Microsoft 365 Endpoint Administrator Associate Practice Test (MD-102)
Use the form below to configure your Microsoft 365 Endpoint Administrator Associate Practice Test (MD-102). The practice test can be configured to only include certain exam objectives and domains. You can choose between 5-100 questions and set a time limit.

Microsoft 365 Endpoint Administrator Associate MD-102 Information
The Endpoint Administrator Associate Exam (MD-102)
The Microsoft 365 Endpoint Administrator Associate certification, obtained by passing the MD-102 exam, validates the skills required for deploying, configuring, protecting, managing, and monitoring devices and client applications in a Microsoft 365 environment. This certification has replaced the previous MD-100 and MD-101 exams, unifying the content into a single, comprehensive test that reflects the shift towards cloud-centric and hybrid endpoint management. The exam is intended for IT professionals, including system administrators and endpoint managers, who are responsible for managing identity, security, access, policies, updates, and apps for endpoints. Candidates should have subject matter expertise in Microsoft Intune, Windows 365, Windows Autopilot, Microsoft Defender for Endpoint, and Microsoft Entra ID.
The skills measured in the MD-102 exam are grouped into several key areas. A significant portion of the exam focuses on managing, maintaining, and protecting devices, which can account for 40-45% of the questions. Another major domain is the deployment of Windows clients, making up about 25-30% of the content. The remaining sections cover managing identity and compliance (15-20%) and managing applications (15-20%). This structure emphasizes the modern administrator's role in not just deploying operating systems but also ensuring that devices remain secure and compliant throughout their lifecycle using tools like Microsoft Intune.
The Value of Practice Exams for Success
To successfully pass the MD-102 exam, hands-on experience should be supplemented with thorough preparation, and practice exams are an invaluable tool in this process. Taking practice tests helps candidates assess their knowledge, identify areas of weakness, and become familiar with the format and types of questions they will encounter in the actual exam, which can include multiple-choice and scenario-based questions. These practice runs provide a realistic testing experience, allowing you to gauge your readiness and build confidence.
Many resources offer practice exams that cover all the domains of the official MD-102 syllabus and provide detailed explanations for both correct and incorrect answers. This feedback is crucial for understanding the underlying concepts and learning from mistakes. By simulating the exam environment, candidates can practice time management and reduce anxiety, which are key factors for success on exam day. Utilizing these tools allows you to focus your study efforts more effectively on the topics that require further attention, ultimately increasing your chances of earning the Microsoft 365 Certified: Endpoint Administrator Associate certification.

Free Microsoft 365 Endpoint Administrator Associate MD-102 Practice Test
- 20 Questions
- Unlimited
- Prepare infrastructure for devices; Manage and maintain devices; Manage applications; Protect devices
Free Preview
This test is a free preview, no account required.
Your organization uses Microsoft Intune for device management. You must prevent employees from enrolling personally owned Windows 10 and Windows 11 devices while still permitting enrollment of corporate Windows devices and all mobile platforms. No other enrollment behavior should change. Which Intune capability should you configure first to meet the requirement?
Create a device enrollment platform restriction that blocks personally owned Windows devices and assign it to the target users.
Set the MDM authority for Windows enrollment to corporate-only in the Windows enrollment blade.
Require Windows devices to enroll exclusively through a Windows Autopilot self-deploying profile.
Enable enrollment verification in the Enrollment Status Page and disable user-driven enrollment.
Answer Description
Device enrollment platform restrictions let you block enrollment of personally owned devices on a per-platform basis. By creating a restriction that blocks the "Personally owned" category for Windows (MDM) and assigning it to the relevant user group, users can still enroll corporate-owned Windows devices, and enrollments for Android and iOS remain unaffected. The other options either do not exist in Intune or would not selectively block only personal Windows devices.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI-generated content may display inaccurate information; always double-check anything important.
What are Intune Device Enrollment Platform Restrictions?
