MD-101 : Managing Modern Desktops : Part 09

MD-101 : Managing Modern Desktops : Part 09

1. HOTSPOT

   Your company has computers that run Windows 10. The employees at the company use the computers.

   You plan to monitor the computers by using the Update Compliance solution.

   You create the required resources in Azure.

   You need to configure the computers to send enhanced Update Compliance data.

   Which two Group Policy settings should you configure? To answer, select the appropriate settings in the answer area.

   NOTE: Each correct selection is worth one point.

   

   

2. HOTSPOT

   You are licensed for Microsoft Endpoint Manager.

   You use Microsoft Endpoint Configuration Manager and Microsoft Intune.

   You have devices enrolled in Configuration Manager as shown in the following table.

   

   In Configuration Manager, you enable co-management and configure the following settings:

   – Automatic enrolment in Intune: Pilot
   – Intune Auto Enrollment: Collection1

   In Configuration Manager, you configure co-management staging to have the following settings:

   – Compliance policies: Collection2
   – Device Configuration: Collection1

   In Configuration Manager, you configure co-management workloads as shown in the following exhibit.

   

   For each of the following statements, select Yes if the statement is true. Otherwise, select No.

   

   

3. You have an Azure Active Directory group named Group1. Group1 contains two Windows 10 Enterprise devices named Device1 and Device2.

   You create a device configuration profile named Profile1. You assign Profile1 to Group1.

   You need to ensure that Profile1 applies to Device1 only.

   What should you modify in Profile1?

   • Scope (Tags)
   • Settings
   • Applicability Rules
   • Assignments

4. Your network contains an on-premises Active Directory domain and an Azure Active Directory (Azure AD) tenant.

   The Default Domain Policy Group Policy Object (GPO) contains the settings shown in the following table.

   

   You need to migrate the existing Default Domain Policy GPO settings to a device configuration profile.

   Which type of device configuration profile should you create?

   • Custom
   • Endpoint protection
   • Administrative Templates
   • Device restrictions

5. Your company plans to deploy tablets to 50 meeting rooms.

   The tablets run Windows 10 and are managed by using Microsoft Intune. The tablets have an application named App1.

   You need to configure the tablets so that any user can use App1 without having to sign in. Users must be prevented from using other applications on the tablets.

   Which device configuration profile type should you use?

   • Kiosk
   • Endpoint protection
   • Identity protection
   • Device restrictions

6. HOTSPOT

   Your network contains an Active Directory domain named contoso.com that syncs to Azure Active Directory (Azure AD). The domain contains computers that run Windows 10. The computers are configured as shown in the following table.

   

   All the computers are enrolled in Microsoft Intune.

   You configure the following Maintenance Scheduler settings in the Default Domain Policy:

   – Turn off auto-restart for updates during active hours: Enabled
   – Active hours start: 08:00
   – Active hours end: 22:00

   In Intune, you create a device configuration profile named Profile1 that has the following OMA-URI settings:

   – ./Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP set to value 1
   – ./Device/Vendor/MSFT/Policy/Config/Update/ActiveHoursStart set to value 9
   – ./Device/Vendor/MSFT/Policy/Config/Update/ActiveHoursEnd set to value 21

   You assign Profile to Group1.

   How are the active hours configured on Computer1 and Computer2? To answer, select the appropriate options in the answer area.

   NOTE: Each correct selection is worth one point.

   

   

7. HOTSPOT

   You have a Microsoft 365 subscription.

   You have 25 Microsoft Surface Hub devices that you plan to manage by using Microsoft Endpoint Manager.

   You need to configure the devices to meet the following requirements:

   – Enable Windows Hello for Business.
   – Configure Microsoft Defender SmartScreen to block users from running unverified files.

   Which profile types should you configure? To answer, select the appropriate options in the answer area.

   NOTE: Each correct selection is worth one point.

   

   

8. DRAG DROP

   Your network contains an Active Directory domain that is synced to Microsoft Azure Active Directory (Azure AD). All computers are joined to the domain and registered to Azure AD.

   The network contains a Microsoft Endpoint Configuration Manager deployment that is configured for co-management with Microsoft Intune.

   All the computers in the finance department are managed by using Endpoint Configuration Manager. All the computers in the marketing department are managed by using Intune.

   You install new computers for the users in the marketing department by using the Microsoft Deployment Toolkit (MDT).

   You purchase an application named App1 that uses an MSI package.

   You need to install App1 on the finance department computers and the marketing department computers.

   How should you deploy App1 to each department? To answer, drag the appropriate deployment methods to the correct departments. Each deployment method may be used once, more than once, or not at all. You may need to drag the split bat between panes or scroll to view content.

   NOTE: Each correct selection is worth one point.

   

   

9. Your company has a Microsoft 365 subscription.

   The company uses Microsoft Intune to manage all devices.

   The company uses conditional access to restrict access to Microsoft 365 services for devices that do not comply with the company’s security policies.

   You need to identify which devices will be prevented from accessing Microsoft 365 services.

   What should you use?

   • The Device tab in Desktop Analytics.
   • Microsoft Defender Security Center.
   • The Device compliance blade in the Microsoft Endpoint Manager admin center.
   • The Conditional access blade in the Azure Active Directory admin center.

10. HOTSPOT

    You have 200 computers that run Windows 10.

    You need to create a provisioning package to configure the following tasks:

    – Remove the Microsoft News and the Xbox Microsoft Store apps.
    – Add a VPN connection to the corporate network.

