General

The Windows feature update device readiness report in Intune provides detailed information about which devices are ready for a specific Windows feature update, such as Windows 11. It highlights devices that do not meet the requirements, helping you quickly identify and address compatibility issues before deployment.

An update ring policy in Intune allows you to control how and when updates are delivered to Windows devices, including setting deadlines and deferral periods for feature updates. By configuring an update ring policy, you can specify that users are allowed to postpone the Windows 11 update for up to two weeks, ensuring compliance with your organization’s update schedule while providing flexibility for users.

To defer iOS updates and prevent users from manually installing updates during the deferral period, you should configure a device configuration profile in Intune. This profile allows you to set update deferral settings and restrict user actions related to updates on iOS devices, ensuring compliance with your organization’s update management policy. Update rings are used for Windows, not iOS.

Microsoft Intune update rings can only manage Windows 10/11 Pro, Enterprise, and Education editions. Windows Home edition (Device3) is not supported for update ring management in Intune. Therefore, only Device1 (Windows 10 Pro), Device2 (Windows 11 Pro), and Device4 (Windows 11 Enterprise) can be managed.

To configure Delivery Optimization settings for Windows updates, you must use a device configuration profile in Intune. This profile allows you to set policies that control how devices download updates, including enabling Delivery Optimization, which helps reduce bandwidth usage by allowing devices to share update files with each other. Update rings and update policies control the timing and type of updates, but not Delivery Optimization settings.

Microsoft Intune is the recommended tool for onboarding and managing iOS devices in a Microsoft 365 environment. It allows you to deploy Defender for Endpoint to all corporate iOS devices centrally, ensuring consistent security policies and streamlined device management. Group Policy and local scripts are not applicable for iOS, and JAMF Pro is typically used for macOS management, not for Microsoft Defender for Endpoint integration in a Microsoft 365 environment.

A Security Baseline in Intune provides a pre-configured set of recommended security settings, including granular controls for Microsoft Edge. Applying a security baseline ensures consistent and comprehensive security configurations across all devices with minimal administrative effort, as the baseline is maintained and updated by Microsoft.

Microsoft 365 Apps for enterprise security baselines in Intune are only supported on Windows devices. You cannot apply these baselines to Android or iOS devices, so Baseline1 can only be applied to Device1 (Windows 11).

Device Cleanup rules in Intune allow you to automatically remove devices that have been inactive for a specified period (such as 180 days). This helps keep your device inventory up to date by deleting old, unused device records and can also trigger actions like device wipe, ensuring that inactive devices are securely removed from management.

Endpoint Protection device configuration profile templates in Intune are available for Windows and macOS devices, but not for iPadOS. This means you can create and assign these profiles to Device1 (Windows 11) and Device2 (macOS), but not to Device3 (iPadOS).

The Enrollment status page (ESP) in Windows Autopilot allows you to control the user experience during device setup, including blocking restarts until deployment is complete, collecting logs, and displaying IT contact information. Modifying the ESP ensures users have the necessary support and prevents premature restarts that can cause deployment failures.

Creating a deployment profile is the first step in configuring Windows Autopilot. The deployment profile defines how devices are configured and provisioned during the Autopilot process, enabling quick and automated setup to a business-ready state. This minimizes manual intervention and speeds up the process of reverting devices for reuse or redeployment.

Windows Autopilot self-deploying mode is designed for scenarios where devices are set up for shared or kiosk use, such as in public locations. This mode allows devices to be deployed with minimal user interaction, making it ideal for customer-facing or public-use devices where no user-specific setup is required.

To register devices with Windows Autopilot, you must first upload the hardware ID (also known as the device hash) of each device to Microsoft Intune. This allows Autopilot to recognize and manage the devices during deployment. Device name, IP address, or MAC address are not sufficient for Autopilot registration.

Subscription activation is supported for Windows 10 and Windows 11 devices that are either Microsoft Entra joined or Microsoft Entra registered. It is not supported for iOS devices. Therefore, only Device1, Device2, and Device3 can be activated using subscription activation.