How can you differentiate between personal and corporate Windows devices in Intune?
What are the benefits of using Windows Autopilot for corporate devices?
You plan to deploy 100 Windows 11 laptops to a remote branch office that has no line-of-sight to an on-premises Active Directory domain. The devices are corporate-owned, will be used only by employees, must support Windows Hello for Business, and must enroll in Microsoft Intune automatically during first sign-in. You want to minimize dependence on on-premises infrastructure. Which Microsoft Entra device join method should you recommend?
On-premises domain join with manual Intune enrollment
Azure AD join
Hybrid Azure AD join
Azure AD registration
Answer Description
Azure AD join (now called Microsoft Entra join) is designed for corporate-owned Windows devices that are not required to be domain-joined. During the out-of-box experience the device can join Microsoft Entra ID directly and, if automatic MDM enrollment is configured, it is simultaneously enrolled in Intune. Azure AD-joined devices fully support Windows Hello for Business and do not need persistent connectivity to an on-premises Active Directory.
Azure AD registration suits personally owned (BYOD) devices because only the user identity, not the device, is joined. Hybrid Azure AD join still relies on domain join and therefore requires network access to a domain controller during provisioning. A traditional on-premises domain join combined with Intune enrollment likewise mandates domain controller connectivity, which the branch office lacks.
Your organization manages mobile devices with Microsoft Intune. You are asked to ensure that each user can enroll no more than five devices, while leaving all other enrollment behavior unchanged. Which Intune setting should you modify to meet the requirement?
Configure automatic MDM enrollment in Microsoft Entra ID and set the MDM user scope to Some.
Modify the Enrollment device platform restrictions policy and block personally owned devices.
Create a compliance policy that requires a device ownership tag of Corporate for enrollment.
Edit the existing Enrollment device limit restrictions policy and set the maximum devices per user to five.
Answer Description
The maximum number of devices that a user can enroll is controlled by the Enrollment device limit restrictions policy found under Devices > Enroll devices > Enrollment device limit restrictions. Editing (or creating) this policy and setting the limit to five enforces the per-user ceiling. Platform-based restriction policies, automatic enrollment settings in Microsoft Entra ID, or compliance policies do not cap the number of devices a user may bring under management.
You are configuring Windows Autopilot self-deploying mode for 30 new touchscreen kiosks that will run Windows 11 Enterprise and be shipped directly to retail stores. After the Out-of-box Experience (OOBE) finishes, the devices must automatically enroll in Microsoft Intune without requiring any user interaction. Which device identity state will each kiosk be in immediately after OOBE completes?
On-premises Active Directory joined only
Microsoft Entra registered
Microsoft Entra joined
Microsoft Entra hybrid joined
Answer Description
In Windows Autopilot self-deploying mode, the device performs a Microsoft Entra (Azure AD) join and is automatically enrolled in Intune without any user sign-in. Because no user account is involved, the device is not Microsoft Entra registered, and because it never contacts an on-premises domain controller it cannot be hybrid joined or domain-joined. Therefore, the resulting identity state is Microsoft Entra joined.
You administer 400 Windows 11 laptops that are already joined to an on-premises Active Directory domain. You must give users seamless single sign-on to Microsoft 365, allow Microsoft Intune to evaluate compliance, and continue applying existing Group Policy objects from the domain. Which Microsoft Entra ID device join method should you configure for the laptops?
Microsoft Entra join (formerly Azure AD join)
Hybrid Microsoft Entra join (formerly Hybrid Azure AD Join)
Microsoft Entra registration (formerly Azure AD registration)
Configuration Manager co-management without Entra ID join
Answer Description
Hybrid Microsoft Entra join extends an already domain-joined Windows device into Microsoft Entra ID. The computer account remains in Active Directory, so existing Group Policy continues to apply, while the device also registers in Entra ID to provide cloud authentication and enable Intune compliance evaluation or MDM enrollment. A pure Microsoft Entra join requires the device to leave the on-prem domain, eliminating Group Policy processing. Microsoft Entra registration is intended for personal or workgroup-joined devices and does not give full device identity needed for SSO and compliance. Enrolling Configuration Manager co-management without a hybrid join does not itself create an Entra ID device identity, so it cannot satisfy the requirement for cloud SSO and conditional access.
