Exam MD-101 topic 1 question 20 discussion

In device compliance setting there is a option to select risk score. And on the status of compliance the actions are taken.

I think it's D, the blocking action is in conditional access policy not in the compliance policy. In the compliance policy I don't see if blah blah block

None of the answers are correct, the OS Version is configured under Device Restrictions.

I also think correct answer should be B. Nevertheless, A and D are needed to successfully configure B. Main question is, which will be correct in the exam? Anybody knows?

I really don't understand why 3 options are marked as correct answer.

Why all 3 selected when it doesn't say select all that apply

Just to be clear, B alone will not be suffice. Yes you can block devices if they are not compliant, but this is only mobile devices running android and iOS. If you want to block devices that are running windows (Computers in the question) then you will need a conditional access policy too,

Its surely B. https://docs.microsoft.com/en-us/mem/intune/protect/actions-for-noncompliance By default, each compliance policy includes the action for noncompliance of Mark device noncompliant with a schedule of zero days (0). The result of this default is when Intune detects a device isn't compliant, Intune immediately marks the device as noncompliant. After a device is marked as noncompliance, Azure Active Directory (AD) Conditional Access can block the device. just double checked it in a tenant

Answer seems to be correct according to this Microsoft Documentation. https://docs.microsoft.com/en-us/intune/compliance-policy-create-android

the correct answer to the multiple choice question is B: You should create a device compliance policy. This is because device compliance policies allow you to set rules for ensuring that devices meet certain compliance standards, including the level of Windows Defender ATP risk, and specify actions to take if a device is non-compliant, such as locking the device. Option A (creating a device configuration profile) is not directly related to locking devices with a high Windows Defender ATP risk score. Option C (creating a Windows AutoPilot deployment profile) is related to deploying and configuring devices, but it is not directly related to locking devices with a high Windows Defender ATP risk score. Option D (creating a conditional access policy) is related to controlling access to corporate resources based on various factors, but it is not directly related to locking devices with a high Windows Defender ATP risk score.

B is correct. Don't know why you put all the answers

I agree.

Answer B. Compliance and Conditional Policies are dependent on each other ("To use device compliance policies to block devices from corporate resources, Azure AD Conditional Access must be set up."- see link below) but you use compliance policy to retire noncompliant devices. https://docs.microsoft.com/en-us/mem/intune/protect/actions-for-noncompliance#:~:text=1%20Send%20email%20to%20end%20users%3A%20When%20the,device%20and%20remove%20the%20device%20from%20Intune%20management. CONTIDITONAL ACCESS: https://docs.microsoft.com/en-us/mem/intune/protect/conditional-access-intune-common-ways-use

Tested this, can confirm it is B. You create the compliance policy in the compliance settings you specify the risk level and in the next step (Actions for noncompliance) you can select remotely lock the noncompliant device.

Its surely B. https://docs.microsoft.com/en-us/mem/intune/protect/actions-for-noncompliance By default, each compliance policy includes the action for noncompliance of Mark device noncompliant with a schedule of zero days (0). The result of this default is when Intune detects a device isn't compliant, Intune immediately marks the device as noncompliant. After a device is marked as noncompliance, Azure Active Directory (AD) Conditional Access can block the device.

B. You should create a device compliance policy.

B is the only close enough as an answer. Remote Lock option is only present in Device Compliance. Although W 10 do not support Remote lock if the question is not worded differently its the only option to fulfil the question requirement.