Free MD-102 Practice Questions with Detailed Explanations

Test your endpoint administrator readiness with 25 free practice questions covering Windows deployment, Microsoft Intune, and device security.

18 min read
Updated April 2026
MD-102 Associate

The MD-102 (Microsoft 365 Endpoint Administrator) exam tests your ability to deploy, configure, secure, manage, and monitor devices and applications in an enterprise Microsoft 365 environment. If you manage endpoints using Intune, Windows Autopilot, or Configuration Manager, this exam validates your skills.

These 25 questions mirror real exam scenarios — no trivial definitions, only applied knowledge. Want broader exam context? Check out our MD-102 study guide or visit the MD-102 certification page for full details.

What You'll Get:

  • 25 scenario-based questions across all exam domains
  • Detailed explanations for every answer option
  • Real exam format — same style as Microsoft questions
  • Scoring guide to assess your readiness

What These Questions Cover

  • 8 questions: Deploy Windows Client (Autopilot, deployment profiles, Windows update rings)
  • 8 questions: Manage Identity & Compliance (Entra ID join, compliance policies, conditional access)
  • 9 questions: Manage & Protect Devices (Intune configuration, app management, endpoint security)

📝 Practice Test Instructions

  • Each question has ONE correct answer
  • Read each scenario carefully before selecting your answer
  • Keep track of your answers before scrolling to the answer key
  • Aim to complete all 25 questions in 25 minutes

Deploy Windows Client

Questions 1–8

Question 1: Windows Autopilot

Your organization is deploying 500 new laptops to remote employees. The devices will ship directly from the manufacturer. You want employees to self-provision their devices without IT involvement, with all apps and policies applied automatically upon first sign-in.

Which deployment method should you use?

A) Windows Autopilot user-driven mode
B) Windows Autopilot self-deploying mode
C) Windows Imaging and Configuration Designer (ICD)
D) Microsoft Deployment Toolkit (MDT)

Question 2: Autopilot Deployment Profile

You are configuring a Windows Autopilot deployment profile. You need to ensure the device is joined to Microsoft Entra ID (formerly Azure AD) and enrolled in Intune during OOBE, but the user should NOT be prompted to set up a PIN during initial setup.

Which setting should you configure in the deployment profile?

A) Set Join to Azure AD as Hybrid Azure AD joined
B) Set Join to Azure AD as Entra ID joined and skip PIN setup in the enrollment status page
C) Configure the Autopilot profile to skip all OOBE pages including privacy settings
D) Enable self-deploying mode to bypass user authentication

Question 3: Windows Update Rings

Your company wants to control how Windows feature updates are deployed to devices. The IT team should receive updates first (within 7 days), the general workforce after 21 days, and critical production systems after 45 days.

What should you configure in Microsoft Intune to achieve this staged rollout?

A) WSUS server groups with manual approval
B) A single update ring with a 45-day deferral for all devices
C) Windows Update for Business policies with different deferral periods per group
D) Configuration Manager software update groups

Question 4: Enrollment Status Page

During Autopilot deployment, users are reporting they can reach the desktop before their required security apps finish installing. A user accidentally deleted a required app before it finished enrolling. You need to block access to the desktop until all required apps are installed.

What should you configure?

A) Configure a conditional access policy requiring app installation
B) Create a device compliance policy that marks devices non-compliant if apps are missing
C) Use a PowerShell script to delay desktop loading
D) Set the Enrollment Status Page to block device use until required apps are installed

Question 5: Co-management

Your organization uses Configuration Manager for device management. You want to gradually move workloads to Microsoft Intune, starting with compliance policies, while keeping software distribution in Configuration Manager.

What should you enable to achieve this?

A) Co-management with a workload pilot for compliance policies moved to Intune
B) Microsoft Intune standalone enrollment for all devices
C) Configuration Manager cloud management gateway only
D) Hybrid Azure AD join without Intune enrollment

Question 6: Autopilot Reset

An employee is leaving the company. Their device needs to be wiped and reconfigured for a new employee while retaining the device's Autopilot registration. The device is Entra ID joined and managed by Intune.

What is the MOST efficient approach?

A) Perform a factory reset from device settings
B) Use Windows Autopilot Reset from Intune
C) Re-image the device using MDT
D) Delete the device from Intune and re-enroll manually

Question 7: Windows Subscription Activation

Your organization has Microsoft 365 E3 licenses. You want Windows 10 Pro devices to automatically upgrade to Windows 10 Enterprise when users sign in with their Microsoft 365 credentials, without any manual intervention.

Which feature enables this automatic upgrade?

A) Windows Autopilot
B) Microsoft Deployment Toolkit
C) Windows Subscription Activation
D) Group Policy software installation

Question 8: Delivery Optimization

Your organization has 1,000 devices in a branch office connected to HQ via a 50 Mbps WAN link. Windows updates are consuming the majority of this bandwidth during business hours. You want devices to share update content with each other locally rather than downloading from the internet individually.

Which feature should you configure?

A) BranchCache
B) WSUS downstream server
C) Connected Cache on a local server
D) Delivery Optimization with LAN peer-to-peer mode

Manage Identity & Compliance

Questions 9–16


Question 9: Entra ID Join vs Hybrid Join

Your company is migrating from on-premises AD to a cloud-first model. New devices will never need to access on-premises resources directly. You need the simplest identity join option that allows Intune management and SSO to Microsoft 365.

Which join type should you use for new devices?

A) Microsoft Entra ID Join
B) Hybrid Azure AD Join
C) Domain join to on-premises Active Directory only
D) Workplace Join (registered only)

Question 10: Intune Compliance Policies

You create a compliance policy in Intune requiring BitLocker encryption and a minimum OS version of Windows 11 22H2. A device fails compliance because BitLocker is not enabled. You want non-compliant devices to automatically lose access to Microsoft 365 after a 3-day grace period.

What must you configure in addition to the compliance policy?

A) A device configuration profile to enforce BitLocker
B) A conditional access policy that grants access only to compliant devices
C) An Intune remediation script to enable BitLocker automatically
D) A Windows Update ring to enforce the OS version

Question 11: Conditional Access

Your security team wants to ensure that only devices enrolled in Intune and marked compliant can access Exchange Online. BYOD devices that are not enrolled should be blocked.

What is the correct configuration?

A) Create an Intune app protection policy for Exchange Online
B) Enable multi-factor authentication for all Exchange Online users
C) Create a conditional access policy requiring a compliant device as a grant control, targeting Exchange Online
D) Create a device enrollment restriction to block personal devices

Question 12: App Protection Policies

Your organization allows employees to use personal iOS devices to access corporate email via the Outlook app. You do NOT want to enroll these personal devices in Intune. You need to prevent users from copying corporate data from Outlook to personal apps.

What should you configure?

A) Intune device compliance policy for iOS
B) Conditional access policy requiring Intune enrollment
C) Device enrollment profile for personal iOS devices
D) Intune app protection policy (MAM without enrollment)

Question 13: Enrollment Restrictions

Your company wants to prevent Android devices with OS versions below Android 10 from enrolling in Intune. Existing enrolled devices that are below this version should remain enrolled but new enrollments must be blocked.

What should you configure?

A) A device enrollment restriction with minimum OS version set to Android 10
B) A device compliance policy with minimum OS version requirement
C) A conditional access policy blocking Android devices below version 10
D) An Intune configuration profile blocking older Android versions

Question 14: BitLocker Management

You need to deploy BitLocker encryption to all company Windows 11 devices using Intune. Recovery keys must be automatically backed up to Microsoft Entra ID so IT can retrieve them if needed.

Which Intune policy type should you create?

A) Device compliance policy with BitLocker requirement
B) Endpoint security — Disk Encryption policy with BitLocker settings and recovery key backup to Azure AD
C) Device configuration profile — Administrative Templates — BitLocker
D) Intune remediation script to enable BitLocker

Question 15: Microsoft Defender for Endpoint Integration

You want to use the device risk level from Microsoft Defender for Endpoint in Intune compliance policies. Devices with high risk scores should automatically be marked non-compliant.

What must you configure first before using risk scores in compliance policies?

A) Enable co-management in Configuration Manager
B) Assign a Microsoft Defender for Endpoint P2 license to each device
C) Create a service-to-service connection between Intune and Microsoft Defender for Endpoint
D) Configure Microsoft Sentinel to ingest Defender for Endpoint alerts

Question 16: Windows Hello for Business

Your organization wants to eliminate password-based sign-in on all Intune-managed Windows 11 devices. Users should authenticate using a PIN or biometrics that are tied to the device and backed by the TPM. Entra ID is used as the identity provider.

What should you configure?

A) Azure AD Self-Service Password Reset
B) Microsoft Authenticator passwordless phone sign-in
C) FIDO2 security key enforcement via conditional access
D) Windows Hello for Business via Intune identity protection profile

Manage, Maintain & Protect Devices

Questions 17–25


Question 17: Intune Device Configuration Profiles

You need to configure all Windows 11 devices to disable USB storage devices, enforce a screensaver after 5 minutes of inactivity, and configure Windows Firewall settings. All settings must be centrally managed through Intune.

What should you create?

A) Three separate device configuration profiles (Device Restrictions, Endpoint Protection, Administrative Templates)
B) A device compliance policy covering all three requirements
C) A single PowerShell remediation script applying all settings
D) A Group Policy Object synced to Intune

Question 18: Intune App Deployment

You need to deploy Microsoft Teams to all enrolled Windows devices silently in the background without user interaction. If the deployment fails on any device, you want to be notified.

What app assignment type should you use in Intune?

A) Available for enrolled devices
B) Required
C) Uninstall
D) Available without enrollment

Question 19: Remote Actions

An employee reports their laptop was stolen. You need to immediately prevent anyone from accessing company data on the device, but the device has not checked in to Intune in 48 hours. You want to take the MOST immediate action available.

What remote action should you initiate from Intune?

A) Retire
B) Lock
C) Wipe (factory reset)
D) Delete device from Intune

Question 20: Intune Filters

You have a single device configuration profile that should only apply to Windows 11 devices running version 22H2 or later. You do not want to create separate groups for these devices.

What Intune feature allows you to scope a policy to devices matching specific properties without creating new device groups?

A) Device categories
B) Scope tags
C) Compliance policies with OS version requirements
D) Assignment filters

Question 21: Windows Defender Antivirus

You need to configure Microsoft Defender Antivirus scan schedules, exclusion paths, and real-time protection settings for all Intune-managed Windows devices through a single policy.

Where in Intune should you configure these Defender Antivirus settings?

A) Endpoint security — Antivirus — Windows Defender Antivirus policy
B) Device compliance — Microsoft Defender Antivirus
C) Device configuration — Administrative Templates
D) Endpoint security — Endpoint detection and response

Question 22: Attack Surface Reduction Rules

Your security team wants to prevent Office applications from spawning child processes, block executable content in email, and prevent credential theft from the Windows local security authority (LSA). These rules should be enforced (not just audited).

Where should you configure Attack Surface Reduction rules in Intune?

A) Device configuration — Endpoint protection profile
B) Endpoint security — Attack surface reduction policy
C) Device compliance — Windows Security settings
D) Security baselines — Microsoft Defender for Endpoint baseline

Question 23: Intune Reporting

Your management team wants a weekly report showing how many devices are compliant vs. non-compliant, broken down by OS version and assignment group. They want to receive this report by email automatically.

What is the BEST way to deliver this in Intune?

A) Use the built-in Intune compliance report and export to CSV manually
B) Create a custom Azure Monitor workbook
C) Configure a scheduled report in the Intune Reports section with email delivery
D) Export compliance data via Microsoft Graph API to Power BI

Question 24: Windows Information Protection

Your organization needs to prevent users from copying work data from managed apps to personal apps on corporate Windows devices enrolled in Intune, without encrypting personal data on the device.

Which feature provides this separation between work and personal app data?

A) Intune app protection policies (MAM)
B) Conditional access app enforced restrictions
C) BitLocker with TPM
D) Windows Information Protection (WIP) with Intune

Question 25: Endpoint Analytics

Your help desk reports that many users experience slow boot times and application startup delays. You want to proactively identify devices with poor performance scores and understand which startup processes are causing the delays, without running scripts on each device.

Which Microsoft Endpoint Manager feature provides these startup performance insights?

A) Endpoint Analytics — Startup performance
B) Microsoft Intune device diagnostics
C) Microsoft Defender for Endpoint device health
D) Azure Monitor for VMs

✋ Stop Here Before Scrolling!

Have you answered all 25 questions? Complete the test before checking the answers below.

Pro tips:

  • Write down your answers (1–25)
  • Track which topics you struggled with for focused study

📝 Answer Key with Detailed Explanations

Review each explanation carefully, even for questions you answered correctly

Quick Answer Reference

Q1: A | Q2: B | Q3: C | Q4: D | Q5: A
Q6: B | Q7: C | Q8: D | Q9: A | Q10: B
Q11: C | Q12: D | Q13: A | Q14: B | Q15: C
Q16: D | Q17: A | Q18: B | Q19: C | Q20: D
Q21: A | Q22: B | Q23: C | Q24: D | Q25: A
Question 1: Windows Autopilot

✓ Correct Answer: A) Windows Autopilot user-driven mode

Why this is correct:

User-driven mode is designed for scenarios where devices ship directly to end users. The user signs in with their corporate credentials and the device joins Entra ID, enrolls in Intune, and receives all assigned apps and policies automatically — no IT intervention needed at the device.

Why other answers are incorrect:

B: Self-deploying mode is for kiosk/shared devices with no user affinity — it uses device certificates, not user credentials. Not appropriate for personal employee laptops.
C: ICD is used to create provisioning packages, not for large-scale cloud-driven deployment directly from manufacturer.
D: MDT requires on-premises infrastructure and IT involvement — not suitable for direct-ship remote deployment.

💡 Key Concept:

User-driven = employee signs in themselves. Self-deploying = no user, uses device identity (TPM). Pre-provisioned = IT does partial setup then ships.

Question 2: Autopilot Deployment Profile

✓ Correct Answer: B) Set Join to Azure AD as Entra ID joined and skip PIN setup in the enrollment status page

Why this is correct:

The Autopilot deployment profile controls the join type (Entra ID vs Hybrid). PIN setup is controlled through the ESP (Enrollment Status Page) or Windows Hello for Business policy — you can skip specific OOBE pages in the profile settings.

Why other answers are incorrect:

A: Hybrid join requires line-of-sight to a domain controller and is for orgs still using on-premises AD. Not the cloud-first approach described.
C: Skipping all OOBE pages is available but doesn't specifically address the PIN requirement and may skip required consent pages.
D: Self-deploying mode is for shared/kiosk devices, not personal employee devices.

💡 Key Concept:

In Autopilot profiles you can hide specific OOBE screens: privacy settings, EULA, keyboard, account type. Windows Hello PIN skip is a separate setting.

Question 3: Windows Update Rings

✓ Correct Answer: C) Windows Update for Business policies with different deferral periods per group

Why this is correct:

Windows Update for Business (configured in Intune as Update Rings) allows you to set deferral periods for feature and quality updates. By assigning different rings with 7, 21, and 45-day deferrals to different device groups, you achieve staged rollout without on-premises infrastructure.

Why other answers are incorrect:

A: WSUS requires on-premises infrastructure and manual management — not cloud-native.
B: A single ring with 45 days applies the same delay to all devices — no staged rollout.
D: Configuration Manager is not being used exclusively here; the question implies Intune-managed devices.

💡 Key Concept:

Update Ring deferral: 0 days = gets update immediately after release. 7 days = 7 days after release. Rings should be assigned to AAD groups (pilot, broad, critical).

Question 4: Enrollment Status Page

✓ Correct Answer: D) Set the Enrollment Status Page to block device use until required apps are installed

Why this is correct:

The ESP (Enrollment Status Page) has a setting "Block device use until all apps and profiles are installed." When enabled, users cannot access the desktop until all required apps finish installing. This is specifically designed to prevent users from using a partially configured device.

Why other answers are incorrect:

A: Conditional access blocks app access but doesn't block the desktop experience during OOBE.
B: Compliance policies mark devices non-compliant after the fact — they don't prevent desktop access during initial setup.
C: PowerShell scripts are not the right mechanism and can be unreliable.

💡 Key Concept:

ESP applies during Autopilot enrollment AND regular Intune enrollment. You can target specific apps as "blocking apps" in the ESP profile.

Question 5: Co-management

✓ Correct Answer: A) Co-management with a workload pilot for compliance policies moved to Intune

Why this is correct:

Co-management allows organizations running Configuration Manager to simultaneously manage devices with Intune. Individual workloads (compliance, device configuration, resource access, etc.) can be moved to Intune independently using pilot collections, enabling a gradual migration.

Why other answers are incorrect:

B: Intune standalone enrollment would remove devices from Configuration Manager management entirely — not a gradual migration.
C: CMG extends ConfigMgr to internet-connected devices but doesn't move workloads to Intune.
D: Hybrid join enables device identity but doesn't address management workload distribution.

💡 Key Concept:

Co-management workloads (7 total): Compliance, Device Configuration, Resource Access Policies, Endpoint Protection, Windows Update for Business, Client Apps, and Office Click-to-Run.

Question 6: Autopilot Reset

✓ Correct Answer: B) Use Windows Autopilot Reset from Intune

Why this is correct:

Windows Autopilot Reset removes user data and resets the device to a ready-to-deploy state while preserving the device's Autopilot registration, Entra ID join, and Intune enrollment. The next user can sign in and receive their profile automatically. It's faster than re-imaging and doesn't lose the device registration.

Why other answers are incorrect:

A: Factory reset removes the Autopilot registration from the device's BIOS/UEFI — the device may not automatically re-enter Autopilot provisioning.
C: MDT re-imaging is more complex, requires more time, and loses the Autopilot benefits.
D: Deleting from Intune then re-enrolling manually defeats the purpose of Autopilot.

💡 Key Concept:

Autopilot Reset vs Wipe vs Retire: Reset = reconfigure for new user, keeps Autopilot. Wipe = factory reset, may remove Autopilot. Retire = removes corporate data, leaves personal data.

Question 7: Windows Subscription Activation

✓ Correct Answer: C) Windows Subscription Activation

Why this is correct:

Windows Subscription Activation (formerly Windows 10/11 Enterprise E3/E5 via subscription) automatically upgrades Windows Pro to Enterprise when a user signs in with a Microsoft 365 license that includes Windows Enterprise rights. No imaging or manual upgrade required — the license does it automatically.

Why other answers are incorrect:

A: Autopilot handles deployment and configuration, not the Windows edition upgrade itself.
B: MDT can perform edition upgrades but requires manual processes and on-premises infrastructure.
D: GPO software installation deploys apps, not OS edition upgrades.

💡 Key Concept:

Subscription Activation requires: Windows Pro device + Microsoft 365 E3/E5 or Windows 10/11 Enterprise subscription + Entra ID user account. The upgrade happens transparently.

Question 8: Delivery Optimization

✓ Correct Answer: D) Delivery Optimization with LAN peer-to-peer mode

Why this is correct:

Delivery Optimization is a built-in Windows feature that enables peer-to-peer content sharing. In LAN mode, devices download updates once from the internet then share with other devices on the same local network, dramatically reducing WAN bandwidth consumption.

Why other answers are incorrect:

A: BranchCache also does peer caching but is older technology and requires more configuration; Delivery Optimization is the modern, cloud-integrated successor.
B: WSUS downstream server still downloads from the internet, just distributes internally — requires server infrastructure.
C: Connected Cache (Microsoft Connected Cache) is excellent but requires a dedicated server — LAN peer mode is simpler for many branch scenarios.

💡 Key Concept:

Delivery Optimization modes: HTTP only, LAN (P2P), Group (P2P across subnets/VLANs), Internet (P2P across internet), Simple (no P2P), Bypass. Configure via Intune Update Ring or DO policy.

Question 9: Entra ID Join vs Hybrid Join

✓ Correct Answer: A) Microsoft Entra ID Join

Why this is correct:

Entra ID Join (formerly Azure AD Join) is the cloud-native option — perfect for devices that only need access to cloud resources (Microsoft 365, Azure). It's simpler to configure than Hybrid Join, doesn't require domain controllers or line-of-sight to on-premises AD, and enables full Intune management.

Why other answers are incorrect:

B: Hybrid Azure AD Join requires on-premises AD infrastructure and is designed for devices that need access to both on-premises and cloud resources.
C: Domain join alone provides no cloud identity benefits and still requires on-premises infrastructure.
D: Workplace Join (registered) provides limited management capabilities — it's for BYOD, not corporate devices.

💡 Key Concept:

Decision tree: Need on-prem resources (file shares, printers via LDAP) → Hybrid Join. Cloud-only workloads → Entra ID Join. Personal BYOD → Register/Workplace Join.

Question 10: Intune Compliance Policies

✓ Correct Answer: B) A conditional access policy that grants access only to compliant devices

Why this is correct:

Compliance policies alone only mark devices as compliant or non-compliant — they don't enforce access restrictions by themselves. You must pair them with a Conditional Access policy that uses "Require device to be marked as compliant" as a grant control. The 3-day grace period is configured in the compliance policy itself.

Why other answers are incorrect:

A: Configuration profiles can enforce BitLocker but don't connect compliance to access control.
C: Remediation scripts can fix issues but can't enforce access restrictions directly.
D: Update rings manage Windows Update, not BitLocker or access control.

💡 Key Concept:

Compliance + Conditional Access = enforcement. Compliance alone = reporting/marking only. Always pair compliance policies with CA policies to block non-compliant access.

Question 11: Conditional Access

✓ Correct Answer: C) Create a conditional access policy requiring a compliant device as a grant control, targeting Exchange Online

Why this is correct:

Conditional Access with "Require device to be marked as compliant" grant control checks Intune compliance before granting access to the specified cloud app (Exchange Online). BYOD devices not enrolled in Intune can never be marked compliant, so they're effectively blocked.

Why other answers are incorrect:

A: App protection policies (MAM) protect data within apps but don't block unenrolled devices from accessing Exchange Online entirely.
B: MFA verifies the user but not the device state — a non-compliant device could still access Exchange after MFA.
D: Enrollment restrictions prevent enrollment but don't block existing personal devices from accessing Exchange.

💡 Key Concept:

Common CA grant controls: MFA, Compliant device, Hybrid AD joined, Approved client app, App protection policy. For full device blocking, use "Require compliant device."

Question 12: App Protection Policies

✓ Correct Answer: D) Intune app protection policy (MAM without enrollment)

Why this is correct:

Mobile Application Management (MAM) without enrollment (also called MAM-WE or MAM-only) allows Intune to manage apps on personal devices without enrolling the device. App protection policies can prevent copy/paste between managed and unmanaged apps, require PIN to open managed apps, and remotely wipe corporate data from the app only.

Why other answers are incorrect:

A: Device compliance policies require device enrollment — personal BYOD devices would need to enroll.
B: While you could create a BYOD enrollment profile or CA policy requiring enrollment, the scenario says no enrollment.
C: This would force personal device enrollment, which the question explicitly wants to avoid.

💡 Key Concept:

MAM-WE protects: Outlook, Teams, OneDrive, Edge, and other managed apps on unenrolled devices. It can enforce cut/copy restrictions, PIN, and selective wipe of corporate data only.

Question 13: Enrollment Restrictions

✓ Correct Answer: A) A device enrollment restriction with minimum OS version set to Android 10

Why this is correct:

Device enrollment restrictions in Intune allow you to control which devices can enroll based on platform, OS version, and whether they're personally owned. Setting a minimum Android version blocks new enrollments for older devices without affecting already-enrolled devices.

Why other answers are incorrect:

B: Compliance policies with OS version requirements mark enrolled devices as non-compliant but don't block them from enrolling in the first place.
C: Conditional access can block access for non-compliant devices but doesn't prevent enrollment.
D: Configuration profiles configure devices post-enrollment, not pre-enrollment.

💡 Key Concept:

Enrollment restrictions are evaluated BEFORE enrollment. Compliance policies are evaluated AFTER enrollment. Use restrictions to prevent old/unsupported devices from enrolling.

Question 14: BitLocker Management

✓ Correct Answer: B) Endpoint security — Disk Encryption policy with BitLocker settings and recovery key backup to Azure AD

Why this is correct:

The Endpoint Security > Disk Encryption policy in Intune is specifically designed for BitLocker and FileVault management. It includes settings for recovery key storage location (Azure AD is a supported option), encryption algorithms, and startup authentication. Recovery keys backed up to Entra ID can be retrieved by admins or self-served by users.

Why other answers are incorrect:

A: Compliance policies require BitLocker but don't configure or deploy it — they only check if it's present.
C: Administrative Templates can configure BitLocker via GPO-equivalent settings but it's more complex and doesn't have the built-in recovery key backup to Azure AD as a primary setting.
D: Remediation scripts can enable BitLocker but are less manageable and don't integrate with Intune's encryption reporting.

💡 Key Concept:

BitLocker recovery key backup: Intune Disk Encryption policy → Configure "Save BitLocker recovery information to Azure AD" = Required. Keys then appear in Entra ID device properties or Intune device details.

Question 15: Microsoft Defender for Endpoint Integration

✓ Correct Answer: C) Create a service-to-service connection between Intune and Microsoft Defender for Endpoint

Why this is correct:

To use MDE device risk levels in Intune compliance policies, you must first establish a service connection in the Intune admin center (Endpoint security > Microsoft Defender for Endpoint > Open the Microsoft Defender for Endpoint admin console). This connection allows Intune to receive device risk signals from MDE.

Why other answers are incorrect:

A: Co-management is for Configuration Manager integration — not required for MDE integration with Intune.
B: MDE P2 licenses are needed for some features but the connector setup is the prerequisite step, not the license assignment to devices.
D: Microsoft Sentinel is a SIEM/SOAR solution — it doesn't feed device risk into Intune compliance.

💡 Key Concept:

MDE-Intune integration steps: 1) Enable connection in Intune, 2) Enable connection in MDE, 3) Create a compliance policy using "Require the device to be at or under the machine risk score," 4) Assign CA policy.

Question 16: Windows Hello for Business

✓ Correct Answer: D) Windows Hello for Business via Intune identity protection profile

Why this is correct:

Windows Hello for Business (WHfB) replaces passwords with strong two-factor authentication using PIN or biometrics backed by TPM. Configured through Intune's Identity Protection profile (or Endpoint Security > Account Protection), it binds credentials to the device's TPM, making them non-exportable and phishing-resistant.

Why other answers are incorrect:

A: SSPR allows users to reset their passwords — it doesn't eliminate password sign-in.
B: Authenticator passwordless is phone-based — it doesn't use the device's TPM and requires the Authenticator app on a phone.
C: FIDO2 keys are physical hardware tokens — not the same as built-in PIN/biometric authentication.

💡 Key Concept:

WHfB vs FIDO2: WHfB = built into Windows, uses device TPM, PIN+biometrics. FIDO2 = external hardware key or passkey. Both are passwordless but WHfB is the built-in Windows solution.

Question 17: Intune Device Configuration Profiles

✓ Correct Answer: A) Three separate device configuration profiles (Device Restrictions, Endpoint Protection, Administrative Templates)

Why this is correct:

In Intune, different settings categories are managed through different profile types. USB restrictions fall under Device Restrictions, firewall settings under Endpoint Protection, and screensaver under Administrative Templates (ADMX-backed policies). While you could use Settings Catalog to combine them, creating separate targeted profiles is best practice for manageability.

Why other answers are incorrect:

B: Compliance policies check if settings are present — they don't configure or enforce settings on the device.
C: PowerShell scripts work, but they are harder to manage and report on, and they aren't idempotent by default.
D: GPOs are not synced to Intune; Intune uses its own policy engine that mirrors GPO capabilities.

💡 Key Concept:

Intune profile types: Device Restrictions (general limits), Endpoint Protection (Defender, firewall, BitLocker), Administrative Templates (ADMX policies), Settings Catalog (combines all settings in one place).

Question 18: Intune App Deployment

✓ Correct Answer: B) Required

Why this is correct:

"Required" assignment in Intune installs the app automatically on targeted devices/users without user interaction. The device will install the app silently in the background. Intune reports installation status per device, and you can view failed installations in the app deployment report.

Why other answers are incorrect:

A: "Available" adds the app to Company Portal for users to self-install — it does not push automatically.
C: "Uninstall" removes the app from devices.
D: "Available without enrollment" allows unenrolled devices to install via Company Portal — no silent push.

💡 Key Concept:

App assignment types: Required = force install, Available = self-service install via Company Portal, Uninstall = force remove, Available without enrollment = BYOD self-service. A silent install requires a Win32 app or MSI package with silent install switches.

Question 19: Remote Actions

✓ Correct Answer: C) Wipe (factory reset)

Why this is correct:

When a device is stolen, Wipe (factory reset) removes ALL data including corporate data and returns the device to factory state. Even though the device hasn't checked in, the wipe command is queued in Intune and will execute when the device next connects to the internet. This is the most complete data protection action.

Why other answers are incorrect:

A: Retire removes only corporate data but leaves personal apps/data — less secure for a confirmed stolen device.
B: Lock requires the device to be online to execute and only locks the screen — doesn't remove data.
D: Deleting from Intune removes it from management but doesn't wipe corporate data from the device.

💡 Key Concept:

Wipe vs Retire: Wipe = full factory reset (nuclear option). Retire = selective wipe of corporate data only (good for BYOD offboarding). Both queue and execute on next check-in.

Question 20: Intune Filters

✓ Correct Answer: D) Assignment filters

Why this is correct:

Assignment filters let you target policies to devices matching specific properties (OS version, device model, enrollment type) at assignment time, without creating separate device groups. They use managed device properties and evaluate dynamically when a device checks in.

Why other answers are incorrect:

A: Device categories allow devices to be placed in groups based on user selection during enrollment — they don't filter by OS version dynamically.
B: Scope tags control admin visibility (RBAC), not policy targeting.
C: Compliance policies assess whether a device meets requirements — they don't control which configuration profile is applied.

💡 Key Concept:

Filter syntax example: (osVersion -startsWith "10.0.19045") targets Windows 11 22H2. Filters can be used as Include or Exclude at the assignment level of any policy.

Question 21: Windows Defender Antivirus

✓ Correct Answer: A) Endpoint security — Antivirus — Windows Defender Antivirus policy

Why this is correct:

The Endpoint Security > Antivirus section in Intune is the dedicated area for configuring Microsoft Defender Antivirus settings. It provides a clean interface for scan schedules, exclusions, real-time protection, and cloud-delivered protection, with clear reporting on AV status per device.

Why other answers are incorrect:

B: Device compliance Defender settings only check if Defender is enabled (for compliance) — they don't configure it.
C: Administrative Templates can configure Defender via ADMX policies, but the Endpoint Security AV profile is the modern, preferred approach.
D: EDR (Endpoint Detection and Response) configures MDE integration, not AV scan settings.

💡 Key Concept:

Endpoint Security in Intune has dedicated blades: Antivirus, Disk Encryption, Firewall, EDR, Attack Surface Reduction, and Account Protection — use the matching blade for each security domain.

Question 22: Attack Surface Reduction Rules

✓ Correct Answer: B) Endpoint security — Attack surface reduction policy

Why this is correct:

Attack Surface Reduction (ASR) rules are configured in Intune under Endpoint Security > Attack surface reduction. You can set each rule to Audit (log only), Block (enforce), or Off. The three rules mentioned (Office child processes, executable email content, LSASS protection) are all standard ASR rules.

Why other answers are incorrect:

A: The Endpoint protection profile has some Defender settings, but ASR rules have their own dedicated Endpoint Security policy.
C: Compliance policies don't configure or enforce ASR rules.
D: MDE security baseline includes recommended settings but you should use the dedicated ASR policy for specific rule enforcement.

💡 Key Concept:

Common ASR rules to know for MD-102: Block Office apps from creating executable content, Block credential stealing from LSASS, Block untrusted/unsigned processes from USB, Block Office from creating child processes.
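
The Antivirus and ASR policies in Questions 21 and 22 are configured in Intune, but a practitioner also wants to confirm on the endpoint that they applied. The following is an added example, not code from the original page or from Microsoft: it reads the local Defender state with the Get-MpPreference and Get-MpComputerStatus cmdlets and reports whether the three ASR rules named above are actually in Block mode. The rule GUIDs are Microsoft's published identifiers for those rules; the function names are chosen here.

```powershell
# Added example, not from the original page: verify on a single Intune-managed
# Windows endpoint that the Endpoint Security Antivirus (Q21) and ASR (Q22)
# policies actually applied. Run in an elevated PowerShell on the device.
# The GUIDs are Microsoft's published ASR rule identifiers for three of the
# rules named in the Question 22 explanation.
$AsrRules = @{
    'Block all Office applications from creating child processes' = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    'Block executable content from email client and webmail'      = 'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'
    'Block credential stealing from LSASS'                         = '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2'
}

# Get-MpPreference reports each ASR rule's mode as an integer code.
$AsrMode = @{ 0 = 'Off'; 1 = 'Block'; 2 = 'Audit'; 5 = 'NotConfigured'; 6 = 'Warn' }

function Get-AsrRuleState {
    param([hashtable]$Rules = $AsrRules)
    $pref = Get-MpPreference
    # Defender exposes two parallel arrays (Ids and Actions); join them by index.
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    $applied = @{}
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $applied[([string]$ids[$i]).ToUpper()] = [int]$actions[$i]
    }
    foreach ($name in $Rules.Keys) {
        $id = $Rules[$name].ToUpper()
        # A rule missing from the Ids array was never configured by any policy.
        $code = if ($applied.ContainsKey($id)) { $applied[$id] } else { 5 }
        [pscustomobject]@{
            Rule     = $name
            Mode     = $AsrMode[$code]
            Enforced = ($code -eq 1)   # only Block actually prevents the behaviour
        }
    }
}

function Get-AvPolicyState {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    [pscustomobject]@{
        RealTimeProtection = $status.RealTimeProtectionEnabled
        CloudProtection    = ($pref.MAPSReporting -ne 0)    # 0 = MAPS disabled
        SignatureAgeDays   = $status.AntivirusSignatureAge
        ExclusionCount     = @($pref.ExclusionPath).Count   # review every exclusion
        TamperProtection   = $status.IsTamperProtected
    }
}

Get-AvPolicyState | Format-List
Get-AsrRuleState  | Sort-Object Enforced | Format-Table -AutoSize
```

A rule reported as Audit or NotConfigured on a device that should be in Block mode points at an assignment, filter, or policy-conflict problem to chase in the Intune device status report.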

Question 23: Intune Reporting

✓ Correct Answer: C) Configure a scheduled report in the Intune Reports section with email delivery

Why this is correct:

Intune's built-in Reports section (Reports > Device compliance) supports scheduled reports that can be automatically emailed to specified recipients on a weekly basis. You can filter by OS and compliance state and configure the exact columns needed.

Why other answers are incorrect:

A: Manual CSV exports require someone to log in and export — not automated.
B: Azure Monitor workbooks provide powerful visualization but don't have built-in email scheduling.
D: Power BI via Graph API is very powerful but complex to set up and maintain for a simple weekly report.

💡 Key Concept:

Intune scheduled reports: Reports > select a report > Configure schedule > set recurrence (daily/weekly/monthly) > add email recipients. Available for compliance, device configuration, and app reports.

Question 24: Windows Information Protection

✓ Correct Answer: D) Windows Information Protection (WIP) with Intune

Why this is correct:

Windows Information Protection (WIP) separates corporate and personal data on Windows devices. It tags corporate data and prevents it from moving to unmanaged apps (copy/paste, save as, share). It doesn't encrypt personal files — only corporate-tagged data is protected, avoiding user privacy concerns.

Why other answers are incorrect:

A: Intune app protection policies (MAM) work on mobile platforms (iOS/Android) primarily, or on managed apps only on Windows — WIP is specifically designed for Windows corporate/personal data separation.
B: CA app enforced restrictions control app access, not intra-device data flow between apps.
C: BitLocker encrypts the entire drive including personal data — not the targeted protection needed here.

💡 Key Concept:

WIP protection levels: Silent (log violations, allow override), Override (warn user), Block (prevent data movement). WIP is being deprecated in favor of Microsoft Purview Information Protection — know both for the exam.

Question 25: Endpoint Analytics

✓ Correct Answer: A) Endpoint Analytics — Startup performance

Why this is correct:

Endpoint Analytics collects telemetry from Intune-managed devices and provides insights including startup performance scores, boot time breakdowns by phase (BIOS/OS/login), and app reliability scores. It identifies devices with poor scores and drills into specific processes causing delays — no scripts needed.

Why other answers are incorrect:

B: Intune device diagnostics collects logs for troubleshooting individual devices — not a fleet-wide performance dashboard.
C: MDE device health shows security posture, not startup performance metrics.
D: Azure Monitor for VMs is for Azure-hosted VMs, not on-premises/physical endpoints.

💡 Key Concept:

Endpoint Analytics provides: Startup performance, App reliability, Work from anywhere score, Battery health, Resource performance. All derived from Intune telemetry — zero additional agents needed.

📊 How Did You Score?

23–25 (Exam Ready): Excellent! Schedule your exam now.
19–22 (Almost There): Review your weak areas and practice more.
14–18 (Keep Studying): Focus on Intune policies and compliance.
0–13 (More Study Needed): Work through the MD-102 study guide.

Ready for More MD-102 Practice?

These 25 questions are just a sample. The actual MD-102 exam has 40–60 questions.

MSCertQuiz MD-102 includes 500 questions covering:

  • Windows Autopilot all modes (user-driven, self-deploying, pre-provisioned)
  • Intune compliance, configuration, and app policies in depth
  • Endpoint security — Defender AV, ASR, EDR, firewall
  • Co-management and workload migration scenarios
  • All question formats: scenario, drag-and-drop, and ordering

$14.99 One-Time Payment

Lifetime access • No subscription • 500 questions