You are rolling out Windows LAPS for Microsoft Entra ID-joined Windows 11 devices. You configure an Intune Account protection policy so that each device backs up its local administrator password to Azure AD.
Only Tier-2 help desk technicians should be able to view the stored passwords in both the Microsoft Intune admin center and the Microsoft Entra admin center. The technicians must not receive any broader tenant-wide privileges.
Which Microsoft Entra built-in role should you assign to the help desk technicians?
Intune Administrator
Cloud Device Administrator
Global Administrator
Security Reader
Answer Description
Windows LAPS stores the local administrator password on the Microsoft Entra device object when the backup directory is set to Azure AD. The ability to read that password requires the microsoft.directory/deviceLocalCredentials/password/read permission. Of the default roles, Cloud Device Administrator and Intune Administrator include this action, but Cloud Device Administrator is the more narrowly scoped, device-focused role. Assigning this role lets technicians retrieve LAPS passwords without the wide-ranging permissions of Intune Administrator or Global Administrator. Security Reader lacks the required permission, so it cannot show the passwords.
You are rolling out the cloud-based Local Administrator Password Solution (LAPS) for 300 Windows 11 devices that are Microsoft Entra joined and managed by Intune. You have created an Intune Device configuration profile of type Local admin password and set Backup directory to Azure AD. When a help-desk technician attempts to view a device's rotated password in the Intune portal, the Password field is blank. Which action will allow the technician to retrieve the stored password without granting broad tenant privileges?
Recreate the Local admin password profile and redeploy it to the device group.
Assign the technician the Local administrator password reader Azure AD role.
Force an immediate password rotation on the affected devices from the Intune portal.
Add the technician to the Intune Help Desk Operator RBAC role.
Answer Description
The technician must be assigned an Azure AD role that grants permission to read the per-device password property that LAPS writes to Microsoft Entra ID. The purpose-built Local administrator password reader role provides exactly this permission and nothing more. Adding the role takes immediate effect and does not require a new password rotation on the device. Roles such as Intune Help Desk Operator lack the necessary directory permission, while forcing a rotation or recreating the profile will not change the technician's authorization to read the existing secret.
You are deploying 300 company-owned Windows 11 Pro laptops. The organization does not have an on-premises Active Directory, and users must sign in only with their Microsoft Entra ID credentials. The devices must also be managed through Microsoft Intune. Which device join type meets the requirements?
Azure AD registered
Hybrid Azure AD join
Workgroup membership with automatic MDM enrollment only
Azure AD join
Answer Description
Azure AD join (now called Microsoft Entra join) is intended for organization-owned Windows devices when no on-premises Active Directory exists. It requires users to sign in with their Microsoft Entra ID accounts and, when automatic MDM enrollment is configured in Microsoft Entra ID, the join process can enroll the devices into Intune for management.
Azure AD registered targets personally owned (BYOD) devices where the primary sign-in is a local or personal Microsoft account, so it does not satisfy the requirement to restrict sign-in to corporate Entra ID accounts.
Hybrid Azure AD join relies on on-premises Active Directory domain-joined computers synchronizing to Entra ID; because the organization lacks an on-premises AD, it is not applicable.
Workgroup membership with only MDM enrollment would allow Intune management, but users would still sign in locally and not exclusively with Entra ID credentials, so it does not meet the single sign-on requirement.
You manage a Microsoft 365 tenant that uses Microsoft Intune to evaluate device compliance. You must create a Conditional Access policy that prevents users from accessing SharePoint Online when their device compliance state equals Not compliant but permits access without additional requirements when the state is Compliant. While configuring the policy's Grant controls, which single option should you enable to meet the requirement?
