50 Microsoft 365 Certified: Endpoint Administrator Associate Practice Questions: Question Bank 2025

Your organization is rolling out Windows devices using Windows Autopilot. You want the device to be Azure AD joined and automatically enrolled in Microsoft Intune during the Out-of-Box Experience (OOBE). Which enrollment method should you configure?

You need to ensure that only compliant devices can access Microsoft 365 services. Users sign in with Azure AD accounts. Which feature should you implement?

A helpdesk engineer reports that a Windows 11 device is shown in Microsoft Intune but is not receiving configuration profiles. The user confirms the device is connected to the internet. What is the first thing you should verify in Intune?

You want to prevent users from copying corporate data from managed apps to personal apps on iOS and Android devices without enrolling the entire device. Which Intune capability should you use?

You need to deploy a line-of-business Win32 app to a set of Windows devices. Installation must occur in the system context and be able to detect whether the app is already installed. Which Intune app type should you choose?

You deploy a compliance policy requiring BitLocker on Windows devices and create a Conditional Access policy that requires compliant devices for Exchange Online. Some users are blocked even though BitLocker is enabled. In the Intune device compliance report, the devices show "Not evaluated". What is the most likely cause?

You manage iOS devices in Intune. You need to enable Supervised mode to enforce additional restrictions and silently install certain apps. Which approach should you use?

You need to grant a helpdesk team the ability to remotely wipe corporate data from Intune-enrolled devices but not allow them to change Intune tenant settings or manage compliance policies. What should you use?

Your company wants to deploy Windows feature updates in a controlled way. Requirements: ensure devices move to a specific target feature update version and stay on that version until you decide to change it; minimize user disruption. Which Intune approach best meets the requirement?

You need to harden Windows endpoints using a Microsoft-recommended baseline, but your security team also requires a small set of settings to be less restrictive for a subset of developer devices. You want to keep alignment with the baseline while managing exceptions cleanly. What should you do?

You need to enroll a set of Windows 11 corporate laptops into Microsoft Intune during initial setup without using traditional imaging. The laptops must be automatically configured as corporate devices and receive required apps and policies before the user reaches the desktop. What should you use?

A user reports that they cannot enroll their personally owned iPhone into Intune. In the Intune admin center, you see the enrollment error indicating the user is blocked by device type restrictions. What should you modify to allow iOS enrollment for this user group while keeping Android enrollment blocked for the same group?

You must ensure that only compliant devices can access Microsoft 365 resources such as Exchange Online and SharePoint Online. Which solution should you implement?

You need to allow users to reset their Windows sign-in password from the lock screen. The organization uses Entra ID and Windows devices are Entra ID joined and managed by Intune. What should you configure?

A security team requires that corporate Windows devices automatically encrypt the OS drive and store recovery keys in Entra ID. Users must not be able to opt out. Which Intune policy type should you deploy?

A Windows device shows as 'Not compliant' in Intune because the antivirus status is 'not healthy'. The device uses Microsoft Defender Antivirus. You want Intune to evaluate device risk from Microsoft Defender for Endpoint and use that signal in compliance. What should you do?

You deploy a configuration profile to disable USB removable storage on Windows devices. Several users report they can still use USB drives. In Intune, the device shows the profile as 'Succeeded'. What is the most likely reason the setting is not taking effect?

You need to deploy Microsoft 365 Apps to Windows devices. Devices must install 64-bit, exclude Access, and update from the Monthly Enterprise Channel. Which approach is recommended in Intune?

You need to deploy a critical Win32 line-of-business app to Windows devices. The app must install before the user can access the desktop to ensure it is present for first-run sign-in tasks. Which Intune capability should you use?

Your organization wants to enforce that corporate Windows devices can access Microsoft 365 only if they meet compliance requirements and are using phishing-resistant authentication. Users must authenticate with a method that resists MFA fatigue attacks. Which solution should you implement?

A company wants new Windows devices to automatically enroll in Microsoft Intune during first boot. The devices must be company-owned and should not require users to manually join the device to Microsoft Entra ID. Which solution should you use?

You need to prevent users from enrolling personal (BYOD) Windows devices into Intune, while still allowing company-owned Windows devices to enroll. Which Intune feature should you configure?

A security team wants to require multi-factor authentication (MFA) only when users access Microsoft 365 from unmanaged devices, but not when access is from compliant, Intune-managed devices. What should you configure?

A user reports that their Intune-managed Windows device shows as "Not compliant". The compliance policy requires BitLocker and a minimum OS version. BitLocker is enabled, and the device meets the OS requirement. In Intune, the device record shows "Compliance status: Not evaluated" for the policy. What is the most likely cause?

