Microsoft 365 Endpoint Administrator Associate Practice Test (MD-102)

Microsoft 365 Endpoint Administrator Associate MD-102 Information
The Endpoint Administrator Associate Exam (MD-102)
The Microsoft 365 Endpoint Administrator Associate certification, obtained by passing the MD-102 exam, validates the skills required for deploying, configuring, protecting, managing, and monitoring devices and client applications in a Microsoft 365 environment. This certification has replaced the previous MD-100 and MD-101 exams, unifying the content into a single, comprehensive test that reflects the shift towards cloud-centric and hybrid endpoint management. The exam is intended for IT professionals, including system administrators and endpoint managers, who are responsible for managing identity, security, access, policies, updates, and apps for endpoints. Candidates should have subject matter expertise in Microsoft Intune, Windows 365, Windows Autopilot, Microsoft Defender for Endpoint, and Microsoft Entra ID.
The skills measured in the MD-102 exam are grouped into several key areas. A significant portion of the exam focuses on managing, maintaining, and protecting devices, which can account for 40-45% of the questions. Another major domain is the deployment of Windows clients, making up about 25-30% of the content. The remaining sections cover managing identity and compliance (15-20%) and managing applications (15-20%). This structure emphasizes the modern administrator's role in not just deploying operating systems but also ensuring that devices remain secure and compliant throughout their lifecycle using tools like Microsoft Intune.
The Value of Practice Exams for Success
To successfully pass the MD-102 exam, hands-on experience should be supplemented with thorough preparation, and practice exams are an invaluable tool in this process. Taking practice tests helps candidates assess their knowledge, identify areas of weakness, and become familiar with the format and types of questions they will encounter in the actual exam, which can include multiple-choice and scenario-based questions. These practice runs provide a realistic testing experience, allowing you to gauge your readiness and build confidence.
Many resources offer practice exams that cover all the domains of the official MD-102 syllabus and provide detailed explanations for both correct and incorrect answers. This feedback is crucial for understanding the underlying concepts and learning from mistakes. By simulating the exam environment, candidates can practice time management and reduce anxiety, which are key factors for success on exam day. Utilizing these tools allows you to focus your study efforts more effectively on the topics that require further attention, ultimately increasing your chances of earning the Microsoft 365 Certified: Endpoint Administrator Associate certification.

Free Microsoft 365 Endpoint Administrator Associate MD-102 Practice Test
- Domains covered: Prepare infrastructure for devices; Manage and maintain devices; Manage applications; Protect devices
You are an Intune administrator for Contoso. You plan to deploy an Endpoint security attack surface reduction (ASR) policy that targets the rule Block credential stealing from the Windows LSASS process. For the first 14 days you want to collect telemetry only and avoid disrupting any existing software. Which rule state should you configure for this ASR rule in the policy?
Disable
Block
Audit
Warn
Answer Description
Setting the rule state to Audit allows Microsoft Defender to generate event ID 1121 when a process attempts to read LSASS memory, but it does not stop or modify the process. Block would immediately prevent the action, Disable (or Not configured) turns the rule off and records no events, and Warn silently blocks actions and can still interfere with workflows. Therefore, Audit is the correct choice when you need to measure potential impact without enforcement.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
You manage Microsoft Intune for your organization. You must configure a Google Chrome Group Policy setting that is not available in either the Settings Catalog or the built-in Administrative Templates profile. You have downloaded the vendor-supplied Chrome.admx and Chrome.adml files. To ingest these files and then deploy the required policy to Windows 11 devices, which type of Intune configuration profile should you create first?
A Settings Catalog profile
A Device restrictions template profile
An Administrative Templates profile
A Custom profile that uses OMA-URI settings
Answer Description
To load third-party ADMX templates by using the ADMXInstall configuration service provider (CSP), you start with a Custom profile for Windows 10 and later. Inside the profile you add a String OMA-URI setting whose path begins with ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall and whose value is the Base64-encoded content of the ADMX (and corresponding ADML) file. After the template is ingested you can create additional OMA-URI entries or use Administrative Templates to configure the Chrome policies. Device restrictions and Settings Catalog profiles cannot call the ADMXInstall CSP directly, so a Custom profile is required for the initial ingestion step.