Require password change
Require hybrid Azure AD joined device
Require multi-factor authentication
Require device to be marked as compliant
Answer Description
The Grant control "Require device to be marked as compliant" checks the device state supplied by Intune. If the device is compliant, access is allowed; if the device is not compliant, access is denied. None of the other grant controls evaluate Intune compliance. "Require multi-factor authentication" enforces MFA but ignores compliance. "Require hybrid Azure AD joined device" validates join state, not compliance. "Require password change" forces a credential reset but likewise does not use compliance information.
You have an internal 500-MB installer named ContosoApp.msi that must be deployed with a custom transform file (ContosoApp.mst). You will distribute the application to Windows 11 devices by using Microsoft Intune. When creating the application in the Intune admin center, which app type should you choose so that you can upload both the MSI and its transform file in a single package?
Microsoft Store app (new)
Web link
Line-of-business app
Windows app (Win32)
Answer Description
The classic line-of-business (LOB) MSI app type only allows a single MSI file and cannot accept additional files such as .mst transforms. By first running IntuneWinAppUtil.exe, you can wrap the MSI and the transform into a single .intunewin file. That package is then imported by choosing the Windows app (Win32) app type, which supports multiple installation files, custom command-line parameters, and larger package sizes. Store, web link, and LOB app types do not meet the requirement to include the transform file.
Your organization uses Microsoft Intune. A Windows 10/11 device configuration profile named SecureBaseline is assigned to the Azure AD group All devices. You must ensure the profile is applied only to devices that run Windows 11 and whose model contains Surface, without changing the existing group assignment. What should you do?
Apply a custom scope tag to each Surface device and assign the profile to that scope tag.
Add a filter that matches Surface devices and select the Exclude option when applying it to the current assignment.
Create an Intune filter with a rule that matches Surface models running Windows 11 and select the Include option when attaching the filter to the existing assignment.
Create a dynamic Azure AD device group that contains Surface devices running Windows 11 and assign the profile to that group instead of All devices.
Answer Description
Filters let you refine an assignment to a subset of devices in the target group. Creating a filter with a rule such as (device.deviceModel -contains "Surface" and device.deviceOSVersion -ge "10.0.22000") and choosing the Include mode causes the profile to apply only to devices that match those properties. Dynamic groups or scope tags would require changing the assignment or rely on separate administration steps, and using the Exclude mode would remove Surface devices instead of targeting them.
Your company is deploying new Windows 11 devices by using Windows Autopilot. You need every computer name to start with EMP- and end with a unique, randomly generated string that contains exactly five alphanumeric characters. The complete name must always stay within the 15-character NetBIOS limit. Which device name template should you configure in the Autopilot deployment profile?
EMP-%RAND%
EMP-%RAND:5%
EMP-%SERIAL%
EMP-%RAND:12%
Answer Description
Using the %RAND:x% variable lets Intune append a random alphanumeric string whose exact length is defined by the value of x. A prefix of EMP- is four characters long, so specifying %RAND:5% produces names that are 4 (prefix) + 5 (random string) = 9 characters, well under the 15-character limit and meeting the requirement for a five-character suffix. The plain %RAND% variable defaults to six characters, which would not meet the exact-length requirement. %SERIAL% substitutes the full hardware serial number, which can easily push the name past 15 characters. %RAND:12% would exceed the limit because the total length would be 4 + 12 = 16 characters.
You manage Windows 11 computers that are hybrid joined to Microsoft Entra ID and are enrolled in Intune. You must ensure the local Administrators group on every device contains only the built-in Administrator account and a cloud security group named HelpdeskAdmins. All other existing members must be removed automatically. Which Local Users and Groups action should you configure in a Settings catalog policy?
