MD-101 : Managing Modern Desktops : Part 11

MD-101 : Managing Modern Desktops : Part 11

1. HOTSPOT

   You have computers that run Windows 10 as shown in the following table.

   

   Computer2 and Computer3 are enrolled in Microsoft Intune.

   In a Group Policy object (GPO) linked to the domain, you enable the Computer Configuration/Administrative Templates/Windows Components/Search/Allow Cortana setting.

   In an Intune device configuration profile that is assigned to an Azure Active Directory group that includes Computer2 and Computer3, you configure the following:

   – Device/Vendor/MSFT/Policy/Config/Control Policy Conflict/MDM Wins Over GP to a value of 1
   – Experience/Allow Cortana to a value of 0.

   Each of the following statement, select Yes if the statement is true. Otherwise, select No.

   NOTE: Each correct selection is worth one point.

   

   

2. Your company plans to deploy Windows 10 to devices that will be configured for English use and other devices that will be configured for Korean use.

   You need to create a single multivariant provisioning package for the planned devices.

   You create the provisioning package.

   What should you do next to add the language settings to the package?

   • Modify the Customizations.xml file.
   • Create a file named Languages.xml that contains a header for Korean.
   • Modify the .ppkg file.
   • Create a file named Languages.xml that contains a header for English.
   Explanation:
   Follow these steps to create a provisioning package with multivariant capabilities.
   1. Build a provisioning package and configure the customizations you want to apply during certain conditions.
   2. After you’ve configured the settings, save the project.
   3. Open the project folder and copy the customizations.xml file to any local location.
   4. Use an XML or text editor to open the customizations.xml file.
   5. Edit the customizations.xml file to create a Targets section to describe the conditions that will handle your multivariant settings.
   6. In the customizations.xml file, create a Variant section for the settings you need to customize.
   7. Save the updated customizations.xml file and note the path to this updated file. You will need the path as one of the values for the next step.
   8. Use the Windows Configuration Designer command-line interface to create a provisioning package using the updated customizations.xml.

3. Your network contains an Active Directory domain that is synced to Microsoft Azure Active Directory (Azure AD).

   You have a Microsoft 365 subscription.

   You create a conditional access policy for Microsoft Exchange Online.

   You need to configure the policy to prevent access to Exchange Online unless a user is connecting from a device that is hybrid Azure AD-joined.

   Which settings should you configure?

   • Locations
   • Device platforms
   • Sign-in risk
   • Device state

4. You have 200 computers that run Windows 10. The computers are joined to Microsoft Azure Active Directory (Azure AD) and enrolled in Microsoft Intune.

   You redirect Windows known folders to Microsoft OneDrive for Business.

   Which folder will be included in the redirection?

   • Saved Games
   • Documents
   • Music
   • Downloads
   • Favorites
   • AppData
   • Videos

5. You have a Microsoft 365 subscription.

   You have a conditional access policy that requires multi-factor authentication (MFA) for users in a group name Sales when the users sign in from a trusted location. The policy is configured as shown in the exhibit. (Click the Exhibit tab.)

   

   You create a compliance policy.

   You need to ensure that the users are authenticated only if they are using a compliant device.

   What should you configure in the conditional access policy?

   • a condition
   • a session control
   • a cloud app
   • a grant control
   Explanation:

   The device state condition can be used to exclude devices that are hybrid Azure AD joined and/or devices marked as compliant with a Microsoft Intune compliance policy from an organization’s Conditional Access policies.

   Device state is located on the Condition tab

6. You have an Azure Active Directory (Azure AD) tenant that contains a user named User1. User1 has the device shown in the following table.

   

   Enterprise State Roaming is configured for User1.

   User1 signs in to Device4 and changes the desktop.

   You need to identify on which devices User1 will have a changed desktop.

   Which devices should you identify?

   • Device1, Device2, Device3, and Device4
   • Device4 only
   • Device2, Device3, and Device4 only
   • Device2 and Device4 only
   • Device3 and Device4 only
   Explanation:
   The requirements of Enterprise State Roaming are:
   – Windows 10, with the latest updates, and a minimum Version 1511 (OS Build 10586 or later) is installed on the device.
   – The device is Azure AD joined or hybrid Azure AD joined.
   – Ensure that Enterprise State Roaming is enabled for the tenant in Azure AD.
   – The user is assigned an Azure Active Directory Premium license.
   – The device must be restarted and the user must sign in again to access Enterprise State Roaming features.

7. You have an Azure Active Directory (Azure AD) tenant named adatum.com that contains two computers named Computer1 and Computer2. The computers run Windows 10 and are members of a group named GroupA.