You enable Microsoft Intune Remote Help in your tenant and deploy the Remote Help app to Windows 10/11 devices. For risk mitigation, support technicians must be able to view the user's screen but must never interact with the keyboard or mouse during a session. Which Intune action meets the requirement?
Deploy a script that sets the Remote Assistance registry value "fAllowFullControl" to 0 on managed devices.
Assign the technicians to the built-in Help Desk Operator role.
Create a custom Intune role that includes only the Remote help permission "View screen" and assign it to the technicians.
In Remote Help settings, set the session mode to Screen viewing only.
Answer Description
Remote Help permissions are controlled through Intune role-based access control. Two granular permissions exist: "View screen" and "Take full control". To allow screen viewing without the ability to control the device, you must give helpers a role that includes only the "View screen" permission. The built-in Help Desk Operator role includes "Take full control", Remote Help settings do not provide a toggle to restrict control, and registry changes for legacy Remote Assistance do not affect the cloud-based Remote Help app.
In Microsoft Intune, you need to deploy several free public Android apps to corporate-owned Android Enterprise devices. You open the Intune admin center and select Apps > Android, but you cannot yet search Google Play from within Intune. Which prerequisite must you complete before you can add and assign the apps?
Upload the APK file for each app to Intune as an Android Line-of-business app and mark it as required.
Connect the Intune tenant to Managed Google Play with a Google account that will act as the Managed Google Play administrator.
Purchase app licenses in Apple Business Manager and synchronize the licenses with Intune.
Enable Windows Package Manager integration in Tenant administration and perform a Microsoft Store sync.
Answer Description
To make Google Play content available in Intune, the tenant must first be connected to Managed Google Play by signing in with a Google account and authorizing Intune. This registration creates the Managed Google Play enterprise and allows Intune administrators to browse, approve, and sync public store apps directly from the console. Uploading APKs is only required for custom or line-of-business apps, not for public store apps. Apple Business Manager is unrelated to Android deployment, and Windows Package Manager integration affects Windows Store apps, not Android.
A company has 500 Windows 11 laptops that are currently joined to an on-premises Active Directory domain. Administrators intend to manage the devices with Microsoft Intune and apply Conditional Access policies that require a compliant device. Users must continue to sign in with their existing domain credentials and access on-premises file shares without changing their logon behavior. Which Microsoft Entra device join method should you use?
Hybrid Azure AD join
Azure AD join
Azure AD registered
Answer Description
Hybrid Azure AD join keeps each computer joined to the on-premises Active Directory while also registering the device in Microsoft Entra ID. Because the computer account remains in the domain, users authenticate with the same domain credentials and can reach on-premises resources exactly as before. The cloud registration lets Intune automatically enroll the device and evaluate compliance so Conditional Access can enforce policy.
Azure AD join would require disjoining the machine from the on-premises domain, breaking traditional sign-in and resource access. Azure AD registered only creates a per-user registration and would require separate user-initiated Intune enrollment; therefore it does not meet the requirement for a seamless, fully managed domain-credential experience across the fleet.
You are planning to provision Windows 365 Cloud PCs that will be joined to your on-premises Active Directory and routed through your organization's own Azure virtual network. Before you can create the required provisioning policy in Microsoft Intune, which prerequisite must you complete so that the Cloud PCs can be deployed successfully?
Create and assign an Enrollment Status Page (ESP) to the Azure AD group that will receive the Cloud PCs.
Create an Azure network connection in Intune and verify that its health status is Ready.
Enable end-user self-service settings for Windows 365 in the Microsoft Intune admin center.
