Microsoft 365 Endpoint Administrator · Domain 3 · 18% of exam

Protect devices

Drill 20 practice questions focused entirely on Protect devices for the Microsoft MD-102 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.

Verified answer20 questions
Question 1 of 20

Your organization wants to allow only trusted applications to run on corporate Windows 11 devices managed by Intune. Security requires that apps deployed through Intune (via the Intune Management Extension) are automatically trusted and allowed to run, while other unapproved executables are blocked. You plan to create an App Control for Business policy. Which configuration lets Intune-deployed apps run without individually authoring rules for each one?

Reviewed for accuracy · Report an issue
Question 2 of 20

Your organization wants to deploy attack surface reduction (ASR) rules to Windows 11 devices via Intune endpoint security policy. A line-of-business application relies on Office macros that call child processes, and you are concerned that enabling ASR rules in enforce mode could break this application. You need to identify which ASR rules would impact the application without disrupting users before enforcing the rules. What should you do?

Reviewed for accuracy · Report an issue
Question 3 of 20

Your organization deploys corporate Windows 11 devices via Autopilot with Entra join. Security requires that the operating system drive be encrypted with BitLocker automatically during provisioning, with no interaction or prompts shown to end users, and recovery keys must be escrowed to Entra ID. All devices have a TPM 2.0 chip. Which combination of settings in the Intune disk encryption (endpoint security) policy achieves silent BitLocker enablement?

Reviewed for accuracy · Report an issue
Question 4 of 20

You have created an Intune endpoint detection and response (EDR) policy that references the Microsoft Defender for Endpoint connector and assigned it to a group of Windows 11 devices. In the Microsoft Defender portal, the affected devices show a Windows Defender Antivirus 'Sensor health status' of 'Inactive' and do not appear as onboarded. You confirm the Intune connector to Defender for Endpoint shows as 'Enabled' and the connection status is healthy. What is the most likely cause that must be corrected so the devices become onboarded?

Reviewed for accuracy · Report an issue
Question 5 of 20

Your organization has 300 Windows 11 devices in a single branch office that shares one metered WAN link to the internet. Users report the link becomes saturated whenever Windows quality updates roll out, because every device downloads update content directly from Microsoft. You want to minimize internet bandwidth for updates by having devices retrieve most content from other devices in the same office, while still allowing internet fallback if no peer has the content. Which Intune configuration should you deploy?

Reviewed for accuracy · Report an issue
Question 6 of 20

Your organization manages a fleet of Android Enterprise fully managed (COBO) devices used by warehouse staff. Management requires that operating system updates be installed automatically but only outside working hours (10:00 PM to 6:00 AM) to avoid disrupting scanning operations during shifts. Which Intune configuration should you use to meet this requirement?

Reviewed for accuracy · Report an issue
Question 7 of 20

Your organization wants to deploy App Control for Business (formerly WDAC) to a group of Windows 11 workstations using Intune. Security wants to ensure that only Windows components, Microsoft Store apps, and software installed by the Microsoft Configuration Manager and Intune managed installer are allowed to run. However, the desktop team is concerned that a full enforcement rollout could block business-critical line-of-business applications that have not yet been catalogued. What should you configure first to satisfy both requirements with the least risk of disruption?

Reviewed for accuracy · Report an issue
Question 8 of 20

Your organization has deployed an App Control for Business (WDAC) base policy in enforcement mode to a group of Windows 11 workstations. The base policy trusts apps installed by the Intune Management Extension as a managed installer. The finance team now needs to run a specialized line-of-business application that was installed manually by a technician using a USB drive, so it was not tracked by the managed installer. The app is being blocked. You must allow this specific app to run without weakening the base policy or re-enabling unmanaged installations broadly. What should you do?

Reviewed for accuracy · Report an issue
Question 9 of 20

Your organization has silently encrypted all corporate Windows 11 laptops with BitLocker using an Intune disk encryption policy, and recovery keys are escrowed to Microsoft Entra ID. A user working remotely is prompted for a BitLocker recovery key after a firmware change and cannot reach the helpdesk. You want to enable users to retrieve their own recovery keys without administrator involvement, while keeping helpdesk staff able to assist when needed. What should you do?

Reviewed for accuracy · Report an issue
Question 10 of 20

Your organization uses Intune with Microsoft Defender Antivirus managed through an Endpoint security Antivirus policy. Security operations reports that a subset of Windows 11 devices are not running a weekly full scan, even though the policy specifies one. Investigation shows these devices are frequently powered off during the scheduled scan window. You must ensure the full scan still runs reliably without requiring the device to be on at the exact scheduled time. Which Defender Antivirus setting should you configure in the policy?

