Free Sample — 15 Practice Questions
Preview 15 of 373 real practice questions from the Microsoft MD-102 study guide.
Question 9
You have a Microsoft 365 subscription that contains a user named User1 and 500 Windows devices enrolled in Microsoft Intune.
You configure an attack surface reduction (ASR) rule and enable the rule in Warn mode.
User1 downloads a file named file1.exe. When User1 attempts to run file1.exe, he receives a prompt that the content has been blocked. The user unblocks the content.
How much time will pass until the user is prompted next to unblock the content?
A. 10 minutes
B. one hour
C. 24 hours
D. one week
Correct Answer: C
Explanation:
In Microsoft Defender Attack Surface Reduction rules configured in Warn mode, when a user chooses to bypass (unblock) the warning, the bypass is cached for 24 hours. During this period, the user will not be prompted again for the same action. After 24 hours, the warning prompt will reappear if the action is attempted again.
Question 42
You use Microsoft Defender for Office 365.
You plan to automate an attack simulation campaign.
Any users that fail the simulation must take additional training based on the simulation results.
What is the maximum number of days the training will be available to the users after the simulation?
Correct Answer: C
Explanation:
In Microsoft Defender for Office 365 attack simulation training, the training due date options are 7, 15, or 30 days after the simulation ends. Since the question asks for the maximum number of days the training will be available, the correct answer is 30 days.
Question 37
You have a Microsoft 365 E5 subscription that contains Windows 11 devices.
All the devices are onboarded to Microsoft Defender for Endpoint.
You need to compare the configuration of the devices against industry standard benchmarks.
What should you use?
A. Attack surface map
B. Events
C. Security baselines assessment
D. Initiatives
Correct Answer: C
Explanation:
To compare Windows 11 devices onboarded to Microsoft Defender for Endpoint against industry-standard benchmarks, you use Security baselines assessment. Defender Vulnerability Management security baselines allow you to assess and monitor device configurations against recognized benchmarks (such as Microsoft security baselines), highlighting deviations and compliance status. The other options do not provide benchmark-based configuration comparison.
Question 48
You have a Microsoft 365 E5 subscription that contains the following types of devices:
• Windows 11
• Android
• iOS
All the devices are enrolled in Microsoft Intune.
You need to use Intune to deploy apps from the Enterprise App Catalog.
To which device types can you deploy the apps?
A. Windows 11 only
B. Windows 11 and Android only
C. Windows 11 and iOS only
D. Android and iOS only
E. Windows 11, Android, and iOS
Correct Answer: A
Explanation:
The Intune Enterprise App Catalog (Enterprise App Management) provides prepackaged Win32 applications that are supported only on managed Windows devices. It does not support Android or iOS app deployment, which use Managed Google Play and Apple App Store/VPP respectively. Therefore, apps from the Enterprise App Catalog can be deployed to Windows 11 devices only.
Question 4
You have an Android Enterprise fully managed device named Device1 that is enrolled in Microsoft Intune. Device1 is assigned a device profile.
You plan to manage software updates for Device1 by using Android firmware over-the-air (FOTA). You discover that FOTA is unavailable for Device1.
You need to manage software updates for Device1 by using Intune instead.
What should you use?
A. an app configuration policy
B. an update ring
C. a device configuration profile
D. a device compliance policy
Correct Answer: C
Explanation:
When Android firmware over-the-air (FOTA) is unavailable on a fully managed Android Enterprise device, Intune can manage OS update behavior through Android device configuration profiles (specifically device restrictions). Update rings apply to Windows, compliance policies only evaluate settings, and app configuration policies do not control OS updates. Therefore, a device configuration profile is the correct choice.
Question 7
You have a Microsoft 365 subscription that uses Microsoft Intune.
You have a Google account.
You plan to enroll Android devices in Intune.
You need to configure Intune to apply a work profile to Android fully managed and corporate-owned devices. The solution must NOT affect personal Android devices enrolled in Intune.
What should you do first?