Add (Update)
Replace
Remove
Add followed by Remove
Answer Description
The Replace action overwrites the membership of the specified local group with the principals you define. When the policy is applied, any existing members that are not listed in the policy are removed and only the listed members remain. Add (Update) merely appends new members while keeping existing ones. Remove deletes only the accounts you specify but leaves any others intact. Sequencing an Add followed by a Remove would still leave accounts that were never targeted for removal. Therefore, configuring the Replace action meets the requirement that only the built-in Administrator and the HelpdeskAdmins group remain members of the local Administrators group.
Your organization will deploy 300 new corporate-owned Android devices to be used as shared kiosks. You want the devices to enroll automatically in Microsoft Intune during the initial setup wizard without requiring technicians to interact with each handset. Which Intune enrollment approach should you implement to meet these requirements?
Bulk enrollment with the Android device administrator profile and the Company Portal app
Android Enterprise fully managed enrollment by scanning a QR code generated in Intune during out-of-box setup
Android Enterprise dedicated device enrollment using a provisioning JSON assigned through the Google Zero-touch portal
Apple Automated Device Enrollment (ADE) through Apple Business Manager
Answer Description
Zero-touch enrollment for Android Enterprise dedicated devices is designed for large-scale, hands-off deployments. In Intune you create a zero-touch configuration that generates a provisioning JSON file containing the enrollment token and DPC extras. This JSON is uploaded to the Google Zero-touch portal and assigned to the hardware so that, when each device is first powered on, it automatically contacts Google, receives the configuration, and enrolls in Intune as a dedicated device. Enrolling by scanning a QR code still requires a technician to scan the code on every device. Device administrator enrollment is legacy and discouraged for new deployments. Apple Automated Device Enrollment applies only to iOS and macOS devices, not Android.
Contoso uses Microsoft Intune for device management. You must allow the service desk team to remotely wipe, retire, lock, and sync managed devices, but the team must be prevented from creating or editing device configuration or compliance policies. Which built-in Intune role should you assign to the service desk group?
Policy and Profile Manager
Endpoint Security Manager
Read Only Operator
Help Desk Operator
Answer Description
Help Desk Operator is designed for front-line support staff. The role grants remote device actions such as wipe, retire, sync, remote lock, passcode reset, and rename, but does not include permissions to create, update, or delete policies or profiles. Policy and Profile Manager and Endpoint Security Manager allow policy modifications, and Read Only Operator cannot perform remote actions.
Contoso has Windows 11 laptops that are managed by Microsoft Intune and are hybrid Microsoft Entra ID joined. The company wants to deploy Windows Hello for Business to replace passwords as soon as possible. They do not have Active Directory Certificate Services (AD CS) and do not plan to install it. All domain controllers run Windows Server 2016 with the latest cumulative updates. Which Windows Hello for Business trust model should you recommend to meet the requirements?
Virtual smart card
Key trust
Cloud Kerberos trust
Certificate trust
Answer Description
Because Contoso does not have AD CS and wants the fastest deployment path, they should use the cloud Kerberos trust model. Cloud Kerberos trust lets hybrid-joined devices authenticate to on-premises resources by retrieving a Kerberos ticket from a Windows Server 2016 (or later) domain controller after the user signs in with the Windows Hello for Business key that Azure AD validates. Certificate trust requires an AD CS public key infrastructure, and key trust needs a certificate registration authority, making both unsuitable given the constraints. Virtual smart cards are a different credential technology and are not a Windows Hello for Business trust model.
While configuring an Intune compliance policy for Windows 11 laptops, you must give users five days to correct any detected issues (for example, BitLocker not enabled) before the device is reported as non-compliant and blocked by Conditional Access. Which policy setting should you configure to meet this requirement?
Configure a five-day noncompliance grace period in the related Conditional Access policy.
Create an additional device restriction profile that delays enforcement for five days.
Add a Mark device noncompliant action under the policy's Actions for noncompliance and set its schedule to five days.
