1) Enroll & Prepare (Identity, RBAC, Groups, Autopilot) — Q1–Q20
Q1. You need least-privilege access to manage Intune device policies. Which built-in role?
A. Global Administrator
B. Intune Administrator
C. Policy and Profile Manager
D. Help Desk Operator
Q2. You must let junior admins view device inventory but not change it. Which role?
A. Read Only Operator
B. Endpoint Security Manager
C. Application Manager
D. School Administrator
Q3. A dynamic device group should include only Windows 11 24H2 devices. Best rule?
A. (deviceOSType -eq "Windows")
B. (deviceOSVersion -ge "10.0.22000")
C. (operatingSystem -contains "Windows 11 24H2")
D. (deviceManufacturer -eq "Microsoft")
Q4. Device filters are evaluated at:
A. Group creation time
B. Policy assignment time
C. Device enrollment time
D. License assignment time
Q5. You need to block enrollment for personal Windows PCs. Where?
A. Enrollment device platform restrictions
B. Conditional Access
C. Device compliance policy
D. Update rings
Q6. Co-management requires:
A. Azure AD Joined only
B. SCCM client + Entra registration
C. GPO enrollment only
D. Cloud-only devices
Q7. A user cannot enroll due to exceeded device limit. Fix?
A. Grant Global Admin
B. Increase device limit per user
C. Reset device
D. Revoke user’s license
Q8. Autopilot needs which ID to register a device?
A. MAC address
B. SMBIOS/Hardware hash
C. TPM EKpub
D. Serial + model only
Q9. To force OOBE to enroll before desktop access:
A. ESP in blocking mode
B. Co-management
C. Company Portal required
D. Assigned access
Q10. Autopilot profile “User-driven Azure AD Join” does:
A. Hybrid join via VPN
B. Local account only
C. Entra join with user sign-in
D. Wipe and keep data
Q11. For Hybrid Azure AD Join with Autopilot you usually need:
A. Azure AD Connect or Cloud Trust
B. No line of sight to DCs
C. No network requirements
D. Always VPN off
Q12. To pre-assign apps and policies for a site rollout, use:
A. Policy Sets
B. Device Categories
C. Scope tags only
D. Filters only
Q13. Which scope limits what admins can see and target?
A. RBAC roles
B. Scope tags
C. Device categories
D. Filters
Q14. You must ensure devices enroll only if TPM 2.0 exists. Use:
A. Compliance policy
B. Device filter on assignment
C. Configuration profile
D. Update ring
Q15. Windows Autopilot Reset:
A. Preserves user data
B. Removes personal files and apps; keeps enrollment
C. Full wipe and unassign
D. Converts to kiosk
Q16. To collect Autopilot hashes at scale from running devices:
A. MDM diagnostics
B. Get-WindowsAutopilotInfo PowerShell
C. DISM /online
D. Sysprep /oobe
Q17. ESP hangs at “Account setup”. Likely blocker?
A. Missing Intune license
B. Required app install failure
C. Wrong time zone
D. Disabled TPM
Q18. AAD registration vs join: registered means:
A. Primary sign-in uses cloud account
B. Device identity only for MAM/APP
C. Device is domain joined
D. Always requires ESP
Q19. To stop BYOD Windows enrollment but allow MAM on mobile:
A. Block Windows enrollment; allow iOS/Android MAM
B. Block all platforms
C. Require DEP/ADE
D. Use Update rings
Q20. Windows Autopatch manages:
A. Defender signatures only
B. Microsoft 365 Apps only
C. Windows updates + M365 Apps servicing
D. Firmware only
2) Configure Devices (Profiles, Settings Catalog, Security Baselines) — Q21–Q40
Q21. For granular Windows settings with CSPs, use:
A. Templates only
B. Settings Catalog
C. Update rings
D. Compliance policy
Q22. To hide Settings → Accounts → Access work or school:
A. Administrative Templates
B. Settings Catalog
C. Custom OMA-URI
D. Any of the above
Q23. Security Baselines are:
A. Update channels
B. Recommended Microsoft configurations
C. Custom scripts
D. Conditional Access templates
Q24. Baseline conflict resolution uses:
A. Most restrictive always
B. Higher priority policy
C. Latest modified policy
D. Device name sort
Q25. To set a local admin on Entra-joined devices:
A. LAPS only
B. Endpoint Security → Account protection (Local user group)
C. Update rings
D. Compliance policy
Q26. To configure BitLocker with recovery key escrow:
A. Endpoint Security → Disk Encryption
B. Windows Update for Business
C. Microsoft Store app
D. Device cleanup rules
Q27. To lock a device to a single UWP app:
A. Assigned access (kiosk)
B. Delivery Optimization
C. AppLocker only
D. Windows Sandbox
Q28. To push a custom registry value via MDM:
A. LOB app
B. OMA-URI custom policy
C. Compliance policy
D. Autopatch
Q29. You need WDAC policy deployment. Where?
