Question 21:
You are configuring app protection policies in Microsoft Intune for iOS devices. You want to ensure that users can only copy data from managed apps to other managed apps, but not to unmanaged apps. What setting should you configure?
A) Send org data to other apps: Policy managed apps
B) Receive data from other apps: All apps
C) Save copies of org data: Block
D) Restrict cut, copy, and paste between apps: Policy managed apps with paste in
Answer: A
Explanation:
App protection policies in Microsoft Intune provide application-level data protection that functions independently of device enrollment, making them ideal for bring-your-own-device scenarios where organizations need to protect corporate data without managing the entire device. Understanding how to configure data transfer restrictions is essential for preventing corporate data leakage while maintaining productivity.
The “Send org data to other apps” setting is one of the most critical controls in app protection policies because it governs how data can be transferred out of protected applications. This setting has several options that provide different levels of restriction. When set to “Policy managed apps,” the setting allows users to transfer data such as copying text, sharing files, or using the iOS share sheet, but only to other applications that are also protected by Intune app protection policies.
A is correct because “Send org data to other apps: Policy managed apps” specifically restricts data transfer to only those applications protected by Intune app protection policies, preventing copying to unmanaged apps. B is incorrect because “Receive data from other apps” controls inbound data transfer into managed apps, not the outbound copying scenario described. C is incorrect because “Save copies of org data” controls whether users can save files using Save As or similar functions, not copy/paste between applications. D is incorrect because while this setting affects clipboard operations, “Policy managed apps with paste in” allows pasting into any app but with formatting restrictions, which doesn’t prevent data transfer to unmanaged apps as required.
Question 22:
Your organization has deployed Microsoft Defender for Endpoint to Windows 10 devices. You need to configure attack surface reduction rules to block credential stealing from the Windows local security authority subsystem (lsass.exe). What should you do?
A) Enable the “Block credential stealing from the Windows local security authority subsystem” ASR rule
B) Configure Credential Guard through device configuration policies
C) Enable tamper protection in Microsoft Defender Antivirus
D) Configure exploit protection settings for lsass.exe
Answer: A
Explanation:
Attack surface reduction rules in Microsoft Defender for Endpoint provide targeted protection against specific attack techniques commonly used by malware and attackers. Understanding the available rules and their specific security functions is essential for implementing defense-in-depth strategies that protect critical system components and processes.
The local security authority subsystem service (lsass.exe) is a critical Windows process responsible for enforcing security policy, handling user authentication, and managing credentials. Because lsass.exe holds sensitive credential information in memory, it is a frequent target for attackers using credential dumping tools like Mimikatz. When attackers gain code execution on a system, they often attempt to access lsass.exe memory to extract plaintext passwords, NTLM hashes, or Kerberos tickets that can be used for lateral movement within the network.
A is correct because there is a specific ASR rule designed to protect lsass.exe from credential stealing attacks, which directly addresses the requirement. B is incorrect because while Credential Guard provides additional credential protection through virtualization-based security, it is a different security feature than ASR rules and uses a different protection mechanism. C is incorrect because tamper protection prevents attackers from disabling security features but doesn’t specifically protect against lsass.exe credential stealing. D is incorrect because exploit protection provides memory corruption mitigations but ASR rules are the specific feature designed to block credential theft from lsass.exe.
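As an added example (not part of the original question set), the PowerShell below checks how this ASR rule is applied on a Windows device and lists the events it writes, which is how you verify that an Intune ASR policy actually landed. The rule GUID is Microsoft's published identifier for "Block credential stealing from the Windows local security authority subsystem"; event IDs 1121 and 1122 are the Defender operational-log events for an ASR rule firing in block and audit mode. The function names are the example's own.

```powershell
# Added example: verify the lsass credential-theft ASR rule on a device and read its events.
# Microsoft's published rule ID for "Block credential stealing from the Windows local
# security authority subsystem".
$LsassAsrRuleId = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'

# Action codes as reported by Get-MpPreference (AttackSurfaceReductionRules_Actions).
$AsrActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    # Returns the configured mode of one ASR rule, or 'Not configured' if it is absent.
    param([Parameter(Mandatory)][string]$RuleId)

    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)

    # The two properties are parallel arrays: actions[i] applies to ids[i].
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -eq $RuleId) {
            $code = [int]$actions[$i]
            if ($AsrActionNames.ContainsKey($code)) { return $AsrActionNames[$code] }
            return "Unknown ($code)"
        }
    }
    return 'Not configured'
}

function Get-AsrRuleEvents {
    # Lists hits for one rule. 1121 = blocked, 1122 = audited (would have blocked).
    param([Parameter(Mandatory)][string]$RuleId)

    $filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122 }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($RuleId) } |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Mode    = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
                Summary = ($_.Message -split "`r?`n")[0]
            }
        }
}

# On an Intune-managed device the mode comes from the Endpoint security ASR policy.
# In a lab the same rule can be set locally (Enabled = block, AuditMode = audit):
#   Add-MpPreference -AttackSurfaceReductionRules_Ids $LsassAsrRuleId -AttackSurfaceReductionRules_Actions Enabled

"lsass ASR rule mode: $(Get-AsrRuleState -RuleId $LsassAsrRuleId)"
Get-AsrRuleEvents -RuleId $LsassAsrRuleId | Format-Table -AutoSize
```

Running the rule in audit mode first and reviewing the 1122 events shows which legitimate tools (backup agents, some EDR or monitoring software) touch lsass.exe memory, so exclusions can be added before switching the policy to block.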
Question 23:
You need to deploy a custom ADMX file for a line-of-business application to Windows 11 devices managed by Intune. The ADMX file contains policy definitions not available in Intune’s built-in Administrative Templates. What should you do?
A) Import the custom ADMX file into Intune and create an Administrative Templates profile
B) Create a custom OMA-URI profile with the registry settings from the ADMX file
C) Deploy the ADMX file to devices using a PowerShell script
D) Use Settings Catalog to configure the custom application settings
Answer: B
Explanation:
While Microsoft Intune includes extensive built-in Administrative Templates covering Windows settings and Microsoft applications like Edge and Office, organizations often need to manage settings for third-party or line-of-business applications that provide their own ADMX policy definitions. Understanding the limitations and workarounds for custom ADMX files in Intune is important for comprehensive application management.
Intune does not currently support importing custom ADMX files directly into the Administrative Templates interface. The Administrative Templates available in Intune are limited to those Microsoft has explicitly included in the service. This means that third-party application ADMX files cannot be uploaded to Intune to create policy profiles through the standard Administrative Templates workflow.
However, the settings defined in ADMX files ultimately translate to Windows registry values. ADMX files are XML definitions that describe policy settings, their registry locations, data types, and allowed values. When group policies apply ADMX-based settings in traditional Active Directory environments, they write specific registry keys and values to the computer or user registry hives. This registry-based implementation provides a workaround for Intune management.
A is incorrect because Intune does not support importing custom ADMX files—only Microsoft-provided Administrative Templates are available in the built-in interface. B is correct because custom OMA-URI profiles allow you to configure registry settings that ADMX files would typically manage, providing a workaround for custom policy definitions. C is incorrect because while PowerShell scripts could deploy ADMX files to the PolicyDefinitions folder, this doesn’t integrate with Intune’s policy management and doesn’t help apply the settings defined in those files. D is incorrect because Settings Catalog contains curated settings that Microsoft has exposed, and custom third-party ADMX definitions are not included in the catalog.
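As an added example (not from the original question set), the PowerShell below parses an ADMX file for a hypothetical Contoso application (the ADMX itself is constructed for the example) and prints, for each policy, the registry value it controls together with the OMA-URIs a custom profile uses for ADMX-backed settings in the Policy CSP: the ADMXInstall path, which carries the ADMX body as a string, and the Config path built from the app name, the tilde-joined category path and the policy name. A last function reads the registry on the device to confirm a setting landed. Function and app names are the example's own.

```powershell
# Added example: map ADMX policies to the registry values and Policy CSP OMA-URIs behind them.
# Constructed ADMX for a hypothetical line-of-business app; not a real product's file.
$ContosoAdmx = @'
<?xml version="1.0" encoding="utf-8"?>
<policyDefinitions revision="1.0" schemaVersion="1.0"
  xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <policyNamespaces><target prefix="contoso" namespace="Contoso.Policies.App" /></policyNamespaces>
  <resources minRequiredRevision="1.0" />
  <supportedOn><definitions><definition name="SUPPORTED_App1" displayName="$(string.SUPPORTED_App1)" /></definitions></supportedOn>
  <categories>
    <category name="ContosoApp" displayName="$(string.ContosoApp)" />
    <category name="Security" displayName="$(string.Security)"><parentCategory ref="ContosoApp" /></category>
  </categories>
  <policies>
    <policy name="DisableTelemetry" class="Machine" displayName="$(string.DisableTelemetry)"
      key="Software\Policies\Contoso\App" valueName="TelemetryEnabled">
      <parentCategory ref="Security" /><supportedOn ref="SUPPORTED_App1" />
      <enabledValue><decimal value="0" /></enabledValue>
      <disabledValue><decimal value="1" /></disabledValue>
    </policy>
    <policy name="MinimumTlsVersion" class="Machine" displayName="$(string.MinimumTlsVersion)"
      key="Software\Policies\Contoso\App" valueName="MinimumTlsVersion">
      <parentCategory ref="Security" /><supportedOn ref="SUPPORTED_App1" />
      <enabledValue><string>1.2</string></enabledValue>
      <disabledValue><string>1.0</string></disabledValue>
    </policy>
  </policies>
</policyDefinitions>
'@

function Get-AdmxValueData {
    # Reads the data inside <enabledValue>/<disabledValue>: a <decimal value=""/> or a <string>.
    param($Node)
    if ($null -eq $Node) { return $null }
    if ($Node.decimal) { return [int]$Node.decimal.value }
    if ($Node.string)  { return [string]$Node.string }
    return $null
}

function Get-AdmxRegistryMap {
    # One row per policy: registry location, enabled/disabled data, and the ADMX-backed OMA-URI.
    # $AppName must match the AppName segment used in the ADMXInstall URI.
    param([Parameter(Mandatory)][string]$AdmxContent,
          [Parameter(Mandatory)][string]$AppName)

    [xml]$doc = $AdmxContent

    # Category name -> parent name, to rebuild the tilde-joined category path the CSP expects.
    $parents = @{}
    foreach ($c in @($doc.policyDefinitions.categories.category)) {
        $parent = if ($c.parentCategory) { $c.parentCategory.ref } else { $null }
        $parents[$c.name] = $parent
    }

    foreach ($p in @($doc.policyDefinitions.policies.policy)) {
        $path = @()
        $cat  = $p.parentCategory.ref
        while ($cat) { $path = @($cat) + $path; $cat = $parents[$cat] }   # root category first

        # class="User" maps to HKCU and the ./User scope; Machine (and Both, simplified) to HKLM and ./Device.
        $hive  = if ($p.class -eq 'User') { 'HKCU' } else { 'HKLM' }
        $scope = if ($p.class -eq 'User') { 'User' } else { 'Device' }
        [pscustomobject]@{
            Policy        = $p.name
            RegistryKey   = "${hive}:\$($p.key)"
            ValueName     = $p.valueName
            EnabledData   = Get-AdmxValueData $p.enabledValue
            DisabledData  = Get-AdmxValueData $p.disabledValue
            SettingOmaUri = "./$scope/Vendor/MSFT/Policy/Config/${AppName}~Policy~$($path -join '~')/$($p.name)"
        }
    }
}

function Test-AdmxPolicyApplied {
    # Compares the live registry value with the policy's Enabled data (run on the target device).
    param([Parameter(Mandatory)]$Mapping)
    $item   = Get-ItemProperty -Path $Mapping.RegistryKey -Name $Mapping.ValueName -ErrorAction SilentlyContinue
    $actual = if ($item) { $item.($Mapping.ValueName) } else { $null }
    [pscustomobject]@{
        Policy    = $Mapping.Policy
        Expected  = $Mapping.EnabledData
        Actual    = $actual
        Compliant = ($null -ne $actual -and "$actual" -eq "$($Mapping.EnabledData)")
    }
}

$AppName = 'Contoso'
$map = Get-AdmxRegistryMap -AdmxContent $ContosoAdmx -AppName $AppName
$map | Format-Table Policy, RegistryKey, ValueName, EnabledData, SettingOmaUri -AutoSize -Wrap

# Custom profile row 1: ingest the ADMX body (String data type, value = the ADMX text).
"./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/$AppName/Policy/${AppName}Admx"
# Custom profile rows 2..n: one per policy, String data type, value <enabled/> or <disabled/>.
$map | ForEach-Object { "$($_.SettingOmaUri)  =>  <enabled/>" }

# After the profile has applied, on the device:
$map | ForEach-Object { Test-AdmxPolicyApplied -Mapping $_ } | Format-Table -AutoSize
```

The registry key and value name come straight from the ADMX policy element, so the same mapping tells you what to look for when a device reports the profile as applied but the application still behaves as if unconfigured.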
Question 24:
You manage iOS devices enrolled in Microsoft Intune. You need to deploy a managed app configuration that pre-configures email server settings for a third-party email application. What type of policy should you create?
A) App configuration policy for managed devices
B) App protection policy with app configuration settings
C) Device configuration profile with email settings
D) App configuration policy for managed apps
Answer: A
Explanation:
App configuration policies in Microsoft Intune enable administrators to pre-configure application settings, providing a seamless user experience where applications are ready to use immediately after installation without requiring users to manually enter configuration details. Understanding the distinction between configuration policies for managed devices versus managed apps is crucial for selecting the appropriate policy type based on enrollment status and management requirements.
Intune offers two types of app configuration policies: configuration policies for managed devices and configuration policies for managed apps. The key distinction lies in whether the target devices are enrolled in Intune MDM. Configuration policies for managed devices require full device enrollment in Intune and leverage the MDM channel to deliver configuration settings to applications. This is the appropriate choice when devices are corporate-owned or otherwise enrolled in full MDM management.
For iOS devices enrolled in Intune, app configuration policies for managed devices use Apple’s MDM protocol to deliver configuration dictionaries to applications. When you deploy a managed app like a third-party email client from the App Store or as a line-of-business app, you can create a configuration policy that defines key-value pairs corresponding to the application’s configurable settings. These might include email server addresses, port numbers, authentication methods, encryption requirements, or application-specific feature toggles.
A is correct because app configuration policies for managed devices are the appropriate method to pre-configure application settings on enrolled iOS devices through the MDM channel. B is incorrect because app protection policies focus on data protection and security controls rather than application configuration, and while they may include some app configuration for MAM scenarios, they don’t provide the MDM-based configuration appropriate for enrolled devices. C is incorrect because device configuration profiles with email settings configure the native iOS Mail app or Exchange ActiveSync settings, not third-party email applications. D is incorrect because app configuration policies for managed apps are used for unenrolled devices in MAM-only scenarios, whereas this scenario involves enrolled managed devices where MDM-based configuration is more appropriate.
Question 25:
Your organization uses Windows Autopilot for device deployment. During deployment, you notice that some devices are not downloading assigned applications before users reach the desktop. You want to ensure all required applications are installed before users can access the desktop. What should you configure?
A) Enable the Enrollment Status Page (ESP) and configure app tracking settings
B) Set applications as required and assign to device groups
C) Configure Windows Autopilot deployment profile with “Skip installation of Office apps”
D) Create a provisioning package with application installations
Answer: A
Explanation:
The Enrollment Status Page is a critical component of Windows Autopilot deployments that provides visibility into the provisioning process and ensures devices are fully configured before users can access them. Understanding how to configure ESP to track application installations and enforce completion requirements is essential for delivering reliable, zero-touch deployment experiences.
The Enrollment Status Page appears during the Autopilot provisioning process and displays progress through three distinct phases: Device preparation, Device setup, and Account setup. Each phase tracks specific configuration activities, and ESP can be configured to block user access until selected activities complete successfully. Without ESP properly configured, users might reach the desktop while policies and applications are still being applied in the background, leading to incomplete configurations and support issues.
In the Device setup phase, ESP can track installation of applications assigned as required to device groups. To ensure applications install before users access the desktop, you must enable ESP and configure it to block access until device setup completes. Within ESP configuration, you can specify which applications are considered blocking apps—applications that must successfully install before ESP allows the user to proceed. If you select “All” for blocking apps, ESP will wait for every required application assigned to the device to complete installation.
A is correct because enabling and properly configuring the Enrollment Status Page with app tracking is specifically designed to ensure applications install before users access the desktop during Autopilot deployment. B is incorrect because while assigning applications as required to device groups is necessary for ESP tracking, this alone doesn’t block desktop access until installation completes—ESP must be configured to enforce this. C is incorrect because the “Skip installation of Office apps” setting relates to Microsoft 365 Apps deployment and doesn’t ensure other applications install before desktop access. D is incorrect because provisioning packages are a different deployment method not directly related to Autopilot or controlling when users access the desktop during enrollment.
Question 26:
You are configuring Conditional Access in Azure AD. You want to require compliant devices for accessing Microsoft 365 services, but you need to exclude emergency access accounts from this requirement. What should you configure in the Conditional Access policy?
A) Add emergency access accounts to the Exclude users section under Assignments
B) Create a separate Conditional Access policy for emergency accounts with lower priority
C) Configure emergency access accounts with permanent MFA registration
D) Add emergency access accounts to a group excluded from compliance requirements
Answer: A
Explanation:
Conditional Access policies in Azure AD provide powerful access control mechanisms, but they can inadvertently lock administrators out of the tenant if not properly configured with emergency access provisions. Understanding how to properly exclude emergency access accounts while maintaining security for regular users is a critical best practice for preventing tenant lockout scenarios.
Emergency access accounts, sometimes called “break-glass” accounts, are highly privileged accounts maintained specifically for scenarios where normal administrative access fails, such as when a misconfigured Conditional Access policy blocks all administrators, when MFA services are unavailable, or when identity provider failures prevent authentication. These accounts typically have permanent global administrator privileges, are cloud-only accounts not synchronized from on-premises directories, and use long, complex passwords stored securely offline.
When configuring Conditional Access policies, every policy that could potentially block access should explicitly exclude emergency access accounts. This is accomplished in the Assignments section of the Conditional Access policy under the Users section. While you configure the policy to apply to “All users” or specific groups, you must then add exclusions for the emergency access accounts or a group containing these accounts. This exclusion ensures that even if the Conditional Access policy blocks everyone else, emergency access accounts can still authenticate and access the tenant to resolve issues.
A is correct because explicitly excluding emergency access accounts from Conditional Access policies in the Users exclusion section is the proper method to ensure these accounts can always access the tenant regardless of policy requirements. B is incorrect because Conditional Access policies don’t have priority rankings—all applicable policies must be satisfied, and creating separate policies doesn’t effectively exclude accounts from existing policies. C is incorrect because while MFA registration is important, it doesn’t address the need to exclude these accounts from device compliance requirements or other Conditional Access controls. D is incorrect because while using a group for exclusion is a valid implementation detail, the answer doesn’t specify that the group should be excluded from the Conditional Access policy itself, making it incomplete compared to option A.
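As an added example (not from the original question set), the PowerShell below audits Conditional Access policies for the exclusion described above: every policy must exclude each emergency access account, either directly or through a group that contains them. The object shape mirrors what Get-MgIdentityConditionalAccessPolicy (Microsoft.Graph.Identity.SignIns) returns, but the account IDs, group ID and policies here are constructed so the check runs offline. Function names are the example's own.

```powershell
# Added example: audit Conditional Access policies for a break-glass exclusion.
# In a tenant:  Connect-MgGraph -Scopes 'Policy.Read.All'
#               $policies = Get-MgIdentityConditionalAccessPolicy -All
$BreakGlassUserIds = @('11111111-1111-1111-1111-111111111111',
                       '22222222-2222-2222-2222-222222222222')   # constructed user object IDs
$BreakGlassGroupId = '33333333-3333-3333-3333-333333333333'      # constructed group object ID

function New-SamplePolicy {
    # Builds a policy object with the same property names as the Graph SDK result.
    param($Name, $State, $IncludeUsers, $ExcludeUsers = @(), $ExcludeGroups = @())
    [pscustomobject]@{
        DisplayName = $Name
        State       = $State   # enabled | disabled | enabledForReportingButNotEnforced
        Conditions  = [pscustomobject]@{
            Users = [pscustomobject]@{
                IncludeUsers  = $IncludeUsers
                ExcludeUsers  = $ExcludeUsers
                ExcludeGroups = $ExcludeGroups
            }
        }
    }
}

# Constructed sample policies: one correct, one with no exclusion, one half-covered.
$policies = @(
    New-SamplePolicy -Name 'Require compliant device for M365' -State 'enabled' `
        -IncludeUsers @('All') -ExcludeGroups @($BreakGlassGroupId)
    New-SamplePolicy -Name 'Block legacy authentication' -State 'enabled' -IncludeUsers @('All')
    New-SamplePolicy -Name 'Require MFA for admins (pilot)' -State 'enabledForReportingButNotEnforced' `
        -IncludeUsers @('All') -ExcludeUsers @($BreakGlassUserIds[0])
)

function Test-BreakGlassExclusion {
    # Reports, per policy, whether every break-glass account is excluded directly or via the group.
    param([Parameter(Mandatory)]$Policies,
          [Parameter(Mandatory)][string[]]$UserIds,
          [string]$GroupId)

    foreach ($pol in $Policies) {
        $users          = $pol.Conditions.Users
        $excludedUsers  = @($users.ExcludeUsers)
        $excludedGroups = @($users.ExcludeGroups)
        $coveredByGroup = [bool]$GroupId -and ($excludedGroups -contains $GroupId)
        $missing = @($UserIds | Where-Object { -not $coveredByGroup -and ($excludedUsers -notcontains $_) })

        [pscustomobject]@{
            Policy  = $pol.DisplayName
            State   = $pol.State
            Covered = ($missing.Count -eq 0)
            Missing = ($missing -join ', ')
        }
    }
}

$report = Test-BreakGlassExclusion -Policies $policies -UserIds $BreakGlassUserIds -GroupId $BreakGlassGroupId
$report | Format-Table -AutoSize

# Enforced policies that are not covered are a lockout risk; report-only policies should be
# fixed before they are switched to 'enabled'.
$report | Where-Object { -not $_.Covered -and $_.State -ne 'disabled' }
```

Excluding a group rather than individual accounts keeps the exclusion in one place, but the group itself then becomes sensitive: changes to its membership should be alerted on, since adding an account to it removes that account from every policy at once.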
Question 27:
You manage Android Enterprise devices with Microsoft Intune. You need to deploy a custom line-of-business Android application that requires specific permissions not typically granted by default. What type of app should you add to Intune?
A) Managed Google Play app using private app publishing
B) Line-of-business app with APK file upload
C) Web link to download the APK file
D) Android device administrator app
Answer: A
Explanation:
Android Enterprise provides multiple methods for distributing applications to managed devices, each with different capabilities, security characteristics, and management features. Understanding the proper method for deploying custom line-of-business applications while maintaining Android Enterprise security standards is essential for successful Android device management.
Managed Google Play is the primary distribution channel for applications in Android Enterprise environments. While most administrators associate Managed Google Play with public applications from the Google Play Store, it also supports private app publishing where organizations can distribute custom line-of-business applications exclusively to their managed devices. This approach provides significant advantages over traditional APK sideloading while maintaining Android Enterprise’s security model.
When using private app publishing, you upload your custom APK file to the Managed Google Play private app section through the Play Console. The application becomes available only to your organization and does not appear in the public Play Store. From Intune, you approve this private app through the Managed Google Play integration, making it available for deployment to your Android Enterprise devices. The application benefits from Google Play’s distribution infrastructure, automatic update mechanisms, and integration with Android’s permission system.
A is correct because private app publishing through Managed Google Play is the recommended and most secure method for deploying custom line-of-business Android applications in Android Enterprise environments, providing proper permission handling and integration with management features. B is incorrect because directly uploading APK files bypasses Android Enterprise’s security model and is not supported for Android Enterprise enrolled devices—Intune requires using Managed Google Play for Android Enterprise app distribution. C is incorrect because web links for APK downloads require enabling installation from unknown sources, which violates Android Enterprise security principles and is typically blocked on managed devices. D is incorrect because Android device administrator is a deprecated enrollment method that should not be used for new deployments, and the enrollment method is separate from the app distribution method.
Question 28:
Your organization uses Microsoft Intune and Azure AD. You need to configure dynamic device groups that automatically include all Windows 11 devices that are Azure AD joined and located in the Sales department. What should you configure?
A) Dynamic device group with rule based on device.deviceOSType and device.departmentName
B) Assigned device group and manually add Sales department devices
C) Dynamic user group with rule based on user.department
D) Device filter targeting Windows 11 devices in the Sales department
Answer: A
Explanation:
Dynamic groups in Azure AD provide automated group membership management based on device or user attributes, eliminating the need for manual group maintenance and ensuring groups always contain the correct members based on current attribute values. Understanding how to construct dynamic group rules using device properties is essential for scalable device management in enterprise environments.
Dynamic device groups use membership rules that are evaluated continuously by Azure AD. When device attributes change, Azure AD automatically recalculates group membership and adds or removes devices accordingly. This automation is particularly valuable in large environments where manual group management would be error-prone and time-consuming. For the scenario described, you need to create a rule that identifies devices based on both their operating system and their associated department.
A is correct because dynamic device groups with rules based on device properties like OS type and department name provide automated membership management for devices matching specified criteria. B is incorrect because assigned groups require manual membership management, which doesn’t provide the automation requested and becomes difficult to maintain as devices are added or departments change. C is incorrect because dynamic user groups contain users rather than devices and cannot be used for device-targeted Intune policies. D is incorrect because while device filters can target policies based on device properties, they don’t create groups and don’t provide the group-based management capabilities requested in the scenario.
Question 29:
You are implementing Microsoft Tunnel VPN gateway for Android and iOS devices managed by Intune. Users need to access on-premises resources that are not published through Azure AD Application Proxy. What must you install to support Microsoft Tunnel?
A) Microsoft Tunnel Gateway server on a Windows or Linux server in your on-premises network
B) Azure VPN Gateway in your Azure subscription
C) Network Policy Server with RADIUS authentication
D) Azure AD Connect with pass-through authentication
Answer: A
Explanation:
Microsoft Tunnel is a VPN gateway solution that enables mobile devices managed by Microsoft Intune to securely access on-premises resources without requiring traditional VPN infrastructure. Understanding the architecture and deployment requirements of Microsoft Tunnel is essential for providing mobile users with secure access to corporate resources while maintaining modern management approaches.
Microsoft Tunnel consists of gateway servers that you install on Linux or Windows servers within your on-premises network or in cloud infrastructure. These gateway servers create secure VPN tunnels between Intune-managed mobile devices and your internal network, providing access to on-premises applications, file shares, and other resources that are not internet-accessible. The gateway servers integrate with Intune through the Intune Connector for Microsoft Tunnel, which registers the servers with your Intune tenant and enables centralized management and monitoring.
The architecture involves deploying one or more Microsoft Tunnel Gateway servers in your environment based on capacity requirements and high availability needs. Each gateway server handles VPN connections from mobile devices, authenticating users and devices through Azure AD and Intune compliance checks before granting access. The gateway uses modern VPN protocols and integrates with your existing network infrastructure to route traffic to on-premises resources.
A is correct because Microsoft Tunnel requires deploying Microsoft Tunnel Gateway servers on Windows or Linux servers in your environment to provide the VPN endpoint for mobile device connections. B is incorrect because Azure VPN Gateway is a different service used for site-to-site or point-to-site VPN connections in Azure, not for Microsoft Tunnel mobile device VPN. C is incorrect because while Microsoft Tunnel can integrate with existing authentication infrastructure, it doesn’t require Network Policy Server—it uses Azure AD for authentication. D is incorrect because Azure AD Connect synchronizes on-premises identities to Azure AD but is not a requirement for Microsoft Tunnel, which can work with cloud-only identities and uses different mechanisms for authentication.
Question 30:
You manage Windows 10 devices using Microsoft Intune. You need to configure Windows Defender Firewall to block inbound connections on the Domain network profile but allow inbound connections for specific applications. What should you create?
A) Endpoint security Firewall policy with connection security rules and application rules
B) Device configuration profile with Windows Defender Firewall settings
C) Attack surface reduction policy with network protection enabled
D) Compliance policy with firewall requirements
Answer: A
Explanation:
Windows Defender Firewall management through Microsoft Intune provides comprehensive control over network-level security through multiple policy types and configuration methods. Understanding how to properly configure firewall rules with exceptions for specific applications requires knowledge of both Endpoint security policies and the different types of firewall rules available.
Endpoint security Firewall policies in Intune provide the most comprehensive interface for managing Windows Defender Firewall settings, including global firewall settings for different network profiles, firewall rules that allow or block specific traffic, and connection security rules that define IPsec requirements for specific connections. These specialized security policies offer better organization and clarity than general device configuration profiles when managing complex firewall configurations.
A is correct because Endpoint security Firewall policies provide the comprehensive firewall configuration capabilities needed to set default block behavior and create application-specific allow rules. B is incorrect because while device configuration profiles can configure some firewall settings, Endpoint security policies provide a more complete and appropriate interface for complex firewall configurations with custom rules. C is incorrect because Attack surface reduction policies focus on behavioral protections against malware techniques, and network protection is a related but different feature that filters malicious network connections rather than configuring firewall rules. D is incorrect because compliance policies check whether firewall is enabled but don’t configure firewall behavior or rules.
Question 31:
Your organization is deploying Windows 11 devices using Windows Autopilot. You need to ensure that devices are automatically assigned to a specific Autopilot deployment profile based on their device model. What should you configure?
A) Create a device group with dynamic membership based on device model and assign the Autopilot profile to that group
B) Configure Autopilot device attributes with the model name during hardware ID import
C) Create an Enrollment Status Page profile targeting specific device models
D) Use Windows Autopilot for existing devices with model-specific deployment packages
Answer: A
Explanation:
Windows Autopilot profile assignment determines which configuration experience devices receive during the out-of-box experience, making proper targeting essential for delivering appropriate configurations to different device types. Understanding how to leverage Azure AD dynamic groups for automatic profile assignment based on device attributes provides scalable management that adapts as new devices are added.
When devices are registered in Windows Autopilot, their hardware information is uploaded to the service, including attributes like manufacturer, model, serial number, and other hardware identifiers. These attributes are stored in Azure AD when devices register and can be used for dynamic group membership rules. By creating dynamic device groups with rules based on the device model attribute, you can automatically organize devices by their hardware type without manual group management.
For example, if your organization deploys different configurations for laptop versus desktop computers, or different settings for Surface devices versus other manufacturers, you would create separate dynamic groups for each scenario. A dynamic group rule might look like: device.deviceModel -eq "Surface Laptop 4" or device.deviceModel -contains "Latitude" for Dell Latitude models. Once these dynamic groups are created, devices with matching model attributes automatically become members when they register with Azure AD during Autopilot enrollment.
A is correct because creating dynamic device groups based on model attributes and assigning Autopilot profiles to those groups provides automatic, scalable profile assignment based on device hardware characteristics. B is incorrect because while device attributes are imported with hardware IDs, these attributes are used by dynamic groups for targeting rather than being configured to control profile assignment directly. C is incorrect because Enrollment Status Page profiles control the provisioning experience visibility and blocking behavior but don’t determine Autopilot profile assignment based on device models. D is incorrect because Autopilot for existing devices is a method for converting existing devices to Autopilot through reimaging, not a mechanism for assigning profiles based on device models.
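As an added example (not from the original question set), the PowerShell below writes the membership rules for both dynamic-group scenarios on this page, the Sales Windows 11 group from Question 28 and the model-based Autopilot group above, and creates them with Microsoft Graph PowerShell (Microsoft.Graph.Groups). Group names are constructed. One assumption is labelled in the code: the department is taken from extensionAttribute1 on the device object, since the Azure AD device object has no built-in department attribute.

```powershell
# Added example: dynamic device group rules for Q28 and Q31, created via Microsoft Graph PowerShell.
# Assumption: department is stamped on the device object in extensionAttribute1.

# Q28: Azure AD joined Windows 11 devices in Sales. Windows 11 builds start at 10.0.22000,
# so the "10.0.2" prefix matches 22xxx and 26xxx builds while Windows 10 (10.0.1xxxx) does not.
$salesWindows11Rule = '(device.deviceOSType -eq "Windows") -and (device.deviceOSVersion -startsWith "10.0.2") -and (device.deviceTrustType -eq "AzureAd") -and (device.extensionAttribute1 -eq "Sales")'

# Q31: Autopilot-registered devices whose model name contains "Latitude". The [ZTDId]
# physical ID exists only on devices registered with Windows Autopilot.
$latitudeAutopilotRule = '(device.devicePhysicalIDs -any (_ -startsWith "[ZTDId]")) -and (device.deviceModel -contains "Latitude")'

function New-DynamicDeviceGroup {
    # Creates a security group whose membership Azure AD computes from the rule.
    param([Parameter(Mandatory)][string]$DisplayName,
          [Parameter(Mandatory)][string]$Rule)

    New-MgGroup -DisplayName $DisplayName `
        -MailNickname ($DisplayName -replace '[^A-Za-z0-9]', '') `
        -MailEnabled:$false -SecurityEnabled `
        -GroupTypes @('DynamicMembership') `
        -MembershipRule $Rule `
        -MembershipRuleProcessingState 'On'
}

Connect-MgGraph -Scopes 'Group.ReadWrite.All' -NoWelcome
$salesGroup    = New-DynamicDeviceGroup -DisplayName 'DEV-Win11-AADJ-Sales'   -Rule $salesWindows11Rule
$latitudeGroup = New-DynamicDeviceGroup -DisplayName 'DEV-Autopilot-Latitude' -Rule $latitudeAutopilotRule

# Membership is evaluated asynchronously; re-check a few minutes after creation.
Get-MgGroupMember -GroupId $latitudeGroup.Id -All |
    ForEach-Object { $_.AdditionalProperties['displayName'] }
```

The Autopilot deployment profile is then assigned to the Latitude group in Intune. Because the [ZTDId] attribute is written when the hardware hash is imported, a device joins the group, and so picks up its profile, before it ever boots into the out-of-box experience.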
Question 32:
You need to configure Microsoft Intune to prevent users from enrolling personal devices while allowing corporate-owned devices to enroll. All corporate devices are purchased through an authorized reseller who provides device serial numbers. What should you configure?
A) Create device enrollment restrictions that limit enrollment to corporate-owned devices only
B) Upload corporate device identifiers to Intune as corporate device identifiers
C) Configure Conditional Access policy requiring device compliance before enrollment
D) Enable Windows Autopilot pre-registration for all corporate devices
Answer: B
Explanation:
Microsoft Intune provides multiple mechanisms for distinguishing between corporate-owned and personally owned devices, each affecting device management capabilities, available policies, and enrollment permissions. Understanding how to use corporate device identifiers to establish device ownership before enrollment is essential for controlling which devices can join your management infrastructure.
Corporate device identifiers in Intune allow you to pre-register device serial numbers, IMEI numbers, or manufacturer-specific identifiers before devices are enrolled. When you upload these identifiers to Intune through the Devices > Enroll devices > Corporate device identifiers section, Intune marks devices with matching identifiers as corporate-owned during the enrollment process. This ownership classification affects numerous management capabilities and can be used to enforce enrollment restrictions.
Corporate device identification also affects other Intune capabilities beyond enrollment restrictions. Corporate-owned devices receive additional management capabilities, can be subject to more restrictive policies without privacy concerns, and may have different retirement and wipe behaviors. For example, corporate device wipes can remove all data and return devices to factory settings, while personal device wipes typically remove only corporate data while preserving personal information.
A is incorrect because while enrollment restrictions are part of the solution, they alone cannot distinguish corporate from personal devices without a mechanism like corporate device identifiers to establish ownership. B is correct because uploading corporate device identifiers establishes device ownership before enrollment and enables enrollment restrictions based on that ownership classification. C is incorrect because Conditional Access policies control access to resources after authentication and enrollment, not whether devices can enroll in the first place. D is incorrect because Windows Autopilot pre-registration is specific to Windows devices and focuses on deployment configuration rather than controlling enrollment eligibility for all device types.
Question 33:
You manage iOS devices using Microsoft Intune with Apple Business Manager integration. You need to ensure that users cannot remove the Intune management profile from corporate-owned devices. What enrollment type should you use?
A) Automated Device Enrollment (ADE) with supervision enabled
B) Apple Configurator enrollment with manual supervision
C) User enrollment through Company Portal
D) Device enrollment with device enrollment manager account
Answer: A
Explanation:
iOS device management offers multiple enrollment methods, each providing different levels of management control and user flexibility. Understanding the capabilities and restrictions of each enrollment type is crucial for selecting the appropriate method based on device ownership models and organizational security requirements.
Automated Device Enrollment, previously called Device Enrollment Program (DEP), is Apple’s enterprise enrollment solution that integrates with Apple Business Manager and provides the highest level of management control for corporate-owned iOS devices. When devices are purchased through Apple or authorized resellers and assigned to your organization in Apple Business Manager, they can be enrolled through ADE, which links devices to your Intune tenant at the hardware level.
A is correct because Automated Device Enrollment with supervision and profile removal disabled provides the capability to prevent users from removing management profiles on corporate iOS devices. B is incorrect because while Apple Configurator can enable supervision, it requires physical device access and is more complex than ADE, and it doesn’t provide the same cloud-based re-enrollment capabilities if devices are reset. C is incorrect because user enrollment through Company Portal is designed for personal devices with user-removable management profiles to respect user privacy and control. D is incorrect because device enrollment manager accounts enable bulk enrollment but don’t prevent profile removal—the enrollment method determines profile removability, not the account type used for enrollment.
Question 34:
Your organization uses Microsoft Intune to manage Windows 11 devices. You need to deploy a PowerShell script that runs every 4 hours to check and remediate a specific registry setting. What should you do?
A) Deploy the PowerShell script through Intune with detection and remediation script configuration
B) Create a scheduled task using device configuration profile to run the script every 4 hours
C) Use proactive remediations to deploy detection and remediation scripts with a custom schedule
D) Deploy the script as a Win32 app with a recurring installation schedule
Answer: C
Explanation:
Microsoft Intune provides multiple mechanisms for deploying and executing PowerShell scripts on managed Windows devices, each designed for different use cases and execution patterns. Understanding the capabilities of proactive remediations, formerly called Endpoint analytics proactive remediations, is essential for implementing ongoing compliance checks and automated remediation of configuration drift.
Proactive remediations in Intune enable you to deploy paired detection and remediation scripts that run on scheduled intervals to identify and correct common configuration issues before users experience problems. This capability is ideal for scenarios where you need to continuously monitor and enforce specific system states that might drift over time due to application updates, user actions, or other system changes.
The proactive remediation framework consists of two script types: detection scripts that check whether a specific condition exists and return exit codes indicating compliant or non-compliant states, and remediation scripts that execute only when the detection script indicates non-compliance, implementing the necessary corrections to restore the desired state. This paired approach is more efficient than running full remediation scripts on every execution, as remediation only occurs when needed.
A is incorrect because while Intune can deploy PowerShell scripts with detection and remediation capabilities, standard script deployment doesn’t provide recurring execution schedules—scripts typically run once during deployment unless manually triggered. B is incorrect because Intune device configuration profiles don’t provide direct capabilities for creating scheduled tasks with PowerShell scripts, though you could theoretically create a custom OMA-URI profile to configure scheduled tasks, which is more complex than using proactive remediations. C is correct because proactive remediations are specifically designed for recurring detection and remediation script execution with customizable schedules. D is incorrect because Win32 apps are designed for application installation and don’t support recurring execution schedules—they install once and may have supersedence relationships but aren’t intended for ongoing script execution.
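As an added illustration (not part of the original question or of Microsoft's own documentation), the following detection and remediation scripts are the kind of pair a proactive remediation runs every 4 hours. The registry key, value name and expected value used here (LSA protection, RunAsPPL = 1) are my example choice, not the setting from the question; substitute the setting your scenario requires.

```powershell
# ===== Detect.ps1 (uploaded to Intune as the detection script) =====
# Exit 0 = compliant (remediation skipped); exit 1 = non-compliant (remediation runs).
# Write-Output text appears in the remediation report as the detection output.
# Example target: LSA protection. Replace with the key/value your scenario checks.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'RunAsPPL'
$Expected  = 1

try {
    if (-not (Test-Path -Path $KeyPath)) {
        Write-Output "Non-compliant: key $KeyPath does not exist"
        exit 1
    }
    # Reading the property by name on the returned object yields $null when the
    # value is absent, so a missing value is handled without an exception.
    $current = (Get-ItemProperty -Path $KeyPath -ErrorAction Stop).$ValueName
    if ($null -eq $current) {
        Write-Output "Non-compliant: value $ValueName missing under $KeyPath"
        exit 1
    }
    if ($current -eq $Expected) {
        Write-Output "Compliant: $ValueName = $current"
        exit 0
    }
    Write-Output "Non-compliant: $ValueName = $current, expected $Expected"
    exit 1
}
catch {
    # Any failure is reported as non-compliant so the error is visible in the
    # report and remediation gets a chance to correct the state.
    Write-Output "Detection error: $($_.Exception.Message)"
    exit 1
}

# ===== Remediate.ps1 (uploaded as the remediation script; runs only after a detection exit code of 1) =====
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'RunAsPPL'
$Expected  = 1

try {
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    # -Type DWord creates the value if absent and overwrites it if present.
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $Expected -Type DWord -ErrorAction Stop

    # Re-read to confirm the write took effect before reporting success.
    $current = (Get-ItemProperty -Path $KeyPath -ErrorAction Stop).$ValueName
    if ($current -eq $Expected) {
        Write-Output "Remediated: $ValueName = $current (LSA protection takes effect after restart)"
        exit 0
    }
    Write-Output "Remediation failed: $ValueName = $current after write"
    exit 1
}
catch {
    Write-Output "Remediation error: $($_.Exception.Message)"
    exit 1
}
```

Upload the two files separately when creating the remediation, set the schedule to Hourly with a repeat interval of 4, and enable "Run script in 64-bit PowerShell" so the scripts read and write the 64-bit registry view rather than the WOW6432Node redirection.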
Question 35:
You are configuring Windows Information Protection (WIP) policies in Microsoft Intune. You need to ensure that users can copy data from Microsoft Word to Microsoft Excel, but not to unprotected applications like Notepad. What protection mode should you configure?
A) Block mode with allowed apps configured for Office applications
B) Allow overrides mode with corporate network locations defined
C) Silent mode to monitor but not prevent data transfer
D) Hide overrides mode with enlightened apps configured
Answer: A
Explanation:
Windows Information Protection is a data protection technology that helps prevent data leakage by controlling how corporate data can be accessed, shared, and protected on Windows devices. Understanding WIP protection modes and how to configure allowed applications is essential for implementing data loss prevention while maintaining user productivity with approved applications.
WIP operates by classifying data as either corporate or personal based on its origin, and then enforcing policies that control what actions users can take with corporate data. Applications can be WIP-aware (enlightened), which means they integrate with WIP APIs to handle corporate and personal data separately within the same application, or they can be WIP-allowed, meaning all data within the application is treated as corporate data. When you configure a WIP policy, you specify which applications are allowed to access corporate data.
The WIP protection mode determines how strictly the policy is enforced and what happens when users attempt to transfer corporate data to applications not on the allowed list. There are four protection modes: Block mode prevents any data transfer from allowed apps to non-allowed apps and prevents unauthorized apps from accessing corporate network resources; Allow overrides mode warns users when they attempt risky actions but allows them to proceed and logs the action; Silent mode logs policy violations without blocking or warning users, useful for testing policies before enforcement; and Hide overrides mode blocks actions like Block mode but doesn’t show warnings to users, making enforcement invisible.
A is correct because Block mode with Office applications configured as allowed apps provides the necessary data transfer control, permitting movement between approved apps while blocking transfer to non-approved apps. B is incorrect because Allow overrides mode warns users but doesn’t prevent data transfer, which doesn’t meet the requirement to prevent copying to unprotected apps. C is incorrect because Silent mode only monitors and logs actions without preventing data transfer to unprotected applications. D is incorrect because while Hide overrides mode would block transfers, the option doesn’t specify configuring Office apps as allowed, and “enlightened apps” refers to WIP-aware applications rather than a configuration setting.
Question 36:
You manage Android Enterprise fully managed devices using Microsoft Intune. You need to configure devices to automatically connect to corporate Wi-Fi networks using certificate-based authentication. What should you create?
A) Wi-Fi profile with certificate authentication and SCEP or PKCS certificate profile
B) Device configuration profile with network settings and pre-shared key
C) VPN profile with Wi-Fi trigger settings
D) Trusted certificate profile with corporate root CA certificate
Answer: A
Explanation:
Enterprise Wi-Fi configuration in mobile device management requires deploying not only network connection settings but also the authentication credentials and certificates necessary for secure network access. Understanding how to properly chain certificate deployment with Wi-Fi profile configuration ensures devices can automatically connect to corporate wireless networks without user intervention.
Certificate-based Wi-Fi authentication typically uses protocols like EAP-TLS (Extensible Authentication Protocol – Transport Layer Security), which provides strong mutual authentication between clients and network access points. Unlike password-based authentication methods that can be phished or shared, certificate-based authentication uses cryptographic keys that are unique to each device and protected from extraction. This makes certificate-based authentication significantly more secure for enterprise environments.
Configuring certificate-based Wi-Fi in Intune requires deploying multiple related profiles that work together. First, you must deploy certificates to devices through either SCEP (Simple Certificate Enrollment Protocol) or PKCS (Public Key Cryptography Standards) certificate profiles. SCEP profiles integrate with certificate authorities that support SCEP enrollment, while PKCS profiles deliver certificates directly from your PKI infrastructure. These profiles deploy client authentication certificates to devices, which contain the device’s public key and are signed by your trusted certificate authority.
The SCEP or PKCS certificate profile configuration includes the certificate authority URL, certificate template or profile to use, subject name format (which often includes device or user identifiers), key size and algorithm, certificate validity period, and renewal settings. When deployed to devices, these profiles trigger certificate enrollment or installation, placing client authentication certificates in the device’s certificate store.
After certificate deployment, you create a Wi-Fi profile that configures the network connection details including SSID (network name), security type (typically WPA2-Enterprise for certificate-based authentication), EAP type (such as EAP-TLS), and critically, the certificate to use for authentication. In the Wi-Fi profile’s authentication configuration, you reference the previously deployed SCEP or PKCS certificate profile. This creates a dependency relationship where Intune ensures the certificate deploys before attempting to configure Wi-Fi with that certificate.
You must also deploy the root and intermediate CA certificates that chain up to your client authentication certificates. This is accomplished through trusted certificate profiles that install CA certificates in the device’s trusted certificate store. Without these root certificates, devices cannot validate the authentication server’s certificate during the mutual authentication handshake, causing connection failures.
When all profiles are deployed and assigned to the same device groups, Intune orchestrates the deployment in the correct order: trusted root certificates first, then SCEP or PKCS client certificates, and finally the Wi-Fi profile. When devices come within range of the configured Wi-Fi network, they automatically attempt connection using the deployed certificate for authentication, providing seamless network access without requiring users to enter credentials or accept certificate prompts.
A is correct because properly configuring certificate-based Wi-Fi requires both a Wi-Fi profile that specifies certificate authentication and a certificate profile (SCEP or PKCS) that deploys the actual client authentication certificate. B is incorrect because pre-shared key authentication uses passwords rather than certificates and doesn’t provide the security or manageability of certificate-based authentication. C is incorrect because VPN profiles establish virtual private network connections and are separate from Wi-Fi connectivity, though VPN can be configured to trigger when connected to specific Wi-Fi networks. D is incorrect because while trusted certificate profiles are necessary to install root CA certificates, they alone don’t provide the Wi-Fi configuration or client authentication certificates needed for network access.
Question 37:
Your organization uses Microsoft Intune and requires all managed devices to have a minimum operating system version. You need to mark devices as non-compliant if they run older OS versions and block their access to corporate email until they update. What should you configure?
A) Compliance policy with OS version requirement and Conditional Access policy requiring compliant devices
B) Device configuration profile with update rings forcing immediate OS updates
C) App protection policy with OS version requirements
D) Device restrictions profile preventing access to email on outdated devices
Answer: A
Explanation:
Implementing security requirements that enforce minimum operating system versions requires combining Microsoft Intune compliance policies with Azure AD Conditional Access policies to create an automated enforcement mechanism that evaluates device state and controls resource access accordingly. Understanding how these two policy types work together is fundamental to modern identity-driven security.
Compliance policies in Intune define the security and configuration requirements that devices must meet to be considered compliant with organizational standards. These policies can check numerous device properties including operating system version, encryption status, password requirements, jailbreak or root status, device threat level, and configuration settings. For the scenario described, you would create a compliance policy that includes a minimum operating system version requirement, specifying the earliest acceptable version for each device platform you manage.
When you configure the OS version requirement in a compliance policy, you specify version numbers in platform-specific formats. For example, Windows might require version 10.0.19044 or later (representing specific Windows 10 or 11 builds), while iOS might require 15.0 or later. The compliance policy is assigned to device or user groups, and Intune evaluates each device against these requirements during regular check-ins, typically every 8 hours.
When Intune determines a device doesn’t meet compliance requirements, it marks the device as non-compliant in Azure AD. This compliance status change is where Conditional Access policies come into play. Compliance policies alone only evaluate and report device compliance status—they don’t actively block access to resources. To enforce access restrictions based on compliance, you must create Conditional Access policies that require compliant devices for accessing specific resources.
A Conditional Access policy for this scenario would target all users or specific groups, apply to the cloud apps you want to protect (such as Exchange Online for corporate email), and include a grant control requiring that devices be marked as compliant. When users attempt to access protected resources from non-compliant devices, Azure AD checks the device’s compliance status, sees it’s marked non-compliant due to the outdated OS version, and blocks access according to the Conditional Access policy. Users receive a message indicating their device doesn’t meet organizational requirements and directing them to update their device.
The combination of compliance policies and Conditional Access creates a powerful enforcement loop. Compliance policies continuously evaluate device state and update Azure AD with current compliance status. Conditional Access policies make real-time access decisions based on that compliance status every time users attempt to access protected resources. This ensures that only devices meeting your security requirements can access sensitive corporate data, while automatically restoring access once devices are brought into compliance.
You can enhance the user experience by configuring compliance policy actions that notify users when their devices become non-compliant, providing instructions for remediation, and setting grace periods that allow time for updates before access is blocked. This gives users opportunity to update devices before experiencing access restrictions, reducing support burden and user frustration.
A is correct because combining a compliance policy that checks OS version with a Conditional Access policy that requires compliant devices provides the evaluation and enforcement needed to block access based on OS version. B is incorrect because update rings configure Windows Update settings but don’t mark devices non-compliant or block access to resources based on OS version. C is incorrect because app protection policies protect data within applications and can check OS versions for MAM scenarios, but they don’t integrate with Conditional Access to block email access based on device compliance. D is incorrect because device restrictions profiles configure device features and capabilities but don’t evaluate compliance or integrate with Conditional Access for access control.
Question 38:
You are implementing Microsoft Intune app protection policies for iOS devices. You need to prevent users from backing up corporate data from managed apps to iCloud. What should you configure in the app protection policy?
A) Data transfer settings: Backup org data to cloud services – Block
B) Data storage settings: Allow users to save copies to selected services – Block
C) Access requirements: Disable app backup – Enabled
D) Conditional launch: Max OS version – Set to current iOS version
Answer: A
Explanation:
App protection policies in Microsoft Intune provide granular control over how corporate data is handled within managed applications, independent of device enrollment status. Understanding the data protection settings available in app protection policies, particularly those controlling cloud backup and storage, is essential for preventing corporate data leakage through consumer cloud services.
The data transfer and storage sections of app protection policies contain numerous settings that control how corporate data can be moved, saved, and backed up. These settings specifically target the risk of corporate data being copied to personal cloud storage services where organizational controls cannot protect it. For iOS devices, iCloud backup is a particular concern because iOS automatically backs up application data to iCloud when users enable iCloud backup on their devices, potentially including corporate data from managed applications.
The “Backup org data to cloud services” setting within the data transfer section specifically addresses this concern. When configured to “Block,” this setting instructs policy-managed applications to exclude corporate data from cloud backup services including iCloud backup. Applications that integrate with the Intune App SDK and are properly configured to respect app protection policies will mark corporate data with attributes that prevent iOS from including it in iCloud backups.
This protection operates at the application data level rather than the device level. Unlike device configuration policies that disable iCloud backup entirely on managed devices, app protection policies allow personal applications to continue backing up to iCloud while selectively preventing corporate data backup. This selective approach is particularly important for bring-your-own-device scenarios where users expect personal data backup functionality to remain available while corporate data receives appropriate protection.
The implementation requires that applications be Intune-MAM-enabled, meaning they either come from Microsoft and include built-in Intune integration (like Office mobile apps), or they’ve been wrapped with the Intune App Wrapping Tool, or they’ve integrated the Intune App SDK during development. When these applications receive the app protection policy, they understand the backup restriction and exclude corporate data from backup operations that would send data to cloud services.
From a user experience perspective, this setting is largely transparent. Users can continue using their devices normally, including having iCloud backup enabled, but corporate data within managed applications is automatically excluded from those backups. This provides strong data protection without requiring complex user actions or disruptive changes to device functionality.
A is correct because the “Backup org data to cloud services” setting in the data transfer section specifically controls whether corporate data from managed apps can be backed up to cloud services like iCloud. B is incorrect because the “Allow users to save copies” setting controls Save As functionality to specific storage locations but doesn’t specifically address automated cloud backup functionality. C is incorrect because “Disable app backup” is not a standard setting name in Intune app protection policies—the actual setting uses different terminology. D is incorrect because conditional launch settings control when and how users can access applications based on conditions, not whether data can be backed up to cloud services.
Question 39:
You manage Windows 11 devices using Microsoft Intune. You need to deploy security baselines to ensure devices meet organizational security standards. After deploying the baseline, you need to identify devices that are not compliant with the baseline settings. What should you review?
A) Security baseline dashboard showing devices in conflict or error states
B) Device compliance policy report showing non-compliant devices
C) Configuration profile assignment status
D) Windows Update compliance report
Answer: A
Explanation:
Security baselines in Microsoft Intune are pre-configured groups of Windows security settings recommended by Microsoft security teams based on industry best practices and guidance from groups like CIS (Center for Internet Security), DISA (Defense Information Systems Agency), and Microsoft’s own security response teams. Understanding how to deploy security baselines and monitor their effectiveness is essential for maintaining consistent security posture across managed Windows devices.
Security baselines provide a comprehensive starting point for Windows security configuration, covering areas like BitLocker encryption, Windows Defender settings, Microsoft Edge security, network security, system services, user rights assignments, and numerous other security-relevant settings. Microsoft regularly updates these baselines as new threats emerge and security recommendations evolve, allowing organizations to benefit from Microsoft’s security expertise without manually researching and configuring hundreds of individual settings.
When you deploy a security baseline from the Endpoint security section of Intune, it creates a profile containing all the baseline’s settings with Microsoft-recommended values. You can customize these values before deployment if specific settings conflict with business requirements, though Microsoft recommends accepting baseline defaults when possible. The baseline is then assigned to device groups just like other configuration profiles.
After deployment, Intune provides a dedicated dashboard for monitoring security baseline compliance. This dashboard is accessible through Endpoint security > Security baselines > [select baseline] > Deployed profiles > [select profile instance]. The dashboard displays several key metrics: the number and percentage of devices successfully configured with all baseline settings, devices in conflict where multiple policies configure the same settings with different values, devices in error states where settings failed to apply, and devices not yet evaluated.
The security baseline dashboard provides more detailed compliance information than general configuration profile reports because it’s specifically designed to track security setting compliance across multiple related configuration areas. You can drill down into devices with conflicts or errors to see which specific settings failed to apply and why. This detailed visibility enables targeted remediation of security gaps.
Conflict states require particular attention because they indicate competing policies trying to configure the same settings differently. For security baselines, conflicts often occur when older configuration profiles or group policies still apply alongside the baseline. The dashboard helps identify these conflicts so you can resolve them by removing conflicting policies, adjusting baseline settings, or setting appropriate policy precedence.
The baseline dashboard also tracks baseline version currency, indicating if newer baseline versions are available. Microsoft periodically publishes updated baseline versions reflecting new security recommendations. The dashboard shows if deployed baselines are using current or outdated versions, helping security teams maintain current protections.
A is correct because the security baseline dashboard provides specific reporting for baseline deployment status, showing devices in conflict, error, or non-compliant states with baseline settings. B is incorrect because device compliance policy reports track compliance with compliance policies (which check device state) rather than configuration baselines (which apply settings). C is incorrect because general configuration profile status shows deployment success but doesn’t provide the security-focused reporting and conflict analysis available in the baseline dashboard. D is incorrect because Windows Update compliance reports track update installation status, not security baseline configuration compliance.
Question 40:
Your organization uses Microsoft Intune and Azure AD. You need to ensure that when users’ employment is terminated, their corporate data is removed from personal iOS devices while preserving their personal data. What should you do?
A) Issue a selective wipe command from the Intune admin center
B) Issue a full wipe command to factory reset the device
C) Remove the user’s account from Azure AD
D) Delete the device object from Intune
Answer: A
Explanation:
Mobile device management provides different data removal options designed for different scenarios and device ownership models. Understanding the distinction between selective wipe and full wipe, and knowing when to use each, is essential for properly managing the device lifecycle while respecting user privacy on personal devices.
Selective wipe, also called corporate wipe or unenroll, removes only corporate data and management profiles from devices while leaving personal data, applications, and settings intact. This is the appropriate action for personal devices enrolled in MDM or using app protection policies, as it removes the organization’s data and management capability without affecting the user’s personal information. Selective wipe is particularly important when employees leave the organization or when personal devices should no longer access corporate resources.
On iOS devices specifically, selective wipe removes managed apps deployed through Intune, app configuration policies, app protection policies, certificates deployed for corporate access, Wi-Fi and VPN profiles, email profiles and accounts configured through MDM, and the management profile itself. After selective wipe completes, the device is no longer managed by Intune and cannot access corporate resources protected by Conditional Access or app protection policies.
The selective wipe process is initiated from the Intune admin center by navigating to Devices > All devices, selecting the target device, and choosing the “Selective wipe” action. Intune queues the wipe command and delivers it to the device during its next check-in, typically within minutes if the device has network connectivity. The device processes the wipe by removing corporate data and profiles, then reports completion back to Intune.
Personal data preservation is a key benefit of selective wipe. Personal photos, messages, contacts, notes, and applications installed by the user remain untouched on the device. Only resources and data deployed by IT through Intune are removed. This respects user privacy while ensuring corporate data protection, making selective wipe appropriate for bring-your-own-device programs where users own their devices and should retain personal data after leaving the organization.
In contrast, full wipe performs a factory reset that returns devices to out-of-box state, erasing all data including personal information. Full wipe is appropriate for corporate-owned devices being repurposed or retired, lost or stolen devices where data protection requires complete erasure, or situations where selective wipe fails and more aggressive action is needed. Full wipe should not be used on personal devices unless absolutely necessary for security reasons.