   The tenant contains a user named User1 that is a member of a group named Group1.

   You need to ensure that if User1 changes the desktop background on Computer1, the new desktop background will appear when User1 signs in to Computer2.

   What should you do?

   • Create a device configuration profile for Windows 10 and configure the Shared multi-user device settings. Assign the profile to Group1.
   • Create a device configuration profile for Windows 10 and configure the Shared multi-user device settings. Assign the profile to GroupA.
   • From the Azure Active Directory admin center, enable Enterprise State Roaming for Group1.
   • From the Azure Active Directory admin center, enable Enterprise State Roaming for GroupA.

8. You have a Microsoft 365 tenant that contains the devices shown in the following table.

   

   You need to assign app protection settings to the devices.

   What is the minimum number of app protection policies required?

   • 1
   • 2
   • 3
   • 4
   • 5

9. You have following types of devices enrolled in Microsoft Intune:

   – Windows 10
   – Android
   – iOS

   For which types of devices can you create VPN profiles in Microsoft Endpoint Manager?

   • Windows 10 only
   • Windows 10 and Android only
   • Windows 10 and iOS only
   • Windows 10, Android, and iOS
   • Android and iOS only

10. HOTSPOT

    You have a Microsoft 365 tenant that uses Microsoft Intune to manage the devices shown in the following table.

    

    You need to deploy a compliance solution that meets the following requirements:

    – Marks the devices as Not Compliant if they do not meet compliance policies
    – Remotely locks noncompliant devices

    What is the minimum number of compliance policies required, and which devices support the remote lock action? To answer, select the appropriate options in the answer area.

    NOTE: Each correct selection is worth one point.

    

    

11. You have a Microsoft 365 tenant that contains the devices shown in the following table.

    

    The devices are managed by using Microsoft Intune.

    You create a compliance policy named Policy1 and assign Policy1 to Group1. Policy1 is configured to mark a device as Compliant only if the device security settings match the settings specified in the policy.

    You discover that devices that are not members of Group1 are shown as Compliant.

    You need to ensure that only devices that are assigned a compliance policy can be shown as Compliant. All other devices must be shown as Not compliant.

    What should you do?

    • From Endpoint security, configure the Conditional access settings.
    • From Device compliance, configure the Compliance policy settings.
    • From Policy1, modify the actions for noncompliance.
    • From Tenant administration, modify the Diagnostic settings.

12. Your network contains an Active Directory domain. The domain contains 5,000 computers that run Windows 10.

    All users use Roaming User Profiles.

    Some users report that it takes a long time to sign in to the computers.

    You discover that the users have user profiles that are larger than 1 GB.

    You need to reduce the amount of time it takes for the users to sign in.

    What should you configure?

    • Folder Redirection by using a Group Policy Object (GPO)
    • Sync your settings in the Settings app
    • Delivery Optimization in the Settings app
    • Microsoft User Experience Virtualization (UE-V) by using PowerShell

13. You have a Microsoft 365 tenant that contains the objects shown in the following table.

    

    You are creating a compliance policy named Compliance1.

    Which objects can you specify in Compliance1 as additional recipients of noncompliance notifications?

    • Group1, Group2, Group3, Group4, and Admin1
    • Group1, Group2, Group3, and Group4 only
    • Group3, Group4, and Admin1 only
    • Group1, Group2, and Group3 only
    • Group3 and Group4 only
14. This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.

    To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.

    At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.

    To start the case study
    To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. When you are ready to answer a question, click the Question button to return to the question.

    Overview

    Contoso, Ltd, is a consulting company that has a main office in Montreal and two branch offices in Seattle and New York.

    Contoso has the users and computers shown in the following table.

    

    The company has IT, human resources (HR), legal (LEG), marketing (MKG) and finance (FIN) departments.

    Contoso uses Microsoft Store for Business and recently purchased a Microsoft 365 subscription.

    The company is opening a new branch office in Phoenix. Most of the users in the Phoenix office will work from home.

    Existing Environment
    The network contains an Active Directory domain named contoso.com that is synced to Microsoft Azure Active Directory (Azure AD).

    All member servers run Windows Server 2016. All laptops and desktop computers run Windows 10 Enterprise.

    The computers are managed by using Microsoft Endpoint Configuration Manager. The mobile devices are managed by using Microsoft Intune.

    The naming convention for the computers is the department acronym, followed by a hyphen, and then four numbers, for example, FIN-6785. All the computers are joined to the on-premises Active Directory domain.

    Each department has an organizational unit (OU) that contains a child OU named Computers. Each computer account is in the Computers OU of its respective department.

    Intune Configuration

    The domain has the users shown in the following table.

