Visit here for our full Microsoft MD-102 exam dumps and practice test questions.
Question 181:
You manage Android Enterprise devices using Microsoft Intune. You need to configure a policy that prevents users from enabling USB debugging. What should you configure?
A) Device restrictions profile with USB debugging blocked
B) Compliance policy requiring USB debugging to be disabled
C) System security settings preventing developer options access
D) Device configuration profile with developer mode restrictions
Answer: A
Explanation:
USB debugging represents a significant security risk on Android devices by enabling advanced device access through ADB connections that can install applications, extract data, or modify system settings. Understanding how to properly restrict USB debugging through device restrictions prevents this attack vector while maintaining appropriate device security posture.
Device restrictions profiles for Android Enterprise include settings controlling various device features and capabilities, organized by category. Within the developer-related settings, options exist for preventing USB debugging, blocking developer options entirely, or restricting specific developer features. The USB debugging restriction specifically prevents users from enabling USB debugging in the Android developer options menu.
When USB debugging restrictions are enabled and deployed through Intune, Android enforces the restriction by making the USB debugging toggle unavailable, hidden, or disabled in developer options. Even if users enable developer options by tapping the build number repeatedly in About Phone, the USB debugging setting cannot be activated, preventing ADB connections for unauthorized device access or data extraction.
USB debugging security concerns include potential data exfiltration where attackers with physical device access could use ADB to extract data, unauthorized application installation bypassing enterprise app management controls, system modification allowing attackers to disable security features or install malware, and debugging access providing information useful for exploiting vulnerabilities.
Android Enterprise fully managed devices and corporate-owned work profile devices support comprehensive developer option restrictions. Work profile devices on personally owned hardware may have more limited restrictions on device-level settings outside the work profile, reflecting the balance between corporate control and user privacy on personal devices.
The enforcement prevents users from enabling USB debugging regardless of any administrative privileges they might have on the device. The restriction operates through the Android Enterprise management framework rather than as a security setting users can override.
Compliance policies can check whether USB debugging is currently enabled and mark devices non-compliant if detected, but compliance checking provides reactive detection rather than proactive prevention. Device restrictions actively prevent users from enabling USB debugging, providing better security than detection-based compliance checking that identifies problems only after they occur.
Organizations deploying USB debugging restrictions should consider exceptions for specific IT personnel who may legitimately need debugging access for application development or troubleshooting. Exception policies can be created for specific device or user groups while maintaining restrictions for general device populations.
Question 182:
Your organization uses Microsoft Intune to manage Windows 11 devices. You need to prevent users from installing applications from the Microsoft Store. What should you configure?
A) Settings Catalog with Microsoft Store restrictions
B) Device restrictions profile blocking Microsoft Store
C) Windows Defender Application Control policy blocking Store apps
D) Endpoint protection policy with Microsoft Store restrictions
Answer: A
Explanation:
Microsoft Store provides a distribution channel for applications on Windows devices, but organizations may need to restrict Store access to prevent installation of unauthorized applications, maintain standardized software environments, or enforce application deployment exclusively through enterprise management channels. Understanding how to properly configure Store restrictions through Settings Catalog ensures comprehensive control over application sources.
Settings Catalog in Microsoft Intune provides access to comprehensive Windows configuration settings including policies related to Microsoft Store access and functionality. Within Settings Catalog, administrators can find policies controlling whether users can access Microsoft Store, whether Store applications can install or update, whether Store is visible in Start menu or taskbar, and whether enterprise deployment can utilize Store for business applications while blocking consumer Store access.
Microsoft Store restriction policies include options to block the Microsoft Store application entirely (preventing access to the Store interface), to prevent new installations from the Store while already-installed Store apps continue to function, to disable automatic app updates from the Store, or to require the private store for business while blocking the public consumer Store. Which restriction to choose depends on organizational requirements.
Configuring Store restrictions involves creating a Settings Catalog policy, searching for Microsoft Store, Windows Store, or application-installation settings, configuring those policies to block or restrict Store access as required, optionally allowing Store for Business if enterprise app deployment through the Store is desired, and assigning the policy to the device groups that require the restriction.
When policies deploy to Windows devices, the operating system enforces Store restrictions through policy engine. Users attempting to access Microsoft Store find the application does not launch, is hidden from Start menu, or displays messages indicating Store access is blocked by organizational policy. Installation attempts from Store are prevented, ensuring application installations occur only through enterprise-approved channels like Intune Win32 app deployment.
Store restrictions are particularly important for maintaining standardized application environments, preventing installation of unsupported applications that could cause support burden, enforcing licensing compliance by controlling application sources, and ensuring security policies apply consistently across all installed applications.
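The following PowerShell is an added example, not code from the original page, for auditing which of these Store restrictions a device has actually received. It reads the policy registry key that the Microsoft Store Group Policy settings are documented to write (HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore); Intune-delivered ADMX-backed and Policy CSP settings for the Store are expected to surface at the same location, but confirm that on one of your own devices before using the report for compliance evidence. The value names and meanings are the documented ones; the summary function and its output shape are this example's own.

```powershell
# Added example (not from the original page): report which Microsoft Store
# restriction policies are in effect on a Windows 11 device.
# Run in an elevated PowerShell session.

$StorePolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore'

# Documented policy values: name, the value that means "restricted", and meaning.
$StoreChecks = @(
    @{ Name = 'RemoveWindowsStore';      Restricted = 1; Meaning = 'Store app turned off entirely' }
    @{ Name = 'RequirePrivateStoreOnly'; Restricted = 1; Meaning = 'Only the private (business) store is shown' }
    @{ Name = 'DisableStoreApps';        Restricted = 1; Meaning = 'Store-originated apps blocked' }
    @{ Name = 'AutoDownload';            Restricted = 2; Meaning = 'Automatic app updates turned off' }
)

function Get-StoreRestrictionState {
    param([string]$Path = $StorePolicyPath)

    # If the key does not exist, no Store policy has been delivered at all.
    $props = if (Test-Path $Path) { Get-ItemProperty -Path $Path } else { $null }

    foreach ($check in $StoreChecks) {
        $value = $null
        if ($props -and ($props.PSObject.Properties.Name -contains $check.Name)) {
            $value = $props.($check.Name)
        }
        [pscustomobject]@{
            Setting    = $check.Name
            Value      = $value                      # $null when not configured
            Restricted = ($null -ne $value -and $value -eq $check.Restricted)
            Meaning    = $check.Meaning
        }
    }
}

function Test-StoreInstallBlocked {
    # True when at least one setting that stops new Store installs is in force:
    # removing the Store app or blocking Store-originated apps both achieve that;
    # RequirePrivateStoreOnly alone still permits installs from the private store.
    param([object[]]$State = (Get-StoreRestrictionState))
    $blocking = $State | Where-Object {
        $_.Restricted -and $_.Setting -in @('RemoveWindowsStore', 'DisableStoreApps')
    }
    return [bool]$blocking
}

# Usage: print the per-setting table and an overall verdict.
$state = Get-StoreRestrictionState
$state | Format-Table -AutoSize
"Consumer Store installs blocked: $(Test-StoreInstallBlocked -State $state)"
```

Treat a `Value` of `$null` as "not configured" rather than "allowed": the Store is allowed by default, so absence of the value is the permissive state, and the report distinguishes that from an explicit value that happens not to match the restricted setting.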
Question 183:
You are configuring app protection policies for iOS devices. You need to ensure that corporate data in managed apps is encrypted when devices are locked. What should you configure?
A) Data protection settings with “Encrypt org data” enabled
B) Access requirements with lock screen encryption
C) iOS automatically encrypts data when devices are locked if device encryption is enabled
D) Conditional launch with encryption enforcement
Answer: C
Explanation:
iOS data protection architecture provides built-in encryption mechanisms that automatically protect application data when devices are locked, leveraging hardware-based security features. Understanding how iOS encryption works at the operating system level helps administrators recognize which security controls are inherent to the platform versus which require explicit policy configuration.
iOS devices include hardware-based encryption through the Secure Enclave processor that provides cryptographic operations and secure key storage. When devices are encrypted and screen lock passcodes are enabled, iOS automatically encrypts application data using keys derived from device hardware and user passcodes. This encryption applies to all application data including both personal and corporate applications.
The iOS data protection classes determine when encrypted data becomes accessible. Complete Protection class data is accessible only when devices are unlocked, while other protection classes allow access after first unlock or always, with varying security characteristics. Applications specify data protection classes for the files they create, and most applications use Complete Protection or Protected Until First User Authentication, both of which provide strong encryption.
When devices lock, iOS encryption keys for Complete Protection data become unavailable, rendering that data inaccessible until devices are unlocked with correct passcodes or biometric authentication. This automatic protection occurs at the operating system level without requiring application-specific encryption policies or MDM configuration.
Question 184:
You manage Windows 11 devices using Microsoft Intune. You need to configure a policy that prevents users from changing the device name. What should you configure?
A) Settings Catalog with device naming restrictions
B) Device restrictions profile blocking device name changes
C) Compliance policy requiring specific device names
D) Autopilot deployment profile with locked device naming
Answer: A
Explanation:
Device naming control on Windows systems helps maintain consistent naming conventions and prevents users from arbitrarily changing device names that might be used for identification, inventory management, or network organization. Understanding how to properly restrict device name modifications through Settings Catalog ensures naming standards remain consistent across managed devices.
Settings Catalog in Microsoft Intune provides comprehensive access to Windows configuration settings including policies related to device naming and system identification. Within Settings Catalog, administrators can find policies that prevent users from modifying device names through System Properties or Settings interfaces, ensuring organizational naming conventions remain intact throughout device lifecycle.
Device naming restrictions prevent users from accessing device name modification interfaces or prevent changes from being saved when users attempt modifications. When these policies deploy to Windows devices, the operating system enforces naming restrictions by disabling device name fields in System Properties, blocking name changes through Settings app, preventing PowerShell or command-line name changes, and displaying messages indicating naming is managed by organizational policy when users attempt modifications.
The restriction is particularly important for organizations using device names for asset tracking, network identification, security policy application, or inventory management where consistent predictable naming supports administrative processes. Preventing user modifications ensures device names follow IT-established patterns rather than user preferences that might create naming conflicts or confusion.
Device restrictions profiles provide simplified interfaces for common restrictions but typically don’t include the specific device naming restriction policies available in Settings Catalog. Settings Catalog provides more direct access to system identification and naming policies controlling device name modification capabilities.
Compliance policies can verify device names match required patterns but don’t prevent users from changing names. Compliance checking occurs after changes and marks devices non-compliant rather than proactively preventing modifications. Configuration policies provide prevention while compliance policies provide detection.
Autopilot deployment profiles can establish initial device names through naming templates during deployment but don’t lock names against subsequent user modifications. Autopilot naming occurs during provisioning while ongoing name protection requires separate restriction policies preventing post-deployment name changes.
Organizations implementing naming restrictions should ensure device names are appropriately set during deployment through Autopilot templates or provisioning processes, then apply restriction policies maintaining those names throughout device lifecycle. Clear naming conventions support administrative efficiency while restrictions ensure conventions remain enforced.
Question 185:
Your organization uses Microsoft Intune to manage iOS devices. You need to configure a policy that requires users to use complex passcodes containing at least one special character. What should you configure?
A) Device restrictions profile with passcode complexity requiring special characters
B) Compliance policy requiring complex passcodes
C) App protection policy with passcode requirements
D) Device features profile with password policy settings
Answer: A
Explanation:
Passcode complexity requirements on iOS devices ensure strong authentication protecting device access and corporate data. Understanding how to configure specific character requirements through device restrictions profiles ensures passcodes meet organizational security standards while preventing weak authentication credentials.
Device restrictions profiles for iOS include comprehensive password and passcode settings controlling authentication security parameters. Within password settings, administrators configure minimum passcode length, required character types including letters, numbers, and special characters, simple passcode prevention blocking repeated or sequential characters, passcode expiration if periodic changes are required, and passcode history preventing reuse of recent passcodes.
Requiring special characters in passcodes significantly increases passcode complexity and entropy compared to alphanumeric-only passcodes. Special characters expand the possible character space from letters and numbers to include symbols like exclamation points, dollar signs, percent signs, and other non-alphanumeric characters. This expansion makes passcodes substantially more resistant to brute force guessing attacks.
Configuring the requirement involves creating device restrictions profile for iOS, navigating to password settings section, enabling required passcode option, configuring alphanumeric passcode to allow letters, numbers, and symbols, enabling required special characters option, setting minimum length such as 8 characters, and assigning the profile to device groups requiring complex passcode protection.
When passcode complexity policies deploy to iOS devices, the operating system enforces requirements immediately. Users with existing passcodes not meeting new requirements receive prompts to change passcodes at next unlock. Users setting new passcodes must satisfy all complexity requirements with iOS rejecting non-compliant passcodes and providing feedback about unsatisfied requirements.
Organizations should balance passcode complexity with usability considering that overly complex requirements can lead to user frustration, increased forgotten passcode incidents requiring device recovery, users writing down passcodes potentially defeating security benefits, or resistance to device usage due to authentication difficulty. Requirements should provide adequate security without unnecessary burden.
Question 186:
You manage Android Enterprise devices using Microsoft Intune. You need to configure devices to require passwords for unlocking the work profile. What should you configure?
A) Device restrictions profile with work profile password requirements
B) Compliance policy requiring work profile passwords
C) Password policy for device-wide authentication
D) Work profile configuration with password enforcement
Answer: A
Explanation:
Android Enterprise work profile enrollment creates separate containers on personally owned devices for corporate applications and data, maintaining distinct security boundaries between work and personal contexts. Understanding how to configure work profile-specific password requirements ensures corporate data protection without unnecessarily restricting personal device usage.
Device restrictions profiles for Android Enterprise work profile devices include settings organized by scope distinguishing device-wide settings from work profile-specific settings. Within work profile settings categories, administrators find password configuration options specifically for work profile authentication including whether passwords are required for work profile access, minimum password length, password complexity requirements, password expiration periods, and failed attempt limits before work profile wipe.
Work profile password requirements create authentication separation where users unlock their devices with device-level authentication then separately authenticate to access work profile applications and data. This dual authentication provides enhanced security for corporate data while allowing simpler authentication for personal device usage if users prefer.
The work profile password operates independently from device password, potentially using different complexity requirements or authentication methods. Organizations can require strong complex passwords for work profile access protecting corporate data while users maintain simpler PINs or patterns for device unlock serving personal usage needs.
Configuring work profile password requirements involves creating a device restrictions profile for the Android Enterprise work profile platform, navigating to the work profile password settings, enabling a required password for the work profile, configuring complexity requirements such as minimum length and character types, setting password expiration if periodic changes are required, and assigning the profile to user groups with work profile devices.
When policies deploy, Android enforces work profile password requirements by prompting users to set work profile passwords if not already configured and requiring work profile password entry when accessing work profile applications for the first time after device unlock or after configured timeout periods. The separate authentication boundary provides clear distinction between personal and work contexts.
Question 187:
You are configuring Microsoft Intune to deploy a VPN profile to macOS devices. The VPN should use certificate authentication with automatic reconnection if the connection drops. What should you configure?
A) VPN profile with IKEv2 protocol, certificate authentication, and on-demand VPN rules for automatic reconnection
B) Always-on VPN with certificate configuration
C) VPN profile with manual reconnection settings
D) Network extension VPN with certificate deployment
Answer: A
Explanation:
VPN connectivity for macOS devices through Intune provides secure network access to corporate resources with comprehensive configuration options including authentication methods, connection protocols, and automatic connection management. Understanding how to properly configure VPN profiles with certificate authentication and on-demand rules ensures reliable secure connectivity without manual user intervention.
VPN profiles for macOS in Intune include configuration for connection type selection such as IKEv2 which provides modern secure VPN protocol with strong encryption, authentication method specification including certificate-based authentication for strong security, server address and connection parameters, and importantly on-demand VPN rules controlling automatic connection behavior based on network conditions or access patterns.
Certificate authentication for VPN requires deploying certificates before VPN profile deployment. The sequence involves deploying trusted certificate profiles containing root CA certificates for server validation, deploying SCEP or PKCS certificate profiles providing client authentication certificates to devices, then deploying VPN profiles referencing the client certificates for authentication. This certificate infrastructure ensures mutual authentication where both VPN server and client prove identity cryptographically.
On-demand VPN rules in macOS VPN profiles define conditions triggering automatic VPN connection establishment or disconnection. Rules can evaluate domains being accessed, DNS responses, network SSIDs, or other criteria determining when VPN connectivity is necessary. For automatic reconnection if connections drop, on-demand rules can specify “Always connect” or “Connect if needed” actions ensuring VPN automatically re-establishes when disconnections occur.
The automatic reconnection functionality operates through macOS monitoring VPN connection status and applying on-demand rules when connections terminate. If connections drop due to network changes, timeout, or server issues, macOS evaluates on-demand rules and automatically initiates reconnection attempts without requiring user intervention. This seamless reconnection provides reliable secure connectivity even as network conditions change.
IKEv2 protocol specifically includes built-in mechanisms for connection mobility and automatic reconnection called MOBIKE (Mobility and Multihoming Protocol) allowing VPN connections to survive network interface changes such as switching between Wi-Fi and cellular or moving between different network locations. This protocol-level support complements on-demand VPN rules providing robust connection maintenance.
Question 188:
You manage Windows 11 devices using Microsoft Intune. You need to configure Windows Defender Credential Guard to protect credentials from theft. What should you configure?
A) Account protection policy in Endpoint security enabling Credential Guard
B) Device restrictions profile with credential protection
C) Windows Defender Application Control policy
D) Compliance policy requiring Credential Guard
Answer: A
Explanation:
Windows Defender Credential Guard provides advanced credential protection using virtualization-based security to isolate credentials from the operating system, preventing credential theft attacks that target LSASS process memory. Understanding how to properly enable Credential Guard through Endpoint security policies ensures strong credential protection on managed Windows devices.
Account protection policies in Intune’s Endpoint security provide dedicated configuration interfaces for identity and authentication security features. Within account protection policies, administrators find Windows Defender Credential Guard settings controlling whether Credential Guard is enabled, enforcement level determining how strictly Credential Guard operates, and compatibility settings managing integration with system components.
Credential Guard leverages virtualization-based security to create an isolated environment, Virtual Secure Mode, where NTLM password hashes, Kerberos ticket-granting tickets, and credentials stored by applications are protected from extraction. Even if malware gains kernel-level privileges and compromises the operating system, the credentials remain isolated in the secure environment, inaccessible to the compromised OS or to the malware.
The technology requires specific hardware capabilities including UEFI firmware version 2.3.1 or higher, Secure Boot to maintain platform integrity, TPM 2.0 for hardware-based security services, and virtualization extensions Intel VT-x or AMD-V for creating isolated containers. These hardware requirements mean Credential Guard is available only on relatively modern Windows systems meeting specifications.
Enabling Credential Guard involves creating an account protection policy in Endpoint security, navigating to the Credential Guard settings, selecting the enable option either with or without a lock that prevents later disablement (the UEFI lock provides additional protection against Credential Guard being turned off), and assigning the policy to device groups with compatible hardware.
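After the policy is assigned, the useful check is whether Credential Guard is actually running on a given device and which lock state it has, since a policy can be configured but the hardware prerequisites above can still stop it from starting. The PowerShell below is an added example, not code from the original page or from Intune: it reads the documented Win32_DeviceGuard WMI class, the LsaCfgFlags registry value, Secure Boot and TPM state, and folds them into one report. The class and value semantics are Microsoft's documented ones; the report function, its property names, and the `Compliant` rule are this example's own choices.

```powershell
# Added example (not from the original page): verify on a Windows 11 device that
# Credential Guard is configured, running, and whether a UEFI lock is set.
# Run in an elevated PowerShell session.

function Get-CredentialGuardReport {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    $vbsStatus = switch ($dg.VirtualizationBasedSecurityStatus) {
        0       { 'Off' }
        1       { 'Enabled, not running' }
        2       { 'Running' }
        default { "Unknown ($_)" }
    }

    # SecurityServicesConfigured / SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
    $cgConfigured = $dg.SecurityServicesConfigured -contains 1
    $cgRunning    = $dg.SecurityServicesRunning    -contains 1

    # LsaCfgFlags: 1 = enabled with UEFI lock, 2 = enabled without lock, 0/absent = disabled
    $lsaFlags = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA' `
                                  -Name LsaCfgFlags -ErrorAction SilentlyContinue).LsaCfgFlags
    $lockState = switch ($lsaFlags) {
        1       { 'Enabled with UEFI lock' }
        2       { 'Enabled without lock' }
        default { 'Not configured in registry' }
    }

    # Hardware prerequisites named in the explanation: Secure Boot, TPM 2.0,
    # virtualization extensions (AvailableSecurityProperties: 1 = base virtualization
    # support, 2 = Secure Boot, 3 = DMA protection).
    $secureBoot = try { Confirm-SecureBootUEFI } catch { $false }   # throws on legacy BIOS
    $tpm        = Get-Tpm -ErrorAction SilentlyContinue
    $tpmSpec    = (Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                                   -ClassName Win32_Tpm -ErrorAction SilentlyContinue).SpecVersion

    [pscustomobject]@{
        VbsStatus                 = $vbsStatus
        CredentialGuardConfigured = $cgConfigured
        CredentialGuardRunning    = $cgRunning
        LockState                 = $lockState
        SecureBootOn              = [bool]$secureBoot
        TpmPresentAndReady        = ($null -ne $tpm -and $tpm.TpmPresent -and $tpm.TpmReady)
        TpmSpecVersion            = $tpmSpec                       # e.g. starts with "2.0"
        VirtualizationSupport     = ($dg.AvailableSecurityProperties -contains 1)
        # Example's own rule: count the device as protected only when the service is
        # actually running, not merely configured, and Secure Boot backs it.
        Compliant                 = ($cgRunning -and [bool]$secureBoot)
    }
}

# Usage
Get-CredentialGuardReport | Format-List
```

A device that shows `CredentialGuardConfigured = True` but `CredentialGuardRunning = False` has received the policy and is missing a prerequisite (most often Secure Boot or virtualization support), which is the case the hardware requirements paragraph above is warning about; `LockState` tells you whether a later attempt to disable it would also need a UEFI-level change.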
Question 189:
Your organization uses Microsoft Intune to manage iOS devices. You need to deploy a configuration that prevents users from taking screenshots of specific managed applications. What should you configure?
A) App protection policy for specific applications with screenshot blocking
B) Device restrictions profile preventing screenshots system-wide
C) App configuration policy with screenshot prevention settings
D) Screenshot blocking is not available for specific applications on iOS
Answer: D
Explanation:
Understanding platform-specific capabilities and limitations of mobile device management helps administrators set realistic expectations about which controls are available on specific platforms. iOS screenshot blocking represents a capability that differs significantly from Android in terms of granular application-specific control available through MDM policies.
iOS app protection policies include numerous data loss prevention controls like restricting data transfer, requiring authentication, encrypting data, and controlling clipboard operations. However, application-specific screenshot blocking is not available as a control in iOS app protection policies. This limitation stems from iOS platform architecture where Apple provides limited APIs for applications to prevent screenshots at the application level.
Unlike Android where applications can set window security flags preventing system-level screenshot capture within specific applications, iOS doesn’t provide equivalent application-level screenshot prevention mechanisms through standard APIs available to MDM-integrated applications. This architectural difference means app protection policies cannot enforce screenshot blocking on iOS as they can on Android.
Organizations requiring screenshot prevention on iOS devices have limited options including deploying device restrictions blocking screenshots system-wide though this affects all applications not just managed apps, accepting the limitation and relying on other data loss prevention controls available for iOS, evaluating whether data sensitivity warrants requiring enrolled devices where device-wide restrictions are acceptable, or implementing applications with proprietary screenshot detection attempting to identify and respond to screenshot attempts though effectiveness is limited.
Question 190:
You are configuring Microsoft Intune to manage Windows 11 devices. You need to deploy a configuration that sets Microsoft Edge as the default PDF viewer. What should you configure?
A) Settings Catalog with default application association for PDF files to Microsoft Edge
B) Administrative Templates profile with Edge PDF settings
C) Device restrictions setting Edge as default applications
D) Edge browser policy with PDF handling configuration
Answer: A
Explanation:
Default application associations on Windows determine which applications open specific file types providing consistent user experiences where preferred applications handle relevant content without manual selection. Understanding how to configure default associations through Settings Catalog ensures Microsoft Edge becomes the default PDF viewer across managed devices.
Settings Catalog provides comprehensive access to Windows configuration settings including default application association policies. These policies specify which applications should handle specific file extensions like .pdf files or protocol schemes like http:// links. For PDF viewer configuration, policies specify that .pdf and potentially related extensions should associate with Microsoft Edge’s application identifier.
Default application associations override user preferences and previous default selections ensuring organizational standards apply consistently. When PDFs are opened through file explorer, email attachments, or web downloads, Windows launches Microsoft Edge as the configured default viewer rather than alternative PDF applications users might have installed.
Microsoft Edge includes built-in PDF viewing capabilities providing feature-rich PDF reading experience without requiring separate PDF viewer applications. Edge’s PDF viewer supports annotation, form filling, printing, and other common PDF operations while integrating with browser security features and enterprise management capabilities.
Configuring PDF associations involves creating a Settings Catalog policy, searching for the default application association or file association settings, specifying association mappings between the .pdf extension and Microsoft Edge’s application identifier, optionally including related extensions like .xps or other document formats, and assigning the policy to device groups that require Edge as the PDF viewer.
The policy deploys to Windows devices where operating system applies default application associations. Users opening PDF files find Microsoft Edge launches automatically displaying the document. If users attempt changing default PDF viewer through Windows Settings, managed associations may prevent changes or revert to policy-configured defaults depending on specific policy settings.
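The association mapping the explanation describes is carried as an XML document in the same `<DefaultAssociations>` format Windows uses for DISM default associations, supplied to the `ApplicationDefaults/DefaultAssociationsConfiguration` setting as base64. The PowerShell below is an added example, not code from the original page or from Intune: it builds that XML for .pdf, base64-encodes it, and verifies on a device which ProgId currently owns .pdf. `MSEdgePDF` is the ProgId Edge registers for PDF on current builds; the example treats it as an assumption to confirm against the device's own `OpenWithProgids` list before deploying. The function names are this example's own.

```powershell
# Added example (not from the original page): build the default-associations XML
# that maps .pdf to Microsoft Edge, emit it base64-encoded for the
# ApplicationDefaults/DefaultAssociationsConfiguration setting, and check which
# ProgId actually handles .pdf on this device.

function Get-RegisteredPdfProgIds {
    # Every ProgId that has registered itself as able to open .pdf on this device.
    # Use this to confirm the Edge ProgId assumed below exists before deploying.
    $key = 'HKLM:\SOFTWARE\Classes\.pdf\OpenWithProgids'
    if (-not (Test-Path $key)) { return @() }
    (Get-Item $key).GetValueNames() | Where-Object { $_ }
}

function New-DefaultAssociationsXml {
    param(
        [string[]]$Extensions      = @('.pdf'),
        [string]$ProgId            = 'MSEdgePDF',        # assumed Edge PDF ProgId; verify on device
        [string]$ApplicationName   = 'Microsoft Edge'
    )
    $assocs = foreach ($ext in $Extensions) {
        "  <Association Identifier=`"$ext`" ProgId=`"$ProgId`" ApplicationName=`"$ApplicationName`" />"
    }
    $lines = @('<?xml version="1.0" encoding="UTF-8"?>', '<DefaultAssociations>') + $assocs + '</DefaultAssociations>'
    return ($lines -join "`r`n")
}

function ConvertTo-DefaultAssociationsBase64 {
    # The CSP setting takes the XML as a base64 string, not as a file.
    param([Parameter(Mandatory)][string]$Xml)
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Xml))
}

function Get-CurrentPdfHandler {
    # The per-user choice Windows consults when a .pdf is opened; after the policy
    # applies this should report the Edge ProgId.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoice'
    (Get-ItemProperty -Path $key -Name ProgId -ErrorAction SilentlyContinue).ProgId
}

# Usage
$registered = Get-RegisteredPdfProgIds
"ProgIds registered for .pdf on this device: $($registered -join ', ')"
if ($registered -notcontains 'MSEdgePDF') {
    Write-Warning 'MSEdgePDF is not registered here; pick the Edge ProgId from the list above.'
}
$xml = New-DefaultAssociationsXml -Extensions '.pdf'
$xml
"Base64 value for the Settings Catalog setting:"
ConvertTo-DefaultAssociationsBase64 -Xml $xml
"Current .pdf handler for this user: $(Get-CurrentPdfHandler)"
```

Running `Get-CurrentPdfHandler` before and after the policy applies gives a direct check of the behaviour described in the paragraph above: if the ProgId reverts to the Edge value after a user changes it in Windows Settings, the managed association is being enforced.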
Question 191:
You manage Android Enterprise devices using Microsoft Intune. You need to configure devices to automatically connect to corporate Wi-Fi and prevent users from adding other Wi-Fi networks. What should you configure?
A) Wi-Fi profile with corporate network settings and device restrictions blocking user-configured Wi-Fi networks
B) Wi-Fi profile with exclusive network configuration
C) Network configuration profile restricting Wi-Fi options
D) Compliance policy requiring corporate Wi-Fi only
Answer: A
Explanation:
Android Enterprise device management provides separate controls for deploying network configurations versus restricting user ability to modify network settings. Understanding how to combine Wi-Fi profile deployment with device restrictions creates comprehensive network control where corporate networks are automatically available while preventing potentially insecure user-added networks.
Wi-Fi profiles in Intune deploy network configurations to Android Enterprise devices including network SSID identifying the wireless network, security type such as WPA2-Enterprise or WPA2-Personal, authentication methods and credentials, certificates for authentication if using certificate-based security, and proxy settings if required for network access.
When Wi-Fi profiles deploy, corporate networks appear in available networks list and devices can automatically connect using configured credentials without user intervention. The automatic connection provides seamless corporate network access immediately after device enrollment without requiring users to understand or manually configure network settings.
However, Wi-Fi profile deployment alone doesn’t prevent users from adding additional networks through Android settings. Users can still manually configure connections to home networks, public hotspots, or other networks not controlled by organizational policies. This flexibility might violate security requirements mandating exclusive corporate network usage.
Device restrictions profiles for Android Enterprise include settings controlling user ability to modify network configurations. The restriction blocking user-configured Wi-Fi networks prevents users from adding, modifying, or removing Wi-Fi networks through Settings. When this restriction is enabled, Wi-Fi settings show only MDM-deployed networks with options to add networks disabled or hidden.
The combination of Wi-Fi profile deployment and user configuration restriction creates locked network environment where corporate Wi-Fi automatically connects and users cannot add alternative networks. This ensures devices only connect to approved secure networks preventing data leakage through unencrypted public Wi-Fi or connection to potentially malicious rogue access points.
Question 192:
Your organization uses Microsoft Intune to manage macOS devices. You need to deploy a configuration that requires devices to use specific DNS servers for all network connections. What should you configure?
A) Custom configuration profile with preference domain plist for DNS settings
B) Network configuration profile with DNS specifications
C) Device restrictions profile with network DNS settings
D) VPN profile with DNS configuration
Answer: A
Explanation:
DNS server configuration on macOS affects name resolution for network traffic impacting which DNS infrastructure handles domain queries. Understanding how to properly configure system-wide DNS settings through custom configuration profiles ensures devices use organizational DNS servers supporting security policies, content filtering, or network architecture requirements.
Custom configuration profiles in Intune allow deploying preference domain plist files containing specific macOS configuration settings. For DNS configuration, the relevant preference domain is typically a network-related domain controlling DNS server assignments, search domains, and other name resolution parameters.
Creating a custom DNS configuration involves crafting a plist file with the appropriate XML structure and preference keys, specifying DNS server IP addresses in the correct plist key format, optionally including DNS search domains if needed, and configuring whether the settings apply at the system or network interface level.
The plist file is uploaded to Intune during custom profile creation along with the preference domain name, a system- or user-level specification determining the setting scope, and the profile assignment to device groups. When devices receive custom profiles through MDM, macOS applies the preference settings to the network configuration, enforcing DNS server usage according to policy.
System-wide DNS configuration ensures all network traffic uses specified DNS servers regardless of network connection type. This provides consistent DNS policy enforcement whether devices connect via Wi-Fi, Ethernet, or VPN. Organizational DNS servers enable content filtering, threat intelligence, internal domain resolution, and DNS query logging supporting security monitoring.
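What such a profile looks like on disk, as an added example that is not from this page or from Microsoft: the script builds a full macOS configuration profile (the XML plist inside a .mobileconfig) carrying Apple's DNS Settings payload, which pins the device-wide resolvers and can forbid users from switching them off, then parses a profile back to list the resolvers it enforces so a file can be reviewed before upload. The payload type and keys (com.apple.dnsSettings.managed, DNSSettings, DNSProtocol, ServerAddresses, ServerName, ServerURL, ProhibitDisablement) are Apple's; the identifiers, addresses and server names are constructed, and deployment as a custom profile in Intune is assumed.

```python
"""Build and review a macOS configuration profile that pins system-wide DNS
resolvers through Apple's DNS Settings payload. Added example; every
identifier, address and host name below is constructed for illustration."""
import ipaddress
import plistlib
import uuid

DNS_PAYLOAD_TYPE = "com.apple.dnsSettings.managed"


def build_dns_profile(server_addresses, protocol="TLS", server_name=None,
                      server_url=None, identifier="com.example.managed-dns"):
    """Return a profile dict whose single payload forces the listed resolvers.

    protocol is "TLS" (DNS over TLS, needs server_name for certificate
    validation) or "HTTPS" (DNS over HTTPS, needs an https:// server_url).
    Addresses are validated so a typo cannot silently leave devices resolving
    against nothing, or against the wrong server.
    """
    if protocol not in ("TLS", "HTTPS"):
        raise ValueError(f"unsupported DNSProtocol: {protocol}")
    # ipaddress raises ValueError on anything that is not a literal IPv4/IPv6 address
    addresses = [str(ipaddress.ip_address(a)) for a in server_addresses]
    if not addresses:
        raise ValueError("at least one DNS server address is required")

    dns_settings = {"DNSProtocol": protocol, "ServerAddresses": addresses}
    if protocol == "TLS":
        if not server_name:
            raise ValueError("DNS over TLS requires ServerName")
        dns_settings["ServerName"] = server_name
    else:
        if not server_url or not server_url.startswith("https://"):
            raise ValueError("DNS over HTTPS requires an https:// ServerURL")
        dns_settings["ServerURL"] = server_url

    payload = {
        "PayloadType": DNS_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{identifier}.dns",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Managed DNS",
        "DNSSettings": dns_settings,
        # Stop users from disabling the managed resolver in System Settings.
        "ProhibitDisablement": True,
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",  # device-wide rather than per user
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Corporate DNS (constructed example)",
        "PayloadContent": [payload],
    }


def profile_to_xml(profile) -> bytes:
    """Serialize to the XML plist form a .mobileconfig file contains."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def dns_servers_in_profile(xml_bytes) -> list:
    """Parse a .mobileconfig and return every resolver address it enforces.

    The payloads are walked rather than trusting the display name, which is
    what a reviewer should do before uploading someone else's profile.
    """
    profile = plistlib.loads(xml_bytes)
    if profile.get("PayloadType") != "Configuration":
        raise ValueError("not a configuration profile")
    servers = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == DNS_PAYLOAD_TYPE:
            servers.extend(payload.get("DNSSettings", {}).get("ServerAddresses", []))
    return servers


if __name__ == "__main__":
    prof = build_dns_profile(["10.10.0.53", "10.10.1.53"], server_name="dns.corp.example")
    xml = profile_to_xml(prof)
    print(xml.decode())
    print("resolvers enforced:", dns_servers_in_profile(xml))
```

Run it to print the profile XML; save the bytes as a `.mobileconfig` to upload. Because the payload uses encrypted DNS (DoT or DoH), the resolver's certificate name or URL must match what the server actually presents, otherwise name resolution fails rather than silently falling back.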
Question 193:
You manage Windows 11 devices using Microsoft Intune. You need to configure a policy that prevents users from modifying Windows Defender Firewall settings. What should you configure?
A) Settings Catalog with firewall modification restriction policies
B) Device restrictions profile preventing firewall changes
C) Endpoint security Firewall policy with user modification prevention
D) Compliance policy requiring firewall configuration
Answer: A
Explanation:
Windows Defender Firewall provides critical network security, and preventing unauthorized user modifications ensures firewall protections remain active and properly configured. Understanding how to properly restrict firewall modification through Settings Catalog maintains consistent security configurations across managed devices.
Settings Catalog provides comprehensive access to Windows configuration settings including security policies controlling firewall management. Within firewall-related settings, administrators find policies preventing users from modifying firewall settings, disabling firewall, changing rules, or accessing firewall configuration interfaces. These policies ensure IT-configured firewall protections remain enforced without user intervention or circumvention.
Firewall modification restrictions prevent users from accessing firewall settings in Windows Security interface, disabling firewall through PowerShell or command-line tools, modifying firewall rules allowing or blocking traffic, changing firewall profiles or network location awareness settings, and bypassing firewall through system configuration changes.
The enforcement operates through the Windows policy engine, which prevents firewall management actions when users lack appropriate permissions. Attempting to modify firewall settings produces error messages indicating the settings are managed by an administrator or organizational policy. Standard users, and even users with local administrator rights, cannot modify the firewall when management policies enforce the restrictions.
Preventing firewall modifications maintains security posture where IT-configured protections remain active. Users cannot accidentally or intentionally disable firewall exposing devices to network attacks, modify rules allowing inappropriate inbound connections, or weaken security through misconfiguration. The restriction ensures firewall remains configured according to organizational security standards.
Firewall modification prevention complements firewall configuration policies: IT configures appropriate firewall rules, connection restrictions, and security settings through separate policies, then deploys restriction policies preventing users from undoing those configurations. This layered approach establishes secure configurations and maintains them against user changes.
Question 194:
You are configuring app protection policies for iOS devices. You need to ensure that corporate data cannot be saved to personal cloud storage services like iCloud Drive or Dropbox. What should you configure?
A) Data transfer settings: “Save copies of org data” configured to block saving to unapproved services
B) Access requirements restricting cloud storage destinations
C) Conditional launch preventing unauthorized cloud access
D) Data encryption blocking cloud uploads
Answer: A
Explanation:
App protection policies provide granular control over where corporate data can be saved preventing data leakage to unauthorized storage locations while maintaining productivity through approved storage services. Understanding the “Save copies of org data” setting ensures corporate data flows only to IT-managed cloud services where organizational security and governance apply.
Data transfer settings in app protection policies include “Save copies of org data” controlling where users can save corporate documents and files from managed applications. This setting offers configuration options including blocking all save operations except approved locations, allowing saves to any location, or selectively allowing saves to specific cloud storage services through service exemptions or allowlists.
When configured to block or restrict saving, the setting prevents users from using Save As functionality, export features, or sharing interfaces to transfer corporate documents to unauthorized destinations. Attempts to save to blocked locations are prevented with notifications explaining organizational policy restricts the action.
For selective allowlisting, administrators specify approved cloud storage services such as OneDrive for Business which provides IT-managed secure storage where organizational security controls, compliance policies, and data governance apply. Personal cloud storage services like personal OneDrive accounts, Dropbox, Google Drive, or iCloud Drive can be blocked ensuring corporate data doesn’t flow to consumer storage outside IT control.
The implementation occurs through Intune-protected applications integrating with Intune App SDK. When users attempt saving documents, applications check destination services against policy allowlists. Saves to approved services like OneDrive for Business proceed normally while attempts to save to unapproved services are blocked with policy enforcement notifications.
This control is particularly important for preventing intentional or inadvertent data exfiltration where users might upload sensitive corporate documents to personal cloud accounts accessible from unmanaged devices or potentially shared with external parties. Restricting saves to approved corporate storage maintains data location control and access governance.
Question 195:
You manage Android Enterprise devices using Microsoft Intune. You need to configure devices to prevent data loss if devices are lost or stolen by automatically wiping after 10 failed unlock attempts. What should you configure?
A) Device restrictions profile with maximum failed attempts before device wipe
B) Compliance policy requiring wipe after failed attempts
C) Password policy with automatic wipe configuration
D) Conditional Access policy triggering wipe after authentication failures
Answer: A
Explanation:
Device wipe after failed authentication attempts provides automatic data protection when devices are lost or stolen, preventing unauthorized access through brute force password guessing while maintaining data security through automatic data destruction. Understanding how to properly configure failed attempt limits through device restrictions ensures lost devices don’t compromise corporate data.
Device restrictions profiles for Android Enterprise include comprehensive password and security settings controlling authentication parameters. Within password settings, administrators find options for maximum failed unlock attempts specifying how many incorrect password, PIN, or pattern entries are allowed before device automatically wipes all data. Setting this to 10 attempts provides balance between protecting against persistent attack attempts and avoiding accidental wipes from legitimate users who temporarily forget passwords.
When failed attempt limits are configured and deployed, Android enforces them by counting consecutive failed authentication attempts. Each incorrect password entry increments the failure counter. After reaching the configured maximum of 10 attempts, Android automatically performs a factory reset, wiping all device data including corporate and personal content, removing all applications and accounts, and restoring the device to its out-of-box state.
The automatic wipe provides critical protection for lost or stolen devices where attackers might attempt brute force password guessing to gain access. Without an automatic wipe, attackers have unlimited attempts to guess passwords, potentially succeeding given sufficient time. The failed attempt limit creates a finite attack window, after which the device protects itself through data destruction.
Question 196:
Your organization uses Microsoft Intune to manage Windows 11 devices. You need to deploy a configuration that automatically installs monthly Windows quality updates but prevents automatic restarts during business hours. What should you configure?
A) Update ring with quality update deadline and active hours configured
B) Windows Update policy with automatic installation and manual restart
C) Feature update policy with installation timing
D) Deployment ring with quality update schedule
Answer: A
Explanation:
Windows Update for Business provides comprehensive control over update deployment and restart behavior balancing security currency through timely updates with user productivity by preventing disruptive restarts during work hours. Understanding how to configure update rings with deadlines and active hours ensures updates install promptly while respecting business operations.
Update rings in Intune include separate controls for quality updates containing monthly security patches and bug fixes versus feature updates introducing major version changes. Quality update settings allow configuring deferral periods delaying when updates become available, deadlines enforcing when available updates must install, and restart behavior controlling when devices can automatically restart after update installation.
Quality update deadlines specify how many days after updates become available that devices must install them. Setting deadlines ensures updates don’t remain uninstalled indefinitely because of user postponement. Updates must install within the deadline window even if users repeatedly defer installation, providing enforcement that ensures security currency.
Active hours configuration protects user productivity by preventing automatic restarts during specified time periods when users typically work. Setting active hours to business hours like 8 AM to 6 PM ensures Windows doesn’t force automatic restarts during productive work time even when updates requiring restarts are installed. Instead, Windows schedules restarts outside active hours or prompts users to manually initiate restarts if convenient.
The combination of quality update deadlines with active hours creates balanced update enforcement where updates must install within specified timeframes ensuring security, but restarts respect business hours ensuring users aren’t disrupted during critical work periods. Users working during business hours see update notifications and can manually restart at convenient times, while devices left running overnight automatically restart outside active hours.
Configuring the solution involves creating an update ring, setting the quality update deferral to 0 days if immediate availability is desired (or configuring a deferral for a testing period), setting a quality update deadline enforcing installation within an acceptable timeframe, configuring active hours protecting business hours from automatic restarts, and assigning the policy to the device groups requiring managed updates.
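The interplay of deferral, deadline and active hours described above, worked as plain date arithmetic in an added example (not code from this page or from Microsoft). The ring values and the release date are constructed; the model deliberately leaves out Windows' grace period, engaged-restart and notification behaviour, so it shows when the policy permits an automatic restart and when the install becomes mandatory, not the complete scheduler.

```python
"""Added example: deferral, deadline and active hours for a quality update,
modelled as date arithmetic. Ring values and dates below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class UpdateRing:
    quality_deferral_days: int   # days before a released update is offered to the device
    quality_deadline_days: int   # days after it is offered by which it must be installed
    active_hours_start: int      # hour of day, 0-23
    active_hours_end: int        # hour of day, 0-23; may be < start to wrap past midnight


def offered_on(release: datetime, ring: UpdateRing) -> datetime:
    """The deferral delays when the update is offered, not when it was published."""
    return release + timedelta(days=ring.quality_deferral_days)


def deadline(release: datetime, ring: UpdateRing) -> datetime:
    """The deadline counts from when the device is offered the update, so a
    7-day deadline on a 3-day deferral falls 10 days after release."""
    return offered_on(release, ring) + timedelta(days=ring.quality_deadline_days)


def in_active_hours(t: datetime, ring: UpdateRing) -> bool:
    start, end = ring.active_hours_start, ring.active_hours_end
    if start == end:
        return False                      # degenerate window: nothing protected
    if start < end:
        return start <= t.hour < end      # e.g. 8 AM to 6 PM
    return t.hour >= start or t.hour < end  # e.g. 10 PM to 6 AM, wrapping midnight


def next_restart_window(now: datetime, ring: UpdateRing) -> datetime:
    """Earliest moment at or after `now` when an automatic restart is permitted."""
    if not in_active_hours(now, ring):
        return now
    end = now.replace(hour=ring.active_hours_end, minute=0, second=0, microsecond=0)
    if end <= now:                        # wrapping window: active hours end tomorrow
        end += timedelta(days=1)
    return end


def plan(now: datetime, release: datetime, ring: UpdateRing, restart_pending: bool) -> str:
    """Summarise what the ring requires of the device right now."""
    if now < offered_on(release, ring):
        return "not yet offered (deferral)"
    if not restart_pending:
        if now >= deadline(release, ring):
            return "install now (deadline passed)"
        return "install pending; user may defer until the deadline"
    if in_active_hours(now, ring):
        return f"installed; restart deferred to {next_restart_window(now, ring):%Y-%m-%d %H:%M}"
    return "installed; automatic restart permitted now"


if __name__ == "__main__":
    business_hours = UpdateRing(quality_deferral_days=0, quality_deadline_days=7,
                                active_hours_start=8, active_hours_end=18)
    release = datetime(2024, 1, 9, 10, 0)   # constructed "Patch Tuesday" release time
    for when in (datetime(2024, 1, 10, 12, 0), datetime(2024, 1, 10, 20, 0), datetime(2024, 1, 17, 9, 0)):
        print(when, "->", plan(when, release, business_hours, restart_pending=when.day == 10))
```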
Question 197:
You manage Windows 11 devices using Microsoft Intune. You need to configure Windows Defender Firewall to block all inbound connections on public networks but allow inbound connections for Remote Desktop on domain networks. What should you configure?
A) Endpoint security Firewall policy with public network profile blocking inbound connections and domain network profile with Remote Desktop allow rule
B) Device configuration profile with Windows Defender Firewall settings for network profiles
C) Settings Catalog with firewall rules for different network locations
D) Network security policy with location-based firewall configuration
Answer: A
Explanation:
Windows Defender Firewall provides network-level security with different profiles for various network location types, allowing administrators to configure appropriate security levels based on network trust. Understanding how to configure profile-specific firewall policies ensures devices have strict protection on untrusted public networks while permitting necessary business connectivity on trusted corporate networks.
Endpoint security Firewall policies in Intune provide comprehensive firewall management including separate configuration for Domain, Private, and Public network profiles. Each profile can have distinct default behaviors and firewall rules appropriate for the trust level of that network type. This separation allows organizations to implement strict security on public networks while enabling business connectivity on corporate networks.
Public network profile represents untrusted networks like coffee shop Wi-Fi, hotel networks, or airport hotspots where devices should have maximum protection. Configuring the public profile to block all inbound connections prevents any external systems from initiating connections to the device, protecting against network-based attacks common in public environments. Only outbound connections initiated by the device are permitted, providing internet access while preventing external access attempts.
Domain network profile represents corporate domain networks where devices connect to trusted infrastructure. This profile can have more permissive settings allowing necessary business services. Creating a firewall rule specifically for the domain profile that allows Remote Desktop connections enables IT support and remote administration scenarios where administrators need RDP access to managed devices on corporate networks.
The rule configuration specifies Remote Desktop as the allowed service, inbound direction, allow action, domain network profile as the applicable scope, and optionally TCP port 3389 if using default RDP port. This targeted rule permits RDP only when devices connect to domain networks, maintaining security by not exposing RDP on public networks where it could be attacked.
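Why the profile scope matters, as an added example that is not from this page or from Microsoft: a small model of Windows Defender Firewall evaluation with per-profile defaults, a shielded ("block all inbound") Public profile, and an RDP allow rule scoped to Domain only. It is simplified (no address scoping, no authenticated-bypass rules); the rule set and the evaluation order (block rules beat allow rules, allow rules beat the profile default, and inbound allow rules are ignored in shielded mode) follow Windows Firewall behaviour, while the policy values themselves are constructed to match the scenario in the question.

```python
"""Added example: model of Windows Defender Firewall profile evaluation showing
why an RDP allow rule scoped to the Domain profile does not expose TCP 3389
when the same device joins a Public network. Policy values are constructed."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Action(Enum):
    ALLOW = "Allow"
    BLOCK = "Block"


class Profile(Enum):
    DOMAIN = "Domain"
    PRIVATE = "Private"
    PUBLIC = "Public"


@dataclass(frozen=True)
class ProfileSettings:
    """Per-profile defaults, named after the Firewall CSP settings with the same meaning."""
    default_inbound: Action
    default_outbound: Action = Action.ALLOW
    # Shielded mode ("block all inbound connections"): inbound allow rules are ignored.
    shielded: bool = False


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str                           # "Inbound" or "Outbound"
    action: Action
    profiles: frozenset                      # profiles the rule applies to
    protocol: str = "Any"                    # "TCP", "UDP" or "Any"
    local_ports: Optional[frozenset] = None  # None means any local port


def evaluate(settings, rules, active, direction, protocol, port):
    """Return (Action, reason) for one connection on the active profile.

    Simplified order: an explicit block rule wins over an allow rule, an allow
    rule wins over the profile default, otherwise the default applies. In
    shielded mode inbound allow rules are skipped entirely.
    """
    prof = settings[active]
    matches = [
        r for r in rules
        if active in r.profiles
        and r.direction == direction
        and r.protocol in ("Any", protocol)
        and (r.local_ports is None or port in r.local_ports)
    ]
    for r in matches:
        if r.action is Action.BLOCK:
            return Action.BLOCK, f"block rule: {r.name}"
    if direction == "Inbound" and prof.shielded:
        return Action.BLOCK, "shielded: all inbound blocked, allow rules ignored"
    for r in matches:
        if r.action is Action.ALLOW:
            return Action.ALLOW, f"allow rule: {r.name}"
    default = prof.default_inbound if direction == "Inbound" else prof.default_outbound
    return default, f"{active.value} profile default"


# Constructed policy for the scenario: everything inbound is blocked on Public,
# Domain permits Remote Desktop only.
POLICY = {
    Profile.DOMAIN: ProfileSettings(default_inbound=Action.BLOCK),
    Profile.PRIVATE: ProfileSettings(default_inbound=Action.BLOCK),
    Profile.PUBLIC: ProfileSettings(default_inbound=Action.BLOCK, shielded=True),
}
RULES = [
    Rule("Allow Remote Desktop (Domain only)", "Inbound", Action.ALLOW,
         frozenset({Profile.DOMAIN}), protocol="TCP", local_ports=frozenset({3389})),
]


def rdp_exposure(rules=RULES):
    """Map each profile name to the verdict for an inbound TCP/3389 connection."""
    return {p.value: evaluate(POLICY, rules, p, "Inbound", "TCP", 3389)[0].value
            for p in Profile}


if __name__ == "__main__":
    for profile, verdict in rdp_exposure().items():
        print(f"{profile:8} inbound TCP/3389 -> {verdict}")
```

The second half of the test below exercises the failure mode this rule design avoids: a rule mistakenly scoped to all profiles would open RDP on Private networks, and only the shielded Public profile would still refuse it.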
Question 198:
You are configuring Microsoft Intune to manage iOS devices. You need to deploy a configuration that requires users to authenticate before AutoFill can populate passwords in Safari. What should you configure?
A) Device restrictions profile with AutoFill password authentication requirement
B) Device features profile with Safari AutoFill settings
C) Password policy requiring authentication for AutoFill access
D) This capability is controlled by iOS system settings, not MDM policies
Answer: D
Explanation:
Understanding the distinction between settings configurable through MDM policies versus settings controlled by operating system design helps administrators recognize which security controls are built into iOS versus which require explicit policy configuration. AutoFill authentication requirements in iOS Safari represent functionality controlled by iOS system behavior rather than MDM-configurable policies.
iOS includes built-in security controls for password AutoFill that require user authentication before passwords are populated into web forms or applications. This authentication uses Face ID, Touch ID, or device passcode depending on device capabilities and user configuration. The authentication requirement occurs automatically as part of iOS security architecture protecting stored credentials from unauthorized access.
When users encounter password fields in Safari or other applications supporting password AutoFill, iOS prompts for biometric authentication or passcode entry before displaying available credentials or populating selected passwords. This behavior is inherent to iOS password management protecting keychain-stored credentials regardless of device management status.
MDM policies cannot modify this built-in authentication behavior because iOS maintains user control over password access security as a privacy and security principle. The authentication requirement protects both personal and corporate credentials stored in device keychains, ensuring only authenticated users can access stored passwords.
Device restrictions profiles for iOS include numerous settings controlling various features and capabilities, but AutoFill authentication requirements are not among configurable options. The authentication is fundamental to iOS credential management architecture rather than being an optional policy setting. MDM can control whether AutoFill is available but cannot modify the authentication requirements iOS enforces for credential access.
Organizations concerned about credential security on iOS devices benefit from the built-in authentication requirements without needing explicit policy configuration. The iOS-enforced authentication provides strong protection for stored credentials through hardware-backed biometric authentication or strong passcode requirements.
Question 199:
You manage Android Enterprise devices using Microsoft Intune. You need to configure a policy that requires devices to check in with Intune at least once every 24 hours or mark them non-compliant. What should you configure?
A) Compliance policy with device health check requiring regular check-in
B) Device check-in frequency is controlled by Android system behavior, not compliance policies
C) Device restrictions with mandatory sync interval
D) Conditional Access policy requiring daily device authentication
Answer: B
Explanation:
Understanding the distinction between device behaviors controlled by management platform architecture versus behaviors configurable through policies helps administrators recognize platform limitations and design realistic compliance strategies. Device check-in frequency with Intune represents platform behavior rather than user-configurable compliance requirements.
Android Enterprise devices enrolled in Intune check in with the management service at regular intervals determined by Android management framework and Intune service architecture. The check-in frequency typically occurs approximately every 8 hours for policy sync and compliance evaluation. This timing is designed by platform architecture to balance timely policy enforcement with device battery life and network resource consumption.
Compliance policies in Intune evaluate device security state against defined requirements including encryption status, operating system version, password complexity, threat level, and various security configurations. However, compliance policies cannot directly enforce device check-in frequency because the check-in timing is controlled by the management framework itself rather than being a configurable device attribute.
The platform-controlled check-in frequency ensures devices remain connected to management services without requiring explicit policy configuration. Devices automatically check in during regular intervals, receive updated policies, report compliance status, install assigned applications, and synchronize configurations. This automatic behavior maintains device management relationships without user or administrator intervention.
Organizations concerned about device connectivity can monitor last check-in times through Intune reporting rather than attempting to enforce check-in frequency through compliance policies. The device list in Intune shows last contact time for each device, allowing administrators to identify devices that haven’t checked in recently potentially indicating offline devices, connectivity issues, or devices removed from service.
Devices that remain offline or disconnected from Intune for extended periods eventually fall out of compliance evaluation, but this occurs due to inability to evaluate compliance rather than explicit check-in frequency requirements. Compliance evaluation requires device connectivity to report status, so prolonged disconnection results in stale compliance status.
Question 200:
Your organization uses Microsoft Intune to manage Windows 11 devices. You need to configure a policy that prevents BitLocker encryption keys from being stored locally on devices but requires backup to Azure AD. What should you configure?
A) Endpoint security Disk encryption policy with recovery key backup to Azure AD and automatic removal of local keys enabled
B) BitLocker policy requiring Azure AD backup only
C) Compliance policy verifying recovery key backup location
D) Device configuration profile with BitLocker recovery key settings
Answer: A
Explanation:
BitLocker recovery key management ensures business continuity when legitimate recovery is needed while preventing security compromises through unauthorized recovery key access. Understanding how to configure recovery key backup to Azure AD with automatic local key removal creates centralized secure key storage eliminating local attack vectors where physical device access could expose recovery keys.
Endpoint security Disk encryption policies in Microsoft Intune provide comprehensive BitLocker configuration including encryption methods, authentication requirements, and critically recovery key management settings. Within recovery key configuration, administrators specify where BitLocker recovery keys are backed up and whether local copies should remain on devices after successful backup.
Configuring recovery key backup to Azure AD ensures keys are securely transmitted to Azure AD during BitLocker enablement and stored encrypted in association with device objects. Authorized administrators can retrieve keys through the Intune admin center or Azure AD portal when users require recovery assistance after forgotten passwords or authentication failures.
The automatic removal of local recovery key copies is essential for security. When this setting is enabled, Windows deletes local recovery keys from device metadata after confirming successful backup to Azure AD. Without local keys, attackers with physical device access cannot extract recovery keys to decrypt data even if they gain operating system access. Recovery keys remain accessible only through Azure AD where access is controlled, audited, and restricted to authorized personnel.