Free Actual MS-102 Actual Exam Questions – Microsoft 365 Administrator - Question 14 Discussion
Case study
A company, Contoso Inc., has implemented Microsoft Intune and configured Conditional Access policies. The security team has defined a strict security requirement that all devices accessing corporate data must be fully compliant.
The team has created and assigned several device compliance policies to ensure that devices meet specific security standards, such as disk encryption and minimum OS versions. However, they discover a potential loophole: any device that is enrolled but not assigned a specific compliance policy is automatically considered "Compliant" by Intune by default. This could allow devices to access corporate data even without being checked for security compliance.
To meet the technical requirement that all devices must be proven compliant, the security team needs to configure Intune to automatically mark any device that lacks a compliance policy as "Not compliant."
You need to configure the compliance settings to meet the technical requirements. What should you do in the Microsoft Endpoint Manager admin center?
Is there an explicit toggle in compliance settings for unassigned devices, or do we need a new policy assigned?
I think D is the way to go because it directly lets you tweak how compliance is evaluated, including the default status for devices without policies. The other options don’t actually control the compliance state itself, so they won’t fix the loophole where unassigned devices show as compliant. So yeah, modifying Compliance policy settings makes the most sense here.
Maybe D. Changing the compliance policy settings makes the most sense because you need to adjust how Intune handles devices without assigned policies. The other options don’t really deal with compliance status directly—notifications and locations won’t affect whether devices are marked compliant or not. Retiring devices is more about removing access, but it doesn’t solve the root problem of unassigned devices being treated as compliant by default. So tweaking the compliance policy settings should be the way to fix this loophole.
D for sure. It's the only option that deals directly with compliance policy settings, which is what you need to change for marking unassigned devices as noncompliant. The others don't seem related to this issue at all.
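The tenant-wide default described in the case study can also be checked from a script. This is an added example, not part of the original question or of any comment above; it assumes the Microsoft.Graph.Authentication PowerShell module, and the `secureByDefault` property name comes from the Microsoft Graph `deviceManagementSettings` resource, not from this page. The `-Remediate` switch is a hypothetical name chosen for this example.

```powershell
# Added example: audit, and optionally fix, the Intune default that decides
# how devices with NO compliance policy assigned are reported.
# Assumption: Microsoft.Graph.Authentication is installed and the signed-in
# admin can consent to the DeviceManagementServiceConfig scopes below.
param(
    [switch]$Remediate   # hypothetical switch: without it the script only reports
)

$uri = 'https://graph.microsoft.com/v1.0/deviceManagement'

# Ask for write access only when a change is actually requested.
$scope = if ($Remediate) { 'DeviceManagementServiceConfig.ReadWrite.All' }
         else            { 'DeviceManagementServiceConfig.Read.All' }
Connect-MgGraph -Scopes $scope | Out-Null

# "settings" is a deviceManagementSettings object on the deviceManagement singleton.
$settings = (Invoke-MgGraphRequest -Method GET -Uri ($uri + '?$select=settings')).settings

if ($settings.secureByDefault) {
    Write-Output 'OK: devices with no compliance policy assigned are marked Not compliant.'
    return
}

Write-Warning 'Loophole open: devices with no compliance policy assigned are marked Compliant.'

if ($Remediate) {
    # Send the existing settings back with one flag changed, so the other
    # values in the same object are preserved.
    $settings.secureByDefault = $true
    $body = @{ settings = $settings } | ConvertTo-Json -Depth 4
    Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body $body -ContentType 'application/json'

    # Read the value back instead of trusting the PATCH response.
    $after = (Invoke-MgGraphRequest -Method GET -Uri ($uri + '?$select=settings')).settings
    if (-not $after.secureByDefault) {
        throw 'secureByDefault is still false after the update.'
    }
    Write-Output 'Fixed: unassigned devices are now marked Not compliant.'
}
```

Once the flag is on, any enrolled device without an assigned compliance policy becomes noncompliant, so a Conditional Access policy that requires compliant devices will block it until a policy is assigned.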