Intune App Protection Policies (APP) allow you to protect corporate data at the application level, regardless of whether the device is managed or unmanaged. This means you can secure company data within specific apps (like Microsoft 365 apps) without requiring full device management, ensuring personal data and apps remain unaffected. This is ideal for BYOD scenarios where users use their own devices for both work and personal tasks.

The “Data Protection” settings in an Intune app protection policy allow you to control actions such as saving, copying, and printing corporate data from managed apps. To prevent users from printing Microsoft Word documents from their mobile devices, you would configure the relevant restrictions under Data Protection. This ensures sensitive information cannot be printed or shared outside of managed applications.

An App Protection policy allows you to protect corporate data at the app level, even on devices that are not enrolled in Intune. With this policy, you can restrict actions like copying and pasting data from Microsoft 365 apps to personal apps, which is ideal for BYOD scenarios where you do not want to require full device enrollment. This ensures data security while supporting user privacy on personal devices.

The setting “Allow user to save copies to selected services” currently allows users to save data to OneDrive for Business, which may also permit saving to local devices depending on how the app handles file storage. To fully prevent users from saving data to their local devices, you should modify this setting to remove all selected services, ensuring that saving is completely blocked and data cannot be stored locally. This enforces stricter data protection and prevents data leakage.

An App Configuration policy in Intune allows you to configure and deploy specific app settings, such as bookmarks, to managed apps like Microsoft Edge on Android devices. This is the recommended way to centrally manage and push configuration settings to apps, even on personal (BYOD) devices. Compliance policies and protection policies do not configure app-specific settings, and configuration profiles are used for device settings, not app settings.

App configuration policies in Intune can be applied to both enrolled and unenrolled Android and iOS devices (using app protection and configuration policies for managed apps). However, they cannot be applied to Windows devices. Therefore, you can apply an app configuration policy to Device2 (enrolled Android), Device3 (unenrolled Android), and Device4 (unenrolled iOS).

App configuration policies in Intune are designed for mobile platforms, specifically Android and iOS devices, to manage app settings and configurations. These policies cannot be applied to Windows devices, so Config1 can only be applied to Device2 (Android) and Device3 (iOS).

The Intune Management Extension allows you to deploy and manage Win32 apps on both Windows 10 and Windows 11 devices. By configuring the app as “required” for the Sales department group, Intune will automatically install and keep the app up to date on all targeted devices, ensuring compliance and reducing manual effort. This is the recommended and most efficient method for deploying and maintaining Win32 line-of-business apps in a modern managed environment.

To avoid conflicts and ensure a seamless deployment, you should use only one management tool (Intune or Group Policy) to configure Windows Hello for Business settings. If you choose Intune, make sure there are no overlapping or conflicting settings in Group Policy. This prevents policy conflicts and ensures consistent configuration across all devices in the hybrid environment.

When deploying Microsoft 365 Apps with Intune, you can enable the ‘Remove MSI from end-user devices’ option in the app suite configuration. This ensures that any existing MSI-based Office installations are automatically detected and removed during the deployment process, preventing conflicts and streamlining the upgrade to Microsoft 365 Apps. This is the recommended and most efficient method.

To add Managed Google Play apps in Intune, you must first connect Intune to an Android Enterprise account. This integration is required to manage and deploy Managed Google Play apps to Android devices.

To limit the diagnostic data sent to Microsoft for Microsoft 365 Apps, you should create and configure an Office Apps policy in Intune.

To ensure an app is automatically installed for all users, you must configure the application assignments in Intune and set the app as “Required” for the target group.

Since Device1 is a member of Group1 (which has the app as Required), the app will be installed on Device1. Required apps are installed automatically and do not appear in the Company Portal for users to install manually. The uninstall assignment for Group2 does not apply to Device1, as it is not a member of Group2.

After entering the app details, you must upload the APK file directly to the Microsoft Intune admin center to deploy the app to managed Android devices.

To ensure Microsoft Visio is included in the deployment, you should first create a device configuration from the Microsoft 365 Apps admin center, where you can customize the Office installation to include Visio.