A. Endpoint Security → Attack surface reduction
B. Compliance
C. Update rings
D. Company Portal
Q30. Recommended way to set Edge homepage for all users:
A. GPO only
B. Settings Catalog / Administrative Templates (Edge)
C. Scripts only
D. Compliance
Q31. To allow Standard users to elevate specific apps on demand:
A. LAPS
B. Endpoint Privilege Management
C. UAC disabled
D. Run as different user
Q32. Intune Device Cleanup rule affects:
A. Unenrolled devices after N days
B. Deleted users
C. App updates
D. Compliance drift
Q33. Scope tags are assigned to:
A. Only groups
B. Objects (profiles, apps, etc.) and admins
C. Only devices
D. Only roles
Q34. To pause Config Refresh (Windows 11) briefly for troubleshooting:
A. Not possible
B. Device Restriction profile
C. Graph API pause
D. Delivery Optimization policy
Q35. To set PowerShell scripts to run in user context:
A. Device configuration only
B. Script settings → Run this script using the logged-on credentials
C. Impossible
D. Use Win32 app wrapper
Q36. To deploy a Wi-Fi profile using certificate auth (EAP-TLS):
A. Device restrictions
B. Wi-Fi profile + SCEP/PKCS cert profiles
C. Update rings
D. Compliance policy
Q37. Which profile controls Windows Hello for Business?
A. Compliance
B. Identity protection (Settings Catalog/Template)
C. Update ring
D. App configuration
Q38. To block Control Panel for students but allow admins:
A. Tag devices with scope tags
B. Use two policies with device filters by user group
C. Update rings
D. Compliance
Q39. Local Administrator Password Solution (Windows LAPS) stores passwords in:
A. Intune only
B. Entra ID
C. Azure Key Vault
D. MDE portal
Q40. Windows LAPS reset can be triggered from:
A. Intune device actions
B. Windows Update settings
C. Company Portal user action
D. Defender policy
3) Protect & Comply (Compliance, CA signals, MDE, DLP basics) — Q41–Q60
Q41. Compliance policies evaluate:
A. Required configuration state
B. Update deadlines
C. App installs
D. Enrollment restrictions
Q42. A device shows “Not compliant” for BitLocker. Fix first?
A. Reimage
B. Confirm policy target + TPM and encryption status
C. Remove user
D. Disable Secure Boot
Q43. Mark device noncompliant if antivirus real-time protection is off. Use:
A. Endpoint security AV policy
B. Compliance policy setting
C. Update ring
D. App configuration
Q44. Noncompliant → block access to M365. Where?
A. Conditional Access with “Require compliant device”
B. Update rings
C. App Protection Policy
D. Defender Firewall
Q45. To delay marking noncompliance for 3 days:
A. Grace period in compliance policy
B. Update deferral
C. Device cleanup
D. Enrollment restriction
Q46. Defender for Endpoint integration with Intune enables:
A. Risk-based compliance + Security tasks
B. Only AV scans
C. Autopatch
D. Windows Hello
Q47. MDE exposes device risk level. Intune can:
A. Ignore it
B. Use risk as compliance condition
C. Turn off telemetry
D. Replace BitLocker
Q48. App Protection Policies (MAM) apply to:
A. Enrolled devices only
B. Unmanaged and managed apps with SDK/broker
C. Only Windows
D. Only iOS
Q49. For Windows information protection on corporate devices now:
A. Use legacy WIP
B. Use MAM for Windows
C. Use Endpoint DLP/Purview
D. Not supported
Q50. To auto-remediate missing Defender updates:
A. Compliance only
B. Proactive remediations or Endpoint security policy
C. Store app
D. Update rings
Q51. To restrict copy/paste between work and personal apps (mobile):
A. App configuration
B. App Protection Policy
C. Compliance
D. Update rings
Q52. Which is not a compliance action?
A. Send email to user
B. Mark device noncompliant
C. Remote wipe
D. Send push notification
Q53. To collect Defender Antivirus logs at scale for analysis:
A. Intune Data Warehouse
B. MDE advanced hunting / device timeline
C. Windows Update logs
D. Endpoint Analytics only
Q54. Endpoint Security → Firewall policies manage:
A. Only domain profile
B. All firewall profiles and rules
C. Only private profile
D. None
Q55. Attack Surface Reduction rules deploy via:
A. Update rings
B. Endpoint Security policies
C. Compliance
D. Store app
Q56. You need App Control for Business (WDAC) allow-list. Where to monitor blocks?
A. MDE security recommendations
B. Event Viewer only
C. Windows Update
D. Company Portal
Q57. Conditional Access needs device state. Intune provides:
A. Device compliance signal
B. Device filter
C. Scope tag
D. Management certificate
Q58. To ensure devices report health regularly:
A. Co-management baseline
B. MDM check-in occurs automatically; monitor last check-in
C. User runs Company Portal
D. Update rings daily
Q59. Device shows “Not evaluated.” Reason?
A. Device asleep/offline
B. Wrong scope tag
C. License exceeded
D. Duplicate GUIDs
Q60. Best practice for production rollout of security policies:
A. Assign to all devices immediately
B. Pilot ring → expand
C. Exclude all admins
D. Rely on defaults
4) Manage Apps (Win32/MSI/Store, EAM, Config, Updates) — Q61–Q80
Q61. Win32 app deployment requires:
A. MSI only
B. .intunewin packaging and detection rules
C. Appx only
D. EXE only
Q62. To install a dependency before main app:
A. Use app supersedence
B. Use app dependencies
C. Use update rings
D. Use compliance policy
Q63. To upgrade v1 to v2 and uninstall v1:
A. Detection only
B. Supersedence with uninstall
C. Require reboot
D. ESP only
Q64. Company Portal lists:
A. Required apps only
B. Available apps and features
C. Only Store apps
D. Only Win32
Q65. Microsoft Store (new) app type in Intune supports:
A. Winget-powered deployment
B. Legacy business store only
C. Sideloading only
D. No updates
Q66. App configuration policy for Win32 app:
A. Not supported
B. Use registry/OMA-URI or vendor method
C. Only mobile
D. Only Store apps
Q67. Enterprise App Management (Intune Suite) adds:
A. Auto-packaging, update, catalog apps
B. Only reporting
C. Only macOS
D. Only iOS
Q68. To stage a large app during ESP before desktop:
A. Make it Required and block on ESP
B. Make it Available
C. Use compliance
D. Use DO only
Q69. Install order for multiple required Win32 apps at ESP:
A. Random
B. By dependency chain and blocking settings
C. Alphabetical
D. By upload date
Q70. App failed due to detection rule mismatch. Fix:
A. Change install context
B. Correct detection logic (file/registry/product code)
C. Reboot
D. Add scope tag
Q71. To deploy a private line-of-business MSIX:
A. Store only
B. Line-of-business app (MSIX)
C. Win32 wrapper
D. MSI only
Q72. For shared devices, auto-install apps per device, not per user:
A. Assign to device group
B. Assign to user group
C. Available only
D. Use filter by user
Q73. To configure Outlook with specific mail profile at first run (Windows):
A. App configuration for Win32
B. Use Office cloud policy service / GPO / OMA-URI
C. Compliance
D. Update rings
Q74. Microsoft 365 Apps deployment channel choice is set in:
A. Update rings
B. Microsoft 365 Apps profile (Intune)
C. Compliance
D. Store app
Q75. To monitor app install failures quickly:
A. Devices → Troubleshoot
B. Apps → Monitor → Installation status
C. Endpoint Analytics
D. Data Warehouse
Q76. To prevent user uninstallation:
A. Required assignment; hide uninstall
B. Available install
C. Store only
D. Detection rule
Q77. Win32 app installs in user context. What must be true?