    

    User2 is a device enrollment manager (DEM) in Intune.

    The devices enrolled in Intune are shown in the following table.

    

    The device compliance policies in Intune are configured as shown in the following table.

    

    The device compliance policies have the assignments shown in the following table.

    

    The device limit restrictions in Intune are configured as shown in the following table.

    

    Requirements

    Planned Changes
    Contoso plans to implement the following changes:

    – Provide new computers to the Phoenix office users. The new computers have Windows 10 Pro preinstalled and were purchased already.
    – Start using a free Microsoft Store for Business app named App1.
    – Implement co-management for the computers.

    Technical Requirements
    Contoso must meet the following technical requirements:

    – Ensure that the users in a group named Group4 can only access Microsoft Exchange Online from devices that are enrolled in Intune.
    – Deploy Windows 10 Enterprise to the computers of the Phoenix office users by using Windows Autopilot.
    – Monitor the computers in the LEG department by using Windows Analytics.
    – Create a provisioning package for new computers in the HR department.
    – Block iOS devices from sending diagnostic and usage telemetry data.
    – Use the principle of least privilege whenever possible.
    – Enable the users in the MKG department to use App1.
    – Pilot co-management for the IT department.

    1. DRAG DROP

       You need to meet the technical requirements for the LEG department computers.

       Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

       

       

15. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

    After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

    Your company has an Azure Active Directory (Azure AD) tenant named contoso.com that contains several Windows 10 devices.

    When you join new Windows 10 devices to contoso.com, users are prompted to set up a four-digit pin.

    You need to ensure that the users are prompted to set up a six-digit pin when they join the Windows 10 devices to contoso.com.

    Solution: From the Azure Active Directory admin center, you configure automatic mobile device management (MDM) enrollment. From the Endpoint Management admin center, you create and assign a device restrictions profile.

    Does this meet the goal?

    • Yes
    • No
    Explanation:
    Instead, from the Azure Active Directory admin center, you configure automatic mobile device management (MDM) enrollment. From the Endpoint Management admin center, you configure the Windows Hello for Business enrollment options.

16. Your company has a Microsoft Azure Active Directory (Azure AD) tenant. All users in the company are licensed for Microsoft Intune.

    You need to ensure that the users enroll their iOS device in Intune.

    What should you configure first?

    • A Device Enrollment Program (DEP) token.
    • An Intune device configuration profile.
    • A Device enrollment manager (DEM) account.
    • An Apple MDM Push certificate.
    Explanation:
    You need to create an Apple MDM push certificate and use it to manage Apple devices with Intune. The Apple MDM push certificate must be added to Endpoint Manager, and must be active.

17. You use Microsoft Defender for Endpoint to protect computers that run Windows 10.

    You need to assess the differences between the configuration of Microsoft Defender for Endpoint and the Microsoft-recommended configuration baseline.

    Which tool should you use?

    • Microsoft Defender Security Center
    • Desktop Analytics
    • Microsoft Defender for Endpoint Power BI app
    • Microsoft Secure Score

18. HOTSPOT

    A company named A.Datum Corporation uses Microsoft Endpoint Configuration Manager, Microsoft Intune, and Desktop Analytics.

    A.Datum purchases a company named Contoso, Ltd. Contoso has devices that run the following operating systems:

    – Windows 8.1
    – Windows 10
    – Android
    – iOS

    A.Datum plans to use Desktop Analytics to monitor the Contoso devices.

    You need to identify which devices can be monitored by using Desktop Analytics and how to add the devices to Desktop Analytics.

    What should you identify? To answer, select the appropriate options in the answer area.

    NOTE: Each correct selection is worth one point.

    

    

19. Your company uses Microsoft Intune to manage devices. You need to ensure that only Android devices that use Android work profiles can enroll in Intune.

    Which two configurations should you perform in the device enrollment restrictions? Each correct answer presents part of the solution.

    NOTE: Each correct selection is worth one point.

    • From Select platforms, set Android work profile to Allow.
    • From Configure platforms, set Android Personally Owned to Block.
    • From Configure platforms, set Android Personally Owned to Allow.
    • From Select platforms, set Android to Block.

20. You have a Microsoft Azure Log Analytics workplace that collects all the event logs from the computers at your company.

    You have a computer named Computer1 than runs Windows 10. You need to view the events collected from Computer1.

    Which query should you run in Log Analytics?

    • Event
      | where Computer = = "Computer1"

    • ETWEvent
      
      | where SourceSystem = = "Computer1"

    • ETWEvent
      
      | where Computer = = "Computer1"

    • Event
      
      | where SourceSystem = = "Computer1"