Which object should you create in Intune?

You need to meet the technical requirements for the iOS devices.

Which object should you create in Intune?
A. A compliance policy
B. An app protection policy
C. A Deployment profile
D. A device profile

Answer: D

Explanation:

References:

https://docs.microsoft.com/en-us/intune/device-restrictions-configure

https://docs.microsoft.com/en-us/intune/device-restrictions-ios

Which two settings should you configure in the policy?

HOTSPOT

You need a new conditional access policy that has an assignment for Office 365 Exchange Online.

You need to configure the policy to meet the technical requirements for Group4.

Which two settings should you configure in the policy? To answer, select the appropriate settings in the answer area. NOTE: Each correct selection is worth one point.

Answer:

Explanation:

The policy needs to be applied to Group4 so we need to configure Users and Groups.

The Access controls are set to Block access.

We therefore need to exclude compliant devices.

From the scenario:

– Ensure that the users in a group named Group4 can only access Microsoft Exchange Online from devices that are enrolled in Intune.

Note: When a device enrolls in Intune, the device information is updated in Azure AD to include the device compliance status. This compliance status is used by conditional access policies to block or allow access to e-mail and other organization resources.

References:

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/conditions

https://docs.microsoft.com/en-us/intune/device-compliance-get-started

What should you do first?

Topic 2, Contoso Ltd

This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.

To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.

At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.

To start the case study

To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. When you are ready to answer a question, click the Question button to return to the question.

Overview

Contoso, Ltd. is a consulting company that has a main office in Montreal and two branch offices in Seattle and New York.

Contoso has the users and computers shown in the following table.

The company has IT, human resources (HR), legal (LEG), marketing (MKG) and finance (FIN) departments.

Contoso uses Microsoft Store for Business and recently purchased a Microsoft 365 subscription.

The company is opening a new branch office in Phoenix. Most of the users in the Phoenix office will work from home.

Existing Environment

The network contains an Active Directory domain named contoso.com that is synced to Microsoft Azure Active Directory (Azure AD).

All member servers run Windows Server 2016. All laptops and desktop computers run Windows 10 Enterprise.

The computers are managed by using Microsoft Endpoint Configuration Manager. The mobile devices are managed by using Microsoft Intune.

The naming convention for the computers is the department acronym, followed by a hyphen, and then four numbers, for example, FIN-6785. All the computers are joined to the on-premises Active Directory domain.

Each department has an organizational unit (OU) that contains a child OU named Computers. Each computer account is in the Computers OU of its respective department.

Intune Configuration

The domain has the users shown in the following table.

User2 is a device enrollment manager (DEM) in Intune.

The devices enrolled in Intune are shown in the following table.

The device compliance policies in Intune are configured as shown in the following table.

The device compliance policies have the assignments shown in the following table.

The device limit restrictions in Intune are configured as shown in the following table.

Requirements

Planned Changes

Contoso plans to implement the following changes:

– Provide new computers to the Phoenix office users. The new computers have Windows 10 Pro preinstalled and were purchased already.

– Start using a free Microsoft Store for Business app named App1.

– Implement co-management for the computers.

Technical Requirements

Contoso must meet the following technical requirements:

– Ensure that the users in a group named Group4 can only access Microsoft Exchange Online from devices that are enrolled in Intune.

– Deploy Windows 10 Enterprise to the computers of the Phoenix office users by using Windows Autopilot.

– Monitor the computers in the LEG department by using Windows Analytics.

– Create a provisioning package for new computers in the HR department.

– Block iOS devices from sending diagnostic and usage telemetry data.

– Use the principle of least privilege whenever possible.

– Enable the users in the MKG department to use App1.

– Pilot co-management for the IT department.

You need to meet the technical requirements for the IT department.

What should you do first?
A. From the Azure Active Directory blade in the Azure portal, enable Seamless single sign-on.
B. From the Configuration Manager console, add an Intune subscription.
C. From the Azure Active Directory blade in the Azure portal, configure the Mobility (MDM and MAM) settings.
D. From the Microsoft Intune blade in the Azure portal, configure the Windows enrollment settings.

Answer: C

Explanation:

Reference: https://docs.microsoft.com/en-us/sccm/comanage/tutorial-co-manage-clients

What should you select in the Microsoft Endpoint Manager admin center?

You have a Microsoft 365 E5 subscription.

You need to download a report that lists all the devices that are NOT enrolled in Microsoft Intune and are assigned an app protection policy.

What should you select in the Microsoft Endpoint Manager admin center?
A. Apps, and then Monitor
B. Devices, and then Monitor
C. Reports, and then Device compliance

Answer: A

Explanation:

App report: You can search by platform and app, and then this report will provide two different app protection statuses that you can select before generating the report. The statuses can be Protected or Unprotected.

Reference: https://docs.microsoft.com/en-us/mem/intune/apps/app-protection-policies-monitor

Which command should you run on the computer?

HOTSPOT

Your network contains an Active Directory domain named contoso.com. The domain contains 500 computers that run Windows 7. Some of the computers are used by multiple users.

You plan to refresh the operating system of the computers to Windows 10.

You need to retain the personalization settings to applications before you refresh the computers. The solution must minimize network bandwidth and network storage space.

Which command should you run on the computer? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Answer:

Explanation:

References: https://docs.microsoft.com/en-us/windows/deployment/usmt/usmt-scanstate-syntax#how-to-use-ui-and-ue

On which devices can you apply app configuration policies?

You have devices enrolled in Microsoft Intune as shown in the following table.

