Question 1:
You are an administrator for a company that uses Microsoft Intune to manage Windows 11 devices. A user reports that their device is not receiving the latest compliance policy updates. You verify that the device is enrolled in Intune and has an active internet connection. What should you check first to troubleshoot this issue?
A) Verify the device’s last sync time in the Intune admin center
B) Restart the Microsoft Intune Management Extension service on the device
C) Re-enroll the device in Intune
D) Check if the user has local administrator rights on the device
Answer: A
Explanation:
When troubleshooting compliance policy delivery issues in Microsoft Intune, the most logical first step is to verify the device’s last sync time in the Intune admin center. This provides critical information about whether the device is successfully communicating with the Intune service and when it last checked in for policy updates.
Intune-managed devices sync with the service at regular intervals, typically every 8 hours for compliance policies and configuration profiles. However, users can manually trigger a sync from the Company Portal app or Settings. By checking the last sync time, you can determine if the device is checking in as expected. If the last sync time is recent but policies are still not applying, this indicates a different issue such as policy conflicts, targeting problems, or policy evaluation failures. If the last sync time is outdated, it suggests connectivity issues, certificate problems, or enrollment status issues.
The Intune admin center provides detailed information about each device’s sync status under Devices > All devices > [select device] > Hardware. Here you can see the last check-in time, compliance status, and whether any errors occurred during the last sync. This information helps you determine the next troubleshooting steps without making unnecessary changes to the device or user configuration.
A is correct because checking the last sync time is a non-invasive first step that provides valuable diagnostic information about device communication with Intune. B is incorrect because restarting services should be done after confirming basic connectivity and sync issues. C is incorrect because re-enrollment is a drastic step that should only be taken after exhausting other troubleshooting options. D is incorrect because local administrator rights are not required for devices to receive compliance policies from Intune.
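As an added example (not part of the original question set), the PowerShell below does the check from both ends: it lists devices whose last Intune check-in is older than a chosen threshold using Microsoft Graph PowerShell, and on the device itself reads the MDM client's own log and forces a sync. The threshold value is arbitrary; the module, log and scheduled-task names are the published ones.

```powershell
# Added example, not from the original page. Tenant side: list Windows devices whose
# last Intune check-in is older than a threshold (a chosen value). Device side: read the
# MDM client's own log and trigger a sync, the same action the Company Portal "Sync" performs.
# Requires the Microsoft.Graph.DeviceManagement module for the tenant-side function.

function Get-StaleIntuneDevices {
    param([int]$StaleAfterHours = 24)

    Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All' | Out-Null
    $now    = (Get-Date).ToUniversalTime()
    $cutoff = $now.AddHours(-$StaleAfterHours)

    Get-MgDeviceManagementManagedDevice -All |
        Where-Object {
            $_.OperatingSystem -eq 'Windows' -and
            $_.LastSyncDateTime -and $_.LastSyncDateTime.ToUniversalTime() -lt $cutoff
        } |
        Select-Object DeviceName, UserPrincipalName, ComplianceState, LastSyncDateTime,
            @{ n = 'HoursSinceSync'
               e = { [math]::Round(($now - $_.LastSyncDateTime.ToUniversalTime()).TotalHours, 1) } } |
        Sort-Object HoursSinceSync -Descending
}

function Get-LocalMdmSyncEvents {
    # Run on the device: each sync session, and any error it hit, is written to this log
    param([int]$Last = 20)
    Get-WinEvent -LogName 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin' `
                 -MaxEvents $Last |
        Select-Object TimeCreated, Id, LevelDisplayName,
            @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

function Start-LocalMdmSync {
    # The enrollment client registers one scheduled task per enrollment; starting it forces a check-in
    Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' `
                      -TaskName 'Schedule #3 created by enrollment client' |
        Start-ScheduledTask
}

# Tenant-side view: a recent LastSyncDateTime with a non-compliant state points at policy
# targeting or evaluation; a stale one points at connectivity, certificates or enrollment.
Get-StaleIntuneDevices -StaleAfterHours 24 | Format-Table -AutoSize
```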
Question 2:
Your organization wants to deploy a line-of-business (LOB) application to Windows 10 devices managed by Microsoft Intune. The application is packaged as an MSI file and requires specific command-line parameters during installation. What type of app should you add to Intune?
A) Microsoft Store app
B) Windows app (Win32)
C) Web link
D) Built-in app
Answer: B
Explanation:
When deploying line-of-business applications with specific installation requirements like custom command-line parameters, the Windows app (Win32) type is the appropriate choice in Microsoft Intune. This app type provides the most flexibility and control over application deployment, making it ideal for enterprise applications that require customized installation behavior.
Win32 apps in Intune are packaged using the Microsoft Win32 Content Prep Tool, which converts source files into the .intunewin format. This format allows you to package MSI files, EXE files, and their dependencies into a single package that Intune can manage. During the configuration process, you can specify custom installation and uninstallation commands, detection rules, return codes, and dependency relationships with other applications.
The Win32 app deployment method uses the Intune Management Extension, which must be installed on target devices. This extension runs as a service and handles the download, installation, and monitoring of Win32 applications. You can configure detailed detection rules using file existence, MSI product codes, registry keys, or custom PowerShell scripts to determine if the application is already installed. Additionally, Win32 apps support requirement rules based on operating system version, architecture, disk space, and other system attributes.
For MSI files specifically, you can leverage the built-in MSI metadata that Intune extracts, or you can override default installation commands with custom parameters. This is particularly useful when you need to perform silent installations with specific configurations, such as installing to custom directories, enabling specific features, or providing license keys through command-line switches.
A is incorrect because Microsoft Store apps are limited to applications available in the Microsoft Store and don’t support custom installation parameters. B is correct because Win32 apps provide full control over installation commands and parameters for MSI and EXE files. C is incorrect because web links simply provide shortcuts to web applications, not actual application installations. D is incorrect because built-in apps refer to native Windows applications that are already included with the operating system.
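As an added example (not from the original question set), here is a custom detection script of the kind the explanation mentions for a Win32 app, together with the matching silent MSI install command as a comment. The application name, version and paths are hypothetical placeholders.

```powershell
# Added example, not from the original page: custom detection script for an Intune
# Win32 app. Intune reads the result as: exit 0 AND text on STDOUT = detected;
# exit 0 with no output (or a non-zero exit) = not detected, so the install command runs.
# App name, minimum version and the install command below are hypothetical placeholders.

$AppName    = 'Contoso LOB Client'     # DisplayName as it appears in Apps & features
$MinVersion = [version]'4.2.0'         # oldest version still acceptable

# Install command configured on the same Win32 app (shown for reference):
#   msiexec.exe /i "ContosoClient.msi" /qn /norestart INSTALLDIR="C:\Program Files\Contoso" ^
#       /l*v "%ProgramData%\Contoso\install.log"

function Get-InstalledVersion {
    param([string]$DisplayName)
    # Check both the native and the WOW6432Node uninstall hives so the result does not
    # depend on whether Intune runs the script as a 32-bit or 64-bit process.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    foreach ($p in $paths) {
        $hit = Get-ItemProperty -Path $p -ErrorAction SilentlyContinue |
               Where-Object { $_.DisplayName -eq $DisplayName } |
               Select-Object -First 1
        if ($hit -and $hit.DisplayVersion) {
            try { return [version]$hit.DisplayVersion } catch { return $null }
        }
    }
    return $null
}

$installed = Get-InstalledVersion -DisplayName $AppName

if ($installed -and $installed -ge $MinVersion) {
    Write-Output "Detected $AppName $installed"   # STDOUT plus exit 0: Intune marks it installed
    exit 0
}

# Not installed or too old: say nothing and exit 0 so Intune treats the app as not detected
exit 0
```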
Question 3:
You need to configure Windows Update for Business policies using Microsoft Intune to ensure that quality updates are installed within 5 days of release, but feature updates are deferred for 60 days. Which update ring setting should you configure?
A) Quality update deferral period (days): 5, Feature update deferral period (days): 60
B) Quality update deferral period (days): 0, Feature update deferral period (days): 60, Quality update deadline (days): 5
C) Automatic update behavior: Auto install and restart at maintenance time
D) Feature update version: Select specific version with 60-day delay
Answer: B
Explanation:
Understanding the distinction between deferral periods and deadlines in Windows Update for Business is crucial for proper update management through Microsoft Intune. These settings work together to provide flexibility in how updates are deployed while ensuring compliance with organizational security requirements.
The deferral period specifies how long after Microsoft releases an update before it becomes available to your devices. When you set a quality update deferral period of 0 days, quality updates become available to devices immediately upon release from Microsoft. However, availability doesn’t mean immediate installation—it simply means the update is offered to the device.
The deadline setting determines how many days after an update becomes available that it must be installed on the device. By setting a quality update deadline of 5 days, you’re giving users a 5-day window from when the update becomes available to when it must be installed. If the update isn’t installed within this timeframe, Windows will force installation and restart, though you can configure additional grace periods for user convenience.
For feature updates, the 60-day deferral period means that feature updates won’t become available to your devices until 60 days after Microsoft releases them. This is a common practice that allows organizations to wait for early adopters to identify potential issues before widespread deployment. Feature updates represent major Windows version changes and typically require more extensive testing than quality updates.
This configuration balances security and stability: quality updates, which include security patches and bug fixes, are installed quickly to maintain security posture, while feature updates, which introduce new functionality and potential compatibility issues, are delayed to allow for proper testing and validation.
A is incorrect because setting quality update deferral to 5 days means updates won’t be available until 5 days after release, and there’s no enforcement mechanism to ensure installation. B is correct because it makes quality updates available immediately and enforces installation within 5 days, while deferring feature updates for 60 days. C is incorrect because it only controls installation behavior, not the timing of when updates are offered or must be installed. D is incorrect because version selection is different from deferral periods and doesn’t provide the flexible deadline approach.
Question 4:
Your organization uses Azure AD joined devices and wants to implement Windows Autopilot for new device deployments. Users should receive their devices pre-configured with corporate applications and settings without IT intervention. What is the first step you must complete?
A) Create an Autopilot deployment profile in Intune
B) Register device hardware IDs in the Autopilot service
C) Assign users to devices in Azure AD
D) Create a device configuration profile with corporate settings
Answer: B
Explanation:
Windows Autopilot deployment requires a specific sequence of configuration steps, and understanding this order is essential for successful implementation. The foundational requirement for any Autopilot deployment is registering device hardware identifiers in the Windows Autopilot deployment service, as this establishes which devices are eligible for automated provisioning.
Device hardware IDs consist of information that uniquely identifies each device, including the hardware hash, serial number, model, and manufacturer details. These identifiers can be obtained through several methods: directly from the OEM or reseller when purchasing devices, by using the Get-WindowsAutopilotInfo PowerShell script on existing devices, or through Microsoft Partner Center for organizations working with Cloud Solution Providers. Once collected, these hardware IDs are uploaded to the Autopilot service through the Intune admin center, PowerShell cmdlets, or Partner Center.
Registration creates the link between physical hardware and your organization’s tenant. Without this registration, when a device boots for the first time and connects to the internet during the out-of-box experience, it won’t recognize that it should follow your organization’s Autopilot deployment process. The device will proceed with the standard Windows setup experience instead of the customized Autopilot flow.
After hardware IDs are registered, you can then create Autopilot deployment profiles that define the configuration experience, assign these profiles to device groups, and configure additional elements like enrollment status pages, application assignments, and configuration policies. The registered devices automatically sync with Intune within 24 hours, though you can force immediate synchronization. Once devices appear in your Autopilot devices list, they’re ready to be deployed using your defined profiles.
A is incorrect because you cannot assign Autopilot profiles to devices that haven’t been registered yet—the profiles need target devices to apply to. B is correct because hardware ID registration is the prerequisite that enables all other Autopilot functionality. C is incorrect because user assignment is optional and comes after device registration, plus it’s often done through group-based assignment rather than individual assignment. D is incorrect because configuration profiles are applied after the Autopilot process begins, not before device registration.
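As an added example (not from the original question set), this script collects the hardware hash from the same WMI source the Get-WindowsAutopilotInfo script reads and writes the CSV layout the Intune admin center import expects. The output path and group tag are hypothetical placeholders; run it elevated on the device.

```powershell
# Added example, not from the original page: gather the Autopilot hardware hash from a
# device and write it in the CSV layout the Intune admin center import expects
# ("Device Serial Number,Windows Product ID,Hardware Hash[,Group Tag]"). It reads the same
# MDM bridge WMI class the Get-WindowsAutopilotInfo script uses. Run as administrator.
# The output path and the 'Sales' group tag are hypothetical placeholders.

function Get-AutopilotHwidRow {
    param([string]$GroupTag)

    $devDetail = Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' `
                                 -ClassName 'MDM_DevDetail_Ext01' `
                                 -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
    if (-not $devDetail) {
        throw 'Hardware hash not available: run elevated on a Windows 10/11 device.'
    }

    $row = [ordered]@{
        'Device Serial Number' = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber
        'Windows Product ID'   = ''      # optional column; the script leaves it empty too
        'Hardware Hash'        = $devDetail.DeviceHardwareData
    }
    if ($GroupTag) { $row['Group Tag'] = $GroupTag }   # optional, used for profile targeting
    [pscustomobject]$row
}

function Export-AutopilotHwid {
    param(
        [string]$Path = 'C:\HWID\AutopilotHWID.csv',   # placeholder output location
        [string]$GroupTag
    )
    $row = Get-AutopilotHwidRow -GroupTag $GroupTag
    New-Item -ItemType Directory -Path (Split-Path -Parent $Path) -Force | Out-Null

    # Plain CSV without the quotes ConvertTo-Csv adds, matching the script's output format
    ($row | ConvertTo-Csv -NoTypeInformation) -replace '"', '' |
        Set-Content -Path $Path -Encoding ASCII
    Get-Item $Path
}

# The resulting file is what gets uploaded under Devices > Windows enrollment > Devices
Export-AutopilotHwid -GroupTag 'Sales'
```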
Question 5:
You are configuring Conditional Access policies for your organization. You want to require multi-factor authentication (MFA) only when users access Microsoft 365 services from locations outside the corporate network. Which conditions should you configure in the policy?
A) Cloud apps: All cloud apps, Locations: Any location, Grant control: Require MFA
B) Cloud apps: Office 365, Locations: All trusted locations (excluded), Grant control: Require MFA
C) Cloud apps: Office 365, Device state: Compliant devices (excluded), Grant control: Require MFA
D) Cloud apps: Office 365, Sign-in risk: High, Grant control: Require MFA
Answer: B
Explanation:
Conditional Access policies in Azure AD provide granular control over how users access organizational resources based on various signals including user identity, location, device state, application, and risk level. Understanding how to properly combine conditions and controls is essential for implementing effective security policies without unnecessarily impacting user productivity.
The scenario requires MFA specifically for external access to Microsoft 365 services, which means you need to define both the target applications and the locations where the policy should apply. For cloud apps, selecting Office 365 ensures the policy applies to all Microsoft 365 services including Exchange Online, SharePoint Online, Teams, and other integrated applications. This is more precise than selecting “All cloud apps,” which would include non-Microsoft 365 applications and might have unintended consequences.
The key to this configuration is properly using location conditions with exclusions. First, you must define named locations in Azure AD that represent your corporate network—these could be specific IP address ranges or countries. These named locations should be marked as “trusted locations.” In your Conditional Access policy, you configure the location condition to target “Any location” but then exclude “All trusted locations.” This logical structure means the policy will only trigger when users access from locations that are NOT in your trusted list, which represents external or untrusted access.
This approach is more maintainable than trying to specify every possible external location, which would be impossible given the dynamic nature of internet access. By defining what you trust and excluding it, you effectively create a policy that catches everything else. When a user connects from within the corporate network (a trusted location), the policy doesn’t apply and they aren’t prompted for MFA. When they connect from home, a coffee shop, or while traveling, the policy triggers and requires MFA before granting access.
A is incorrect because targeting “Any location” without exclusions means MFA would be required even from trusted corporate networks, which doesn’t match the requirement. B is correct because it precisely targets Office 365 access from non-corporate locations by excluding trusted locations. C is incorrect because device compliance state is a different signal than location and doesn’t address the geographic access requirement. D is incorrect because sign-in risk is based on identity protection signals, not location, and would trigger based on suspicious behavior rather than geographic access patterns.
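As an added example (not from the original question set), the following Microsoft Graph PowerShell creates the trusted named location and the policy structure the explanation describes: Office 365 as the app, any location with all trusted locations excluded, and MFA as the grant control. The IP range, display names and the break-glass group ID are hypothetical placeholders, and the policy is created in report-only mode so its effect can be reviewed in the sign-in logs before enforcement.

```powershell
# Added example, not from the original page: build the named location and the
# Conditional Access policy described above with Microsoft Graph PowerShell
# (Microsoft.Graph.Identity.SignIns module). The IP range, display names and the
# excluded group ID are hypothetical placeholders.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All' | Out-Null

# 1. Named location for the corporate egress range, marked as trusted
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Corporate network (HQ egress)'
    isTrusted     = $true
    ipRanges      = @(
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = '203.0.113.0/24' }  # placeholder
    )
}

# 2. Policy: Office 365, include any location, exclude all trusted locations, require MFA.
#    'All' / 'AllTrusted' / 'Office365' / 'mfa' are the Graph values behind the portal options.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'CA - Require MFA for Office 365 from outside the corporate network'
    state       = 'enabledForReportingButNotEnforced'   # report-only first; set 'enabled' after review
    conditions  = @{
        users        = @{
            includeUsers  = @('All')
            excludeGroups = @('<break-glass-group-object-id>')   # placeholder: emergency access accounts
        }
        applications = @{ includeApplications = @('Office365') }
        locations    = @{
            includeLocations = @('All')
            excludeLocations = @('AllTrusted')
        }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

# 3. Read back what was created
Get-MgIdentityConditionalAccessNamedLocation -NamedLocationId $location.Id | Select-Object DisplayName, Id
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id | Select-Object DisplayName, State
```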
Question 6:
Your organization has deployed Microsoft Defender for Endpoint. You need to configure attack surface reduction (ASR) rules to block executable content from email clients and webmail. What should you do in the Microsoft Endpoint Manager admin center?
A) Create an Endpoint security policy for Attack surface reduction and select the appropriate rule
B) Create a Device configuration profile with Endpoint protection settings
C) Configure Windows Defender Antivirus policy with real-time protection enabled
D) Create a compliance policy that checks for ASR rule configuration
Answer: A
Explanation:
Attack surface reduction rules are a critical component of Microsoft Defender for Endpoint that help prevent common attack vectors used by malware and malicious applications. These rules are specifically designed to reduce the ways attackers can compromise devices by blocking behaviors commonly associated with malicious activity while minimizing impact on legitimate business operations.
The scenario specifically requires blocking executable content from email clients and webmail, which is one of the predefined ASR rules available in Microsoft Defender for Endpoint. This rule prevents Outlook, webmail providers, and other email applications from executing or launching executable files, scripts, and other potentially dangerous content. This is particularly important because email remains one of the most common attack vectors, with attackers frequently using email attachments or embedded links to deliver malware.
In the Microsoft Endpoint Manager admin center, ASR rules are configured through Endpoint security policies rather than traditional device configuration profiles. While both policy types can configure security settings, Endpoint security policies provide a more streamlined, security-focused interface specifically designed for security administrators. The Attack surface reduction policy type contains all available ASR rules with clear descriptions and configuration options.
When creating an Attack surface reduction policy, you’ll find rules organized by category. Each rule can be configured with different modes: Not configured (default), Block (prevents the action), Audit (logs the action but doesn’t prevent it), Warn (prompts the user), or Disable (turns off the rule). For production deployment, it’s recommended to first deploy rules in Audit mode to understand potential impact on legitimate business processes, then move to Block mode after validating that business workflows won’t be disrupted.
The specific rule for this scenario is “Block executable content from email client and webmail.” Once configured and assigned to device groups, this rule will be enforced by Microsoft Defender for Endpoint on all targeted devices, providing consistent protection across the organization.
A is correct because Endpoint security policies for Attack surface reduction are the dedicated method for configuring ASR rules with the most straightforward interface. B is incorrect because while Device configuration profiles can configure some security settings, ASR rules are better managed through Endpoint security policies. C is incorrect because Windows Defender Antivirus policy controls malware scanning and real-time protection, not ASR rules. D is incorrect because compliance policies check device state but don’t actually configure ASR rules.
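As an added example (not from the original question set), this script is run on a managed device to confirm that the "Block executable content from email client and webmail" rule arrived in the expected mode and to summarise what it audited or blocked, which is the review step between Audit and Block that the explanation recommends. The GUID is Microsoft's published identifier for that rule; the look-back window is a chosen value.

```powershell
# Added example, not from the original page: on a managed device, confirm the
# "Block executable content from email client and webmail" ASR rule is present in the
# expected mode, then list what it audited or blocked so Audit results can be reviewed
# before the Intune policy is switched to Block. The GUID is Microsoft's published rule ID.

$EmailExecRule = 'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'
$AsrActionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleMode {
    param([string]$RuleId)
    # Get-MpPreference exposes the effective rule list and a parallel array of actions
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $RuleId) {
            $code = [int]$acts[$i]
            if ($AsrActionName.ContainsKey($code)) { return $AsrActionName[$code] }
            return "Unknown ($code)"
        }
    }
    return 'Not configured'
}

function Get-AsrRuleEvents {
    param([string]$RuleId, [int]$Days = 7)
    # Defender writes ASR hits to its Operational log: event 1121 = blocked, 1122 = audited
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($RuleId) } |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Mode    = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
                Path    = [regex]::Match($_.Message, '(?m)^\s*Path:\s*(.+?)\s*$').Groups[1].Value
                Process = [regex]::Match($_.Message, '(?m)^\s*Process Name:\s*(.+?)\s*$').Groups[1].Value
            }
        }
}

"Rule $EmailExecRule is in mode: $(Get-AsrRuleMode -RuleId $EmailExecRule)"

# Group hits by the launched path: anything legitimate here needs an exclusion or a
# business-process change before the rule moves from Audit to Block.
Get-AsrRuleEvents -RuleId $EmailExecRule |
    Group-Object Path | Sort-Object Count -Descending |
    Select-Object Count, Name
```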
Question 7:
You manage Windows 11 devices using Microsoft Intune. A department requires access to a legacy application that only runs on Windows 10. You need to provide this access while maintaining security and management. What solution should you implement?
A) Downgrade the Windows 11 devices to Windows 10
B) Deploy Windows 365 Cloud PCs with Windows 10 to the department
C) Use application compatibility mode on Windows 11
D) Create a separate Intune tenant for Windows 10 devices
Answer: B
Explanation:
When organizations face application compatibility challenges between different Windows versions, they need solutions that provide access to required applications without compromising security, management, or user experience. Windows 365 Cloud PCs offer an ideal solution for scenarios where specific users need access to different Windows versions or configurations while maintaining centralized management and security.
Windows 365 is Microsoft’s cloud-based service that provides dedicated Cloud PCs to users, delivering a full Windows desktop experience through any device with internet connectivity. Each Cloud PC is a personal virtual machine running in Microsoft’s cloud infrastructure, providing consistent performance and access to Windows applications regardless of the endpoint device being used. For this scenario, you can provision Windows 10 Cloud PCs specifically for the department that requires the legacy application.
This approach offers several advantages over other solutions. First, it allows the organization to maintain Windows 11 as the standard physical desktop operating system while providing Windows 10 access only where needed. Second, Cloud PCs are fully manageable through Microsoft Endpoint Manager just like physical devices, meaning you can apply the same security policies, compliance requirements, and application deployments. Third, users can access their Cloud PC from any device including their existing Windows 11 computers, tablets, or even personal devices, providing flexibility without sacrificing security.
Windows 365 Cloud PCs are provisioned based on licensing and can be sized appropriately for the workload requirements. They support integration with Azure AD, on-premises Active Directory through Azure AD Connect, and can access network resources through Azure networking or Windows 365 Gateway. The service includes automatic updates, backups, and disaster recovery capabilities, reducing the management burden on IT teams.
For legacy application scenarios specifically, Cloud PCs eliminate the need to maintain outdated operating systems on physical hardware, which can pose security risks and complicate patch management. Instead, you can maintain a secure, updated Windows 10 environment in the cloud specifically for legacy application access while continuing to modernize physical endpoints.
A is incorrect because downgrading Windows 11 to Windows 10 is complex, unsupported, and moves backward on the modernization path without addressing future scalability. B is correct because Windows 365 Cloud PCs provide a managed, secure solution for running Windows 10 applications without impacting the primary Windows 11 deployment. C is incorrect because compatibility mode has limited effectiveness and won’t resolve all application compatibility issues, especially for applications with kernel-mode components or strict OS version checks. D is incorrect because creating separate tenants introduces management complexity, licensing issues, and doesn’t solve the fundamental compatibility problem.
Question 8:
You are implementing co-management for Configuration Manager-managed devices. You want to move the Compliance policies workload to Intune while keeping other workloads with Configuration Manager. What should you configure in the Configuration Manager console?
A) Enable co-management and move the Compliance policies slider to Intune
B) Create a new collection and deploy Intune policies to it
C) Configure cloud attach and enable co-management tenant attach
D) Deploy the Configuration Manager client with Intune enrollment parameters
Answer: A
Explanation:
Co-management enables organizations to simultaneously manage Windows devices using both Configuration Manager and Microsoft Intune, providing a gradual transition path from traditional on-premises management to modern cloud-based management. Understanding how to configure and adjust co-management workload sliders is essential for administrators managing hybrid environments.
Co-management supports eight distinct workloads that can be controlled independently: Compliance policies, Device configuration, Endpoint Protection, Resource access policies, Client apps, Office Click-to-Run apps, Windows Update policies, and Defender for Endpoint. Each workload has a slider control in the Configuration Manager console that determines which management system has authority for that particular area. The slider has three positions: Configuration Manager (workload remains on-premises), Pilot Intune (workload moves to Intune for a specific pilot collection), and Intune (workload moves to Intune for all co-managed devices).
For the scenario described, you need to enable co-management first if it isn’t already enabled, which involves configuring the connection to your Intune tenant, defining which devices should be co-managed, and enabling automatic enrollment into Intune for Configuration Manager clients. Once co-management is enabled, devices appear in both the Configuration Manager console and the Intune admin center.
After enabling co-management, you access the workload sliders through the Co-management properties in the Configuration Manager console under Administration > Cloud Services > Co-management. For the Compliance policies workload specifically, moving the slider from Configuration Manager to Intune transfers authority for defining and evaluating device compliance. This means compliance policies configured in Intune will be applied to co-managed devices, while Configuration Manager compliance baselines will no longer apply. Other workloads remain under Configuration Manager control unless you explicitly move their sliders.
This granular control allows organizations to adopt cloud management capabilities progressively, moving workloads to Intune as they develop the necessary policies and configurations, without requiring a complete cutover. You can test each workload with pilot collections before moving them to production for all devices.
A is correct because using the co-management workload slider is the proper method to transfer the Compliance policies workload to Intune while maintaining other workloads in Configuration Manager. B is incorrect because collections are used for targeting but don’t themselves enable co-management or move workloads between management systems. C is incorrect because tenant attach is a different feature that extends Configuration Manager with cloud capabilities but doesn’t move workloads to Intune. D is incorrect because client deployment is part of enabling co-management initially but doesn’t control workload authority.
Question 9:
Your organization requires that all Windows 10 devices must have BitLocker encryption enabled before they are marked as compliant in Intune. How should you configure this requirement?
A) Create a device compliance policy with BitLocker encryption required setting enabled
B) Create a device configuration profile with Endpoint protection template and enable BitLocker
C) Deploy a PowerShell script that enables BitLocker on all devices
D) Create a Windows Update for Business policy with security settings
Answer: A
Explanation:
Understanding the distinction between compliance policies and configuration policies in Microsoft Intune is fundamental to proper device management and security enforcement. Compliance policies define the requirements that devices must meet to be considered compliant with organizational standards, while configuration policies actually apply settings to devices to bring them into the desired state.
For the scenario described, the requirement is to mark devices as non-compliant if BitLocker encryption is not enabled. This is precisely what compliance policies are designed to do—they evaluate device state against defined requirements and report compliance status to Intune and Azure AD. A device compliance policy can check for numerous security settings including BitLocker encryption, password requirements, antivirus status, operating system versions, and more.
When you create a compliance policy in Intune and enable the “Require BitLocker” setting under the System Security section, Intune will evaluate each device to determine if BitLocker is enabled on the system drive. If BitLocker is not enabled, the device will be marked as non-compliant. This compliance status can then be used in several ways: generating compliance reports, sending notifications to users, triggering automated remediation actions, or enforcing access restrictions through Conditional Access policies that require compliant devices.
Compliance policies don’t actually enable BitLocker themselves—they only check if it’s enabled. If you also want Intune to automatically enable BitLocker on devices, you would deploy both a compliance policy to check for BitLocker and a configuration policy to enable it. However, the question specifically asks about the requirement that devices “must have” BitLocker enabled to be compliant, which is a compliance checking function, not a configuration function.
Device compliance status integrates with Conditional Access, allowing you to create policies that block access to corporate resources from non-compliant devices. This creates a powerful security framework where devices must meet your encryption requirements before users can access sensitive data like email, SharePoint, or other cloud applications.
A is correct because device compliance policies are specifically designed to evaluate and report on whether devices meet security requirements like BitLocker encryption. B is incorrect because while configuration profiles can enable BitLocker, they don’t mark devices as compliant or non-compliant based on encryption status. C is incorrect because PowerShell scripts can enable BitLocker but don’t integrate with Intune’s compliance framework or reporting. D is incorrect because Windows Update policies manage update deployment, not encryption requirements or compliance evaluation.
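As an added example (not from the original question set), the script below separates the two functions the explanation distinguishes: a check of the OS drive that mirrors what a compliance evaluation looks at, and a remediation that actually enables BitLocker and escrows the recovery key to Azure AD. The remediation assumes a TPM-equipped, Azure AD joined device and is only called out, not run, when the check fails.

```powershell
# Added example, not from the original page: the check a compliance policy performs
# (is the OS drive protected by BitLocker?) kept separate from the configuration step
# that turns BitLocker on and escrows the recovery key to Azure AD.
# Assumes a device with a TPM that is Azure AD joined; run elevated.

function Test-OsDriveBitLocker {
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    [pscustomobject]@{
        Drive             = $vol.MountPoint
        ProtectionStatus  = $vol.ProtectionStatus     # On / Off
        VolumeStatus      = $vol.VolumeStatus         # FullyEncrypted, EncryptionInProgress, FullyDecrypted
        EncryptionMethod  = $vol.EncryptionMethod
        Protectors        = ($vol.KeyProtector.KeyProtectorType -join ', ')
        RecoveryKeyExists = [bool]($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        # What "must have BitLocker enabled" resolves to for the system drive
        Compliant         = ($vol.ProtectionStatus -eq 'On' -and $vol.VolumeStatus -eq 'FullyEncrypted')
    }
}

function Enable-OsDriveBitLocker {
    # Remediation (configuration, not compliance): TPM protector, then a recovery password
    # that is backed up to Azure AD before the device is left with encryption running.
    $drive = $env:SystemDrive
    if ((Get-BitLockerVolume -MountPoint $drive).ProtectionStatus -eq 'On') { return 'Already protected' }

    Enable-BitLocker -MountPoint $drive -EncryptionMethod XtsAes256 -UsedSpaceOnly `
                     -TpmProtector -SkipHardwareTest | Out-Null
    Add-BitLockerKeyProtector -MountPoint $drive -RecoveryPasswordProtector | Out-Null

    $rp = (Get-BitLockerVolume -MountPoint $drive).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
    BackupToAAD-BitLockerKeyProtector -MountPoint $drive -KeyProtectorId $rp.KeyProtectorId | Out-Null
    'Encryption started; recovery key escrowed to Azure AD'
}

$state = Test-OsDriveBitLocker
$state
if (-not $state.Compliant) {
    'Device would be marked non-compliant. Remediate with Enable-OsDriveBitLocker or an Intune BitLocker configuration profile.'
}
```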
Question 10:
You need to configure Microsoft Intune to automatically enroll Windows 11 devices when users join them to Azure AD. The devices should receive corporate policies immediately after enrollment. What should you configure?
A) Enable MDM auto-enrollment in Azure AD for All or selected user groups
B) Create a device enrollment manager (DEM) account
C) Configure Windows Autopilot deployment profiles
D) Enable MAM auto-enrollment for user devices
Answer: A
Explanation:
Automatic enrollment in Microsoft Intune provides a seamless experience where devices are enrolled in mobile device management immediately when users join them to Azure AD, without requiring separate enrollment steps. This integration between Azure AD and Intune creates an efficient onboarding process that ensures devices are managed and protected from the moment they join the organization’s directory.
MDM auto-enrollment is configured in the Azure AD portal under Mobility (MDM and MAM) settings, where you can connect Azure AD to your Microsoft Intune tenant. Once configured, you have three scope options for auto-enrollment: None (disables auto-enrollment), Some (applies to specific Azure AD groups), or All (applies to all users). When auto-enrollment is enabled for a user, any device they join to Azure AD will automatically trigger enrollment into Intune.
The enrollment process happens automatically in the background during the Azure AD join operation. When a user performs an Azure AD join—whether during the out-of-box experience on a new device, through Settings on an existing device, or as part of an Autopilot deployment—the system checks if MDM auto-enrollment is enabled for that user. If it is, the device immediately enrolls in Intune and begins receiving policies, applications, and configurations assigned to the device or user.
This automatic enrollment is particularly powerful because it ensures no managed devices exist without being properly configured and secured. Once enrolled, the device immediately receives any assigned compliance policies, configuration profiles, security baselines, and applications. The Enrollment Status Page can be configured to track this policy delivery and prevent users from accessing the desktop until critical policies and applications are installed, ensuring security is maintained from the first moment of device use.
Auto-enrollment works for both personal devices that users join to Azure AD and corporate-owned devices. For corporate devices, this is often combined with Windows Autopilot for a complete zero-touch deployment experience where devices are shipped directly to users and automatically configure themselves without IT intervention.
A is correct because MDM auto-enrollment in Azure AD is the proper mechanism to automatically enroll devices in Intune when they are Azure AD joined. B is incorrect because Device Enrollment Manager accounts are used for bulk enrollment scenarios where one account enrolls many devices, not for automatic user-driven enrollment. C is incorrect because while Autopilot can include enrollment, it’s a broader deployment solution and isn’t required for basic auto-enrollment—you need to enable MDM auto-enrollment first regardless of whether you use Autopilot. D is incorrect because MAM (Mobile Application Management) auto-enrollment is for managing applications without full device management, not for enrolling devices into MDM.
Question 11:
You are deploying a Windows 11 feature update to managed devices using Windows Update for Business deployment service in Intune. You want to ensure that devices in the Sales department receive the update before other departments. What should you do?
A) Create a feature updates policy targeting the Sales group with an earlier start date
B) Configure a deployment ring with higher priority for Sales devices
C) Enable expedited updates for the Sales department
D) Set a shorter quality update deferral period for Sales devices
Answer: A
Explanation:
Windows Update for Business deployment service in Microsoft Intune provides granular control over feature update deployment through policy-based management. Understanding how to stage deployments across different organizational groups is essential for minimizing risk and ensuring smooth update rollouts while maintaining business continuity.
Feature updates policies in Intune allow administrators to specify which Windows version should be deployed to targeted devices and control the timing of that deployment. When you create a feature updates policy, you can specify the target Windows version, deployment start date, and assignment to specific Azure AD groups. By creating separate policies for different organizational groups with staggered start dates, you effectively create a phased deployment approach.
For this scenario, you would create a feature updates policy specifically targeting the Sales department group with an immediate or earlier start date. This policy ensures that Sales devices begin receiving and installing the feature update first. After allowing time for the Sales deployment to complete and verifying that no critical issues have emerged, you would then create additional feature updates policies targeting other departments with later start dates. This staged approach allows you to use the Sales department as an early validation group before broader organizational deployment.
The deployment service handles the actual delivery and installation scheduling, respecting maintenance windows and user settings while ensuring devices progress toward the target version. You can monitor deployment progress through the Windows feature update report in Intune, which shows how many devices have successfully updated, how many are in progress, and which devices have encountered errors.
This phased deployment strategy is particularly valuable for feature updates because they represent significant version changes that may impact line-of-business applications or workflows. By deploying to a subset of users first, you can identify and resolve compatibility issues before they affect the entire organization. If critical issues are discovered during the Sales deployment, you can pause or cancel the additional policies before rolling out more broadly.
A is correct because creating separate feature updates policies with different start dates for different groups provides precise control over phased deployment timing. B is incorrect because deployment rings are a Windows Update for Business concept related to automatic update channels, not the policy-based deployment service in Intune. C is incorrect because expedited updates are for critical out-of-band security updates, not standard feature update phasing. D is incorrect because quality update deferral periods control monthly security updates, not feature update deployment sequencing.
Question 12:
Your organization uses Microsoft Intune to manage iOS devices. Users report that they cannot install a required line-of-business iOS app from the Company Portal. The app was added to Intune as a required app for their user group. What is the most likely cause?
A) The iOS app provisioning profile has expired
B) The devices are not enrolled in Apple Business Manager
C) The Company Portal app needs to be updated
D) The devices do not have sufficient storage space
Answer: A
Explanation:
iOS line-of-business application deployment through Microsoft Intune requires proper code signing and provisioning profiles to ensure applications can be installed and executed on managed devices. Understanding the iOS app distribution mechanism and common failure points is critical for successful enterprise iOS app management.
iOS apps distributed outside the App Store must be code-signed with an Apple Developer certificate and include a provisioning profile that authorizes specific devices to run the application. The provisioning profile contains the App ID, authorized device identifiers or wildcards, entitlements the app is allowed to use, and an expiration date. When distributing enterprise apps through Intune, you upload both the IPA file and the associated provisioning profile.
Provisioning profiles have defined lifespans, typically one year for development profiles and up to three years for enterprise distribution profiles. When a provisioning profile expires, iOS devices will refuse to install the application because they cannot verify that the app is authorized to run on that device. This is a security measure Apple implements to ensure only properly authorized applications execute on iOS devices.
When users attempt to install an app with an expired provisioning profile, the installation fails, and they typically see generic error messages in the Company Portal indicating the app could not be installed. From Intune’s perspective, the deployment may show as failed or pending on affected devices. The resolution requires generating a new provisioning profile in the Apple Developer portal with an extended expiration date, then updating the app in Intune by uploading the new IPA file with the refreshed provisioning profile.
Organizations should implement processes to track provisioning profile expiration dates and proactively renew profiles before they expire to avoid service disruptions. Some organizations maintain spreadsheets of app provisioning profiles and expiration dates, while others use automated monitoring solutions that alert administrators when profiles are approaching expiration.
A is correct because expired provisioning profiles are the most common cause of line-of-business iOS app installation failures when apps are properly assigned as required. B is incorrect because Apple Business Manager enrollment is not required for line-of-business app distribution through Intune, though it provides additional capabilities for App Store apps. C is incorrect because Company Portal updates don’t typically prevent app installation, and Intune manages app deployment independently of the Company Portal version. D is incorrect because while storage space can prevent installations, the question states this is affecting all users with the required app assignment, suggesting a systematic issue rather than individual device storage problems.
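The expiry tracking the explanation recommends can be automated. The Go program below is an added example written for this page, not Intune or Apple tooling: it pulls the plist out of a .mobileprovision file, reads Name, UUID, ProvisionsAllDevices and ExpirationDate, and classifies the profile against a warning threshold. The wrapper bytes, the Contoso names, the UUID and the dates are constructed for the example.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"errors"
	"io"
	"strings"
	"time"
)

// ProfileInfo is the subset of provisioning-profile fields an expiry tracker needs.
type ProfileInfo struct {
	Name, UUID string
	Expires    time.Time
	Enterprise bool // ProvisionsAllDevices: true for in-house (enterprise) distribution
}

// topLevelValues collects the scalar values of the profile's own (depth-1) plist keys;
// nested containers (the Entitlements dict, the ProvisionedDevices array) are skipped.
func topLevelValues(plist []byte) (map[string]string, error) {
	vals, dec := map[string]string{}, xml.NewDecoder(bytes.NewReader(plist))
	depth, key, elem := 0, "", ""
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return vals, nil
		} else if err != nil {
			return nil, err
		}
		switch t := tok.(type) {
		case xml.StartElement:
			elem = t.Name.Local
			if elem == "dict" || elem == "array" {
				depth++
			} else if depth == 1 && (elem == "true" || elem == "false") {
				vals[key] = elem // booleans are empty elements carrying no text
			}
		case xml.EndElement:
			if t.Name.Local == "dict" || t.Name.Local == "array" {
				depth--
			}
		case xml.CharData:
			text := strings.TrimSpace(string(t))
			if depth != 1 || text == "" {
				continue // whitespace, or a value inside a nested container
			}
			if elem == "key" {
				key = text
			} else {
				vals[key] = text // <string>, <date> or <integer> value of the last key
			}
		}
	}
}

// parseProfile extracts and parses the plist. A .mobileprovision is CMS (PKCS#7)
// SignedData whose content is the plist, so the XML sits in the file as one contiguous
// range. Apple's signature is not verified here (macOS: `security cms -D -i <file>`).
func parseProfile(raw []byte) (ProfileInfo, error) {
	start, end := bytes.Index(raw, []byte("<?xml")), bytes.Index(raw, []byte("</plist>"))
	if start < 0 || end < start {
		return ProfileInfo{}, errors.New("no embedded plist found")
	}
	vals, err := topLevelValues(raw[start : end+len("</plist>")])
	if err != nil {
		return ProfileInfo{}, err
	}
	exp, err := time.Parse(time.RFC3339, vals["ExpirationDate"])
	if err != nil {
		return ProfileInfo{}, errors.New("ExpirationDate missing or malformed")
	}
	return ProfileInfo{Name: vals["Name"], UUID: vals["UUID"], Expires: exp,
		Enterprise: vals["ProvisionsAllDevices"] == "true"}, nil
}

// status classifies a profile for an expiry report as "expired", "expiring" (within
// warnDays) or "ok", and returns the whole days remaining (negative once expired).
func status(p ProfileInfo, now time.Time, warnDays int) (string, int) {
	days := int(p.Expires.Sub(now).Hours() / 24)
	switch {
	case now.After(p.Expires):
		return "expired", days
	case days <= warnDays:
		return "expiring", days
	}
	return "ok", days
}

// sampleProfile is a constructed stand-in for a .mobileprovision file: wrapper bytes
// around a plist with invented values (not a real profile, and not signed).
var sampleProfile = append(append([]byte{0x30, 0x82, 0x1a, 0x06, 0x09, 0x2a}, []byte(`<?xml version="1.0"?>
<plist version="1.0"><dict>
  <key>Name</key><string>Contoso Field App In-House</string>
  <key>UUID</key><string>00000000-0000-4000-8000-000000000001</string>
  <key>ProvisionsAllDevices</key><true/>
  <key>Entitlements</key><dict><key>get-task-allow</key><false/></dict>
  <key>ExpirationDate</key><date>2024-01-15T09:30:00Z</date>
</dict></plist>`)...), 0x31, 0x82, 0x00)
```

Run the same check over every profile uploaded to Intune on a schedule and alert on "expiring" well before the date, so a renewed IPA can be uploaded ahead of the installation failures described above.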
Question 13:
You manage Android Enterprise devices using Microsoft Intune. You need to prevent users from taking screenshots of corporate data in managed applications. What type of Android Enterprise enrollment should you use?
A) Android Enterprise work profile
B) Android Enterprise fully managed
C) Android Enterprise dedicated devices
D) Android device administrator
Answer: B
Explanation:
Android Enterprise provides multiple enrollment scenarios designed for different device ownership models and security requirements. Understanding the capabilities and limitations of each enrollment type is essential for selecting the appropriate management approach based on organizational security policies and user privacy considerations.
Android Enterprise fully managed enrollment is designed for corporate-owned devices where the organization requires complete control over the device. In this enrollment mode, the entire device is enrolled and managed by Intune, not just a separate work profile. This provides the highest level of management capability and security control, including the ability to enforce policies that apply system-wide across all applications and data on the device.
One of the key security capabilities available only in fully managed mode is the ability to prevent screenshots within managed applications or even across the entire device. This is accomplished through app configuration policies and app protection policies that set flags preventing the Android operating system from allowing screenshot capture. This capability is crucial for organizations handling sensitive information in industries like healthcare, finance, or legal services where data leakage through screenshots poses significant compliance and security risks.
In contrast, Android Enterprise work profile enrollment creates a separate, encrypted container on the device for corporate applications and data while leaving the personal portion of the device unmanaged. This profile separation provides user privacy by ensuring IT cannot control or see personal apps and data. However, this separation also limits IT’s ability to enforce device-wide policies like screenshot prevention. While you can prevent screenshots within the work profile, users can still take screenshots of personal apps, and the system-wide restrictions available in fully managed mode are not available.
The screenshot prevention policy works by setting the FLAG_SECURE window flag for managed applications, which instructs the Android operating system to prevent screen capture, recording, and viewing on non-secure displays. When users attempt to take a screenshot in a protected app, they see a message indicating that screenshots are not permitted by the organization.
A is incorrect because work profile enrollment cannot enforce device-wide screenshot prevention due to the separation between work and personal profiles, though it can prevent screenshots within work apps specifically. B is correct because fully managed enrollment provides the system-level control necessary to enforce screenshot prevention policies across managed applications. C is incorrect because dedicated devices are designed for single-purpose scenarios like kiosks or digital signage, not general user device management. D is incorrect because Android device administrator is a deprecated management method with limited security capabilities and should not be used for new deployments.
Question 14:
You need to deploy Microsoft Edge browser settings to Windows 10 devices managed by Intune. Users should not be able to modify the home page URL, which must be set to your organization’s intranet portal. What should you create in Intune?
A) Administrative Templates profile with Microsoft Edge settings configured
B) Device restrictions profile with browser settings
C) App configuration policy for Microsoft Edge
D) Custom OMA-URI profile with Edge registry settings
Answer: A
Explanation:
Microsoft Edge browser management through Intune leverages Administrative Templates, which provide access to hundreds of group policy settings that control browser behavior, security, and user experience. Understanding how to properly configure and deploy these settings is essential for maintaining consistent browser configurations across managed devices while enforcing organizational security policies.
Administrative Templates in Intune are based on ADMX files, which are XML files that define group policy settings. These templates include extensive settings for Microsoft Edge, covering features like homepage configuration, extension management, security policies, privacy controls, and authentication settings. When you create an Administrative Templates profile in Intune, you can browse through categorized settings or search for specific policies by name.
For the homepage scenario, you would create an Administrative Templates profile and navigate to the Microsoft Edge settings category. Within these settings, you would find policies like “Configure the home page URL” which allows you to specify the URL, and “Prevent changes to the home page” or similar enforcement settings that prevent users from modifying the configured homepage. By configuring both settings in the same profile, you ensure users see your organization’s intranet portal as their homepage and cannot change it.
Administrative Templates support different configuration states for each policy: Not configured (leaves the setting at default or previously configured value), Enabled (turns on the policy and allows configuration of policy parameters), and Disabled (explicitly turns off the policy). For enforcing settings like the homepage, you would enable the relevant policies and provide the required configuration values. The profile is then assigned to device or user groups, and settings are applied during the next device sync with Intune.
These settings are particularly powerful because they integrate with Microsoft Edge’s enterprise policy framework, which distinguishes between mandatory policies set by administrators and user preferences. When administrative policies are configured, the relevant settings appear grayed out or locked in the browser’s settings interface, clearly indicating to users that these settings are managed by their organization and cannot be changed.
A is correct because Administrative Templates provide the appropriate framework for configuring and enforcing Microsoft Edge browser settings including homepage configuration. B is incorrect because device restrictions profiles focus on device-level settings like camera access and Bluetooth rather than application-specific configuration like browser settings. C is incorrect because app configuration policies are primarily used for mobile apps and don’t provide the comprehensive Edge settings management available through Administrative Templates. D is incorrect because while custom OMA-URI profiles can configure some settings, Administrative Templates provide a more user-friendly interface with built-in validation for Edge settings without requiring knowledge of specific registry paths.
Question 15:
Your organization wants to implement passwordless authentication for Azure AD joined Windows 11 devices. Users should authenticate using biometrics or PIN without requiring a traditional password. What should you enable?
A) Windows Hello for Business
B) Microsoft Authenticator app passwordless authentication
C) FIDO2 security keys
D) Azure AD password protection
Answer: A
Explanation:
Windows Hello for Business is Microsoft’s enterprise implementation of passwordless authentication that replaces traditional passwords with strong two-factor authentication using biometric identification or PINs tied to specific devices. Understanding how Windows Hello for Business integrates with Azure AD and provides secure, convenient authentication is essential for modern identity management strategies.
Windows Hello for Business uses asymmetric cryptography to create a strong credential bound to the device and protected by biometric authentication or a device-specific PIN. During enrollment, Windows Hello creates a cryptographic key pair where the private key never leaves the device and is protected by the device’s Trusted Platform Module or software-based protection. The public key is registered with Azure AD and associated with the user’s account. When the user authenticates, they prove possession of the private key by signing a challenge from Azure AD, verified using the registered public key.
The biometric authentication component uses fingerprint readers, facial recognition cameras, or iris scanners to verify user identity before unlocking access to the private key. This provides convenience similar to consumer biometric authentication while maintaining enterprise security requirements. If biometric hardware is not available, users can authenticate using a PIN, which is more secure than traditional passwords because it is device-specific, protected by hardware, and includes anti-hammering protection that prevents brute force attacks.
Windows Hello for Business is configured through Intune policies that control enrollment requirements, PIN complexity, biometric settings, and whether users are required to use Windows Hello. The policy can be deployed to Azure AD joined or hybrid Azure AD joined devices. Once configured and enrolled, users sign into Windows using their biometric or PIN, which unlocks access to Azure AD resources without requiring a traditional password at any point in the authentication flow.
This passwordless approach provides significant security benefits over traditional passwords: credentials cannot be phished because they never leave the device, passwords cannot be reused across services, and the strong cryptographic authentication is resistant to common attack methods such as credential stuffing and password spray attacks. Additionally, users benefit from faster, more convenient authentication without needing to remember and regularly change complex passwords.
A is correct because Windows Hello for Business is the integrated passwordless authentication solution for Windows 11 devices that uses biometrics or PIN for local device authentication linked to Azure AD identity. B is incorrect because while Microsoft Authenticator supports passwordless phone sign-in, the scenario specifically asks about authentication on Windows 11 devices themselves, not using a phone as a secondary device. C is incorrect because while FIDO2 security keys provide passwordless authentication, they require separate physical security key hardware rather than integrated device biometrics. D is incorrect because Azure AD password protection strengthens password-based authentication but does not eliminate passwords or provide passwordless authentication.
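The key-based challenge-response flow in the explanation above, as an added Go example that is not Microsoft's code: an Ed25519 key in memory stands in for the TPM-bound key, a PIN comparison stands in for the Windows Hello gesture, and the identity provider holds only public keys and single-use challenges. The account name, PIN and lockout threshold are constructed values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Device models the endpoint. The private key stands in for the TPM-held key that never leaves
// the device, and the PIN check for the biometric or PIN gesture that releases it for signing.
type Device struct {
	priv     ed25519.PrivateKey
	pin      []byte
	failures int  // consecutive wrong gestures
	locked   bool // anti-hammering: set after 5 wrong gestures; the key is unusable from then on
}

// IdP models the identity provider: only public keys, plus issued challenges (nonce -> expiry).
type IdP struct {
	pubKeys    map[string]ed25519.PublicKey
	challenges map[string]time.Time
}

func NewIdP() *IdP { return &IdP{map[string]ed25519.PublicKey{}, map[string]time.Time{}} }

// Enroll generates the key pair on the device and registers only the public half.
func Enroll(idp *IdP, user, pin string) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	idp.pubKeys[user] = pub
	return &Device{priv: priv, pin: []byte(pin)}, nil
}

// Challenge issues a fresh random nonce that must be signed and returned within ttl.
func (i *IdP) Challenge(now time.Time, ttl time.Duration) (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	nonce := hex.EncodeToString(b)
	i.challenges[nonce] = now.Add(ttl)
	return nonce, nil
}

// assertion binds the signature to the account as well as the nonce.
func assertion(user, nonce string) []byte { return []byte(user + "|" + nonce) }

// SignChallenge is the device side: the gesture must succeed before the key is used, and
// repeated failures lock the key rather than allowing unlimited guesses.
func (d *Device) SignChallenge(pin, user, nonce string) ([]byte, error) {
	if d.locked {
		return nil, errors.New("key locked after too many failed PIN attempts")
	}
	if subtle.ConstantTimeCompare([]byte(pin), d.pin) != 1 {
		d.failures++
		d.locked = d.failures >= 5 // anti-hammering threshold
		return nil, errors.New("wrong PIN")
	}
	d.failures = 0
	return ed25519.Sign(d.priv, assertion(user, nonce)), nil
}

// Verify is the IdP side. The nonce is consumed before any other check, so a replay fails even
// if otherwise valid; the signature must verify under the key registered at enrollment.
func (i *IdP) Verify(user, nonce string, sig []byte, now time.Time) error {
	exp, ok := i.challenges[nonce]
	delete(i.challenges, nonce)
	switch {
	case !ok:
		return errors.New("unknown or already used challenge")
	case now.After(exp):
		return errors.New("challenge expired")
	case len(i.pubKeys[user]) != ed25519.PublicKeySize:
		return errors.New("no key registered for user")
	case !ed25519.Verify(i.pubKeys[user], assertion(user, nonce), sig):
		return errors.New("signature does not verify under the registered key")
	}
	return nil
}

func main() {
	idp := NewIdP()
	dev, _ := Enroll(idp, "alice@contoso.example", "482913") // constructed account and PIN
	now := time.Now()
	nonce, _ := idp.Challenge(now, 2*time.Minute)
	sig, _ := dev.SignChallenge("482913", "alice@contoso.example", nonce)
	fmt.Println("first use:", idp.Verify("alice@contoso.example", nonce, sig, now)) // <nil>
	fmt.Println("replay:", idp.Verify("alice@contoso.example", nonce, sig, now))    // error
}
```

No shared secret ever reaches the identity provider, which is why a phished or replayed response is useless and why a password is never part of the flow.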
Question 16:
You are configuring Microsoft Defender Application Guard for managed Windows 11 devices. You want users to be able to open untrusted websites in an isolated environment. What prerequisite must be met?
A) Devices must have virtualization capabilities and Hyper-V enabled
B) Devices must be Azure AD joined
C) Microsoft Defender for Endpoint must be deployed
D) Users must have local administrator rights
Answer: A
Explanation:
Microsoft Defender Application Guard is an enterprise security feature that uses hardware-based virtualization to isolate untrusted websites and Microsoft Office files in a separate container, protecting the host operating system from potential threats. Understanding the technical prerequisites and architecture of Application Guard is essential for successful deployment in enterprise environments.
A is correct because Application Guard fundamentally requires hardware virtualization capabilities and Hyper-V to create the isolated container environment. B is incorrect because while Azure AD join is common in managed environments, Application Guard can function on domain-joined or workgroup devices as long as virtualization requirements are met. C is incorrect because Application Guard is a separate feature from Defender for Endpoint and can be deployed independently, though they complement each other when used together. D is incorrect because users do not need administrative rights to use Application Guard once it’s configured by IT administrators through policy.
Question 17:
You need to configure Microsoft Intune to deploy a VPN profile to Android Enterprise work profile devices. The VPN should connect automatically when users access specific corporate applications. What should you include in the VPN profile configuration?
A) Per-app VPN settings with targeted applications specified
B) Always-on VPN with lockdown mode enabled
C) VPN server address and authentication credentials
D) DNS suffix search list for corporate domains
Answer: A
Explanation:
Per-app VPN is a mobile device management capability that provides application-specific VPN connectivity, allowing designated applications to automatically trigger and route their traffic through a VPN connection while other applications use the normal network connection. Understanding how to configure and deploy per-app VPN profiles is essential for providing secure access to corporate resources while minimizing unnecessary VPN usage and maintaining user experience.
In Android Enterprise work profile environments, per-app VPN provides an ideal solution for securing corporate application traffic without requiring a constantly active VPN connection. When you configure a VPN profile in Intune with per-app VPN settings enabled, you specify which managed applications should trigger the VPN connection. When users launch any of these designated applications, the VPN connection establishes automatically in the background, and all network traffic from those applications routes through the VPN tunnel. When users switch to non-designated applications, those applications use the regular network connection without VPN overhead.
A is correct because per-app VPN settings with targeted applications provide the specific capability described in the scenario of automatically connecting VPN when accessing designated corporate applications. B is incorrect because always-on VPN maintains a constant VPN connection for all traffic rather than application-specific connectivity, and lockdown mode prevents all network access when VPN is unavailable, which is more restrictive than required. C is incorrect because while VPN server address and authentication are necessary components of any VPN profile, they don’t provide the application-specific automatic connection capability. D is incorrect because DNS suffix search lists help with name resolution but don’t control VPN connection behavior or application-specific routing.
Question 18:
Your organization uses Microsoft Intune to manage iOS devices. You need to prevent managed iOS devices from backing up corporate data to iCloud. What type of policy should you create?
A) Device restrictions profile with iCloud backup settings
B) App protection policy with data transfer restrictions
C) iOS app configuration policy
D) Compliance policy with cloud backup requirements
Answer: A
Explanation:
iOS device management through Microsoft Intune provides extensive control over device features and capabilities through device restriction policies. Understanding the difference between device-level restrictions and app-level protections is crucial for implementing appropriate security controls that prevent corporate data leakage while respecting user privacy on personally owned devices.
Device restrictions profiles in Intune allow administrators to enable or disable specific iOS features and capabilities at the operating system level. These restrictions are enforced through Apple’s Mobile Device Management protocol and apply to the entire device or, in work profile scenarios, to the managed portion of the device. When you create a device restrictions profile for iOS, you can control hundreds of settings across categories including cloud and storage, built-in apps, wireless settings, connected devices, and general device features.
A is correct because device restrictions profiles provide the device-level control necessary to block iCloud backup functionality for managed iOS devices. B is incorrect because while app protection policies can restrict data transfer between apps, they don’t control the iOS device backup mechanism which operates at the system level. C is incorrect because app configuration policies configure application settings and behavior but don’t control system-level features like iCloud backup. D is incorrect because compliance policies check device state and mark devices compliant or non-compliant but don’t actively prevent features like iCloud backup from being used.
Question 19:
You manage Windows 11 devices using Intune. You need to ensure that devices automatically delete local copies of BitLocker recovery keys after they are successfully backed up to Azure AD. What should you configure?
A) An Endpoint security Disk encryption policy with recovery key backup settings
B) A Device configuration profile with Administrative Templates
C) A PowerShell script to delete recovery keys
D) A compliance policy that checks for recovery key backup
Answer: A
Explanation:
BitLocker recovery key management is a critical aspect of disk encryption deployments, as these keys provide the only method to recover encrypted data when normal authentication methods fail. Understanding how to properly configure recovery key backup and local storage policies ensures business continuity while maintaining security best practices that prevent unauthorized access to recovery keys.
Endpoint security Disk encryption policies in Microsoft Intune provide comprehensive control over BitLocker configuration, including recovery key generation, backup location, and local storage management. These specialized security policies offer a streamlined interface focused specifically on encryption settings, making them more appropriate for BitLocker configuration than general device configuration profiles.
A is correct because Endpoint security Disk encryption policies provide the specific BitLocker settings needed to configure recovery key backup to Azure AD and automatic deletion of local copies. B is incorrect because while Administrative Templates can configure some BitLocker settings, Endpoint security policies provide a more focused and appropriate interface for encryption configuration. C is incorrect because using PowerShell scripts for recovery key deletion doesn’t integrate with the BitLocker enablement process and doesn’t ensure keys are backed up before deletion. D is incorrect because compliance policies check device state but don’t configure BitLocker behavior or recovery key management settings.
Question 20:
Your organization uses Microsoft Intune to manage devices. You need to configure a policy that requires users to enter a password after their device has been idle for 5 minutes. The policy should apply to both Windows 11 and iOS devices. What should you create?
A) Two separate device configuration profiles, one for Windows 11 and one for iOS
B) A single device restrictions profile targeting all platforms
C) A conditional access policy with session timeout settings
D) An app protection policy with screen lock requirements
Answer: A
Explanation:
Device configuration in Microsoft Intune is platform-specific because different operating systems have unique management frameworks, capabilities, and configuration mechanisms. Understanding this platform-specific nature and knowing when to create separate policies versus unified policies is essential for effective cross-platform device management.
Windows 11 and iOS devices use fundamentally different mobile device management protocols and have different security architectures. Windows devices are managed through the MDM protocol using OMA-DM standards and Configuration Service Providers, while iOS devices are managed through Apple’s MDM protocol. These differences extend to how security policies like screen lock timeouts are configured and enforced. As a result, Intune requires separate device configuration profiles for each platform.
For Windows 11 devices, you would create a device configuration profile with the platform set to “Windows 10 and later” and select an appropriate profile type such as “Device restrictions” or “Settings catalog.” Within this profile, you would navigate to the screen and timeout settings and configure the maximum inactivity time before the device locks. These settings translate to Windows Group Policy equivalents or registry settings that Windows devices understand and enforce.
For iOS devices, you would create a separate device configuration profile with the platform set to “iOS/iPadOS” and select “Device restrictions” as the profile type. Within the iOS-specific settings, you would find the “Maximum minutes of inactivity until screen locks” setting under the Password section. This setting is implemented through Apple’s MDM protocol and enforces screen lock requirements according to iOS security mechanisms.
Both profiles achieve the same security objective—requiring authentication after five minutes of inactivity—but they do so through platform-appropriate mechanisms. After creating both profiles, you would assign them to appropriate Azure AD groups that contain your Windows and iOS devices respectively, or you could use dynamic groups or filters to ensure each device type receives the appropriate policy.
This multi-platform approach is common in heterogeneous enterprise environments where organizations must maintain consistent security postures across different device types while respecting the unique characteristics of each platform. While it requires managing multiple policies, Intune’s group-based assignment and filtering capabilities help ensure the right policies reach the right devices without manual overhead.
A is correct because Windows 11 and iOS require platform-specific device configuration profiles to enforce screen lock timeout settings through their respective management frameworks. B is incorrect because Intune does not support single device restriction profiles that apply to multiple platforms—each platform requires its own policy. C is incorrect because Conditional Access policies control access to cloud applications based on conditions but don’t configure device-level settings like screen lock timeouts. D is incorrect because app protection policies protect data within applications but don’t enforce device-level screen lock requirements.