Microsoft Intune has a maximum IntuneWin file size limit of 8GB. Since the current file is 9GB, you must reduce the file size before deployment.

In a Conditional Access policy, you use Grant Controls to enforce requirements such as “Require device to be marked as compliant.” This ensures that only compliant devices can access Microsoft 365 services, blocking access from non-compliant devices and helping maintain your organization’s security standards.

The correct answer is D. Device experience because this section of the Device restrictions profile in Microsoft Intune for Android Enterprise corporate-owned work profile devices includes the configuration for kiosk mode settings. Kiosk mode allows administrators to lock down a device to a single app or a set of apps, ensuring the device is used only for its intended purpose?such as a point-of-sale terminal, digital sign, or dedicated business tool. The Device experience category provides options to configure this behavior, including selecting the kiosk app and enforcing restrictions that prevent users from exiting the app. The other settings?Users and Accounts, General, and System security?manage user permissions, baseline restrictions, and security configurations but do not control kiosk mode behavior, making Device experience the correct and most relevant option.

The correct answer is D. 1, 2, and 4 only because the Azure Log Analytics workspace is configured to collect all available events from the Application and System logs by default, which includes events such as Success, Information, and Error types. However, Security logs, like Event 3 with type Audit Success, require additional configuration and permissions to be collected, which is not stated in the scenario. Therefore, only the events from the Application and System logs?Event IDs 1, 2, and 4?are collected by default, making D the correct choice.

The correct answer is D. Endpoint analytics because it is specifically designed to provide insights into device performance and user experience, including metrics such as startup times, restart frequencies, and application reliability. Endpoint analytics is part of Microsoft Intune and is integrated into the Microsoft Endpoint Manager admin center. It helps IT administrators proactively identify and remediate performance issues across managed Windows devices. Unlike Azure Monitor (which focuses on infrastructure and application telemetry), Intune Data Warehouse (which is used for custom reporting and historical data analysis), or Microsoft Defender for Endpoint (which focuses on security and threat protection), Endpoint analytics is tailored to optimize end-user productivity and device health, making it the right tool for reviewing startup and restart metrics.

The correct answer is A. a Delete action because the goal is to immediately remove Device1 from Intune, even though the device has been offline for 30 days. The Delete action in Microsoft Intune removes the device record from Intune and flags it for removal. When the device next checks in, Intune will recognize that it was deleted and will automatically unenroll it, triggering the removal of all Intune-managed apps, settings, and data. Importantly, this action does not wipe user-installed apps, personal files, or OEM preinstalled software, which meets the requirement of retaining those elements. In contrast, the Retire action waits for the device to check in and cannot be initiated immediately for offline devices. Fresh Start and Autopilot Reset are used for resetting the OS and user state, which would remove personal data?therefore, they do not meet the requirement.

The correct answer is D. From the Microsoft Intune admin center, add an app because deploying Microsoft 365 Apps for enterprise to managed Windows 10 devices is done by adding the suite as an app deployment within Intune. Since the devices are already enrolled in MDM, Intune can push applications directly to them. The admin can go to the Apps section in the Microsoft Intune admin center, choose to add an app, select Microsoft 365 Apps for Windows 10, and configure the deployment settings to install the suite on all targeted devices. This method ensures automated and centralized installation across all enrolled computers.

The correct settings to configure in the Microsoft 365 Apps admin center are Device Configuration and Policy Management because these sections allow administrators to centrally manage app behavior and deployment settings. Device Configuration is used to control the installation behavior of Microsoft 365 apps, including enabling the automatic installation of WebView2 Runtime, which is required for certain modern app features. Policy Management, on the other hand, is used to enforce user-specific settings such as disabling feedback submission, ensuring users cannot send feedback to Microsoft. Together, these two settings meet both requirements effectively through centralized policy enforcement.

The correct answer is E. Client apps because this condition allows you to distinguish between modern authentication (like OAuth 2.0) and legacy authentication (such as basic authentication protocols like POP, IMAP, and older Office clients). In Conditional Access policies, selecting the Client apps condition lets you specifically target legacy authentication clients and apply access controls such as blocking access, without affecting users who authenticate with secure, modern methods. This approach ensures that App1 only accepts modern authentication as required, while blocking legacy sign-in attempts for User1, making it the most precise and effective choice.

