You have a Microsoft 365 E5 subscription.

You need to ensure that when a Windows device is joined to the Microsoft Entra tenant, the device is enrolled automatically in Microsoft Intune.

What should you configure?

Reveal Solution Hide Solution

Manage identity and compliance

Testlet 1

Case study

Overview

Contoso, Ltd. is a consulting company that has a main office in Montreal and two branch offices in Seattle and New York.

Contoso has the users and computers shown in the following table.

The company has IT, human resources (HR), legal (LEG), marketing (MKG), and finance (FIN) departments.

Contoso recently purchased a Microsoft 365 subscription.

The company is opening a new branch office in Phoenix. Most of the users in the Phoenix office will work from home.

Existing Environment

The network contains an Active Directory domain named contoso.com that is synced to Azure AD.

All member servers run Windows Server 2016. All laptops and desktop computers run Windows 10 Enterprise.

The computers are managed by using Microsoft Configuration Manager. The mobile devices are managed by using Microsoft Intune.

The naming convention for the computers is the department acronym, followed by a hyphen, and then four numbers, for example FIN-6785. All the computers are joined to the on-premises Active Directory domain.

Each department has an organizational unit (OU) that contains a child OU named Computers. Each computer account is in the Computers OU of its respective department.

Intune Configuration

The domain has the users shown in the following table.

User2 is a device enrollment manager (DEM) in Intune.

The devices enrolled in Intune are shown in the following table.

The device compliance policies in Intune are configured as shown in the following table.

The device compliance policies have the assignments shown in the following table.

The device limit restrictions in Intune are configured as shown in the following table.

Requirements

Planned changes

Contoso plans to implement the following changes:

• Provide new computers to the Phoenix office users. The new computers have Windows 10 Pro preinstalled and were purchased already.

• Implement co-management for the computers.

Technical Requirements

Contoso must meet the following technical requirements:

• Ensure that the users in a group named Group4 can only access Microsoft Exchange Online from devices that are enrolled in Intune.

• Deploy Windows 10 Enterprise to the computers of the Phoenix office users by using Windows Autopilot.

• Create a provisioning package for new computers in the HR department.

• Block iOS devices from sending diagnostic and usage telemetry data.

• Use the principle of least privilege whenever possible.

• Enable the users in the MKG department to use App1.

• Pilot co-management for the IT department.

HOTSPOT

You are evaluating which devices are compliant.

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

Reveal Solution Hide Solution

Correct Answer:

Explanation:

Box 1: No

Policy3, which requires encryption, applies to Device1.

Box 2: Yes

Policy1, which has no encryption requirement, applies to Device3.

Box 3: Yes

Policy2, which has no encryption requirement, applies to Device4.

Manage identity and compliance

Testlet 2

Case study

Overview

ADatum Corporation is a consulting company that has a main office in Montreal and branch offices in Seattle and New York.

ADatum has a Microsoft 365 E5 subscription.

Environment

Network Environment

The network contains an on-premises Active Directory domain named adatum.com.

The domain contains the servers shown in the following table.

ADatum has a hybrid Azure AD tenant named adatum.com.

Users and Groups

The adatum.com tenant contains the users shown in the following table.

All users are assigned a Microsoft Office 365 license and an Enterprise Mobility + Security E3 license.

Enterprise State Roaming is enabled for Group1 and GroupA.

Group1 and Group2 have a Membership type of Assigned.

Devices

ADatum has the Windows 10 devices shown in the following table.

The Windows 10 devices are joined to Azure AD and enrolled in Microsoft Intune.

The Windows 10 devices are configured as shown in the following table.

All the Azure AD joined devices have an executable file named C:AppA.exe and a folder named D:

Folder1.

Microsoft Intune Configuration

Microsoft Intune has the compliance policies shown in the following table.

The Automatic Enrolment settings have the following configurations:

• MDM user scope GroupA

• MAM user scope: GroupB

You have an Endpoint protection configuration profile that has the following Controlled folder access settings:

• Name: Protection1

• Folder protection: Enable

• List of apps that have access to protected folders: CVAppA.exe

• List of additional folders that need to be protected: D:Folderi1

• Assignments – Included groups: Group2, GroupB

Windows Autopilot Configuration

ADatum has a Windows Autopilot deployment profile configured as shown in the following exhibit.

Currently, there are no devices deployed by using Windows Autopilot.

The Intune connector for Active Directory is installed on Server1.

Requirements

Planned Changes

ADatum plans to implement the following changes:

• Purchase a new Windows 10 device named Device6 and enroll the device in Intune

• New computers will be deployed by using Windows Autopilot and will be hybrid Azure AD joined.

• Deployed a network boundary configuration profile that will have the following settings:

– Name: Boundary1

– Network boundary: 192.168.1.0/24

– Scope tags: Tag1

– Assignments:

* Included groups: Group1, Group2

• Deploy two VPN configuration profiles named Connection1 and Connection2 that will have the following settings:

– Name: Connection1

– Connection name: VPN1

– Connection type: L2TP

– Assignments:

* Included groups: Group1, Group2, GroupA

* Excluded groups: —

– Name: Connection2

– Connection name: VPN2

– Connection type: IKEv2

– Assignments:

* Included groups: GroupA

* Excluded groups: GroupB

Technical Requirements

ADatum must meet the following technical requirements:

• Users in GroupA must be able to deploy new computers.

• Administrative effort must be minimized.

Which devices are registered by using the Windows Autopilot deployment service?

Reveal Solution Hide Solution

HOTSPOT

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

Reveal Solution Hide Solution

Correct Answer:

Explanation:

Box 1: No

Device1 has BitLocker: Yes, Secure Boot: No.

Device1 is member of Group1.

Group1 is assigned Policy1 and Policy2.

Policy1 is require Bitlocker only. OK.

Policy2 is require Secure Boot only. Not OK.

Box 2: No

Device4 has BitLocker: No, Secure Boot: Yes.

Device4 is member of Group2.

Group2 is assigned Policy3.

Policy3 is require Bitlocker and Secure Boot. Not OK.

Box 3: Yes

Device5 has BitLocker: Yes, Secure Boot: No.

Device5 is member of Group3.

Group3 is assigned not assigned any policies.

Manage identity and compliance

Question Set 3

HOTSPOT

You have a Microsoft 365 subscription.

You use Microsoft Intune Suite to manage devices.

You have the iOS app protection policy shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point.

Reveal Solution Hide Solution

Correct Answer:

Explanation:

iOS app protection policy settings

This applies to the app protection policy settings for iOS/iPadOS devices.

Box 1: PIN only

Timeout (minutes of inactivity) C here it is 30

Specify a time in minutes after which either a passcode or numeric (as configured) PIN will override the use of a fingerprint or face as method of access. This timeout value should be greater than the value specified under ‘Recheck the access requirements after (minutes of inactivity).

Note: PIN type

Set a requirement for either numeric or passcode type PINs before accessing an app that has app protection policies applied. Numeric requirements involve only numbers, while a passcode can be defined with at least 1 alphabetical letter or at least 1 special character.

Box 2: reset the Device PIN

Max PIN attempts. Here it is 5. Action: Reset PIN

App PIN when device PIN is set. Here it is Require

Note:

App PIN when device PIN is set

Select Disable to disable the app PIN when a device lock is detected on an enrolled device with Company Portal configured.

Max PIN attempts

Specify the number of tries the user has to successfully enter their PIN before the configured action is taken. If the user fails to successfully enter their PIN after the maximum PIN attempts, the user must reset their pin after successfully logging into their account and completing a multi-factor authentication (MFA) challenge if required. This policy setting format supports a positive whole number. Actions include: Reset PIN – The user must reset their PIN.

Wipe data – The user account that is associated with the application is wiped from the device. Default value = 5

Reference: https://learn.microsoft.com/en-us/mem/intune/apps/app-protection-policy-settings-ios

DRAG DROP

You have a Microsoft 365 subscription that includes Microsoft Intune.

You need to implement a Microsoft Defender for Endpoint solution that meets the following requirements:

• Enforces compliance for Defender for Endpoint by using Conditional Access

• Prevents suspicious scripts from running on devices

What should you configure? To answer, drag the appropriate features to the correct requirements. Each feature may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point.

Reveal Solution Hide Solution

Correct Answer:

Explanation:

Box 1: An Intune connection

Enforces compliance for Defender for Endpoint by using Conditional Access

Configure Conditional Access in Microsoft Defender for Endpoint Take the following steps to enable Conditional Access:

Step 1: Turn on the Microsoft Intune connection from Microsoft 365 Defender

Step 2: Turn on the Defender for Endpoint integration in Intune

Step 3: Create the compliance policy in Intune

Step 4: Assign the policy

Step 5: Create an Azure AD Conditional Access policy

Box 2: An Attack surface reduction (ASR) policy rule

Prevents suspicious scripts from running on devices

Attack surface reduction policy for endpoint security in Intune

When Defender antivirus is in use on your Windows 10/11 devices, you can use Intune endpoint security policies for Attack surface reduction to manage those settings for your devices.

Attack surface reduction policies help reduce your attack surfaces, by minimizing the places where your organization is vulnerable to cyberthreats and attacks.

In particular:

Attack Surface Reduction Rules C Configure settings for attack surface reduction rules that target behaviors that malware and malicious apps typically use to infect computers, including:

Executable files and scripts used in Office apps or web mail that attempt to download or run files Obfuscated or otherwise suspicious scripts

Behaviors that apps don’t usually start during normal day-to-day work Reducing your attack surface means offering attackers fewer ways to perform attacks.

Reference: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-conditional-access

https://learn.microsoft.com/en-us/mem/intune/protect/endpoint-security-asr-policy

Your network contains an on-premises Active Directory domain and an Azure AD tenant.

The Default Domain Policy Group Policy Object (GPO) contains the settings shown in the following table.

You need to migrate the existing Default Domain Policy GPO settings to a device configuration profile.

Which device configuration profile type template should you use?

Reveal Solution Hide Solution

You have 100 computers that run Windows 10 and connect to an Azure Log Analytics workspace.

Which three types of data can you collect from the computers by using Log Analytics? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point.

Reveal Solution Hide Solution

You use Microsoft Intune and Intune Data Warehouse.

You need to create a device inventory report that includes the data stored in the data warehouse.

What should you use to create the report?

Reveal Solution Hide Solution

Your network contains an Active Directory domain named contoso.com. The domain contains a computer named Computer1 that runs Windows 10.

You have the groups shown in the following table.

Which groups can you add to Group4?

Reveal Solution Hide Solution