Change the policy's evaluation frequency to five days in Device compliance settings.
Answer Description
The grace period before a device is marked non-compliant is configured in the compliance policy itself. In the compliance policy wizard (or policy Properties), select Actions for noncompliance, add the action Mark device noncompliant, and set the schedule to five days. Evaluation frequency, Conditional Access settings, and device restriction profiles do not provide a per-policy grace-period timer, so they cannot deliver the required five-day remediation window.
Your company is opening a small remote office that will not host any on-premises Active Directory infrastructure. All new Windows 11 laptops for that location are company-owned and will be managed with Microsoft Intune. Users must receive single sign-on (SSO) to Microsoft 365 resources from any network. Which device join method should you use for those laptops?
Register the devices with Azure AD while keeping them in a workgroup.
Perform a Hybrid Azure AD join of the devices.
Join the devices to an on-premises Active Directory domain and enroll them into Intune.
Join the devices directly to Azure AD.
Answer Description
Azure AD join is designed for organization-owned Windows devices when no on-premises Active Directory infrastructure is required. Devices join directly to Microsoft Entra ID, receive an Azure AD primary refresh token, and support SSO to Microsoft 365 cloud resources both on and off the corporate network. They can also be automatically enrolled into Intune for management.
Azure AD registered devices are primarily personal or BYOD scenarios and do not provide an Azure AD primary sign-in, so they lack seamless SSO for desktop sign-on. Hybrid Azure AD join requires the devices to be first joined to an on-premises AD domain, which the remote office will not have. Simply joining the devices to a local AD domain and then enrolling into Intune likewise depends on on-premises AD and therefore does not meet the stated constraints.
A security administrator needs to delegate Intune permissions so that Level 1 support technicians can do the following:
- View the inventory of Windows and iOS devices that are already enrolled.
- Remotely lock a lost or stolen device.
The technicians must not be able to wipe, retire, or delete devices, and they must have no ability to create or edit compliance or configuration policies. Which built-in Intune role should you assign to the Level 1 support group to meet these requirements with the least privilege?
Read-Only Operator
Help Desk Operator
Policy and Profile Manager
Endpoint Security Manager
Answer Description
The Help Desk Operator role is designed for front-line support staff. It grants read-only access to device and user objects and allows a limited set of remote actions, including Remote lock and Passcode reset. It does not permit wiping, retiring, or deleting devices, nor does it provide permission to create or modify policies. Read-Only Operator cannot perform any remote actions, while Policy and Profile Manager and Endpoint Security Manager both allow creation or modification of policies, exceeding the required scope.
Your company manages Windows 11 Enterprise laptops with Microsoft Intune and Microsoft Entra ID only. There is no on-premises Active Directory or public key infrastructure, and you do not plan to deploy any additional on-premises servers. You need to enable Windows Hello for Business so that authentication keys are issued without introducing new infrastructure. Which Windows Hello for Business trust model and device join type should you implement to meet the requirement?
Configure Windows Hello for Business key trust on Microsoft Entra ID-joined devices.
Configure Windows Hello for Business certificate trust on Microsoft Entra ID-joined devices and deploy Active Directory Certificate Services.
Configure Windows Hello for Business cloud Kerberos trust on Microsoft Entra ID-registered devices.
Configure Windows Hello for Business certificate trust on hybrid Microsoft Entra ID-joined devices.
Answer Description
In a cloud-only environment, Windows Hello for Business uses key trust on Microsoft Entra-joined devices. The key pair created during provisioning is registered with Microsoft Entra ID, allowing the user to authenticate with the private key without relying on on-premises domain controllers or a certificate authority.
Certificate trust requires Active Directory Certificate Services, and cloud (Kerberos) trust requires hybrid identity with Windows Server domain controllers, so neither fits the scenario. Devices that are only Entra ID-registered are not eligible for Windows Hello for Business deployment.