Upload a custom Windows 11 image to an Azure Compute Gallery.
Answer Description
A provisioning policy that uses an organization-owned network requires an Azure network connection (ANC). The ANC defines the target Azure virtual network, Active Directory join type, and connectivity settings. Intune validates the ANC and displays a status of Ready only after all connectivity and permissions checks pass. Provisioning policies that reference your network cannot be created, or will fail, until at least one ANC exists and is in the Ready state. Uploading a custom image, configuring self-service settings, or creating an Enrollment Status Page are optional tasks that do not satisfy this specific prerequisite.
You manage 5,000 Windows 10 devices that run Microsoft 365 Apps for enterprise. You need an automated way to ensure a pilot group of 200 devices always receives the newest Monthly Enterprise Channel build promptly after Microsoft releases it, and you must be able to roll back those devices to the previous build if problems occur. Which feature in the Microsoft 365 Apps admin center should you use?
Enable ProPlus Delivery Optimization for the tenant in the Microsoft 365 admin center.
Configure a Windows Update for Business ring that forces updates every two days.
Create a servicing profile and assign the pilot devices to it.
Define a macro security policy in the Office cloud policy service for the pilot group.
Answer Description
The servicing profile (now referred to as Cloud Update) in the Microsoft 365 Apps admin center is designed to automatically deliver the most recent Monthly Enterprise Channel build to a selected set of devices. You can scope the profile to a specific device group, configure an update deadline (for example, two days) to control how quickly devices must install the new build, and use the built-in rollback capability to revert the devices to one of the previous builds if issues are detected. Inventory filtering and health dashboards only report status, the Office cloud policy service manages application settings, and Windows Update for Business rings do not control Microsoft 365 Apps update delivery.
You manage Microsoft Intune for a tenant that contains both corporate-owned and personally owned Windows 10 and Windows 11 laptops enrolled through Microsoft Entra ID. You will assign a PowerShell script to All devices by using a device configuration profile. The script must run only on corporate-owned devices. Which Intune filter rule should you configure?
(device.operatingSystemSKU -ne "Personal")
(device.enrollmentProfileName -eq "Corporate")
(device.trustType -eq "AzureAdJoin")
(device.deviceOwnership -eq "Company")
Answer Description
When Intune processes a policy assignment, it first evaluates group targeting and then applies any configured filters. The device.deviceOwnership property in Intune filters returns either "Company" for corporate-owned devices or "Personal" for bring-your-own devices. A filter rule that selects devices where device.deviceOwnership equals "Company" ensures that the script runs only on corporate-owned devices. The other properties shown do not reliably distinguish ownership: enrollmentProfileName can vary, trustType indicates Azure AD join state, and operatingSystemSKU identifies the Windows edition instead of ownership.
You manage devices with Microsoft Intune. You need to rotate the BitLocker recovery keys for 90 Windows 11 laptops at the same time. In the Microsoft Intune admin center, which navigation path should you use to launch the bulk action that lets you perform this task in a single operation?
Devices > All devices > Bulk device actions, choose Windows, and then select Rotate BitLocker key.
Devices > Configuration profiles, deploy a PowerShell script that rotates the keys.
Endpoint security > Disk encryption, open the BitLocker policy, and start a key rotation task.
Devices > Bulk device actions, choose Windows, and then select Rotate BitLocker key.
Answer Description
Bulk remote actions are initiated from the Bulk device actions wizard, which is accessed by navigating to Devices > All devices and then selecting Bulk device actions. From the wizard you choose Windows as the platform, select Rotate BitLocker key, and then pick the target devices or device groups. Selecting devices individually, using the Endpoint security console, or deploying a PowerShell script through a configuration profile will not start the bulk Rotate BitLocker key action in one step.
You manage Windows 11 devices with Microsoft Intune. You must stop computers from accepting SMB traffic over TCP port 445 when they are connected to private or public networks, but you must not affect the domain network profile. You decide to deploy a Microsoft Defender Firewall policy from Endpoint security. Which configuration of the inbound firewall rule meets the requirement?
