MD-102 Exam Valid Dumps

The document provides information on MD-102 Endpoint Administrator exam dumps, highlighting their features such as instant download, free updates, and customer support. It includes sample questions and answers related to Microsoft Intune and device management scenarios. Additionally, it outlines compliance policies and technical requirements for managing devices within an organization using Microsoft 365 and Intune.

Uploaded by

Zabrocki Archie

MD-102 Endpoint Administrator exam dumps questions are the best material for you to test all the
related Microsoft exam topics. By using the MD-102 exam dumps questions and practicing your skills,
you can increase your confidence and chances of passing the MD-102 exam.

Features of Dumpsinfo’s products

Instant Download
Free Update in 3 Months
Money back guarantee
PDF and Software
24/7 Customer Support

Besides, Dumpsinfo also provides unlimited access. You can get all Dumpsinfo files at the lowest price.

Endpoint Administrator MD-102 exam free dumps questions are available below for you to study.

Full version: MD-102 Exam Dumps Questions

1. Your company uses Microsoft Intune to manage devices.
You need to ensure that only Android devices that use Android work profiles can enroll in Intune.
Which two configurations should you perform in the device enrollment restrictions? Each correct
answer presents part of the solution. NOTE: Each correct selection is worth one point.
A. From Platform Settings, set Android device administrator Personally Owned to Block.
B. From Platform Settings, set Android Enterprise (work profile) to Allow.
C. From Platform Settings, set Android device administrator Personally Owned to Allow.
D. From Platform Settings, set Android device administrator to Block.
Answer: BD
Explanation:
Set up enrollment of Android Enterprise personally-owned work profile devices
Set up enrollment for bring-your-own-device (BYOD) and personal device scenarios using the
Android Enterprise personally-owned work profile management solution. During enrollment, a work
profile is created on the device to house work apps and work data. The work profile can be managed
by Microsoft Intune policies. Personal apps and data stay separate in another part of the device and
remain unaffected by Intune.
Set up enrollment
Complete these steps to set up enrollment for Android Enterprise devices in BYOD scenarios.

2. You have a Microsoft 365 subscription that uses Microsoft Intune Suite.
You use Microsoft Intune to deploy and manage Windows devices.
You have 100 devices from users that left your company.
You need to repurpose the devices for new users by removing all the data and applications installed
by the previous users. The solution must minimize administrative effort.
What should you do?
A. Deploy a new configuration profile to the devices.
B. Perform a Windows Autopilot reset on the devices.
C. Perform an in-place upgrade on the devices.
D. Perform a clean installation of Windows 11 on the devices.
Answer: B
Explanation:
Windows Autopilot Reset takes the device back to a business-ready state, allowing the next user to
sign in and get productive quickly and simply.
Specifically, Windows Autopilot Reset:
Removes personal files, apps, and settings.
Reapplies a device's original settings.
Sets the region, language, and keyboard to the original values.
Maintains the device's identity connection to Azure AD.
Maintains the device's management connection to Intune.
The Windows Autopilot Reset process automatically keeps information from the existing device:
Wi-Fi connection details.
Provisioning packages previously applied to the device.
A provisioning package present on a USB drive when the reset process is started.
Azure Active Directory device membership and MDM enrollment information.
SCEP certificates.
Windows Autopilot Reset blocks the user from accessing the desktop until this information is restored,
including reapplying any provisioning packages. For devices enrolled in an MDM service, Windows
Autopilot Reset also blocks until an MDM sync is completed. When Autopilot reset is used on a
device, the device's primary user is removed. The next user who signs in after the reset will be set as
the primary user.
Reference: https://learn.microsoft.com/en-us/mem/autopilot/windows-autopilot-reset

3. You have a Microsoft Deployment Toolkit (MDT) deployment share.
You plan to deploy Windows 11 by using the Standard Client Task Sequence template.
You need to modify the task sequence to perform the following actions:
• Format disks to support Unified Extensible Firmware Interface (UEFI).
• Create a recovery partition.
Which phase of the task sequence should you modify?
A. Preinstall
B. PostInstall
C. Install
D. Initialization
Answer: A
Explanation:
Create Extra Partition in MDT
We will create a new task sequence for a machine that doesn’t have an extra partition.

4. HOTSPOT
You have a Microsoft 365 subscription.
You use Microsoft Intune Suite to manage devices.
You have the iOS app protection policy shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the
information presented in the graphic. NOTE: Each correct selection is worth one point.
Answer:

Explanation:
iOS app protection policy settings
This applies to the app protection policy settings for iOS/iPadOS devices.
Box 1: PIN only
Timeout (minutes of inactivity): here it is 30
Specify a time in minutes after which either a passcode or numeric (as configured) PIN will override
the use of a fingerprint or face as method of access. This timeout value should be greater than the
value specified under 'Recheck the access requirements after (minutes of inactivity)'.
Note: PIN type
Set a requirement for either numeric or passcode type PINs before accessing an app that has app
protection policies applied. Numeric requirements involve only numbers, while a passcode can be
defined with at least 1 alphabetical letter or at least 1 special character.
Box 2: reset the Device PIN
Max PIN attempts. Here it is 5. Action: Reset PIN
App PIN when device PIN is set. Here it is Require
Note:
App PIN when device PIN is set
Select Disable to disable the app PIN when a device lock is detected on an enrolled device with
Company Portal configured.
Max PIN attempts
Specify the number of tries the user has to successfully enter their PIN before the configured action is
taken. If the user fails to successfully enter their PIN after the maximum PIN attempts, the user must
reset their pin after successfully logging into their account and completing a multi-factor authentication
(MFA) challenge if required. This policy setting format supports a positive whole number. Actions
include: Reset PIN - The user must reset their PIN.
Wipe data - The user account that is associated with the application is wiped from the device. Default
value = 5
Reference: https://learn.microsoft.com/en-us/mem/intune/apps/app-protection-policy-settings-ios

5. HOTSPOT
You have devices that are not rooted enrolled in Microsoft Intune as shown in the following table.

The devices are members of a group named Group1.
In Intune, you create a device compliance location that has the following configurations:
• Name: Network1
• IPv4 range: 192.168.0.0/16
In Intune, you create a device compliance policy for the Android platform.
The policy has the following configurations:
• Name: Policy1
• Device health: Rooted devices: Block
• Locations: Location: Network1
• Mark device noncompliant: Immediately
• Assigned: Group1
The Intune device compliance policy has the following configurations:
• Mark devices with no compliance policy assigned as: Compliant
• Enhanced jailbreak detection: Enabled
• Compliance status validity period (days): 20
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE:
Each correct selection is worth one point.
Answer:

Explanation:
Box 1: Yes
Device1 is running Windows at IP 192.168.10.35.
The device compliance location is named Network1, and has IPv4 range: 192.168.0.0/16.
The device compliance policy Policy1 applies to Android.
The Intune device compliance policy has the setting:
Mark devices with no compliance policy assigned as:
Compliant
Device1 will be marked as compliant.
Note: Compliance policy settings
Compliance policy settings are tenant-wide settings that determine how Intune’s compliance service
interacts with your devices. These settings are distinct from the settings you configure in a device
compliance policy.
Box 2: Yes
Device2 is running Android at IP 10.10.10.40.
Policy1 location does not match and will not be applied.
Device2 will be marked as compliant.
Box 3: No
Device3 is running Android at IP 192.168.10.10.
Policy1 location matches and Policy1 is applied.
Device3 will be marked as non-compliant.
Reference: https://learn.microsoft.com/en-us/mem/intune/protect/device-compliance-get-started

6. You have a Microsoft 365 E5 subscription.
All Windows devices are enrolled in Microsoft Intune.
You need to create an app protection policy named Policy1 and apply Policy1 to the devices.
What can you protect by using Policy1?
A. Microsoft Outlook
B. Microsoft OneDrive
C. Microsoft Teams
D. Microsoft Edge
Answer: D
Explanation:
Intune service, App protection policy settings for Windows
There are two categories of app protection policy settings for Windows:
• Data protection
• Health Checks
Data protection
The Data protection settings impact the org data and context. As the admin, you can control the
movement of data into and out of the context of org protection. The org context is defined by
documents, services, and sites accessed by the specified org account. The following policy settings
help control external data received into the org context and org data sent out of the org context.
Data Transfer
Setting
* Receive data from
Select one of the following options to specify the sources org users can receive data from:
All sources: Org users can open data from any account, document, location, or application into the
org context.
No sources: Org users can't open data from external accounts, documents, locations, or applications
into the org context. NOTE: For *Microsoft Edge*, No sources controls file upload behavior either via
drag and drop or the file open dialog. Local file viewing and sharing files between sites/tabs will be
blocked.
* Send org data to
Select one of the following options to specify the destinations org users can send data to:
All destinations: Org users can send org data to any account, document, location, or application.
No destinations: Org users can't send org data to external accounts, documents, locations, or
applications from the org context. NOTE: For *Microsoft Edge*, No destinations blocks file download.
This means sharing files between sites/tabs will be blocked.
* Etc.
Reference: https://learn.microsoft.com/en-us/mem/intune/apps/app-protection-policy-settings-windows

7. Manage identity and compliance

Testlet 1
Case study
Overview
Contoso, Ltd. is a consulting company that has a main office in Montreal and two branch offices in
Seattle and New York.