A. Use system context
B. Set install behavior = User
C. ESP needed
D. MSI only
Q78. Deliver JSON settings file with the app:
A. Include in package and script copy
B. Use compliance
C. Use DO policies
D. Use Update rings
Q79. Replace TeamViewer with Remote Help:
A. Remove TeamViewer app; deploy Remote Help app; ensure licensing and RBAC
B. Use WDAC
C. Use Update rings
D. Use Compliance only
Q80. App supersedence supports:
A. Side-by-side versions
B. Upgrade/replace and optional uninstall
C. Driver updates
D. Store apps only
5) Update & Support (WUfB, Autopatch, Feature/Quality, DO, Servicing) — Q81–Q90
Q81. WUfB Feature update policy pins:
A. Specific version (e.g., 23H2/24H2)
B. Only channel
C. Only defer days
D. Servicing stack only
Q82. Quality update ring “Deadline” does:
A. Blocks all installs
B. Forces install and restart by deadline
C. Only notifies
D. Defers to user
Q83. “Grace period” after deadline means:
A. Extra deferral time post-deadline before forced reboot
B. Suspend updates
C. Wipe device
D. Disable DO
Q84. Delivery Optimization goal:
A. Firmware updates
B. Peer-to-peer content sharing to save bandwidth
C. Replace WSUS
D. Disable Windows Update
Q85. You must pause quality updates for 7 days. Where?
A. Feature update policy
B. Update ring → Pause
C. Compliance
D. App policy
Q86. Autopatch ring phases are managed by:
A. Microsoft; you manage exclusions
B. Only tenant admin
C. WSUS
D. Company Portal
Q87. To keep devices on 23H2 until testing 24H2 completes:
A. Defer days 365
B. Feature update policy set to 23H2
C. Pause quality updates
D. Disable WU
Q88. To speed content over VPN sites:
A. DO Group IDs per site + caching server
B. Pause updates
C. Turn off DO
D. All apps available
Q89. Update reporting for compliance % and errors:
A. Windows Update for Business reports (Azure portal)
B. Only Intune device list
C. Event Viewer only
D. Company Portal
Q90. Feature Update “Safeguard holds” are:
A. Your GPOs
B. Microsoft blocks for known issues
C. License limits
D. WDAC rules
6) Troubleshoot & Remediate (Support, Scripts, Analytics, Wipe/Retire) — Q91–Q100
Q91. A user sees “This device hasn’t checked in.” First step:
A. Remote wipe
B. Confirm internet, MDM enrollment, and time
C. Reimage
D. Remove user
Q92. To push a quick fix to many devices (e.g., clear cache) on schedule:
A. Compliance
B. Proactive remediations (detection + remediation scripts)
C. Update ring
D. MDE only
Q93. Remote Help requires:
A. Only M365 E3
B. Intune Suite or Remote Help add-on + RBAC permissions
C. Windows Pro only
D. No licensing
Q94. “Retire” vs “Wipe”:
A. Retire removes corporate data; keeps personal data
B. Retire factory resets
C. Wipe keeps data
D. Both same
Q95. To recover BitLocker key:
A. Event Viewer
B. Intune device → Recovery keys (if escrowed)
C. Company Portal only
D. Windows Update
Q96. ESP error shows required app failed. To continue without blocking:
A. Remove ESP
B. Move the app to “Not blocking” or exclude from ESP
C. Disable encryption
D. Disable DO
Q97. User-based policy not applying to device group. Likely reason:
A. Scope tags
B. Targeting wrong assignment type (user vs device)
C. Update ring
D. Store cache