A. Link your Google account to Intune.
B. Create a device platform restriction for Android device administrator.
C. Configure a device enrollment manager (DEM) account.
D. Configure an enrollment profile in Intune.
Correct Answer: A
Explanation:
To manage Android Enterprise scenarios (work profiles, fully managed, and corporate-owned devices) in Intune, you must first establish the Android Enterprise connection by linking a Google account. Without linking a Google account, Intune cannot create or manage work profiles or fully managed Android Enterprise devices. This step does not affect personal devices by itself; it only enables Android Enterprise management capabilities.
Question 1
You have a Microsoft 365 subscription that uses Microsoft Intune and contains a group named Group1.
You have a line-of-business (LOB) app named App1 that supports in-app notifications. App1 is assigned to all the users in the subscription.
You need to ensure that the users in Group1 receive a custom notification when they launch App1.
What should you do?
A. Create an app configuration policy and assign the policy to Group1.
B. Edit the assignment for App1.
C. Create a device configuration profile and assign the profile to Group1.
D. Create an app protection policy and assign the policy to Group1.
Correct Answer: A
Explanation:
Custom or in-app notifications for a line-of-business app in Intune are delivered through app configuration policies. These policies allow you to define app-specific settings and behaviors, such as in-app messages, and target them to specific user groups like Group1. Editing the app assignment, using device configuration profiles, or app protection policies does not provide a mechanism to configure in-app notifications.
Question 5
Note: This section contains one or more sets of questions with the same scenario and problem. Each question presents a unique solution to the problem. You must determine whether the solution meets the stated goals. More than one solution in the set might solve the problem. It is also possible that none of the solutions in the set solve the problem.
After you answer a question in this section, you will NOT be able to return. As a result, these questions do not appear on the Review Screen.
You have a Microsoft Entra tenant named contoso.com.
You purchase an Android device named Device1.
You need to register Device1 in contoso.com.
Solution: You use Microsoft Entra Connect Sync.
Does this meet the goal?
Correct Answer: B
Explanation:
Microsoft Entra Connect Sync is used to synchronize on‑premises Active Directory objects (users, groups, and Windows domain‑joined devices) to Microsoft Entra ID. It cannot be used to register an Android device directly in a cloud‑only Entra tenant. Android devices are registered or enrolled through Intune/Company Portal, not Entra Connect Sync.
Question 14
You have devices enrolled in Microsoft Intune as shown in the following table.
On which devices can you apply app configuration policies for the managed devices?
A. Device1 only
B. Device1 and Device2 only
C. Device1 and Device3 only
D. Device2 and Device3 only
E. Device1, Device2, and Device3
Correct Answer: D
Explanation:
App configuration policies for managed devices in Microsoft Intune are supported on iOS/iPadOS and Android Enterprise devices. They are not supported on Windows devices. Based on the table implied by the question, Device2 and Device3 correspond to iOS/iPadOS and Android Enterprise, so only those devices can have managed app configuration policies applied.
Question 46
HOTSPOT
You manage devices by using Microsoft Intune. Automatic Intune enrollment is disabled.
Users report that they must enter the mobile device management (MDM) server address during device enrollment.
To reduce user interaction during device enrollment, you plan to create the following CNAME DNS hostname records:
• EnterpriseEnrollment.contoso.com
• EnterpriseRegistration.contoso.com
You need to configure a fully qualified domain name (FQDN) for each CNAME record to redirect enrollment requests to the Intune servers.
How should you configure each FQDN? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Correct Answer: EnterpriseEnrollment.contoso.com → EnterpriseEnrollment-s.manage.microsoft.com
EnterpriseRegistration.contoso.com → EnterpriseRegistration.windows.net
Explanation:
Intune uses DNS-based auto-discovery for MDM enrollment. The EnterpriseEnrollment CNAME must point to the Intune enrollment service (manage.microsoft.com), while the EnterpriseRegistration CNAME must point to Azure AD device registration (windows.net) to avoid users manually entering the MDM server address.
Question 13
You have a Microsoft 365 E5 subscription and use the Microsoft Intune Suite. The subscription contains a Microsoft SharePoint Online site named Site1 and 500 Windows devices enrolled in Intune.
You have the apps shown in the following table.
You need to deploy the apps to the devices by using Intune.