You want to deploy Microsoft 365 Apps to Windows devices and ensure the app suite stays up to date without packaging a new installer each month. Which deployment approach is best practice in Intune?

You need to block copying corporate data from managed apps to personal apps on iOS/Android without enrolling the entire device. Which capability should you use?

A company uses Windows Update for Business (WUfB) via Intune update rings. A pilot group should receive feature updates earlier than broad production, but quality updates should be consistent across both groups. What is the best approach?

You are implementing Microsoft Defender for Endpoint (MDE) integration with Intune. Your goal is to use MDE risk signals to block access to Microsoft 365 on compromised devices. Which configuration is required to enforce this control?

Your organization is migrating from on-premises Group Policy to cloud management. You need to configure a Windows setting that is not available in Intune Settings catalog but is available as a traditional ADMX-backed policy. What should you do?

Users report that a required Win32 app deployed from Intune remains in an "install pending" state for hours. Other apps install successfully. You discover the app is configured with a requirement rule that checks for a specific OS architecture, and the affected devices are Windows 11 ARM. What is the most likely reason the app won’t install?

You need to ensure newly enrolled Windows 11 devices automatically use a corporate Wi-Fi network that requires WPA2-Enterprise (EAP-TLS). Certificates are issued from an internal CA and devices are Microsoft Entra joined. What should you deploy from Microsoft Intune?

After enabling Windows Hello for Business in Intune, several users report that PIN setup is blocked with a message indicating their organization requires additional security information. These users have not registered any authentication methods. What is the most likely requirement causing the block?

You want to restrict access to Microsoft 365 from Windows devices unless they are marked compliant in Intune. What should you configure?

A Windows device is shown as "Not compliant" in Intune because BitLocker is not enabled. The user says the device is already encrypted. What should you check first to validate the compliance evaluation?

You need to deploy an internal line-of-business (LOB) Windows app packaged as an .msix. Only devices in the "Finance" group should install it automatically. What is the best approach in Intune?

You want Windows 11 feature updates to be installed only after being deferred for 30 days, while still installing monthly quality updates promptly. Which Intune policy type should you use?

You must ensure that corporate data in Outlook mobile cannot be copied into personal apps on iOS devices. Devices are not enrolled in Intune, but users sign in with their work accounts. What should you use?

A Conditional Access policy requires "Require approved client app" for Exchange Online. Some users on Android report they can’t access email in the Gmail app, but Outlook works. Why does this occur?

You deploy a Win32 app as Required to all Windows devices. On several devices the app repeatedly reinstalls at every check-in even though it appears to install successfully. What is the most likely cause?

You are designing an Autopilot deployment for remote users. Requirement: devices must be provisioned with apps and security baselines before users can access the desktop, and the process must work over the internet without VPN. Which approach best meets the requirement?

You need to quickly allow a specific user to enroll a single Windows device into Intune, but you do not want to grant broad admin permissions. What is the best approach?

A user reports that Company Portal shows "No devices" even though their Windows device is enrolled and compliant. You want the simplest fix with minimal impact. What should you do first?

You need to require users to set a PIN to access corporate resources in Microsoft Edge on iOS, without affecting personal apps. Which Intune feature should you use?

You want to deploy Wi-Fi settings to Windows 11 devices so users automatically connect to the corporate SSID during first sign-in. The SSID uses WPA2-Enterprise with EAP-TLS certificates. What should you deploy?

Your security team wants to ensure that only devices marked as compliant can access Microsoft 365 services. Users should be blocked if their device falls out of compliance. Which solution should you implement?

You deploy a Win32 app to a device group as Required. On several devices, installation repeatedly fails with detection rule errors. The installer works when run manually. What is the most likely cause?

You need to ensure devices meet a security baseline and that noncompliant devices are automatically marked noncompliant if real-time protection is turned off in Microsoft Defender Antivirus. What should you use?

You want to gradually roll out a feature update to Windows 11, limiting the rollout to a pilot set first and expanding after validation, while keeping the target version consistent. Which Intune policy type best fits this requirement?

Your organization uses Windows Autopilot user-driven mode with pre-provisioning. Some devices fail during the Device Preparation phase because apps are taking too long. You want to improve reliability without reducing required security posture. What should you do?

You have a Conditional Access policy requiring compliant devices for SharePoint Online. Android users with personally owned devices must access SharePoint, but you are not allowed to require full device enrollment (MDM). You still need to prevent data exfiltration (copy/paste and save-as to personal locations). What should you implement?