    Which two customizations should you configure? To answer, select the appropriate customizations in the answer area.

    NOTE: Each correct selection is worth one point.

    

    

11. You have an Azure Active Directory (Azure AD) tenant named contoso.com.

    You create a terms of use (ToU) named Terms1 in contoso.com.

    You are creating a conditional access policy named Policy1 to assign a cloud app named App1 to the users in contoso.com.

    You need to configure Policy1 to require the users to accept Terms1.

    What should you configure in Policy1?

    • Grant in the Access controls section
    • Conditions in the Assignments section
    • Cloud apps or actions in the Assignments section
    • Session in the Access controls section

12. HOTSPOT

    You have devices enrolled in Microsoft Intune as shown in the following table.

    

    You create device configuration profiles in Intune as shown in the following table.

    

    You assign the device configuration profiles to groups as shown in the following table.

    

    For each of the following statements, select Yes if the statement is true. Otherwise, select No.

    NOTE: Each correct selection is worth one point.

    

    

13. HOTSPOT

    You use Microsoft Endpoint Manager to manage Windows 10 devices.

    You are designing a reporting solution that will provide reports on the following:

    – Compliance policy trends
    – Trends in device and user enrolment
    – App and operating system version breakdowns of mobile devices

    You need to recommend a data source and a data visualization tool for the design.

    What should you recommend? To answer, select the appropriate options in the answer area.

    NOTE: Each correct selection is worth one point.

    

    

14. HOTSPOT

    In Microsoft Intune, you have the device compliance policies shown in the following table.

    

    The Intune compliance policy settings are configured as shown in the following exhibit.

    

    On June 1, you enroll Windows 10 devices in Intune as shown in the following table.

    

    For each of the following statements, select Yes if the statement is true. Otherwise, select No.

    NOTE: Each correct selection is worth one point.

    

    

15. HOTSPOT

    You have a Microsoft Intune subscription.

    You create the Windows Autopilot deployment profile-shown in the following exhibit.

    

    Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.

    NOTE: Each correct selection is worth one point.

    

    

16. You need to assign the same deployment profile to all the computers that are configured by using Windows Autopilot.

    Which two actions should you perform? Each correct answer presents part of the solution.

    NOTE: Each correct selection is worth one point.

    • Join the computers to Microsoft Azure Active Directory (Azure AD)
    • Assign a Windows Autopilot deployment profile to a group
    • Join the computers to an on-premises Active Directory domain
    • Create a Microsoft Azure Active Directory (Azure AD) group that has dynamic membership rules and uses the operatingSystem tag
    • Create a Group Policy object (GPO) that is linked to a domain
    • Create a Microsoft Azure Active Directory (Azure AD) group that has dynamic membership rules and uses the ZTDID tag

17. Your company has a Microsoft Azure Active Directory (Azure AD) tenant named contoso.com. All users have computers that run Windows 10. The computers are joined to Azure AD and managed by using Microsoft Intune.

    You need to ensure that you can centrally monitor the computers by using Windows Analytics.

    What should you create in Intune?

    • a device configuration profile
    • a conditional access policy
    • a device compliance policy
    • an update policy

18. HOTSPOT

    You have 200 computers that run Windows 10. The computers are joined to Microsoft Azure Active Directory (Azure AD) and enrolled in Microsoft Intune.

    You need to set a custom image as the wallpaper and sign-in screen.

    Which two settings should you configure in Device restrictions? To answer, select the appropriate settings in the answer area.

    NOTE: Each correct selection is worth one point.

    

    

    Explanation:

    Sign-in screen, or Locked screen, image is set under Locked screen experience

    Wallpaper image, or Desktop background picture, URL is set under Personalization.

19. Your company has a Microsoft Azure Active Directory (Azure AD) tenant named contoso.com. All users have computers that run Windows 10. The computers are joined to Azure AD and managed by using Microsoft Intune.

    You need to ensure that you can centrally monitor the computers by using the Update Compliance solution.

    What should you create in Intune?

    • a device configuration profile
    • a conditional access policy
    • a device compliance policy
    • an update policy

20. HOTSPOT

    You have a Microsoft Intune subscription that has the following device compliance policy settings:

    Mark devices with no compliance policy assigned as: Compliant
    Compliance status validity period (days): 14

    On January 1, you enroll Windows 10 devices in Intune as shown in the following table.

    

    On January 4, you create the following two device compliance policies:

    – Name: Policy1
    – Platform: Windows 10 and later
    – Require BitLocker: Require
    – Mark device noncompliant: 5 days after noncompliance
    – Scope (Tags): Tag1

    – Name: Policy2
    – Platform: Windows 10 and later
    – Firewall: Require
    – Mark device noncompliant: Immediately
    – Scope (Tags): Tag2

    On January 5, you assign Policy1 and Policy2 to Group1.

    For each of the following statements, select Yes if the statement is true. Otherwise, select No.

    NOTE: Each correct selection is worth one point.

    

    

    Explanation:

    Box 1: No.
    Policy1 and Policy2 apply to Group1 which Device1 is a member of. Device1 does not meet the firewall requirement in Policy2 so the device will immediately be marked as non-compliant.

    Box 2: No
    For the same reason as Box1.

    Box 3: Yes
    Policy1 and Policy2 apply to Group1. Device2 is not a member of Group1 so the policies don’t apply.
    The Scope (tags) have nothing to do with whether the policy is applied or not. The tags are used in RBAC.