Action: Block; Protocol: Any; Remote port: 445; Profile: Domain
Action: Block; Protocol: TCP; Local port: 445; Profile: Private, Public
Action: Allow; Protocol: Any; Local port: 445; Profile: Domain, Private, Public
Action: Block; Protocol: TCP; Local port: 445; Profile: Domain
Answer Description
An inbound rule that uses Action = Block prevents the computer from accepting matching traffic. Because SMB uses TCP port 445 on the destination computer, the rule must specify Local port 445 with Protocol = TCP. Applying the rule only to the Private and Public profiles ensures that traffic is still allowed when the device is on its Domain profile. The other options are incorrect because they either allow the traffic, target the wrong port field, or apply the rule to the Domain profile as well.
Your company purchased 200 Android tablets that will be permanently mounted in meeting rooms to display a room-scheduling application. Users must be prevented from accessing system settings or adding personal Google accounts. You will enroll the tablets in Microsoft Intune by providing an enrollment token (for example, by scanning a QR code) during initial device setup after a factory reset. Which Android Enterprise enrollment profile should you configure to meet the requirements?
Android Enterprise personally-owned work profile enrollment profile
Android Enterprise dedicated device enrollment profile
Android Enterprise fully managed device enrollment profile
Android Enterprise corporate-owned work profile enrollment profile
Answer Description
Android Enterprise dedicated device enrollment is designed for corporate-owned devices that serve a single purpose, such as kiosks or room-scheduling panels. Enrollment is performed with an Intune-generated token delivered through methods like QR code, NFC, or manual entry, rather than by importing hardware identifiers. Dedicated device enrollment automatically locks down system UI access and can block personal Google accounts, meeting all stated requirements. Fully managed enrollment gives each user full device control, corporate-owned work profile maintains a separate personal profile, and personally-owned work profile is BYOD-focused and user-initiated, so none of those meet the scenario.
You deploy Microsoft Tunnel Gateway on an Ubuntu server and enable Microsoft Tunnel for Mobile Application Management (MAM). You must allow Outlook on personal Android devices that are not enrolled in Intune to reach an on-premises web service through the tunnel. Which Intune item should you create and assign to the users so that Outlook is automatically given the information it needs to start the tunnel connection?
A device configuration VPN profile that targets Android Enterprise devices
An App configuration policy that targets managed apps
An App protection policy that adds a conditional launch rule
A compliance policy that requires a VPN connection
Answer Description
For apps on unenrolled (MAM-only) devices, Intune delivers the tunnel connection details through an App configuration policy that targets managed apps. When the policy is assigned to the users, Microsoft Defender for Endpoint (which hosts the Tunnel client on Android) receives the site ID and other connection settings. Outlook, as an Intune-managed app, detects these settings and automatically sends its traffic through Microsoft Tunnel. A device configuration VPN profile is used only for enrolled devices, and neither compliance policies nor app protection policies carry the tunnel connection metadata required by the client.
You plan to allow users with personal Android devices that are not enrolled in Intune to reach an on-premises web portal by using Microsoft Tunnel for Mobile Application Management (MAM). Before the devices can establish the tunnel, which app must each user install on their device?
Microsoft Authenticator
Microsoft Company Portal
Microsoft Defender for Endpoint
Microsoft Edge
Answer Description
For MAM-only scenarios, Microsoft Tunnel does not rely on the Company Portal or a dedicated Tunnel client. Instead, the Microsoft Defender for Endpoint (MDE) app contains an integrated VPN component that acts as the Tunnel client on both Android and iOS. Intune delivers an app configuration policy to the Defender app that supplies the connection settings, after which the protected apps can route traffic through the Tunnel. Company Portal is only required for device-enrollment scenarios, Microsoft Authenticator is unrelated to VPN connectivity, and Microsoft Edge alone cannot establish a Tunnel connection.
