Microsoft 365 Endpoint Administrator Associate Practice Test (MD-102)

Microsoft 365 Endpoint Administrator Associate MD-102 Information
The Endpoint Administrator Associate Exam (MD-102)
The Microsoft 365 Endpoint Administrator Associate certification, obtained by passing the MD-102 exam, validates the skills required for deploying, configuring, protecting, managing, and monitoring devices and client applications in a Microsoft 365 environment. This certification has replaced the previous MD-100 and MD-101 exams, unifying the content into a single, comprehensive test that reflects the shift towards cloud-centric and hybrid endpoint management. The exam is intended for IT professionals, including system administrators and endpoint managers, who are responsible for managing identity, security, access, policies, updates, and apps for endpoints. Candidates should have subject matter expertise in Microsoft Intune, Windows 365, Windows Autopilot, Microsoft Defender for Endpoint, and Microsoft Entra ID.
The skills measured in the MD-102 exam are grouped into several key areas. A significant portion of the exam focuses on managing, maintaining, and protecting devices, which can account for 40-45% of the questions. Another major domain is the deployment of Windows clients, making up about 25-30% of the content. The remaining sections cover managing identity and compliance (15-20%) and managing applications (15-20%). This structure emphasizes the modern administrator's role in not just deploying operating systems but also ensuring that devices remain secure and compliant throughout their lifecycle using tools like Microsoft Intune.
The Value of Practice Exams for Success
To successfully pass the MD-102 exam, hands-on experience should be supplemented with thorough preparation, and practice exams are an invaluable tool in this process. Taking practice tests helps candidates assess their knowledge, identify areas of weakness, and become familiar with the format and types of questions they will encounter in the actual exam, which can include multiple-choice and scenario-based questions. These practice runs provide a realistic testing experience, allowing you to gauge your readiness and build confidence.
Many resources offer practice exams that cover all the domains of the official MD-102 syllabus and provide detailed explanations for both correct and incorrect answers. This feedback is crucial for understanding the underlying concepts and learning from mistakes. By simulating the exam environment, candidates can practice time management and reduce anxiety, which are key factors for success on exam day. Utilizing these tools allows you to focus your study efforts more effectively on the topics that require further attention, ultimately increasing your chances of earning the Microsoft 365 Certified: Endpoint Administrator Associate certification.

Free Microsoft 365 Endpoint Administrator Associate MD-102 Practice Test
- 20 Questions
- Unlimited
- Domains: Prepare infrastructure for devices; Manage and maintain devices; Manage applications; Protect devices
You will deploy 500 new Windows 11 laptops by using Windows Autopilot. Each computer is shipped directly from the OEM to employees working from home. During the first-run experience, users must enter only their corporate email address and password. The devices must automatically join Azure Active Directory, enroll in Microsoft Intune, and must not grant users local administrator rights. Which Autopilot deployment mode should you configure in the deployment profile to meet these requirements?
Pre-provisioning (formerly white-glove)
Self-deploying mode
User-driven mode (Azure AD join)
Autopilot for existing devices
Answer Description
User-driven mode is designed for scenarios where a device is shipped straight to the end user. During the out-of-box experience the user supplies their Azure AD credentials (typically email address and password). Windows then performs an Azure AD join, enrolls into Microsoft Intune, and applies policy, including the option to leave the user in the standard Users group instead of granting local administrator rights.
Self-deploying mode completes the entire setup without any user credentials, so it fails the requirement that the user must sign in. Pre-provisioning (formerly called white-glove) requires a technician or OEM to run the first phase before the device reaches the user, which is not guaranteed in this scenario and still involves a second user-driven phase. Autopilot for existing devices relies on a provisioning package applied to devices that are already in service and is not intended for brand-new laptops shipped from the factory. Therefore, user-driven mode is the only deployment mode that satisfies all stated requirements.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is Windows Autopilot and how does it work?
What is the difference between user-driven and self-deploying Autopilot modes?
Why doesn't pre-provisioning (formerly white-glove) work in this scenario?
Users in the AAD-Joiners security group attempt to join their personal Windows computers to Microsoft Entra ID from Settings > Accounts > Access work or school > Connect, but on some machines the Join this device to Azure Active Directory option is missing. You must identify why and make the option appear. Which requirement must those computers meet?
They must already be enrolled in Microsoft Intune.
They must be connected to the corporate network through a VPN tunnel.
They must have TPM 2.0 enabled and BitLocker drive encryption turned on.
They must be running Windows 10/11 Pro, Enterprise, or Education editions instead of Windows Home.
