Microsoft 365 Endpoint Administrator Associate Practice Test (MD-102)

Microsoft 365 Endpoint Administrator Associate MD-102 Information
The Endpoint Administrator Associate Exam (MD-102)
The Microsoft 365 Endpoint Administrator Associate certification, obtained by passing the MD-102 exam, validates the skills required for deploying, configuring, protecting, managing, and monitoring devices and client applications in a Microsoft 365 environment. This certification has replaced the previous MD-100 and MD-101 exams, unifying the content into a single, comprehensive test that reflects the shift towards cloud-centric and hybrid endpoint management. The exam is intended for IT professionals, including system administrators and endpoint managers, who are responsible for managing identity, security, access, policies, updates, and apps for endpoints. Candidates should have subject matter expertise in Microsoft Intune, Windows 365, Windows Autopilot, Microsoft Defender for Endpoint, and Microsoft Entra ID.
The skills measured in the MD-102 exam are grouped into several key areas. A significant portion of the exam focuses on managing, maintaining, and protecting devices, which can account for 40-45% of the questions. Another major domain is the deployment of Windows clients, making up about 25-30% of the content. The remaining sections cover managing identity and compliance (15-20%) and managing applications (15-20%). This structure emphasizes the modern administrator's role in not just deploying operating systems but also ensuring that devices remain secure and compliant throughout their lifecycle using tools like Microsoft Intune.
The Value of Practice Exams for Success
To successfully pass the MD-102 exam, hands-on experience should be supplemented with thorough preparation, and practice exams are an invaluable tool in this process. Taking practice tests helps candidates assess their knowledge, identify areas of weakness, and become familiar with the format and types of questions they will encounter in the actual exam, which can include multiple-choice and scenario-based questions. These practice runs provide a realistic testing experience, allowing you to gauge your readiness and build confidence.
Many resources offer practice exams that cover all the domains of the official MD-102 syllabus and provide detailed explanations for both correct and incorrect answers. This feedback is crucial for understanding the underlying concepts and learning from mistakes. By simulating the exam environment, candidates can practice time management and reduce anxiety, which are key factors for success on exam day. Utilizing these tools allows you to focus your study efforts more effectively on the topics that require further attention, ultimately increasing your chances of earning the Microsoft 365 Certified: Endpoint Administrator Associate certification.

Free Microsoft 365 Endpoint Administrator Associate MD-102 Practice Test
- 20 Questions
- Unlimited time
- Prepare infrastructure for devices, Manage and maintain devices, Manage applications, Protect devices
Your company supports bring-your-own iOS and Android devices. You create an Intune app protection policy that encrypts corporate data in Outlook. You must ensure users can sign in to Exchange Online only when the Outlook instance on the device has the app protection policy applied. In the Conditional Access policy for Exchange Online, which grant control should you enable to meet the requirement?
Require app protection policy
Require approved client app
Require device to be marked as compliant
Require multi-factor authentication
Answer Description
The Conditional Access grant control "Require app protection policy" allows access only from iOS and Android client apps that have an Intune app protection (MAM) policy assigned to the user. When this control is selected, sign-in attempts from apps without the required policy are blocked, preventing unmanaged copies of Outlook from connecting. "Require approved client app" merely checks that the app is on the approved list but does not verify that a protection policy applies. "Require device to be marked as compliant" applies to device-based MDM compliance, which the scenario does not mandate. Multifactor authentication increases sign-in security but does not enforce the presence of the Intune protection policy.
A Windows 11 laptop enrolled in Microsoft Intune is targeted by two update policies:
- A Windows Update ring that defers feature updates for 90 days.
- A Feature update policy that pins the device to Windows 11 version 22H2.
The device is currently running Windows 11 version 21H2. What happens when both policies are applied to the laptop?
The laptop remains on Windows 11 version 21H2 until the 90-day deferral period ends, then upgrades.
Intune detects a conflict between the two policies and reports a policy error. No upgrade occurs.
The laptop upgrades to Windows 11 version 22H2 immediately, ignoring the 90-day deferral.