Q98. Device shows duplicate records. Best action:
A. Delete stale record; keep active based on last check-in
B. Wipe both
C. Ignore
D. Remove license
Q99. Endpoint Analytics can help you:
A. Only AV scans
B. Measure startup performance, app reliability, anomalies
C. Replace MDE
D. Do firmware updates
Q100. To capture logs during Autopilot OOBE:
A. Shift+F10 and run mdmdiagnosticstool or use ESP diagnostics
B. Only after enrollment
C. Company Portal
D. Windows Update logs only
Answer Key (with short reasons)
1 C — Least-privilege for profiles
2 A — View-only
3 C — Match Windows 11 24H2
4 B — At assignment time
5 A — Platform restrictions
6 B — SCCM client + registration
7 B — Raise limit
8 B — Hardware hash
9 A — ESP blocking
10 C — Entra join user-driven
11 A — AAD Connect/Cloud Trust
12 A — Bundle targeting
13 B — Scope tags control visibility
14 B — Filter on assignment
15 B — Resets but keeps MDM
16 B — PowerShell cmdlet
17 B — Required app failure
18 B — Registered = MAM identity
19 A — Block Win BYOD, allow mobile MAM
20 C — Autopatch covers both
21 B — Settings Catalog
22 D — Any (AT, Catalog, OMA)
23 B — Microsoft recommendations
24 B — Policy priority
25 B — Local user group policy
26 A — Disk Encryption profile
27 A — Kiosk
28 B — OMA-URI custom
29 A — Endpoint Security
30 B — Use AT/Catalog
31 B — EPM
32 A — Cleanup stale devices
33 B — Objects + admins
34 C — Graph pause (supported)
35 B — Run in user context
36 B — Wi-Fi + cert profiles
37 B — Identity protection/WHfB
38 B — Use filters by user group
39 B — Stored in Entra ID
40 A — Intune device action
41 A — Config compliance
42 B — Verify targeting + status
43 B — Compliance rule
44 A — CA require compliant
45 A — Compliance grace period
46 A — Risk + tasks
47 B — Use risk in compliance
48 B — MAM via broker/SDK
49 C — Use Purview DLP
50 B — Proactive remediations/ES policy
51 B — APP controls data flow
52 C — Wipe is not a compliance action
53 B — Use MDE hunting
54 B — All profiles/rules
55 B — ES policies
56 A — MDE shows blocks/recs
57 A — Compliance signal
58 B — Check last check-in
59 A — No evaluation if offline
60 B — Pilot first
61 B — Intunewin + detection
62 B — Dependencies
63 B — Supersedence uninstall
64 B — Available catalog
65 A — Winget backed
66 B — Use reg/OMA/vendor method
67 A — Auto-packaging/updates
68 A — Required & block
69 B — Dependencies + blocking
70 B — Fix detection
71 B — LOB MSIX
72 A — Per-device targeting
73 B — OCP/GPO/OMA (not Win32 config)
74 B — M365 Apps profile
75 B — Apps → Monitor
76 A — Required + no uninstall
77 B — Set user context
78 A — Include + script
79 A — Replace with Remote Help
80 B — Upgrade/replace
81 A — Pin version
82 B — Force by deadline
83 A — Time before reboot
84 B — DO peer caching
85 B — Pause in ring
86 A — Managed by Microsoft
87 B — Pin to 23H2
88 A — Group IDs + cache
89 A — WUfB reports
90 B — Known issue holds
91 B — Basics first
92 B — Proactive remediations
93 B — License + RBAC
94 A — Retire removes corp data
95 B — Intune recovery keys
96 B — Don’t block ESP
97 B — Wrong assignment type
98 A — Delete stale record
99 B — Performance and health
100 A — OOBE diagnostics