Answer Description
The interactive Azure AD (Microsoft Entra ID) join workflow in Settings only exists on Windows 10/11 Pro, Enterprise, and Education editions. Windows Home editions support adding a work or school account for resource access but cannot perform a full Azure AD join, so the Join option is hidden. Intune enrollment, VPN connectivity, or hardware security features such as TPM 2.0 and BitLocker do not influence whether the option is displayed.
A user emailed their BitLocker recovery key for a corporate Windows 11 laptop to an external recipient. You open the device record in Microsoft Intune and select the Rotate BitLocker keys remote action. After the action successfully completes, which outcome should you expect on the device?
BitLocker protection is suspended and then resumed, continuing to use the original recovery password.
The existing recovery password is pushed again to Azure AD and marked as the active key without changing it on the device.
The entire volume is decrypted and then re-encrypted to generate a new full-volume encryption key.
The device creates a new BitLocker recovery password, uploads it to Intune, and invalidates the previously stored password.
Answer Description
The Rotate BitLocker keys remote action tells the Windows client to generate a brand-new BitLocker recovery password for every protected volume. The new recovery password is automatically escrowed to Azure AD/Intune, replacing the previous password, which is rendered invalid. BitLocker protection itself remains enabled and the drive is neither decrypted nor re-encrypted, nor is protection suspended. Other actions such as Sync or Wipe do not generate a new recovery key.
Contoso plans to deploy Microsoft Intune for Windows 11 devices. The administrators must ensure that only members of a Microsoft Entra security group named Corporate Users can automatically enroll their Azure AD-joined devices into Intune. All other users must be prevented from enrollment. In the Microsoft Intune admin center, which enrollment setting should you configure?
Reduce the per-user device limit to 0 for all users except the Corporate Users group.
Set the MDM user scope to Some and assign the Corporate Users group.
Create a Windows enrollment device platform restriction that blocks personal devices for all other users.
Set the MAM user scope to Some and assign the Corporate Users group.
Answer Description
Automatic enrollment of Azure AD-joined Windows devices is controlled by the MDM user scope that you configure under Mobility (MDM and MAM) > Microsoft Intune. Setting the scope to Some and then selecting a security group limits enrollment to that group. The MAM scope affects application management only, platform restrictions control device characteristics rather than user eligibility, and lowering the device limit does not block the first device from enrolling. Therefore, configuring the MDM user scope for the Corporate Users group meets the requirement.
You open the Device queries (preview) pane in Intune and need to return every Windows client whose build number is 22621 or later (Windows 11 22H2 or newer). Which KQL statement accomplishes this goal without including older Windows 11 or Windows 10 builds?
DeviceInfo | where operatingSystem == "Windows" | where toint(split(osBuildVersion, ".")) >= 22621 | project deviceName, osBuildVersion
DeviceInfo | where operatingSystem == "Windows" | extend build = toint(split(osBuildVersion, ".")[2]) | where build >= 22621 | project deviceName, osBuildVersion
DeviceInfo | where operatingSystem contains "Windows 11" | where osBuildVersion >= "22621" | project deviceName, osBuildVersion
DeviceInfo | where osBuildVersion > "22620" | project deviceName, osBuildVersion
Answer Description
The query first filters the Windows platform. It then uses split() to break the osBuildVersion string (for example, "10.0.22621") into an array and converts the third element (index 2), which holds the build number, to an integer with toint(). Because build is now numeric, the >= operator accurately keeps devices running build 22621 or later. The other queries either compare strings lexicographically, reference the wrong array element, or omit the Windows filter, so they can return unwanted devices.
You plan to roll out 500 corporate-owned Windows 11 Enterprise laptops. Company policy requires that the operating system volume is automatically encrypted with BitLocker during Autopilot enrollment, that recovery keys are stored in Azure AD, and that users cannot disable BitLocker. In Microsoft Intune, which type of policy should you create to meet these requirements while adhering to Microsoft best practice?
Create a Device configuration profile that uses the Identity protection template.
Create an Endpoint security Antivirus policy and enable drive encryption settings.
Create a Device compliance policy that marks devices noncompliant if BitLocker is disabled.
Create an Endpoint security Disk encryption policy that uses the Windows 10 and later BitLocker profile.
Answer Description
Endpoint security Disk encryption policies are designed specifically for managing BitLocker and FileVault settings. A Windows (BitLocker) profile automatically enables BitLocker during provisioning, escrows the recovery key to Azure AD, and exposes settings that prevent users from turning BitLocker off. A Device configuration profile created from the Identity protection template can also configure BitLocker, but Microsoft recommends using the more focused Endpoint security policy for new deployments. A Device compliance policy can only report and enforce compliance; it does not configure BitLocker. An Endpoint security Antivirus policy contains antivirus-related settings and cannot manage drive encryption.
