Microsoft 365 Endpoint Administrator · Difficulty

Hard MD-102 practice questions

Challenge — multi-step scenarios, trade-offs, and subtle distinctions. 9 hard questions available — no sign-up, always free.

Question 1 of 9

Your organization wants to allow only trusted applications to run on corporate Windows 11 devices managed by Intune. Security requires that apps deployed through Intune (via the Intune Management Extension) are automatically trusted and allowed to run, while other unapproved executables are blocked. You plan to create an App Control for Business policy. Which configuration lets Intune-deployed apps run without individually authoring rules for each one?

Reviewed for accuracy · Report an issue
Question 2 of 9

Your organization has deployed an App Control for Business (WDAC) base policy in enforcement mode to a group of Windows 11 workstations. The base policy trusts apps installed by the Intune Management Extension as a managed installer. The finance team now needs to run a specialized line-of-business application that was installed manually by a technician using a USB drive, so it was not tracked by the managed installer. The app is being blocked. You must allow this specific app to run without weakening the base policy or re-enabling unmanaged installations broadly. What should you do?

Reviewed for accuracy · Report an issue
Question 3 of 9

Your organization requires a weekly automated report that lists every managed Windows device currently in a noncompliant state, along with the specific compliance policy settings each device failed. You need to build an unattended script that runs on a schedule and outputs the data to a CSV file. Which approach correctly retrieves the per-setting failure details programmatically?

Reviewed for accuracy · Report an issue
Question 4 of 9

Your organization requires a nightly, automated export of the full Intune managed device inventory (approximately 40,000 devices) into a data lake for a custom Power BI model. A scheduled service runs unattended using an app registration. The built-in reports in the Intune admin center cannot be scheduled, and manual CSV exports are capped and cannot be automated. Which approach should you implement to retrieve the complete dataset reliably each night?

Reviewed for accuracy · Report an issue
Question 5 of 9

You deploy the Microsoft Defender for Endpoint security baseline and, separately, a device configuration profile to the same group of Windows 11 devices. The baseline sets a firewall setting to 'Enabled', while the configuration profile leaves the same firewall setting configured as 'Not configured' but sets a different value for the same underlying CSP setting to 'Disabled'. In the Intune admin center, the affected devices report a conflict for that setting. What is the resulting state applied to the devices, and how should you resolve it?

Reviewed for accuracy · Report an issue
Question 6 of 9

Your organization is deploying Microsoft HoloLens 2 devices to a warehouse for guided maintenance work. Multiple technicians share each headset across shifts, and no single technician should be tied to a device. You need to configure the devices in Intune so that any authorized technician can sign in with their own Entra ID credentials and the device does not retain a primary user. Which device configuration approach should you use?

Reviewed for accuracy · Report an issue
Question 7 of 9

Contoso packages a Win32 line-of-business application as an .intunewin file and deploys it to a group of Windows 11 devices as Required. The application must install for all users on each device and must complete even if no user is currently signed in. During testing you notice the installation writes a per-user registry key under HKCU that the vendor requires for licensing. Which install behavior configuration should you choose for the Win32 app in Intune to satisfy both requirements?

Reviewed for accuracy · Report an issue
Question 8 of 9

Your organization uses Windows 365 Enterprise. A group of support staff must be able to restart, reprovision, and troubleshoot users' Cloud PCs, but they must NOT be able to create new provisioning policies or modify Azure network connections. You want to grant this access using the least-privileged approach with minimal administrative effort. What should you do?

Reviewed for accuracy · Report an issue
Question 9 of 9

Contoso has a hybrid Microsoft Entra environment with on-premises Active Directory synced to Entra ID. The security team wants users on Entra hybrid-joined Windows 11 devices to sign in with a PIN or biometric gesture instead of a password. They do NOT want to deploy an internal PKI or issue certificates to each device, but users must still be able to access on-premises file shares that require Kerberos authentication after signing in. Which Windows Hello for Business deployment model should you implement?

Reviewed for accuracy · Report an issue