Contoso has the users and computers shown in the following table.

The company has IT, human resources (HR), legal (LEG), marketing (MKG), and finance (FIN)
departments.
Contoso recently purchased a Microsoft 365 subscription.
The company is opening a new branch office in Phoenix. Most of the users in the Phoenix office will
work from home.

Existing Environment
The network contains an Active Directory domain named contoso.com that is synced to Azure AD.
All member servers run Windows Server 2016. All laptops and desktop computers run Windows 10
Enterprise.
The computers are managed by using Microsoft Configuration Manager. The mobile devices are
managed by using Microsoft Intune.
The naming convention for the computers is the department acronym, followed by a hyphen, and then
four numbers, for example FIN-6785. All the computers are joined to the on-premises Active Directory
domain.
Each department has an organizational unit (OU) that contains a child OU named Computers. Each
computer account is in the Computers OU of its respective department.

Intune Configuration
The domain has the users shown in the following table.

User2 is a device enrollment manager (DEM) in Intune.


The devices enrolled in Intune are shown in the following table.
The device compliance policies in Intune are configured as shown in the following table.

The device compliance policies have the assignments shown in the following table.

The device limit restrictions in Intune are configured as shown in the following table.

Requirements
Planned changes
Contoso plans to implement the following changes:
• Provide new computers to the Phoenix office users. The new computers have Windows 10 Pro
preinstalled and were purchased already.
• Implement co-management for the computers.

Technical Requirements
Contoso must meet the following technical requirements:
• Ensure that the users in a group named Group4 can only access Microsoft Exchange Online from
devices that are enrolled in Intune.
• Deploy Windows 10 Enterprise to the computers of the Phoenix office users by using Windows
Autopilot.
• Create a provisioning package for new computers in the HR department.
• Block iOS devices from sending diagnostic and usage telemetry data.
• Use the principle of least privilege whenever possible.
• Enable the users in the MKG department to use App1.
• Pilot co-management for the IT department.

HOTSPOT
You are evaluating which devices are compliant.
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE:
Each correct selection is worth one point.

Answer:
Explanation:
Box 1: No
Policy3, which requires encryption, applies to Device1.
Box 2: Yes
Policy1, which has no encryption requirement, applies to Device3.
Box 3: Yes
Policy2, which has no encryption requirement, applies to Device4.

8. Enter the following properties:
Platform:
Profile: Select PKCS certificate. Or, select Templates > PKCS certificate.
Select Create.

9. You have a Microsoft 365 E5 subscription.
You need to create a dynamic device group that will contain any device that has the word Marketing
in its name.
Which device membership rule should you use?
A. (device.displayName -in "Marketing")
B. (device.displayName -in "*Marketing*")
C. (device.displayName -contains "Marketing")
D. (device.displayName -contains "*Marketing*")
Answer: C
Explanation:
To create a dynamic device group that includes any device with the word "Marketing" in its name, you
should use the -contains operator. This operator ensures that the rule captures any device whose
display name contains the string "Marketing". Wildcards (such as *) are not required when using
-contains in dynamic group rules.

10. Choose Save.
If a removed device checks in before its device certification expires, it reappears in the admin center.
The device clean-up rule doesn't trigger a wipe or retire.
Reference: https://learn.microsoft.com/en-us/mem/intune/remote-actions/devices-wipe

11. You have a Microsoft Entra tenant named contoso.com that contains a Windows 11 device named
Device1 and a user named User1.
User1 registers Device1 in contoso.com.
Which capability is available to Device1 after registering in contoso.com?
A. authenticating to cloud resources by using single sign-on (SSO)
B. enforcing compliance policies
C. enforcing software updates
D. enforcing hard drive encryption
Answer: A
Explanation:
When a device is Microsoft Entra registered, it gains the ability to authenticate to cloud resources
(such as Microsoft 365) using single sign-on (SSO). This allows the device and user to access cloud
apps without repeatedly signing in. However, the device is not fully managed, meaning it cannot
enforce compliance policies, software updates, or hard drive encryption (which are features
associated with Microsoft Entra joined or Intune-enrolled devices).

12. Which user can enroll Device6 in Intune?
A. User4 and User1 only
B. User4 and User2 only
C. User4, User1, and User2 only
D. User1, User2, User3, and User4
Answer: D
Explanation:
All the users can enroll devices to Intune.
Deploy Windows client

13. You have a Microsoft 365 subscription that contains Windows 11 devices enrolled in Microsoft
Intune.
You need to use Device query to identify whether a critical security patch was installed on a device.
Which table should you target?
A. WindowsQfe
B. WindowsRegistry
C. FileInfo
D. OsVersion
E. SystemInfo
Answer: A
Explanation:
The WindowsQfe (Quick Fix Engineering) table contains information about updates, hotfixes, and
security patches installed on a Windows device. To determine whether a critical security patch has
been installed, this is the appropriate table to query, as it provides details on all the installed updates.

14. Who initiated the WIPE action?

15. All remaining details can stay on the defaults. Click OK.
F: Now you must allow for inbound remote administration by updating the firewall rules. When you’re
done, there will be two rules enabled:
Windows Firewall: Allow inbound remote administration exception
Windows Firewall: Allow ICMP exception
Reference: https://support.auvik.com/hc/en-us/articles/204424994-How-to-enable-WinRM-with-domain-controller-Group-Policy-for-WMI-monitoring

16. If the Allow connections only from computers running Remote Desktop with Network Level
Authentication check box is selected and is not enabled, the Require user authentication for remote
connections by using Network Level Authentication Group Policy setting has been enabled and has
been applied to the RD Session Host server.

17. You have a Microsoft 365 subscription that uses Microsoft Intune Suite.
You use Intune to manage all devices.
Users have iOS devices with Microsoft apps installed.
You need to prevent users from cutting, copying, and pasting data between Microsoft Excel and other
apps installed on the devices.
What should you configure?
A. an app protection policy
B. an app configuration policy
C. an iOS app provisioning profile
D. policies for Microsoft Office apps
Answer: A
Explanation:
Troubleshoot restricting cut, copy, and paste between applications
The cut, copy, and paste feature is commonly used to transfer data between applications (apps).
Restricting this feature may not work as expected. To troubleshoot these issues, first ensure that the
issues and configurations discussed in the Troubleshooting data transfer between apps document are
addressed.
When reviewing Intune *app protection policy (APP)* settings in the Intune admin center, refer to the
following table to make sure the desired settings are applied.
* Restrict cut, copy, and paste between other apps Blocked
Block copy and paste function to and from all managed apps.
* Etc.
Reference: https://learn.microsoft.com/en-us/troubleshoot/mem/intune/app-protection-policies/troubleshoot-cut-copy-paste

18. You have a Microsoft 365 E5 subscription that uses Microsoft Intune.
You configure Intune to send log data to Log Analytics.
You need to review events involving devices that fail to enroll in Intune.
What should you monitor?
A. operational logs
B. audit logs
C. the Intune Device log
D. device compliance organizational logs
Answer: A
Explanation:
Microsoft Intune and Azure Log Analytics
Microsoft has configured diagnostic settings in Intune in order to send data to a Log Analytics
workspace for our production Microsoft tenant. This new feature allows customers to add Audit Logs
and Operational Logs to a Log Analytics workspace, event hub or Azure storage account.
Operational Logs
Examining the operation of enrollment, here is a query that helps us understand the breakdown of
devices enrolling in our environment:
IntuneOperationalLogs
| where OperationName == "Enrollment"
// use extend to expand properties column so we can use this data in our query
| extend propertiesJson = todynamic(Properties)
| extend OsType = tostring(propertiesJson["Os"])
| project OsType
| summarize count() by OsType
| render piechart
We use the extend operator in the query to expand the properties column to additional columns. This
gives us the ability to then use the “Os” column or any other column in the properties field, within our
query. When using extend, the fields will be a dynamic type, so we convert to a string so that we can
run the summarize operation. Finally, using render we see a piechart of enrollment attempts broken
down by OsType.
For broad analysis and troubleshooting we dig into trends and utilize the power of the Log Analytics
platform. The below is a query that we recently used in production to identify a trend that was due to a
code change.
We were investigating enrollment trends with the following:
Reference: https://techcommunity.microsoft.com/t5/device-management-in-microsoft/microsoft-intune-and-azure-log-analytics/ba-p/463145

19. HOTSPOT
You have a hybrid Azure AD tenant.
You configure a Windows Autopilot deployment profile as shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the
information presented in the graphic. NOTE: Each correct selection is worth one point.