You have assigned several Windows 11 update rings in Microsoft Intune. After the first deployment cycle, you need to determine which devices still require a restart to finish installing the latest quality updates. In the Intune admin center, which built-in report should you review to locate those devices without running additional filters or exporting data?
Windows update ring device status
Windows expedited update status
Windows feature update deployment status
Update compliance workbook in Azure Monitor
Answer Description
The Windows update ring device status report shows, for every device targeted by any update ring, the current result of the most recent scan. Devices that have downloaded and installed the quality update but have not yet restarted are listed with the state "Restart pending", allowing you to quickly identify systems that still need a reboot. The Windows feature update deployment status report is limited to feature updates only, the Windows expedited update status report tracks expedited deployments, and the Update compliance workbook is part of Azure Monitor rather than a native Intune report.
Your company purchased 200 Android tablets that will be permanently mounted in meeting rooms to display a room-scheduling application. Users must be prevented from accessing system settings or adding personal Google accounts. You will enroll the tablets in Microsoft Intune by providing an enrollment token (for example, by scanning a QR code) during initial device setup after a factory reset. Which Android Enterprise enrollment profile should you configure to meet the requirements?
Android Enterprise personally-owned work profile enrollment profile
Android Enterprise dedicated device enrollment profile
Android Enterprise corporate-owned work profile enrollment profile
Android Enterprise fully managed device enrollment profile
Answer Description
Android Enterprise dedicated device enrollment is designed for corporate-owned devices that serve a single purpose, such as kiosks or room-scheduling panels. Enrollment is performed with an Intune-generated token delivered through methods like QR code, NFC, or manual entry, rather than by importing hardware identifiers. Dedicated device enrollment automatically locks down system UI access and can block personal Google accounts, meeting all stated requirements. Fully managed enrollment gives each user full device control, corporate-owned work profile maintains a separate personal profile, and personally-owned work profile is BYOD-focused and user-initiated, so none of those meet the scenario.
Your company has a folder named C:\Packages\FinanceApp that contains FinanceAppSetup.exe and several required DLL files. You need to deploy the application to Windows 10 and Windows 11 devices as a Win32 app by using Microsoft Intune. Before you upload the app in the Intune admin center, which action should you perform on the folder, and what output file will be produced?
Compress the folder into a .zip file and upload the archive directly to Intune.
Use the Office Deployment Tool to convert the executable and create a .cab package.
Package the installer with the App-V Sequencer to produce a .appv file.
Run IntuneWinAppUtil.exe against the folder to generate a FinanceAppSetup.intunewin file.
Answer Description
To deploy a classic Win32 application through Intune, the installation source files must first be converted to the Intune-specific .intunewin format. This is done with the Microsoft Win32 Content Prep Tool (IntuneWinAppUtil.exe). The utility is pointed at the folder that contains the installer and any supporting files, along with an output location. After the tool runs, it produces a single .intunewin file that can be uploaded to Intune. Neither the Office Deployment Tool, App-V Sequencer, nor a simple .zip archive produces a package that Intune will accept for Win32 app deployment.
Your company uses Microsoft Intune as the MDM authority and has Microsoft Entra ID Premium P1 licenses. All Windows 11 laptops are already joined to Microsoft Entra ID. You need to ensure that devices automatically enroll in Intune when users sign in, but only for users who are members of the Sales Azure AD group. What should you configure?
Set the MDM user scope to Some and assign the Sales Azure AD group.
Remove Intune licenses from all users except those in the Sales group.
Create a Conditional Access policy that requires compliant devices for the Sales group.
Create a device configuration profile for Windows and target it to the Sales group.
Answer Description
Automatic enrollment for Windows devices is controlled by the MDM user scope setting in the Microsoft Entra admin center (formerly Azure AD portal). Set the scope to Some and select the Sales Azure AD group so that only users in that group trigger Intune automatic enrollment at sign-in. Device configuration profiles, license assignment, and Conditional Access policies do not initiate the enrollment process.
You administer Microsoft Intune for Contoso. A corporate-owned Windows 11 laptop has been permanently lost. You must immediately remove all Intune-managed apps, configuration profiles, and company data from the device so that it can no longer access organizational resources. Local user data on the device must remain intact. Which Intune remote action should you perform?
Delete
Retire
Wipe
Fresh Start
Answer Description
The Retire remote action tells Intune to remove the management profile, corporate configuration settings, and any apps and data that were deployed through Intune. It does not factory-reset the operating system, so personal files that were created outside of Intune remain on the disk. Wipe would restore the device to factory defaults and erase local user content, Delete only removes the Intune object without contacting the device, and Fresh Start reinstalls Windows while leaving the device enrolled, which does not meet the requirement to remove corporate management.
