Exam4Training

Microsoft MD-102 Endpoint Administrator Online Training

Question #1

Topic 1, Case Study Contoso, Ltd.

Overview

Contoso, Ltd. is a consulting company that has a main office in Montreal and branch offices in Seattle and New York.

Contoso has a Microsoft 365 E5 subscription.

Network Environment

The network contains an on-premises Active Directory domain named Contoso.com.

The domain contains the servers shown in the following table.

Contoso has a hybrid Azure Active Directory (Azure AD) tenant named Contoso.com.

Contoso has a Microsoft Store for Business instance.

Users and Groups

The Contoso.com tenant contains the users shown in the following table.

All users are assigned a Microsoft Office 365 license and an Enterprise Mobility + Security E3 license.

Enterprise State Roaming is enabled for Group1 and GroupA.

Group and Group have a Membership type of Assign

Devices

Contoso has the Windows 10 devices shown in the following table.

The Windows 10 devices are joined to Azure AD and enrolled in Microsoft Intune.

The Windows 10 devices are configured as shown in the following table.

All the Azure AD joined devices have an executable file named C:\AppA.exe and a folder named D:\Folder1.

Microsoft Endpoint Manager Configuration

Microsoft Endpoint Manager has the compliance policies shown in the following table.

The Compliance policy settings are shown in the following exhibit.

The Automatic Enrolment settings have the following configurations:

• MDM user scope: GroupA

• MAM user scope: GroupB

You have an Endpoint protection configuration profile that has the following Controlled folder access settings:

• Name: Protection1

• Folder protection: Enable

• List of apps that have access to protected folders: C:\AppA.exe

• List of additional folders that need to be protected: D:\Folder1

• Assignments

Windows Autopilot Configuration

Currently, there are no devices deployed by using Windows Autopilot.

The Intune connector for Active Directory is installed on Server1.

Planned Changes

Contoso plans to implement the following changes:

• Purchase a new Windows 10 device named Device6 and enroll the device in Intune.

• New computers will be deployed by using Windows Autopilot and will be hybrid Azure AD joined.

• Deploy a network boundary configuration profile that will have the following settings:

• Name: Boundary1

• Network boundary: 192.168.1.0/24

• Scope tags: Tag 1

• Assignments:

• Included groups: Group1, Group2

• Deploy two VPN configuration profiles named Connection1 and Connection2 that will have the following settings:

• Name: Connection1

• Connection name: VPN1

• Connection type: L2TP

• Assignments:

• Included groups: Group1, Group2, GroupA

• Excluded groups: ―

• Name: Connection2

• Connection name: VPN2

• Connection type: IKEv2

• Assignments:

• Included groups: GroupA

• Excluded groups: GroupB

• Purchase an app named App1 that is available in Microsoft Store for Business and assign the app to all the users.

Technical Requirements

Contoso must meet the following technical requirements:

• Users in GroupA must be able to deploy new computers.

• Administrative effort must be minimized.

Which user can enroll Device6 in Intune?

  • A . User4 and User2 only
  • B . User4 and User1 only
  • C . User1, User2, User3, and User4
  • D . User4, User1, and User2 only

Correct Answer: C

Question #2

HOTSPOT

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

Correct Answer:


Question #3

Which users can purchase and assign App1?

  • A . User3 only
  • B . User1 and User3 only
  • C . User1, User2, User3, and User4
  • D . User1, User3, and User4 only
  • E . User3 and User4 only

Correct Answer: B

Explanation:

Reference:

https://docs.microsoft.com/en-us/microsoft-store/acquire-apps-microsoft-store-for-business

https://docs.microsoft.com/en-us/microsoft-store/assign-apps-to-employees

Question #4

HOTSPOT

You implement the planned changes for Connection1 and Connection2.

How many VPN connections will there be for User1 when the user signs in to Device1 and Device2? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Correct Answer:


Question #5

HOTSPOT

User1 and User2 plan to use Sync your settings.

On which devices can the users use Sync your settings? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

Reference: https://www.jeffgilb.com/managing-local-administrators-with-azure-ad-and-intune/


Question #6

You need to ensure that computer objects can be created as part of the Windows Autopilot deployment. The solution must meet the technical requirements.

To what should you grant the right to create the computer objects?

  • A . Server2
  • B . Server1
  • C . GroupA
  • D . DC1

Correct Answer: B

Explanation:

Reference: https://blog.matrixpost.net/set-up-windows-autopilot-production-environment-part-2/

Question #7

HOTSPOT

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

Correct Answer:


Question #8

HOTSPOT

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

Correct Answer:


Question #9

You implement Boundary1 based on the planned changes.

Which devices have a network boundary of 192.168.1.0/24 applied?

  • A . Device2 only
  • B . Device3 only
  • C . Device1, Device2, and Device5 only
  • D . Device1, Device2, Device3, and Device4 only

Correct Answer: D

Explanation:

Reference: https://docs.microsoft.com/en-us/mem/intune/configuration/network-boundary-windows

Question #10

Which devices are registered by using the Windows Autopilot deployment service?

  • A . Device1 only
  • B . Device3 only
  • C . Device1 and Device3 only
  • D . Device1, Device2, and Device3

Correct Answer: C

Explanation:

Scenario: Windows Autopilot Configuration

Assignments

Included groups: Group1

Excluded groups: Group2

Device1 is member of Group1.

Device2 is member of Group1 and member of Group2.

Device3 is member of Group1.

Group1 and Group2 have a Membership type of Assigned.

Exclusion takes precedence over inclusion in the following same group type scenarios.

Reference: https://learn.microsoft.com/en-us/mem/intune/apps/apps-inc-exl-assignments

Question #11

Topic 2, Litware Inc.

Overview

This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.

To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.

At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.

To start the case study

To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. When you are ready to answer a question, click the Question button to return to the question.

Existing Environment

Current Business Model

The Los Angeles office has 500 developers. The developers work flexible hours ranging from 11:00 to 22:00. Litware has a Microsoft System Center 2012 R2 Configuration Manager deployment. During discovery, the company discovers a process where users are emailing bank account information of its customers to internal and external recipients.

Current Environment

The network contains an Active Directory domain that is synced to Microsoft Azure Active Directory (Azure AD). The functional level of the forest and the domain is Windows Server 2012 R2. All domain controllers run Windows Server 2012 R2.

Litware has the computers shown in the following table.

The development department uses projects in Azure DevOps to build applications.

Most of the employees in the sales department are contractors. Each contractor is assigned a computer that runs Windows 10. At the end of each contract, the computer is assigned to a different contractor. Currently, the computers are re-provisioned manually by the IT department.

Problem Statements

Litware identifies the following issues on the network:

Employees in the Los Angeles office report slow Internet performance when updates are downloading. The employees also report that the updates frequently consume considerable resources when they are installed. The Update settings are configured as shown in the Updates exhibit. (Click the Updates button.)

Management suspects that the source code for the proprietary applications in Azure DevOps is being shared externally.

Re-provisioning the sales department computers is too time consuming.

Requirements

Business Goals

Litware plans to transition to co-management for all the company-owned Windows 10 computers.

Whenever possible, Litware wants to minimize hardware and software costs.

Device Management Requirements

Litware identifies the following device management requirements:

Prevent the sales department employees from forwarding email that contains bank account information.

Ensure that Microsoft Edge Favorites are accessible from all computers to which the developers sign in.

Prevent employees in the research department from copying patented information from trusted applications to untrusted applications.

Technical Requirements

Litware identifies the following technical requirements for the planned deployment:

Re-provision the sales department computers by using Windows AutoPilot.

Ensure that the projects in Azure DevOps can be accessed from the corporate network only.

Ensure that users can sign in to the Azure AD-joined computers by using a PIN. The PIN must expire every 30 days.

Ensure that the company name and logo appear during the Out of Box Experience (OOBE) when using Windows AutoPilot.

Exhibits

You need to capture the required information for the sales department computers to meet the Technical requirements.

Which Windows PowerShell command should you run first?

  • A . Install-Module WindowsAutoPilotIntune
  • B . Install-Script Get-WindowsAutoPilotInfo
  • C . Import-AutoPilotCSV
  • D . Get-WindowsAutoPilotInfo

Correct Answer: B

Explanation:

Reference: https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/existing-devices

"This topic describes how to convert Windows 7 or Windows 8.1 domain-joined computers to Windows 10 devices joined to either Azure Active Directory or Active Directory (Hybrid Azure AD Join) by using Windows Autopilot"

Question #12

HOTSPOT

You need to resolve the performance issues in the Los Angeles office.

How should you configure the update settings? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

Reference:

https://docs.microsoft.com/en-us/windows/deployment/update/waas-delivery-optimization

https://2pintsoftware.com/delivery-optimization-dl-mode/


Question #13

What should you configure to meet the technical requirements for the Azure AD-joined computers?