Explanation: To deploy a custom Line-of-Business (LOB) app to iOS devices using Microsoft Intune, the app must be in the .ipa (iOS App Store Package) format. What is a .ipa file? .ipa stands for iOS App Store Package. It is the standard packaging format for iOS apps, whether published via the App Store or deployed internally via MDM solutions like Intune. For LOB deployment, the .ipa file must be signed with a valid enterprise distribution certificate (for internal use).

Explanation: App configuration policies in Microsoft Intune are platform-specific, not OS-version specific. In the table: Devices 1 and 2 run Android. Devices 3, 4, and 5 run iOS. Therefore, you only need: 1 policy for Android devices 1 policy for iOS devices

Device compliance policies in Intune can only be evaluated for devices that are enrolled in Intune. Enrolling devices is the first step to ensure that compliance policies are applied and that the device’s compliance status can be checked for Conditional Access. Without enrollment, Intune cannot manage or evaluate the device’s compliance.

In Microsoft Intune, when managing Win32 apps, you can define app dependencies. This means you can configure one app (e.g., App2) to depend on another app (e.g., App1) being installed first. ?? You configure app dependencies within the deployment configuration of the dependent app, which in this case is App2. When deploying App2, you specify that App1 is a required dependency. Intune will automatically install App1 first, and only after it is successfully installed, it will proceed to install App2.

Correct Answer: Policy type: App protection policy Minimum number of policies: 3 Scenario Recap: You have 5 devices with the following OS: Device1: Windows 10 Device2: Android 8.0 Device3: Android 9 Device4: iOS 11.0 Device5: iOS 11.4.1 All devices have App1 installed and are enrolled in Microsoft Intune. You want to prevent users from copying data from App1 to other apps, which is a data protection requirement. Why “App Protection Policy”? App Protection Policies (APP) are specifically designed to: Control data transfer between apps. Enforce copy/paste restrictions, encryption, PIN requirements, etc. These policies apply regardless of whether the device is enrolled or not (as long as it’s managed or has the supported app). This makes it the correct type of policy when you want to restrict data sharing or prevent copy-paste between managed and unmanaged apps. ? Why 3 Policies? App protection policies must be platform-specific, and in this case, you have three OS groups: Windows 10 (Device1) Android (Device2 and Device3) iOS (Device4 and Device5) Each platform requires its own App Protection Policy, so you need: 1 policy for Windows 1 policy for Android 1 policy for iOS Even though some OS versions are different (like Android 8 and 9), one policy can cover all supported versions of that platform. ? Conclusion: Use App Protection Policy to prevent data copying/pasting between apps. Create 3 separate policies, one each for Windows, Android, and iOS.

App configuration policies in Microsoft Intune are designed to manage settings inside mobile apps (like Outlook, Edge, or Teams) ? and are supported only on mobile platforms: Android (Device3) ? Supported iOS (Device4) ? Supported Windows devices (Device1: Windows 10 and Device2: Windows 11) ? do not support these app configuration policies in the same way. They use different configuration methods like device configuration profiles, not mobile app policies.

Windows Hello for Business provides a strong, passwordless authentication method using biometrics or PIN, combined with device-based two-factor authentication. Configuring it in the Account protection profile through Intune ensures all managed Windows 10 and 11 devices use this secure authentication method, replacing traditional passwords and enhancing security across the organization.

The rule device.deviceOSVersion -le ‘11.0’ will include all devices with an OS version less than or equal to 11.0, which matches the requirement to target devices running iOS 11 or older. This ensures that only the intended devices are included in the dynamic group for applying specific security policies.

The Android Enterprise work profile is specifically designed for BYOD scenarios. It creates a separate, secure container for work data and apps on the user’s personal device, ensuring that work and personal data remain isolated. This allows IT to manage only the work profile, protecting company data while respecting user privacy on their personal device.