On which devices can you apply app configuration policies?
A. Create an Azure Active Directory group that contains all users.
B. From the Intune portal, create a Microsoft Store app for the Remote Desktop modern app.
C. From the Intune portal, assign the app to the Azure Active Directory group.
D. Create an Azure Active Directory group that contains the Windows 10 devices.
E. From the Microsoft Store for Business portal, assign a license for the app to all the users in the Azure Active Directory group.
F. For your organization, make the app available in the Microsoft Store for Business.

Answer: B,C,D

Explanation:

Reference:

https://docs.microsoft.com/en-us/mem/intune/apps/apps-add

https://docs.microsoft.com/en-us/mem/intune/apps/apps-deploy

https://docs.microsoft.com/en-us/mem/intune/apps/windows-store-for-business

What should you do?

You have 100 devices that run Windows 10 and are joined to Microsoft Azure Active Directory (Azure AD).

You need to prevent users from joining their home computer to Azure AD.

What should you do?
A. From the Device enrollment blade in the Intune admin center, modify the Enrollment restriction settings.
B. From the Devices blade in the Azure Active Directory admin center, modify the Device settings.
C. From the Device enrollment blade in the Intune admin center, modify the Device enrollment managers settings.
D. From the Mobility (MDM and MAM) blade in the Azure Active Directory admin center, modify the Microsoft Intune enrollment settings.

Answer: B

Explanation:

References: https://docs.microsoft.com/en-us/intune/enrollment-restrictions-set

To which objects can you assign App1?

You have a Microsoft 365 tenant that contains the objects shown in the following table.

In the Microsoft Endpoint Manager admin center, you are creating a Microsoft 365 Apps app named App1.

To which objects can you assign App1?
A. Admin1, Group3, and Group4 only
B. Group1, Group2, Group3, and Group4 only
C. Admin1, Group1, Group2, Group3, and Group4
D. Group1, Group3, and Group4 only
E. Group3 and Group4 only

Answer: D

Explanation:

Reference:

https://docs.microsoft.com/en-us/mem/intune/apps/apps-deploy

https://docs.microsoft.com/en-us/microsoft-365/admin/create-groups/compare-groups?view=o365-worldwide

What should you do?

You have a Microsoft 365 subscription.

You are assigned the User administrator role.

An Azure AD security group named Group1 was deleted five days ago.

You need to restore Group1.

What should you do?
A. Modify the group expiration policy.
B. From Deleted groups, restore Group1.
C. Manually recreate Group1.
D. Ask a global administrator to restore Group1.

Answer: B

Which user can enroll Device6 in Intune?

Topic 3, Contoso, Ltd. (NEW)

Case Study

Overview

Contoso, Ltd. is a consulting company that has a main office in Montreal and branch offices in Seattle and New York.

Contoso has a Microsoft 365 E5 subscription.

Network Environment

The network contains an on-premises Active Directory domain named Contoso.com.

The domain contains the servers shown in the following table.

Contoso has a hybrid Azure Active Directory (Azure AD) tenant named Contoso.com.

Contoso has a Microsoft Store for Business instance.

Users and Groups

The Contoso.com tenant contains the users shown in the following table.

All users are assigned a Microsoft Office 365 license and an Enterprise Mobility + Security E3 license.

Enterprise State Roaming is enabled for Group1 and GroupA.

Group and Group have a Membership type of Assign

Devices

Contoso has the Windows 10 devices shown in the following table.

The Windows 10 devices are joined to Azure AD and enrolled in Microsoft Intune.

The Windows 10 devices are configured as shown in the following table.

All the Azure AD joined devices have an executable file named C:\AppA.exe and a folder named D:\Folder1.

Microsoft Endpoint Manager Configuration

Microsoft Endpoint Manager has the compliance policies shown in the following table.

The Compliance policy settings are shown in the following exhibit.

The Automatic Enrollment settings have the following configurations:

• MDM user scope: GroupA

• MAM user scope: GroupB

You have an Endpoint protection configuration profile that has the following Controlled folder access settings:

• Name: Protection1

• Folder protection: Enable

• List of apps that have access to protected folders: C:\AppA.exe

• List of additional folders that need to be protected: D:\Folder1

• Assignments

Windows Autopilot Configuration

Currently, there are no devices deployed by using Windows Autopilot.

The Intune connector for Active Directory is installed on Server 1.

Planned Changes

Contoso plans to implement the following changes:

• Purchase a new Windows 10 device named Device6 and enroll the device in Intune.

• New computers will be deployed by using Windows Autopilot and will be hybrid Azure AD joined.

• Deploy a network boundary configuration profile that will have the following settings:

– Name: Boundary 1

– Network boundary: 192.168.1.0/24

– Scope tags: Tag 1

– Assignments: included groups: Group1, Group2

• Deploy two VPN configuration profiles named Connection 1 and Connection that will have the following settings:

– Name: Connection 1

– Connection name: VPN1

– Connection type: L2TP

– Assignments: included groups: Group1, Group2, GroupA; excluded groups: ―

– Name: Connection

– Connection name: VPN2

– Connection type: IKEv2

– Assignments: included groups: GroupA; excluded groups: GroupB

• Purchase an app named App1 that is available in Microsoft Store for Business and assign the app to all the users.

Technical Requirements

Contoso must meet the following technical requirements:

• Users in GroupA must be able to deploy new computers.

• Administrative effort must be minimized.

Which user can enroll Device6 in Intune?

A. User4 and User2 only

B. User4 and User1 only

C. User1, User2, User3, and User4

D. User4, User1, and User2 only

Answer: B