The laptop installs only quality updates and blocks all feature updates, including 22H2.
Answer Description
When multiple Windows update policies apply to the same device, Intune follows a fixed precedence order. An Expedite update policy has the highest precedence, followed by a Feature update policy, and lastly settings in a Windows Update ring. Because the Feature update policy ranks higher than the deferral settings in the Update ring, the device will ignore the 90-day deferral and upgrade to the version specified in the Feature update policy (Windows 11 22H2). There is no policy conflict error, and quality updates continue to install as usual after the upgrade.
You have imported a third-party ADMX/ADML pair into Microsoft Intune. The affected devices belong to an Azure AD group that contains both Windows 10 and Windows 11 computers. Only Windows 11 devices must receive the new settings, including future builds. What should you do next in Intune?
Create a Settings catalog profile, configure the imported settings, assign it to the Azure AD group, and include a filter where operatingSystemVersion ≥ 10.0.22000.
Use a Custom (OMA-URI) profile to upload the ADMX as an ADMXInstall policy and exclude Windows 10 devices in the assignment.
Move the Windows 11 devices into a separate dynamic Azure AD group and assign the imported settings to that group only.
Create a profile that uses the Imported Administrative Templates template and assign it without any additional filters.
Answer Description
Create a configuration profile that uses the Settings catalog. In the profile, configure the imported ADMX settings, assign the profile to the existing Azure AD group, and add an Include filter that targets devices whose operatingSystemVersion is greater than or equal to 10.0.22000. Because Windows 10 builds are lower than 22000, they are excluded automatically, and future Windows 11 builds continue to match the rule. The other options either use the wrong profile type, rely on manual OMA-URI entries, or require changing group membership, none of which is necessary.
Your company is deploying new Windows 11 devices by using Windows Autopilot. You need every computer name to start with EMP- and end with a unique, randomly generated string that contains exactly five alphanumeric characters. The complete name must always stay within the 15-character NetBIOS limit. Which device name template should you configure in the Autopilot deployment profile?
EMP-%RAND:5%
EMP-%RAND%
EMP-%RAND:12%
EMP-%SERIAL%
Answer Description
Using the %RAND:x% variable lets Intune append a random alphanumeric string whose exact length is defined by the value of x. A prefix of EMP- is four characters long, so specifying %RAND:5% produces names that are 4 (prefix) + 5 (random string) = 9 characters, well under the 15-character limit and meeting the requirement for a five-character suffix. The plain %RAND% variable defaults to six characters, which would not meet the exact-length requirement. %SERIAL% substitutes the full hardware serial number, which can easily push the name past 15 characters. %RAND:12% would exceed the limit because the total length would be 4 + 12 = 16 characters.
You manage Intune for an organization whose Windows 10 and 11 devices are Azure AD-joined and already enrolled. After purchasing Microsoft Defender for Endpoint (MDE), you finished service setup in the Microsoft 365 Defender portal. You must onboard all existing Windows devices to MDE with minimal administrative effort and without user interaction or local scripts. In Intune, what should you do next?
Enable Device Health Attestation policies and assign them to every Windows device.
Deploy a PowerShell script that runs the MDE onboarding command on each computer.
Package the Windows onboarding script as a Win32 application and deploy the app to all managed devices.
Enable the Microsoft Defender for Endpoint connector, then create and assign an Endpoint detection and response device configuration profile.
Answer Description
After the MDE connector is enabled, Intune can automatically onboard Windows 10/11 devices by deploying an Endpoint detection and response (EDR) configuration profile. Creating and assigning this profile pushes the built-in MDE onboarding policy through the MDM channel, requiring no scripts, packaging, or user prompts. Packaging the onboarding script as a Win32 app or running it through a PowerShell script would work but adds unnecessary steps. A settings catalog profile that only changes unrelated Defender settings or enabling Device Health Attestation does not perform the onboarding action.
Your company recently added the Microsoft Intune Suite add-on license and wants to streamline deployment of common third-party Windows desktop applications. You are asked to publish 7-Zip to managed devices without having to prepare a .intunewin package or manually configure detection rules. In the Intune admin center, you open Apps but are unsure which workflow provides the least administrative effort.
Which action should you perform first?
Select Apps > All apps > Add and choose App type: Microsoft Store app (new).
Select Apps > All apps > Add and choose App type: Windows app (Win32).
Select Apps > Catalog and choose Add app from catalog.
Select Apps > All apps > Add and choose App type: Line-of-business app.
Answer Description
Choosing Apps > Catalog and then Add app from catalog launches the Enterprise App Catalog workflow, which contains a curated list of roughly 450 pre-packaged Win32 applications, including 7-Zip. When you add an app from the catalog, Intune imports predefined install and detection settings so you do not need to supply your own package or rules. Although the Enterprise App Management license surfaces new versions in the Updates for Windows (Win32) catalog apps blade, administrators still decide when to add updated versions. The Windows app (Win32), Microsoft Store app (new), and Line-of-business workflows all require either custom packaging or are limited to Store offerings, therefore involve more manual effort in this scenario.
Your company has an Intune-managed tenant that includes Windows 11 Enterprise devices. You purchased Microsoft Defender for Endpoint P2 licenses and, in the Microsoft 365 Defender portal, turned on the Microsoft Intune connection. You need the devices to start reporting to Defender for Endpoint without running onboarding scripts. Which additional step must you perform?
Install the Microsoft Monitoring Agent on each device by using an Intune Win32 app.
Turn on automatic collection of diagnostic data in Windows telemetry settings.
Enable the Microsoft Defender for Endpoint connector in Intune under Tenant administration > Connectors and tokens.
Deploy the Microsoft Defender Antivirus security baseline to all Windows 11 devices.
Answer Description
For automatic onboarding, the Defender for Endpoint connection has to be enabled in both services. Turning on the Microsoft Intune connection in the Microsoft 365 Defender portal completes only half of the integration. You must also enable the Microsoft Defender for Endpoint connector in the Intune admin center (Tenant administration > Connectors and tokens > Microsoft Defender for Endpoint). When that connector is set to On and saved, enrolled Windows 10/11 devices automatically onboard to Microsoft Defender for Endpoint. Deploying security baselines, changing telemetry, or installing the legacy Microsoft Monitoring Agent are not prerequisites for this integration and will not by themselves trigger device onboarding.
You are creating a Windows 10/11 update ring in Microsoft Intune for the Broad deployment group. The ring must meet these requirements:
- Postpone installation of feature updates for 120 days after Microsoft releases them.
- Download quality updates as soon as they are published, but force devices to finish installing those updates no later than three days after they become available.
- Ensure that devices automatically restart outside active hours when the installation deadline is reached.
Which policy configuration meets all the requirements?
Feature update deferral period: 120 days; Quality update deferral period: 3 days; Deadline for quality updates: 0 days; Auto reboot before deadline: Disabled
Feature update deferral period: 0 days; Quality update deferral period: 120 days; Deadline for quality updates: 3 days; Auto reboot before deadline: Enabled
Feature update deferral period: 90 days; Quality update deferral period: 0 days; Deadline for quality updates: 7 days; Auto reboot before deadline: Disabled
Feature update deferral period: 120 days; Quality update deferral period: 0 days; Deadline for quality updates: 3 days; Auto reboot before deadline: Enabled
Answer Description
The Feature update deferral period (days) setting controls how long Windows waits before offering a new feature update. Setting it to 120 postpones feature updates for four months. Leaving Quality update deferral period (days) at 0 lets quality updates download as soon as they are released. The Deadline for quality updates (days) forces installation to complete within a specified number of days; setting it to 3 satisfies the three-day requirement. Enabling Auto reboot before deadline allows Windows to restart automatically outside active hours once the deadline is reached, guaranteeing that the update cycle completes even if users postpone the restart. The other answer choices either defer quality updates, give users control over restarts, or omit the automatic-restart requirement and therefore do not fulfil all stated goals.