  • A . Windows Hello for Business from the Microsoft Intune blade in the Azure portal.
  • B . The Accounts options in an endpoint protection profile.
  • C . The Password Policy settings in a Group Policy object (GPO).
  • D . A password policy from the Microsoft Office 365 portal.

Correct Answer: A

Explanation:

Reference: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-manage-inorganization

Question #14

HOTSPOT

You need to meet the OOBE requirements for Windows AutoPilot.

Which two settings should you configure from the Azure Active Directory blade? To answer, select the appropriate settings in the answer area. NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

Reference:

https://blogs.msdn.microsoft.com/sgern/2018/10/11/intune-intune-and-autopilot-part-3-preparing-your-environment/

https://blogs.msdn.microsoft.com/sgern/2018/11/27/intune-intune-and-autopilot-part-4-enroll-your-first-device/


Question #15

What should you use to meet the technical requirements for Azure DevOps?

  • A . An app protection policy
  • B . Windows Information Protection (WIP)
  • C . Conditional access
  • D . A device configuration profile

Correct Answer: C

Explanation:

Reference: https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/manage-conditional-access?view=azure-devops

Question #16

HOTSPOT

You need to recommend a solution to meet the device management requirements.

What should you include in the recommendation? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

Reference:

https://github.com/MicrosoftDocs/IntuneDocs/blob/master/intune/app-protection-policy.md

https://docs.microsoft.com/en-us/azure/information-protection/configure-usage-rights#do-not-forward-option-for-emails


Question #17

HOTSPOT

You need to meet the technical requirements for Windows AutoPilot.

Which two settings should you configure from the Azure Active Directory blade? To answer, select the appropriate settings in the answer area. NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

Reference: https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot-reset


Question #18

What should you upgrade before you can configure the environment to support co-management?

  • A . the domain functional level
  • B . Configuration Manager
  • C . the domain controllers
  • D . Windows Server Update Services (WSUS)

Correct Answer: B

Explanation:

Reference: https://docs.microsoft.com/en-us/sccm/comanage/tutorial-co-manage-clients

Question #19

You need to meet the device management requirements for the developers.

What should you implement?

  • A . folder redirection
  • B . Enterprise State Roaming
  • C . home folders
  • D . known folder redirection in Microsoft OneDrive

Correct Answer: B

Explanation:

Litware identifies the following device management requirements:

Ensure that Microsoft Edge Favorites are accessible from all computers to which the developers sign in.

Enterprise State Roaming allows for the synchronization of Microsoft Edge browser settings, including favorites and reading list, across devices.

Reference: https://docs.microsoft.com/en-us/azure/active-directory/devices/enterprise-state-roaming-windows-settings-reference

Question #20

Topic 3, Contoso Ltd, Case 2

Overview

Contoso, Ltd. is a consulting company that has a main office in Montreal and two branch offices in Seattle and New York.

Contoso has the users and computers shown in the following table.

The company has IT, human resources (HR), legal (LEG), marketing (MKG) and finance (FIN) departments.

Contoso uses Microsoft Store for Business and recently purchased a Microsoft 365 subscription.

The company is opening a new branch office in Phoenix. Most of the users in the Phoenix office will work from home.

Existing Environment

The network contains an Active Directory domain named contoso.com that is synced to Microsoft Azure Active Directory (Azure AD).

All member servers run Windows Server 2016. All laptops and desktop computers run Windows 10 Enterprise.

The computers are managed by using Microsoft System Center Configuration Manager. The mobile devices are managed by using Microsoft Intune.

The naming convention for the computers is the department acronym, followed by a hyphen, and then four numbers, for example, FIN-6785. All the computers are joined to the on-premises Active Directory domain.

Each department has an organizational unit (OU) that contains a child OU named Computers. Each computer account is in the Computers OU of its respective department.

Intune Configuration

Requirements

Planned Changes

Contoso plans to implement the following changes:

Provide new computers to the Phoenix office users. The new computers have Windows 10 Pro preinstalled and were purchased already.

Start using a free Microsoft Store for Business app named App1.

Implement co-management for the computers.

Technical Requirements:

Contoso must meet the following technical requirements:

Ensure that the users in a group named Group4 can only access Microsoft Exchange Online from devices that are enrolled in Intune.

Deploy Windows 10 Enterprise to the computers of the Phoenix office users by using Windows Autopilot.

Monitor the computers in the LEG department by using Windows Analytics.

Create a provisioning package for new computers in the HR department.

Block iOS devices from sending diagnostic and usage telemetry data.

Use the principle of least privilege whenever possible.

Enable the users in the MKG department to use App1.

Pilot co-management for the IT department.

HOTSPOT

You need to meet the technical requirements for the new HR department computers.

How should you configure the provisioning package? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

Reference: https://docs.microsoft.com/en-us/windows/configuration/wcd/wcd-accounts


Question #21

You need to meet the technical requirements for the iOS devices.

Which object should you create in Intune?

  • A . A compliance policy
  • B . An app protection policy
  • C . A Deployment profile
  • D . A device configuration profile

Correct Answer: D

Explanation:

Reference:

https://docs.microsoft.com/en-us/intune/device-restrictions-configure

https://docs.microsoft.com/en-us/intune/device-restrictions-ios

Question #22

HOTSPOT

To which devices do Policy1 and Policy2 apply? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

Reference: https://docs.microsoft.com/en-us/intune/device-profile-assign


Question #23

HOTSPOT

What is the maximum number of devices that User1 and User2 can enroll in Intune? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Correct Answer:


Question #24

You need to meet the technical requirements for the IT department.

What should you do first?

  • A . From the Azure Active Directory blade in the Azure portal, enable Seamless single sign-on.
  • B . From the Configuration Manager console, add an Intune subscription.
  • C . From the Azure Active Directory blade in the Azure portal, configure the Mobility (MDM and MAM) settings.
  • D . From the Microsoft Intune blade in the Azure portal, configure the Windows enrollment settings.

Correct Answer: C

Explanation:

Reference: https://docs.microsoft.com/en-us/sccm/comanage/tutorial-co-manage-clients

Question #25

DRAG DROP

You need to meet the technical requirements for the LEG department computers.

Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Correct Answer:

Explanation:

Reference: https://docs.microsoft.com/en-us/windows/deployment/update/windows-analytics-azure-portal


Question #26

You need to prepare for the deployment of the Phoenix office computers.

What should you do first?

  • A . Extract the hardware ID information of each computer to a CSV file and upload the file from the Devices settings in Microsoft Store for Business.
  • B . Generalize the computers and configure the Mobility (MDM and MAM) settings from the Azure Active Directory blade in the Azure portal.
  • C . Generalize the computers and configure the Device settings from the Azure Active Directory blade in the Azure portal.
  • D . Extract the hardware ID information of each computer to an XLSX file and upload the file from the Devices settings in Microsoft Store for Business.

Correct Answer: A

Explanation:

Reference: https://docs.microsoft.com/en-us/microsoft-store/add-profile-to-devices#manage-autopilot-deployment-profiles

Question #27

HOTSPOT

You are evaluating which devices are compliant.

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

Correct Answer:


Question #28

You need to meet the requirements for the MKG department users.

What should you do?

  • A . Assign the MKG department users the Purchaser role in Microsoft Store for Business
  • B . Download the APPX file for App1 from Microsoft Store for Business
  • C . Add App1 to the private store
  • D . Assign the MKG department users the Basic Purchaser role in Microsoft Store for Business
  • E . Acquire App1 from Microsoft Store for Business

Correct Answer: E

Explanation:

Reference: https://docs.microsoft.com/en-us/microsoft-store/distribute-apps-from-your-private-store

Enable the users in the MKG department to use App1.

The private store is a feature in Microsoft Store for Business and Education that organizations receive during the signup process. When admins add apps to the private store, all employees in the organization can view and download the apps. Your private store is available as a tab in Microsoft Store app, and is usually named for your company or organization. Only apps with online licenses can be added to the private store.

Question #29

HOTSPOT

You need a new conditional access policy that has an assignment for Office 365 Exchange Online.

You need to configure the policy to meet the technical requirements for Group4.

Which two settings should you configure in the policy? To answer, select the appropriate settings in the answer area. NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

The policy needs to be applied to Group4, so we need to configure Users and Groups.

The Access controls are set to Block access.

We therefore need to exclude compliant devices.

From the scenario:

Ensure that the users in a group named Group4 can only access Microsoft Exchange Online from devices that are enrolled in Intune.

Note: When a device enrolls in Intune, the device information is updated in Azure AD to include the device compliance status. This compliance status is used by conditional access policies to block or allow access to e-mail and other organization resources.

Reference:

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/conditions

https://docs.microsoft.com/en-us/intune/device-compliance-get-started


Question #30

You need to prepare for the deployment of the Phoenix office computers.

What should you do first?