Reviewed for accuracy · Report an issue
Question 11 of 20

Your organization uses Microsoft Intune with Microsoft Defender Antivirus on all Windows 11 devices. Recently, a help-desk technician discovered that malware on an infected device had disabled real-time protection and modified exclusion settings before it was detected. Security leadership wants to ensure that neither local users nor malicious processes can alter Defender Antivirus core settings, even if they have local administrator rights. Which configuration should you deploy through Intune endpoint security to meet this requirement?

Reviewed for accuracy · Report an issue
Question 12 of 20

Your organization has connected Microsoft Intune to Microsoft Defender for Endpoint. You need to onboard your Intune-managed Windows 11 devices to Defender for Endpoint so that they begin reporting endpoint detection and response (EDR) telemetry. You want the onboarding configuration to be applied automatically without manually downloading and distributing the onboarding package. What should you do?

Reviewed for accuracy · Report an issue
Question 13 of 20

Your organization has Microsoft 365 E5 licensing and manages Windows 11 devices with Microsoft Intune. You want to deploy an Intune endpoint detection and response (EDR) policy so that enrolled devices are automatically onboarded to Microsoft Defender for Endpoint without manually distributing an onboarding package. When you open the EDR policy template in Intune, the onboarding configuration package option is unavailable. What must you do first before the EDR policy can automatically onboard devices?

Reviewed for accuracy · Report an issue
Question 14 of 20

Your organization has a branch office with a metered internet connection. Users complain that Windows quality updates saturate the link during business hours, slowing down line-of-business applications. You want to use Intune to limit how much bandwidth Windows Update downloads consume specifically during working hours, while allowing full bandwidth outside those hours. Which Intune configuration should you deploy?

Reviewed for accuracy · Report an issue
Question 15 of 20

Your organization uses Intune to manage Windows 11 Enterprise devices. The security team wants to enforce the Microsoft Defender Firewall so that all inbound connections are blocked by default while still allowing outbound traffic, and they want this setting applied even when no other firewall rules match. They also want to ensure that if a user tampers with local firewall rules, the Intune-managed configuration remains authoritative. Which approach in Intune endpoint security firewall policy best meets these requirements?

Reviewed for accuracy · Report an issue
Question 16 of 20

Your organization uses Intune to manage Windows 11 devices. Security requires that the Microsoft Defender Firewall be enabled on the Domain, Private, and Public profiles, and that a specific legacy line-of-business application be blocked from receiving unsolicited inbound connections while still allowing its outbound traffic. You must deploy this using an Intune endpoint security firewall policy. Which combination correctly achieves the requirement?

Reviewed for accuracy · Report an issue
Question 17 of 20

Your organization manages a fleet of macOS devices enrolled in Intune via Apple automated device enrollment. Security requires that all Macs install the latest available minor OS update within 3 days of release, with a forced restart if users do not act. You want to enforce this using the Settings Catalog without relying on any third-party tools. Which configuration approach should you use?

Reviewed for accuracy · Report an issue
Question 18 of 20

Contoso wants to apply Microsoft's recommended hardening configuration for Microsoft Defender for Endpoint across all corporate Windows 11 devices with minimal manual effort. The security team wants a preconfigured template maintained by Microsoft that they can assign and later review as new versions are released. Which Intune capability should they use?

Reviewed for accuracy · Report an issue
Question 19 of 20

You deploy the Microsoft Defender for Endpoint security baseline and, separately, a device configuration profile to the same group of Windows 11 devices. The baseline sets a firewall setting to 'Enabled', while the configuration profile leaves the same firewall setting configured as 'Not configured' but sets a different value for the same underlying CSP setting to 'Disabled'. In the Intune admin center, the affected devices report a conflict for that setting. What is the resulting state applied to the devices, and how should you resolve it?

Reviewed for accuracy · Report an issue
Question 20 of 20

Your organization has enrolled all Windows 11 devices into Windows Autopatch. Management wants a small pilot population to receive quality updates first, with the bulk of devices receiving them roughly one week later, so that any problematic update can be caught before broad deployment. Which Autopatch capability should you use to meet this requirement with the least administrative effort?

Reviewed for accuracy · Report an issue

More MD-102 practice

Keep going with the other Microsoft 365 Endpoint Administrator domains, or take a full timed mock exam.

← Back to MD-102 overview