Your organization purchases new corporate Windows laptops that must be joined to Microsoft Entra ID and automatically managed by Microsoft Intune during initial setup. Which provisioning approach meets this requirement with the least administrative overhead?
Use Microsoft Entra join with automatic MDM enrollment so devices join Microsoft Entra ID during setup and enroll in Intune automatically.
Use Microsoft Entra hybrid join and manual Intune enrollment after provisioning to keep devices domain-joined and managed.
Use Microsoft Entra ID registration (workplace join) and rely on users to install the Company Portal to enroll devices.
You run dsregcmd /status on a user's device and see: AzureAdJoined: YES, DomainJoined: NO, DeviceId: a GUID, and WorkplaceJoined: NO. The user can't access an internal app protected by a policy requiring Microsoft Entra hybrid joined devices. What is the most likely cause and next step?
The device is Microsoft Entra joined but not hybrid joined. Update the Conditional Access policy to accept Microsoft Entra joined devices.
The device isn't registered with Microsoft Entra ID. Run dsregcmd /join to register it immediately.
The device lacks the Company Portal and can't meet device compliance. Ask the user to install the app.
Several on-premises domain-joined laptops aren't appearing as Microsoft Entra hybrid joined after configuring hybrid join with Microsoft Entra Connect. Which configuration issue is most likely preventing hybrid registration?
The Microsoft Entra Connect service connection point (SCP) is missing or misconfigured in on-premises AD, so devices can't discover the hybrid join configuration.
Intune auto-enrollment is disabled in Microsoft Entra ID, preventing devices from becoming hybrid joined.
Users turned off Windows Hello for Business, which is required for hybrid registration.
A helpdesk receives a ticket: a user's device shows AzureAdPrt: NO in dsregcmd /status and the user can't access cloud resources using a primary refresh token (PRT). Which troubleshooting step is most appropriate to resolve device-based SSO?
Verify the device has valid time sync and connectivity to Microsoft Entra ID endpoints. If needed, re-run dsregcmd /join or re-register the device.
Immediately disable the user's account in Microsoft Entra ID and recreate it to force token issuance.
Uninstall the Company Portal to force a new enrollment, which recreates the PRT automatically.
You need to create a dynamic device group in Intune to target a compliance policy to only corporate-owned Windows 11 devices that are Microsoft Entra joined. Which combination of attributes should you use in the dynamic group query?
Filter by deviceOwnership equals 'Company', operatingSystem equals 'Windows', and trustType equals 'AzureAD'.
Filter by managedBy equals 'Intune' and deviceName contains 'WIN' to identify Windows devices.
Filter by isManaged equals 'true' and operatingSystemVersion contains '11' to target Windows 11 devices.
Your organization deploys Windows Hello for Business to 500 new Windows 11 laptops for remote workers. There's no on-premises Active Directory and the security team requires hardware-backed credential storage. Which configuration should you implement?
Deploy key trust with TPM 2.0 required. The cloud-only environment doesn't need certificate infrastructure and TPM provides hardware-backed key protection.
Deploy certificate trust with an on-premises certificate authority to issue device certificates for authentication.
Deploy key trust without TPM requirements since Windows 11 stores keys securely in software-based keystores.