  • A . Generalize the computers and configure the Mobility (MDM and MAM) settings from the Azure Active Directory admin center.
  • B . Extract the hardware ID information of each computer to a CSV file and upload the file from the Microsoft Intune blade in the Azure portal.
  • C . Extract the hardware ID information of each computer to an XML file and upload the file from the Devices settings in Microsoft Store for Business.
  • D . Extract the serial number information of each computer to a CSV file and upload the file from the Microsoft Intune blade in the Azure portal.

Correct Answer: A

Explanation:

Reference: https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/existing-devices

Question #31

Topic 4, Mix Question

HOTSPOT

You have a Microsoft 365 subscription.

You use Microsoft Intune Suite to manage devices.

You have the iOS app protection policy shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

Box 1 = PIN only

Box 2 = reset the PIN app

iOS/iPadOS app protection policy settings – Microsoft Intune | Microsoft Learn

https://learn.microsoft.com/en-us/mem/intune/apps/app-protection-policy-settings-ios


Question #32

DRAG DROP

You have a Microsoft 365 E5 subscription and a computer that runs Windows 11.

You need to create a customized installation of Microsoft 365 Apps for enterprise.

Which four actions should you perform in sequence? To answer, move the appropriate cmdlets from the list of cmdlets to the answer area and arrange them in the correct order.

Correct Answer:

Explanation:


Question #37

You have devices enrolled in Microsoft Intune as shown in the following table.

On which devices can you apply app configuration policies?

  • A . Device2 only
  • B . Device1 and Device2 only
  • C . Device3 and Device4 only
  • D . Device2, Device3, and Device4 only
  • E . Device1, Device2, Device3, and Device4

Correct Answer: D

Explanation:

The correct answer is D because app configuration policies can be applied to managed devices and managed apps [1]. Managed devices are enrolled and managed by Intune, while managed apps are integrated with Intune App SDK or wrapped using the Intune Wrapping Tool [1]. Device2, Device3, and Device4 are either enrolled in Intune or have managed apps installed, so they can receive app configuration policies [2]. Device1 is not enrolled in any MDM solution and does not have any managed apps installed, so it cannot receive app configuration policies [2].

Reference:

1: App configuration policies for Microsoft Intune | Microsoft Learn https://learn.microsoft.com/en-us/mem/intune/apps/app-configuration-policies-overview

2: Policy sets – Microsoft Intune | Microsoft Learn https://learn.microsoft.com/en-us/mem/intune/fundamentals/policy-sets

Question #38

HOTSPOT

You have an Azure AD tenant named contoso.com that contains the devices shown in the following table.

All devices contain an app named App1 and are enrolled in Microsoft Intune.

You need to prevent users from copying data from App1 and pasting the data into other apps.

Which type of policy and how many policies should you create in Intune? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

Policy type: App protection policy

Minimum number of policies: 1

The correct answer is app protection policy because it allows you to customize the settings of apps for iOS/iPadOS or Android devices [1]. One of the settings you can configure is Restrict cut, copy, and paste between other apps, which lets you prevent users from copying data from App1 and pasting the data into other apps [2]. You only need one policy to apply this setting to all devices that have App1 installed [1].

Reference:

1: App configuration policies for Microsoft Intune | Microsoft Learn https://learn.microsoft.com/en-us/mem/intune/apps/app-configuration-policies-overview

2: Troubleshoot restricting cut, copy, and paste between applications – Intune | Microsoft Learn https://learn.microsoft.com/en-us/troubleshoot/mem/intune/app-protection-policies/troubleshoot-cut-copy-paste


Question #39

You have a Microsoft 365 subscription that uses Microsoft Intune Suite.

You use Microsoft Intune to manage devices.

You plan to deploy two apps named App1 and App2 to all Windows devices. App1 must be installed before App2.

From the Intune admin center, you create and deploy two Windows app (Win32) apps.

You need to ensure that App1 is installed before App2 on every device.

What should you configure?

  • A . the App1 deployment configurations
  • B . a dynamic device group
  • C . a detection rule
  • D . the App2 deployment configurations

Correct Answer: C

Explanation:

The correct answer is D because you can configure the dependencies for a Win32 app in the deployment configurations [1]. Dependencies are other Win32 apps that must be installed before your Win32 app can be installed [1]. You can add Win32 app dependencies only after your Win32 app has been added and uploaded to Intune [2]. In this case, you need to configure the App2 deployment configurations to add App1 as a dependency [2].

Reference:

1: Microsoft Intune Win32 App Dependencies – MSEndpointMgr https://msendpointmgr.com/2019/06/03/new-intune-feature-win32-app-dependencies/

2: Add and assign Win32 apps to Microsoft Intune | Microsoft Learn https://learn.microsoft.com/en-us/mem/intune/apps/apps-win32-add

Question #40

You have a Microsoft Intune subscription.

You have devices enrolled in Intune as shown in the following table.

An app named App1 is installed on each device.

What is the minimum number of app configuration policies required to manage App1?

  • A . 1
  • B . 2
  • C . 3
  • D . 4
  • E . 5

Correct Answer: B

Explanation:

The correct answer is B because you need to create two app configuration policies for managed devices, one for iOS/iPadOS devices and one for Android devices [1]. App configuration policies let you customize the settings of apps for iOS/iPadOS or Android devices [1]. The settings are assigned to user groups and applied when the app runs [1]. The app developer or supplier provides the configuration settings (keys and values) that are exposed to Intune [1]. You can’t use a single app configuration policy for both iOS/iPadOS and Android devices because they have different configuration settings [2].

Reference:

1: App configuration policies for Microsoft Intune | Microsoft Learn https://learn.microsoft.com/en-us/mem/intune/apps/app-configuration-policies-overview

2: Add app configuration policies for managed iOS/iPadOS devices | Microsoft Learn https://learn.microsoft.com/en-us/mem/intune/apps/app-configuration-policies-use-ios

Question #41

You have a Microsoft 365 E5 subscription that contains 100 iOS devices enrolled in Microsoft Intune.

You need to deploy a custom line-of-business (LOB) app to the devices by using Intune.

Which extension should you select for the app package file?

  • A . .intunemac
  • B . .apk
  • C . .ipa
  • D . .appx

Correct Answer: C

Explanation:

iOS/iPadOS LOB apps: Select Line-of-business app as the app type, select the App package file, and then enter an iOS/iPadOS installation file with the extension .ipa.

Reference: https://docs.microsoft.com/en-us/mem/intune/apps/apps-add

Question #42

You have a Microsoft 365 E5 subscription that contains a user named User1 and a web app named App1.

App1 must only accept modern authentication requests.

You plan to create a Conditional Access policy named CAPolicy1 that will have the following settings:

• Assignments

° Users or workload identities: User1

° Cloud apps or actions: App1

• Access controls

° Grant: Block access

You need to block only legacy authentication requests to App1.

Which condition should you add to CAPolicy1?

  • A . Filter for devices
  • B . Device platforms
  • C . User risk
  • D . Sign-in risk
  • E . Client apps

Correct Answer: E

Explanation:

You can use the client apps condition to block legacy authentication requests to App1 [1]. Legacy authentication is a term that refers to authentication protocols that do not support modern authentication features such as multi-factor authentication or conditional access [2]. Examples of legacy authentication protocols include Basic Authentication, Digest Authentication, NTLM, and Kerberos [2]. To block legacy authentication requests, you need to configure the client apps condition to include Other clients, which covers any client that uses legacy authentication protocols [1][3].

Reference:

1: Conditional Access: Block legacy authentication | Microsoft Learn https://learn.microsoft.com/en-us/mem/identity-protection/conditional-access/block-legacy-authentication

2: What is legacy authentication? | Microsoft Learn https://learn.microsoft.com/en-us/mem/identity-protection/conditional-access/legacy-authentication

3: Client apps condition in Azure Active Directory Conditional Access | Microsoft Learn https://learn.microsoft.com/en-us/mem/identity-protection/conditional-access/client-apps-condition

Question #43

HOTSPOT

You have a Microsoft 365 subscription.

All users have Microsoft 365 apps deployed.

You need to configure Microsoft 365 apps to meet the following requirements:

• Enable the automatic installation of WebView2 Runtime.

• Prevent users from submitting feedback.

Which two settings should you configure in the Microsoft 365 Apps admin center? To answer, select the appropriate settings in the answer area. NOTE: Each correct selection is worth one point.

Correct Answer:


Question #44

You have a Microsoft 365 subscription.

You have 10 computers that run Windows 10 and are enrolled in mobile device management (MDM).

You need to deploy the Microsoft 365 Apps for enterprise suite to all the computers.

What should you do?

  • A . From the Microsoft Intune admin center, create a Windows 10 device profile.
  • B . From Azure AD, add an app registration.
  • C . From Azure AD, add an enterprise application.
  • D . From the Microsoft Intune admin center, add an app.