Answer:
Explanation:
Box 1: import a CSV file into Windows Autopilot
You can perform Windows Autopilot device registration within your organization by manually
collecting the hardware identity of devices (hardware hashes) and uploading this information in a
comma-separated-values (CSV) file.
Box 2: joined to Azure AD only
As per exhibit (Azure AD joined).
Reference:
https://docs.microsoft.com/en-us/mem/autopilot/add-devices
https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-join-hybrid

20. You manage 1,000 computers that run Windows 10. All the computers are enrolled in Microsoft
Intune. You manage the servicing channel settings of the computers by using Intune.
You need to review the servicing status of a computer.
What should you do?
A. From Device configuration - Profiles, view the device status.
B. From Software updates, view the Per update ring deployment state.
C. From Software updates, view the audit logs.
D. From Device compliance, view the device compliance.
Answer: B
Explanation:
Reports for Update rings for Windows 10 and later policy.
Intune offers integrated report views for the Windows update ring policies you deploy. These views
display details about the update ring deployment and status:
1) Sign in to Microsoft Endpoint Manager admin center.
2) Select Devices > Monitor. Then under Software updates select Per update ring deployment state
and choose the deployment ring to review.
Note: Windows 10 and later update rings - Use a built-in report that's ready by default when you
deploy update rings to your devices.
Reference: https://docs.microsoft.com/en-us/intune/windows-update-compliance-reports

21. Create a role assignment for the Policy and Profile Manager role with:
Members (Groups) = A security group named Seattle IT admins. All admins in this group will have
permission to manage policies and profiles for users/devices in the Scope (Groups).
Scope (Groups) = A security group named Seattle users. All users/devices in this group can have
their profiles and policies managed by the admins in the Members (Groups).
Scope (Tags) = Seattle. Admins in the Member (Groups) can see Intune objects that also have the
Seattle scope tag.

22. You have a Microsoft 365 E5 subscription that contains 500 macOS devices enrolled in Microsoft
Intune.
You need to ensure that you can apply Microsoft Defender for Endpoint antivirus policies to the
macOS devices. The solution must minimize administrative effort.
What should you do?
A. Onboard the macOS devices to the Microsoft Purview compliance portal.
B. From the Microsoft Intune admin center, create a security baseline.
C. Install Defender for Endpoint on the macOS devices.
D. From the Microsoft Intune admin center, create a configuration profile.
Answer: C
Explanation:
Settings for Microsoft Defender for Endpoint for Mac in Microsoft Intune
View the Antivirus profile settings you can configure for Microsoft Defender for Endpoint for Mac in
Microsoft Intune.
Microsoft Defender for Endpoint
* Real-time protection
Require Defender on macOS devices to use the real-time Monitoring functionality. Real-time
monitoring locates and stops malware from installing or running on your device. You can turn off this
setting for a short time before it turns back on automatically.
- Cloud-delivered protection
- Etc.
Reference: https://learn.microsoft.com/en-us/mem/intune/protect/antivirus-microsoft-defender-settings-macos

23. You have a Microsoft 365 subscription that contains 1,000 Android devices enrolled in Microsoft
Intune.
You create an app configuration policy that contains the following settings:
• Device enrollment type: Managed devices
• Profile Type: All Profile Types
• Platform: Android Enterprise
Which two types of apps can be associated with the policy? Each correct answer presents a complete
solution. NOTE: Each correct selection is worth one point.
A. Android Enterprise system app
B. Web link
C. Android store app
D. Managed Google Play store app
E. Built-in Android app
Answer: AD
Explanation:
A: Android Enterprise system apps
You can enable an Android Enterprise system app for Android Enterprise dedicated devices or fully
managed devices.
D: App configuration policies in Microsoft Intune supply settings to Managed Google Play apps on
managed Android Enterprise devices.
Reference:
https://learn.microsoft.com/en-us/mem/intune/apps/apps-add-android-for-work
https://learn.microsoft.com/en-us/mem/intune/apps/app-configuration-policies-use-android

24. On the Baseline profile scope page set the profile settings such as software, base benchmark (CIS
or STIG), and the compliance level and select Next.

25. You have a Microsoft 365 Business Standard subscription and 100 Windows 10 Pro devices that
are joined to Microsoft Entra.
You purchase Microsoft 365 E5 licenses for all users.
You need to upgrade the Windows 10 Pro devices to Windows 10 Enterprise. The solution must
minimize administrative effort.
Which upgrade method should you use?
A. a Microsoft Deployment Toolkit (MDT) lite-touch deployment
B. Subscription Activation
C. an in-place upgrade by using Windows installation media
D. Windows Autopilot
Answer: B
Explanation:
Windows 10/11 Subscription Activation
Windows 10 Pro supports the Subscription Activation feature, enabling users to “step-up” from
Windows 10 Pro or Windows 11 Pro to Windows 10 Enterprise or Windows 11 Enterprise,
respectively, if they are subscribed to Windows 10/11 Enterprise E3 or E5.
Reference: https://docs.microsoft.com/en-us/windows/deployment/windows-10-subscription-activation

26. You have a Microsoft 365 tenant that contains the objects shown in the following table.

You are creating a compliance policy named Compliance1.
Which objects can you specify in Compliance1 as additional recipients of noncompliance
notifications?
A. Group3 and Group4 only
B. Group3, Group4, and Admin1 only
C. Group1, Group2, and Group3 only
D. Group1, Group2, Group3, and Group4 only
E. Group1, Group2, Group3, Group4, and Admin1
Answer: C
Explanation:
Need email address to specify additional recipients of noncompliance notification.
Security groups have no email address.
Reference: https://docs.microsoft.com/en-us/microsoft-365/admin/create-groups/compare-groups

27. HOTSPOT
You have an Azure AD tenant named contoso.com that contains the devices shown in the following
table.

All devices contain an app named App1 and are enrolled in Microsoft Intune.
You need to prevent users from copying data from App1 and pasting the data into other apps.
Which type of policy and how many policies should you create in Intune? To answer, select the
appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Answer:
Explanation:
Box 1: App protection policy
Box 2: 3
One for Windows, one for Android, and one for iOS.
Reference:
https://docs.microsoft.com/en-us/mem/intune/apps/app-protection-policies
https://docs.microsoft.com/en-us/mem/intune/apps/app-protection-policies-configure-windows-10

28. On Basics, enter the following properties:
Name: Enter a descriptive name for the profile. Name profiles so you can easily identify them later.
Description: Enter a description for the profile. This setting is optional but recommended.

29. In the App package file pane, select the browse button. Then, select an Android installation file
with the extension .apk. The app details will be displayed.

30. Get configured as defined by the organization.
You can suppress any other prompts during the out-of-box experience (OOBE).
Reference:
https://learn.microsoft.com/en-us/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal
https://learn.microsoft.com/en-us/autopilot/user-driven

31. Log in to the Azure portal and select Intune.

32. HOTSPOT
You have a Microsoft 365 E5 subscription that uses Microsoft Intune.
You need to ensure that users can only enroll devices that meet the following requirements:
• Android devices that support the use of work profiles.
• iOS devices that run iOS 11.0 or later.
Which two restrictions should you modify? To answer, select the restrictions in the answer area.
NOTE: Each correct selection is worth one point.

Answer:
Explanation:
Box 1: Android device administrator, Platform: Block
Restrict devices running on the following platforms:
• Android device administrator
• Android Enterprise work profile
• iOS/iPadOS
• macOS
• Windows
Note: If you allow both Android platforms for the same group, devices that support work profile will
enroll with a work profile. Devices that don't support it will enroll on the Android device administrator
platform. Neither work profile nor device administrator enrollment will work until you complete all
prerequisites for Android enrollment.
Box 2: iOS/iPadOS, Allow min/max Range: Min
Reference: https://docs.microsoft.com/en-us/mem/intune/enrollment/enrollment-restrictions-set

33. Make sure that Turn on log collection and diagnostics page for end users is selected to Yes.
Reference: https://learn.microsoft.com/en-us/troubleshoot/mem/intune/device-enrollment/understand-troubleshoot-esp

34. HOTSPOT
You have a Microsoft Entra tenant named contoso.com that contains the users shown in the following
table.
You have a computer named Computer1 that runs Windows 10.
Computer1 is in a workgroup and has the local users shown in the following table.

UserA joins Computer1 to Microsoft Entra ID by using user1@contoso.com.
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE:
Each correct selection is worth one point.

Answer:
Explanation:
Box 1: No
Add computer to Azure AD step by step
The Azure administrator has to accept that users can join their devices to the Azure AD.
The device just needs to be Azure AD registered.
Box 2: Yes
Security Administrator
Users with this role have permissions to manage security-related features in the Microsoft 365
Defender portal, Azure Active Directory Identity Protection, Azure Active Directory Authentication,
Azure Information Protection, and Microsoft Purview compliance portal.
In particular, this role can do the following in Microsoft Defender for Endpoint:
* Assign roles
* Manage machine groups
* Configure endpoint threat detection and automated remediation
* View, investigate, and respond to alerts
* View machines/device inventory
Box 3: No
Cloud Device Administrator
Users in this role can enable, disable, and delete devices in Azure AD and read Windows 10
BitLocker keys (if present) in the Azure portal. The role does not grant permissions to manage any
other properties on the device.
Reference:
https://learn.microsoft.com/en-us/answers/questions/261596/add-computer-to-azure-ad-step-by-step
https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference

35. On SRV1, open an elevated Windows PowerShell prompt and enter the following commands:
copy-item "C:\Program Files\Microsoft Deployment Toolkit\Templates\Bootstrap.ini" C:\MDTProd\Control\Bootstrap.ini -Force
copy-item "C:\Program Files\Microsoft Deployment Toolkit\Templates\CustomSettings.ini" C:\MDTProd\Control\CustomSettings.ini -Force
In the Deployment Workbench console on SRV1, right-click the MDT Production deployment share
and then select Properties.
Select the Rules tab and replace the rules with the following text (don't select OK yet):
[Settings]
Priority=Default
[Default]
_SMSTSORGNAME=Contoso
OSInstall=YES
UserDataLocation=AUTO
*Details omitted*
Incorrect:
* Bootstrap.ini
Bootstrap.ini is the file that controls access to the shared drive that stores the deployment repository.
Reference: https://learn.microsoft.com/en-us/windows/deployment/windows-10-poc-mdt#create-a-deployment-share-and-reference-image
https://www.techrepublic.com/article/mdt-automating-deployments-using-customsettings-ini/

36. Create a provisioning policy.


Note: Create provisioning policies
Cloud PCs are created and assigned to users based on provisioning policies. These policies hold key
provisioning rules and settings that let the Windows 365 service set up and configure the right Cloud
PCs for your users. After provisioning policies are created and assigned to the Microsoft Entra user
security groups or Microsoft 365 Groups, the Windows 365 service:
Checks for appropriate licensing for each user.
Configures the Cloud PCs accordingly.
*-> Select an ANC
You must select an ANC for your provisioning policy if you selected either of these two options in the
previous section:
Join type = Hybrid Microsoft Entra Join
Join type = Microsoft Entra join and Network = Azure network connection
Reference:
https://learn.microsoft.com/en-us/windows-365/enterprise/deployment-overview
https://learn.microsoft.com/en-us/windows-365/enterprise/create-provisioning-policy

37.You have a computer named Computer1 that runs Windows 11.


A user named User1 plans to use Remote Desktop to connect to Computer1.
You need to ensure that the device of User1 is authenticated before the Remote Desktop connection
is established and the sign in page appears.
What should you do on Computer1?
A. Turn on Reputation-based protection
B. Enable Network Level Authentication (NLA)
C. Turn on Network Discovery
D. Configure the Remote Desktop Configuration service
Answer: B
Explanation:
What is Network Level Authentication?
Network level authentication is used for authenticating Remote Desktop services, such as Windows
RDP, and Remote Desktop Connection (RDP Client). You might also hear it called front
authentication.
What is Network Level Authentication (NLA) used for?
Before you can start a remote desktop session, the user will need to authenticate themselves, i.e.,
prove that they are who they say they are. Using network level authentication means that a false
connection can’t be made, which would use up CPU and cause a strain on the resources of the
network. This offers a level of security against some cyberattacks such as Denial of Service attacks,
where multiple requests are made all at once towards a network, overwhelming its ability to cope. To
combat this, you can turn on network level authentication to authenticate the user’s credentials
before starting a remote access session. If the user’s credentials aren’t authenticated, then the
connection is simply denied.
Reference: https://www.atera.com/blog/what-is-network-level-authenticatio

38. Select Windows 10 in the Microsoft 365 Apps section of the Select app type pane.

39.HOTSPOT
You have a Microsoft 365 E5 subscription.
You need to review and implement Microsoft 365 Defender device onboarding.
The solution must meet the following requirements:
• View onboarded devices that have the Chromium-based version of Microsoft Edge installed.
• Download an onboarding package for a Windows 11 device.
• Minimize administrative effort.
Which two settings should you use in the Microsoft 365 Defender portal? To answer, select the
appropriate settings in the answer area. NOTE: Each correct selection is worth one point.
Answer:
Explanation:
Box 1: Devices
View onboarded devices that have the Chromium-based version for Microsoft Edge installed.
View the list of onboarded devices

40.DRAG DROP
You have an on-premises Active Directory domain that syncs to a Microsoft Entra tenant.
The tenant contains computers that run Windows 10. The computers are hybrid Microsoft Entra joined
and enrolled in Microsoft Intune.
The Microsoft Office settings on the computers are configured by using a Group Policy Object (GPO).
You need to migrate the GPO to Intune.
Which three actions should you perform in sequence? To answer, move the appropriate actions from
the list of actions to the answer area and arrange them in the correct order.
Answer:

Explanation:
Step 1: Create a configuration profile
Create the template
1) Sign in to the Microsoft Endpoint Manager admin center.
2) Select Devices > Configuration profiles > Create profile.
3) Etc.
Step 2: Configure the Administrative Template settings.
Find some settings. There are thousands of settings available in these templates.
Step 3: Assign the profile.
The template is created, but may not be doing anything yet. Be sure to assign the template (also
called a profile) and monitor its status.
Reference: https://docs.microsoft.com/en-us/mem/intune/configuration/administrative-templates-windows
41. Under Conditions > Client apps, set Configure to Yes.

42. Sign in to Partner Center and select Customers.

43.DRAG DROP
You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint.
You plan to onboard the following types of devices to Defender for Endpoint:
• macOS
• Linux Server
What should you use to onboard each device? To answer, drag the appropriate tools to the correct
device types. Each tool may be used once, more than once, or not at all. You may need to drag the
split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point.