You manage Windows 10 and Windows 11 devices that are enrolled in Microsoft Intune and onboarded to Microsoft Defender for Endpoint. A third-party antivirus product will be deployed to all devices, but you must still collect endpoint detection and response (EDR) telemetry through Microsoft Defender for Endpoint. You need to create an Endpoint security > Antivirus policy that meets the requirement and prevents two antivirus engines from running simultaneously. Which setting should you configure in the Intune policy?
Enable Windows Defender periodic scanning so it runs only when the third-party product is idle.
Enable Passive mode in the Microsoft Defender Antivirus policy.
Configure the "Turn off Microsoft Defender Antivirus" setting in the current security baseline.
Disable Real-time protection in the Microsoft Defender Antivirus policy.
Answer Description
When the third-party antivirus product is installed, Microsoft Defender Antivirus must stop active protection yet continue to act as the EDR sensor for Microsoft Defender for Endpoint. This behavior is achieved by enabling Passive mode in a Microsoft Defender Antivirus profile. In passive mode, the Defender engine turns off real-time, scheduled, and on-demand scanning, avoiding conflicts with another antivirus solution, but it still sends telemetry to Defender for Endpoint. Disabling real-time protection or turning off Microsoft Defender Antivirus would either violate platform protection requirements or completely remove the EDR sensor. Periodic scanning keeps Defender active and would cause two engines to run side by side rather than disabling one of them.
You are creating an Enrollment Status Page (ESP) profile for Windows Autopilot user-driven deployments. Support requires that users must be unable to reach the Windows desktop until every app and configuration profile that has been assigned to the user or the device as Required has completed installation. Which ESP setting should you configure to Yes to meet this requirement?
Show app and profile installation progress
Block device use until all apps and profiles are installed
Assign the ESP profile to the All Devices group
Allow users to reset the device if installation error occurs
Answer Description
Set "Block device use until all apps and profiles are installed" to Yes. This option holds the device at the ESP screen during setup and prevents access to the Windows desktop until Intune has finished installing all Required apps and configuration profiles assigned to the user or the device. The other options do not enforce this block: showing installation progress is cosmetic only, allowing users to reset the device offers a recovery path after failures, and merely targeting the ESP profile to All Devices does not impose any blocking behavior by itself.
You manage Windows 11 devices that are enrolled in Microsoft Intune. Administrators sometimes disable Microsoft Defender Antivirus real-time protection while troubleshooting and then forget to turn it back on. You must create an Endpoint security Antivirus policy that blocks any local user, including administrators, from switching real-time protection off, while still keeping the feature enabled. Which policy setting should you configure, and how?
Disable user access to the Microsoft Defender Antivirus interface.
Enable the setting "Turn off real-time protection".
Enable the "Intrusion prevention system" option in the firewall policy.
Configure the setting "Allow users to pause real-time protection" and set it to Disabled.
Answer Description
In an Endpoint security Antivirus policy for Windows 10 and later, the setting that controls whether users can turn off Microsoft Defender Antivirus real-time protection is Allow users to pause real-time protection. Setting this value to Disabled (sometimes shown as No) keeps real-time protection enabled and prevents all local users, including administrators, from pausing or turning it off. The other options are incorrect:
- Turning on the setting Turn off real-time protection disables the feature completely, which does not meet the requirement.
- Enable intrusion prevention system is an unrelated setting found in firewall, not antivirus, policies.
- Blocking user interface access removes the Microsoft Defender UI but does not stop a local administrator from disabling the service through PowerShell or other tools.
You are preparing 300 rugged laptops for warehouse workers. A technician in the staging facility must turn on each device once, allow all apps and policies to install, then reseal the device. When workers unbox the laptops, they should only sign in and immediately start using Windows. Which Windows Autopilot deployment mode meets the requirement?
Self-deploying mode
User-driven mode with Azure AD join
Pre-provisioned deployment
User-driven mode with Hybrid Azure AD join
Answer Description
Pre-provisioned deployment (previously called White Glove) lets an IT technician complete device setup, app installation, and policy assignment before the computer is delivered. The device is then resealed so that the end user experiences only a brief sign-in during OOBE. Self-deploying mode is intended for kiosk-style devices with no user sign-in. The two user-driven modes require the full OOBE and install configuration after the user first powers on the device, which does not satisfy the requirement for advance staging.