You manage 5,000 Windows 10 devices that run Microsoft 365 Apps for enterprise. You need an automated way to ensure a pilot group of 200 devices always receives the newest Monthly Enterprise Channel build promptly after Microsoft releases it, and you must be able to roll back those devices to the previous build if problems occur. Which feature in the Microsoft 365 Apps admin center should you use?
Enable ProPlus Delivery Optimization for the tenant in the Microsoft 365 admin center.
Configure a Windows Update for Business ring that forces updates every two days.
Define a macro security policy in the Office cloud policy service for the pilot group.
Create a servicing profile and assign the pilot devices to it.
Answer Description
The servicing profile (now referred to as Cloud Update) in the Microsoft 365 Apps admin center is designed to automatically deliver the most recent Monthly Enterprise Channel build to a selected set of devices. You can scope the profile to a specific device group, configure an update deadline (for example, two days) to control how quickly devices must install the new build, and use the built-in rollback capability to revert the devices to one of the previous builds if issues are detected. Inventory filtering and health dashboards only report status, the Office cloud policy service manages application settings, and Windows Update for Business rings do not control Microsoft 365 Apps update delivery.
You are creating an Endpoint security Attack surface reduction rules profile in Microsoft Intune for Windows 11 devices. The rule "Block Office applications from creating child processes" must remain in Block mode. However, an internally developed tool named ContosoApp.exe has to keep launching child processes from Microsoft Word, no matter where ContosoApp.exe is located on disk. You plan to use the rule's exclusion list. Which single value should you add to the exclusion list to meet the requirement?
ContosoApp.exe
The SHA-256 hash of ContosoApp.exe
The code-signing certificate thumbprint used to sign ContosoApp.exe
The folder path where ContosoApp.exe is currently stored
Answer Description
When configuring the exclusion list for an ASR rule in Intune, you can enter just an executable name. If only the file name (for example, ContosoApp.exe) is specified, the rule excludes that process wherever it resides on the device. Folder paths would work only for the specified location, a hash-based value is not supported for ASR exclusions in Intune, and using the code-signing certificate would exempt every file signed with that certificate, not just the required executable.
A company-owned Windows 11 laptop must be prepared for reassignment to a new employee. The device should be reset to factory defaults and all data from the previous user must be removed. However, the laptop must remain Azure AD-joined and stay enrolled in Microsoft Intune so that it continues to receive policies without requiring Windows Autopilot provisioning again. In the Microsoft Intune admin center, which remote action meets these requirements?
Autopilot Reset
Fresh Start
Wipe device, but keep enrollment state and associated user account
Retire
Answer Description
Autopilot Reset performs a full factory reset that removes user data, settings, and installed applications while preserving the device's Azure AD join and Intune enrollment. This makes the device ready for the next user without having to be re-enrolled. The Wipe action with the keep-enrollment option retains user data, Fresh Start only removes OEM and user-installed apps, and Retire simply removes the device from management without resetting Windows.
You need to create a dynamic Microsoft Entra ID device group that will contain only the Windows computers that are hybrid Azure AD-joined. Which device attribute should you use in the membership rule to accurately target these devices?
deviceTrustType equals "ServerAd"
deviceEnrollmentType equals "WindowsAutopilot"
joinType equals "AAD"
deviceOwnership equals "Company"
Answer Description
In Microsoft Entra ID dynamic device rules, the deviceTrustType attribute identifies how a Windows device is joined:
- ServerAd identifies a hybrid Azure AD-joined computer (joined to on-premises Active Directory and registered in Entra ID).
- AzureAd identifies purely Azure AD-joined devices.
- Workplace identifies Azure AD-registered (personal) devices.
Other attributes such as ownership, join type, or enrollment type do not reliably separate hybrid Azure AD-joined computers from other devices, so using them would include unwanted members or omit valid ones.
You need to retrieve each enrolled Windows 11 device's BIOS serial number by using the Device query (preview) remote action in Microsoft Intune instead of running a custom script. Which Kusto Query Language statement should you run so that every device returns only its own BIOS serial number?
Registry | where Key == "HKLM\HARDWARE\DESCRIPTION\System" | project DeviceName, Value
DeviceSystemInfo | project BiosSerialNumber
Bios | summarize arg_max(TimeGenerated, *) by DeviceName
Bios | project SerialNumber
Answer Description
The Bios table exposed by the Device query (preview) action contains BIOS hardware details, including the serial number. By projecting only the SerialNumber column, each device returns a single row with its individual BIOS serial number. Aggregating with summarize would collapse multiple devices into one row per device name, while the registry example requires specifying both a key path and a value name. The DeviceSystemInfo example is invalid because the Device query schema does not expose a BiosSerialNumber column in that table.
