Question 161:
You manage Windows 11 devices using Microsoft Intune. You need to configure a policy that blocks executable files downloaded from the internet from running for 30 days. What should you configure?
A) Attack surface reduction rule with executable blocking from downloads
B) Windows Defender SmartScreen settings with delay execution
C) Device restrictions profile preventing downloaded executable execution
D) This specific capability is not available in Intune policies
Answer: D
Explanation:
Understanding the capabilities and limitations of Windows security features helps administrators set realistic expectations about available controls. While Windows provides various mechanisms for controlling executable file execution and managing downloaded content, delaying execution of downloaded files for specific time periods represents a control that isn’t natively available through standard Windows security policies.
Attack surface reduction rules in Microsoft Defender for Endpoint provide protection against specific malware techniques and attack vectors including blocking executable content from email clients, preventing Office applications from creating child processes, blocking credential theft, and other behavior-based protections. However, ASR rules focus on preventing malicious behaviors at execution time rather than implementing time-based delays for downloaded executables. Rules either block or allow actions based on behavioral patterns rather than file age or download timing.
Windows Defender SmartScreen provides reputation-based protection that warns users about potentially malicious files, applications, or websites that have poor reputation or are known threats. SmartScreen checks downloaded files against Microsoft’s cloud-based reputation service and blocks or warns about files that appear dangerous. However, SmartScreen operates on reputation assessment rather than time-based execution delays. Files are either allowed based on good reputation, warned about based on unknown reputation, or blocked based on known threats.
Device restrictions profiles in Intune control various device features and capabilities but don’t include the granular file execution control needed for time-based downloaded file restrictions. Device restrictions typically focus on broader feature categories rather than specific file handling behaviors based on download timing.
The requirement to block downloaded executables for specific time periods would require custom solutions beyond standard Intune policies, such as third-party endpoint protection solutions with advanced file control capabilities, custom scripts monitoring and managing downloaded file execution based on file timestamps, file system permissions or attributes preventing execution with time-based automation, or organizational policies enforcing manual review periods before allowing downloaded executable execution.
Question 162:
Your organization uses Microsoft Intune to manage iOS devices. You need to prevent users from using Handoff to continue activities on other devices. What should you configure?
A) Device restrictions profile with Handoff blocked
B) iCloud restrictions preventing cross-device continuity
C) App protection policy blocking activity handoff
D) Device features profile with continuity settings disabled
Answer: A
Explanation:
Handoff is an Apple continuity feature that allows users to start activities on one Apple device and seamlessly continue them on another device signed into the same iCloud account. Understanding how to properly restrict Handoff through device restrictions prevents potential data leakage where corporate activities might transition to unmanaged personal devices outside organizational control.
Device restrictions profiles for iOS include comprehensive settings controlling various device features and capabilities. Within the general device settings or connected devices categories, administrators find restrictions specifically for Apple continuity features including Handoff, Universal Clipboard, AirDrop, and AirPlay. The Handoff restriction specifically prevents devices from participating in Handoff activity continuation with other Apple devices.
When the Handoff restriction is enabled and deployed through Intune, iOS disables Handoff functionality system-wide. Users cannot initiate Handoff from the managed device to other devices, and other devices cannot hand off activities to the managed device. The Handoff icon no longer appears in the app switcher or on the lock screen when nearby devices have compatible activities, and attempting to use Handoff features produces no results.
Handoff security concerns in enterprise environments include corporate data or activities transferring to personal devices outside management, work sessions continuing on unmanaged devices where corporate policies cannot protect data, confidential information appearing on personal devices through activity continuation, and difficulty tracking or auditing where corporate work occurs when activities span managed and unmanaged devices.
The restriction affects Handoff specifically without necessarily blocking other Apple continuity features unless additional restrictions are configured. Users can potentially continue using AirDrop for file sharing, Universal Clipboard for copy-paste between devices, or other continuity features if organizational policies permit. This selective restriction allows balancing security requirements around activity continuation with user flexibility for other cross-device features.
Supervision is typically required for many iOS restrictions including Handoff blocking, meaning devices must be enrolled through Apple Business Manager and Automated Device Enrollment. For corporate-owned devices where supervision is standard practice, Handoff restrictions integrate naturally into comprehensive device security configurations protecting corporate data from uncontrolled device transitions.
Question 163:
You are configuring Microsoft Intune to deploy a Win32 application that should only install if a specific registry key exists. What should you configure?
A) Requirements with registry key existence check
B) Detection rules checking for the registry key
C) Installation command with registry validation script
D) Supersedence relationship with registry prerequisite app
Answer: A
Explanation:
Win32 application deployment in Intune distinguishes between requirements that determine device applicability before installation attempts and detection rules that identify whether applications are already installed. Understanding this distinction ensures proper policy configuration where prerequisites are validated before installation rather than being confused with installation status detection.
Requirements in Win32 app configuration define conditions devices must meet before applications are considered applicable for installation. These requirements can check operating system version, processor architecture, disk space, memory, and importantly for this scenario, custom PowerShell scripts that can validate any device state including registry key existence. Requirements are evaluated before installation attempts and before application content is downloaded to devices.
Configuring requirements with a custom PowerShell script allows administrators to write scripts that check for specific prerequisites like registry key existence, particular software versions, specific file presence, or any other condition that can be programmatically validated. The script returns exit code 0 if requirements are met or a non-zero code if requirements aren’t satisfied. Intune evaluates the script, and only when it returns success does the application become applicable for installation.
For registry key existence validation, the PowerShell requirement script would check the specified registry path and key, return exit code 0 if the key exists, and return exit code 1 if the key is missing. This requirement evaluation ensures applications only attempt installation on devices meeting prerequisites, preventing installation failures and providing clear applicability status reporting.
Detection rules serve fundamentally different purposes, determining whether applications are already installed rather than whether devices can support applications. Detection rules evaluate after installation commands execute to verify success, checking for files, registry keys, MSI product codes, or script results indicating successful installation. Using detection rules for prerequisite validation would be inappropriate because detection rules don’t prevent installation attempts on devices lacking prerequisites.
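The registry-existence requirement script described above, as an added example that is not part of the original page or of any Microsoft-provided script. The registry path is a hypothetical placeholder; the script returns exit code 0 when the key exists and 1 otherwise, which is the exit-code contract the explanation relies on.

```powershell
# Added example: Intune Win32 app *requirement* script (not a detection script).
# Exit 0 = requirement met (app becomes applicable); exit 1 = not met.
# $RegPath is an assumed placeholder; replace it with the key your app needs.
$RegPath = 'HKLM:\SOFTWARE\Contoso\Prerequisite'

# Caveat: if the requirement rule is set to run as a 32-bit process on a 64-bit
# client, HKLM:\SOFTWARE is redirected to WOW6432Node, so a key written by a
# 64-bit installer may appear to be missing. Surface that so admins notice it.
if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
    Write-Output "Warning: running as 32-bit on a 64-bit OS; HKLM:\SOFTWARE is redirected to WOW6432Node"
}

try {
    if (Test-Path -Path $RegPath) {
        Write-Output "Requirement met: $RegPath exists"
        exit 0
    }
    else {
        Write-Output "Requirement not met: $RegPath is missing"
        exit 1
    }
}
catch {
    # Any error (e.g. access denied) is treated as "not met" so the app is not
    # marked applicable on a device whose state could not be verified.
    Write-Output "Requirement check failed: $($_.Exception.Message)"
    exit 1
}
```

Upload the file as the requirement rule's script with the rule type set to exit-code success; a detection script uses a different contract (exit code 0 plus STDOUT output means detected), so do not reuse this file for detection.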
Question 164:
You manage Android Enterprise devices using Microsoft Intune. You need to configure a policy that requires devices to have encrypted storage before marking them compliant. What should you configure?
A) Compliance policy with device encryption requirement
B) Device restrictions profile enforcing encryption
C) System security settings requiring storage encryption
D) Android encryption profile with storage protection
Answer: A
Explanation:
Device encryption on Android protects data at rest by encrypting the device’s storage, preventing unauthorized access to data if devices are lost, stolen, or physically compromised. Understanding how to verify encryption status through compliance policies ensures organizations can enforce encryption requirements and restrict access for devices not meeting encryption standards.
Compliance policies in Microsoft Intune evaluate device security state against defined requirements, checking whether devices meet organizational security standards for various attributes. For Android Enterprise devices, compliance policy settings include device security checks that can verify whether device storage is encrypted. The encryption requirement checks Android’s encryption status through device health reporting.
When compliance policies are configured to require device encryption and deployed to Android Enterprise device groups, Intune queries devices for their encryption status during regular compliance evaluation cycles. Android reports whether storage encryption is enabled, and Intune compares this state against policy requirements. Devices with encryption enabled are marked compliant, while devices without encryption are marked non-compliant regardless of whether they meet other compliance requirements.
The compliance status resulting from encryption checks integrates with Conditional Access policies requiring compliant devices for accessing corporate resources. This enforcement framework ensures devices lacking encryption cannot access sensitive corporate data like email, SharePoint, or other protected resources until encryption is enabled. Users receive notifications that their devices are non-compliant due to missing encryption with instructions for enabling device encryption through Android settings.
Android Enterprise fully managed devices and corporate-owned work profile devices support comprehensive encryption requirements. Modern Android versions typically enable encryption by default during initial setup, but compliance policies provide verification ensuring encryption remains enabled and devices haven’t been tampered with to disable security features.
Device restrictions profiles configure device features and capabilities but don’t evaluate whether encryption is enabled or mark devices compliant or non-compliant. Device restrictions might include settings related to security features, but compliance evaluation requires dedicated compliance policies that check device state and report compliance status.
Question 165:
Your organization uses Microsoft Intune to manage Windows 11 devices. You need to deploy a certificate for Wi-Fi authentication that automatically renews 30 days before expiration. What should you configure?
A) SCEP certificate profile with renewal threshold set to 30 days before expiration
B) PKCS certificate profile with 30-day renewal period
C) Trusted certificate profile with automatic renewal enabled
D) Certificate deployment with manual renewal notifications
Answer: A
Explanation:
Certificate lifecycle management ensures authentication certificates remain valid and automatically renew before expiration, preventing connectivity failures when certificates expire. Understanding how to configure automatic renewal through SCEP certificate profiles with appropriate renewal thresholds provides seamless certificate management without service disruptions or manual intervention requirements.
SCEP certificate profiles in Intune support automated certificate renewal throughout the certificate lifecycle. The renewal threshold setting determines when renewal processes begin, typically specified as a percentage of certificate lifetime or a number of days before expiration. Setting the renewal threshold to begin 30 days before expiration ensures certificates renew with an adequate time buffer before expiration, accommodating potential renewal failures or delays.
When SCEP profiles are configured with renewal settings, Intune automatically manages certificate renewal by monitoring certificate expiration dates through the Intune Management Extension on devices. As certificates approach expiration based on configured renewal threshold, Intune initiates renewal requests to the SCEP server, typically NDES in Microsoft environments. The certificate authority issues renewed certificates with extended validity periods, Intune deploys renewed certificates to devices replacing expiring certificates, and Wi-Fi profiles automatically use renewed certificates maintaining uninterrupted connectivity.
The automatic renewal process operates transparently to users and applications. Wi-Fi authentication continues functioning normally as certificates transition from expiring certificates to renewed certificates. The renewal threshold provides safety margin ensuring renewals complete before certificates expire even if initial renewal attempts experience delays or temporary failures.
Certificate renewal threshold configuration typically uses percentage values like 80 percent, meaning renewal begins when 20 percent of certificate lifetime remains. For certificates with one-year validity, 80 percent threshold translates to renewal beginning approximately 73 days before expiration. Organizations can adjust thresholds balancing early renewal providing maximum safety margin against renewal frequency increasing certificate authority load.
Question 166:
You are configuring Microsoft Intune to manage macOS devices. You need to prevent users from disabling Gatekeeper security. What should you configure?
A) Device restrictions profile preventing Gatekeeper modification
B) Endpoint protection profile with Gatekeeper enforcement
C) System extension policy requiring Gatekeeper activation
D) Gatekeeper settings cannot be locked through MDM policies
Answer: A
Explanation:
Gatekeeper is macOS’s security technology that controls which applications can be installed and executed based on their origin and code signing status, providing critical protection against malware and untrusted software. Understanding how to prevent users from disabling Gatekeeper through device restrictions ensures this fundamental security control remains active on managed devices.
Device restrictions profiles for macOS include security-related settings controlling various system security features. Within security or general system settings categories, administrators find options for Gatekeeper configuration including whether Gatekeeper can be modified or disabled by users, what levels of Gatekeeper protection are enforced, and whether users can override Gatekeeper warnings through system preferences.
When Gatekeeper modification restrictions are enabled and deployed through Intune, macOS prevents users from accessing Gatekeeper settings in Security & Privacy preferences or prevents modification of Gatekeeper enforcement levels. Users attempting to change Gatekeeper settings find options disabled or unavailable with indications that settings are managed by organizational policy. This prevents users from weakening security by allowing applications from anywhere or disabling Gatekeeper protection entirely.
Gatekeeper security is fundamental to macOS application security architecture, preventing installation and execution of applications from untrusted sources or developers. Gatekeeper checks application signatures and origins, allowing applications from the Mac App Store and identified developers with valid Apple Developer certificates while blocking unsigned applications or applications from unknown sources unless explicitly permitted.
Preventing Gatekeeper modification ensures users cannot bypass security controls to install potentially malicious applications or unauthorized software. In enterprise environments, maintaining Gatekeeper protection reduces malware risks, ensures only IT-approved applications install on managed devices, protects against social engineering attacks tricking users into disabling security, and maintains consistent security posture across the device fleet.
Organizations should configure Gatekeeper to appropriate security levels through separate settings while also preventing users from modifying those configured levels. The combination of IT-configured Gatekeeper security levels with user modification prevention creates robust application security where appropriate software can install while untrusted software is blocked.
Endpoint protection profiles for macOS focus on features like FileVault encryption, firewall configuration, and system integrity protection rather than Gatekeeper modification prevention. While endpoint protection provides important security controls, Gatekeeper modification prevention is configured through device restrictions profiles.
Question 167:
You manage Windows 11 devices using Microsoft Intune. You need to configure a policy that automatically locks devices after 10 minutes of inactivity. What should you configure?
A) Settings Catalog with screen timeout and lock settings
B) Device restrictions profile with inactivity timeout configuration
C) Power management policy with screen lock timing
D) Endpoint protection profile with automatic lock settings
Answer: A
Explanation:
Automatic device locking after inactivity periods provides security protection when users step away from devices without manually locking them, preventing unauthorized access to unattended systems. Understanding how to properly configure inactivity timeouts through Settings Catalog ensures consistent security enforcement across managed Windows devices.
Settings Catalog in Microsoft Intune provides comprehensive access to Windows configuration settings including power management and security policies controlling screen timeouts, device locking, and inactivity responses. Within Settings Catalog, administrators can find policies related to maximum inactivity time before the device locks, screen saver activation and password protection, power button behavior, and lid close actions for laptops.
The relevant policies include settings that specify maximum inactivity periods before requiring user re-authentication, typically configured in minutes. Setting this to 10 minutes means devices automatically lock and require password or Windows Hello authentication after 10 minutes without user input including keyboard activity, mouse movement, or touch interaction. The automatic lock protects unattended devices from unauthorized access.
Configuring automatic lock policies involves creating a Settings Catalog policy, searching for lock screen, inactivity timeout, or screen saver related settings, specifying the timeout duration in minutes such as 10 minutes, optionally configuring related settings like whether lock screen notifications are visible, and assigning the policy to device or user groups requiring automatic lock enforcement.
When policies deploy to devices, Windows enforces inactivity timeout by monitoring user activity and locking devices when configured periods elapse without interaction. Users returning to locked devices must authenticate with passwords, PINs, or biometric authentication through Windows Hello before accessing desktop and applications. The forced authentication ensures only authorized users access devices even if they were left unlocked and unattended.
Question 168:
Your organization uses Microsoft Intune to manage iOS devices. You need to configure a policy that requires devices to have passcodes with at least 8 characters including letters and numbers. What should you configure?
A) Device restrictions profile with passcode complexity requirements
B) Compliance policy requiring complex passcodes
C) Access requirements for app protection policies
D) Device features profile with password policy settings
Answer: A
Explanation:
Passcode security on iOS devices provides fundamental authentication protection ensuring only authorized users can unlock devices and access corporate data. Understanding how to configure passcode complexity requirements through device restrictions ensures consistent password strength across managed devices while preventing weak passcodes that could be easily guessed or compromised.
Device restrictions profiles for iOS include comprehensive password and passcode settings controlling various authentication security parameters. Within the password section, administrators find options for minimum passcode length, required character types including letters and numbers, maximum passcode age, passcode history preventing reuse, maximum failed attempts before device wipe, and grace periods for passcode entry after device lock.
Configuring passcode complexity requires enabling the required passcode setting, then specifying complexity requirements including minimum length such as 8 characters, required character types selecting alphanumeric to require both letters and numbers, optionally requiring symbols for additional complexity, configuring whether simple passcodes like repeated characters or sequential numbers are blocked, and setting passcode expiration if periodic changes are required.
When passcode complexity policies deploy to iOS devices, the operating system enforces requirements immediately. Users with existing passcodes not meeting new requirements receive prompts to change passcodes to compliant values at next device unlock. Users setting new passcodes or changing existing passcodes must satisfy all complexity requirements, with iOS rejecting passcodes that don’t meet configured criteria.
Question 169:
You are configuring Microsoft Intune to deploy applications to Android Enterprise devices. An application requires Google Play Services to be installed and updated. How should you handle this prerequisite?
A) Google Play Services is automatically present on Android Enterprise devices; no action needed
B) Deploy Google Play Services as a managed Google Play app dependency
C) Configure device restrictions requiring Google Play Services
D) Use app configuration policy to install Google Play Services
Answer: A
Explanation:
Understanding Android Enterprise architecture and built-in components helps administrators avoid unnecessary configuration for prerequisites that are inherently present on managed devices. Google Play Services represents a fundamental Android component that exists on Android Enterprise devices by default, requiring no explicit deployment or management through MDM policies.
Google Play Services is a core Android system component that provides APIs and services for various Android functionality including authentication, location services, Google Maps integration, push notifications through Google Cloud Messaging, security services and SafetyNet attestation, and application APIs used by numerous Android applications. This component is fundamental to Android operation and is present on virtually all Android devices that include Google Mobile Services.
Android Enterprise devices enrolled through Intune automatically have Google Play Services installed and maintained through the device’s standard Android system update mechanisms. Google Play Services updates independently from the Android operating system through Google Play Store, ensuring the services component remains current without requiring MDM intervention or explicit management policies.
Applications requiring Google Play Services as a prerequisite can safely assume the component is available on Android Enterprise managed devices. Developers specify Google Play Services requirements in application manifests, and the Android operating system ensures appropriate versions are present before allowing application installation. This dependency management happens automatically without requiring IT administrators to explicitly deploy or manage Google Play Services.
Attempting to deploy Google Play Services as a managed Google Play app would be inappropriate because Google Play Services is not a deployable application but rather a system-level service component managed by the Android platform itself. The component appears in device system settings under Google Services but is not installed or managed like standard applications.
Question 170:
You manage Windows 11 devices using Microsoft Intune. You need to configure a policy that prevents users from using USB devices for data storage but allows USB keyboards and mice. What should you configure?
A) Settings Catalog with device installation policies blocking storage device class while allowing HID device class
B) Device restrictions profile blocking all USB devices
C) BitLocker policy encrypting removable drives
D) Windows Defender Application Control policy restricting USB storage
Answer: A
Explanation:
USB device control requires granular policies distinguishing between different device classes to maintain security without impacting usability. Understanding how to configure device installation restrictions through Settings Catalog allows blocking storage devices that pose data exfiltration risks while permitting input devices essential for computer operation.
Settings Catalog in Microsoft Intune provides access to comprehensive Windows settings including device installation policies controlling which hardware device classes can install and function on managed systems. These policies leverage Windows device installation restriction framework using device setup class identifiers that categorize devices by function including storage devices, human interface devices, imaging devices, and network devices.
Device installation policies can specify allowed or blocked device classes using globally unique identifiers representing each device category. Storage devices including USB flash drives, external hard drives, and similar removable storage use specific device class GUIDs, while human interface devices including keyboards, mice, and game controllers use different HID class GUIDs.
Configuring the policy involves creating a Settings Catalog policy, searching for device installation related settings, configuring policies to prevent installation of devices matching storage device class GUIDs, explicitly allowing or not restricting devices matching HID class GUIDs, and assigning the policy to device groups requiring USB storage restriction.
When policies deploy, Windows enforces device installation restrictions at driver installation time. USB storage devices attempting to connect are recognized by device class, checked against installation policies, and blocked from driver installation preventing device functionality. HID devices including keyboards and mice are recognized by their device class, verified as allowed by policy, and permitted to install and function normally.
The granular class-based control provides essential security blocking data exfiltration through removable storage while maintaining usability by allowing input devices users need for normal computer operation. Without HID device allowances, blocking all USB devices would render computers largely unusable as keyboards and mice would be non-functional.
Organizations should carefully plan device installation policies considering which device classes are essential for operations versus which pose security risks. Testing policies in pilot environments ensures legitimate devices function while blocked device classes are properly restricted without unintended impacts on necessary hardware.
Device restrictions profiles provide simplified interfaces but don’t typically include the granular device class installation control available through Settings Catalog. Settings Catalog provides more direct access to Windows device installation policy framework with specific device class configuration.
Question 171:
Your organization uses Microsoft Intune to manage iOS devices. You need to deploy a configuration that sets specific DNS servers for Wi-Fi connections. What should you configure?
A) Wi-Fi profile with DNS server configuration
B) VPN profile with DNS settings
C) Device restrictions profile with network DNS settings
D) Network configuration profile with DNS specifications
Answer: A
Explanation:
Wi-Fi network configuration through MDM provides comprehensive control over wireless connectivity including network authentication, security settings, and network parameters like DNS server assignments. Understanding how to properly configure DNS settings within Wi-Fi profiles ensures devices use organizational DNS infrastructure for name resolution, supporting security policies, content filtering, or internal resource access.
Wi-Fi profiles in Intune deploy network configurations to iOS devices including network SSID, security type and authentication methods, certificates for authentication if applicable, proxy settings for web traffic, and DNS server addresses for domain name resolution. The DNS configuration specifies which DNS servers the device should use when connected to the configured Wi-Fi network.
Creating a Wi-Fi profile with DNS configuration involves selecting iOS as the platform, specifying Wi-Fi as the profile type, entering network SSID and security settings, navigating to advanced or network configuration sections, specifying DNS server IP addresses in the DNS servers field, optionally configuring DNS search domains if needed, and assigning the profile to user or device groups.
When Wi-Fi profiles deploy to iOS devices, the network configuration including DNS settings becomes available in device Wi-Fi settings. When devices connect to the configured network, iOS uses the specified DNS servers for domain name resolution for all network traffic while connected to that Wi-Fi network. Custom DNS servers enable organizations to direct DNS queries to internal DNS infrastructure, security filtering services, or specific DNS providers.
DNS server configuration is particularly important for organizations implementing content filtering through DNS-based filtering services, directing internal domain queries to internal DNS servers for split-brain DNS scenarios, implementing DNS-based security monitoring or threat intelligence, or ensuring DNS queries don’t leak to public DNS services from corporate networks.
Question 171:
Your organization uses Microsoft Intune to manage iOS devices. You need to deploy a configuration that sets specific DNS servers for Wi-Fi connections. What should you configure?
A) Wi-Fi profile with DNS server configuration
B) VPN profile with DNS settings
C) Device restrictions profile with network DNS settings
D) Network configuration profile with DNS specifications
Answer: A
Explanation:
Wi-Fi network configuration through MDM provides comprehensive control over wireless connectivity including network authentication, security settings, and network parameters like DNS server assignments. Understanding how to properly configure DNS settings within Wi-Fi profiles ensures devices use organizational DNS infrastructure for name resolution, supporting security policies, content filtering, or internal resource access.
Wi-Fi profiles in Intune deploy network configurations to iOS devices including network SSID, security type and authentication methods, certificates for authentication if applicable, proxy settings for web traffic, and DNS server addresses for domain name resolution. The DNS configuration specifies which DNS servers the device should use when connected to the configured Wi-Fi network.
Question 172:
You manage Windows 11 devices using Microsoft Intune. You need to configure BitLocker to store recovery keys in Azure AD and automatically remove local copies. What should you configure?
A) Endpoint security Disk encryption policy with recovery key backup to Azure AD and remove local copies enabled
B) Device configuration profile with BitLocker settings
C) Compliance policy requiring recovery key backup
D) Settings Catalog with BitLocker recovery key configuration
Answer: A
Explanation:
BitLocker recovery key management is critical for ensuring business continuity when users forget passwords or authentication fails, while also maintaining security by preventing unauthorized recovery key access. Understanding how to configure recovery key backup to Azure AD with automatic local copy removal ensures keys are centrally available for legitimate recovery while eliminating local attack vectors.
Endpoint security Disk encryption policies in Microsoft Intune provide comprehensive BitLocker configuration including recovery key backup location, local recovery key handling, encryption methods, authentication requirements, and enforcement settings. These specialized security policies offer streamlined interfaces specifically designed for encryption management scenarios.
Within Disk encryption policies, recovery key backup settings specify where BitLocker recovery keys are stored. Configuring backup to Azure AD ensures recovery keys are securely transmitted to Azure AD during encryption enablement and stored encrypted in association with device objects. Authorized administrators can retrieve keys through the Intune admin center or Azure AD portal when users require recovery assistance.
The automatic removal of local recovery key copies is critical for security. When enabled, this setting instructs Windows to delete local recovery keys from device metadata after successful backup to Azure AD. Without local keys, attackers with physical device access cannot extract recovery keys to decrypt data even if they can sign into the operating system. The recovery keys remain accessible only through Azure AD where access is controlled and audited.
The workflow proceeds as follows: BitLocker generates recovery keys during encryption setup, securely transmits them to Azure AD and waits for backup confirmation, deletes the local key copies from device storage, and keeps the keys in Azure AD throughout the device lifecycle. For recovery scenarios, authorized administrators retrieve keys from Azure AD and provide them to users for unlocking encrypted drives, after which users set new passwords.
Recovery key rotation can be configured through policy settings triggering periodic key regeneration. When rotation occurs, new keys are generated, backed up to Azure AD replacing old keys, and old keys are invalidated. This practice limits exposure windows if keys are potentially compromised.
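An added example (not from the page or from Microsoft) of the check a defender would run on an enrolled device: confirm that the OS volume carries a recovery password protector and that it has been escrowed to Azure AD, escrowing it on request. It assumes an elevated session on an Azure AD joined Windows 11 device with the built-in BitLocker module; the function name and the event-count heuristic are this example's own.

```powershell
# Added example: audit BitLocker recovery-key escrow to Azure AD on the local device.
# Assumptions: elevated session, Azure AD joined device, built-in BitLocker module.
function Test-BitLockerRecoveryEscrow {
    [CmdletBinding()]
    param(
        [string]$MountPoint = $env:SystemDrive,   # e.g. "C:"
        [switch]$BackupIfMissing                  # escrow protectors that show no backup event
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    if ($vol.ProtectionStatus -ne 'On') {
        Write-Warning "Protection is $($vol.ProtectionStatus) on $MountPoint; nothing to escrow yet."
        return $false
    }

    # Only RecoveryPassword protectors are escrowed. TPM protectors never leave the device,
    # so a volume with no recovery password cannot be recovered from Azure AD at all.
    $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($recovery.Count -eq 0) {
        Write-Warning "No recovery password protector on $MountPoint."
        return $false
    }

    # Event 845 in the BitLocker management log records a successful backup to Azure AD.
    # Counting events per volume is a heuristic (a rotated protector writes a new event).
    $backups = @(Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'
        Id      = 845
    } -ErrorAction SilentlyContinue | Where-Object { $_.Message -like "*$MountPoint*" })

    if ($backups.Count -ge $recovery.Count) {
        Write-Verbose "$($backups.Count) Azure AD backup event(s) found for $MountPoint."
        return $true
    }

    Write-Warning "$($recovery.Count) recovery protector(s) but only $($backups.Count) backup event(s) on $MountPoint."
    if (-not $BackupIfMissing) { return $false }

    foreach ($kp in $recovery) {
        # Sends the protector to the device's Azure AD object; the Intune policy setting
        # "back up to Azure AD" drives the same operation when encryption is enabled.
        BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint `
            -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop | Out-Null
        Write-Verbose "Escrowed protector $($kp.KeyProtectorId)."
    }
    return $true
}

# Example run (elevated): report only, with verbose output.
Test-BitLockerRecoveryEscrow -Verbose
```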
Question 173:
Your organization uses Microsoft Intune to manage Android Enterprise devices. You need to prevent users from factory resetting devices through the Settings app. What should you configure?
A) Device restrictions profile with factory reset blocking enabled
B) Compliance policy requiring factory reset protection
C) Password policy with factory reset PIN requirement
D) Dedicated device configuration with factory reset disabled
Answer: A
Explanation:
Factory reset prevention on Android Enterprise devices ensures devices remain under organizational management and control, preventing users from removing MDM enrollment and data through device reset operations. Understanding how to properly restrict factory reset access through device restrictions maintains management continuity and protects corporate data.
Device restrictions profiles for Android Enterprise include settings controlling various device features and capabilities. Within general device settings or administrative categories, administrators find options for factory reset prevention. The factory reset blocking setting prevents users from accessing software-based factory reset options in the Settings app.
When factory reset blocking is enabled and deployed to fully managed devices or corporate-owned work profile devices, the factory reset option is either removed from the Settings menu entirely or disabled and grayed out with indications that it is restricted by organizational policy. Users navigating to Settings cannot access factory reset functionality through normal device interfaces.
This restriction applies to software-based factory reset available through Settings. Hardware-based reset mechanisms like recovery mode boots or specific button combinations during device startup may still function depending on device manufacturer implementations. For comprehensive protection, organizations should combine factory reset blocking with other controls including zero-touch enrollment ensuring devices automatically re-enroll after reset, factory reset protection requiring Google account credentials after reset, and device loss procedures including remote wipe capabilities.
Factory reset blocking is particularly important for devices deployed to field workers, retail environments, healthcare settings, or scenarios where devices could be lost, stolen, or handled by users who might intentionally or accidentally factory reset them. Preventing software resets maintains management continuity and reduces risks of data loss or device loss.
The device restrictions profile can include numerous other restrictions alongside factory reset blocking such as preventing account modifications, disabling USB file transfer, blocking application installation from unknown sources, preventing screenshot capture, and restricting network settings changes. Combined restrictions create locked-down device environments appropriate for corporate-owned devices serving specific business purposes.
Question 174:
You are configuring Microsoft Intune to manage macOS devices. You need to deploy a kernel extension for a security application. What must you configure?
A) Kernel extension policy with team identifier and bundle identifier
B) System extensions policy approving the kernel extension
C) Device restrictions profile allowing kernel extensions
D) User approval after installation prompting in System Preferences
Answer: A
Explanation:
macOS security architecture implements strict controls over kernel extensions due to security and stability concerns, requiring explicit approval for kernel code execution. Understanding how to properly configure kernel extension policies through MDM with appropriate identifiers ensures business-critical software functions immediately while maintaining security oversight.
Kernel extension policies in Intune specify which kernel extensions are authorized to load by identifying both the developer team identifier and the extension bundle identifier. The team identifier is a ten-character string assigned by Apple identifying the organization or individual who signed the extension. The bundle identifier is a reverse-DNS format string like com.company.product.kext uniquely identifying the specific extension.
Both identifiers are required: the team identifier establishes trust in the developer, while the bundle identifier specifies exactly which extension from that developer is approved. This dual identification provides security through explicit approval of specific trusted extensions rather than blanket permissions.
When kernel extension policies deploy to supervised macOS devices, macOS trusts the MDM approval and allows specified kernel extensions to load without user prompts. Security applications installing kernel extensions become immediately functional after installation without requiring users to navigate system settings or understand kernel extension approval processes.
Supervision is required for kernel extension pre-approval because this represents enhanced MDM capability beyond standard user enrollment. Devices enrolled through Apple Business Manager and Automated Device Enrollment are automatically supervised, enabling kernel extension management and other advanced features.
Question 175:
You manage Windows 11 devices using Microsoft Intune. You need to configure Windows Defender Firewall to block all inbound connections except for Remote Desktop. What should you configure?
A) Endpoint security Firewall policy with inbound connection blocking and Remote Desktop allow rule
B) Device configuration profile with Windows Defender Firewall settings
C) Attack surface reduction policy with network protection
D) Compliance policy requiring firewall configuration
Answer: A
Explanation:
Windows Defender Firewall provides network-level security controlling inbound and outbound network traffic based on rules defining allowed and blocked connections. Understanding how to configure comprehensive firewall policies with default blocking and specific exceptions ensures strong network security while maintaining necessary business connectivity.
Endpoint security Firewall policies in Intune provide dedicated interfaces for Windows Defender Firewall management including global firewall settings for different network profiles, firewall rules allowing or blocking specific traffic, and connection security rules defining IPsec requirements. These specialized security policies offer better organization for complex firewall configurations than general device configuration profiles.
Configuring the solution involves setting global inbound connection behavior for relevant network profiles to block by default, then creating specific firewall rules allowing Remote Desktop connections as exceptions to the default block behavior. The default block stance ensures all unsolicited inbound traffic is denied unless explicitly permitted through firewall rules.
Firewall rules for Remote Desktop specify the application or service receiving inbound connections, direction as inbound, action as allow, network profiles where the rule applies, optionally protocol and port specifications for granularity, and IP address restrictions if needed. Remote Desktop typically uses TCP port 3389, so rules can specify this protocol and port for precise control.
The combination of a default block with explicit allow rules creates an allow-list model in which only specifically authorized services can receive inbound connections. This approach provides stronger protection than default-allow configurations, which permit many services unless explicitly blocked.
Firewall policies are assigned to device groups and apply during policy sync. Monitoring through Windows event logs and Microsoft Defender for Endpoint if deployed provides visibility into blocked connections and rule effectiveness. Identifying legitimate blocked connections enables creating appropriate allow rules while maintaining security.
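An added example (not from the page or from Microsoft) that applies the same "default inbound block, allow only Remote Desktop" stance locally with the built-in NetSecurity cmdlets and then summarises what the firewall has since blocked from the Security log, which is the visibility the paragraph above describes. It assumes an elevated session; the rule name, the look-back window and the function names are this example's own choices.

```powershell
# Added example: local equivalent of the Intune Firewall policy described above, plus a
# summary of blocked inbound connections. Assumes an elevated session.
function Set-InboundBlockExceptRdp {
    # Equivalent of the policy's global "default inbound action = block" on every profile.
    Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

    # Explicit exception: TCP 3389 only, and only on Domain/Private so the service is not
    # exposed when the device sits on a public network.
    $name = 'Example - Allow Remote Desktop (TCP-In)'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Allow `
            -Protocol TCP -LocalPort 3389 -Profile Domain, Private | Out-Null
    }
    # Alternative: enable the built-in rule group, which also covers UDP 3389:
    #   Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
}

function Get-BlockedInboundSummary {
    param([int]$Minutes = 30)

    # Event 5157 ("the Windows Filtering Platform has blocked a connection") is only written
    # when the failure audit for "Filtering Platform Connection" is enabled, e.g.
    #   auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 5157
        StartTime = (Get-Date).AddMinutes(-$Minutes)
    } -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        $data = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        # %%14592 is the resource string for "Inbound"; outbound blocks are out of scope here.
        if ($data['Direction'] -ne '%%14592') { continue }
        [pscustomobject]@{
            Source   = $data['SourceAddress']
            DestPort = [int]$data['DestPort']
            Protocol = [int]$data['Protocol']    # 6 = TCP, 17 = UDP
            App      = $data['Application']
        }
    }

    # Legitimate-but-blocked services show up as repeated (port, protocol) pairs; those are
    # the candidates for a new allow rule. Everything else is what the default block exists for.
    $rows | Group-Object DestPort, Protocol |
        Sort-Object Count -Descending |
        Select-Object Count, Name,
            @{ n = 'Sources'; e = { ($_.Group.Source | Sort-Object -Unique) -join ',' } }
}

# Example run (elevated): apply the stance, then review the last hour of inbound blocks.
Set-InboundBlockExceptRdp
Get-BlockedInboundSummary -Minutes 60 | Format-Table -AutoSize
```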
Question 176:
Your organization uses Microsoft Intune to manage iOS devices. You need to configure devices to prevent app installation from the App Store but allow MDM-deployed apps. What should you configure?
A) Device restrictions profile with App Store blocked
B) App protection policy preventing app installation
C) Compliance policy requiring managed apps only
D) Home screen layout removing App Store icon
Answer: A
Explanation:
App Store restrictions on iOS devices provide organizations with control over application installations, ensuring only IT-approved applications are available while preventing users from installing potentially insecure or unauthorized applications from the public App Store. Understanding how to properly block App Store access while maintaining MDM app deployment capabilities creates secure managed environments.
Device restrictions profiles for iOS include comprehensive settings controlling various device features and capabilities. Within the App Store and iTunes category, administrators find settings controlling user interaction with the App Store application. The block App Store setting prevents users from launching the App Store app and blocks installation of new applications from the public App Store.
When this restriction is enabled and deployed to supervised iOS devices through Intune, the App Store icon may be hidden from the home screen or rendered non-functional if tapped. Users cannot browse the App Store, search for applications, or install applications from the public App Store through normal device interfaces.
Critically, blocking the App Store does not prevent installation of enterprise applications through Intune or managed app deployments. Enterprise app distribution uses MDM app installation commands that operate independently of the consumer App Store. When IT administrators deploy applications through Intune as required or available assignments, these apps install through the MDM channel without requiring App Store access.
This separation allows organizations to maintain strict control over software installations while ensuring business applications remain accessible. The Company Portal app serves as an enterprise app catalog where users can browse and install IT-approved applications even with the App Store blocked.
Device restrictions for App Store control extend beyond blocking the store itself. Additional settings prevent installation of apps using App Store credentials, require passwords for App Store purchases, block in-app purchases, and restrict specific apps by bundle identifier.
Question 177:
You are configuring app protection policies for Android devices. You need to ensure that users must re-authenticate if they have not used managed apps for 30 minutes. What should you configure?
A) Access requirements with recheck access requirements after 30 minutes
B) Conditional launch with 30-minute inactivity timeout
C) PIN timeout with 30-minute period
D) Data transfer settings with 30-minute session timeout
Answer: A
Explanation:
App protection policies provide multiple authentication timing controls balancing security with user experience, managing when users must re-authenticate during application usage. Understanding the distinction between recheck intervals during active usage versus timeout periods for backgrounded applications ensures appropriate security controls.
Access requirements in app protection policies include recheck access requirements settings controlling how frequently users must re-authenticate during continued application usage. This setting specifies time intervals in minutes determining how long users can actively use protected applications before requiring fresh authentication credentials.
Setting recheck access requirements to 30 minutes means users must re-enter PIN, provide biometric authentication, or complete corporate credential authentication every 30 minutes while actively using managed applications. This periodic re-authentication provides security against scenarios where users leave applications open and walk away, or where devices might be used by unauthorized persons after initial authentication.
The recheck interval mechanism tracks time since last successful authentication regardless of application state. When the configured interval elapses during active application usage, the next user interaction triggers authentication prompts requiring users to prove their identity before continuing work. This ongoing verification ensures continuous authentication validity rather than relying on single authentication at application launch.
Organizations should balance recheck intervals with user productivity considerations. Very short intervals like 5-10 minutes may frustrate users with constant authentication challenges during normal workflows. Longer intervals like 30-60 minutes reduce authentication frequency while still providing periodic verification preventing prolonged unauthorized access.
The recheck access requirements differ from PIN timeout settings which control background session duration. PIN timeout determines how long applications can remain in background before requiring re-authentication when users return, addressing scenarios where users switch between applications or step away temporarily. Recheck intervals address continuous usage scenarios ensuring even users actively working must periodically re-authenticate.
Conditional launch settings trigger actions based on conditions such as offline intervals, OS version, or device state, but do not specifically control authentication recheck timing during active usage. The Access requirements section contains the authentication timing controls, including recheck intervals.
Question 178:
You manage macOS devices using Microsoft Intune. You need to deploy a configuration that requires administrator password for software updates. What should you configure?
A) Device restrictions profile requiring admin password for software updates
B) System extension policy with update authorization requirements
C) Software Update policy with authentication settings
D) This capability is controlled by user account type, not MDM policies
Answer: D
Explanation:
Understanding the distinction between settings configurable through MDM policies versus settings determined by operating system architecture helps administrators set realistic expectations and design appropriate security approaches. Whether users must provide administrator authentication for software updates depends on account type assignment rather than MDM policy configuration.
macOS user account types include administrator accounts, which have privileges to install software, modify system settings, and perform privileged operations, and standard user accounts, which have restricted privileges and require administrator authentication for privileged operations.
Standard user accounts on macOS automatically require administrator authentication for installing software updates, modifying system preferences, or performing other privileged operations. The operating system prompts for administrator credentials when standard users attempt these actions, enforcing security boundaries regardless of MDM policies.
MDM policies cannot make administrator accounts behave like standard accounts by requiring password prompts for updates. Account type determines privilege levels, and MDM policies work within those privilege boundaries rather than overriding fundamental account type behaviors. Organizations requiring administrator authentication for updates should assign standard user accounts rather than administrator accounts to users.
Device restrictions profiles for macOS include numerous settings controlling device features and capabilities, but requiring administrator authentication for updates is not among configurable options because this behavior is inherent to macOS account types. Restrictions can prevent certain actions entirely but cannot add authentication requirements to otherwise authorized actions.
Software Update policies in Intune for macOS control update deferral, automatic installation windows, and update enforcement but do not add administrator authentication requirements. These policies manage update deployment timing and automation within the privilege context of the logged-in user account type.
Question 179:
Your organization uses Microsoft Intune to manage Windows 11 devices. You need to deploy a script that runs before users can log in during device startup. What should you configure?
A) PowerShell script with “Run script at startup” before user login configured
B) Scripts cannot run before user login through Intune; use startup scripts in Group Policy or scheduled tasks
C) Proactive remediation with system context execution
D) PowerShell script with system context and startup trigger
Answer: B
Explanation:
Understanding the capabilities and execution timing of different script deployment mechanisms helps administrators design appropriate solutions that work within platform constraints. PowerShell scripts deployed through Intune execute during operational periods after system startup and user login rather than during early boot sequences.
Intune PowerShell script deployment provides valuable automation for configuration tasks, compliance remediation, and administrative operations. Scripts execute through the Intune Management Extension service which operates after Windows has fully loaded and devices are operational. The timing does not support pre-login execution during system startup before user authentication.
PowerShell scripts can be configured to run in user or system context and can execute once or repeatedly on schedules, but these options control privilege level and execution frequency rather than timing during boot sequences. Even scripts configured in system context execute after the Intune Management Extension service starts, which occurs after Windows loads and typically after user login.
For scripts requiring execution during system startup before user login, Windows mechanisms outside Intune script deployment must be used. Options include startup scripts configured through Group Policy for domain-joined devices, scheduled tasks with “At startup” triggers configured to run whether users are logged in or not, services or launch items configured through device provisioning, or provisioning packages applied during deployment.
Deploying startup scripts through Intune requires using device configuration profiles with custom configurations creating scheduled tasks or registry entries that trigger script execution at startup. The initial deployment uses Intune but the actual startup execution occurs through Windows Task Scheduler or similar mechanisms rather than direct Intune script execution.
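An added example (not from the page or from Microsoft) of the pattern just described: an Intune PowerShell script, assigned in system context, that does not itself run at boot but registers the scheduled task that will. The task name, the ProgramData path and the placeholder payload are this example's own choices.

```powershell
# Added example: Intune-deployed script (system context) that registers an "At startup"
# task running as SYSTEM, so the real work happens before any user logs on.
$taskName   = 'Example-StartupTask'
$scriptDir  = Join-Path $env:ProgramData 'ExampleOrg\Startup'
$scriptPath = Join-Path $scriptDir 'Invoke-Startup.ps1'

# 1. Stage the payload that must run before logon. Placeholder content here; in practice
#    this is whatever the scenario needs at boot (service checks, network prerequisites).
New-Item -ItemType Directory -Path $scriptDir -Force | Out-Null
@'
$log = Join-Path $env:ProgramData 'ExampleOrg\Startup\startup.log'
"$(Get-Date -Format o) ran as $env:USERNAME before interactive logon" | Add-Content $log
'@ | Set-Content -Path $scriptPath -Encoding UTF8

# 2. Lock the directory down. The task runs as SYSTEM at every boot, so a script that
#    ordinary users could edit would be a local privilege escalation path. Strip inherited
#    ACEs and grant access only to SYSTEM and Administrators.
icacls $scriptDir /inheritance:r /grant:r 'SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F' | Out-Null

# 3. Register the task: "At startup" trigger with a SYSTEM principal, so it fires during
#    boot regardless of whether anyone logs on.
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$scriptPath`""
$trigger   = New-ScheduledTaskTrigger -AtStartup
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries `
                 -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 10)

# -Force makes registration idempotent when Intune re-runs the script.
Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# Intune records the script's exit code; confirm the task exists before reporting success.
$task = Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue
if (-not $task) { Write-Error "Task $taskName was not registered"; exit 1 }
exit 0
```

The Intune script itself still runs after the Intune Management Extension starts, exactly as the explanation states; only the task it registers executes at the next boot before logon.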
Question 180:
You are configuring Microsoft Intune to manage iOS devices. You need to prevent users from using the native Mail app and require them to use Outlook for email. What should you configure?
A) Device restrictions profile blocking native Mail app and deploy Outlook as required app
B) App protection policy restricting Mail app usage
C) Email profile for Outlook with native Mail disabled
D) Compliance policy requiring Outlook installation
Answer: A
Explanation:
Controlling which email applications users can access on managed devices ensures consistent security policies, data protection, and user experience while preventing corporate data from being accessed through applications lacking appropriate security controls. Understanding how to properly restrict native applications while deploying preferred alternatives creates secure managed environments.
Device restrictions profiles for iOS include settings controlling access to built-in applications. Within the built-in apps category, administrators find restrictions for various native iOS applications including Mail, Safari, Camera, FaceTime, and others. The restriction for Mail app prevents users from launching or accessing the native iOS Mail application.
When the Mail app restriction is enabled and deployed through Intune, the Mail app icon may be hidden from the home screen or the app becomes non-functional if users attempt to launch it. Users cannot access email through the native Mail application, preventing corporate email access through an application that may lack enterprise security features or management capabilities that third-party enterprise email clients provide.
Simultaneously, deploying Microsoft Outlook as a required application ensures users have an approved email client available. Outlook for iOS provides comprehensive security integration with Intune including app protection policy support, conditional launch capabilities, data loss prevention features, and managed configuration options that native Mail does not fully support.
The combination of blocking native Mail and deploying Outlook creates controlled email access where corporate email is available exclusively through the managed enterprise client. This ensures consistent security policies apply to all corporate email access, all users have the same email client for simplified support, app protection policies can enforce data protection for email content, and email configurations can be centrally managed through app configuration policies.
App protection policies could provide some data protection for Mail app if it were allowed, but restricting the native app entirely provides cleaner control ensuring users do not have multiple email clients creating management complexity or data protection gaps. Standardizing on Outlook simplifies security policy enforcement.