You administer a Microsoft Intune tenant that manages all Windows 10 21H2 devices. You need to onboard the devices into Microsoft Defender for Endpoint automatically and ensure any newly enrolled Windows devices are also onboarded. You have already turned on the Microsoft Defender for Endpoint connector in Intune. Which Intune policy should you deploy?
Deploy the Windows Defender for Endpoint onboarding package as a PowerShell script.
Create a settings catalog profile that enables the MDE-Management CSP.
Create and assign an Endpoint security - Endpoint detection and response profile.
Install the Microsoft Monitoring Agent (MMA) by deploying its MSI as a Win32 app.
Answer Description
When the Intune connector for Microsoft Defender for Endpoint is enabled, Windows clients can be onboarded by assigning an Endpoint security "Endpoint detection and response" (EDR) profile. The EDR profile delivers the onboarding configuration through the MDM channel and continues to apply to any future devices in the targeted groups. Running a standalone PowerShell onboarding script or deploying the Microsoft Monitoring Agent are alternative onboarding methods when Intune is not used. A settings catalog profile that only enables MDE-Management does not perform the initial onboarding.
You are configuring Intune to deploy Microsoft 365 Apps during Windows Autopilot provisioning. After building the installation package with the Office Deployment Tool, you add the package as a Win32 app in Intune. You need the installation to run and be tracked during the device setup phase of the Enrollment Status Page so that the user reaches the desktop only after Microsoft 365 Apps is in place. Which configuration meets this requirement?
Configure Install behavior as User and assign the app as Required to the device group that contains the Autopilot devices.
Configure Install behavior as User and assign the app as Available to a user group.
Configure Install behavior as System and assign the app as Required to a device group that contains the Autopilot devices.
Configure Install behavior as System and assign the app as Available to a user group.
Answer Description
During the device-setup phase of the Enrollment Status Page, Intune installs only apps that run in the system context and that are required for the device or a device-based group. Assigning the Win32 package to a device group that contains the Autopilot devices and choosing the System install behavior ensures the app is processed before the user sign-in screen appears. Apps set to User context or made merely Available are installed later in the user phase or only when the user requests them, so they are not tracked in the device-setup stage.
Your company purchased 200 Android tablets that will be permanently mounted in meeting rooms to display a room-scheduling application. Users must be prevented from accessing system settings or adding personal Google accounts. You will enroll the tablets in Microsoft Intune by providing an enrollment token (for example, by scanning a QR code) during initial device setup after a factory reset. Which Android Enterprise enrollment profile should you configure to meet the requirements?
Android Enterprise dedicated device enrollment profile
Android Enterprise corporate-owned work profile enrollment profile
Android Enterprise fully managed device enrollment profile
Android Enterprise personally-owned work profile enrollment profile
Answer Description
Android Enterprise dedicated device enrollment is designed for corporate-owned devices that serve a single purpose, such as kiosks or room-scheduling panels. Enrollment is performed with an Intune-generated token delivered through methods like QR code, NFC, or manual entry, rather than by importing hardware identifiers. Dedicated device enrollment automatically locks down system UI access and can block personal Google accounts, meeting all stated requirements. Fully managed enrollment gives each user full device control, corporate-owned work profile maintains a separate personal profile, and personally-owned work profile is BYOD-focused and user-initiated, so none of those meet the scenario.
Your organization will deploy 300 new corporate-owned Android devices to be used as shared kiosks. You want the devices to enroll automatically in Microsoft Intune during the initial setup wizard without requiring technicians to interact with each handset. Which Intune enrollment approach should you implement to meet these requirements?
