Question 41:
You are deploying Windows 11 devices using Windows Autopilot in user-driven mode. Users report that the setup takes a long time because multiple applications are being installed. You want to reduce the setup time by deploying only critical applications during Autopilot and making other applications available for users to install later. What should you do?
A) Change non-critical applications from Required to Available assignment and ensure ESP only tracks Required apps
B) Configure all applications as Available and disable Enrollment Status Page
C) Create a separate deployment profile for non-critical applications targeting users after initial setup
D) Use Autopilot for pre-provisioned deployment to install all apps before shipping devices
Answer: A
Explanation:
Windows Autopilot deployment time is directly impacted by the number and size of applications configured as Required during the provisioning process. Understanding how application assignment types interact with the Enrollment Status Page and how to balance comprehensive deployment with user experience is essential for optimizing Autopilot implementations.
Application assignment types in Intune determine when and how applications are deployed to devices. Required assignments mandate that applications install automatically without user intervention, and these installations occur during device provisioning for Autopilot-enrolled devices. Available assignments make applications visible in the Company Portal app where users can choose to install them on demand, but they do not install automatically during initial provisioning.
A is correct because changing non-critical applications to Available assignment removes them from automatic ESP-tracked installation during Autopilot, reducing provisioning time while still making apps accessible through Company Portal. B is incorrect because disabling ESP removes the protection that ensures critical security configurations complete before user access, which compromises security assurance. C is incorrect because creating separate deployment profiles doesn’t change when applications install—Required applications will still install during initial setup regardless of which profile deploys them. D is incorrect because Autopilot for pre-provisioned deployment (white glove) still requires all applications to install at some point and is more about where provisioning happens (at IT or staging facility) rather than reducing the total provisioning time.
Question 42:
Your organization uses Microsoft Intune to manage macOS devices. You need to deploy a custom configuration that modifies system preferences not available through standard Intune device configuration profiles. What should you create?
A) Custom configuration profile with preference domain plist file
B) Device restrictions profile with custom settings
C) Shell script that modifies preferences using defaults command
D) Administrative template profile for macOS
Answer: A
Explanation:
macOS device management through Intune leverages Apple’s Mobile Device Management protocol, which uses property list (plist) files to configure system preferences and application settings. Understanding how to deploy custom configurations through plist files is essential for managing macOS settings that aren’t exposed through Intune’s built-in configuration profile options.
Intune provides several predefined macOS device configuration profile types including device restrictions, device features, endpoint protection, and extensions. These profiles expose commonly managed settings through user-friendly interfaces where administrators select options without needing to understand the underlying technical implementation. However, macOS includes hundreds of additional configurable preferences that aren’t included in these predefined profile types.
Custom configuration profiles require technical knowledge of macOS preference domains and proper plist syntax. Incorrectly formatted plist files may fail to deploy or could cause unexpected system behavior. Testing custom configurations in non-production environments before broad deployment is strongly recommended. You can verify applied preferences on managed devices using the profiles command-line utility or by checking System Preferences for managed settings indicators.
A is correct because custom configuration profiles with preference domain plist files are the proper method for deploying macOS settings not available in standard Intune configuration profiles. B is incorrect because device restrictions profiles only expose predefined settings that Intune has built into the UI—you cannot add custom settings to these profiles. C is incorrect because while shell scripts can modify preferences using the defaults command, this is less manageable than configuration profiles, doesn’t integrate with Intune’s configuration tracking and reporting, and may be reverted by managed configuration profiles. D is incorrect because Administrative Templates are a Windows-specific management technology based on ADMX files and are not used for macOS management.
Question 43:
You manage iOS devices with Microsoft Intune. You need to configure supervised iOS devices to operate in kiosk mode, allowing users to access only a single application. What type of configuration should you deploy?
A) Device restrictions profile with Single App Mode enabled and specify the application
B) App configuration policy for the kiosk application
C) Home screen layout profile showing only one application
D) Compliance policy requiring only one application be installed
Answer: A
Explanation:
iOS device supervision provides advanced management capabilities beyond those available on standard user-enrolled devices, including the ability to configure restrictive modes for specialized use cases like kiosk deployments, digital signage, or dedicated-purpose devices. Understanding how to configure Single App Mode (sometimes called App Lock or Kiosk Mode) requires knowledge of supervised device capabilities and appropriate Intune profile configurations.
Single App Mode is an iOS feature available on supervised devices that restricts the device to running only one application, preventing users from accessing other apps, the home screen, or device controls. This is ideal for scenarios like point-of-sale terminals, digital signage displays, patient check-in kiosks, warehouse inventory scanners, or any situation where devices serve a single dedicated purpose and users should not be able to access other functionality.
A is correct because device restrictions profiles with Single App Mode enabled and application specified provide the proper configuration for iOS kiosk functionality on supervised devices. B is incorrect because app configuration policies configure settings within applications but don’t restrict the device to running only that application or prevent access to other device features. C is incorrect because home screen layout profiles organize app icon placement but don’t prevent users from accessing multiple applications or exiting to the home screen. D is incorrect because compliance policies check device state but don’t configure operational restrictions like Single App Mode.
Question 44:
You are implementing Microsoft Defender for Endpoint integration with Microsoft Intune. You want to use the risk score from Defender for Endpoint to determine device compliance status. What should you configure?
A) Enable Microsoft Defender for Endpoint connector in Intune and create compliance policy with threat level requirement
B) Deploy Microsoft Defender for Endpoint through app deployment policies
C) Configure attack surface reduction rules in endpoint security policies
D) Enable Windows Defender Antivirus cloud-delivered protection
Answer: A
Explanation:
Microsoft Defender for Endpoint integration with Intune creates a powerful security framework where advanced threat detection and response capabilities inform device compliance decisions, which in turn control access to corporate resources through Conditional Access policies. Understanding how to properly configure this integration and leverage threat intelligence for compliance evaluation is essential for implementing risk-based access control.
Microsoft Defender for Endpoint is an enterprise endpoint security platform that provides preventive protection, post-breach detection, automated investigation, and response capabilities. It continuously monitors devices for security threats, malware, suspicious behaviors, vulnerabilities, and misconfigurations, assigning each device a risk score based on detected issues. This risk score reflects the security posture of individual devices, with higher scores indicating more serious security concerns.
To leverage Defender for Endpoint risk scores in Intune compliance decisions, you must first enable the Microsoft Defender for Endpoint connector in the Intune admin center. This connector establishes integration between the two services, allowing Intune to query Defender for Endpoint for device risk information and use that information in compliance evaluations. The connector configuration requires appropriate administrative permissions in both Intune and Defender for Endpoint.
A is correct because enabling the Defender for Endpoint connector in Intune and creating compliance policies with threat level requirements establishes the integration necessary to use Defender threat intelligence in compliance decisions. B is incorrect because while deploying Defender for Endpoint to devices is necessary for threat detection, deployment alone doesn’t integrate threat levels with compliance evaluation—you must enable the connector. C is incorrect because attack surface reduction rules provide preventive protection against malware behaviors but don’t integrate threat intelligence into compliance policies. D is incorrect because cloud-delivered protection enhances Windows Defender Antivirus with cloud-based threat intelligence but doesn’t integrate Defender for Endpoint risk scores with Intune compliance evaluation.
Question 45:
Your organization uses Microsoft Intune to manage Windows 11 devices. You need to deploy a Win32 application that requires uninstalling a previous version before installing the new version. What should you configure in the Win32 app deployment?
A) Configure detection rules to identify the old version and create supersedence relationship
B) Create a PowerShell script to uninstall the old version and deploy it before the new app
C) Configure the Win32 app with uninstall command for the previous version
D) Use app configuration policy to specify upgrade settings
Answer: A
Explanation:
Win32 application management in Microsoft Intune provides sophisticated deployment capabilities including detection rules that determine whether applications are installed and supersedence relationships that define upgrade paths between application versions. Understanding these features is essential for managing application lifecycles through version updates and ensuring clean upgrade experiences.
Detection rules are a fundamental component of Win32 app deployment that tell Intune how to determine whether an application is already installed on a device. These rules can check for file existence and versions, registry keys and values, MSI product codes, or custom PowerShell script results. Intune evaluates detection rules before and after installation attempts—before installation to determine if the app needs to be installed, and after installation to verify success.
Supersedence relationships define dependencies between different versions or different applications where one application supersedes (replaces or upgrades) another. When you configure a supersedence relationship, you specify that a new application version supersedes a previous version, and you indicate whether the previous version should be uninstalled before installing the new version. This creates an automated upgrade path where Intune handles the version transition without requiring separate uninstall deployments.
Supersedence also supports scenarios where entirely different applications replace older applications, not just version upgrades of the same app. For example, if your organization replaces one vendor’s software with another vendor’s alternative, you can configure the new vendor’s app to supersede and uninstall the old vendor’s app during deployment.
A is correct because configuring detection rules for the old version and creating supersedence relationships provides the proper mechanism for automated version upgrades with uninstallation of previous versions. B is incorrect because while PowerShell scripts could uninstall applications, this approach doesn’t integrate with Intune’s app deployment tracking, requires managing script deployment separately, and doesn’t leverage built-in supersedence capabilities. C is incorrect because the Win32 app’s uninstall command is used to uninstall that specific app, not previous versions—supersedence is the feature that coordinates uninstalling old versions during new version deployment. D is incorrect because app configuration policies configure settings within applications, not upgrade behavior or version replacement.
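The custom-script detection rule mentioned above is where a supersedence upgrade is most often misconfigured: if the new app's detection rule also matches the old version, Intune reports the new app as already installed and never runs the upgrade. The following detection script is an added example (not from the page, and not Microsoft's own sample code) that reports "detected" only when the shipped version or a newer one is present in the Add/Remove Programs registry keys; the product name and version are placeholders.

```powershell
# Added example: Intune Win32 custom detection script for the *new* version.
# Intune treats exit code 0 together with STDOUT output as "detected";
# any other exit code, or exit 0 with no output, as "not detected".
# The display name and version below are assumed placeholders.

$AppDisplayName  = 'Contoso Widget'      # assumed product name (placeholder)
$RequiredVersion = [version]'2.5.0'      # version carried by this Win32 app (placeholder)

# Both native and WOW6432Node uninstall hives, so 32-bit installers are covered too.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Collect every Add/Remove Programs entry whose DisplayName matches exactly.
$entries = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -eq $AppDisplayName -and $_.DisplayVersion }

# Parse versions defensively; vendors sometimes write non-numeric strings here.
$installed = foreach ($e in $entries) {
    try { [version]$e.DisplayVersion } catch { $null }
}
$installed = @($installed | Where-Object { $_ } | Sort-Object -Descending)

if ($installed.Count -gt 0 -and $installed[0] -ge $RequiredVersion) {
    # Highest installed version satisfies the requirement: report detected.
    Write-Output "Detected $AppDisplayName $($installed[0])"
    exit 0
}

# Only an older version (the one supersedence will uninstall) or nothing at all.
exit 1
```

Because the comparison is on `[version]` objects rather than strings, `2.10.0` correctly sorts above `2.5.0`, and the older release stays "not detected" so the supersedence relationship can uninstall it and install the new build.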
Question 46:
You manage Android Enterprise devices using Microsoft Intune. You need to configure devices to prevent users from adding personal Google accounts while still allowing them to use corporate Google accounts for managed apps. What enrollment type should you use?
A) Android Enterprise work profile with account restrictions configured
B) Android Enterprise fully managed devices with Google account restrictions
C) Android Enterprise corporate-owned work profile (COPE)
D) Android device administrator with email profile restrictions
Answer: A
Explanation:
Android Enterprise provides multiple enrollment scenarios designed to balance corporate data protection with user privacy, each offering different levels of control over device features and account management. Understanding how work profiles handle account separation and how to configure account restrictions is essential for managing corporate data access while respecting user autonomy on personal devices.
Android Enterprise work profile enrollment creates a separate, encrypted container on personally owned devices specifically for corporate applications and data. This work profile operates independently from the personal profile, maintaining strict separation between corporate and personal data. Each profile can have different Google accounts, applications, and settings without interference. This architecture is specifically designed for bring-your-own-device scenarios where users own their devices and expect to maintain personal usage alongside corporate access.
Within the work profile context, you can configure policies that control what types of accounts users can add to the work profile specifically, without affecting their personal profile. Through Intune device restrictions policies for Android Enterprise work profile devices, you’ll find settings under the Work profile section that control account management, including options to prevent adding or removing accounts, restrict which account types can be added, or allow only specific Google accounts.
A is correct because Android Enterprise work profile provides account separation with policies to restrict personal Google accounts in the work profile while allowing corporate accounts. B is incorrect because fully managed devices provide device-wide control but don’t maintain personal and work profile separation—restricting Google accounts would affect the entire device, not just corporate usage. C is incorrect because while COPE (corporate-owned with work profile) maintains profile separation similar to work profile, the question doesn’t specify corporate-owned devices, and work profile is the appropriate answer for personal devices. D is incorrect because Android device administrator is a deprecated management method with limited security and no work profile capabilities.
Question 47:
You are configuring Microsoft Intune compliance policies for Windows 11 devices. You want devices to be marked non-compliant if Windows Defender Antivirus real-time protection is disabled. What section of the compliance policy should you configure?
A) System Security section with “Require Real-time protection” enabled
B) Microsoft Defender Antivirus section with malware protection settings
C) Device Health section with security agent status requirements
D) Device Properties section with antivirus requirements
Answer: A
Explanation:
Compliance policies in Microsoft Intune evaluate specific device configuration and security settings to determine whether devices meet organizational security standards. Understanding where different compliance requirements are configured within the policy structure and how these settings translate to actual device state checks is essential for creating effective compliance policies that accurately reflect security requirements.
Windows compliance policies in Intune are organized into several sections, each focusing on different aspects of device security and configuration: Device Health (checks for conditions like BitLocker encryption, code integrity, secure boot), Device Properties (checks OS version, device membership), System Security (checks password requirements, encryption, firewall status, antivirus protection), and Microsoft Defender for Endpoint (checks threat level based on Defender for Endpoint integration).
Windows Defender Antivirus real-time protection is a critical security feature that continuously monitors system activity for malware and suspicious behaviors, providing immediate threat detection and response. When real-time protection is disabled, devices lose this constant monitoring and become vulnerable to malware infections. Compliance policies should check for real-time protection status to ensure devices maintain active protection.
A is correct because the System Security section contains the “Require Real-time protection” setting that checks whether Windows Defender Antivirus real-time protection is enabled. B is incorrect because while there are antivirus-related settings in compliance policies, they are located in the System Security section rather than a separately named “Microsoft Defender Antivirus” section. C is incorrect because Device Health section focuses on hardware-based security features like TPM, secure boot, and BitLocker rather than antivirus real-time protection. D is incorrect because Device Properties section checks OS version, device type, and similar properties rather than security feature status like antivirus protection.
Question 48:
Your organization uses Windows Autopilot for device deployment. You need to configure the deployment profile so that users are not prompted to create a security question during the out-of-box experience. What setting should you configure?
A) Out-of-box experience (OOBE) settings: Hide security questions
B) User account settings: Skip security question configuration
C) Azure AD join settings: Disable security questions
D) Enrollment Status Page: Block security question prompts
Answer: A
Explanation:
Windows Autopilot deployment profiles provide granular control over which pages and prompts appear during the out-of-box experience, allowing organizations to customize the setup experience to match their security policies and user experience requirements. Understanding how to configure OOBE settings to skip or hide specific setup pages is essential for creating streamlined, consistent deployment experiences that don’t burden users with unnecessary configuration steps.
The out-of-box experience configuration section within Windows Autopilot deployment profiles includes numerous options for customizing which setup pages are displayed during device provisioning. These settings control the visibility of setup pages like privacy settings, license agreements, keyboard selection, network configuration, and user account setup prompts including security questions.
Security questions are a legacy Windows account recovery mechanism where users answer personal questions that can later be used to reset forgotten passwords. In enterprise environments managed through Azure AD, security questions are typically unnecessary because organizations use enterprise password reset capabilities like Azure AD Self-Service Password Reset (SSPR), which provides more secure recovery methods including authentication apps, SMS codes, or email verification.
A is correct because the OOBE settings section of Autopilot deployment profiles includes an option specifically to hide security questions during the setup experience. B is incorrect because there isn’t a separately named “User account settings” section within Autopilot profiles—OOBE settings is the correct location. C is incorrect because Azure AD join settings control how devices join Azure AD (authentication methods, user rights) but don’t control OOBE page visibility like security questions. D is incorrect because Enrollment Status Page controls what happens during provisioning (app tracking, timeout settings) but doesn’t control which OOBE pages are displayed.
Question 49:
You manage iOS devices with Microsoft Intune. You need to configure devices so that users cannot install applications from the Apple App Store, but can still install managed applications deployed through Intune. What should you configure?
A) Device restrictions profile with App Store blocking enabled
B) App protection policy with app installation restrictions
C) Compliance policy requiring only managed applications
D) Home screen layout removing App Store icon
Answer: A
Explanation:
iOS device management through Intune provides extensive control over device capabilities and features through device restrictions profiles. Understanding how to properly restrict consumer app store access while maintaining enterprise app distribution is essential for controlling what software can be installed on managed devices while ensuring users can still access business-necessary applications.
Device restrictions profiles for iOS include a comprehensive set of settings organized into categories like App Store and iTunes, built-in apps, cloud and storage, connected devices, general, keyboard and dictionary, locked screen, password, restricted apps, Safari, shared devices, and wireless. These restrictions leverage Apple’s MDM framework to enable or disable specific iOS features and capabilities based on organizational security policies.
A is correct because device restrictions profiles with App Store blocking enabled prevents users from accessing the public App Store while still allowing MDM-deployed applications through Intune. B is incorrect because app protection policies protect data within applications and can restrict certain behaviors, but they don’t control whether users can access the App Store or install applications. C is incorrect because compliance policies check device state but don’t prevent users from installing applications—they can only mark devices non-compliant if unauthorized apps are detected. D is incorrect because removing the App Store icon from the home screen layout doesn’t prevent determined users from finding and launching the App Store through search or other methods—functional blocking requires device restrictions.
Question 50:
Your organization uses Microsoft Intune and Azure AD. You need to create a dynamic user group that includes all users from the Sales and Marketing departments. What membership rule should you configure?
A) (user.department -eq “Sales”) -or (user.department -eq “Marketing”)
B) (user.department -contains “Sales”) -and (user.department -contains “Marketing”)
C) (user.jobTitle -eq “Sales”) -or (user.jobTitle -eq “Marketing”)
D) (user.memberOf -eq “Sales”) -or (user.memberOf -eq “Marketing”)
Answer: A
Explanation:
Dynamic groups in Azure AD use membership rules based on user or device attributes to automatically maintain group membership without manual administration. Understanding the proper syntax for dynamic group rules and how to construct logical expressions using user properties is essential for creating groups that accurately capture intended members while automatically adapting to attribute changes.
Dynamic membership rules use a specific syntax that evaluates user or device attributes against specified values using comparison operators. The basic structure consists of property references (like user.department), comparison operators (like -eq for equals, -ne for not equals, -contains for substring matching), logical operators (-and, -or, -not), and grouping with parentheses. These elements combine to create expressions that Azure AD evaluates to determine group membership.
The -and logical operator would be incorrect for this scenario because a user’s department attribute can only have one value at a time—no user can simultaneously be in both Sales and Marketing departments. Using -and would create a rule that matches zero users because the conditions are mutually exclusive. The -or operator is appropriate when you want to include users meeting any of several possible conditions.
Alternative approaches to this scenario might include creating separate dynamic groups for each department and then using nested group membership in policies, or using the -in operator if you’re matching against multiple values (though -in isn’t universally supported in all dynamic rule contexts). However, the simple -or expression provides the most straightforward solution for the stated requirement.
A is correct because using -or with exact department matching includes users from either Sales or Marketing department. B is incorrect because using -and requires both conditions to be true simultaneously, which is impossible since department is a single-value attribute—no users would match this rule. C is incorrect because user.jobTitle contains job titles (like “Manager” or “Representative”), not department names, so this wouldn’t match users based on their department. D is incorrect because user.memberOf checks group memberships, not department attributes, and requires full group distinguished names or object IDs rather than simple group names.
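Before committing a dynamic rule, it is worth confirming which accounts it will actually pull in, since a wrong operator (the -and form in option B) silently produces an empty group. The script below is an added example (not from the page) using Microsoft Graph PowerShell SDK cmdlets: it previews the members via the equivalent OData filter, shows that the -and variant matches nobody, and then creates the dynamic security group with the rule from option A. The group display name and mail nickname are placeholders.

```powershell
# Added example: preview and create the Sales-or-Marketing dynamic group
# with the Microsoft Graph PowerShell SDK (Microsoft.Graph.Users / .Groups).

Import-Module Microsoft.Graph.Users, Microsoft.Graph.Groups

# Reading user attributes and creating groups needs these delegated scopes.
Connect-MgGraph -Scopes 'User.Read.All', 'Group.ReadWrite.All'

# The rule exactly as in option A; dynamic rules require straight double quotes.
$rule = '(user.department -eq "Sales") -or (user.department -eq "Marketing")'

# Dry run: the same condition as an OData filter lists the future members.
# -ConsistencyLevel eventual plus -CountVariable enables advanced query support.
$preview = Get-MgUser -All -ConsistencyLevel eventual -CountVariable total `
    -Filter "department eq 'Sales' or department eq 'Marketing'" `
    -Property UserPrincipalName, Department
Write-Host "The -or rule would match $total users:"
$preview | Select-Object UserPrincipalName, Department | Format-Table

# Contrast: option B's -and form is an intersection on a single-valued
# attribute, so it returns an empty result.
Get-MgUser -All -ConsistencyLevel eventual -CountVariable zero `
    -Filter "department eq 'Sales' and department eq 'Marketing'" | Out-Null
Write-Host "The -and rule would match $zero users"

# Create the dynamic security group once the preview looks right.
# DisplayName and MailNickname are placeholders for this example.
$group = New-MgGroup -DisplayName 'Sales and Marketing (dynamic)' `
    -MailNickname 'sales-marketing-dyn' `
    -MailEnabled:$false -SecurityEnabled:$true `
    -GroupTypes 'DynamicMembership' `
    -MembershipRule $rule `
    -MembershipRuleProcessingState 'On'

Write-Host "Created group $($group.Id); Azure AD evaluates the rule and fills membership shortly"
```

The preview filter and the membership rule are written in two different syntaxes (OData for the Graph query, the dynamic-rule language for the group), which is exactly why a dry run is useful: it catches attribute-name mistakes such as using jobTitle instead of department before any policy is scoped to the group.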
Question 51:
You are deploying Windows 11 using Windows Autopilot. You need to ensure that the device name follows a specific naming convention based on device serial number. What should you configure in the Autopilot deployment profile?
A) Device name template with %SERIAL% variable
B) Azure AD device naming policy
C) Computer account naming prefix in domain join settings
D) PowerShell script to rename devices after enrollment
Answer: A
Explanation:
Windows Autopilot deployment profiles include device naming template functionality that allows organizations to automatically name devices according to specific patterns during the provisioning process. Understanding how to use naming templates with variable substitution ensures devices receive consistent, meaningful names that align with organizational standards without requiring manual intervention or post-enrollment renaming.
Device naming is an important aspect of device management because consistent naming conventions help IT administrators quickly identify devices by location, type, user, or other characteristics when viewing device lists, troubleshooting issues, or managing policies. In traditional imaging scenarios, technicians manually entered device names during deployment. Autopilot automates this through naming templates configured in deployment profiles.
A is correct because Autopilot deployment profiles support device name templates with the %SERIAL% variable for automatic serial-based naming during provisioning. B is incorrect because Azure AD device naming policies apply to devices joined directly by users and don’t provide the template-based naming with variables available in Autopilot profiles. C is incorrect because computer account naming prefixes in domain join settings apply to hybrid Azure AD join scenarios and provide fixed prefixes, not dynamic templates with serial number substitution. D is incorrect because while PowerShell scripts could rename devices post-enrollment, this is more complex than using built-in Autopilot naming templates, may require additional syncing time for names to update across services, and doesn’t leverage Autopilot’s native capabilities.
Question 52:
You manage macOS devices using Microsoft Intune with Apple Business Manager integration. You need to prevent users from disabling FileVault encryption on corporate-owned devices. What should you configure?
A) Endpoint protection profile with FileVault settings and “Allow user to disable encryption” set to No
B) Device restrictions profile blocking system preferences access
C) Compliance policy requiring FileVault encryption
D) Custom configuration profile with FileVault enforcement plist
Answer: A
Explanation:
FileVault is macOS’s built-in full disk encryption technology that protects data at rest by encrypting the entire system volume. For enterprise deployments, ensuring encryption remains enabled throughout the device lifecycle requires not only enabling FileVault initially but also preventing users from disabling it. Understanding how to properly configure FileVault through Intune with appropriate user restrictions is essential for maintaining consistent data protection.
Endpoint protection profiles in Intune for macOS include dedicated FileVault configuration sections that provide comprehensive control over FileVault deployment and management. These profiles leverage Apple’s MDM framework to configure FileVault settings, trigger encryption, manage recovery keys, and importantly, control whether users can modify encryption status.
FileVault encryption can take significant time to complete on devices with large amounts of data, particularly during initial enablement. The endpoint protection profile can be configured to defer encryption enablement until the next time users log out, allowing them to complete initial device setup and important work before the encryption process begins. Even during encryption, devices remain usable though performance may be impacted.
Recovery key escrow to Intune is essential for enterprise FileVault deployments. When users forget their passwords or devices require recovery, IT administrators can retrieve the FileVault recovery key from the Intune portal under the specific device’s encryption information. This centralized key management prevents data loss scenarios where encrypted devices become permanently inaccessible due to lost keys.
A is correct because endpoint protection profiles with FileVault configuration include settings to enable FileVault and prevent users from disabling it, providing the required protection. B is incorrect because while device restrictions could broadly limit System Preferences access, this would impact many legitimate settings beyond just FileVault and is overly restrictive—the endpoint protection profile provides targeted FileVault control. C is incorrect because compliance policies check whether FileVault is enabled and can mark devices non-compliant if it’s disabled, but they don’t prevent users from disabling it—they only detect and report the non-compliant state after the fact. D is incorrect because while custom configuration profiles with plist files can configure some FileVault settings, the endpoint protection profile provides a more user-friendly interface specifically designed for FileVault management with better integration into Intune’s reporting and management framework.
Question 53:
Your organization uses Microsoft Intune to manage devices. You need to deploy a VPN profile to Windows 11 devices that automatically connects when users access applications from a specific list. What VPN connection type should you configure?
A) Per-app VPN with app list and automatic connection trigger
B) Always-on VPN with trusted network detection
C) IKEv2 VPN with automatic connection script
D) L2TP VPN with connection trigger based on network detection
Answer: A
Explanation:
VPN connectivity options in modern device management have evolved beyond simple manually initiated connections to include intelligent, context-aware connection triggers that improve security while maintaining user experience. Per-app VPN technology provides application-specific VPN connectivity that automatically activates based on application usage, ensuring sensitive applications always operate through secure network connections without requiring constant VPN connectivity for all device traffic.
Per-app VPN is a mobile device management feature that associates specific applications with VPN profiles, creating rules that automatically establish VPN connections when designated applications launch and routing those applications’ network traffic through the VPN tunnel. Other applications on the device continue to use regular network connections without VPN overhead. This selective approach provides security where needed while minimizing impact on performance and battery life for applications that don’t require VPN access.
A is correct because per-app VPN with application list and automatic connection triggers provides the functionality described where VPN automatically connects when users access specific applications. B is incorrect because always-on VPN maintains constant VPN connectivity for all traffic with trusted network detection exempting certain networks, which is different from application-triggered connectivity. C is incorrect because while IKEv2 is a tunneling protocol that can be used with per-app VPN, the protocol itself doesn’t provide the application-triggered connection capability—per-app VPN configuration does. D is incorrect because L2TP is a tunneling protocol, and connection triggers based on network detection activate VPN when connecting to untrusted networks rather than when launching specific applications.
Question 54:
You manage iOS devices using Microsoft Intune. You need to deploy a custom font to managed devices for use in corporate applications. What should you create?
A) Device configuration profile with device features template and font payload
B) App configuration policy with font settings
C) Custom configuration profile with font installation plist
D) Resource file deployment through Company Portal
Answer: A
Explanation:
iOS device management through Intune supports deployment of various device-specific features and content including custom fonts, wallpapers, web clips, and AirPrint configurations. Understanding how to properly deploy fonts through device features profiles ensures corporate branding consistency and enables applications that require specific typography to function correctly.
Device configuration profiles for iOS include a “Device features” template specifically designed for deploying iOS-specific capabilities that don’t fit into other profile categories like device restrictions or email configuration. The device features template provides dedicated interfaces for configuring features like home screen layout, notification settings, AirPrint printers, web clips (shortcuts that appear as icons on the home screen), lock screen messages, and importantly, custom fonts.
Custom font deployment is particularly useful for organizations with specific branding requirements, applications that require proprietary fonts, accessibility needs that benefit from specialized fonts, or vertical market applications that rely on custom typography. Fonts deployed through MDM become available system-wide to all applications that access iOS font APIs, including Apple’s built-in apps and third-party applications.
A is correct because device configuration profiles with device features template provide the proper mechanism for deploying custom fonts to iOS devices through the fonts payload. B is incorrect because app configuration policies configure application behavior and settings, not system-level resources like fonts that applications consume. C is incorrect because while custom configuration profiles with plist files could theoretically deploy fonts, the device features template provides a more appropriate and user-friendly interface specifically designed for this purpose. D is incorrect because Company Portal doesn’t provide a mechanism for deploying system-level resources like fonts—it facilitates application installation and policy compliance but not resource file distribution.
Question 55:
You are configuring Windows Update for Business policies in Microsoft Intune. You want to ensure that drivers are not automatically installed with Windows Updates. What should you configure?
A) Update rings policy with “Windows drivers” setting configured to exclude
B) Feature updates policy blocking driver installation
C) Device configuration profile with driver installation restrictions
D) Quality updates policy with driver exclusions
Answer: A
Explanation:
Windows Update for Business provides granular control over how and when Windows updates are delivered to managed devices, including the ability to control whether driver updates are included with quality updates. Understanding how to configure driver update policies is important for organizations that need to carefully test driver updates before broad deployment to avoid compatibility issues or hardware problems.
Update rings in Windows Update for Business are policies that define update delivery schedules, deferral periods, and update behaviors for groups of devices. These policies allow organizations to create different update strategies for different device groups, such as pilot groups that receive updates quickly for testing and production groups that receive updates on more conservative schedules after validation.
Within update ring configuration, Intune provides settings that control automatic driver installation through Windows Update. The “Windows drivers” setting offers options to include or exclude drivers from automatic installation with quality updates. When set to “Exclude,” Windows Update delivers security updates and bug fixes but does not automatically install driver updates that Microsoft has published through Windows Update.
A is correct because update rings policies include specific settings to exclude Windows drivers from automatic installation with quality updates. B is incorrect because feature updates policies control deployment of major Windows version updates (like Windows 10 to Windows 11) and don’t provide settings for driver installation behavior. C is incorrect because general device configuration profiles don’t include Windows Update-specific settings like driver installation control—these settings are in update rings. D is incorrect because quality updates policies in the deployment service control deployment of specific quality update versions but don’t include driver exclusion settings—update rings control this behavior.
Question 56:
Your organization uses Microsoft Intune to manage Android Enterprise devices. You need to configure a policy that prevents users from taking screenshots of sensitive data displayed in managed applications. What type of policy should you create?
A) App protection policy with “Block screen capture and Google Assistant” setting enabled
B) Device configuration profile with screen capture restrictions
C) Compliance policy requiring screenshot blocking
D) App configuration policy with screen capture settings
Answer: A
Explanation:
Data loss prevention for mobile applications requires controls that prevent users from capturing and exfiltrating sensitive information through various device features. Screenshot blocking is one such control that prevents users from using the operating system’s screenshot functionality to capture images of corporate data displayed in managed applications. Understanding how app protection policies provide application-level security controls independent of device enrollment is essential for protecting corporate data on both enrolled and unenrolled devices.
App protection policies in Microsoft Intune provide application-level data protection that functions without requiring full device enrollment, making them ideal for bring-your-own-device scenarios where users maintain personal device ownership but need access to corporate applications and data. These policies apply specifically to applications that integrate with the Intune App SDK or have been wrapped with the Intune App Wrapping Tool, creating a protected application ecosystem.
Within app protection policies, the “Block screen capture and Google Assistant” setting controls whether the Android operating system allows screenshot capture when protected applications are in the foreground. When enabled, this setting instructs Intune-protected applications to set the FLAG_SECURE window flag, which tells Android to prevent screen capture, screen recording, and viewing on non-secure displays for that application’s windows. Android enforces this flag by blocking the screenshot gesture and preventing third-party screen recording applications from capturing the protected application’s display.
A is correct because app protection policies include the “Block screen capture and Google Assistant” setting specifically designed to prevent screenshot capture in managed applications. B is incorrect because device configuration profiles can apply device-wide restrictions but don’t provide the application-specific screenshot blocking that app protection policies offer, and device-level blocking would prevent screenshots in all applications including personal ones. C is incorrect because compliance policies check device state but don’t actively prevent functionality like screenshot capture—they only detect and report compliance status. D is incorrect because app configuration policies configure application settings and behaviors but don’t provide security controls like screenshot blocking—app protection policies provide these data loss prevention features.
Question 57:
You manage Windows 11 devices using Microsoft Intune. You need to configure a policy that automatically installs security updates within 2 days of release but defers feature updates for 90 days. What should you create?
A) Windows Update for Business update ring with quality update deadline of 2 days and feature update deferral of 90 days
B) Two separate compliance policies for quality and feature updates
C) Deployment rings policy with separate schedules for updates
D) Windows Update policy with automatic installation enabled
Answer: A
Explanation:
Windows Update for Business provides comprehensive control over update delivery through update rings that can separately manage quality updates (monthly security and bug fix updates) and feature updates (major version releases). Understanding how to configure different policies for these two update types allows organizations to maintain security currency while controlling major version deployments based on validation and compatibility requirements.
Update rings in Intune are the primary mechanism for configuring Windows Update for Business policies. These policies define deferral periods, deadlines, service channels, and user experience settings that control how devices receive and install Windows updates. Each update ring can be assigned to different device groups, allowing organizations to create update strategies tailored to different device populations such as pilot groups, production users, or critical systems.
The distinction between quality updates and feature updates is fundamental to Windows servicing. Quality updates are cumulative monthly updates released on the second Tuesday of each month (Patch Tuesday) containing security fixes, reliability improvements, and bug corrections. These updates are essential for maintaining security posture and typically require rapid deployment. Feature updates are semi-annual releases that introduce new functionality, user interface changes, and major version increments (like Windows 10 21H2 or Windows 11 22H2). Feature updates require more extensive testing due to potential compatibility impacts.
A is correct because update rings provide separate controls for quality update deadlines and feature update deferrals, allowing the configured behavior of rapid security updates with deferred feature updates. B is incorrect because compliance policies check whether updates are installed but don’t control update delivery timing or enforce installation schedules—update rings manage update deployment. C is incorrect because “deployment rings” is terminology from Windows Update for Business Group Policy implementation, while Intune uses “update rings,” though the concepts are similar. D is incorrect because a generic Windows Update policy doesn’t provide the granular control over quality versus feature update timing that update rings offer.
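The two update ring settings discussed in Questions 55 and 57 (excluding Windows drivers, and a short quality update deadline alongside a long feature update deferral) live on the same Intune object, so one ring can carry both. The following is an added example, not code from the exam page or from Microsoft, that creates such a ring through Microsoft Graph with the Microsoft.Graph PowerShell SDK. The ring display name, description and the target group id are placeholders; the property names are those of the Graph `windowsUpdateForBusinessConfiguration` resource.

```powershell
# Added example (not from the page): create a Windows Update for Business update
# ring through Microsoft Graph that excludes drivers (Question 55) and enforces a
# 2-day quality update deadline while deferring feature updates 90 days (Question 57).
# Requires the Microsoft.Graph PowerShell SDK and an account with Intune rights.

Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All" -NoWelcome

$ring = @{
    "@odata.type"                      = "#microsoft.graph.windowsUpdateForBusinessConfiguration"
    displayName                        = "Ring - Production (example)"          # placeholder
    description                        = "Quality updates within 2 days; feature updates deferred 90 days; drivers excluded"
    automaticUpdateMode                = "autoInstallAtMaintenanceTime"
    businessReadyUpdatesOnly           = "all"      # General Availability channel
    microsoftUpdateServiceAllowed      = $true
    # Question 55: keep Microsoft-published driver updates out of the quality update stream
    driversExcluded                    = $true
    # Question 57: no deferral for quality updates, but they must be installed within 2 days
    qualityUpdatesDeferralPeriodInDays = 0
    deadlineForQualityUpdatesInDays    = 2
    # Feature updates are held for 90 days of validation before devices see them
    featureUpdatesDeferralPeriodInDays = 90
    deadlineForFeatureUpdatesInDays    = 7
    deadlineGracePeriodInDays          = 1
    postponeRebootUntilAfterDeadline   = $false
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations" `
    -Body $ring -ContentType "application/json" -OutputType PSObject

# Assign the ring to a device group. The group id is a placeholder.
$assignment = @{
    assignments = @(
        @{
            target = @{
                "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
                groupId       = "00000000-0000-0000-0000-000000000000"   # placeholder group id
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/$($created.id)/assign" `
    -Body $assignment -ContentType "application/json" | Out-Null

# Read the ring back and confirm the three settings that matter here were stored
Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/$($created.id)" `
    -OutputType PSObject |
    Select-Object displayName, driversExcluded, deadlineForQualityUpdatesInDays, featureUpdatesDeferralPeriodInDays
```

The read-back at the end is the check worth keeping in any provisioning script: the portal shows the same values, but a scripted comparison against the intended numbers is what catches a ring that was edited by hand later.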
Question 58:
Your organization uses Microsoft Intune and Azure AD Conditional Access. You need to ensure that users can only access corporate email from devices that are encrypted. What should you configure?
A) Compliance policy requiring encryption and Conditional Access policy requiring compliant devices for Exchange Online
B) Device configuration profile enabling BitLocker with Conditional Access for email
C) App protection policy with encryption requirements for Outlook
D) Exchange ActiveSync policy requiring encryption
Answer: A
Explanation:
Implementing access controls based on device security posture requires combining Intune compliance policies that evaluate device state with Conditional Access policies that enforce access decisions based on compliance status. Understanding this two-part approach of evaluation and enforcement is fundamental to implementing modern identity-driven security that adapts to device risk and configuration.
Device encryption is a critical security control that protects data at rest from unauthorized access if devices are lost, stolen, or improperly decommissioned. For Windows devices, BitLocker provides full disk encryption; for iOS and Android devices, the operating system includes built-in encryption that can be required through management policies; for macOS devices, FileVault provides encryption. Ensuring devices are encrypted before allowing access to corporate data prevents data breaches in device theft scenarios.
Compliance policies in Intune define the security requirements devices must meet to be considered compliant with organizational standards. For encryption specifically, compliance policies include settings that check whether devices have encryption enabled. For Windows, this checks BitLocker status; for iOS, it verifies that the device encryption is enabled; for Android, it checks device encryption status. These checks are performed during regular compliance evaluation cycles, typically every 8 hours as devices check in with Intune.
A is correct because combining a compliance policy that checks encryption with a Conditional Access policy requiring compliant devices for Exchange Online provides both the evaluation of encryption status and the enforcement of access restrictions. B is incorrect because device configuration profiles can enable BitLocker but don’t mark devices non-compliant if encryption is disabled, and Conditional Access requires compliance policy evaluation, not just configuration profiles. C is incorrect because app protection policies can provide some encryption-related protections for application data but don’t check or require full device encryption or integrate with Conditional Access for access control. D is incorrect because Exchange ActiveSync policies are legacy mobile device management policies that don’t integrate with modern Conditional Access and are being deprecated in favor of Intune compliance and Conditional Access.
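Answer A is two objects in two services, and the order matters: the compliance policy must exist and be assigned before the Conditional Access policy has anything to evaluate. The following is an added example, not code from the exam page or from Microsoft, that creates both through Microsoft Graph with the Microsoft.Graph PowerShell SDK. Policy names are placeholders; the Conditional Access policy is created in report-only state so its effect can be reviewed in sign-in logs before it is enforced. The application id used for Exchange Online is Microsoft's published first-party id for Office 365 Exchange Online.

```powershell
# Added example (not from the page): the evaluation half (Intune compliance policy)
# and the enforcement half (Conditional Access) of Question 58, created via Graph.
# Requires the Microsoft.Graph PowerShell SDK; display names are placeholders.

Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All",
                        "Policy.ReadWrite.ConditionalAccess",
                        "Policy.Read.All" -NoWelcome

# 1. Evaluation: Windows compliance policy that requires encryption.
#    A non-compliance action is mandatory on creation; block with no grace period.
$compliance = @{
    "@odata.type"            = "#microsoft.graph.windows10CompliancePolicy"
    displayName              = "Windows - Require encryption (example)"   # placeholder
    bitLockerEnabled         = $true    # Device Health Attestation: BitLocker on
    storageRequireEncryption = $true    # device encryption required
    secureBootEnabled        = $true
    scheduledActionsForRule  = @(
        @{
            ruleName                      = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{
                    actionType                = "block"
                    gracePeriodHours          = 0
                    notificationTemplateId    = ""
                    notificationMessageCCList = @()
                }
            )
        }
    )
}
$policy = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies" `
    -Body $compliance -ContentType "application/json" -OutputType PSObject

# Assign the compliance policy to a device group (placeholder group id)
$assign = @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
                       groupId       = "00000000-0000-0000-0000-000000000000" } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($policy.id)/assign" `
    -Body $assign -ContentType "application/json" | Out-Null

# 2. Enforcement: Conditional Access policy requiring a compliant device for Exchange Online.
#    Report-only first; switch state to "enabled" after reviewing sign-in logs.
$ca = @{
    displayName = "Require compliant device for Exchange Online (example)"   # placeholder
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All") }
        applications   = @{ includeApplications = @("00000002-0000-0ff1-ce00-000000000000") }  # Office 365 Exchange Online
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice")
    }
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
    -Body $ca -ContentType "application/json" -OutputType PSObject |
    Select-Object displayName, state
```

Keeping the grace period at zero hours means a device that reports encryption as off loses mail access at its next compliance evaluation; a non-zero grace period is the usual way to give users time to remediate without opening a permanent gap.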
Question 59:
You are deploying applications to Windows 11 devices using Microsoft Intune. A Win32 application you deployed shows as “Installed” in Intune but users report they cannot find the application. What is the most likely cause?
A) Detection rules are incorrectly configured and falsely report the application as installed
B) The application requires user interaction and did not complete installation
C) The device has not synchronized with Intune since installation
D) The application was installed in the system context and is not visible to users
Answer: A
Explanation:
Win32 application deployment in Microsoft Intune relies heavily on detection rules to determine installation status and report success or failure to the management service. Understanding how detection rules function and recognizing symptoms of misconfigured detection rules is essential for troubleshooting application deployment issues and ensuring reliable application delivery.
Detection rules are criteria that Intune evaluates to determine whether a Win32 application is installed on a device. Before attempting installation, Intune checks detection rules to see if the application is already present, avoiding unnecessary reinstallation. After installation executes, Intune checks detection rules again to verify that installation completed successfully. Only when detection rules indicate the application is present does Intune report the deployment as “Installed.”
Common detection rule types include file or folder existence checks (verifying that specific files or folders exist at specified paths), registry key or value checks (confirming specific registry entries exist with expected values), MSI product code checks (for MSI-based installers, checking if the product code is registered), and custom PowerShell script detection (running scripts that return exit codes indicating installation status). Each detection method has specific use cases and configuration requirements.
The scenario described—where Intune reports the application as installed but users cannot find it—is a classic symptom of detection rules that incorrectly evaluate to true (indicating installation) when the application is not actually installed. This can occur in several ways: detection rules checking for files or registry keys that exist as part of prerequisites or related software rather than the actual target application, detection rules with incorrect paths that happen to match unrelated files, detection rules with overly broad criteria that match multiple possible conditions, or detection rules that check installation components but not the application itself.
For example, if an application installer creates a registry key during the installation process but that key persists even if the installation fails or is canceled, a detection rule checking only for that registry key would report the application as installed when it actually is not. Similarly, if a detection rule checks for a file that is part of a prerequisite framework shared by multiple applications, the rule might detect the prerequisite but not confirm that the target application itself is installed.
When Intune evaluates detection rules and determines the application is installed, it reports this status to the management portal and considers the deployment successful. From Intune’s perspective, the application is present because detection rules indicated so. However, users find that the application is not actually available, because the installation process never completed successfully or installed different software than intended.
Troubleshooting this scenario requires reviewing the detection rules in the Win32 app configuration. Check that file paths are correct and specific to the application, verify registry keys are unique to this application and not shared components, ensure MSI product codes match the actual application being deployed, and validate that custom PowerShell detection scripts accurately reflect application presence. You can test detection rules by manually checking devices for the specified conditions and comparing results to actual application availability.
Correcting detection rules typically requires modifying the Win32 app in Intune to use more accurate detection criteria. After the detection rules are updated, Intune reevaluates devices, will likely determine that the application is not actually installed, and attempts installation again. With correct detection rules in place, a successful installation is then accurately reported and verified.
Detection rule configuration is one of the most common sources of Win32 app deployment issues. Spending time to carefully configure and test detection rules during initial app packaging prevents frustrating scenarios where deployments appear successful in reporting but fail to deliver actual application functionality to users.
A is correct because incorrectly configured detection rules can falsely report applications as installed when they are not, matching the symptoms described where Intune shows installed status but users cannot access the application. B is incorrect because if installation required user interaction and didn’t complete, Intune would typically report the deployment as failed or pending rather than installed, since detection rules would not indicate successful installation. C is incorrect because even if devices haven’t synchronized recently, this wouldn’t cause the specific symptom of false installation reporting—lack of sync would show as outdated status or last check-in time, not successful installation when the app isn’t present. D is incorrect because applications installed in system context are still typically accessible to users through Start menu or installation directories—system context affects permissions during installation, not application visibility post-installation.
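The failure mode above (a marker that exists whether or not the install finished) is easiest to see side by side with a rule that cannot be satisfied by a partial install. The following is an added example, not code from the exam page or from any vendor: a custom PowerShell detection script for an Intune Win32 app, written against a hypothetical product. The product name, minimum version and executable path are placeholders. It follows the Intune contract for script detection: exit code 0 with something written to STDOUT means detected; exit code 1, or exit 0 with no output, means not detected.

```powershell
# Added example (not from the page): Intune Win32 app detection script that avoids the
# false "Installed" status described in Question 59. Placeholders below describe a
# hypothetical application; replace them with the real product's values.

$ExpectedName   = "Contoso Widget"                                            # placeholder DisplayName
$MinimumVersion = [version]"2.5.0"                                            # placeholder version
$ExpectedExe    = Join-Path $env:ProgramFiles "Contoso\Widget\widget.exe"      # placeholder path

# The weak rule that produces the symptom in the question. The installer writes this
# key early and leaves it behind on failure or cancellation, so the key alone proves
# nothing about a completed install:
#   if (Test-Path "HKLM:\SOFTWARE\Contoso\Widget") { Write-Output "Installed"; exit 0 }

# Stronger rule: demand three independent pieces of evidence for *this* product.
# Both Uninstall hives are checked so the result is the same in 32- and 64-bit hosts.
$uninstallRoots = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall"
)

# 1. An Uninstall entry whose DisplayName matches exactly (not a prerequisite or a
#    sibling product that happens to share a vendor key)
$entry = Get-ChildItem -Path $uninstallRoots -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue } |
    Where-Object { $_.DisplayName -eq $ExpectedName } |
    Select-Object -First 1

if (-not $entry) {
    exit 1      # no uninstall entry for this product: not installed
}

# 2. A parsable DisplayVersion at or above the version being deployed, so an old
#    build does not satisfy the rule and block an upgrade
$installedVersion = $null
if (-not [version]::TryParse([string]$entry.DisplayVersion, [ref]$installedVersion) -or
    $installedVersion -lt $MinimumVersion) {
    exit 1      # older or unreadable version: report not installed so Intune installs
}

# 3. The binary users actually launch. Registry evidence without the executable is
#    exactly the "Installed but users cannot find it" case.
if (-not (Test-Path -Path $ExpectedExe -PathType Leaf)) {
    exit 1
}

# All three checks passed: write to STDOUT and exit 0 so Intune records "Installed"
Write-Output "$ExpectedName $installedVersion detected at $ExpectedExe"
exit 0
```

Running the script interactively on a device where the app is known to be absent, and again where it is known to be present, is the test the explanation recommends: the exit code and output should flip between the two cases before the rule is trusted in a production assignment.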
Question 60:
You manage iOS devices using Microsoft Intune. You need to deploy a web application as an icon on the home screen that opens a specific URL when tapped. What should you configure?
A) Device configuration profile with web clip payload
B) Web link app deployment from Intune
C) Safari bookmark configuration profile
D) Home screen layout profile with URL shortcut
Answer: A
Explanation:
iOS device management provides multiple methods for providing users with easy access to web-based applications and resources. Web clips are a specific iOS feature that creates icon-based shortcuts to URLs on the device home screen, appearing and functioning similarly to native applications while launching web content through Safari. Understanding how to properly deploy web clips through device configuration ensures consistent access to web applications across managed devices.
Web clips are essentially bookmarks that appear as home screen icons rather than within the Safari bookmarks interface. When users tap a web clip icon, iOS launches Safari (or another configured browser) and navigates directly to the specified URL. Web clips are ideal for providing quick access to frequently used web applications like intranet portals, help desk systems, time tracking applications, or any web-based service that doesn’t have a dedicated native iOS application.
To deploy web clips through Intune, you create a device configuration profile for iOS/iPadOS and select the “Device features” template. Within device features configuration, you’ll find the web clips section where you can add one or more web clips. Each web clip configuration includes the display name (label that appears under the icon), URL (destination web address), icon image (custom icon that appears on the home screen), whether the web clip can be removed by users, whether to display the web clip on the home screen, and whether the link should be precomposable for Messages app integration.
The custom icon capability allows organizations to brand web clips with application-specific or company-specific icons, making them visually distinctive and easily recognizable to users. Icons should be provided in PNG format at appropriate resolutions for Retina displays, typically 120×120 pixels or 180×180 pixels depending on device generation. If no custom icon is provided, iOS generates a generic icon using a thumbnail of the target webpage.
Web clips deployed through MDM appear on the home screen automatically when the device configuration profile is deployed. Users don’t need to take any action to create the shortcuts—they simply appear after the device receives and processes the profile. The icons are arranged on available home screen space, potentially creating new home screen pages if necessary.
For organizations transitioning from legacy systems to cloud-based web applications, web clips provide an effective migration path that maintains familiar access patterns for users. Instead of launching a native application, users tap a familiar-looking icon that accesses the modern web application. This visual continuity reduces change management complexity and user confusion during migrations.