You are preparing a Windows Autopilot user-driven deployment for 1,000 remote employees. Company policy states that users must be blocked from accessing the Windows desktop until every required Win32 application, baseline policy, and compliance policy is fully installed or applied. The solution must also display real-time provisioning progress to the user during the first run experience. Which Intune feature should you configure to meet these requirements?
Deploy the security baseline as a device configuration profile with the Highest priority.
Enable Windows Autopilot pre-provisioning (White Glove) on the deployment profile.
Create and assign an Enrollment Status Page profile that blocks device use until provisioning is complete.
Set a 0-hour installation deadline on all required Win32 applications.
Answer Description
An Enrollment Status Page (ESP) profile lets you decide whether the Out-of-box Experience should block access to the desktop until all required applications and policies have finished installing. When blocking is enabled, the ESP also shows the user a progress screen that lists each item as it completes. Neither pre-provisioning (formerly White Glove) nor simply marking apps as required prevents a user from reaching the desktop during first sign-in, and device configuration baselines alone do not provide a blocking or progress interface.
You manage devices with Microsoft Intune. You need to rotate the BitLocker recovery keys for 90 Windows 11 laptops at the same time. In the Microsoft Intune admin center, which navigation path should you use to launch the bulk action that lets you perform this task in a single operation?
Devices > Bulk device actions, choose Windows, and then select Rotate BitLocker key.
Devices > Configuration profiles, deploy a PowerShell script that rotates the keys.
Devices > All devices > Bulk device actions, choose Windows, and then select Rotate BitLocker key.
Endpoint security > Disk encryption, open the BitLocker policy, and start a key rotation task.
Answer Description
Bulk remote actions are initiated from the Bulk device actions wizard, which is accessed by navigating to Devices > All devices and then selecting Bulk device actions. From the wizard you choose Windows as the platform, select Rotate BitLocker key, and then pick the target devices or device groups. Selecting devices individually, using the Endpoint security console, or deploying a PowerShell script through a configuration profile will not start the bulk Rotate BitLocker key action in one step.
You deploy Endpoint Privilege Management (EPM) and assign a settings policy to a group of Windows 11 devices. Help-desk staff ask that a line-of-business executable (C:\Apps\AcmeTool.exe) can be run with elevated rights by standard users for up to two hours, without requiring service-desk approval. What should you configure next in Microsoft Intune to meet the requirement?
Deploy the Windows security baseline and enable the policy setting 'Enable LAPS and Local Admin Password Rotation'.
Create an Endpoint Privilege Management Elevation rules policy, add an Automatic rule for C:\Apps\AcmeTool.exe, and set the maximum elevation duration to 120 minutes.
Assign the built-in Help Desk Operator Intune role to the users for two hours by using a Privileged Identity Management (PIM) activation.
Create a second Endpoint Privilege Management settings policy that enables User confirmed elevations and assign it to the same device group.
Answer Description
EPM elevation settings policies turn on the EPM agent, but elevation behaviour is defined in a separate Elevation rules policy. To allow users to elevate a specific executable automatically, add a rule that targets the file path, choose the Automatic approval mode, and set the Maximum elevation duration to the required value (120 minutes). Creating another settings policy only enables or disables EPM features; role assignments or security baselines do not grant just-in-time local administrator rights through the EPM agent.
Your organization manages supervised corporate-owned iPhones with Microsoft Intune. Administrators must hide new iOS versions from users for 30 days after Apple releases them. After the 30-day period, an existing update policy will install the update automatically. Which Intune profile type contains the setting you must configure to meet this requirement?
Create an iOS/iPadOS compliance policy that requires devices to run an OS version at least 30 days old.
Create and assign an iOS/iPadOS Device Restrictions profile that sets Delay visibility of software updates to 30 days.
Create a custom configuration profile that uses the com.apple.SoftwareUpdate payload to postpone updates for 30 days.
Create and deploy an iOS/iPadOS update policy profile that defers updates for 30 days.
Answer Description
The Delay visibility of software updates setting is part of the iOS/iPadOS Device Restrictions configuration profile. By creating a device-restrictions profile and setting the delay to 30 days, new iOS releases are hidden from supervised devices for that period. Update policies handle installation timing but do not include the visibility-delay setting. Compliance policies only report posture, and a custom OMA-URI profile is unnecessary because the native device-restrictions payload already supports this feature.