Answer:

Explanation:
Box 1: Microsoft Intune
For macOS you can use the following methods:
• Local script
• Microsoft Intune
• JAMF Pro
• Mobile Device Management
Box 2: Ansible
You can deploy Microsoft Defender for Endpoint on Linux with Ansible.
Reference:
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/switch-to-mde-phase-3
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/linux-install-with-ansible
44.You have 200 computers that run Windows 10 and are joined to an Active Directory domain.
You need to enable Windows Remote Management (WinRM) on all the computers by using Group
Policy.
Which three actions should you perform? Each correct answer presents part of the solution. NOTE:
Each correct selection is worth one point.
A. Enable the Allow Remote Shell access setting.
B. Enable the Allow remote server management through WinRM setting.
C. Set the Startup Type of the Windows Remote Management (WS-Management) service to
Automatic.
D. Enable the Windows Defender Firewall: Allow inbound Remote Desktop exceptions setting.
E. Set the Startup Type of the Remote Registry service to Automatic.
F. Enable the Windows Defender Firewall: Allow inbound remote administration exception setting.
Answer: BCF
Explanation:
How to enable WinRM with domain controller Group Policy for WMI monitoring
First, we need to create a Group Policy object for your domain.
Next, edit the new Group Policy object you just created. When you’re done, there will be three
WinRM service settings enabled:
B: Allow remote server management through WinRM

45.You have a Microsoft 365 Subscription that uses Microsoft Intune.


You add apps to Intune as shown in the following table.

You need to create an app configuration policy named Policy1 for the Android Enterprise platform.
Which apps can you manage by using Policy1?
A. App2 only
B. App3 only
C. App1 and App3 only
D. App2 and App3 only
E. App1, App2, and App3
Answer: B
Explanation:
Add app configuration policies for managed Android Enterprise devices
App configuration policies in Microsoft Intune supply settings to Managed Google Play apps on
managed Android Enterprise devices. The app developer exposes Android-managed app
configuration settings. Intune uses these exposed setting to let the admin configure features for the
app. The app configuration policy is assigned to your user groups. The policy settings are used when
the app checks for them, typically the first time the app runs.
Not every app supports app configuration. Check with the app developer to see if their app supports
app configuration policies.
Use the configuration designer
You can use the configuration designer for Managed Google Play apps when the app is designed to
support configuration settings. Configuration applies to devices enrolled in Intune. The designer lets
you configure specific configuration values for the settings exposed by the app.
Reference: https://learn.microsoft.com/en-us/mem/intune/apps/app-configuration-policies-use-android

46. Create a scope tag called Seattle.

47.You have the Microsoft Deployment Toolkit (MDT) installed.


You install and customize Windows 11 on a reference computer.
You need to capture an image of the reference computer and ensure that the image can be deployed
to multiple computers.
Which command should you run before you capture the image?
A. dism
B. wpeinit
C. sysprep
D. bcdedit
Answer: C
Explanation:
Sysprep (System Preparation) prepares a Windows client or Windows Server installation for imaging.
Sysprep can remove PC-specific information from a Windows installation (generalizing) so it can be
installed on different PCs.
Reference: https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/sysprep--system-preparation--overview

48.HOTSPOT
You have a Microsoft 365 tenant that uses Microsoft Intune to manage the devices shown in the
following table.

You need to deploy a compliance solution that meets the following requirements:
• Marks the devices as Not Compliant if they do not meet compliance policies
• Remotely locks noncompliant devices
What is the minimum number of compliance policies required, and which devices support the remote
lock action? To answer, select the appropriate options in the answer area. NOTE: Each correct
selection is worth one point.
Answer:

Explanation:
Box 1: 4
One each for Windows, Android Enterprise, Android, and iOS/iPadOS.
Box 2: Device2, Device3, Device4, and Device5
Remote lock is supported for the following platforms:
Android
Android Enterprise kiosk devices
Android Enterprise work profile devices
Android Enterprise fully managed devices
Android Enterprise corporate-owned with work profile devices
iOS
macOS
Reference: https://docs.microsoft.com/en-us/mem/intune/remote-actions/device-remote-lock

49. Who did Remote Lock?


Intune gives admins the ability to run device actions remotely. Bulk device actions let you
activate remote tasks on the devices you manage.
Reference: https://learn.microsoft.com/en-us/mem/intune/remote-actions/device-management

50.You have a Microsoft 365 subscription that includes Microsoft Intune.


You have an update ring named UpdateRing1 that contains the following settings:
• Automatic update behavior: Auto install and restart at a scheduled time
• Automatic behavior frequency: First week of the month
• Scheduled install day: Tuesday
• Scheduled install time: 3 AM
From the Microsoft Intune admin center, you select Uninstall for the feature updates of UpdateRing1.
When will devices start to remove the feature updates?
A. when a user approves the uninstall
B. as soon as the policy is received
C. next Tuesday
D. the first Tuesday of the next month
Answer: B
Explanation:
Update rings for Windows 10 and later policy in Intune
Uninstall
An Intune administrator can use Uninstall to uninstall (roll back) the latest feature update or the latest
quality update for an active or paused update ring. After uninstalling one type, you can then uninstall
the other type.
Intune doesn't support or manage the ability of users to uninstall updates.
Important
When you use the Uninstall option, Intune passes the uninstall request to devices immediately.
Windows devices start removal of updates as soon as they receive the change in Intune policy.
Update removal isn't limited to maintenance schedules, even when they're configured as part of the
update ring.
If the update removal requires a device restart, the device restarts without offering device users an
option to delay.
Reference: https://learn.microsoft.com/en-us/mem/intune/protect/windows-10-update-rings

51.You have a Microsoft 365 subscription that includes Microsoft Intune.


You create a new Android app protection policy named Policy1 that prevents screen captures in all
Microsoft apps.
You discover that an unmanaged email client installed on Android devices can still capture screens.
You need to ensure that users can only use Microsoft apps to access email.
What should you do?
A. Create a Conditional Access policy.
B. Create a compliance policy.
C. Modify the Data protection settings of Policy1.
D. Modify the assignments of Policy1.
Answer: D
Explanation:
Change the policy assignment from Microsoft Apps to All Apps.
Intune service: How to create and assign app protection policies
The Apps page allows you to choose which apps should be targeted by this policy. You must add at
least one app.
* Target policy to
In the Target policy to dropdown box, choose to target your app protection policy to All Apps,
Microsoft Apps, or Core Microsoft Apps.
-> All Apps includes all Microsoft and partner apps that have integrated the Intune SDK.
Microsoft Apps includes all Microsoft apps that have integrated the Intune SDK.
Core Microsoft Apps includes the following apps: Microsoft Edge, Excel, Office, OneDrive, OneNote,
Outlook, PowerPoint, SharePoint, Teams, To Do, and Word.
Reference: https://learn.microsoft.com/en-us/mem/intune/apps/app-protection-policies

52.HOTSPOT
You have a Microsoft 365 E5 subscription.
You need to route Microsoft Intune logs to an Azure resource that supports the use of visuals,
monitoring, and alerting.
Which settings should you configure in Intune, and which resource should you use? To answer, select
the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Answer:
Explanation:
Box 1: Diagnostics Settings
Settings
Microsoft Intune includes built-in logs that provide information about your environment.
These logs can also be sent to Azure Monitor services, including storage accounts, Event Hubs, and
Log Analytics.
These features are part of the Diagnostics Settings in Intune.
Box 2: A Log Analytics workspace
Resource
Send Intune logs to Log Analytics to enable rich visualizations, monitoring, and alerting on the
connected data.
Reference: https://learn.microsoft.com/en-us/mem/intune/fundamentals/review-logs-using-azure-monitor

53.HOTSPOT
You have a Microsoft 365 subscription that uses Microsoft Intune Suite.
You use Microsoft Intune to manage devices.
You plan to create Windows 11 device builds for the marketing and research departments.
The solution must meet the requirements:
• Marketing department devices must support Windows Update for Business.
• Research department devices must have support for feature update versions for up to 36 months
from release.
What is the minimum Windows 11 edition required for each department? To answer, select the
appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Answer:

Explanation:
Box 1: Windows 11 Enterprise
Marketing department devices must support Windows Update for Business.
Licensing
Windows Update for Business deployment service requires users of the devices to have one of the
following licenses:
Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5)
Windows Virtual Desktop Access E3 or E5
Microsoft 365 Business Premium
Box 2: Windows 11 Enterprise
Research department devices must have support for feature update versions for up to 36 months
from release.
Feature updates for Windows 10 and later policy in Intune
In addition to a license for Intune, your organization must have one of the following subscriptions that
include a license for Windows Update for Business deployment service:
Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5)
Windows Virtual Desktop Access E3 or E5
Microsoft 365 Business Premium
Reference: https://learn.microsoft.com/en-us/windows/deployment/update/deployment-service-prerequisites
https://learn.microsoft.com/en-us/mem/intune/protect/windows-10-feature-updates

54.Note: This section contains one or more sets of questions with the same scenario and problem.
Each question presents a unique solution to the problem. You must determine whether the solution
meets the stated goals. More than one solution in the set might solve the problem. It is also possible
that none of the solutions in the set solve the problem.
After you answer a question in this section, you will NOT be able to return. As a result, these
questions do not appear on the Review Screen.
You have a Microsoft Entra tenant named contoso.com.
You purchase an Android device named Device1.
You need to register Device1 in contoso.com.
Solution: You use the Microsoft Intune Company Portal app.
Does this meet the goal?
A. Yes
B. No
Answer: A
Explanation:
The Microsoft Intune Company Portal app is the correct solution for registering an Android device in
the Microsoft Entra tenant. The Company Portal app is designed for users to enroll their devices into
Microsoft Intune, which will then register the device with the Microsoft Entra tenant. This app allows
users to manage their device registrations, access corporate resources, and apply policies.

55.You have a Microsoft 365 E5 subscription that contains the devices shown in the following table.

All devices have Microsoft Edge installed.


From the Microsoft Intune admin center, you create a Microsoft Edge Baseline profile named Edge1.
You need to apply Edge1 to all the supported devices.
To which devices should you apply Edge1?
A. Device1 only
B. Device1 and Device2 only
C. Device1, Device2, and Device3 only
D. Device1, Device2, and Device4 only
E. Device1, Device2, Device3, and Device4
Answer: B
Explanation:
Windows 10 and Windows 11 only.
Reference: https://learn.microsoft.com/en-us/mem/intune/protect/security-baseline-settings-edge

56.HOTSPOT
You have a Microsoft 365 subscription that uses Microsoft Intune Suite.
You use Microsoft Intune to manage devices.
Microsoft Entra joined Windows devices enroll automatically in Intune.
You have the devices shown in the following table.

You are preparing to upgrade the devices to Windows 11. All the devices are compatible with
Windows 11.
You need to evaluate Windows Autopilot and in-place upgrade as deployment methods to implement
Windows 11 Pro on the devices, while retaining all user settings and applications.
Which devices can be upgraded by using each method? To answer, select the appropriate options in
the answer area. NOTE: Each correct selection is worth one point.
Answer:
Explanation:
Box 1: Device1 only
Windows Autopilot
Only Device1 is Azure AD joined.
Note: In order for Windows Autopilot to work, users need to be allowed to join devices to Azure AD.
Box 2: Device1 and Device3 only
In-place upgrade
Incorrect:
* Not Device2
You can't directly upgrade from 32-bit Windows 10 to 64-bit Windows 11 since Windows 11 requires a
64-bit processor. You can perform a clean install of Windows 11 on your PC.
Note: A line-of-business (LOB) app is one that you add from an app installation file. This kind of app is
typically written in-house.
Reference:
https://learn.microsoft.com/en-us/mem/autopilot/tutorial/user-driven/azure-ad-join-allow-users-to-join
https://www.minitool.com/data-recovery/upgrade-from-32-bit-windows-10-to-windows-11.html

57.DRAG DROP
You have a Microsoft 365 subscription that contains the devices shown in the following table.

You need to ensure that only devices running trusted firmware or operating system builds can access
network resources.
Which compliance policy setting should you configure for each device? To answer, drag the
appropriate settings to the correct devices. Each setting may be used once, more than once, or not at
all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each correct
selection is worth one point.
Answer:

Explanation:
Box 1: Require Secure Boot to be enabled on the device
Windows 10
Require Secure Boot to be enabled on the device:
Not configured (default) - This setting isn't evaluated for compliance or non-compliance.
Require - The
system is forced to boot to a factory trusted state. The core components that are used to boot the
machine must have correct cryptographic signatures that are trusted by the organization that
manufactured the device. The UEFI firmware verifies the signature before it lets the machine start. If
any files are tampered with, which breaks their signature, the system doesn't boot.
Box 2: Prevent jailbroken devices from having corporate access.
iOS
Device Compliance settings for iOS/iPadOS in Intune
As part of your mobile device management (MDM) solution, use these settings to require an email,
mark rooted (jailbroken) devices as not compliant, set an allowed threat level, set passwords to
expire, and more.
This feature applies to:
iOS
iPadOS
Device Health
Jailbroken devices
Supported for iOS 8.0 and later
Not configured (default) - This setting isn't evaluated for compliance or non-compliance.
Block - Mark rooted (jailbroken) devices as not compliant.
Box 3: Prevent rooted devices from having corporate access
Android Enterprise
Device compliance settings for Android Enterprise in Intune
As part of your mobile device management (MDM) solution, use these settings to mark rooted
devices as not compliant, set an allowed threat level, enable Google Play Protect, and more.
This feature applies to:
Android Enterprise
Device Health
Jailbroken devices
Supported for iOS 8.0 and later
Not configured (default) - This setting isn't evaluated for compliance or non-compliance.
Block - Mark rooted (jailbroken) devices as not compliant.
Reference: https://learn.microsoft.com/en-us/mem/intune/protect/compliance-policy-create-windows
https://learn.microsoft.com/en-us/mem/intune/protect/compliance-policy-create-ios

58. Sign in to the Microsoft Endpoint Manager admin center.

59.You have a Microsoft 365 E5 subscription that contains 10 Android Enterprise devices. Each
device has a corporate-owned work profile and is enrolled in Microsoft Intune.
You need to configure the devices to run a single app in kiosk mode.
Which Configuration settings should you modify in the device restrictions profile?
A. Users and Accounts
B. General
C. System security
D. Device experience
Answer: D
Explanation:
Android Enterprise device settings list to allow or restrict features on corporate-owned devices using
Intune
Device experience
Use these settings to configure a kiosk-style experience on your dedicated devices, or to customize
the home screen experiences on your fully managed devices. You can configure devices to run one
app, or run many apps. When a device is set with kiosk mode, only the apps you add are available.
Note: You can control and restrict features on Android Enterprise devices owned by your organization. As part
of your mobile device management (MDM) solution, use these settings to allow or disable features,
run apps on dedicated devices, control security, and more.
This feature applies to:
Android Enterprise corporate-owned work profile (COPE)
Android Enterprise corporate owned fully managed (COBO)
Android Enterprise corporate owned dedicated devices (COSU)
Reference: https://learn.microsoft.com/en-us/mem/intune/configuration/device-restrictions-android-for-work

60. Sign in to the Microsoft Endpoint Manager admin center.

61.DRAG DROP
You have a Microsoft 365 subscription that uses Microsoft Intune.
You plan to use Windows Autopilot to provision 25 Windows 11 devices.
You need to meet the following requirements during device provisioning:
• Display the progress of app and profile deployments.
• Join the devices to Azure AD.
What should you configure to meet each requirement? To answer, drag the appropriate settings to
the correct requirements. Each setting may be used once, more than once, or not at all. You may
need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is
worth one point.

Answer:

Explanation:
Box 1: Enrollment Status Page
Display the progress of app and profile deployments.
Enrollment status page
Set up the Enrollment Status Page
The enrollment status page (ESP) displays the provisioning status to people enrolling Windows
devices and signing in for the first time. You can configure the ESP to block device use until all
required policies and applications are installed. Device users can look at the ESP to track how far
along their device is in the setup process.
To deploy the ESP to devices, you have to create an ESP profile in Microsoft Intune.
Within the profile, you can configure the ESP settings that control:
Visibility of installation progress indicators
Device access during provisioning
Time limits
Allowed troubleshooting operations
Create new profile

62. Under Cloud apps or actions, select All cloud apps.

63. Connect it to a wireless or wired network with internet access. If using wireless, first connect to
the wi-fi network.

64. Manage, maintain, and protect devices


Question Set 3

You have a Microsoft 365 subscription that uses Microsoft Intune Suite.
You use Microsoft Intune to manage devices.
You have a Windows 11 device named Device1 that is enrolled in Intune. Device1 has been offline for
30 days.
You need to remove Device1 from Intune immediately. The solution must ensure that if the device
checks in again, any apps and data provisioned by Intune are removed. User-installed apps, personal
data, and OEM-installed apps must be retained.
What should you use?

65.You have a Microsoft 365 E5 subscription that contains the users shown in the following table.

In the Microsoft 365 Apps admin center, you create a Microsoft Office customization.
Which users can download the Office customization file from the admin center?
A. Admin3 only
B. Admin1 and Admin3 only
C. Admin3 and Admin4 only
D. Admin1, Admin2, and Admin3 only
E. Admin1, Admin2, Admin3, Admin4
Answer: D
Explanation:
* Admin1
An application admin has full access to enterprise applications, applications registrations, and
application proxy settings.
* Admin2
Mark your app as publisher verified.
In Azure AD this user must be a member of one of the following roles: Application Admin, Cloud
Application Admin, or Global Admin.
* Admin3
Office Apps admin - Assign the Office Apps admin role to users who need to do the following:
- Use the Office cloud policy service to create and manage cloud-based policies for Office
- Create and manage service requests
- Manage the What's New content that users see in their Office apps
- Monitor service health
Reference: Office Apps admin - Assign the Office Apps admin role to users who need to do the following
https://docs.microsoft.com/en-us/azure/active-directory/develop/mark-app-as-publisher-verified

66. Launch the Remote Desktop Connection app (Start, type “rdp”, launch Remote Desktop
Connection).

67.You have a Microsoft Intune subscription.


You have devices enrolled in Intune as shown in the following table.

An app named App1 is installed on each device.


What is the minimum number of app configuration policies required to manage App1?
A. 1
B. 2
C. 3
D. 4
E. 5
Answer: B
Explanation:
One for Android, and one for iOS.
Reference: https://docs.microsoft.com/en-us/mem/intune/apps/app-configuration-policies-overview
68. You have a Microsoft 365 subscription that has Windows 365 Enterprise licenses.
You plan to use a custom Windows 11 image as a template for Cloud PCs.
You have a Hyper-V virtual machine that runs Windows 11 and has the following configurations:
• Name: VM1
• Disk size: 64 GB
• Disk format: VHDX
• Disk type: Fixed size
• Generation: Generation 2
You need to ensure that you can use VM1 as a source for the custom image.
What should you do on VM1 first?
A. Change the disk type to Dynamically expanding.
B. Change the disk format to the VHD.
C. Change the generation to Generation 1.
D. Increase the disk size.
Answer: A
Explanation:
Windows 365 uses both default and custom operating system images to automatically create the
virtual Cloud PCs that you provide to your end users. The default images are available from the
gallery in Microsoft Intune as a part of creating your provisioning policy. You can also upload custom
images that you create.
Image requirements
Both marketplace and custom images must meet the following requirements:
* Windows 10 Enterprise version 21H2 or later.
* Windows 11 Enterprise 21H2 or later.
(not C) * Generation 2 images.
Note
We recently made the change to generation 2 (Gen2) virtual machine images. Newly created custom
images must be Gen2. Existing custom images uploaded based on generation 1 will remain active.
* Generalized VM image.
* Single Session VM images (multi-session isn’t supported).
* No recovery partition. For information about how to remove a recovery partition, see the Windows
Server command: delete partition.
(A) *-> Default 64-GB OS disk size. The OS disk size is automatically adjusted to the size specified in
SKU description of the Windows 365 license.
A custom image must also meet the following extra requirements:
Exist in an Azure subscription.
* Is stored as a managed image in Azure.
* Storing a managed image on Azure incurs storage costs. However, customers can delete the
managed image from Azure once they've successfully uploaded it as a Custom Image to Microsoft
Intune.
Reference: https://learn.microsoft.com/en-us/windows-365/enterprise/device-images

69.HOTSPOT
You have a Microsoft Entra tenant that contains the following:
• Windows 11 devices that are joined to Microsoft Entra
• A user that has a display name of User1 and a UPN of user1@contoso.com
You enable Remote Desktop on the Windows 11 devices.
You need to ensure that User1 can use Remote Desktop to connect to the devices.
How should you complete the command that must be run on each device? To answer, select the
appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Answer:

Explanation:
Box 1: "Remote Desktop Users"
Connect to remote Azure Active Directory joined device
Add users to Remote Desktop Users group
Remote Desktop Users group is used to grant users and groups permissions to remotely connect to
the device. Users can be added either manually or through MDM policies:
Adding users manually:
You can specify individual Azure AD accounts for remote connections by running the following
command, where <userUPN> is the UPN of the user, for example user@domain.com:
net localgroup "Remote Desktop Users" /add "AzureAD\<userUPN>"
Box 2: AzureAD\User1@Contoso.com
Reference: https://learn.microsoft.com/en-us/windows/client-management/client-tools/connect-to-remote-aadj-pc

70. Click OK.


Reference:
https://www.anyviewer.com/how-to/disable-copy-and-paste-remote-desktop-win10-0007.html
https://social.technet.microsoft.com/wiki/contents/articles/5490.configure-network-level-authentication-for-remote-desktop-services-connections.aspx

71. In the navigation pane, go to Assets > Devices.


Note: Navigate to the Device inventory page
Access the device inventory page by selecting Device inventory from the Endpoints navigation menu
in the Microsoft 365 Defender portal.
Device inventory overview
The device inventory opens on the Computers and Mobile tab. At a glance you'll see information such
as device name, domain, risk level, exposure level, OS platform, onboarding status, sensor health
state, and other details for easy identification of devices most at risk.
Use the Onboarding Status column to sort and filter by discovered devices, and those already
onboarded to Microsoft Defender for Endpoint.

Box 2: Settings
Download an onboarding package for a Windows 11 device.
Onboard devices to Microsoft Defender for Business, Windows 10 and 11
Choose one of the following options to onboard Windows client devices to Defender for Business:
*-> Local script (for onboarding devices manually in the Microsoft 365 Defender portal)
* Group Policy (if you're already using Group Policy in your organization)
* Microsoft Intune (if you're already using Intune)
Local script for Windows 10 and 11
You can use a local script to onboard Windows client devices.
Go to the Microsoft 365 Defender portal (https://security.microsoft.com), and sign in.
In the navigation pane, choose Settings > Endpoints, and then under Device management, choose
Onboarding (this is Settings below Cloud apps).

Select Windows 10 and 11, and then, in the Deployment method section, choose Local script.
Select Download onboarding package. We recommend that you save the onboarding package to a
removable drive.
On a Windows device, extract the contents of the configuration package to a location, such as the
Desktop folder. You should have a file named WindowsDefenderATPLocalOnboardingScript.cmd.
Open a command prompt as an administrator.
Type the location of the script file. For example, if you copied the file to the Desktop folder, you would
type %userprofile%\Desktop\WindowsDefenderATPLocalOnboardingScript.cmd, and then press the
Enter key (or select OK).
After the script runs, run a detection test.
Reference:
https://learn.microsoft.com/en-us/microsoft-365/security/defender-business/mdb-manage-devices
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/machines-view-overview
https://learn.microsoft.com/en-us/microsoft-365/security/defender-business/mdb-onboard-devices

72.You use Windows Admin Center to remotely administer computers that run Windows 10.
When connecting to Windows Admin Center, you receive the message shown in the following exhibit.
You need to prevent the message from appearing when you connect to Windows Admin Center.
To which certificate store should you import the certificate?
A. Client Authentication Issuers
B. Personal
C. Trusted Root Certification Authorities
Answer: C
Explanation:
"Error Code: DLG_FLAGS_INVALID_CA" while login to Admin Console after enabling HTTPS in
PowerCenter.
Solution
To resolve this issue, add the CA-signed certificates to the "Trusted Root Certification Authorities" in
the browser. After adding the certificates, restart the browser.
Reference: https://knowledge.informatica.com/s/article/578585

73.You have a Microsoft 365 E5 subscription.


You need to configure the automated investigation and response (AIR) remediation level for a device
named Device1 to require approval for all folders.
What should you create?
A. a security group
B. a device group
C. an administrative unit
D. an action group
Answer: B
Explanation:
Configure automated investigation and remediation capabilities in Microsoft Defender for Endpoint
If you're using Defender for Endpoint, you can specify an automation level so that when a threat is
detected on a device, the entity can be remediated automatically or only upon approval by your
security team. You can configure automated investigation and remediation with device groups.
Reference: https://learn.microsoft.com/en-us/defender-endpoint/configure-automated-investigations-remediation

74.You have a Microsoft 365 E5 subscription.


You use Microsoft Intune to manage all Windows 11 devices.
You create an attack surface reduction (ASR) policy named Profile1 based on the Attack Surface
Reduction Rules profile and assign Profile1 to all the devices.
A user reports that an Adobe Reader plug-in is now blocked.
You need to ensure that the plug-in is unblocked.
What should you do?
A. Create an Endpoint Privilege Management policy and assign the policy to all the devices.
B. Add a scope tag to Profile1.
C. Configure ASR Only Per Rule Exclusions in Profile1.
D. Create a device compliance policy and assign the policy to all the devices.
Answer: C
Explanation:
Use Microsoft Intune policy to manage rules for attack surface reduction
Individual settings: Use ASR Only Per Rule Exclusions
When you set an applicable setting in an attack surface reduction rule profile to anything other than
Not configured, Intune presents the option to use ASR Only Per Rule Exclusions for that individual
setting. With this option, you can configure file and folder exclusions that are isolated to individual
settings, in contrast to the global setting Attack Surface Reduction Only Exclusions,
which applies its exclusions to all settings on the device.
Note:
You can use attack surface reduction (ASR) policies to reduce the attack surface of devices by
minimizing the places where your organization is vulnerable to cyberthreats and attacks.
Intune ASR policies support the following profiles:
* Attack Surface Reduction Rules: Use this profile to target behaviors that malware and malicious
apps typically use to infect computers. Examples of these behaviors include use of executable files
and scripts in Office apps, web mail that attempts to download or run files, and obfuscated or
otherwise suspicious script behaviors that apps don't usually initiate during normal day-to-day work.
* Device Control
Reference: https://learn.microsoft.com/en-us/mem/intune/protect/endpoint-security-asr-policy

75.HOTSPOT
You have a Microsoft 365 E5 subscription and use Microsoft Intune.
You need to deploy new Android devices as shown in the following table.

Which enrollment profile should you use for each device? To answer, select the appropriate options in
the answer area. NOTE: Each correct selection is worth one point.
Answer:
Explanation:
Device1: Corporate-owned dedicated devices
Device2: Corporate-owned, fully managed user devices
Device3: Personally-owned devices with work profile
Device1 (Must be shared by shift workers):
The correct profile is Corporate-owned dedicated devices. This is the ideal profile for shared devices
that are used by multiple users for specific tasks, such as warehouse inventory tracking.
Device2 (Must be assigned to a single user for work purposes only):
The correct profile is Corporate-owned, fully managed user devices. This profile is suitable for devices
that are strictly for work purposes and managed fully by the organization.
Device3 (Must support both work and personal use and enrollment by using a QR code):
The correct profile is Personally-owned devices with work profile. This allows a single device to be
used for both personal and work purposes, with separate profiles for each.

76.HOTSPOT
You have a Microsoft 365 subscription that contains 1,000 iOS devices.
The devices are enrolled in Microsoft Intune as follows:
• Two hundred devices are enrolled by using the Intune Company Portal.
• Eight hundred devices are enrolled by using Apple Automated Device Enrollment (ADE).
You create an iOS/iPadOS software updates policy named Policy1 that is configured to install
iOS/iPadOS 15.5.
How many iOS devices will Policy1 update, and what should you configure to ensure that only
iOS/iPadOS 15.5 is installed? To answer, select the appropriate options in the answer area. NOTE:
Each correct selection is worth one point.

Answer:
Explanation:
Box 1: 800
Manage iOS/iPadOS software update policies in Intune
You can use Microsoft Intune device configuration profiles to manage software updates for iOS/iPad
devices that are enrolled as supervised devices.
Supervised devices are devices that enroll through one of Apple's Automated Device Enrollment
(ADE) options. Devices enrolled through ADE support management control through a mobile device
management solution like Intune.
Box 2: Device restriction policy
With policies for iOS software updates, you can:
* Choose to deploy the latest update that's available, or choose to deploy an older update, based on
the update version number.
* When deploying an older update, you must also deploy a device restrictions profile to restrict
visibility of software updates. This is because update profiles don't prevent users from updating the
OS manually. Users can be prevented from updating the OS manually with a device configuration
policy that restricts visibility of software updates.
Incorrect:
* Compliance policy: Create compliance rules
Use compliance policies to define the rules and conditions that users and devices should meet to
access your organization's protected resources.
* Conditional Access policy
You can also create Conditional Access policies, which work alongside your device compliance
results to block access to resources from noncompliant devices.
Reference:
https://learn.microsoft.com/en-us/mem/intune/protect/software-updates-ios
https://learn.microsoft.com/en-us/mem/intune/enrollment/device-enrollment-program-enroll-ios

77. Under Assignments, select Users or workload identities.


Under Include, select All users.
Under Exclude, select Users and groups and choose any accounts that must maintain the ability to
use legacy authentication. Exclude at least one account to prevent yourself from being locked out. If
you don't exclude any account, you won't be able to create this policy.

78.HOTSPOT
Your on-premises network contains an Active Directory domain named contoso.com.
The domain contains a user account named Admin1 and the resources shown in the following table.

You have a Microsoft 365 E5 subscription.


You have a Microsoft Entra tenant that syncs with contoso.com.
Admin1 plans to use Windows Autopilot to deploy 100 Windows 11 devices.
The deployment must meet the following requirements:
• The devices must be Microsoft Entra hybrid joined during the deployment.
• Computer objects must be created in OU1.
You need to configure Server1 and Active Directory delegation to support the deployment. NOTE:
Each correct selection is worth one point.

Answer:
Explanation:
Box 1: Install the Intune Connector for Active Directory Server1
Deploy Microsoft Entra hybrid joined devices by using Intune and Windows Autopilot
Intune connector server prerequisites
The Intune Connector for Active Directory must be installed on a computer that's running Windows
Server 2016 or later with .NET Framework version 4.7.2 or later.
The server hosting the Intune Connector must have access to the internet and your Active Directory.
Box 2: OU1
Resource
The organizational unit that has the rights to create computers must match:
The organizational unit entered in the Domain Join profile.
If no profile is selected, the computer's domain name for your domain.

79.You manage 1,000 devices by using Microsoft Intune.


You review the Device compliance trends report.
For how long will the report display trend data?
A. 30 days
B. 60 days
C. 90 days
D. 365 days
Answer: B

80.You have a Microsoft 365 E5 subscription.


You need to enroll Android Enterprise devices in Microsoft Intune by using zero-touch enrollment.
What should you do first?
A. From the Microsoft Intune admin center, configure enrollment restrictions.
B. From the Microsoft Intune admin center, create a zero-touch configuration.
C. From the Microsoft Intune admin center, link a Managed Google Play account.
D. From the zero-touch enrollment portal, create a zero-touch configuration.
Answer: C
Explanation:
Before you can enroll Android Enterprise devices using zero-touch enrollment in Microsoft Intune, the
first step is to link a Managed Google Play account to Microsoft Intune. This is necessary because
Android Enterprise management, including zero-touch enrollment, relies on the Managed Google Play
account to manage and deploy apps and policies to Android devices. After linking the account, you
can proceed with setting up the zero-touch configuration.

81.You have a Microsoft 365 subscription that uses Microsoft Intune Suite.
You use Microsoft Intune to manage devices.
You use Windows Autopilot to deploy Windows 11 to devices.
A support engineer reports that when a deployment fails, they cannot collect deployment logs from
the failed device.
You need to ensure that when a deployment fails, the deployment logs can be collected.
What should you configure?
A. the automatic enrollment settings
B. the Windows Autopilot deployment profile
C. the enrollment status page (ESP) profile
D. the device configuration profile
Answer: C
Explanation:
Troubleshooting the Enrollment Status Page
To troubleshoot ESP issues, it's important to get more information about the ESP settings that are
received by the device, and the applications and policies that are tracked at each stage. All ESP
settings and tracking information are logged in the device registry.
Collect logs
You can enable the ability for users to collect ESP logs in the ESP policy. When a timeout occurs in
the ESP, the user can select the option to Collect logs.
Note: Windows Autopilot diagnostics page
On Windows 11, you can open the Autopilot diagnostic page to view additional detailed
troubleshooting information about the Autopilot provisioning process. To enable the Autopilot
diagnostics page:

82. Provide your RD Gateway Server credentials, and after you get authenticated onto the Gateway
server, provide your credentials to get authenticated onto the Remote Desktop server.
