrator and is leaked with every copy of the script. C is incorrect because Intune PowerShell scripts run non-interactively (by default as SYSTEM), so a prompt either fails or hangs, and users should not hold storage account credentials in any case. D is incorrect because device configuration profiles are policy, not a secret store; their values are visible in MDM diagnostics on the device and cannot be rotated or audited like a vault secret.
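The following script is an added example, not code from the page, of the pattern described above on a physical Intune-managed device. All identifiers in it are hypothetical: it assumes an Entra app registration with a certificate credential whose matching certificate was deployed to Cert:\LocalMachine\My by an Intune PKCS or SCEP profile, that the app has the “Key Vault Secrets User” role on a vault holding a short-lived, write-only SAS token in a secret named inventory-sas, and that the Az.Accounts, Az.KeyVault and Az.Storage modules are already present on the device (for example, pre-installed by a Win32 app).

```powershell
# Added example (not from the page): collect device info and upload it to Azure Blob Storage
# without any secret inside the script.
# Assumptions (all hypothetical):
#  - App registration $ClientId has a certificate credential; the matching cert + private key
#    sits in Cert:\LocalMachine\My. Intune runs this script as SYSTEM, so the machine store
#    (not the user store) is the one that matters.
#  - $ClientId holds "Key Vault Secrets User" on $VaultName, and secret $SecretName contains a
#    container-scoped SAS with only create/write permission.
#  - Az.Accounts, Az.KeyVault and Az.Storage are installed for all users.

#Requires -Modules Az.Accounts, Az.KeyVault, Az.Storage
$ErrorActionPreference = 'Stop'

$TenantId       = '00000000-0000-0000-0000-000000000000'   # hypothetical tenant
$ClientId       = '11111111-1111-1111-1111-111111111111'   # hypothetical app registration
$CertSubject    = 'CN=intune-inventory-uploader'           # hypothetical cert deployed by Intune
$VaultName      = 'kv-inventory-example'                   # hypothetical Key Vault
$SecretName     = 'inventory-sas'                          # hypothetical secret name
$StorageAccount = 'stinventoryexample'                     # hypothetical storage account
$Container      = 'device-inventory'

# 1. Locate the device certificate. Nothing sensitive is in this file: the private key is
#    non-exportable in the machine store and never leaves the device.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $CertSubject -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "Uploader certificate '$CertSubject' not found in LocalMachine\My" }

# 2. Authenticate as the app with the certificate. No client secret exists anywhere.
Connect-AzAccount -ServicePrincipal -TenantId $TenantId -ApplicationId $ClientId `
    -CertificateThumbprint $cert.Thumbprint | Out-Null

# 3. Fetch the SAS at run time. Key Vault audit logs record this read, and rotating the SAS
#    means updating one secret rather than redeploying the script to every device.
$sas = Get-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName -AsPlainText

# 4. Collect the inventory. Keep it to what the consumer of the data actually needs.
$cs = Get-CimInstance Win32_ComputerSystem
$os = Get-CimInstance Win32_OperatingSystem
$inventory = [ordered]@{
    DeviceName   = $env:COMPUTERNAME
    Manufacturer = $cs.Manufacturer
    Model        = $cs.Model
    OSVersion    = $os.Version
    LastBoot     = $os.LastBootUpTime.ToString('o')
    Collected    = (Get-Date).ToUniversalTime().ToString('o')
}
$tmp = Join-Path $env:TEMP ("{0}.json" -f $env:COMPUTERNAME)
$inventory | ConvertTo-Json | Set-Content -Path $tmp -Encoding UTF8

# 5. Upload with the SAS. Because the SAS only allows create/write on this one container,
#    a compromised device cannot read, list or delete other devices' uploads.
$ctx = New-AzStorageContext -StorageAccountName $StorageAccount -SasToken $sas
$blobName = "$($env:COMPUTERNAME)/$(Get-Date -Format yyyyMMdd).json"
Set-AzStorageBlobContent -File $tmp -Container $Container -Blob $blobName -Context $ctx -Force | Out-Null

# 6. Clean up: no token left in the temp folder or in the session.
Remove-Item $tmp -Force
Remove-Variable sas
Disconnect-AzAccount | Out-Null
```

If the app registration is instead granted the “Storage Blob Data Contributor” role on the container, step 3 and the SAS disappear entirely and the upload is authorized by the certificate-backed token alone; Key Vault is then only needed for secrets that genuinely cannot be replaced by an identity. In both designs the thing to verify after deployment is the Key Vault and storage diagnostic logs: every read of the secret and every blob write should be attributable to the app identity, and a read from an unexpected IP or at an unexpected time is the signal that a device certificate has been abused.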
Question 77:
Your organization uses Microsoft Intune to manage iOS devices. You need to configure managed open-in rules that prevent users from opening corporate attachments in unmanaged applications. What should you configure?
A) App protection policy with “Receive data from other apps” set to “Policy managed apps”
B) Device configuration profile with managed open-in settings
C) App configuration policy with open-in restrictions
D) Compliance policy requiring managed apps only
Answer: A
Explanation:
iOS provides a feature called “Open In” that allows users to open files or data from one application in another application, typically accessed through share sheets or action extensions. For enterprise deployments, controlling which applications can receive corporate data through these mechanisms is essential for preventing data leakage. Understanding how app protection policies control data reception prevents scenarios where users inadvertently or intentionally transfer corporate data to unmanaged applications where organizational controls cannot protect it.
App protection policies include data transfer settings that govern how org data moves between apps. “Send org data to other apps” controls the outbound direction: what a managed app may hand to the share sheet, Open In, and similar mechanisms. “Receive data from other apps” controls the inbound direction: which apps a managed app will accept data from. Together they control both directions of the flow.
Opening a corporate attachment from a managed app in another app is an outbound transfer, so it is the send setting at “Policy managed apps” that stops the attachment reaching an unmanaged app; setting “Receive data from other apps” to “Policy managed apps” closes the reverse path so that content from personal apps cannot be brought into the managed app. With both set this way, org data only moves within the set of policy-managed apps. Note that “managed” here means targeted by the app protection policy and signed in with the org account, which is independent of whether the device itself is enrolled.
A is correct because app protection policy data transfer settings are the control: “Receive data from other apps” set to “Policy managed apps”, together with the matching “Send org data to other apps” restriction, confines corporate documents to managed apps and prevents them being opened in unmanaged ones. B describes a real but different mechanism: iOS device restrictions profiles do carry Apple’s managed open-in settings (“Viewing corporate documents in unmanaged apps”), but these depend on MDM enrollment and on the apps and data being MDM-managed, whereas the app protection policy also protects unenrolled devices, which is why it is the intended answer here. C is incorrect because app configuration policies push settings into an app; they do not enforce data transfer restrictions between apps. D is incorrect because compliance policies evaluate device state for Conditional Access; they do not block opening a document in a particular app.
Question 78:
You manage Windows 11 devices using Microsoft Intune. You need to configure devices to automatically encrypt all removable USB drives when they are connected. What should you create?
A) Endpoint security Disk encryption policy with removable drive encryption settings
B) Device configuration profile with BitLocker settings for removable drives
C) Compliance policy requiring removable drive encryption
D) Attack surface reduction rule blocking unencrypted removable drives
Answer: A
Explanation:
Removable drive encryption is an important data loss prevention measure that ensures data copied to USB drives, external hard drives, or other removable media remains protected if the physical media is lost or stolen. Windows BitLocker To Go provides this protection by encrypting removable drives and requiring authentication to access encrypted data. Understanding how to properly deploy BitLocker To Go policies through Intune ensures consistent removable media protection across managed devices.
Endpoint security policies in Microsoft Intune provide streamlined interfaces specifically designed for security configuration, consolidating related security settings into focused policy types. The Disk encryption policy type includes comprehensive BitLocker configuration for both fixed drives and removable drives, providing centralized encryption management. This specialized policy type is more appropriate than general device configuration profiles for encryption deployment because it focuses specifically on encryption scenarios and integrates with encryption reporting.
Within a Disk encryption policy, separate sections control operating system drives, fixed data drives, and removable data drives. The removable drive settings map onto the corresponding BitLocker policies: whether users may turn BitLocker on or off for removable drives; “Deny write access to removable drives not protected by BitLocker”, which is the mechanism behind “require encryption” (an unencrypted drive is mounted read-only and the user is prompted to encrypt it before anything can be written); an option to also deny writes to drives encrypted by another organization, identified by the organization identification field; password or smart card unlock with minimum length and complexity requirements; the encryption method; and recovery options. This means the encryption is not silent: the user is prompted on first write and must set the unlock password, and a user who declines simply keeps a read-only drive.
The policy enforcement only applies to removable drives connected to managed Windows devices. When users connect drives to unmanaged computers or non-Windows systems, the policy cannot enforce encryption. However, drives already encrypted by managed devices remain encrypted and require passwords regardless of which computer they’re connected to, providing continued protection for data that was encrypted in the managed environment.
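The check below is an added example, not code from the page, for confirming on a device that the removable drive policy actually took effect. It assumes the settings have landed in the standard BitLocker policy registry key (HKLM\SOFTWARE\Policies\Microsoft\FVE, the location Group Policy uses and that the BitLocker CSP populates for these ADMX-backed settings) and that the built-in BitLocker PowerShell module is available, so it should be run elevated on Windows 11. The function name and the exit-code convention at the end (suitable for a proactive remediation detection script) are my own.

```powershell
# Added example (not from the page): audit the effective removable-drive BitLocker policy and the
# protection state of every removable volume on a managed Windows 11 device. Run elevated.

function Get-RemovableDriveEncryptionState {
    [CmdletBinding()]
    param()

    # Policy values live here for both Group Policy and the BitLocker CSP (assumption stated above).
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $pol = if (Test-Path $fve) { Get-ItemProperty -Path $fve } else { $null }

    # Read a DWORD policy value; $null means "not configured", which is different from 0 = disabled.
    function Get-Pol([string]$Name) {
        if ($pol -and ($pol.PSObject.Properties.Name -contains $Name)) { [int]$pol.$Name } else { $null }
    }

    $policy = [pscustomobject]@{
        # 1 = unencrypted removable drives are read-only and the user is prompted to encrypt
        DenyWriteToUnencrypted   = Get-Pol 'RDVDenyWriteAccess'
        # 1 = also read-only for drives encrypted under a different organization identification field
        DenyWriteCrossOrg        = Get-Pol 'RDVDenyCrossOrg'
        # 1 = users may turn BitLocker on for removable drives, 0 = blocked
        UsersMayEnable           = Get-Pol 'RDVAllowBDE'
        PasswordUnlockConfigured = Get-Pol 'RDVPassphrase'
        MinPasswordLength        = Get-Pol 'RDVPassphraseLength'
    }

    # Removable volumes with a drive letter, joined to their BitLocker status.
    $removable = Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter }
    $drives = foreach ($v in $removable) {
        $bl = Get-BitLockerVolume -MountPoint "$($v.DriveLetter):" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Drive            = "$($v.DriveLetter):"
            Label            = $v.FileSystemLabel
            VolumeStatus     = if ($bl) { $bl.VolumeStatus } else { 'Unknown' }
            ProtectionStatus = if ($bl) { $bl.ProtectionStatus } else { 'Unknown' }
            Protectors       = if ($bl) { ($bl.KeyProtector.KeyProtectorType -join ',') } else { '' }
            # The state the policy is supposed to rule out: plaintext drive that is still writable.
            # An unencrypted drive is acceptable only if the policy has made it read-only.
            WritableUnencrypted = ($bl -and $bl.VolumeStatus -eq 'FullyDecrypted' -and $policy.DenyWriteToUnencrypted -ne 1)
        }
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Policy       = $policy
        Drives       = @($drives)
        # Compliance verdict: the deny-write policy is applied and no writable plaintext drive exists.
        Compliant    = ($policy.DenyWriteToUnencrypted -eq 1) -and -not (@($drives) | Where-Object WritableUnencrypted)
    }
}

$state = Get-RemovableDriveEncryptionState
$state.Policy | Format-List
$state.Drives | Format-Table -AutoSize

# Detection-script convention: exit 0 when compliant, 1 when remediation or investigation is needed.
if ($state.Compliant) { Write-Output 'Removable drive encryption policy in effect'; exit 0 }
else { Write-Output 'Removable drive encryption policy missing or an unencrypted removable drive is writable'; exit 1 }
```

The value of checking the registry alongside Get-BitLockerVolume is that the two fail differently: a policy that never arrived shows up as RDVDenyWriteAccess being absent, whereas a policy that arrived but was ignored shows as a FullyDecrypted volume that still accepts writes. Only the second case points at the device rather than at the Intune assignment.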
A is correct because Endpoint security Disk encryption policies provide specific controls for removable drive encryption including BitLocker To Go configuration. B is incorrect because while device configuration profiles can contain some BitLocker settings, Endpoint security policies provide the most focused and comprehensive interface for encryption configuration including removable drives. C is incorrect because compliance policies check whether encryption is enabled but don’t actively configure or enforce the encryption process—Disk encryption policies configure the encryption behavior. D is incorrect because attack surface reduction rules block specific attack techniques and behaviors but don’t configure BitLocker encryption for removable drives.
Question 79:
Your organization uses Microsoft Intune and Azure AD. You need to configure a policy that blocks access to Exchange Online from devices running iOS versions older than 15.0. What should you configure?
A) Compliance policy requiring iOS 15.0 minimum and Conditional Access policy requiring compliant devices for Exchange Online
B) Device restrictions profile blocking old iOS versions from accessing Exchange
C) App protection policy with minimum iOS version requirement for Outlook
D) Exchange ActiveSync policy with iOS version requirements
Answer: A
Explanation:
Enforcing minimum operating system versions is an important security practice that ensures devices accessing corporate resources have current security features, vulnerability patches, and compatibility with modern management capabilities. Operating systems that are no longer receiving security updates or lack modern security architectures present significant security risks. Implementing policies that prevent outdated devices from accessing corporate data requires combining Intune compliance evaluation with Conditional Access enforcement.
A is correct because the two pieces do different jobs: the Intune compliance policy (Device Properties, “Minimum OS version” set to 15.0) evaluates each device and marks it noncompliant, and the Conditional Access policy targeting the Exchange Online cloud app with the “Require device to be marked as compliant” grant control enforces the block. Two practical caveats: the compliance policy’s action for noncompliance should mark the device noncompliant immediately, because a grace period keeps access open until it expires; and devices that are not enrolled at all have no compliance state and are blocked by the same Conditional Access policy, which is usually what you want but must be planned for. B is incorrect because device restrictions profiles configure device features; they neither evaluate OS version for compliance nor control access to cloud services. C is incorrect because app protection policies apply minimum OS requirements at the app level (Outlook is blocked or warned inside the app) rather than blocking Exchange Online access, and an app that is not APP-targeted is unaffected. D is incorrect because Exchange ActiveSync device access rules are a legacy, coarse-grained mechanism (allow, block or quarantine by device family) that Microsoft has superseded with Intune compliance plus Conditional Access, and they don’t provide per-version compliance evaluation.
Question 80:
You are deploying a line-of-business application to Windows 11 devices. The application requires .NET Framework 4.8 to be installed before the application can install successfully. How should you handle this dependency in Intune?
A) Configure the Win32 app with a dependency relationship requiring .NET Framework 4.8 app
B) Create a PowerShell script that installs .NET Framework before running the app installer
C) Use the application installer’s built-in prerequisite checking
D) Deploy .NET Framework and the application in a single installation package
Answer: A
Explanation:
Application dependency management is essential for ensuring applications install successfully by guaranteeing prerequisite software is present before installation attempts. Modern application deployment frameworks include built-in dependency management that handles prerequisite installation automatically, ensuring correct installation sequencing without requiring complex scripting or manual intervention. Understanding how to properly configure dependencies in Intune Win32 app deployment ensures reliable application delivery.
Win32 applications in Intune support dependency relationships in which one Win32 app declares that another Win32 app must be present first. With the dependency’s “Automatically install” option set to Yes, Intune installs the prerequisite before the app that depends on it, without any custom sequencing or scripting; set to No, the prerequisite must already be detected on the device or the dependent app’s installation is not attempted.
To configure this, first package the prerequisite (.NET Framework 4.8 in this scenario) as its own Win32 app with a reliable detection rule. Then, on the line-of-business app’s Dependencies page, add the .NET Framework app and choose whether it should be installed automatically. The prerequisite does not need to be assigned to the same group; the dependency relationship is enough for Intune to install it.
When devices evaluate application assignments with dependencies, Intune checks detection rules for all dependencies before installing the primary application. If .NET Framework 4.8 is not detected, Intune automatically installs it first using the configured installation command and detection rules. After successful installation of all dependencies, Intune proceeds with installing the primary application. This ensures prerequisites are always in place before the application that requires them attempts installation.
The dependency feature provides several advantages over alternative approaches. It leverages Intune’s native capability without requiring custom scripting, provides clear visibility in the Intune portal about application relationships, handles installation sequencing automatically across policy sync cycles, works correctly even if prerequisites and applications are assigned to different groups or time periods, and provides detailed reporting about dependency installation success or failure.
Detection rules for dependent applications are critical for dependency management to function correctly. If .NET Framework 4.8’s detection rules don’t accurately identify when it’s installed, Intune may attempt to install it repeatedly or fail to recognize existing installations. Detection rules for .NET Framework typically check registry keys specific to the framework version or file existence of framework assemblies in system directories.
Dependency relationships support multiple dependencies for one app (such as both .NET Framework and a Visual C++ redistributable), chains in which a dependency has its own dependencies, and a per-dependency choice between automatic installation and requiring the prerequisite to be present already. Intune limits the total number of dependencies, including nested ones, so deep chains should be kept short.
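Since the whole mechanism stands or falls on the dependency’s detection rule, here is an added example (not from the page) of a custom detection script for the .NET Framework 4.8 dependency app. It relies on two facts: Intune treats a detection script as “installed” only when it exits 0 and writes something to STDOUT, and Microsoft identifies the installed 4.x version by the Release DWORD under the v4\Full setup key, where 528040 is the lowest value that denotes 4.8 (later OS builds and 4.8.1 report higher values). The function names are my own; the assumed install command for the dependency app is the offline installer run as ndp48-x86-x64-allos-enu.exe /q /norestart, with return code 3010 mapped to a soft reboot.

```powershell
# Added example (not from the page): Intune custom detection script for a ".NET Framework 4.8"
# Win32 dependency app. Contract: exit 0 AND output on STDOUT = installed; anything else = not.
# Leave "Run script as 32-bit process on 64-bit clients" at No so the 64-bit registry view is read.

$MinimumRelease = 528040   # .NET Framework 4.8; 4.8.1 reports 533320 or higher, so use >= not ==

function Get-NetFramework4Release {
    # Returns the Release DWORD of the installed .NET Framework 4.x, or 0 when 4.x is absent.
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    if (-not (Test-Path $key)) { return 0 }
    $release = (Get-ItemProperty -Path $key -Name Release -ErrorAction SilentlyContinue).Release
    if ($null -eq $release) { return 0 }
    return [int]$release
}

function Test-NetFramework48Installed {
    param([int]$Minimum = $MinimumRelease)
    # True when the installed Release value meets the 4.8 minimum.
    (Get-NetFramework4Release) -ge $Minimum
}

$release = Get-NetFramework4Release
if (Test-NetFramework48Installed) {
    # Detected: write to STDOUT and exit 0. Including the value makes the IME log show what matched.
    Write-Output "Detected .NET Framework 4.x Release=$release (>= $MinimumRelease)"
    exit 0
}
else {
    # Not detected: non-zero exit and nothing on STDOUT. Writing output here would be harmless only
    # because the exit code is non-zero, but keeping the two signals consistent avoids confusion
    # when someone later changes one of them.
    exit 1
}
```

A rule that compared Release to exactly 528040 would report “not installed” on any device with a newer build or with 4.8.1, and Intune would then try to reinstall the dependency on every sync and block the line-of-business app behind it. That is the failure mode the paragraph above warns about, and a range check is the fix.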