For which apps must you upload app package files before you can deploy them?
A. App1 only
B. App1 and App2 only
C. App1 and App4 only
D. App1, App2, and App4 only
E. App1, App2, App3, and App4
Correct Answer: A
Explanation:
In Intune, you must upload an app package only when the app is not hosted by Microsoft and is deployed as a Win32 app. Microsoft Store apps, Microsoft 365 apps, and apps available through built‑in Intune connectors do not require uploading installation files. Based on the table, only App1 is a Win32 app that is not Microsoft‑hosted, so its package must be uploaded before deployment.
Question 35
You have a Microsoft 365 E5 subscription and use Microsoft Defender for Cloud Apps.
You plan to perform a security audit of all the apps detected by Cloud Discovery.
You need to track which apps were audited. The solution must ensure that the list of audited apps can be displayed in the cloud app catalog.
What should you do?
A. Apply a custom app tag to each app.
B. Deploy Conditional Access App Control.
C. Define each app as a critical asset.
D. Generate a Cloud Discovery snapshot report.
E. Enable app governance.
Correct Answer: A
Explanation:
To track which discovered cloud apps have been audited and display that status in the Cloud App Catalog, you should apply a custom app tag to each audited app. Custom app tags are designed for labeling and tracking apps (for example, “Audited,” “Approved by Security”) and are visible and filterable in the Cloud App Catalog. The other options do not provide a persistent, visible audit-tracking label in the catalog.
Question 30
Note: This section contains one or more sets of questions with the same scenario and problem. Each question presents a unique solution to the problem. You must determine whether the solution meets the stated goals. More than one solution in the set might solve the problem. It is also possible that none of the solutions in the set solve the problem.
After you answer a question in this section, you will NOT be able to return. As a result, these questions do not appear on the Review Screen.
You have a Microsoft 365 E5 subscription. The subscription contains devices that are Microsoft Entra joined and enrolled in Microsoft Intune.
You create a user named User1.
You need to ensure that User1 can rotate BitLocker recovery keys by using Intune.
Solution: From the Microsoft Entra admin center, you assign the Cloud Device Administrator role to User1.
Does this meet the goal?
Correct Answer: B
Explanation:
Assigning the Cloud Device Administrator role does not meet the goal. Cloud Device Administrator is a Microsoft Entra role that allows limited device management in Entra ID, but it does not grant the Intune permissions required to rotate BitLocker recovery keys. BitLocker key rotation via Intune requires an Intune role such as Intune Administrator, Endpoint Security Manager, Help Desk Operator, or a custom Intune role with BitLocker/endpoint security permissions.
Question 43
You have a Microsoft 365 E5 subscription.
You have a Microsoft Intune enrollment profile for Android Enterprise devices that has the following settings:
• Name: Profile1
• Token type: Corporate-owned, fully managed
You need to enroll a new Android device in Intune by using Profile1.
What should you use to enroll the device?
A. a QR code
B. the Company Portal app
C. the Microsoft Authenticator app
D. the Intune app
Correct Answer: A
Explanation:
For Android Enterprise devices enrolled as Corporate-owned, fully managed, Intune uses the Android Enterprise QR code enrollment method. During the device’s out-of-box setup after a factory reset, scanning the QR code from the Intune enrollment profile provisions the device and enrolls it into Intune. Apps like Company Portal or Authenticator are not used for this enrollment type.
Question 21
You have a Microsoft 365 E5 subscription.
You purchase the devices shown in the following table.
Which devices can be enrolled in Microsoft Intune by using automatic enrollment?
A. Device1 only
B. Device1 and Device2 only
C. Device1 and Device3 only
D. Device1, Device2, and Device3 only
E. Device1, Device2, Device3, and Device4
Correct Answer: A
Explanation:
Microsoft Intune automatic MDM enrollment (via the MDM user scope in Microsoft Entra ID) applies to Windows 10/11 devices when they are Azure AD joined or registered. Other platforms (iOS, Android, macOS) use different enrollment methods and are not covered by this specific automatic enrollment mechanism. Therefore, only the Windows device (Device1) qualifies.