Your company manages Windows 11 Enterprise laptops with Microsoft Intune and Microsoft Entra ID only. There is no on-premises Active Directory or public key infrastructure, and you do not plan to deploy any additional on-premises servers. You need to enable Windows Hello for Business so that authentication keys are issued without introducing new infrastructure. Which Windows Hello for Business trust model and device join type should you implement to meet the requirement?
Configure Windows Hello for Business certificate trust on Microsoft Entra ID-joined devices and deploy Active Directory Certificate Services.
Configure Windows Hello for Business certificate trust on hybrid Microsoft Entra ID-joined devices.
Configure Windows Hello for Business key trust on Microsoft Entra ID-joined devices.
Configure Windows Hello for Business cloud Kerberos trust on Microsoft Entra ID-registered devices.
Answer Description
In a cloud-only environment, Windows Hello for Business uses key trust on Microsoft Entra-joined devices. The key pair created during provisioning is registered with Microsoft Entra ID, allowing the user to authenticate with the private key without relying on on-premises domain controllers or a certificate authority.
Certificate trust requires Active Directory Certificate Services, and cloud (Kerberos) trust requires hybrid identity with Windows Server domain controllers, so neither fits the scenario. Devices that are only Entra ID-registered are not eligible for Windows Hello for Business deployment.
You administer a Microsoft 365 environment with Azure AD Premium P1. All Windows 10 22H2 laptops are hybrid Azure AD joined, and the domain controllers run Windows Server 2019. Security mandates that you roll out Windows Hello for Business but avoid deploying any Public Key Infrastructure while ensuring the shortest possible user provisioning time. Which Windows Hello for Business trust model should you choose?
Deploy FIDO2 security keys only
Key trust
Cloud trust
Certificate trust
Answer Description
Cloud trust removes the need to issue user or device certificates, so no Public Key Infrastructure is required. It uses Kerberos Cloud Trust between Azure AD and Windows Server 2016 or later domain controllers, and Windows Hello for Business is available almost immediately after a user signs in.
Key trust does not use a certificate registration object, but it still relies on an enterprise PKI to issue Kerberos authentication certificates to domain controllers and can suffer provisioning delays while the msDS-KeyCredentialLink attribute synchronizes.
Certificate trust explicitly depends on PKI-issued authentication certificates for users.
Deploying only FIDO2 security keys is a separate passwordless sign-in method and not a Windows Hello for Business trust model.
Your organization has an on-premises Active Directory domain and synchronizes identities to Microsoft Entra ID by using Azure AD Connect. You will deploy several new corporate Windows 11 laptops that must remain joined to the on-premises domain to continue receiving existing Group Policy settings, support Intune management, and deliver seamless single sign-on to Microsoft 365 resources from any network. Which device join method should you configure for the new laptops?
Workgroup join with later Microsoft Entra registration
Hybrid Microsoft Entra join (hybrid Azure AD join)
Microsoft Entra registration (Azure AD registered device)
Microsoft Entra join (cloud-only Azure AD join)
Answer Description
Hybrid Microsoft Entra join allows a Windows client to be joined to the on-premises Active Directory domain and automatically registered in Microsoft Entra ID. Because the computer account exists in both directories, users receive on-premises Group Policy processing while gaining cloud single sign-on and the ability to be enrolled in Intune for modern management. A cloud-only Microsoft Entra join removes the computer from the on-premises domain, so Group Policy would no longer apply. Microsoft Entra registration is intended for personally owned or workgroup devices and does not support domain Group Policy or full device management. A workgroup-joined computer, even if later registered, would still lack domain GPO processing. Therefore, hybrid join best meets all stated requirements.
You set Microsoft Intune as the MDM authority and change the MDM user scope to All so that Windows 11 laptops that are joined to Microsoft Entra ID will be enrolled automatically. Before any laptop is enrolled, you discover that the Enrollment Status page in Intune shows zero automatically-enrolled Windows devices. Which prerequisite must be met before automatic enrollment for Windows devices starts to work?