Correct Answer: D

Explanation:

To deploy Microsoft 365 Apps for enterprise to Windows 10 devices that are enrolled in Intune, you need to add an app of type “Windows 10 app (Win32)” in the Microsoft Intune admin center and configure the app settings. You can then assign the app to groups of users or devices.

Reference: https://docs.microsoft.com/en-us/mem/intune/apps/apps-win32-app-management

Question #45

You have a Microsoft 365 subscription that uses Microsoft Intune Suite.

You use Microsoft Intune to manage devices.

You have a Windows 11 device named Device1 that is enrolled in Intune. Device1 has been offline for 30 days.

You need to remove Device1 from Intune immediately. The solution must ensure that if the device checks in again, any apps and data provisioned by Intune are removed. User-installed apps, personal data, and OEM-installed apps must be retained.

What should you use?

  • A . a Delete action
  • B . a Retire action
  • C . a Fresh Start action
  • D . an Autopilot Reset action

Correct Answer: B

Explanation:

A retire action removes a device from Intune management and removes any apps and data provisioned by Intune. User-installed apps, personal data, and OEM-installed apps are retained. A retire action can be performed on devices that are offline for more than 30 days.

Reference: https://docs.microsoft.com/en-us/mem/intune/remote-actions/devices-wipe

Question #46

You have a Microsoft 365 subscription that uses Microsoft Intune Suite. You use Microsoft Intune to manage devices.

You need to review the startup times and restart frequencies of the devices.

What should you use?

  • A . Azure Monitor
  • B . Intune Data Warehouse
  • C . Microsoft Defender for Endpoint
  • D . Endpoint analytics

Correct Answer: D

Explanation:

Endpoint analytics is a feature of Microsoft Intune that provides insights into the performance and health of devices. You can use endpoint analytics to review the startup times and restart frequencies of the devices, as well as other metrics such as sign-in times, battery life, app reliability, and software inventory.

Reference: https://docs.microsoft.com/en-us/mem/analytics/overview

Question #47

HOTSPOT

You have a Microsoft 365 E5 subscription.

You create a new update rings policy named Policy1 as shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point.

Correct Answer:


Question #48

You have computers that run Windows 10 and connect to an Azure Log Analytics workspace. The workspace is configured to collect all available events from Windows event logs.

The computers have the logged events shown in the following table.

Which events are collected in the Log Analytics workspace?

  • A . 1 only
  • B . 2 and 3 only
  • C . 1 and 3 only
  • D . 1, 2, and 4 only
  • E . 1, 2, 3, and 4

Correct Answer: E

Explanation:

All events from Windows event logs are collected in the Log Analytics workspace, regardless of the event level or source. Therefore, events 1, 2, 3, and 4 are all collected in the workspace.

Reference: https://docs.microsoft.com/en-us/azure/azure-monitor/agents/data-sources-windows-events

Question #49

You have a Microsoft 365 E5 subscription that contains 10 Android Enterprise devices. Each device has a corporate-owned work profile and is enrolled in Microsoft Intune.

You need to configure the devices to run a single app in kiosk mode.

Which Configuration settings should you modify in the device restrictions profile?

  • A . General
  • B . Users and Accounts
  • C . System security
  • D . Device experience

Correct Answer: D

Explanation:

To configure the devices to run a single app in kiosk mode, you need to modify the Device experience settings in the device restrictions profile. You can specify the app package name and activity name for the app that you want to run in kiosk mode.

Reference: https://docs.microsoft.com/en-us/mem/intune/configuration/device-restrictions-android-for-work#device-experience

Question #50

You have a Microsoft 365 E5 subscription that contains 500 macOS devices enrolled in Microsoft Intune.

You need to ensure that you can apply Microsoft Defender for Endpoint antivirus policies to the macOS devices. The solution must minimize administrative effort.

What should you do?

  • A . Onboard the macOS devices to the Microsoft Purview compliance portal.
  • B . From the Microsoft Intune admin center, create a security baseline.
  • C . Install Defender for Endpoint on the macOS devices.
  • D . From the Microsoft Intune admin center, create a configuration profile.

Correct Answer: C

Explanation:

To apply Microsoft Defender for Endpoint antivirus policies to the macOS devices, you need to install Defender for Endpoint on the devices. You can use Intune to deploy a script that installs Defender for Endpoint on macOS devices. After installation, you can use Intune to create and assign antivirus policies to the devices.

Reference: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune

Question #51

You have an Azure AD tenant and 100 Windows 10 devices that are Azure AD joined and managed by using Microsoft Intune.

You need to configure Microsoft Defender Firewall and Microsoft Defender Antivirus on the devices.

The solution must minimize administrative effort.

Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

  • A . To configure Microsoft Defender Antivirus, create a Group Policy Object (GPO) and configure the Windows Defender Antivirus settings.
  • B . To configure Microsoft Defender Firewall, create a device configuration profile and configure the Device restrictions settings.
  • C . To configure Microsoft Defender Antivirus, create a device configuration profile and configure the Endpoint protection settings.
  • D . To configure Microsoft Defender Antivirus, create a device configuration profile and configure the Device restrictions settings.
  • E . To configure Microsoft Defender Firewall, create a device configuration profile and configure the Endpoint protection settings.
  • F . To configure Microsoft Defender Firewall, create a Group Policy Object (GPO) and configure Windows Defender Firewall with Advanced Security.

Correct Answer: CE

Explanation:

To configure Microsoft Defender Firewall and Microsoft Defender Antivirus on Azure AD joined devices that are managed by Intune, you need to create a device configuration profile and configure the Endpoint protection settings. You can use this profile to configure various settings for firewall and antivirus protection on the devices.

Reference: https://docs.microsoft.com/en-us/mem/intune/protect/endpoint-protection-windows-10

Question #52

You have an Azure AD group named Group1. Group1 contains two Windows 10 Enterprise devices named Device1 and Device2. You create a device configuration profile named Profile1. You assign Profile1 to Group1. You need to ensure that Profile1 applies to Device1 only.

What should you modify in Profile1?

  • A . Assignments
  • B . Settings
  • C . Scope (Tags)
  • D . Applicability Rules

Correct Answer: D

Explanation:

To ensure that Profile1 applies to Device1 only, you need to modify the Applicability Rules in Profile1. You can use applicability rules to filter which devices receive a profile based on criteria such as device model, manufacturer, or operating system version. You can create an applicability rule that matches Device1’s properties and excludes Device2’s properties.

Reference: https://docs.microsoft.com/en-us/mem/intune/configuration/device-profile-assign#applicability-rules

Question #53

DRAG DROP

You have a Microsoft 365 subscription that includes Microsoft Intune.

You need to implement a Microsoft Defender for Endpoint solution that meets the following requirements:

• Enforces compliance for Defender for Endpoint by using Conditional Access

• Prevents suspicious scripts from running on devices

What should you configure? To answer, drag the appropriate features to the correct requirements. Each feature may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

To enforce compliance for Defender for Endpoint by using Conditional Access, you need to configure an Intune connection in the Defender for Endpoint portal. This allows you to use Intune device compliance policies to evaluate the health and compliance status of devices that are enrolled in Defender for Endpoint. You can then use Conditional Access policies to block or allow access to cloud apps based on the device compliance status.

Reference: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/conditional-access

To prevent suspicious scripts from running on devices, you need to configure an attack surface reduction (ASR) rule in Intune. ASR rules are part of the endpoint protection settings that you can apply to devices by using device configuration profiles. You can use the ASR rule “Block Office applications from creating child processes” to prevent Office applications from launching child processes such as scripts or executables.

Reference: https://docs.microsoft.com/en-us/mem/intune/protect/endpoint-protection-windows-10#attack-surface-reduction-asr-rules


Question #54

Your network contains an on-premises Active Directory domain and an Azure AD tenant.

The Default Domain Policy Group Policy Object (GPO) contains the settings shown in the following table.

Which device configuration profile type template should you use?

  • A . Administrative Templates
  • B . Endpoint protection
  • C . Device restrictions
  • D . Custom

Correct Answer: A

Explanation:

To configure the settings shown in the table, you need to use the Administrative Templates device configuration profile type template. This template allows you to configure hundreds of settings that are also available in Group Policy. You can use this template to configure settings such as password policies, account lockout policies, and audit policies.

Reference: https://docs.microsoft.com/en-us/mem/intune/configuration/administrative-templates-windows

Question #55

You have 100 computers that run Windows 10 and connect to an Azure Log Analytics workspace.

Which three types of data can you collect from the computers by using Log Analytics? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point.

  • A . error events from the System log
  • B . failure events from the Security log
  • C . third-party application logs stored as text files
  • D . the list of processes and their execution times
  • E . the average processor utilization

Correct Answer: A, C, E

Explanation:

You can collect error events from the System log, third-party application logs stored as text files, and the average processor utilization from the computers by using Log Analytics. These are some of the types of data that you can collect by using data sources such as Windows event logs, custom logs, and performance counters. You cannot collect failure events from the Security log or the list of processes and their execution times by using Log Analytics.

