MD-101 Cheat Sheet 2026
The 30 highest-yield MD-101 facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.
60 questions
100 min time limit
70.00% to pass
- Which Azure AD Conditional Access signal can assess device risk using Microsoft Defender for Endpoint threat intelligence? → Device risk via Microsoft Defender for Endpoint integration
- Which Microsoft Defender for Endpoint capability scores and prioritizes device security misconfigurations and vulnerabilities? → Microsoft Defender Vulnerability Management (MDVM) with Secure Score for Devices
- Which component of the Enrollment Status Page (ESP) tracks app installation progress during Autopilot? → Device setup phase — App installations section
- What does Microsoft Defender for Endpoint's 'Endpoint Detection and Response (EDR)' capability primarily provide? → Post-breach detection, investigation, and response capabilities for advanced threats
- What must users do on an unenrolled iOS device before App Protection Policies take effect in apps like Outlook? → Sign in with their Azure AD corporate account within the Intune-managed app
- Which Intune App Protection Policy conditional launch setting blocks jailbroken or rooted devices from accessing corporate app data? → Jailbroken/rooted devices — Block access or Wipe data
- Which tool converts Win32 app installers into the .intunewin format required for Intune deployment? → Microsoft Win32 Content Prep Tool (IntuneWinAppUtil.exe)
- Which Azure AD feature integrates with Intune compliance status to block non-compliant devices from accessing corporate resources? → Conditional Access requiring a compliant device
- What is the maximum number of devices a standard user can join to Azure AD by default, relevant to Autopilot user-driven deployments? → 10
- In a co-management scenario where both Configuration Manager and Intune apply settings to the same area, what determines which settings take effect? → The configured workload authority slider determines which platform's settings apply
- Which Azure AD Connect feature is required to enable Hybrid Azure AD Join for co-management scenarios? → Azure AD Connect with device writeback enabled
- An organization deploys Outlook with an App Protection Policy requiring PIN. A user says they are not prompted for a PIN. What is the most likely cause? → The App Protection Policy is not assigned to the user's Azure AD group
- Which compliance policy action sends an automatic notification email to users when their device becomes non-compliant? → Send email to end user — under Actions for noncompliance
- Which Intune integration enables security administrators to manage Microsoft Defender for Endpoint settings directly from the Intune admin center? → Microsoft Defender for Endpoint — Intune connector via security settings management
- Which App Protection Policy setting prevents users from saving corporate files to personal cloud storage like Google Drive? → Save copies of org data — restrict to approved locations only
- What happens to a device's Autopilot registration when it is deleted from Azure AD? → The device loses its Autopilot registration and must be re-registered
- What is the Windows Long-Term Servicing Channel (LTSC) primarily designed for? → Specialized devices (medical, industrial, kiosks) that require stability over new features
- Which setting in an Autopilot deployment profile controls whether users receive local administrator rights after OOBE? → Account type: Administrator or Standard User
- Which setting in Intune Update Rings controls whether users can see and dismiss Windows Update notifications? → User Update Notification — control update notifications displayed to user
- An Intune compliance policy sets minimum OS version to Windows 10 21H2. A device running 21H1 is enrolled. What is the device's compliance state? → Not compliant
- An organization onboards devices to Microsoft Defender for Endpoint. Which Intune policy type deploys the MDE onboarding configuration package? → Endpoint detection and response (EDR) policy under Endpoint security
- What tool is used to upload hardware hashes to Microsoft Intune for Autopilot registration? → Get-WindowsAutoPilotInfo PowerShell script
- Which setting in an Intune App Protection Policy requires users to authenticate with a PIN or biometric before accessing corporate apps? → Access requirements — PIN for access
- An administrator wants to pause Windows quality updates for devices in a pilot ring after detecting a problematic update. What is the maximum pause duration? → 35 days
- An Intune configuration profile shows a status of 'Not applicable' for several devices. What does this mean? → The profile settings do not apply to the OS version or device type
- A configuration profile assigned to a device group conflicts with a profile assigned to a user group. Which takes precedence by default? → Device group assignment always wins
- Which setting in a Device restrictions profile prevents users from resetting their device using the Settings app? → Block factory reset
- Which type of Intune app deployment installs the app silently without any user interaction on enrolled Windows devices? → Required deployment
- Which Intune feature allows an admin to configure an app before it is opened by the user, pushing settings like server URL or account information? → App configuration policy (managed devices or managed apps)
- Which Microsoft Defender for Endpoint feature provides network-level protection by blocking connections to malicious IPs and URLs? → Network Protection
Turn these facts into recall: