Question 141:
You manage Windows 11 devices using Microsoft Intune. You need to prevent users from installing unsigned drivers. What should you configure?
A) Settings Catalog with driver installation restriction policies
B) Device restrictions profile blocking unsigned driver installation
C) Windows Defender Application Control policy requiring signed drivers
D) Endpoint protection policy with driver signing requirements
Answer: A
Explanation:
Driver installation security is critical for maintaining system integrity because malicious or poorly written drivers execute with kernel-level privileges and can compromise entire systems. Understanding how to configure driver signing requirements through appropriate policy mechanisms ensures only properly signed drivers from trusted sources can install on managed devices.
Settings Catalog in Microsoft Intune provides access to comprehensive Windows configuration settings including policies related to device installation and driver signing requirements. Within Settings Catalog, administrators can find policies that enforce driver signature verification, prevent installation of unsigned drivers, and control which certificate authorities are trusted for driver signing. These policies leverage Windows security features that validate driver signatures during installation attempts.
Driver signing verification ensures drivers come from known sources and haven’t been tampered with since signing. Windows includes built-in driver signature enforcement that can be configured through policies to require all drivers be digitally signed by trusted publishers. When unsigned drivers attempt installation, Windows blocks the installation and logs events indicating signature verification failure.
The relevant policies in Settings Catalog include settings under device installation categories that specify whether to allow installation of devices with drivers that Windows cannot verify as signed by trusted publishers. Configuring these policies to block unsigned driver installation creates strong protection against malware distributed through driver installation vectors or poorly tested drivers that could cause system instability.
Implementation involves creating a Settings Catalog policy, searching for the device installation or driver-signing related settings, configuring them to require signed drivers or block unsigned drivers, and assigning the policy to device groups. The policy deploys to Windows devices, where the operating system enforces the driver signing requirement at driver installation time and prevents unsigned drivers from loading.
Device restrictions profiles provide simplified interfaces for common restrictions but typically don’t include the granular driver signing enforcement policies available in Settings Catalog. Settings Catalog provides more direct access to specific security policies needed for driver installation control.
A is correct because Settings Catalog provides access to Windows driver installation restriction policies that enforce driver signature requirements and prevent unsigned driver installation. B is incorrect because device restrictions profiles don’t typically include the specific driver signing enforcement policies—Settings Catalog provides more comprehensive access to driver installation security settings. C is incorrect because Windows Defender Application Control focuses on application execution control rather than driver installation restrictions, though WDAC can include driver rules in comprehensive application control policies. D is incorrect because endpoint protection policies focus on antivirus, firewall, and threat protection rather than driver installation restrictions—Settings Catalog provides driver installation security policies.
Question 142:
Your organization uses Microsoft Intune to manage iOS devices. You need to deploy a managed home screen layout that places specific corporate applications on the first home screen page. What should you create?
A) Device configuration profile with home screen layout specifying app positions
B) App deployment policy with home screen placement settings
C) Device restrictions profile organizing application icons
D) Supervised device configuration with mandatory app layout
Answer: A
Explanation:
iOS device management provides capabilities for controlling home screen organization through managed home screen layouts that define where application icons appear, how they’re organized into folders, and which applications must be present in specific locations. Understanding how to properly configure home screen layouts through device configuration profiles ensures consistent user experiences and easy access to corporate applications.
Device configuration profiles for iOS include device features templates that provide configuration for platform-specific capabilities including home screen layout management. Home screen layout configuration allows administrators to specify exactly which applications appear on each home screen page, their positions on those pages, folder organization with specific apps grouped together, page order and arrangement, and dock contents showing apps that remain accessible from all home screens.
The home screen layout configuration uses a hierarchical structure where administrators define pages containing either individual application icons or folders. Applications are identified by their bundle identifiers (such as com.microsoft.Office.Outlook for Outlook), ensuring correct application placement regardless of app display names or localization. Folders can contain multiple applications organized together for related functionality or departmental purposes.
Creating managed home screen layouts involves designing the desired organization (which apps appear where), creating a device configuration profile that uses the device features template, configuring the home screen layout settings with pages, apps, and folders, specifying the bundle identifier for each application to be positioned, and assigning the profile to the user or device groups containing the corporate iOS devices that require standardized home screens.
When profiles deploy to supervised iOS devices, the operating system enforces the home screen layout by arranging icons according to the configuration. Users can still add additional applications to pages not managed by the profile, but managed pages and positions remain fixed according to organizational configuration. This partial management allows user personalization while ensuring corporate applications remain accessible in expected locations.
Supervision is typically required for home screen layout management because this capability represents enhanced MDM control beyond standard user enrollment. Devices enrolled through Apple Business Manager and Automated Device Enrollment are automatically supervised, enabling home screen layout and other advanced management features.
A is correct because device configuration profiles with device features template and home screen layout settings provide the proper mechanism for deploying managed home screen organizations positioning corporate applications. B is incorrect because app deployment policies deploy applications to devices but don’t control home screen positioning—home screen layout is configured through device configuration profiles. C is incorrect because device restrictions profiles control feature availability and restrictions rather than organizing icon placement—device features profiles with home screen layout handle icon organization. D is incorrect because while supervision is required, “supervised device configuration” is not a distinct policy type—device configuration profiles with device features are the proper mechanism.
Question 143:
You are configuring Windows Update for Business in Microsoft Intune. You need to ensure devices install feature updates only after they have been available for 60 days. What should you configure?
A) Update ring with feature update deferral period set to 60 days
B) Feature update policy targeting specific version with 60-day delay
C) Update ring with quality update deferral of 60 days
D) Windows Update policy with 60-day feature update postponement
Answer: A
Explanation:
Windows Update for Business distinguishes between quality updates containing monthly security patches and bug fixes versus feature updates introducing major Windows version changes. Understanding how to properly configure deferral periods for each update type allows organizations to maintain security currency with rapid quality update deployment while carefully controlling feature update rollout with extended testing periods.
Update rings in Intune provide separate deferral configuration for quality updates and feature updates, recognizing that these update types have different impacts and require different deployment strategies. Feature update deferrals delay when new Windows versions become available to managed devices after Microsoft releases them publicly, providing organizations time to test compatibility with line-of-business applications, validate hardware driver support, prepare user training materials, and plan deployment schedules.
Setting feature update deferral to 60 days means devices will not see or receive feature updates until 60 days after Microsoft’s public release. During this deferral period, pilot groups or test devices with shorter deferrals can validate the feature update while production devices continue running previous Windows versions. After the 60-day deferral expires, feature updates become available to devices according to additional policy settings like deadlines or servicing channels.
The deferral mechanism works by having Windows check its configuration policies during update scans and comparing current date against feature update release dates from Microsoft. If a feature update was released fewer than 60 days ago, Windows excludes it from available updates even though Microsoft is distributing it. Once 60 days have elapsed, the feature update becomes available subject to other policy constraints.
Feature update deferrals can range from 0 days (immediate availability) to maximum deferral periods supported by Windows Update for Business (typically up to 365 days). Organizations commonly use 30-90 day deferrals to balance getting new features with adequate testing time. Longer deferrals might be used for highly stable environments or systems running critical workloads where extensive validation is required.
Quality update deferrals serve different purposes, delaying monthly security patches which should generally be deployed rapidly to maintain security posture. Using quality update deferrals for feature update control would be inappropriate as these are separate update categories with different deferral settings.
A is correct because update rings include feature update deferral period settings that delay when feature updates become available to devices, with 60 days providing the specified testing window. B is incorrect because feature update policies target deployment of specific Windows versions rather than configuring deferral periods—update rings control deferral timing. C is incorrect because quality update deferrals control monthly security updates rather than major feature updates—separate feature update deferral settings control feature update timing. D is incorrect because “Windows Update policy” is less specific than update rings, which are the specific policy type providing feature update deferral configuration.
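The deferral arithmetic described above, as an added illustration that is not part of the original question set: a feature update is offered to a ring only once its public release date plus the ring's feature update deferral has passed, and the quality update deferral plays no part in that decision. The ring names, release dates and deferral values are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Windows Update for Business accepts feature update deferrals of 0 to 365 days
# (stated on the page as the typical maximum).
MAX_FEATURE_DEFERRAL_DAYS = 365


@dataclass(frozen=True)
class FeatureUpdate:
    name: str
    released: date  # Microsoft's public release date


@dataclass(frozen=True)
class UpdateRing:
    name: str
    feature_deferral_days: int  # delays feature updates (Windows version changes)
    quality_deferral_days: int  # delays monthly quality updates; separate setting

    def __post_init__(self) -> None:
        if not 0 <= self.feature_deferral_days <= MAX_FEATURE_DEFERRAL_DAYS:
            raise ValueError(
                f"{self.name}: feature deferral must be 0..{MAX_FEATURE_DEFERRAL_DAYS} days"
            )


def feature_update_available_on(update: FeatureUpdate, ring: UpdateRing) -> date:
    """First date on which devices in `ring` are offered `update`."""
    return update.released + timedelta(days=ring.feature_deferral_days)


def offered_feature_updates(updates, ring: UpdateRing, today: date):
    """Mimic the update scan: keep only releases whose deferral has elapsed.

    Note that only the feature deferral is consulted; a ring's quality
    deferral never delays (or hurries) a feature update.
    """
    return [u.name for u in updates if feature_update_available_on(u, ring) <= today]


def rollout_schedule(updates, rings):
    """Map each update to the date each ring first sees it, pilot rings first."""
    schedule = {}
    for u in updates:
        per_ring = {r.name: feature_update_available_on(u, r) for r in rings}
        schedule[u.name] = dict(sorted(per_ring.items(), key=lambda kv: kv[1]))
    return schedule


# Constructed sample data: one feature update and three rings with staggered deferrals.
SAMPLE_UPDATES = [FeatureUpdate("Windows 11 feature update (constructed)", date(2024, 1, 10))]
SAMPLE_RINGS = [
    UpdateRing("Pilot", feature_deferral_days=14, quality_deferral_days=0),
    UpdateRing("Broad", feature_deferral_days=30, quality_deferral_days=3),
    UpdateRing("Production", feature_deferral_days=60, quality_deferral_days=7),
]


if __name__ == "__main__":
    for name, per_ring in rollout_schedule(SAMPLE_UPDATES, SAMPLE_RINGS).items():
        print(name)
        for ring, first_seen in per_ring.items():
            print(f"  {ring:<11} first offered {first_seen.isoformat()}")
```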
Question 144:
You manage Android Enterprise devices using Microsoft Intune. You need to configure a device enrollment restriction that only allows enrollment of devices from specific manufacturers. What should you configure?
A) Device enrollment restrictions with device platform restrictions specifying allowed manufacturers
B) Compliance policy requiring specific device manufacturers
C) Device restrictions profile limiting enrollment to approved manufacturers
D) Conditional Access policy blocking enrollment from unauthorized manufacturers
Answer: A
Explanation:
Device enrollment restrictions in Microsoft Intune provide gatekeeping controls that determine which devices are permitted to enroll in management before enrollment occurs. Understanding how to properly configure enrollment restrictions based on device attributes like manufacturer helps organizations maintain standardized device fleets with known security characteristics and support profiles.
Device enrollment restrictions allow creating policies that permit or block enrollment based on various device characteristics including platform (Windows, iOS, Android, macOS), operating system version ranges, device manufacturer, personally owned versus corporate-owned designation, and other attributes. These restrictions are evaluated during enrollment attempts, blocking devices that don’t meet configured criteria before they complete enrollment and receive management policies.
For manufacturer-based restrictions, enrollment restriction policies include configuration options where administrators specify which device manufacturers are allowed or blocked. The configuration can use allowlist approaches permitting only explicitly approved manufacturers, blocklist approaches preventing specific manufacturers while allowing others, or combinations of both. Manufacturers are typically identified by standard manufacturer names as reported by devices during enrollment.
Android Enterprise enrollment restrictions can specify manufacturers like Samsung, Google (Pixel devices), Motorola, OnePlus, or other Android device makers. This manufacturer filtering helps organizations standardize on Android Enterprise Recommended devices or specific models known to receive timely security updates and support required business applications. Restricting enrollment to known manufacturers prevents users from enrolling unsupported or problematic devices.
When users attempt to enroll devices from unauthorized manufacturers, the enrollment process checks the enrollment restrictions, identifies that the device manufacturer doesn’t meet policy requirements, blocks enrollment with an error message indicating the device is not permitted, and logs the attempted enrollment for administrative review. Users cannot bypass the restrictions or complete enrollment with blocked devices.
Enrollment restrictions apply before devices are fully enrolled, making them more appropriate for manufacturer control than post-enrollment policies like compliance or device restrictions. Compliance policies could check manufacturer after enrollment and mark devices non-compliant, but enrollment restrictions prevent enrollment entirely, which is cleaner than allowing enrollment followed by immediate non-compliance.
A is correct because device enrollment restrictions include device platform restriction settings that can specify allowed device manufacturers, preventing enrollment of devices from unauthorized manufacturers. B is incorrect because compliance policies evaluate enrolled devices but don’t prevent enrollment—enrollment restrictions control enrollment eligibility before devices join management. C is incorrect because device restrictions profiles apply to enrolled devices controlling features and capabilities, not enrollment eligibility—enrollment restrictions control enrollment. D is incorrect because Conditional Access policies control access to cloud resources rather than device enrollment into Intune—enrollment restrictions control enrollment eligibility.
Question 145:
Your organization uses Microsoft Intune to manage devices. You need to create a report showing all devices that are non-compliant with their compliance status reason. What should you use?
A) Device compliance report with compliance status details
B) All devices report filtered by compliance state
C) Audit logs showing compliance evaluation events
D) Compliance policy assignment status report
Answer: A
Explanation:
Microsoft Intune provides specialized reporting capabilities for different management aspects, with compliance reporting specifically designed to track device compliance status, identify non-compliant devices, and provide detailed information about why devices fail compliance requirements. Understanding which reports provide specific information types ensures efficient access to needed data without manually filtering general-purpose reports.
Device compliance reports in Intune are purpose-built for tracking compliance policy evaluation results across the managed device fleet. These reports show comprehensive compliance information including which devices are compliant versus non-compliant, specific policies devices fail to meet, detailed compliance status reasons explaining why non-compliant devices don’t meet requirements, when compliance was last evaluated, and trends over time showing compliance improvement or degradation.
The compliance status reason details are particularly valuable for remediation because they indicate specific requirements devices fail to meet such as outdated operating system versions, missing encryption, BitLocker not enabled, jailbroken or rooted device detection, expired certificates, or password complexity requirements not met. This specificity allows IT teams to address root causes rather than generic “non-compliant” status.
Accessing device compliance reports typically involves navigating to Reports > Device compliance or Devices > Monitor > Compliance status in the Intune admin center. The compliance dashboard provides overview metrics showing overall fleet compliance percentage and non-compliant device counts, with drill-down capabilities to view device lists, filter by specific policies or compliance states, and export data for further analysis.
The report includes columns for device name, user, operating system, compliance status (compliant, non-compliant, not evaluated, grace period), specific compliance requirements failed, last check-in time, and assigned compliance policies. This comprehensive view provides complete context for understanding device compliance posture and planning remediation activities.
All devices reports provide general device inventory views showing all enrolled devices with various attributes, but compliance reports focus specifically on compliance evaluation results with richer detail about compliance status reasons. While you could filter all devices reports by compliance state, compliance-specific reports provide better default views and filtering options designed for compliance analysis.
A is correct because device compliance reports are specifically designed for tracking compliance status with detailed information about compliance status reasons for non-compliant devices. B is incorrect because while all devices reports can be filtered by compliance state, they don’t provide the compliance-focused details and compliance status reasons that dedicated compliance reports offer. C is incorrect because audit logs track administrative actions and system events rather than providing operational compliance status reporting—compliance reports are designed for compliance monitoring. D is incorrect because compliance policy assignment status shows which policies are assigned to devices but doesn’t provide the compliance evaluation results and status reasons that compliance status reports provide.
Question 146:
You are configuring Microsoft Intune to deploy certificates to iOS devices for email authentication. The certificate authority requires approval before issuing certificates. What certificate deployment method should you use?
A) PKCS certificate profile with certificate approval workflow
B) SCEP certificate profile with pending approval handling
C) Manual certificate deployment after approval process
D) Certificate deployment requiring approval is not supported; use automatic issuance
Answer: A
Explanation:
Certificate deployment methodologies differ in how they handle certificate issuance workflows, with some methods supporting automatic certificate issuance and others accommodating manual approval processes where certificate authorities require administrative review before issuing certificates. Understanding which deployment methods support approval workflows ensures proper integration with existing PKI infrastructure and security processes.
PKCS certificate profiles in Intune can integrate with certificate authorities through the Network Device Enrollment Service (NDES) connector and support certificate request workflows that include approval steps. When PKCS profiles are configured with certificate authorities requiring approval, the request process submits certificate signing requests to the CA, waits for administrator approval in the CA management interface, retrieves approved certificates after issuance, and deploys certificates to requesting devices.
The PKCS workflow accommodates approval-based certificate issuance by maintaining request state and periodically checking for certificate availability. After administrators review and approve pending certificate requests in the certificate authority management console, the NDES connector retrieves the issued certificates and Intune delivers them to requesting devices. This asynchronous workflow supports manual approval processes common in high-security environments.
Certificate authorities requiring approval typically implement this control for high-value certificates, certificates with extended validity periods, certificates with broad authorization scopes, or certificates issued to privileged users or sensitive systems. The approval step provides human oversight ensuring certificates are only issued for legitimate business purposes and to authorized requesters.
SCEP (Simple Certificate Enrollment Protocol) is designed for automated certificate enrollment and issuance without manual intervention. The SCEP protocol expects immediate certificate issuance upon valid request authentication, making it less suitable for environments requiring approval workflows. While SCEP provides excellent automation for high-volume certificate deployment, approval-based processes require the asynchronous capabilities that PKCS profiles provide.
Manual certificate deployment could theoretically accommodate approval workflows where administrators manually distribute approved certificates, but this approach eliminates the automation benefits of MDM certificate management, doesn’t scale for large device populations, lacks integration with Intune’s certificate lifecycle management, and creates operational burden tracking which devices need certificates and ensuring timely deployment.
A is correct because PKCS certificate profiles support integration with certificate authorities requiring approval workflows, accommodating manual approval steps in the certificate issuance process. B is incorrect because SCEP is designed for automated immediate certificate issuance without approval workflows—PKCS profiles better support approval-based certificate issuance. C is incorrect because manual certificate deployment eliminates MDM automation benefits and doesn’t scale effectively compared to PKCS profiles with approval workflow support. D is incorrect because certificate deployment with approval workflows is supported through PKCS certificate profiles with appropriate certificate authority integration.
Question 147:
You manage Windows 11 devices using Microsoft Intune. You need to configure a policy that requires devices to have TPM 2.0 before marking them as compliant. What should you configure?
A) Compliance policy with device health settings requiring TPM 2.0
B) Device restrictions profile requiring TPM for device security
C) BitLocker policy with TPM 2.0 requirement
D) Endpoint protection policy checking TPM availability
Answer: A
Explanation:
Trusted Platform Module (TPM) chips provide hardware-based security features including secure key storage, cryptographic operations, and hardware-rooted trust that significantly enhance device security posture. Understanding how to verify TPM presence and version through compliance policies ensures organizations can enforce minimum hardware security standards across their device fleets.
Compliance policies in Microsoft Intune evaluate device security state against defined requirements, checking whether devices meet organizational security standards for various attributes. Device health settings within compliance policies include checks for hardware-based security features including TPM presence, TPM version (1.2 versus 2.0), secure boot enablement, code integrity validation, and other firmware-level security capabilities that modern Windows devices provide.
Configuring compliance policy device health settings to require TPM 2.0 ensures devices without TPM chips or devices with older TPM 1.2 chips are marked non-compliant. Windows reports TPM information through device health attestation services that Intune queries during compliance evaluation. Devices report their TPM version, and Intune compares this against policy requirements, marking devices compliant when TPM 2.0 is present or non-compliant when TPM is absent or outdated.
TPM 2.0 requirements are particularly relevant for Windows 11, which mandates TPM 2.0 as a hardware requirement for operating system installation. Organizations enforcing Windows 11 deployment can use TPM 2.0 compliance requirements to validate devices meet Windows 11 hardware prerequisites, ensuring upgrade readiness and hardware security baseline compliance.
The compliance status resulting from TPM checks can be leveraged in Conditional Access policies requiring compliant devices for accessing corporate resources. This creates enforcement where devices lacking appropriate hardware security features cannot access sensitive data, encouraging hardware upgrades or device replacements to meet security standards.
Device restrictions profiles control feature availability and user actions but don’t evaluate hardware characteristics or mark devices compliant or non-compliant. Compliance policies are the appropriate mechanism for evaluating and reporting hardware security capabilities like TPM presence.
A is correct because compliance policies include device health settings that can require TPM 2.0 presence, marking devices without appropriate TPM as non-compliant. B is incorrect because device restrictions profiles control feature availability but don’t evaluate hardware characteristics like TPM presence—compliance policies evaluate device state. C is incorrect because BitLocker policies configure encryption but don’t evaluate TPM presence for compliance—while BitLocker can require TPM, compliance policies mark devices compliant or non-compliant based on TPM presence. D is incorrect because endpoint protection policies focus on security features like antivirus and firewall but don’t evaluate device health characteristics like TPM for compliance marking—compliance policies evaluate device health.
Question 148:
Your organization uses Microsoft Intune to manage iOS devices. You need to prevent users from using FaceTime while devices are locked. What should you configure?
A) Device restrictions profile with “Block FaceTime while device is locked” setting enabled
B) App restrictions profile preventing FaceTime lock screen access
C) Lock screen restrictions through device features profile
D) Compliance policy requiring FaceTime lock screen access disabled
Answer: A
Explanation:
iOS lock screen security controls prevent unauthorized access to device features and information when devices are locked, protecting corporate data and personal information from physical access threats. Understanding how to properly restrict specific application access from lock screens through device restrictions ensures sensitive features like video calling require full device authentication before use.
Device restrictions profiles for iOS include comprehensive settings controlling lock screen experience and feature availability. Within lock screen-related settings, administrators find options to control what features and applications can be accessed when devices are locked, including restrictions on Siri, Control Center, Today View, notifications, Wallet, and specific applications like FaceTime. These restrictions ensure devices require unlock authentication before accessing potentially sensitive features.
The FaceTime lock screen restriction specifically prevents users or others with physical device access from initiating or accepting FaceTime calls when devices are locked. When this restriction is enabled and deployed to iOS devices, attempting to answer incoming FaceTime calls or use FaceTime functionality from the lock screen requires first unlocking the device with passcode or biometric authentication. This prevents unauthorized individuals from making video calls that could compromise privacy or security.
Lock screen security restrictions are particularly important for corporate devices that may be temporarily left unattended or for devices containing sensitive information where even brief unauthorized access could result in data disclosure or inappropriate actions. Requiring full device unlock before accessing communication features like FaceTime provides additional security layers beyond basic device lock screens.
The restriction affects only lock screen access to FaceTime while preserving full FaceTime functionality once devices are unlocked. Users who properly authenticate with passcodes or biometrics can use FaceTime normally for video calls, maintaining productivity and communication capabilities while preventing unauthorized access from locked states.
Device restrictions profiles are the proper mechanism for controlling lock screen feature access, providing granular controls over numerous lock screen capabilities through dedicated restriction settings. Device features profiles focus on deploying functionality configurations rather than restricting access, and compliance policies evaluate state rather than enforce restrictions.
A is correct because device restrictions profiles include specific settings to block FaceTime access while devices are locked, preventing unauthorized use from lock screens. B is incorrect because “app restrictions profile” is not a distinct policy type for controlling lock screen access—device restrictions profiles provide lock screen restriction settings. C is incorrect because device features profiles deploy functionality configurations rather than restricting lock screen access—device restrictions provide restriction settings. D is incorrect because compliance policies evaluate device state but don’t actively prevent or restrict features like lock screen FaceTime access—device restrictions enforce prevention.
Question 149:
You are configuring app protection policies for Android devices. You need to ensure that when users switch away from managed apps, the apps require re-authentication if more than 15 minutes pass before returning. What should you configure?
A) Access requirements with PIN timeout set to 15 minutes
B) Conditional launch with app session timeout of 15 minutes
C) Access requirements with recheck interval of 15 minutes
D) Data transfer settings with 15-minute activity timeout
Answer: A
Explanation:
App protection policies provide multiple authentication timing controls that balance security with user experience, managing when users must re-authenticate during application usage and after applications move to background. Understanding the distinction between various timeout and recheck settings ensures appropriate security controls that protect data without unnecessarily disrupting workflows.
PIN timeout settings in app protection policy access requirements control session-level authentication specifically for background timeout scenarios. The PIN timeout determines how long applications can remain in the background before requiring fresh authentication when users return to the application. Setting PIN timeout to 15 minutes means users switching from managed applications to other activities can return within 15 minutes without re-authenticating, but returning after 15 minutes requires entering PIN, biometric authentication, or corporate credentials.
The background timeout mechanism tracks elapsed time since applications moved to background when users switch to other apps, answer phone calls, check messages, or perform other tasks. The timer measures actual background time rather than device usage time, so even if users are actively using other applications, the timer continues counting. When users return to managed applications, the time elapsed since backgrounding is compared against configured timeout, with re-authentication required if the timeout has expired.
This timeout provides security against scenarios where users leave applications open but unattended for extended periods, ensuring that even if devices are unlocked, applications containing corporate data require periodic re-authentication. The 15-minute window balances security with usability, allowing reasonable multitasking for quick context switches without constant authentication challenges.
Recheck access requirements intervals serve different purposes, controlling how frequently users must re-authenticate during continuous active application usage rather than after background periods. A 15-minute recheck interval would require authentication every 15 minutes during active usage, which is typically more disruptive than necessary and addresses different security scenarios than background timeout.
Conditional launch settings trigger actions based on various conditions like offline intervals, OS version, or device state, but don’t specifically control background timeout periods for authentication. The access requirements section contains authentication timing controls including PIN timeout for background sessions.
A is correct because PIN timeout in access requirements controls background session duration, requiring re-authentication after applications remain in background beyond configured periods like 15 minutes. B is incorrect because conditional launch focuses on different conditions like offline intervals or compliance states rather than background session timeout—access requirements contain session timeout controls. C is incorrect because recheck intervals control authentication frequency during active usage rather than background timeout—PIN timeout handles background session expiration. D is incorrect because data transfer settings control how corporate data moves between applications rather than authentication timing—access requirements handle authentication timing.
Question 150:
You manage Windows 11 devices using Microsoft Intune. You need to deploy a PowerShell script that creates a scheduled task running daily at 3 AM. What should you configure in the script deployment?
A) PowerShell script with “Run script in system context” to ensure administrative privileges for task creation
B) PowerShell script with “Run at every login” to create scheduled task each login
C) Proactive remediation with detection script checking for scheduled task
D) PowerShell script with “Run once” in user context for task creation
Answer: A
Explanation:
PowerShell script deployment through Intune provides automation capabilities for configuration tasks, remediation activities, and administrative operations that aren’t available through standard configuration policies. Understanding proper execution context for scripts ensures they have necessary privileges to perform intended operations while following security best practices.
Scheduled task creation requires administrative privileges to register tasks in the Windows Task Scheduler, configure task triggers and actions, set task permissions, and define execution contexts. Scripts running in user context lack the necessary privileges to create system-level scheduled tasks or tasks running with SYSTEM or administrative permissions, causing task creation operations to fail with access denied errors.
Configuring PowerShell scripts to run in system context provides the elevated privileges necessary for administrative operations like scheduled task creation. System context execution means scripts run with SYSTEM account privileges, providing full administrative access to device configuration, registry, system directories, and scheduled task management interfaces. This elevated context enables scripts to successfully create, modify, or remove scheduled tasks regardless of which user is logged in.
The script deployment configuration in Intune includes options specifying execution context (user or system), execution frequency (once or on schedule), script signing requirements, and whether to enforce script signature validation. For scheduled task creation scenarios, selecting system context ensures scripts have necessary privileges, while execution frequency can typically be “once” since scheduled task creation only needs to occur during initial deployment.
The actual PowerShell script would use Task Scheduler cmdlets or COM objects to define the scheduled task including task name, trigger configuration (daily at 3 AM), action to perform, execution context for the task itself, and other task properties. Once the script creates the task during initial Intune script deployment, the scheduled task exists persistently and executes according to its defined schedule without requiring repeated script execution.
Running scripts at every login would create unnecessary overhead and might result in attempts to recreate existing scheduled tasks on each login, potentially causing errors or conflicts. Once the scheduled task is created, it persists independently and doesn’t require recreating at each login.
A is correct because configuring scripts to run in system context provides the administrative privileges necessary to create scheduled tasks that run with appropriate permissions. B is incorrect because running scripts at every login creates unnecessary overhead for one-time task creation and might cause errors attempting to recreate existing tasks. C is incorrect because while proactive remediations could verify task existence, the question asks about deploying a script to create the task, which requires appropriate execution context more than detection/remediation framework. D is incorrect because running once is appropriate for one-time task creation, but user context lacks administrative privileges needed for scheduled task creation—system context is required.
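As an added illustration of the script described above (this is example code, not part of the original question set), the following PowerShell registers a daily 3 AM task using the ScheduledTasks cmdlets. It is written to be deployed once by Intune in system context: the task runs as SYSTEM, which is exactly the principal a user-context script would be denied permission to register. The task name, the script path it executes and the description are assumed placeholder values.

```powershell
# Added example: Intune-deployed PowerShell script (run in system context, run once)
# that registers a scheduled task running daily at 03:00 as SYSTEM.
# $TaskName and $ScriptPath are assumptions for illustration, not values from the question.
$TaskName   = 'Contoso-NightlyMaintenance'                 # assumed task name
$ScriptPath = 'C:\ProgramData\Contoso\Maintenance.ps1'     # assumed script the task will run

# Idempotency guard: Intune normally runs this script once per device, but if the
# assignment is re-applied we must not fail with "task already exists".
if (Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue) {
    Write-Output "Task '$TaskName' already exists; nothing to do."
    exit 0
}

# Action: run the maintenance script non-interactively.
$Action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""

# Trigger: every day at 3 AM local time.
$Trigger = New-ScheduledTaskTrigger -Daily -At '3:00 AM'

# Principal: SYSTEM with highest privileges. Registering a task under this principal
# is the operation that requires the deploying script itself to run as SYSTEM.
$Principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

# Settings: catch up if the device was off at 03:00, and cap runtime so a hung
# instance cannot linger indefinitely.
$Settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Hours 1)

try {
    Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Trigger `
        -Principal $Principal -Settings $Settings `
        -Description 'Nightly maintenance task (created by Intune script, example)' `
        -ErrorAction Stop | Out-Null
    Write-Output "Registered '$TaskName' to run daily at 03:00 as SYSTEM."
    exit 0
}
catch {
    # A non-zero exit code is what makes Intune report the script run as failed.
    Write-Error "Failed to register task '$TaskName': $($_.Exception.Message)"
    exit 1
}
```

Deploy this under Devices > Scripts with "Run this script using the logged on credentials" set to No (system context). If the same script were run in user context, the `Register-ScheduledTask` call with a SYSTEM principal is the line that fails with an access-denied error, which is the point the question is testing.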
Question 151:
Your organization uses Microsoft Intune to manage iOS devices. You need to configure a policy that prevents users from modifying Touch ID or Face ID settings. What should you configure?
A) Device restrictions profile blocking biometric authentication modifications
B) Compliance policy requiring specific biometric configuration
C) Access requirements preventing biometric setting changes
D) This capability is not available; users control biometric enrollment on iOS
Answer: D
Explanation:
Understanding platform-specific capabilities and limitations of mobile device management helps administrators set realistic expectations about which device features can be controlled through policies versus which remain under user control due to operating system architecture and privacy design decisions. iOS biometric authentication enrollment represents a feature where Apple maintains user autonomy even on managed devices.
iOS device management through MDM provides extensive controls over biometric authentication usage including whether biometric authentication can be used instead of passcodes for device unlock, whether applications can request biometric authentication through APIs, timeout periods after which biometric authentication expires requiring passcode entry, and whether biometric authentication is acceptable for accessing managed features. However, these controls focus on biometric authentication usage rather than enrollment or modification.
The ability to add, remove, or modify enrolled fingerprints in Touch ID or facial scans in Face ID remains under user control even on supervised iOS devices enrolled through corporate MDM. Apple’s design philosophy maintains user control over biometric data enrollment as a privacy principle, ensuring users control which biometric identifiers are registered on their personal or corporate devices. MDM policies cannot prevent users from adding new fingerprints, removing existing fingerprints, or re-enrolling Face ID facial scans.
This limitation reflects broader iOS privacy architecture where certain personal data and security settings remain under user control regardless of device management status. Other examples include passcode values themselves (MDM can require passcodes but cannot know or control what passcodes users choose), personal Apple ID management, and personal data stored in user accounts.
Organizations concerned about biometric authentication security on iOS devices have alternative controls available including requiring passcodes in addition to biometrics ensuring fallback authentication remains strong, configuring biometric authentication timeout periods requiring periodic passcode entry, using app protection policies to require specific authentication methods for sensitive applications, and implementing Conditional Access policies requiring compliant devices or multi-factor authentication for accessing corporate resources. These complementary controls provide layered security even without direct control over biometric enrollment.
Device restrictions profiles include numerous biometric-related settings but focus on usage permissions rather than enrollment control. Compliance policies can verify biometric authentication is configured but cannot prevent users from modifying enrolled biometrics. Access requirements in app protection policies control when authentication is required but not biometric enrollment management.
D is correct because iOS architecture maintains user control over Touch ID and Face ID enrollment and modification regardless of MDM configuration—these settings remain under user control even on managed devices. A is incorrect because while device restrictions include biometric-related settings, they control usage permissions rather than preventing users from modifying enrolled biometrics—user enrollment control is not available. B is incorrect because compliance policies can verify biometric authentication exists but cannot prevent users from modifying enrolled fingerprints or facial scans—enrollment modification remains under user control. C is incorrect because access requirements control when authentication is required but not user ability to modify enrolled biometric data—enrollment modification control is not available through MDM.
Question 152:
You are configuring Microsoft Intune to deploy a line-of-business application to Windows 11 devices. The application requires .NET Framework 3.5 which is not installed by default. How should you ensure .NET Framework 3.5 is available?
A) Configure the application with dependency on a Win32 app package that enables Windows optional feature for .NET Framework 3.5
B) Include .NET Framework 3.5 installation in the application’s installation command
C) Deploy .NET Framework 3.5 using Windows Features configuration profile
D) Use DISM command in pre-installation script to enable .NET Framework 3.5
Answer: A
Explanation:
Windows optional features like .NET Framework 3.5 represent components included with Windows but not enabled by default. Understanding how to properly enable optional features through Win32 app dependencies ensures prerequisites are available before applications requiring them attempt installation, leveraging Intune’s native dependency management for reliable installation sequencing.
.NET Framework 3.5 is a Windows optional feature rather than a separate installable component, meaning it’s already present on Windows systems but requires enablement through Windows Features or DISM (Deployment Image Servicing and Management) commands. Enabling optional features requires administrative privileges and system-level access that Win32 app installation commands executed in system context provide.
The recommended approach involves packaging the .NET Framework 3.5 enablement process as a standalone Win32 app with installation command using DISM or PowerShell to enable the optional feature (such as “DISM /Online /Enable-Feature /FeatureName:NetFx3 /All”), detection rules checking whether .NET Framework 3.5 is enabled (such as checking registry keys or using DISM query commands), and appropriate success/failure return code handling. This Win32 app becomes a reusable dependency that multiple applications can reference.
After packaging the .NET Framework 3.5 enablement as a Win32 app, the line-of-business application is configured with a dependency relationship referencing the framework enablement app. During deployment, Intune automatically checks whether .NET Framework 3.5 is enabled by evaluating the dependency’s detection rules. If not enabled, Intune runs the dependency app to enable the feature before proceeding with the primary application installation.
This dependency approach provides several advantages including automatic prerequisite verification and enablement without manual intervention, reusability where the .NET Framework 3.5 dependency can be referenced by any application requiring it, integrated detection avoiding redundant enablement attempts if the feature is already available, and comprehensive reporting showing which component failed if installation issues occur. The modular dependency structure is cleaner than embedding prerequisite enablement in each application’s installation command.
Including framework enablement in the application’s installation command creates monolithic installers that are harder to troubleshoot and maintain, cannot be reused across applications with the same prerequisite, don’t benefit from Intune’s dependency detection and sequencing, and require updating every application package if prerequisite installation logic needs modification. Separate dependency packaging provides better maintainability.
A is correct because configuring Win32 app dependency on a package that enables .NET Framework 3.5 as a Windows optional feature leverages Intune’s native dependency management for reliable prerequisite handling. B is incorrect because including framework enablement in the application command creates monolithic packages without the reusability and detection benefits of dependency relationships. C is incorrect because Intune doesn’t provide a standard “Windows Features configuration profile” for enabling optional features—this requires Win32 app deployment or scripting. D is incorrect because while DISM commands can enable features, executing them in pre-installation scripts doesn’t integrate with Win32 app dependency management—proper dependency configuration provides better integration.
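To make the dependency approach concrete, here is an added example of the install script such a reusable ".NET Framework 3.5" Win32 dependency app could carry (example code, not from the original page or from Microsoft). It performs the same operation as the quoted `DISM /Online /Enable-Feature /FeatureName:NetFx3 /All`, skips the work when the feature is already enabled, and maps the outcome to the return codes Intune recognizes. The log file name and script file name are assumptions.

```powershell
# Added example: install script for a Win32 dependency app that enables the NetFx3
# optional feature. Intended install command (Win32 app runs in system context):
#   powershell.exe -NoProfile -ExecutionPolicy Bypass -File Enable-NetFx3.ps1
# The file name and $LogPath are assumptions for illustration.
$LogPath  = "$env:ProgramData\Microsoft\IntuneManagementExtension\Logs\Enable-NetFx3.log"
$exitCode = 1
Start-Transcript -Path $LogPath -Append | Out-Null

try {
    $feature = Get-WindowsOptionalFeature -Online -FeatureName NetFx3 -ErrorAction Stop

    if ($feature.State -eq 'Enabled') {
        # Detection should normally have caught this, but stay idempotent anyway.
        Write-Output 'NetFx3 is already enabled; nothing to do.'
        $exitCode = 0
    }
    else {
        # PowerShell equivalent of: DISM /Online /Enable-Feature /FeatureName:NetFx3 /All
        # The payload is pulled from Windows Update; if WU is blocked, add
        # -Source <path to install media \sources\sxs> -LimitAccess.
        $result = Enable-WindowsOptionalFeature -Online -FeatureName NetFx3 -All -NoRestart -ErrorAction Stop

        # Verify rather than trust the return object.
        $state = (Get-WindowsOptionalFeature -Online -FeatureName NetFx3).State
        if ($state -ne 'Enabled') {
            Write-Error "Enable-WindowsOptionalFeature returned without error but NetFx3 state is '$state'."
            $exitCode = 1
        }
        elseif ($result.RestartNeeded) {
            # 3010 is Intune's default "success, soft reboot required" return code.
            Write-Output 'NetFx3 enabled; a restart is required.'
            $exitCode = 3010
        }
        else {
            Write-Output 'NetFx3 enabled.'
            $exitCode = 0
        }
    }
}
catch {
    Write-Error "Failed to enable NetFx3: $($_.Exception.Message)"
    $exitCode = 1
}
finally {
    Stop-Transcript | Out-Null
}

exit $exitCode
```

For the detection rule on this dependency app, a registry rule works well and needs no script: key `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5`, value `Install`, integer comparison equals `1`. With that rule in place, Intune evaluates the dependency first, runs this script only on devices where the feature is missing, and then proceeds to the line-of-business application, which is the sequencing the explanation above describes.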
Question 153:
You manage Android Enterprise devices using Microsoft Intune. You need to configure devices to allow only specific websites in the Chrome browser. What should you configure?
A) App configuration policy for Chrome with URL allowlist settings
B) Device restrictions profile with website filtering configuration
C) Compliance policy requiring approved website access only
D) Managed Google Play app configuration with website restrictions
Answer: A
Explanation:
Browser management on Android Enterprise devices requires understanding application-specific configuration mechanisms rather than device-wide restriction policies. Google Chrome for Android supports extensive managed configuration capabilities allowing organizations to control browser behavior including site access restrictions, security policies, and feature availability through app configuration policies.
App configuration policies for managed devices deliver configuration settings to applications supporting managed configuration frameworks. Chrome for Android supports comprehensive managed configuration allowing IT administrators to pre-configure numerous browser settings including homepage URLs, bookmark lists, proxy configurations, security policies, extension management, and critically for this scenario, website access controls through URL allowlists and blocklists.
Creating an app configuration policy for Chrome involves selecting Chrome as the target application in Intune, defining configuration key-value pairs using either Chrome’s configuration designer (if Intune provides one) or custom JSON configuration data following Chrome’s managed configuration schema, specifying URL patterns for allowed websites using appropriate configuration keys, and assigning the policy to user or device groups. The configuration keys for URL filtering typically include allowlist parameters accepting URL patterns or domain names.
When Chrome receives managed configuration from Intune, it enforces the URL restrictions by allowing access only to websites matching allowlist patterns and blocking all other sites. Users attempting to navigate to blocked websites see error messages indicating site access is restricted by organizational policy. The browser-level enforcement provides comprehensive protection preventing access through direct URL entry, bookmarks, search results, or links.
URL pattern syntax in Chrome’s managed configuration supports various levels of specificity, including exact domain matches (example.com), subdomain wildcards (*.example.com, allowing all subdomains), path specifications (example.com/path, allowing only specific paths), and scheme restrictions (https://example.com, enforcing secure connections). This flexibility allows precise control over which resources are accessible.
Device restrictions profiles for Android Enterprise control device-level features and capabilities but don’t provide browser-specific content filtering. Web filtering requires application-level controls through browser management rather than operating system restrictions. Compliance policies evaluate device state but don’t enforce browser behavior or website access controls.
A is correct because app configuration policies for Chrome provide managed configuration capabilities including URL allowlist settings that restrict browser access to approved websites. B is incorrect because device restrictions profiles control device features but don’t provide browser-specific website filtering—browser management requires app configuration policies. C is incorrect because compliance policies evaluate device state but don’t enforce browser behavior or restrict website access—app configuration provides browser control. D is incorrect because “managed Google Play app configuration” is not the proper mechanism—app configuration policies in Intune target specific applications like Chrome with configuration settings.
Question 154:
Your organization uses Microsoft Intune to manage macOS devices. You need to deploy a configuration that disables the built-in guest user account. What should you create?
A) Custom configuration profile with preference domain plist for guest account settings
B) Device restrictions profile disabling guest account access
C) User configuration policy preventing guest login
D) Login window configuration through device features profile
Answer: A
Explanation:
macOS guest account functionality allows temporary device access without creating permanent user accounts, useful for consumer scenarios but potentially problematic in enterprise environments where all device access should be authenticated and auditable. Understanding how to disable guest accounts through custom configuration profiles ensures corporate devices don’t provide unauthorized access vectors.
Guest account settings on macOS are managed through system preference domains that control login window behavior and account availability. Specifically, the com.apple.loginwindow preference domain includes keys controlling whether guest accounts are enabled, whether guest users can access shared folders, and other guest account-related behaviors. Disabling the guest account requires setting appropriate keys in this preference domain to false values.
Custom configuration profiles in Intune allow deploying preference domain plist files containing specific configuration keys and values that macOS applies to system preferences. For guest account disablement, the custom profile would include a plist file targeting the com.apple.loginwindow preference domain with keys such as “GuestEnabled” set to false, “DisableGuestAccount” set to true, or similar keys depending on macOS version and exact configuration requirements.
Creating the custom configuration profile involves crafting or obtaining the appropriate plist file with correct XML structure and preference keys for guest account control, uploading the plist file to Intune during custom profile creation, specifying the preference domain name (com.apple.loginwindow), indicating whether the profile applies at system or user level (typically system for login window settings), and assigning the profile to device groups containing corporate macOS devices requiring guest account disablement.
When devices receive the custom configuration profile through MDM, macOS applies the preference settings to the login window configuration, disabling the guest account option. The guest account no longer appears as an option at the login screen, and attempts to access guest functionality are prevented by the system enforcing the managed preference.
Device restrictions profiles for macOS include numerous settings controlling device features, but built-in profiles typically don’t expose every possible system preference that can be managed. Guest account disablement represents a setting that often requires custom configuration profiles rather than being available through standard restriction templates. Device features profiles focus on deploying features like AirPrint printers and login items rather than security restrictions like guest account control.
A is correct because custom configuration profiles with preference domain plists provide the mechanism for deploying macOS system preference configurations like guest account disablement that aren’t available in standard profiles. B is incorrect because device restrictions profiles don’t typically include specific guest account disablement settings—this configuration requires custom preference domain profiles. C is incorrect because “user configuration policy” is not a distinct macOS policy type in Intune, and guest account control requires system-level configuration through custom profiles. D is incorrect because device features profiles deploy functionality like AirPrint and login items rather than security restrictions like guest account disablement—custom configuration profiles handle preference domain settings.
Question 155:
You are configuring Windows Hello for Business in Microsoft Intune. You need to ensure that PINs must contain at least one uppercase letter. What should you configure?
A) Account protection policy with PIN complexity requiring uppercase letters
B) Device restrictions profile with password complexity settings
C) Compliance policy requiring complex PINs with uppercase letters
D) Windows Hello for Business policy with alphanumeric PIN requirements
Answer: D
Explanation:
Windows Hello for Business PIN configuration provides extensive options for controlling PIN complexity including length requirements, character type requirements, and history settings. Understanding the distinction between simple numeric PINs and alphanumeric PINs with enhanced complexity requirements ensures organizations can configure appropriate PIN security levels matching their risk profiles.
Traditional Windows Hello for Business PINs are numeric-only by default, consisting of digits 0-9 without letters or special characters. This simplicity provides user-friendly authentication while maintaining security through hardware-backed key storage and anti-hammering protection. However, organizations requiring stronger PINs can enable alphanumeric PIN support allowing PINs to include letters (uppercase and lowercase) and special characters, significantly expanding the possible PIN space and increasing resistance to guessing attacks.
Device restrictions profiles include password-related settings but these typically apply to device passwords or local account passwords rather than Windows Hello for Business PINs, which are configured through dedicated Hello for Business policies. Compliance policies can verify PIN complexity meets requirements but don’t configure Hello for Business PIN policies.
D is correct because Windows Hello for Business policies include alphanumeric PIN configuration with specific character requirements including uppercase letter requirements for enhanced PIN complexity. A is incorrect because while account protection policies contain Windows Hello for Business settings, the specific terminology is “alphanumeric PIN requirements” rather than general “PIN complexity requiring uppercase letters”—alphanumeric enablement with character requirements is the proper configuration. B is incorrect because device restrictions profile password settings typically apply to device passwords rather than Windows Hello for Business PINs—dedicated Hello for Business policies configure PIN requirements. C is incorrect because compliance policies verify PIN requirements are met but don’t configure Windows Hello for Business PIN policies—account protection policies configure PIN requirements.
Question 156:
You manage iOS devices using Microsoft Intune. You need to prevent users from using iCloud Keychain on managed devices. What should you configure?
A) Device restrictions profile with iCloud Keychain blocked
B) App protection policy preventing iCloud Keychain synchronization
C) Device features profile disabling iCloud services
D) Compliance policy requiring iCloud Keychain to be disabled
Answer: A
Explanation:
iCloud Keychain provides password and credential synchronization across Apple devices using iCloud accounts, storing sensitive authentication credentials in Apple’s cloud infrastructure. Understanding how to restrict iCloud Keychain usage through device restrictions prevents potential credential exposure through personal iCloud accounts while maintaining corporate credential management through enterprise solutions.
A is correct because device restrictions profiles include specific settings to block iCloud Keychain, preventing credential synchronization through iCloud on managed iOS devices. B is incorrect because app protection policies provide data protection within applications but don’t control iOS system services like iCloud Keychain—device restrictions control system feature availability. C is incorrect because device features profiles deploy functionality configurations rather than disabling services—device restrictions provide restriction settings for iCloud services. D is incorrect because compliance policies verify device state but don’t actively prevent or disable features like iCloud Keychain—device restrictions enforce prevention.
Question 157:
Your organization uses Microsoft Intune to manage Windows 11 devices. You need to configure a policy that prevents users from installing fonts from untrusted sources. What should you configure?
A) Settings Catalog with font installation restriction policies
B) Device restrictions profile blocking font installation
C) Windows Defender Application Control policy restricting font installation
D) Endpoint protection policy with font security settings
Answer: A
Explanation:
Font installation security has become increasingly important as font parsing vulnerabilities have been exploited in various security incidents, making font installation a potential attack vector. Understanding how to control font installation through appropriate policy mechanisms ensures only trusted fonts from approved sources can be installed on managed devices.
Device restrictions profiles provide simplified interfaces for common restrictions but typically don’t include the specific font installation security policies available in Settings Catalog. Settings Catalog provides more comprehensive access to detailed security policies that standard restriction profiles don’t expose.
A is correct because Settings Catalog provides access to Windows security policies controlling font installation including restrictions preventing font installation from untrusted sources. B is incorrect because device restrictions profiles don’t typically include specific font installation security policies—Settings Catalog provides more comprehensive access to font-related security settings. C is incorrect because Windows Defender Application Control focuses on application execution control rather than font installation restrictions—Settings Catalog provides font-specific policies. D is incorrect because endpoint protection policies focus on antivirus, firewall, and threat protection rather than font installation security—Settings Catalog provides font installation restriction policies.
Question 158:
You are configuring app protection policies for iOS devices. You need to ensure that users can only print corporate documents to AirPrint printers approved by IT. What should you configure?
A) Data transfer settings with “Allow users to print org data” configured for managed printers
B) Access requirements restricting printing to approved devices
C) Printing restrictions are not available in app protection policies; use device configuration instead
D) Conditional launch with print destination validation
Answer: C
Explanation:
Understanding the scope and limitations of app protection policies versus device configuration profiles helps administrators select appropriate policy types for specific management scenarios. While app protection policies provide extensive data loss prevention controls for application-level data protection, certain device feature controls like printer management require device-level configuration rather than application-level protection policies.
App protection policies focus on protecting corporate data within managed applications through controls like preventing screenshots, restricting clipboard operations, controlling data transfer between applications, requiring authentication, encrypting data, and managing save operations. These policies operate at the application data layer providing security for corporate information regardless of device enrollment status.
Printer management including specifying approved AirPrint printers, deploying printer configurations, restricting printing to specific devices, or controlling printing functionality falls outside the scope of app protection policies. AirPrint printer configuration and printing restrictions are managed through device configuration profiles (specifically device features profiles for iOS) that deploy printer lists and configurations to enrolled devices rather than through application-level protection policies.
Device features profiles for iOS include AirPrint configuration sections where administrators can specify approved AirPrint printers by IP address or hostname, provide printer names and locations, configure default printer selections, and deploy printer lists that appear in printing interfaces across all applications on managed devices. This device-level configuration ensures consistent printer availability without requiring application-specific printer configuration.
Organizations requiring print restrictions for corporate data have limited options through app protection policies, which don’t include comprehensive printing controls. Alternative approaches include using device configuration profiles to deploy approved AirPrint printers on enrolled devices, implementing print management solutions that control print access at the network level, deploying managed email configurations that restrict printing from email applications, or accepting that printing control requires device enrollment rather than app-only management.
The limitation reflects the scope difference between app protection policies designed for MAM (Mobile Application Management) without device enrollment versus device configuration profiles designed for MDM (Mobile Device Management) with full device enrollment. Certain controls require device enrollment to implement effectively.
C is correct because app protection policies don’t include printing restrictions or printer management capabilities—these controls require device configuration profiles on enrolled devices. A is incorrect because while app protection policies may include some print-related settings, they don’t provide the approved printer list configuration needed to restrict printing to specific IT-approved AirPrint printers—this requires device configuration. B is incorrect because access requirements control authentication conditions rather than printing restrictions—printing control is not available through app protection policies. D is incorrect because conditional launch triggers actions based on conditions like offline intervals but doesn’t include print destination validation—printing restrictions are not available through app protection policies.
Question 159:
You manage Android Enterprise devices using Microsoft Intune. You need to configure a kiosk device that displays a web application in Chrome with no visible Chrome UI elements. What enrollment type and configuration should you use?
A) Android Enterprise dedicated devices with single-app kiosk mode running Chrome configured for kiosk mode
B) Android Enterprise fully managed with device restrictions hiding Chrome UI
C) Android Enterprise work profile with kiosk mode enabled
D) Android device administrator with kiosk configuration
Answer: A
Explanation:
Kiosk deployments that need a single-purpose device use the Android Enterprise dedicated devices enrollment type, which is designed for devices that serve one focused business function rather than general user computing. Combining single-app kiosk mode with the application's own kiosk settings creates a locked-down experience appropriate for digital signage, information displays, or dedicated web application access.
Android Enterprise dedicated devices enrollment, formerly called Corporate-Owned Single Use (COSU), is designed for shared devices serving specific business purposes without primary user assignment. This enrollment type provides extensive kiosk configuration capabilities including single-app mode restricting devices to running only one application, multi-app mode allowing several applications within a managed launcher, and full device management preventing unauthorized usage.
A is correct because Android Enterprise dedicated devices with single-app kiosk mode running Chrome configured for kiosk mode provides the locked-down dedicated web application display experience required. B is incorrect because fully managed enrollment is for individual user devices rather than dedicated kiosk devices, and device restrictions don’t provide the single-app kiosk capabilities needed. C is incorrect because work profile enrollment is for personal devices with work/personal separation, completely inappropriate for dedicated single-purpose kiosk devices. D is incorrect because Android device administrator is deprecated and lacks modern kiosk capabilities of Android Enterprise dedicated devices.
Question 160:
Your organization uses Microsoft Intune to manage Windows 11 devices. You need to deploy a configuration that sets the default browser to Microsoft Edge for all users. What should you configure?
A) Settings Catalog with default application association policies
B) Device restrictions profile setting Edge as default browser
C) Windows configuration designer provisioning package
D) Administrative Templates profile with browser default settings
Answer: A
Explanation:
Default application associations on Windows determine which applications open specific file types and protocols, including which browser opens web links. Understanding how to configure default application associations through Intune ensures consistent user experiences where corporate-preferred applications handle relevant file types and protocols without requiring manual user configuration.
A is correct because Settings Catalog provides access to Windows default application association policies that can specify Microsoft Edge as the default browser for web protocols and HTML files. B is incorrect because device restrictions profiles don’t typically include default application association configuration—Settings Catalog provides more comprehensive access to default app policies. C is incorrect because provisioning packages are used during deployment rather than ongoing management through Intune policies—Settings Catalog policies provide manageable default app configuration. D is incorrect because while Administrative Templates include various policies, Settings Catalog provides more appropriate access to default application association settings for browser default configuration.
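As an added example (not from the original page), the script below builds the default-associations XML that maps HTML files and web protocols to Microsoft Edge, base64-encodes it the way the default associations configuration policy expects, and decodes a policy value back for review. It assumes the Settings Catalog setting maps to the Windows ApplicationDefaults CSP, which takes a base64-encoded XML string, and uses the ProgId `MSEdgeHTM` that Edge registers for HTML content.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed example: MSEdgeHTM is the ProgId Microsoft Edge registers for HTML files and web
# protocols; the identifiers below are the ones a default-browser change must cover.
EDGE_PROGID = "MSEdgeHTM"
EDGE_NAME = "Microsoft Edge"
BROWSER_IDENTIFIERS = (".htm", ".html", "http", "https")

def build_default_associations(identifiers=BROWSER_IDENTIFIERS, progid=EDGE_PROGID, app_name=EDGE_NAME):
    # Same layout as the file produced by "Dism /Export-DefaultAppAssociations".
    root = ET.Element("DefaultAssociations")
    for ident in identifiers:
        ET.SubElement(root, "Association", Identifier=ident, ProgId=progid, ApplicationName=app_name)
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")

def encode_for_policy(xml_text):
    # The policy value (assumed: ApplicationDefaults/DefaultAssociationsConfiguration) is base64 of the XML.
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")

def decode_policy(b64_value):
    # Decode a policy value back into {identifier: ProgId} so it can be reviewed before assignment.
    root = ET.fromstring(base64.b64decode(b64_value))
    if root.tag != "DefaultAssociations":
        raise ValueError(f"unexpected root element {root.tag!r}")
    return {a.get("Identifier"): a.get("ProgId") for a in root.findall("Association")}

def edge_is_default(b64_value, identifiers=BROWSER_IDENTIFIERS):
    # True only if every web identifier is mapped to Edge; a partial list leaves some links on another browser.
    mapping = decode_policy(b64_value)
    return all(mapping.get(ident) == EDGE_PROGID for ident in identifiers)
```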