Reference: https://docs.microsoft.com/en-us/azure/azure-monitor/agents/data-sources-overview

Question #56

You have a Microsoft 365 E5 subscription. The subscription contains 25 computers that run Windows 11 and are enrolled in Microsoft Intune. You need to onboard the devices to Microsoft Defender for Endpoint.

What should you create in the Microsoft Intune admin center?

  • A . an attack surface reduction (ASR) policy
  • B . a security baseline
  • C . an endpoint detection and response (EDR) policy
  • D . an account protection policy
  • E . an antivirus policy

Correct Answer: C

Explanation:

To onboard the devices to Microsoft Defender for Endpoint, you need to create an endpoint detection and response (EDR) policy in the Microsoft Intune admin center. This policy enables EDR capabilities on devices that are enrolled in Intune and allows you to configure various settings for EDR functionality. You can then assign the policy to groups of users or devices.

Reference: https://docs.microsoft.com/en-us/mem/intune/protect/edr-windows

Question #57

Your company uses Microsoft Intune to manage devices.

You need to ensure that only Android devices that use Android work profiles can enroll in Intune.

Which two configurations should you perform in the device enrollment restrictions? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

  • A . From Platform Settings, set Android device administrator Personally Owned to Block.
  • B . From Platform Settings, set Android Enterprise (work profile) to Allow.
  • C . From Platform Settings, set Android device administrator Personally Owned to Allow.
  • D . From Platform Settings, set Android device administrator to Block.

Correct Answer: AB

Explanation:

To ensure that only Android devices that use Android work profiles can enroll in Intune, you need to perform two configurations in the device enrollment restrictions. First, you need to set Android device administrator Personally Owned to Block. This prevents users from enrolling personal Android devices that use device administrator mode. Second, you need to set Android Enterprise (work profile) to Allow. This allows users to enroll corporate-owned or personal Android devices that use work profiles.

Reference: https://docs.microsoft.com/en-us/mem/intune/enrollment/enrollment-restrictions-set

Question #58

HOTSPOT

You have the device configuration profile shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

Users can only access URLs that start with https://contoso.com/

Windows 10 and later devices can have multiple Microsoft Edge instances that each has a single tab

The device configuration profile shown in the exhibit is a kiosk browser profile that configures Microsoft Edge to run in kiosk mode. The profile has the following settings:

Kiosk mode: Enabled

Kiosk type: Multi-app

Allowed URLs: https://contoso.com/*

Address bar: Disabled

These settings mean that users can only access URLs that start with https://contoso.com/ and cannot view the address bar in Microsoft Edge. The kiosk type of Multi-app allows users to open multiple instances of Microsoft Edge, but each instance can only have a single tab. Therefore, users cannot access any URL, cannot view the address bar in Microsoft Edge, and can have multiple Microsoft Edge instances that each has a single tab.

Reference: https://docs.microsoft.com/en-us/mem/intune/configuration/kiosk-settings#kiosk-browser-settings


Question #59

HOTSPOT

You have 100 Windows 10 devices enrolled in Microsoft Intune.

You need to configure the devices to retrieve Windows updates from the internet and from other computers on a local network.

Which Delivery Optimization setting should you configure, and which type of Intune object should you create? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

Delivery Optimization setting:

B. Download mode

Intune object: A configuration profile

To configure the devices to retrieve Windows updates from the internet and from other computers on a local network, you need to configure the Download mode setting in a Delivery Optimization device configuration profile. This setting specifies how the devices use Delivery Optimization to download updates. You can choose from several options, such as HTTP only, LAN only, or Group. For example, you can set the Download mode to Group and specify a group ID for the devices to share updates among themselves and with other devices that have the same group ID. You can also set the Download mode to Internet to allow the devices to download updates from Microsoft or other devices on the internet that use Delivery Optimization.

Reference: https://docs.microsoft.com/en-us/mem/intune/configuration/delivery-optimization-windows


Question #60

HOTSPOT

You have an Azure Active Directory (Azure AD) tenant that contains the users shown in the following table.

You have devices enrolled in Microsoft Intune as shown in the following table.

From Intune, you create and send a custom notification named Notification1 to Group1.

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

Reference: https://docs.microsoft.com/en-us/mem/intune/remote-actions/custom-notifications


Question #61

You use Microsoft Intune and Intune Data Warehouse.

You need to create a device inventory report that includes the data stored in the data warehouse.

What should you use to create the report?

  • A . the Azure portal app
  • B . Endpoint analytics
  • C . the Company Portal app
  • D . Microsoft Power BI

Correct Answer: D

Explanation:

You can use the Power BI Compliance app to load interactive, dynamically generated reports for your Intune tenant. Additionally, you can load your tenant data in Power BI using the OData link.

Intune provides connection settings to your tenant so that you can view the following sample reports and charts related to:

Devices

Enrollment

App protection policy

Compliance policy

Device configuration profiles

Software updates

Device inventory logs

Note: Load the data in Power BI using the OData link

With a client authenticated to Azure AD, the OData URL connects to the RESTful endpoint in the Data Warehouse API that exposes the data model to your reporting client. Follow these instructions to use Power BI Desktop to connect and create your own reports.

Sign in to the Microsoft Endpoint Manager admin center.

Select Reports > Intune Data warehouse > Data warehouse.

Retrieve the custom feed URL from the reporting blade, for example:

https://fef.{yourtenant}.manage.microsoft.com/ReportingService/DataWarehouseFEService/dates?api-version=v1.0

Open Power BI Desktop.

Choose File > Get Data. Select OData feed.

Choose Basic.

Type or paste the OData URL into the URL box.

Select OK.

If you have not authenticated to Azure AD for your tenant from the Power BI desktop client, type your credentials. To gain access to your data, you must authorize with Azure Active Directory (Azure AD) using OAuth 2.0.

Select Organizational account.

Type your username and password.

Select Sign In.

Select Connect.

Select Load.

Reference: https://docs.microsoft.com/en-us/mem/intune/developer/reports-proc-get-a-link-powerbi

Question #62

You have a Microsoft 365 E5 subscription and 25 Apple iPads.

You need to enroll the iPads in Microsoft Intune by using the Apple Configurator enrollment method.

What should you do first?

  • A . Upload a file that has the device identifiers for each iPad.
  • B . Modify the enrollment restrictions.
  • C . Configure an Apple MDM push certificate.
  • D . Add your user account as a device enrollment manager (DEM).

Correct Answer: C

Explanation:

Reference: https://www.manageengine.com/mobile-device-management/help/enrollment/mdm_creating_apns_certificate.html

Prerequisites for iOS enrollment

Before you can enable iOS devices, complete the following steps:

• Make sure your device is eligible for Apple device enrollment.

• Set up Intune – These steps set up your Intune infrastructure. In particular, device enrollment requires that you set your MDM authority.

• Get an Apple MDM Push certificate – Apple requires a certificate to enable management of iOS and macOS devices.

https://docs.microsoft.com/en-gb/intune/enrollment/apple-mdm-push-certificate-get

Question #63

HOTSPOT

You have 100 computers that run Windows 10. You have no servers. All the computers are joined to Microsoft Azure Active Directory (Azure AD).

The computers have different update settings, and some computers are configured for manual updates.

You need to configure Windows Update.

The solution must meet the following requirements:

– The configuration must be managed from a central location.

– Internet traffic must be minimized.

– Costs must be minimized.

How should you configure Windows Update? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

Box 1: Windows Server Update Services (WSUS)

Windows Server Update Services (WSUS) enables information technology administrators to deploy the latest Microsoft product updates. You can use WSUS to fully manage the distribution of updates that are released through Microsoft Update to computers on your network.

Windows Server Update Services is a built-in server role that includes the following enhancements:

Can be added and removed by using the Server Manager

Includes Windows PowerShell cmdlets to manage the most important administrative tasks in WSUS, etc.

Box 2: A Group Policy object

In an Active Directory environment, you can use Group Policy to define how computers and users can interact with Windows Update to obtain automatic updates from Windows Server Update Services (WSUS).

Box 3: BranchCache

BranchCache is a bandwidth-optimization feature that has been available since the Windows Server 2008 R2 and Windows 7 operating systems. Each client has a cache and acts as an alternate source for content that devices on its own network request. Windows Server Update Services (WSUS) and Microsoft Endpoint Manager can use BranchCache to optimize network bandwidth during update deployment, and it’s easy to configure for either of them. BranchCache has two operating modes: Distributed Cache mode and Hosted Cache mode.

Reference:

https://docs.microsoft.com/en-us/windows/deployment/update/waas-branchcache

https://docs.microsoft.com/en-us/windows-server/administration/windows-server-update-services/deploy/4-configure-group-policy-settings-for-automatic-updates


Question #64

You have a Microsoft 365 E5 subscription that contains 150 hybrid Azure AD joined Windows devices. All the devices are enrolled in Microsoft Intune.

You need to configure Delivery Optimization on the devices to meet the following requirements:

• Allow downloads from the internet and from other computers on the local network.

• Limit the percentage of used bandwidth to 50.

What should you use?

  • A . a configuration profile
  • B . a Windows Update for Business Group Policy setting
  • C . a Microsoft Peer-to-Peer Networking Services Group Policy setting
  • D . an Update ring for Windows 10 and later profile

Correct Answer: C

Explanation:

A configuration profile is the correct answer because it allows you to configure Delivery Optimization settings for Windows devices in Intune. You can specify the download mode, bandwidth limit, caching options, and more. A configuration profile is a template that contains one or more settings that you can apply to groups of devices.

Reference: Windows 10 Delivery Optimization settings for Intune – Microsoft Intune | Microsoft Learn Delivery Optimization settings in Microsoft Intune

Question #65

Your network contains an Active Directory domain named contoso.com. The domain contains a computer named Computer1 that runs Windows 10.

You have the groups shown in the following table.

Which groups can you add to Group4?

  • A . Group2 only
  • B . Group1 and Group2 only
  • C . Group2 and Group3 only
  • D . Group1, Group2, and Group3

Correct Answer: C

Question #66

DRAG DROP

You have a Microsoft 365 subscription. The subscription contains computers that run Windows 11 and are enrolled in Microsoft Intune.

You need to create a compliance policy that meets the following requirements:

• Requires BitLocker Drive Encryption (BitLocker) on each device

• Requires a minimum operating system version

Which setting of the compliance policy should you configure for each requirement? To answer, drag the appropriate settings to the correct requirements. Each setting may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point.

Correct Answer:


Question #67

HOTSPOT

You have a Microsoft 365 E5 subscription that uses Microsoft Intune.

You have the Windows 11 devices shown in the following table.

You deploy the device compliance policy shown in the exhibit. (Click the Exhibit tab.)

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

Correct Answer:


Question #68

DRAG DROP

You have a Microsoft 365 subscription that contains the devices shown in the following table.

You need to ensure that only devices running trusted firmware or operating system build can access network resources.

Which compliance policy setting should you configure for each device? To answer, drag the appropriate settings to the correct devices. Each setting may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point.

Correct Answer:


Question #69

DRAG DROP

You have a Microsoft 365 subscription that contains 1,000 Windows 11 devices enrolled in Microsoft Intune.

You plan to create and monitor the results of a compliance policy used to validate the BIOS version of the devices.

Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Correct Answer:


Question #70

DRAG DROP

You have a computer that runs Windows 10 and contains two local users named User1 and User2.

You need to ensure that the users can perform the following actions:

• User1 must be able to adjust the date and time.

• User2 must be able to clear Windows logs.

The solution must use the principle of least privilege.

To which group should you add each user? To answer, drag the appropriate groups to the correct users. Each group may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point.

Correct Answer:


Question #71

HOTSPOT

You have an Azure AD tenant named contoso.com.

You have the devices shown in the following table.

Which devices can be Azure AD joined, and which devices can be registered in contoso.com? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Correct Answer:


Question #72

HOTSPOT

You have an Azure AD tenant named contoso.com that contains the users shown in the following table.

You have a computer named Computer1 that runs Windows 10.

Computer1 is in a workgroup and has the local users shown in the following table.

UserA joins Computer1 to Azure AD by using user1@contoso.com.

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

Correct Answer:


Question #73

Your network contains an Active Directory domain. The domain contains a user named Admin1. All computers run Windows 10.

You enable Windows PowerShell remoting on the computers.

You need to ensure that Admin1 can establish remote PowerShell connections to the computers. The solution must use the principle of least privilege.

To which group should you add Admin1?

  • A . Access Control Assistance Operators
  • B . Remote Desktop Users
  • C . Power Users
  • D . Remote Management Users

Correct Answer: B

Question #74

You have a Microsoft Intune subscription.

You are creating a Windows Autopilot deployment profile named Profile1 as shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point.

Correct Answer:


Question #75

HOTSPOT

You have a server named Server1 and computers that run Windows 8.1. Server1 has the Microsoft Deployment Toolkit (MDT) installed.

You plan to upgrade the Windows 8.1 computers to Windows 10 by using the MDT deployment wizard.

You need to create a deployment share on Server1.

What should you do on Server1, and what are the minimum components you should add to the MDT deployment share? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

Box 1: Install the Windows Deployment Services role.

Install and initialize Windows Deployment Services (WDS)

On the server:

Open an elevated Windows PowerShell prompt and enter the following command:

Install-WindowsFeature -Name WDS -IncludeManagementTools

WDSUTIL /Verbose /Progress /Initialize-Server /Server:MDT01 /RemInst:"D:\RemoteInstall"

WDSUTIL /Set-Server /AnswerClients:All

Box 2: Windows 10 image and task sequence only

Create the reference image task sequence

In order to build and capture your Windows 10 reference image for deployment using MDT, you will create a task sequence.

Reference:

https://docs.microsoft.com/en-us/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt

https://docs.microsoft.com/en-us/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image


Question #76

DRAG DROP

You have a Microsoft Deployment Toolkit (MDT) server named MDT1.

When computers start from the LiteTouchPE_x64.iso image and connect to MDT1, the welcome screen appears as shown in the following exhibit.

You need to prevent the welcome screen from appearing when the computers connect to MDT1.

Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Correct Answer:

Explanation:

Box 1: Modify the Bootstrap.ini file.

Add this to your bootstrap.ini file and then update the deployment share and use the new boot media created in that process:

SkipBDDWelcome=YES

Box 2: Modify the CustomSettings.ini file.

SkipBDDWelcome

Indicates whether the Welcome to Windows Deployment wizard page is skipped.

For this property to function properly it must be configured in both CustomSettings.ini and BootStrap.ini. BootStrap.ini is processed before a deployment share (which contains CustomSettings.ini) has been selected.

Box 3: Update the deployment share.

Reference: https://docs.microsoft.com/en-us/mem/configmgr/mdt/toolkit-reference#table-6-deployment-wizard-pages


Question #77

You use Windows Admin Center to remotely administer computers that run Windows 10.

When connecting to Windows Admin Center, you receive the message shown in the following exhibit.

You need to prevent the message from appearing when you connect to Windows Admin Center.

To which certificate store should you import the certificate?

  • A . Personal
  • B . Trusted Root Certification Authorities
  • C . Client Authentication Issuers

Correct Answer: B

Question #78

You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains the devices shown in the following table.

Contoso.com contains the Azure Active Directory groups shown in the following table.

You add a Windows Autopilot deployment profile.

The profile is configured as shown in the following exhibit.

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

Box 1: No

Device1 has no Mobile device Management (MDM) configured.

Note: Device1 is running Windows 8.1, and is registered, but not joined.

Device1 is in Group1.

Profile1 is assigned to Group1.

Box 2: No

Device2 has no Mobile device Management (MDM) configured.

Note: Device2 is running Windows 10, and is joined.

Device2 is in Group2.

Group2 is in Group1.

Profile1 is assigned to Group1.

Box 3: Yes

Device3 has Mobile device Management (MDM) configured.

Device3 is running Windows 10, and is joined.

Device1 is in Group1.

Profile1 is assigned to Group1.

Mobile device management (MDM) enrollment: Once your Windows 10 device joins Azure AD, Autopilot ensures your device is automatically enrolled with MDMs such as Microsoft Intune. This program can automatically push configurations, policies and settings to the device, and install Office 365 and other business apps without you having to get IT admins to manually sort the device. Intune can also apply the latest updates from Windows Update for Business.

Reference: https://xo.xello.com.au/blog/windows-autopilot


Question #79

HOTSPOT

Your network contains an Active Directory domain. The domain contains 1,000 computers that run Windows 11.

You need to configure the Remote Desktop settings of all the computers.

The solution must meet the following requirements:

• Prevent the sharing of clipboard contents.

• Ensure that users authenticate by using Network Level Authentication (NLA).

Which two nodes of the Group Policy Management Editor should you use? To answer, select the appropriate nodes in the answer area. NOTE: Each correct selection is worth one point.

Correct Answer:


Question #80

HOTSPOT

You have a Microsoft 365 subscription that uses Microsoft Intune Suite. You use Microsoft Intune to manage devices. Azure AD joined Windows devices enroll automatically in Intune.

You have the devices shown in the following table.

You are preparing to upgrade the devices to Windows 11. All the devices are compatible with Windows 11.

You need to evaluate Windows Autopilot and in-place upgrade as deployment methods to implement Windows 11 Pro on the devices, while retaining all user settings and applications.

Which devices can be upgraded by using each method? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Correct Answer:


Question #81

DRAG DROP

You have 100 computers that run Windows 10.

You plan to deploy Windows 11 to the computers by performing a wipe and load installation.

You need to recommend a method to retain the user settings and the user data.

Which three actions should you recommend be performed in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Correct Answer:


Question #82

You have a Microsoft 365 subscription that uses Microsoft Intune Suite.

You use Microsoft Intune to manage devices.

You use Windows Autopilot to deploy Windows 11 to devices.

A support engineer reports that when a deployment fails, they cannot collect deployment logs from the failed device.

You need to ensure that when a deployment fails, the deployment logs can be collected.

What should you configure?

  • A . the automatic enrollment settings
  • B . the Windows Autopilot deployment profile
  • C . the enrollment status page (ESP) profile
  • D . the device configuration profile

Correct Answer: B

Question #83

You have a Microsoft 365 E5 subscription that contains a user named User1 and uses Microsoft Intune Suite.

You use Microsoft Intune to manage devices.

You have a device named Device1 that is enrolled in Intune.

You need to ensure that User1 can use Remote Help from the Intune admin center for Device1.

Which three actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

  • A . Deploy the Remote Help app to Device1.
  • B . Assign the Help Desk Operator role to User1.
  • C . Assign the Intune Administrator role to User1.
  • D . Assign a Microsoft 365 E5 license to User1.
  • E . Rerun device onboarding on Device1.
  • F . Assign the Remote Help add-on license to User1.

Correct Answer: A, B, F

Question #84

You have a Windows 11 capable device named Device1 that runs the 64-bit version of Windows 10 Enterprise and has Microsoft Office 2019 installed.

You have the Windows 11 Enterprise images shown in the following table.

Which images can be used to perform an in-place upgrade of Device1?

  • A . Image1 only
  • B . Image2 only
  • C . Image1 and Image2

Correct Answer: B

Question #85

HOTSPOT

Your network contains an on-premises Active Directory Domain Services (AD DS) domain that syncs with an Azure AD tenant by using Azure AD Connect.

You use Microsoft Intune and Configuration Manager to manage devices.

You need to recommend a deployment plan for new Windows 11 devices.

The solution must meet the following requirements:

• Devices for the marketing department must be joined to the AD DS domain only. The IT department will install complex applications on the devices at build time, before giving the devices to the marketing department users.

• Devices for the sales department must be Azure AD joined. The devices will be shipped directly from the manufacturer to the homes of the sales department users.

• Administrative effort must be minimized.

Which deployment method should you recommend for each department? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Correct Answer:


Question #86

You have a Microsoft Deployment Toolkit (MDT) deployment share named DS1.

In the Out-of-Box Drivers node, you create folders that contain drivers for different hardware models.

You need to configure the Inject Drivers MDT task to use PnP detection to install the drivers for one of the hardware models.

What should you do first?

  • A . Import an OS package.
  • B . Create a selection profile.
  • C . Add a Gather task to the task sequence.
  • D . Add a Validate task to the task sequence.

Correct Answer: B

Question #87

You have an on-premises server named Server1 that hosts a Microsoft Deployment Toolkit (MDT) deployment share named MDT1. You need to ensure that MDT1 supports multicast deployments.

What should you install on Server1?

  • A . Multipath I/O (MPIO)
  • B . Multipoint Connector
  • C . Windows Deployment Services (WDS)
  • D . Windows Server Update Services (WSUS)

Correct Answer: C

Question #88

Your company standardizes on Windows 10 Enterprise for all users.

Some users purchase their own computer from a retail store. The computers run Windows 10 Pro.

You need to recommend a solution to upgrade the computers to Windows 10 Enterprise, join the computers to Azure AD, and install several Microsoft Store apps.

The solution must meet the following requirements:

• Ensure that any applications installed by the users are retained.

• Minimize user intervention.

What is the best recommendation to achieve the goal? More than one answer choice may achieve the goal. Select the BEST answer.

  • A . Windows Autopilot
  • B . Microsoft Deployment Toolkit (MDT)
  • C . a Windows Configuration Designer provisioning package
  • D . Windows Deployment Services (WDS)

Correct Answer: A

Question #89

Your company has an Azure AD tenant named contoso.com that contains several Windows 10 devices.

When you join new Windows 10 devices to contoso.com, users are prompted to set up a four-digit pin.

You need to ensure that the users are prompted to set up a six-digit pin when they join the Windows 10 devices to contoso.com.

Solution: From the Microsoft Entra admin center, you modify the User settings and the Device settings.

Does this meet the goal?

  • A . Yes
  • B . No

Correct Answer: B

Question #90

Your company has an Azure AD tenant named contoso.com that contains several Windows 10 devices.

When you join new Windows 10 devices to contoso.com, users are prompted to set up a four-digit pin.

You need to ensure that the users are prompted to set up a six-digit pin when they join the Windows 10 devices to contoso.com.

Solution: From the Microsoft Entra admin center, you configure automatic mobile device management (MDM) enrollment. From the Microsoft Intune admin center, you create and assign a device restrictions profile.

Does this meet the goal?

  • A . Yes
  • B . No

Correct Answer: B

Question #91

Your company has an Azure AD tenant named contoso.com that contains several Windows 10 devices.

When you join new Windows 10 devices to contoso.com, users are prompted to set up a four-digit pin.

You need to ensure that the users are prompted to set up a six-digit pin when they join the Windows 10 devices to contoso.com.

Solution: From the Microsoft Entra admin center, you configure automatic mobile device management (MDM) enrollment. From the Microsoft Intune admin center, you configure the Windows Hello for Business enrollment options.

Does this meet the goal?

  • A . Yes
  • B . No

Correct Answer: B

Question #92

HOTSPOT

You have an Azure AD tenant that contains the users shown in the following table.

You have the devices shown in the following table.

You have a Conditional Access policy named CAPolicy1 that has the following settings:

• Assignments

o Users or workload identities: User 1. User1

o Cloud apps or actions: Office 365 Exchange Online

o Conditions: Device platforms: Windows, iOS

• Access controls

o Grant: Require multi-factor authentication

You have a Conditional Access policy named CAPolicy2 that has the following settings:

• Assignments

o Users or workload identities: Used, User2

o Cloud apps or actions: Office 365 Exch

o Conditions

■ Device platforms: Android, iOS

■ Filter for devices

■ Device matching the rule: Exclude filtered devices from policy

■ Rule syntax: device.displayName -contains "1"

• Access controls

o Grant: Block access

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

Correct Answer:


Question #93

HOTSPOT

You have a Microsoft 365 subscription that contains the devices shown in the following table.

You plan to enroll the devices in Microsoft Intune.

How often will the compliance policy check-ins run after each device is enrolled in Intune? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

Box 1: Every three minutes for 15 minutes, then every 15 minutes for two hours, and then around every eight hours

If devices recently enroll, then the compliance, non-compliance, and configuration check-in runs more frequently. The check-ins are estimated at:

Windows 10: Every 3 minutes for 15 minutes, then every 15 minutes for 2 hours, and then around every 8 hours

Box 2: Every 15 minutes for one hour, and then every eight hours

iOS/iPadOS: Every 15 minutes for 1 hour, and then around every 8 hours

Reference: https://docs.microsoft.com/en-us/mem/intune/configuration/device-profile-troubleshoot


Question #94

You have a Microsoft 365 E5 subscription that contains 500 macOS devices enrolled in Microsoft Intune.

You need to ensure that you can apply Microsoft Defender for Endpoint antivirus policies to the macOS devices. The solution must minimize administrative effort.

What should you do?

  • A . From the Microsoft Endpoint Manager admin center, create a configuration profile.
  • B . From the Microsoft Endpoint Manager admin center, create a security baseline.
  • C . Onboard the macOS devices to the Microsoft 365 compliance center.
  • D . Install Defender for Endpoint on the macOS devices.

Correct Answer: D

Explanation:

Just install, and use Defender for Endpoint on Mac.

Reference: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-mac

Question #95

HOTSPOT

You have the on-premises servers shown in the following table.

You have a Microsoft 365 E5 subscription that contains Android and iOS devices. All the devices are managed by using Microsoft Intune.

You need to implement Microsoft Tunnel for Intune. The solution must minimize the number of open firewall ports.

To which server can you deploy a Tunnel Gateway server, and which inbound ports should be allowed on the server to support Microsoft Tunnel connections? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

Box 1: Server4

Microsoft Tunnel is a VPN gateway solution for Microsoft Intune that runs in a container on Linux and allows access to on-premises resources from iOS/iPadOS and Android Enterprise devices using modern authentication and Conditional Access.

Box 2: TCP 443 and UDP 443 only

Some traffic goes to your public facing IP address for the Tunnel. The VPN channel will use TCP, TLS, UDP, and DTLS over port 443.