Android Enterprise fully managed enrollment by scanning a QR code generated in Intune during out-of-box setup
Apple Automated Device Enrollment (ADE) through Apple Business Manager
Android Enterprise dedicated device enrollment using a provisioning JSON assigned through the Google Zero-touch portal
Bulk enrollment with the Android device administrator profile and the Company Portal app
Answer Description
Zero-touch enrollment for Android Enterprise dedicated devices is designed for large-scale, hands-off deployments. In Intune you create a zero-touch configuration that generates a provisioning JSON file containing the enrollment token and DPC extras. This JSON is uploaded to the Google Zero-touch portal and assigned to the hardware so that, when each device is first powered on, it automatically contacts Google, receives the configuration, and enrolls in Intune as a dedicated device. The QR code option still requires a technician to scan the code on every device. Device administrator enrollment is legacy and discouraged for new deployments. Apple Automated Device Enrollment applies only to iOS and macOS devices, not Android.
You manage a Microsoft 365 tenant that uses Microsoft Intune to evaluate device compliance. You must create a Conditional Access policy that prevents users from accessing SharePoint Online when their device compliance state equals Not compliant but permits access without additional requirements when the state is Compliant. While configuring the policy's Grant controls, which single option should you enable to meet the requirement?
Require password change
Require device to be marked as compliant
Require multi-factor authentication
Require hybrid Azure AD joined device
Answer Description
The Grant control "Require device to be marked as compliant" checks the device state supplied by Intune. If the device is compliant, access is allowed; if the device is not compliant, access is denied. None of the other grant controls evaluate Intune compliance. "Require multi-factor authentication" enforces MFA but ignores compliance. "Require hybrid Azure AD joined device" validates join state, not compliance. "Require password change" forces a credential reset but likewise does not use compliance information.
You deploy a Windows 10 feature updates policy to 500 laptops by using Microsoft Intune. Several devices fail to install the targeted feature update. You need to obtain a report that lists every affected device together with the specific Windows Update error code returned during installation so that you can begin troubleshooting. Which Intune report should you generate?
Windows 10 and later feature updates
Windows 10 and later quality update failures
Windows 10 and later feature update failures
Windows 10/11 update ring deployment status for the policy
Answer Description
The Windows 10 and later feature update failures report is designed to help administrators troubleshoot feature update deployments. It lists each device that did not complete the installation and shows the returned Windows Update error code, allowing you to investigate root causes. The general feature updates report only shows high-level deployment state without per-device error codes. Quality update failures is limited to cumulative (quality) updates, not feature updates, while the update ring deployment status surfaces whether devices are up-to-date or pending but does not expose the detailed error information required.
You are deploying Microsoft Tunnel for Mobile Application Management (MAM) to provide per-app VPN access for unmanaged Android and iOS devices. You have already created a Tunnel site in Intune and prepared an Ubuntu Server that will host the containerized Tunnel gateway. Before you can run the installation script on the Linux server and register it with Intune, which piece of information must you obtain from the Intune admin center and supply to the script so the server can join the correct site?
The IP address pool reserved for VPN clients
The site token that Intune generated for the Tunnel site
The public DNS name that devices will use to reach the Tunnel gateway
The custom DNS suffix to assign to internal resources
Answer Description
When you create a Microsoft Tunnel site in Intune, the admin center generates a unique site token. The token is required only once, during initial server registration, and it binds the Tunnel gateway instance to the designated site. The installation script includes a parameter where you paste this token. Supplying the public IP, address pool, or DNS suffix is part of server or VPN configuration but is not required for the registration step, so those choices are incorrect.
You are creating a Windows 10 and later update ring in Microsoft Intune. The ring must install quality updates within two days of their release, but users should have an extra five days after that deadline before Windows automatically restarts to complete the installation. Which update ring setting should you configure to meet this requirement?
Display notifications to show a restart is required
Auto-install and restart at maintenance time
Quality update deferral period (days)
Grace period (days) for auto-restart
Answer Description
The Grace period (days) for auto-restart setting defines how many additional days users have after the quality-update deadline passes before Windows forces a restart. Adjusting this setting to five days provides the requested additional time. Deferral periods determine when the update is offered, notification settings control user prompts, and the maintenance time option only specifies when restarts occur, not how long they are postponed.