Question 101:
You are configuring Microsoft Intune to deploy applications to Windows 11 devices. An application requires a specific registry key to be present before installation. How should you handle this prerequisite?
A) Configure dependency on a PowerShell script that creates the required registry key
B) Include registry key creation in the application installation command
C) Create a separate Win32 app for registry key creation and configure as dependency
D) Use device configuration profile with registry settings deployed before the application
Answer: C
Explanation:
Application dependency management in Intune Win32 app deployment provides a systematic way to ensure prerequisites are met before an application installs. Structuring the prerequisite as a Win32 app dependency, rather than folding it into the installation command or relying on a separate configuration profile, gives reliable installation sequencing with tracking, reporting, and retry logic built into the application deployment framework.
The Win32 app dependency feature in Intune allows declaring relationships between applications where one application depends on another. When dependencies are configured, Intune automatically ensures dependent applications install before the primary application attempts installation. This orchestration happens transparently with Intune managing installation sequencing, checking detection rules for dependencies before proceeding with the primary application, and handling retries if dependency installation fails. The dependency framework provides reliability and visibility that manual sequencing or scripted approaches cannot match.
For registry key prerequisites specifically, the recommended approach is packaging the registry key creation as a standalone Win32 app with proper detection rules and installation logic. The Win32 app format, created using the Microsoft Win32 Content Prep Tool, can contain PowerShell scripts or batch files that create registry keys. The installation command executes the script to create the required registry key, and detection rules verify the registry key exists after installation. Once packaged as a Win32 app, it can be referenced as a dependency by the primary application.
Creating the registry prerequisite as a Win32 app provides several advantages over alternative approaches. Detection rules allow Intune to verify the prerequisite is present before attempting the primary application installation, avoiding installation failures due to missing prerequisites. The dependency relationship ensures correct installation sequencing across multiple policy sync cycles even if the applications are assigned at different times or to different groups. Intune’s application deployment reporting tracks dependency installation separately from the primary application, providing visibility into which component failed if issues occur. The modular approach allows reusing the prerequisite Win32 app across multiple applications that require the same registry key.
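An added example (not from the page or from Microsoft) of the prerequisite Win32 app described above: one script that serves as both the install command and the custom detection script, so the same file is packaged with the Win32 Content Prep Tool and then referenced as a dependency of the main application. The key path, value name and value data are placeholders.

```powershell
<#
    Install command (64-bit PowerShell so HKLM:\SOFTWARE is not redirected to WOW6432Node):
      %windir%\sysnative\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoProfile -File .\Set-AppPrereq.ps1 -Mode Install
    Detection rule: "Use a custom detection script" pointing at this same file. With no -Mode
      argument it runs in Detect mode. Intune treats the app as detected only when the script
      exits 0 AND writes something to STDOUT; exit 0 with empty STDOUT means "not detected".
#>
param(
    [ValidateSet('Install', 'Detect')]
    [string]$Mode = 'Detect'
)

# Placeholder prerequisite the main application's installer checks for (assumption).
$KeyPath   = 'HKLM:\SOFTWARE\Contoso\ExampleApp'
$ValueName = 'PrereqConfigured'
$ValueData = 1

function Test-Prereq {
    # True only when the key exists and the value holds the expected data.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$ValueName -eq $ValueData)
}

function Set-Prereq {
    # Create the key if it is missing, then write the DWORD value (created or overwritten).
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $ValueData -Type DWord
}

switch ($Mode) {
    'Install' {
        try {
            Set-Prereq
            if (Test-Prereq) { exit 0 }   # success; Intune then re-runs the detection rule
            Write-Error 'Registry value was written but could not be read back.'
            exit 1
        } catch {
            Write-Error $_
            exit 1                        # any non-zero exit code reports failure to Intune
        }
    }
    'Detect' {
        if (Test-Prereq) {
            Write-Output 'Prerequisite present'   # STDOUT + exit 0 = detected
            exit 0
        }
        exit 0   # no STDOUT = not detected, so Intune proceeds with installation
    }
}
```

Because the dependency app has its own detection rule, Intune reports the prerequisite and the main application separately, which is the visibility the explanation above refers to.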
Question 102:
Your organization uses Microsoft Intune to manage macOS devices. You need to deploy a kernel extension for a VPN application. What is required for the kernel extension to load successfully?
A) Kernel extension policy with team identifier and bundle identifier, and device must be supervised
B) System extension policy approving the VPN extension
C) Device restrictions profile allowing kernel extensions from any developer
D) User approval after installation prompting in System Preferences
Answer: A
Explanation:
macOS security architecture has evolved significantly regarding kernel extensions, with Apple implementing increasingly strict controls over code running in kernel space due to security and stability concerns. Understanding the requirements for deploying kernel extensions through MDM, including the necessity for both proper policy configuration and device supervision, ensures successful deployment while recognizing that Apple is transitioning away from kernel extensions toward more secure system extensions for new software development.
Kernel extensions (KEXTs) are loadable modules that extend macOS kernel functionality, providing applications with deep system integration capabilities necessary for VPN clients, security software, virtualization platforms, and certain hardware drivers. Because kernel extensions execute with kernel-level privileges and can compromise system security or stability if malicious or buggy, macOS implements security controls preventing unauthorized kernel code from loading. Starting with macOS High Sierra, user-approved kernel extension loading requires explicit approval before kernel extensions can load, with users navigating to System Preferences > Security & Privacy to approve blocked extensions.
For enterprise-managed macOS devices, MDM policies can pre-approve kernel extensions, eliminating user approval prompts and ensuring business-critical software functions immediately after installation. Kernel extension policies in Intune specify which kernel extensions are authorized to load by identifying both the developer team identifier (a 10-character string assigned by Apple identifying the organization or individual who signed the extension) and the extension bundle identifier (a reverse-DNS format string like com.company.vpn.kext uniquely identifying the specific extension). Both identifiers are required because team identifier establishes trust in the developer while bundle identifier specifies exactly which extension from that developer is approved.
Supervision is a device management state that enables enhanced MDM capabilities beyond those available on non-supervised devices. Supervised devices, typically enrolled through Apple Business Manager and Automated Device Enrollment, allow organizations to enforce more restrictive policies and access additional management features including kernel extension pre-approval without user interaction. For non-supervised devices, even when MDM policies attempt to approve kernel extensions, macOS may still require user approval in System Preferences, limiting the automation and user experience benefits of MDM management.
Question 103:
You are configuring app protection policies for iOS devices. You need to ensure that when users are working offline for more than 48 hours, they must re-authenticate before accessing managed applications. What should you configure?
A) Access requirements with offline interval set to 48 hours before re-checking access requirements
B) Conditional launch action requiring online check after 48 hours offline
C) Data transfer settings with offline timeout of 48 hours
D) Access requirements with PIN timeout of 48 hours
Answer: B
Explanation:
App protection policies provide multiple mechanisms for controlling access to managed applications based on various conditions including device state, security posture, and connectivity status. Understanding the distinction between access requirements that control initial access authentication and conditional launch settings that trigger actions based on ongoing conditions is essential for implementing policies that maintain security even when devices operate offline for extended periods without connectivity to management services.
Access requirements in app protection policies define the authentication conditions users must satisfy when launching protected applications, including PIN requirements specifying whether users must enter numeric PINs to access apps, biometric authentication allowing fingerprint or face recognition instead of or in addition to PINs, corporate credentials requiring Azure AD authentication, and recheck intervals determining how frequently users must re-authenticate after successful access. These requirements establish the baseline authentication security for application access but are primarily focused on the authentication method rather than connectivity-based conditions.
Conditional launch settings in app protection policies define conditions that trigger specific actions when certain thresholds are exceeded or requirements aren’t met. These conditions include offline grace period specifying how long devices can remain offline before requiring online connectivity, max OS version and min OS version defining acceptable operating system version ranges, max PIN attempts before account is wiped, jailbroken/rooted device detection, disabled account detection, and many other device state and security conditions. For each condition, administrators configure both the threshold value and the action taken when the threshold is exceeded, such as blocking access, wiping data, or warning users.
Question 104:
You manage Windows 11 devices using Microsoft Intune. You need to deploy a line-of-business application that should automatically uninstall when devices are no longer in a specific Azure AD group. What should you configure?
A) Deploy the application as Available assignment to the group and enable automatic uninstall
B) Deploy the application as Required assignment to the group with uninstall on membership removal
C) Create a PowerShell script to uninstall the application triggered by group membership changes
D) This behavior is not directly supported; application uninstall requires manual removal or separate uninstall deployment
Answer: D
Explanation:
Understanding the capabilities and limitations of Intune application deployment, particularly regarding automatic uninstallation based on assignment changes, helps administrators design appropriate application lifecycle management strategies and avoid implementing solutions based on incorrect assumptions about platform behavior. While Intune provides comprehensive application deployment and management capabilities, certain specific behaviors like automatic uninstallation when devices leave assigned groups are not built-in features of the platform.
Application assignments in Intune determine which users or devices receive applications and whether installations are required, available, or should be uninstalled. Required assignments automatically install applications to all members of assigned groups, with installations occurring during policy sync cycles without user intervention. Available assignments make applications visible in Company Portal for users to install on-demand. Uninstall assignments remove applications from devices in assigned groups. These assignment types provide control over application distribution but operate independently—changing a required assignment doesn’t automatically create an uninstall assignment for devices no longer in scope.
When applications are deployed with required assignments to Azure AD groups and devices are subsequently removed from those groups, Intune does not automatically uninstall the applications from those devices. The application remains installed because the original required assignment triggered installation and removal from the group simply means the device is no longer in scope for that assignment. Intune’s application management model treats installation and uninstallation as separate intentional actions rather than automatic opposites of assignment scope changes.
This behavior reflects a design philosophy where application state persists based on past management actions rather than continuously reverting when policy scopes change. The alternative behavior where applications automatically uninstall when devices leave groups could cause problems in scenarios where group membership changes are temporary or accidental, devices move between groups for organizational reasons while the same applications should remain installed, or group membership reflects attributes other than application requirements. Requiring explicit uninstall assignments provides administrators with clear control over when applications are removed.
To achieve the desired behavior of removing applications when devices leave specific groups, administrators must implement additional logic and processes beyond basic assignment configuration. One approach involves creating dynamic device groups representing devices that should NOT have the application, such as “All devices except members of Group X,” and assigning uninstall deployments to those negative groups. This requires maintaining paired positive and negative groups with opposing application assignments, which adds complexity but achieves the removal behavior.
Question 105:
Your organization uses Microsoft Intune to manage Android Enterprise devices. You need to configure email profiles for the native Gmail app with corporate Exchange Online accounts. What should you do?
A) Deploy app configuration policy for Gmail with Exchange settings
B) Create device configuration email profile for Android Enterprise
C) Gmail doesn’t support managed email configuration for Exchange; use Outlook instead
D) Deploy managed Google Play Gmail app with embedded email configuration
Answer: C
Explanation:
Understanding which applications support specific enterprise configurations and which scenarios require alternative approaches helps administrators design effective solutions that align with application capabilities and vendor support models. While many enterprise mobility management scenarios offer multiple paths to achieve goals, certain combinations of applications and configurations aren’t supported by vendors, requiring different application choices or workarounds.
Gmail is Google’s consumer and enterprise email application available on Android devices, supporting Google Workspace (formerly G Suite) accounts natively and providing full integration with Google’s email infrastructure. However, Gmail’s support for non-Google email protocols like Exchange ActiveSync for Microsoft Exchange connectivity is limited. While Gmail can add Exchange accounts on Android devices through manual user configuration in some versions, managed configuration through MDM for Exchange connectivity in Gmail isn’t comprehensively supported in the way Microsoft Outlook or other Exchange-focused email clients support managed email profiles.
App configuration policies for Android Enterprise allow delivering configuration settings to managed applications that support the AppConfig standard or Google’s managed configuration framework. These policies can pre-configure application settings including server addresses, authentication parameters, feature toggles, and other application-specific options. However, the specific configuration options available in app configuration policies depend entirely on what the application vendor has exposed through their managed configuration schema. If Gmail’s managed configuration schema doesn’t include Exchange server configuration parameters, those settings cannot be configured through app configuration policies regardless of MDM platform capabilities.
Device configuration email profiles in Intune provide managed email setup for native email applications on various platforms. On iOS, email profiles configure the native Mail app with Exchange or other email protocols. On Android, the situation is more complex because Android doesn’t have a single “native email app” in the same way iOS does. Different Android manufacturers include different email applications, and Android Enterprise management focuses on managed Google Play applications rather than pre-installed manufacturer applications. Email profiles for Android typically target specific email applications like Samsung Email on Samsung devices, but broad “Android Enterprise email profile” support across all Android devices for Gmail specifically isn’t a standard feature.
Question 106:
You manage Windows 11 devices using Microsoft Intune. You need to configure Windows Hello for Business to require a minimum PIN length of 8 digits. What should you configure?
A) Identity protection profile with PIN complexity requirements
B) Device restrictions profile with password settings
C) Account protection policy in Endpoint security with Windows Hello for Business settings
D) Compliance policy requiring 8-digit PIN
Answer: C
Explanation:
Windows Hello for Business is Microsoft’s enterprise implementation of passwordless authentication that replaces traditional passwords with strong two-factor authentication using biometric identification or device-specific PINs. Proper configuration of Windows Hello for Business policies through Intune ensures consistent security standards across the organization while maintaining the user experience benefits of biometric authentication. Understanding where Windows Hello for Business settings are located within Intune’s policy structure is essential for successful deployment.
Account protection policies in Endpoint security provide dedicated configuration interfaces for identity and authentication security features including Windows Hello for Business and Windows Defender Credential Guard. These specialized security policies consolidate authentication-related settings in a focused interface designed specifically for identity protection scenarios. The account protection policy type is the appropriate location for comprehensive Windows Hello for Business configuration including PIN complexity requirements, biometric settings, and enrollment parameters.
Within an account protection policy, Windows Hello for Business settings include extensive configuration options controlling PIN requirements such as minimum PIN length, maximum PIN length, whether lowercase letters are required or allowed, whether uppercase letters are required or allowed, whether special characters are required or allowed, PIN expiration periods, and PIN history preventing reuse. Setting minimum PIN length to 8 ensures users create PINs with at least 8 digits, providing stronger security than shorter PINs while remaining user-friendly compared to complex password requirements.
PIN complexity requirements in Windows Hello for Business serve multiple security purposes. Longer PINs increase the computational difficulty of brute force attacks where attackers attempt to guess PINs through systematic trying of all possible combinations. The PIN is protected by the device’s Trusted Platform Module which implements anti-hammering protection limiting PIN guess attempts, but longer PINs provide defense-in-depth even if anti-hammering protections are bypassed. Additionally, longer PINs reduce the likelihood of observers guessing PINs through shoulder surfing or social engineering compared to shorter 4-6 digit PINs.
Question 107:
You are configuring Microsoft Intune to manage iOS devices. You need to deploy certificates for Wi-Fi authentication that automatically renew before expiration. What certificate deployment method should you use?
A) SCEP certificate profile with renewal settings configured
B) PKCS certificate profile with automatic renewal
C) Manual certificate deployment with renewal reminders
D) Trusted certificate profile with certificate lifecycle management
Answer: A
Explanation:
Certificate lifecycle management is a critical aspect of enterprise mobility deployments, particularly for certificates used in authentication scenarios like Wi-Fi access where expired certificates cause immediate connectivity failures and user disruption. Understanding which certificate deployment methods support automatic renewal capabilities ensures continuous authentication without manual intervention or service interruptions when certificates approach expiration dates.
SCEP (Simple Certificate Enrollment Protocol) is an industry-standard protocol that enables automated certificate enrollment and management between devices and certificate authorities. SCEP certificate profiles in Intune leverage this protocol to automate not only initial certificate deployment but also certificate renewal throughout the certificate lifecycle. When SCEP profiles are configured with appropriate renewal settings, Intune automatically manages certificate renewal by requesting new certificates from the certificate authority before existing certificates expire, typically when certificates reach 80% of their validity period.
The SCEP renewal process operates transparently to users and applications. As certificates approach expiration, the Intune Management Extension on devices monitors certificate validity periods and initiates renewal requests to the SCEP server (typically NDES – Network Device Enrollment Service in Microsoft environments). The certificate authority issues renewed certificates with extended validity periods, Intune deploys the renewed certificates to devices, and the old certificates are replaced. Wi-Fi profiles and other configurations referencing the certificates automatically use the renewed certificates, maintaining uninterrupted connectivity without user awareness or IT intervention.
SCEP certificate profiles include configuration options specifically for renewal behavior including the renewal threshold percentage determining when renewal begins (typically 80% meaning renewal starts when 20% of certificate lifetime remains), retry intervals if renewal attempts fail, and whether to maintain the same key pair or generate new keys during renewal. These settings provide flexibility for organizations to balance security requirements with operational reliability, as more frequent renewals increase security currency but also increase certificate authority load and potential renewal failure opportunities.
PKCS certificate profiles in Intune deliver certificates from certificate authorities through the NDES connector or by directly importing certificate files. While PKCS profiles provide certificate deployment capabilities, they do not include the same automatic renewal mechanisms that SCEP provides. PKCS deployments typically treat certificates as static artifacts deployed once, and renewal requires redeploying updated certificates through new profile updates or manual certificate replacement processes. This limitation makes PKCS less suitable for scenarios requiring automatic certificate lifecycle management.
Manual certificate deployment through methods like email attachments, web downloads, or device-to-device transfer provides no automated renewal capabilities whatsoever. Manual renewal would require distributing new certificates to all devices before old certificates expire, tracking which devices received renewals, and coordinating with users to install renewed certificates. This operational burden becomes impractical for large device populations and introduces significant risk of service disruptions when certificates expire before manual renewal completes.
Trusted certificate profiles deploy root and intermediate certificate authority certificates to device certificate stores, establishing trust chains for validating other certificates. While trusted certificates themselves may have expiration dates and require updates periodically, trusted certificate profiles don’t include renewal automation—they simply deploy static certificate files. Additionally, trusted certificates are typically long-lived (often 10-20 years) and represent infrastructure rather than client authentication credentials, so frequent renewal is less critical than for client authentication certificates.
The integration between SCEP certificate profiles and Wi-Fi profiles creates seamless certificate-based authentication with automatic renewal. Wi-Fi profiles reference SCEP certificate profiles rather than specific certificate instances, so when SCEP renewal replaces certificates, Wi-Fi authentication automatically uses the renewed certificates without requiring Wi-Fi profile updates. This reference-based approach ensures Wi-Fi connectivity remains uninterrupted through certificate renewal cycles.
Organizations deploying SCEP certificates should ensure certificate authority infrastructure is properly configured to support SCEP protocol including NDES server deployment and configuration, certificate templates with appropriate validity periods and renewal settings, network connectivity from managed devices to NDES infrastructure, and monitoring of certificate issuance and renewal success rates. Infrastructure reliability directly impacts certificate renewal success, and renewal failures can cause widespread authentication issues as certificates expire.
Certificate validity periods should be chosen carefully balancing security and operational overhead. Shorter validity periods (like 6 months) require more frequent renewals increasing certificate authority load and renewal failure opportunities, while longer periods (like 2-3 years) reduce renewal frequency but increase the window of exposure if certificates are compromised. Industry best practices typically recommend 1-2 year validity periods for client authentication certificates as a reasonable balance.
Monitoring certificate expiration and renewal success is essential for preventing authentication failures. Intune provides reporting on certificate deployment status, and organizations should implement additional monitoring through certificate authority logs, NDES server monitoring, and proactive alerting when certificates approach expiration without successful renewal. Early warning of renewal failures allows IT to intervene before widespread certificate expiration impacts users.
A is correct because SCEP certificate profiles include built-in renewal capabilities that automatically request and deploy renewed certificates before expiration, providing seamless certificate lifecycle management for Wi-Fi authentication. B is incorrect because PKCS certificate profiles do not include automatic renewal mechanisms—they deploy certificates as static artifacts requiring manual update processes for renewal. C is incorrect because manual certificate deployment provides no automation for renewal and would require operational processes to track expiration and manually deploy renewed certificates to all devices. D is incorrect because trusted certificate profiles deploy root CA certificates for establishing trust chains rather than client authentication certificates, and they don’t include renewal automation—they deploy static certificate files.
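The question concerns iOS, where no script can run on the device, but the monitoring recommendation above applies to every platform that receives SCEP certificates. As an added example (not from the page or from Microsoft), this script implements that check on Windows clients: it lists client authentication certificates that have passed the renewal threshold (80% of validity elapsed, as described above) without a newer certificate for the same subject appearing in the store, which is the signature of a failed SCEP renewal. The store path, threshold and issuer filter are assumptions to align with your SCEP profile.

```powershell
<#
    Intended to run as an Intune PowerShell script or Proactive Remediation detection script.
    Exit 1 (issue found) when at least one certificate is past the threshold and unrenewed.
#>
param(
    [string]$StorePath        = 'Cert:\CurrentUser\My',   # 'Cert:\LocalMachine\My' for device certs
    [double]$RenewalThreshold = 0.80,                    # match the SCEP profile's renewal threshold
    [string]$IssuerFilter     = ''                       # e.g. 'CN=Contoso Issuing CA'; empty = all
)

function Get-ValidityFraction {
    # Fraction of the certificate lifetime that has elapsed at $Now, clamped to [0, 1].
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [datetime]$Now)
    $total   = ($Cert.NotAfter - $Cert.NotBefore).TotalSeconds
    $elapsed = ($Now - $Cert.NotBefore).TotalSeconds
    if ($total -le 0) { return 1.0 }
    return [math]::Min([math]::Max($elapsed / $total, 0.0), 1.0)
}

function Get-StaleClientAuthCerts {
    param([string]$Path, [double]$Threshold, [string]$Issuer, [datetime]$Now = (Get-Date))

    $certs = Get-ChildItem -Path $Path |
        Where-Object { $_.HasPrivateKey } |
        Where-Object { -not $Issuer -or $_.Issuer -eq $Issuer } |
        Where-Object {
            # Keep only certificates whose EKU extension (2.5.29.37) lists Client Authentication.
            $eku = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
            $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' })
        }

    # A renewed certificate carries the same subject as the one it replaces, so the newest
    # certificate per subject tells us whether renewal has already happened.
    $stale = foreach ($group in ($certs | Group-Object -Property Subject)) {
        $newest   = $group.Group | Sort-Object NotAfter -Descending | Select-Object -First 1
        $fraction = Get-ValidityFraction -Cert $newest -Now $Now
        if ($fraction -ge $Threshold) {
            [pscustomobject]@{
                Subject        = $newest.Subject
                Thumbprint     = $newest.Thumbprint
                NotAfter       = $newest.NotAfter
                PercentElapsed = [math]::Round($fraction * 100, 1)
                DaysRemaining  = [math]::Round(($newest.NotAfter - $Now).TotalDays, 1)
            }
        }
    }
    return $stale
}

$stale = Get-StaleClientAuthCerts -Path $StorePath -Threshold $RenewalThreshold -Issuer $IssuerFilter
if ($stale) {
    $stale | Format-Table -AutoSize | Out-String | Write-Output
    exit 1   # surfaces as "issue detected" in Intune script reporting
}
Write-Output 'All client authentication certificates are within the renewal window.'
exit 0
```

Pair the device-side report with the NDES and certificate authority logs mentioned above so that a renewal failure is visible from both ends before the old certificate expires.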
Question 108:
Your organization uses Microsoft Intune to manage devices. You need to ensure that when users change their Azure AD passwords, they must also update their device PINs or biometric credentials. What should you configure?
A) Conditional Access policy requiring credential update after password changes
B) Compliance policy checking password and PIN synchronization
C) This behavior is not directly configurable; passwords and device credentials are independent
D) Identity protection policy synchronizing passwords with device credentials
Answer: C
Explanation:
Understanding the relationship between different authentication mechanisms and their independence or interdependence helps administrators set realistic expectations about authentication management capabilities and design appropriate security policies that work within platform constraints. While various authentication methods can work together in security frameworks, certain specific synchronization behaviors may not be available as direct configuration options.
Azure AD passwords are cloud-based identity credentials used for authenticating to Azure AD and accessing cloud resources including Microsoft 365, Azure services, and federated applications. These passwords are managed through Azure AD password policies, can be changed by users through self-service password reset, are subject to expiration policies if configured, and represent the user’s identity credential independent of any specific device.
C is correct because Azure AD passwords and device PINs/biometric credentials are independent authentication mechanisms serving different purposes, and automatic synchronization requiring device credential updates when passwords change is not a directly configurable feature in standard identity and device management platforms. A is incorrect because Conditional Access policies control access to cloud resources based on authentication signals but do not include capabilities to detect password changes and enforce corresponding device credential updates. B is incorrect because compliance policies evaluate whether devices meet security requirements but do not check for synchronization between Azure AD passwords and device credentials or enforce credential updates based on password changes. D is incorrect because identity protection policies focus on detecting risky authentication and compromised identities but do not include features for synchronizing Azure AD passwords with device-local credentials.
Question 109:
You manage Android Enterprise devices using Microsoft Intune. You need to configure a policy that automatically installs available system updates during a maintenance window between 2 AM and 4 AM. What should you configure?
A) Device configuration profile with system update policy specifying the installation window
B) Compliance policy requiring latest Android version with scheduled enforcement
C) Android Enterprise system update settings in device restrictions
D) App configuration policy for system updates with maintenance window settings
Answer: A
Explanation:
Android Enterprise device management provides organizations with control over system update deployment through policies that determine when updates are applied, whether user intervention is required, and how update installations are scheduled to minimize disruption. Understanding how to properly configure system update policies ensures devices remain secure with current patches while respecting user productivity by scheduling disruptive update installations during appropriate time windows.
Device configuration profiles for Android Enterprise include system update policy settings that provide comprehensive control over how devices handle Android system updates from Google or device manufacturers. These settings allow administrators to specify update behaviors ranging from automatic installation without user control to user-controlled installation with various options in between. For enterprise deployments requiring predictable update timing that avoids business hours disruption, scheduled automatic installation within defined maintenance windows provides the optimal balance of security currency and user experience.
The system update policy configuration includes multiple update type options: automatic installation installing updates as soon as they become available without user interaction or control over timing; windowed installation allowing organizations to define time windows during which automatic installation can occur; postponed installation deferring updates for specified periods allowing testing before deployment; and user choice allowing users to control when updates install. For the scenario described requiring automatic installation during 2 AM to 4 AM, windowed installation with appropriate window configuration provides the necessary control.
When configuring windowed installation, administrators specify the start and end times for the installation window using 24-hour time format. Setting a window from 2 AM (02:00) to 4 AM (04:00) instructs Android devices to automatically install pending system updates only during this two-hour period. Devices monitor for pending updates and when updates are available, wait until the specified window begins before initiating installation. The update process includes downloading update packages, applying updates, and rebooting devices to complete installation, all occurring within the defined window.
A is correct because device configuration profiles include system update policy settings that allow specifying installation windows for automatic update deployment during defined time periods like 2 AM to 4 AM maintenance windows. B is incorrect because compliance policies evaluate whether devices meet requirements like minimum OS versions but do not configure system update installation behavior or scheduling—they check state rather than automate updates. C is incorrect because while device restrictions may include some update-related settings, the granular scheduling of automatic update installation within maintenance windows requires dedicated system update policy configuration in device configuration profiles. D is incorrect because app configuration policies configure application-specific settings rather than system-level behaviors like Android update installation, which is managed through device configuration profiles.
Question 110:
You are configuring Microsoft Intune to deploy a Win32 application that has multiple language versions. Users should automatically receive the version matching their Windows display language. How should you handle this requirement?
A) Create separate Win32 apps for each language version and use requirement rules with PowerShell script detecting display language
B) Create a single Win32 app with installation command that detects language and installs appropriate version
C) Use app configuration policy to specify language preferences before installation
D) Deploy all language versions and let users select preferred language after installation
Answer: B
Explanation:
Application deployment scenarios involving multiple configurations, versions, or languages require careful design to ensure users receive appropriate installations without manual selection or complex assignment logic. Understanding how to leverage intelligent installation logic within Win32 app deployment versus managing deployment complexity through multiple app packages and detection rules helps administrators create maintainable, scalable deployment solutions that provide appropriate user experiences.
The Win32 app packaging and deployment model in Intune provides flexibility through customizable installation commands that can execute complex logic during installation. Rather than treating installation as a simple command execution, Win32 apps can use batch scripts, PowerShell scripts, or executable wrappers that make runtime decisions about installation behavior based on device state, user preferences, or environmental conditions. For multi-language applications, embedding language detection within the installation command creates dynamic installations that automatically adapt to device configuration.
The installation command approach involves packaging all language versions of the application into the Win32 app package created by the Microsoft Win32 Content Prep Tool, creating an installation script (PowerShell or batch) that detects the Windows display language using built-in operating system functions, selecting the appropriate language-specific installer or installation parameters based on detected language, executing the installation with language-appropriate settings, and reporting success or failure through appropriate exit codes. This self-contained approach keeps all language versions within a single manageable application package.
PowerShell provides straightforward methods for detecting Windows display language through .NET Framework classes or Windows Management Instrumentation queries. A simple PowerShell script can query the current display language code (like “en-US”, “fr-FR”, “de-DE”), use conditional logic to map language codes to appropriate installer files or command-line parameters, and execute the correct installation. For example, the script might check if the display language is French and execute “setup.exe /lang:fr /silent”, or if English execute “setup.exe /lang:en /silent”.
B is correct because creating a single Win32 app with an intelligent installation command that detects the Windows display language and installs the appropriate language version provides the most maintainable and user-friendly solution, keeping all language versions in one manageable package. A is incorrect because while creating separate Win32 apps with requirement rules would work functionally, it creates significant management complexity requiring multiple app objects, complex requirement scripts, and multiplied maintenance effort compared to the single-app approach. C is incorrect because app configuration policies configure application behavior after installation rather than controlling which installation version or language to deploy—language selection occurs during installation, not post-installation configuration. D is incorrect because deploying all language versions and requiring users to manually select languages provides poor user experience and unnecessary complexity compared to automatic language detection during installation.
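The installation wrapper the explanation describes, as an added example (not code from the page, from Microsoft, or from any product): it detects the display language, picks the matching silent install arguments, and returns the installer's exit code to Intune. Assumed: setup.exe sits next to the script inside the .intunewin package and accepts the "/lang:<code> /silent" form quoted above; the Intune install command would be "powershell.exe -NoProfile -ExecutionPolicy Bypass -File Install.ps1".

```powershell
# Install.ps1 - hypothetical wrapper for the multi-language Win32 app (added example).
$ErrorActionPreference = 'Stop'
$exitCode = 1

# Log next to the Intune Management Extension logs so the install can be reviewed later.
$logDir = Join-Path $env:ProgramData 'Microsoft\IntuneManagementExtension\Logs'
New-Item -ItemType Directory -Force -Path $logDir | Out-Null
Start-Transcript -Path (Join-Path $logDir 'MultiLangApp-Install.log') -Append | Out-Null

try {
    # Display language of the account running the installer, e.g. "fr-FR".
    # Caveat: if the Win32 app is assigned to install in the system context this is
    # the SYSTEM account's UI culture, not the logged-on user's; assign the app to
    # install in the user context for the detection to reflect the user's setting.
    $tag     = [System.Globalization.CultureInfo]::CurrentUICulture.Name
    $primary = ($tag -split '-')[0].ToLowerInvariant()      # "fr-FR" -> "fr"

    # Languages shipped in the package (assumed); anything else falls back to English.
    $supported = @{ 'en' = 'en'; 'fr' = 'fr'; 'de' = 'de' }
    $lang = if ($supported.ContainsKey($primary)) { $supported[$primary] } else { 'en' }
    Write-Host "Display language '$tag' -> installing language '$lang'"

    $setup = Join-Path $PSScriptRoot 'setup.exe'
    if (-not (Test-Path $setup)) { throw "setup.exe not found in package at $setup" }

    # Run the language-specific silent install synchronously and keep its exit code;
    # Intune treats 0 as success and 3010 as "soft reboot required" by default.
    $proc = Start-Process -FilePath $setup -ArgumentList "/lang:$lang", '/silent' -Wait -PassThru
    Write-Host "setup.exe exited with $($proc.ExitCode)"
    $exitCode = $proc.ExitCode
}
catch {
    Write-Host "Install failed: $($_.Exception.Message)"
    $exitCode = 1
}
finally {
    Stop-Transcript | Out-Null
}

exit $exitCode
```

Detection remains a separate rule on the Win32 app (for example the product's uninstall registry key); the wrapper's exit code reports the install result but does not by itself mark the app as detected.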
Question 111:
You manage Windows 11 devices using Microsoft Intune. You need to configure a policy that prevents users from accessing the Registry Editor (regedit.exe). What should you configure?
A) Device restrictions profile blocking Registry Editor access
B) Windows Defender Application Control policy preventing regedit.exe execution
C) Settings Catalog with policy preventing Registry Editor execution
D) Endpoint protection policy with Registry Editor restrictions
Answer: C
Explanation:
Windows provides various mechanisms for controlling application execution and system tool access, each designed for different security scenarios and administrative control requirements. Understanding which policy types and configuration methods apply to specific restrictions like preventing Registry Editor access ensures administrators select appropriate tools that achieve security objectives while maintaining system functionality and supportability.
Settings Catalog in Microsoft Intune provides comprehensive access to thousands of Windows configuration settings, including granular controls over system tool access. Among these settings are Administrative Templates policies that correspond to traditional Group Policy settings, providing familiar controls for IT professionals transitioning from on-premises Group Policy management to cloud-based Intune management. Within Settings Catalog, a specific policy exists for preventing access to registry editing tools, covering Registry Editor (regedit.exe) and, on older systems, regedt32.exe.
The “Prevent access to registry editing tools” policy in Settings Catalog, when enabled, blocks users from launching Registry Editor through any method including running regedit.exe directly, launching through Run dialog, accessing through search, or invoking through command-line interfaces. When users attempt to launch blocked registry editing tools, Windows displays an error message indicating that the tool has been disabled by the administrator. This system-level enforcement prevents registry modification through standard Windows tools regardless of user privileges.
C is correct because Settings Catalog provides access to specific Windows policy settings including “Prevent access to registry editing tools” that directly blocks Registry Editor execution through system-level enforcement. A is incorrect because device restrictions profiles typically focus on broader feature categories rather than granular controls over specific system utilities like Registry Editor—this specific control is found in Settings Catalog. B is incorrect because Windows Defender Application Control is designed for comprehensive application whitelisting scenarios rather than selectively blocking individual system tools, making it overly complex for simply preventing Registry Editor access. D is incorrect because endpoint protection policies focus on security features like antivirus, firewall, and threat protection rather than controlling access to administrative system tools like Registry Editor.
Question 112:
Your organization uses Microsoft Intune to manage iOS devices. You need to configure a policy that prevents users from using Siri to access content when devices are locked. What should you configure?
A) Device restrictions profile with “Block Siri while device is locked” setting enabled
B) Device features profile with Siri lock screen access settings
C) App protection policy preventing Siri access to managed apps
D) Compliance policy requiring Siri lock screen access disabled
Answer: A
Explanation:
iOS device management through Intune provides extensive controls over built-in features and capabilities including voice assistants like Siri, which present both convenience and security considerations. Understanding how to properly restrict Siri access from lock screens prevents potential information disclosure or unauthorized actions while maintaining Siri functionality during normal authenticated device usage, balancing security requirements with user experience expectations.
Device restrictions profiles for iOS include comprehensive settings organized by category that control various device features and capabilities. Within the Built-in Apps category or Lock Screen Experience category depending on interface organization, administrators find settings specifically controlling Siri behavior including whether Siri is allowed at all on managed devices, whether Siri can access content while devices are locked, whether Siri can search user-generated content, and whether profanity filtering applies to Siri interactions. These granular controls allow organizations to tailor Siri restrictions to specific security policies.
A is correct because device restrictions profiles include specific settings to block Siri functionality while devices are locked, preventing lock screen information access while maintaining Siri availability during authenticated device usage. B is incorrect because device features profiles configure functionality deployments like home screen layouts and web clips rather than security restrictions like blocking lock screen Siri access—restrictions are configured in device restrictions profiles. C is incorrect because app protection policies provide application-level data protection rather than controlling system-level features like Siri lock screen access, which operates at the device level through MDM restrictions. D is incorrect because compliance policies evaluate device state and check whether requirements are met but do not actively prevent or restrict features like Siri lock screen access—they verify state rather than enforce restrictions.
Question 113:
You are configuring Windows Update for Business in Microsoft Intune. You need to ensure that devices install quality updates within 7 days of release but never automatically restart during business hours (8 AM to 6 PM). What should you configure?
A) Update ring with quality update deadline of 7 days and active hours set to 8 AM – 6 PM
B) Update ring with quality update deferral of 7 days and restart restrictions
C) Feature update policy with 7-day installation requirement and business hours protection
D) Windows Update policy with automatic installation and manual restart
Answer: A
Explanation:
Windows Update for Business provides comprehensive control over update deployment timing and restart behavior through update rings that balance security currency with user productivity. Understanding the distinction between deferral periods that delay when updates become available versus deadlines that enforce when available updates must install, combined with active hours configuration that protects user productivity time from forced restarts, enables administrators to design update policies that maintain security posture while respecting business operations.
Update rings in Intune for Windows Update for Business include separate controls for quality updates and feature updates, each with configurable deferral periods and deadlines. Deferral periods specify how many days after Microsoft releases updates before they become available to managed devices, providing organizations time to test updates before broad deployment or simply delaying deployment for operational reasons. Deadlines specify how many days after updates become available that devices must install them, creating enforcement windows that ensure updates don’t remain uninstalled indefinitely due to user postponement.
For the scenario requiring installation within 7 days of release, setting the quality update deadline to 7 days while keeping deferral at 0 days achieves the objective. With 0-day deferral, quality updates become available to devices immediately upon release from Microsoft. The 7-day deadline means that once updates are available, devices have 7 days to install them before Windows enforces installation. This configuration ensures updates install within 7 days from release (0 days deferral + 7 days deadline = 7 days maximum) while allowing flexible installation timing within that window.
A is correct because configuring an update ring with a quality update deadline of 7 days (with 0 days of deferral) ensures installation within 7 days of release, while active hours set to 8 AM – 6 PM prevents automatic restarts during business hours, balancing security enforcement with productivity protection. B is incorrect because a quality update deferral of 7 days delays when updates become available rather than enforcing installation within 7 days of release, and doesn’t specify the deadline enforcement that ensures installation occurs within the required timeframe. C is incorrect because feature update policies control major Windows version updates rather than quality updates containing security patches, making them inappropriate for the scenario requiring quality update management with business hours restart protection. D is incorrect because a generic “Windows Update policy with automatic installation and manual restart” doesn’t provide the specific deadline enforcement and active hours protection that update rings offer—update rings provide the granular control needed for this requirement.
Question 114:
Your organization uses Microsoft Intune to manage macOS devices. You need to deploy a custom screen saver configuration that activates after 10 minutes of inactivity and requires password entry to wake. What should you create?
A) Custom configuration profile with preference domain plist for screen saver settings
B) Device restrictions profile with screen saver timeout and password requirements
C) Endpoint protection profile with screen lock settings
D) Device features profile with display and security settings
Answer: A
Explanation:
macOS device management through Intune leverages Apple’s MDM protocol which uses property list (plist) files to configure system preferences and application settings. Understanding when to use custom configuration profiles with plist files versus built-in profile templates requires knowledge of which settings Intune exposes through simplified interfaces versus which require direct plist configuration. Screen saver configuration represents settings that typically require custom plist deployment rather than being available through standard profile templates.
Custom configuration profiles in Intune allow deploying preference domain plist files that configure specific macOS settings by directly specifying configuration keys and values in XML format. These profiles provide access to the full breadth of macOS configuration options including settings not exposed through Intune’s built-in profile templates. For screen saver configuration specifically, the com.apple.screensaver preference domain controls screen saver behavior including idle time before activation, which screen saver module displays, and whether password entry is required to wake from screen saver.
A is correct because custom configuration profiles with preference domain plist files provide the mechanism for deploying specific macOS screen saver settings including timeout durations and password requirements that aren’t available through standard Intune profile templates. B is incorrect because device restrictions profiles for macOS typically focus on blocking or allowing features rather than providing the granular screen saver configuration with specific timeout values and security requirements—custom configuration profiles handle detailed preference settings. C is incorrect because endpoint protection profiles focus on security features like FileVault and firewall rather than screen saver configuration, which is managed through system preferences and custom configuration profiles. D is incorrect because device features profiles deploy functionality like AirPrint and login items rather than configuring security-focused settings like screen saver timeout and password requirements—custom configuration profiles are appropriate for screen saver security settings.
Question 115:
You are configuring app protection policies for Android devices. You need to ensure that managed applications automatically wipe their data if devices are offline for more than 90 days. What should you configure?
A) Conditional launch setting with offline interval of 90 days and wipe data action
B) Access requirements with 90-day re-authentication period triggering data wipe
C) Data transfer settings with 90-day offline timeout and automatic data removal
D) Compliance policy with offline device detection and automated wipe command
Answer: A
Explanation:
App protection policies provide comprehensive data protection controls that function even when devices are not enrolled in full device management, making them ideal for bring-your-own-device scenarios where organizations need to protect corporate data without managing entire devices. Understanding the conditional launch framework within app protection policies enables administrators to configure automated responses to security conditions including extended offline periods that might indicate lost, stolen, or abandoned devices containing corporate data.
Conditional launch settings in app protection policies define conditions that trigger specific actions when certain thresholds are exceeded or requirements aren’t met. These conditions monitor various device and application states including offline duration measuring time since devices last connected to app protection policy services, maximum OS version and minimum OS version ensuring devices run acceptable operating system releases, jailbroken or rooted device detection identifying compromised devices, maximum PIN attempts protecting against brute force PIN guessing, and disabled account detection identifying when user accounts are deactivated in Azure AD. For each condition, administrators configure both the threshold value and the action taken when exceeded.
A is correct because conditional launch settings in app protection policies include offline interval configuration that triggers specified actions like data wipe when devices remain offline beyond configured thresholds, providing automated corporate data protection for potentially lost or compromised devices. B is incorrect because access requirements control authentication frequency and methods but don’t include extended offline interval monitoring with automated data wipe capabilities—conditional launch settings handle time-based condition monitoring and automated responses. C is incorrect because data transfer settings control how corporate data moves between applications during active data transfer operations but don’t monitor offline duration or trigger automated data wipes based on connectivity status—conditional launch handles offline interval enforcement. D is incorrect because compliance policies apply to enrolled devices and check device security state but don’t manage app protection policy conditional launch behaviors or trigger selective data wipes from applications for unenrolled devices—app protection policy conditional launch provides this capability.
Question 116:
You manage Windows 11 devices using Microsoft Intune. You need to deploy a PowerShell script that runs every time a user logs in and completes before the desktop loads. What should you configure?
A) PowerShell script with “Run script in user context” and “Run script at every login” configured
B) Proactive remediation with detection script running at user login
C) PowerShell scripts cannot run before desktop loads; use scheduled tasks instead
D) PowerShell script with “Run in system context” and login trigger
Answer: C
Explanation:
Understanding the capabilities and limitations of different script deployment mechanisms in Intune helps administrators design appropriate solutions that work within platform constraints. PowerShell scripts deployed through Intune’s script deployment feature execute during policy sync cycles after devices are operational and users are logged in, rather than during early boot or login sequences before desktop presentation.
Intune PowerShell script deployment provides valuable automation for configuration tasks, compliance remediation, information gathering, and administrative operations. Scripts can execute in user or system context, run once or repeatedly on schedules, and report success or failure back to Intune for monitoring. However, these scripts execute through the Intune Management Extension service which operates after Windows has fully loaded, user profiles are initialized, and desktop environments are available. The timing doesn’t support pre-desktop execution requirements.
For scripts that must execute during user login before desktop loads, Windows scheduled tasks provide the appropriate mechanism. Scheduled tasks can be configured with “At log on” triggers that execute during the Windows logon sequence before explorer.exe launches and desktop appears. These tasks can run scripts, executables, or other programs synchronously, blocking login progression until completion if configured appropriately.
Deploying scheduled tasks through Intune requires using device configuration profiles with custom OMA-URI settings targeting the Task Scheduler CSP, or using PowerShell scripts that create scheduled tasks during their execution. The initial script deployment creates the scheduled task configuration, after which the scheduled task handles the actual login-time script execution with appropriate timing.
C is correct because Intune PowerShell scripts execute during policy sync after desktop loads rather than during login sequences, requiring scheduled tasks for pre-desktop execution. A is incorrect because while scripts can run at every login in user context, they execute after desktop loads through Intune Management Extension rather than during login sequence. B is incorrect because proactive remediations run on schedules during operational periods rather than specifically at login before desktop loads. D is incorrect because system context doesn’t change execution timing—scripts still run after desktop loads through Intune Management Extension.
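The two-stage approach from the explanation, as an added example (not code from the page or from Microsoft): an Intune PowerShell script, deployed once in the system context, registers a scheduled task with an at-logon trigger, and the task then runs the logon script for every user. Assumed, hypothetical names: the task "Contoso-UserLogon" and the script path C:\ProgramData\Contoso\Logon.ps1; the logon script body here is a constructed placeholder.

```powershell
# Deploy-LogonTask.ps1 - added example; deploy via Intune > Scripts, system context.
$ErrorActionPreference = 'Stop'
$taskName   = 'Contoso-UserLogon'                      # assumed task name
$scriptPath = 'C:\ProgramData\Contoso\Logon.ps1'       # assumed script location

# Stage the logon script. Created by SYSTEM, so standard users inherit read access
# only; the task executes this file, so only administrators should be able to edit it.
New-Item -ItemType Directory -Force -Path (Split-Path $scriptPath) | Out-Null
@'
# Constructed placeholder logon script; replace with the real per-user logic.
Start-Transcript -Path "$env:LOCALAPPDATA\Contoso-Logon.log" -Append | Out-Null
Write-Host "Logon task ran for $env:USERNAME at $(Get-Date -Format o)"
Stop-Transcript | Out-Null
'@ | Set-Content -Path $scriptPath -Encoding UTF8

# Action: run the script hidden and non-interactively so no console window appears.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File `"$scriptPath`""

# Trigger: every interactive logon by any user (omitting -User means all users).
$trigger = New-ScheduledTaskTrigger -AtLogOn

# Principal: run as the user who is logging on, without elevation (least privilege).
$principal = New-ScheduledTaskPrincipal -GroupId 'BUILTIN\Users' -RunLevel Limited

# Settings: cap runtime so a hung script cannot stall the session; ignore overlapping runs.
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries `
    -ExecutionTimeLimit (New-TimeSpan -Minutes 5) -MultipleInstances IgnoreNew

# -Force replaces an existing task of the same name, so re-running the deploy script is safe.
Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# Exit 0 only if the task is registered and enabled, so Intune reports the script accurately.
$task = Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue
if ($null -eq $task -or $task.State -eq 'Disabled') { exit 1 }
exit 0
```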
Question 117:
Your organization uses Microsoft Intune to manage iOS devices. You need to prevent users from adding new email accounts to the native Mail app. What should you configure?
A) Device restrictions profile blocking mail account modification
B) Email profile with exclusive account settings
C) App configuration policy for Mail app restricting account additions
D) Compliance policy requiring single managed email account
Answer: A
Explanation:
iOS device restrictions provide granular control over built-in application features and system capabilities including email account management in the native Mail app. Understanding how to properly restrict email account modifications prevents users from adding personal email accounts that could be used to exfiltrate corporate data or receive unmanaged content while maintaining managed corporate email access.
Device restrictions profiles for iOS include settings organized by category that control various device and application features. Within the Built-in Apps category, restrictions exist for Mail app behavior including whether users can modify mail accounts, whether Mail app access is allowed at all, and whether specific mail-related features are restricted. The “Block modification of account settings” or similar setting prevents users from adding, removing, or modifying email accounts through iOS Settings.
This restriction is particularly important for data loss prevention because the native Mail app can be used to forward corporate emails to personal accounts, send corporate data to external addresses, or receive potentially malicious content from unmanaged sources. By restricting account modifications, organizations ensure that only IT-deployed managed email accounts exist in the Mail app, maintaining control over corporate communication channels.
The restriction works by making account management interfaces inaccessible or non-functional. When users navigate to Settings > Mail > Accounts, options to add accounts are disabled or hidden, existing account configurations cannot be modified, and removal options are unavailable for managed accounts. Corporate email accounts deployed through MDM email profiles remain functional while user-initiated account changes are prevented.
A is correct because device restrictions profiles include specific settings to block mail account modification, preventing users from adding new email accounts to the native Mail app. B is incorrect because email profiles deploy managed email configurations but don’t prevent users from adding additional accounts—restrictions must explicitly block account modifications. C is incorrect because app configuration policies configure application settings rather than restricting iOS system-level account management capabilities. D is incorrect because compliance policies check device state but don’t prevent account additions—restrictions enforce prevention.
Question 118:
You are configuring Microsoft Intune to deploy certificates to Windows 11 devices for VPN authentication. The certificates must be stored in the Trusted Platform Module (TPM). What certificate deployment method should you use?
A) SCEP certificate profile with TPM key storage provider configured
B) PKCS certificate profile with hardware-based key protection
C) Certificate deployment through PowerShell with TPM commands
D) Manual certificate installation with TPM storage option
Answer: A
Explanation:
Certificate-based authentication security depends not only on certificate validity and proper issuance but also on protecting private keys from extraction or compromise. Storing private keys in hardware security modules like Trusted Platform Modules provides significantly stronger protection than software-based key storage because TPM-protected keys cannot be extracted from the hardware, preventing key theft even if operating systems are compromised.
SCEP certificate profiles in Intune support configuring the key storage provider that Windows uses when generating certificate key pairs during enrollment. The key storage provider determines where private keys are stored and how they’re protected. Options include software-based storage in the Windows certificate store or hardware-based storage in the TPM. Configuring “TPM” as the key storage provider instructs Windows to generate keys within the TPM and store private keys in TPM-protected storage.
When SCEP certificates are requested with TPM key storage, the enrollment process generates the key pair directly in the TPM chip rather than in software. The private key never exists outside the TPM, even temporarily during generation. All cryptographic operations using the private key occur within the TPM hardware, with the private key material never exposed to the operating system or applications. This hardware isolation provides strong protection against various key extraction attacks.
TPM key storage requirements mean devices must have TPM chips present and enabled. Modern Windows 11 devices include TPM 2.0 as a hardware requirement, ensuring TPM availability for certificate protection. SCEP profile configuration includes validation that TPM is available before attempting enrollment, preventing failures on devices without TPM capability.
A is correct because SCEP certificate profiles include key storage provider configuration that can specify TPM storage, ensuring private keys are generated and stored in hardware-protected TPM. B is incorrect because while PKCS profiles can deploy certificates, the key storage location for PKCS is determined when certificates are issued rather than configured in the profile, and standard PKCS doesn’t provide the TPM storage specification that SCEP offers. C is incorrect because PowerShell certificate deployment doesn’t integrate with Intune’s certificate lifecycle management and would require complex scripting to achieve TPM storage. D is incorrect because manual installation doesn’t provide the automated TPM storage configuration or management integration that SCEP profiles offer.
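A verification check to pair with the SCEP profile above, as an added example (not code from the page or from Microsoft): it reports which key storage provider holds each VPN certificate's private key, so an administrator can confirm the TPM setting actually took effect on a device. "Microsoft Platform Crypto Provider" is the TPM KSP; "Microsoft Software Key Storage Provider" means the key is in software. Assumed, hypothetical: the issuing CA name "Contoso Issuing CA" used to select the certificates; run elevated because Get-Tpm requires it.

```powershell
# Test-TpmCertKeys.ps1 - added example; reports the KSP backing each VPN certificate key.
param([string]$IssuerMatch = '*Contoso Issuing CA*')   # assumed issuer filter

function Get-KeyProviderName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { return $null }
    # CNG keys (which both the software KSP and the TPM KSP create) expose their
    # provider through CngKey; RSA and ECDSA keys need different accessor methods.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) { return $rsa.Key.Provider.Provider }
    $ec = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($Cert)
    if ($ec -is [System.Security.Cryptography.ECDsaCng]) { return $ec.Key.Provider.Provider }
    return 'legacy CSP (not a CNG key)'
}

# Platform sanity check first: without a present and ready TPM, no key can be TPM-protected
# and a SCEP profile configured to require the TPM KSP will fail enrollment on this device.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    Write-Warning "TPM present=$($tpm.TpmPresent) ready=$($tpm.TpmReady); TPM-backed enrollment cannot succeed here."
}

# Machine store is where device SCEP certificates for VPN authentication are placed.
$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Issuer -like $IssuerMatch }
if (-not $certs) { Write-Warning "No certificates issued by '$IssuerMatch' found in LocalMachine\My." }

foreach ($c in $certs) {
    $ksp = Get-KeyProviderName -Cert $c
    [pscustomobject]@{
        Subject    = $c.Subject
        Thumbprint = $c.Thumbprint
        NotAfter   = $c.NotAfter
        Provider   = $ksp
        TpmBacked  = ($ksp -eq 'Microsoft Platform Crypto Provider')
    }
}
```

A row with TpmBacked = False on a TPM-capable device usually means the profile's key storage provider option allowed a software fallback, or the certificate was issued before the profile was updated.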
Question 119:
Your organization uses Microsoft Intune to manage Android Enterprise devices. You need to configure a policy that prevents screenshots in managed applications containing customer data. What should you configure?
A) App protection policy with “Block screen capture and Google Assistant” enabled
B) Device restrictions profile blocking screenshots system-wide
C) App configuration policy for applications with screenshot prevention settings
D) Compliance policy requiring screenshot blocking for customer data apps
Answer: A
Explanation:
Data loss prevention for mobile applications requires controls preventing users from capturing and exfiltrating sensitive information through various device features. Screenshot blocking represents a critical control preventing visual data capture from applications displaying confidential information. App protection policies provide application-level screenshot blocking that functions independently of device enrollment, making them ideal for protecting corporate data in BYOD scenarios.
App protection policies include data protection settings that control various data leakage vectors including screenshot capture. The “Block screen capture and Google Assistant” setting prevents the Android operating system from allowing screenshot capture when protected applications are in the foreground. When enabled, applications integrated with the Intune App SDK set the FLAG_SECURE window flag instructing Android to prevent screen capture, screen recording, and viewing on non-secure displays.
A is correct because app protection policies include “Block screen capture and Google Assistant” setting specifically designed to prevent screenshots in managed applications, providing application-level data protection. B is incorrect because device restrictions blocking screenshots system-wide would prevent screenshots in all applications including personal apps, which is overly restrictive for BYOD devices—application-level blocking is more appropriate. C is incorrect because app configuration policies configure application settings rather than enforcing security controls like screenshot blocking—app protection policies provide data loss prevention features. D is incorrect because compliance policies check device state but don’t actively prevent functionality like screenshot capture—app protection policies enforce prevention.
Question 120:
You manage Windows 11 devices using Microsoft Intune. You need to configure Windows Hello for Business to allow biometric authentication but require PIN as a fallback if biometrics fail. What should you configure?
A) Account protection policy enabling Windows Hello for Business with both biometric and PIN authentication methods
B) Windows Hello for Business policy with biometric-only authentication
C) Device restrictions allowing biometric authentication with PIN backup
D) Compliance policy requiring both biometric and PIN configuration
Answer: A
Explanation:
Windows Hello for Business provides flexible authentication options supporting biometric authentication (fingerprint or facial recognition) and device-specific PINs as alternative or complementary authentication methods. Understanding how to configure both methods while establishing appropriate fallback relationships ensures users can always authenticate even when biometric systems temporarily fail or are unavailable.
Account protection policies in Endpoint security provide dedicated interfaces for Windows Hello for Business configuration including authentication method settings. The policy allows enabling both biometric authentication and PIN authentication simultaneously, creating a tiered authentication system where biometrics provide convenient primary authentication and PIN serves as reliable fallback when biometric authentication fails or is unavailable.
Windows Hello for Business authentication workflow attempts biometric authentication first when available. If biometric hardware exists and is functional, users authenticate using fingerprints or facial recognition. If biometric authentication fails due to hardware malfunction, environmental conditions affecting sensors, or repeated failed biometric attempts, Windows automatically offers PIN authentication as fallback. This graceful degradation ensures authentication remains possible even when preferred methods temporarily fail.
The dual-method configuration requires establishing PIN requirements including minimum PIN length, complexity requirements, and whether special characters are allowed. Even on devices with biometric capabilities, users must establish PINs during Windows Hello for Business enrollment to ensure fallback authentication is always available. The PIN creation occurs during initial setup or when Hello for Business enrollment is triggered after policy deployment.
A is correct because account protection policies support enabling both biometric and PIN authentication methods in Windows Hello for Business, providing biometric convenience with PIN fallback reliability. B is incorrect because biometric-only authentication eliminates fallback options when biometric systems fail, potentially locking users out when sensors malfunction. C is incorrect because device restrictions control feature availability rather than configuring authentication method relationships in Windows Hello for Business—account protection policies handle Hello configuration. D is incorrect because compliance policies check whether authentication methods are configured but don’t configure Windows Hello for Business itself—account protection policies configure the authentication system.