By default, port 443 is used for both TCP and UDP, but this can be customized via the Intune Server Configuration - Server port setting. If changing the default port (443), ensure your inbound firewall rules are adjusted to the custom port.

Incorrect:

TCP 1723 is not used.

Reference: https://docs.microsoft.com/en-us/mem/intune/protect/microsoft-tunnel-overview


Question #96

HOTSPOT

You have an Azure Active Directory Premium Plan 2 subscription that contains the users shown in the following table.

You purchase the devices shown in the following table.

You configure automatic mobile device management (MDM) and mobile application management (MAM) enrollment by using the following settings:

– MDM user scope: Group1

– MAM user scope: Group2

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

Reference:

https://docs.microsoft.com/en-us/mem/intune/enrollment/android-enroll

https://powerautomate.microsoft.com/fr-fr/blog/mam-flow-mobile/


Question #97

Your company has devices enrolled in Microsoft Intune as shown in the following table.

In Microsoft Endpoint Manager, you define the company’s network as a location named Location1.

Which devices can use network location-based compliance policies?

  • A . Device2 and Device3 only
  • B . Device2 only
  • C . Device1 and Device2 only
  • D . Device1 only
  • E . Device1, Device2, and Device3

Correct Answer: E

Explanation:

Intune supported operating systems

Intune supports devices running the following operating systems (OS):

iOS

Android

Windows

macOS

Note: View the device compliance settings for the different device platforms:

Android device administrator

Android Enterprise

iOS

macOS

Windows Holographic for Business

Windows 8.1 and later

Windows 10/11

Reference:

https://docs.microsoft.com/en-us/mem/intune/fundamentals/supported-devices-browsers

https://docs.microsoft.com/en-us/mem/intune/protect/device-compliance-get-started

Question #98

You use Microsoft Intune and Intune Data Warehouse.

You need to create a device inventory report that includes the data stored in the data warehouse.

What should you use to create the report?

  • A . the Azure portal app
  • B . Endpoint analytics
  • C . the Company Portal app
  • D . Microsoft Power BI

Correct Answer: D

Explanation:

You can use the Power BI Compliance app to load interactive, dynamically generated reports for your Intune tenant. Additionally, you can load your tenant data in Power BI using the OData link.

Intune provides connection settings to your tenant so that you can view the following sample reports and charts related to:

Devices

Enrollment

App protection policy

Compliance policy

Device configuration profiles

Software updates

Device inventory logs

Note: Load the data in Power BI using the OData link

With a client authenticated to Azure AD, the OData URL connects to the RESTful endpoint in the Data Warehouse API that exposes the data model to your reporting client. Follow these instructions to use Power BI Desktop to connect and create your own reports.

Sign in to the Microsoft Endpoint Manager admin center.

Select Reports > Intune Data warehouse > Data warehouse.

Retrieve the custom feed URL from the reporting blade, for example:

https://fef.{yourtenant}.manage.microsoft.com/ReportingService/DataWarehouseFEService/dates?api-version=v1.0

Open Power BI Desktop.

Choose File > Get Data. Select OData feed.

Choose Basic.

Type or paste the OData URL into the URL box.

Select OK.

If you have not authenticated to Azure AD for your tenant from the Power BI desktop client, type your credentials. To gain access to your data, you must authorize with Azure Active Directory (Azure AD) using OAuth 2.0.

Select Organizational account.

Type your username and password.

Select Sign In.

Select Connect.

Select Load.

Reference: https://docs.microsoft.com/en-us/mem/intune/developer/reports-proc-get-a-link-powerbi

Question #99

HOTSPOT

You have a Microsoft 365 tenant and an internal certification authority (CA).

You need to use Microsoft Intune to deploy the root CA certificate to managed devices.

Which type of Intune policy and profile should you use? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

Box 1: Configuration profile

Create a trusted certificate profile.

Box 2: Trusted certificate

When using Intune to provision devices with certificates to access your corporate resources and network, use a trusted certificate profile to deploy the trusted root certificate to those devices. Trusted root certificates establish a trust from the device to your root or intermediate (issuing) CA from which the other certificates are issued.

Reference: https://docs.microsoft.com/en-us/mem/intune/protect/certificates-trusted-root


Question #100

You have a Microsoft 365 E5 subscription that contains the groups shown in the following table.

You create a Conditional Access policy named CAPolicy1 that will block access to Microsoft Exchange Online from iOS devices. You assign CAPolicy1 to Group1.

You discover that User1 can still connect to Exchange Online from an iOS device.

You need to ensure that CAPolicy1 is enforced.

What should you do?

  • A . Configure a new terms of use (TOU).
  • B . Assign CAPolicy1 to Group2.
  • C . Enable CAPolicy1
  • D . Add a condition in CAPolicy1 to filter for devices.

Correct Answer: B

Explanation:

Common signals that Conditional Access can take into account when making a policy decision include the following signals:

* User or group membership

Policies can be targeted to specific users and groups giving administrators fine-grained control over access.

* Device

Users with devices of specific platforms or marked with a specific state can be used when enforcing Conditional Access policies.

Use filters for devices to target policies to specific devices like privileged access workstations.

* Etc.

Reference: https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/overview

Question #101

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

Your network contains an Active Directory domain. The domain contains a computer named Computer1 that runs Windows 8.1.

Computer1 has apps that are compatible with Windows 10.

You need to perform a Windows 10 in-place upgrade on Computer1.

Solution: You copy the Windows 10 installation media to a Microsoft Deployment Toolkit (MDT) deployment share. You create a task sequence, and then you run the MDT deployment wizard on Computer1.

Does this meet the goal?

  • A . Yes
  • B . No

Correct Answer: B

Question #102

You have a Microsoft 365 E5 subscription that contains a group named Group1.

You create a Conditional Access policy named CAPolicy1 and assign CAPolicy1 to Group1.

You need to configure CAPolicy1 to require the members of Group1 to reauthenticate every eight hours when they connect to Microsoft Exchange Online.

What should you configure?

  • A . Session access controls
  • B . an assignment that uses a User risk condition
  • C . an assignment that uses a Sign-in risk condition
  • D . Grant access controls

Correct Answer: A

Explanation:

User sign-in frequency

Sign-in frequency defines the time period before a user is asked to sign in again when attempting to access a resource.

The Azure Active Directory (Azure AD) default configuration for user sign-in frequency is a rolling window of 90 days.

Sign-in frequency control

Sign in to the Azure portal as a global administrator, security administrator, or Conditional Access administrator.

Browse to Azure Active Directory > Security > Conditional Access.

Select New policy.

Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.

Choose all required conditions for the customer’s environment, including the target cloud apps.

Under Access controls > Session.

Select Sign-in frequency.

Choose Periodic reauthentication and enter a value of hours or days or select Every time.

Save your policy.

Reference: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime

Question #103

You have a Microsoft 365 E5 subscription that contains 100 iOS devices enrolled in Microsoft Intune.

You need to ensure that notifications of iOS updates are deferred for 30 days after the updates are released.

What should you create?

  • A . a device configuration profile based on the Device features template
  • B . a device configuration profile based on the Device restrictions template
  • C . an update policy for iOS/iPadOS
  • D . an iOS app provisioning profile

Correct Answer: C

Explanation:

Manage iOS/iPadOS software update policies in Intune, delay visibility of software updates. When you use update policies for iOS, you might need to delay visibility of an iOS software update.

Reasons to delay visibility include:

Prevent users from updating the OS manually

To deploy an older update while preventing users from installing a more recent one

To delay visibility, deploy a device restriction template that configures the following settings:

Defer software updates = Yes

This doesn’t affect any scheduled updates. It represents days before software updates are visible to end users after release.

Delay default visibility of software updates = 1 to 90

90 days is the maximum delay that Apple supports.

Reference: https://docs.microsoft.com/en-us/mem/intune/protect/software-updates-ios

Question #104

You have a Microsoft 365 E5 subscription that contains 1,000 Windows 11 devices. All the devices are enrolled in Microsoft Intune.

You plan to integrate Intune with Microsoft Defender for Endpoint.

You need to establish a service-to-service connection between Intune and Defender for Endpoint.

Which settings should you configure in the Microsoft Endpoint Manager admin center?

  • A . Connectors and tokens
  • B . Premium add-ons
  • C . Microsoft Tunnel Gateway
  • D . Tenant enrollment

Correct Answer: A

Explanation:

Microsoft Defender for Endpoint - Important Service and Endpoint Settings You Should Configure Right Now.

As a prerequisite, however, head to tenant administration > connectors and tokens > Microsoft Defender for Endpoint and confirm the connection is enabled. You previously set this up in the advanced settings of Microsoft 365 Defender.

Reference: https://petri.com/microsoft-defender-for-endpoint-which-settings-configure-right-now/