Each targeted user must have a license that includes Microsoft Entra ID Premium (P1 or P2).
The device must be running Windows 11 Enterprise edition rather than Windows 11 Pro.
The user who signs in to the device must be assigned the Intune Administrator role.
You must create and assign a Windows bulk enrollment token in Intune.
Answer Description
Automatic MDM enrollment for Windows 10/11 relies on an Azure AD Premium capability. Each user whose device should be enrolled must have a license that includes Microsoft Entra ID Premium (P1 or P2). Without that license, a device that is Azure AD-joined will not trigger MDM auto-enrollment, even if the Intune service is set as the MDM authority and the MDM user scope is configured.
Incorrect answers:
- An Intune Administrator role is not required for the end user; only appropriate licenses are needed.
- Having Windows 11 Enterprise does not influence automatic enrollment; Pro and Enterprise editions are both supported.
- A bulk enrollment token is used only for provisioning large numbers of iOS or Android devices, not for automatic enrollment of Windows devices that are being Azure AD-joined.
You will hand out 50 new Windows 11 Pro laptops to temporary contractors. During the first-run experience (OOBE) each device must automatically join your Azure AD tenant and enroll in Microsoft Intune, without the users needing to enter any credentials. You decide to copy a provisioning package to a USB drive and apply it at the first "Hi there" screen. In Windows Configuration Designer, which wizard should you select to create a package that meets the requirements?
Security baseline wizard
Provision desktop devices wizard
Factory provisioning wizard
Advanced provisioning wizard
Answer Description
The Provision desktop devices wizard is designed for bulk setup of Windows PCs that are not yet managed. It exposes options to configure Azure AD join and automatic MDM enrollment so that, when the .ppkg file is applied during OOBE, the device joins the specified tenant and registers with Intune without user input. The Advanced provisioning wizard gives access to every runtime setting but lacks the streamlined Azure AD join/MDM pages; Factory provisioning is intended for OEM imaging, and there is no Security baseline wizard in Windows Configuration Designer. Therefore, using the Provision desktop devices wizard is the correct choice.
You manage Intune for Contoso. Users have both company-owned iOS/iPadOS devices that are enrolled in Intune and personal iOS devices that are not enrolled but receive app protection policies. You must deploy Outlook S/MIME certificate hash settings only to the company-owned devices. Which type of Intune policy should you create?
An iOS/iPadOS app configuration policy for managed apps
An iOS/iPadOS app protection policy with data protection settings
An iOS/iPadOS app configuration policy for managed devices
A device restrictions policy that uses the Settings catalog
Answer Description
An iOS/iPadOS app configuration policy for managed devices is processed only on devices that are enrolled in Intune (managed devices). This lets you push granular app settings, such as the Outlook S/MIME certificate hash, exclusively to company-owned devices. A managed-apps policy would also reach personal, unenrolled devices that run Outlook under app protection, while a device restrictions policy cannot target per-app settings, and an app protection policy governs data protection rather than configuring application-level settings.
You are preparing 300 rugged laptops for warehouse workers. A technician in the staging facility must turn on each device once, allow all apps and policies to install, then reseal the device. When workers unbox the laptops, they should only sign in and immediately start using Windows. Which Windows Autopilot deployment mode meets the requirement?
Pre-provisioned deployment
User-driven mode with Hybrid Azure AD join
Self-deploying mode
User-driven mode with Azure AD join
Answer Description
Pre-provisioned deployment (previously called White Glove) lets an IT technician complete device setup, app installation, and policy assignment before the computer is delivered. The device is then resealed so that the end user experiences only a brief sign-in during OOBE. Self-deploying mode is intended for kiosk-style devices with no user sign-in. The two user-driven modes require the full OOBE and install configuration after the user first powers on the device, which does not satisfy the requirement for advance staging.