MD-101 : Managing Modern Desktops : Part 12
-
HOTSPOT
You have 1,000 computers that run Windows 10 and are members of an Active Directory domain.
You need to capture the event logs from the computers to Azure.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
-
You have 200 computers that run Windows 10. The computers are joined to Microsoft Azure Active Directory (Azure AD) and enrolled in Microsoft Intune.
You need to ensure that only applications that you explicitly allow can run on the computers.
What should you use?
- Microsoft Defender Credential Guard
- Microsoft Defender Exploit Guard
- Microsoft Defender Application Guard
- Microsoft Defender Application Control
Explanation:
Application control can help mitigate these types of security threats by restricting the applications that users are allowed to run and the code that runs in the System Core (kernel). Application control policies can also block unsigned scripts and MSIs, and restrict Windows PowerShell to run in Constrained Language Mode.
-
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your company has several Windows 10 devices that are enrolled in Microsoft Intune.
You deploy a new computer named Computer1 that runs Windows 10 and is in a workgroup.
You need to enroll Computer1 in Intune.
Solution: From Computer1, you sign in to https://portal.manage.microsoft.com and use the Devices tab.
Does this meet the goal?
- Yes
- No
Explanation:
Use MDM enrollment.
MDM-only enrollment lets users enroll an existing Workgroup, Active Directory, or Azure Active Directory joined PC into Intune. Users enroll from Settings on the existing Windows PC.
-
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your company has several Windows 10 devices that are enrolled in Microsoft Intune.
You deploy a new computer named Computer1 that runs Windows 10 and is in a workgroup.
You need to enroll Computer1 in Intune.
Solution: You install the Company Portal app on Computer1 and use the Devices tab from the app.
Does this meet the goal?
- Yes
- No
Explanation:
Use MDM enrollment.
MDM-only enrollment lets users enroll an existing Workgroup, Active Directory, or Azure Active Directory joined PC into Intune. Users enroll from Settings on the existing Windows PC.
-
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your company has several Windows 10 devices that are enrolled in Microsoft Intune.
You deploy a new computer named Computer1 that runs Windows 10 and is in a workgroup.
You need to enroll Computer1 in Intune.
Solution: From the Settings app on Computer1, you use the Connect to work or school account settings.
Does this meet the goal?
- Yes
- No
Explanation:
Use MDM enrollment.
MDM-only enrollment lets users enroll an existing Workgroup, Active Directory, or Azure Active Directory joined PC into Intune. Users enroll from Settings on the existing Windows PC.
-
HOTSPOT
You have a Microsoft 365 subscription.
You plan to enroll devices in Microsoft Endpoint Manager that have the platforms and versions shown in the following table.
You need to configure device enrollment to meet the following requirements:
– Ensure that only devices that have approved platforms and versions can enroll in Endpoint Manager.
– Ensure that devices are added to Microsoft Azure Active Directory (Azure AD) groups based on a selection made by users during the enrollment.
Which device enrollment setting should you configure for each requirement? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
-
HOTSPOT
Your company has 1,000 Windows 10 devices that are enrolled in Windows Analytics.
You need to view the following information:
– The number of devices that are vulnerable to Spectre and Meltdown vulnerabilities
– The number of devices that have Windows Defender real-time protection turned off
Which Windows Analytics solutions should you use? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Explanation:
Note: Windows Analytics is now known as Desktop Analytics and Windows Defender is now known as Microsoft Defender Antivirus.
-
Your network contains an on-premises Active Directory domain named contoso.com that syncs to Azure Active Directory (Azure AD).
You have the Windows 10 devices shown in the following table.
You need to ensure that you can use co-management to manage all the Windows 10 devices.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
- Join Device1, Device2, and Device4 to Azure AD.
- Unjoin Device3, Device5, and Device6 from Azure AD, and then register the devices in Azure AD.
- Enroll Device4 and Device5 in Intune.
- Join Device2, Device3, and Device5 to the domain.
- Install the Endpoint Configuration Manager agent on Device1 and Device3.
Explanation:
Co-management enables you to concurrently manage Windows 10 devices by using both Configuration Manager and Microsoft Intune.
Co-management requires Configuration Manager version 1710 or later and enrollment in Microsoft Intune.
Windows 10 devices must be hybrid Azure AD joined.
-
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your company has an Azure Active Directory (Azure AD) tenant named contoso.com that contains several Windows 10 devices.
When you join new Windows 10 devices to contoso.com, users are prompted to set up a four-digit PIN.
You need to ensure that the users are prompted to set up a six-digit PIN when they join the Windows 10 devices to contoso.com.
Solution: From the Azure Active Directory admin center, you modify the User settings and the Device settings.
Does this meet the goal?
- Yes
- No
Explanation:
Instead, from the Azure Active Directory admin center, you configure automatic mobile device management (MDM) enrollment. From the Endpoint Management admin center, you configure the Windows Hello for Business enrollment options.
-
Your network contains an Active Directory domain named contoso.com. The domain contains computers that run Windows 10 and are joined to the domain.
The domain is synced to Microsoft Azure Active Directory (Azure AD).
You create an Azure Log Analytics workspace and deploy the Device Health solution.
You need to enroll the computers in Windows Analytics.
Which Group Policy setting should you configure?
- Specify intranet Microsoft update service location
- Allow Telemetry
- Configure the Commercial ID
- Connected User Experiences and Telemetry
Explanation:
Microsoft uses a unique commercial ID to map information from user computers to your Azure workspace. Copy your commercial ID key from any of the Windows Analytics solutions you have added to your Windows Portal, and then deploy it to user computers.
-
DRAG DROP
You use the Antimalware Assessment solution in Microsoft Azure Log Analytics.
From the Protection Status dashboard, you discover the computers shown in the following table.
You verify that both computers are connected to the network and running.
What is a possible cause of the issue on each computer? To answer, drag the appropriate causes to the correct computers. Each cause may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
-
You have a shared computer that runs Windows 10.
The computer is infected with a virus.
You discover that a malicious TTF font was used to compromise the computer.
You need to prevent this type of threat from affecting the computer in the future.
What should you use?
- Microsoft Defender Exploit Guard
- Microsoft Defender Application Guard
- Microsoft Defender Credential Guard
- Microsoft Defender System Guard
- Microsoft Defender SmartScreen
-
DRAG DROP
Your company has a Microsoft Azure Active Directory (Azure AD) tenant.
The company uses Microsoft Intune to manage iOS, Android, and Windows 10 devices.
The company plans to purchase 1,000 iOS devices. Each device will be assigned to a specific user.
You need to ensure that the new iOS devices are enrolled automatically in Intune when the assigned user signs in for the first time.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
-
Your network contains an Active Directory domain. The functional level of the forest and the domain is Windows Server 2012 R2.
The domain contains 500 computers that run Windows 10. All the computers are managed by using Microsoft System Center 2012 R2 Configuration Manager.
You need to enable co-management.
What should you do first?
- Deploy the Microsoft Intune client.
- Raise the forest functional level.
- Upgrade Configuration Manager to Current Branch.
- Raise the domain functional level.
Explanation:
Co-management requires Configuration Manager version 1710 or later.
-
HOTSPOT
Your company uses Microsoft Intune to manage Windows 10, Android, and iOS devices.
Several users purchase new iPads and Android devices.
You need to tell the users how to enroll their device in Intune.
What should you instruct the users to use for each device? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Explanation:
The Intune Company Portal app is used to enroll Android, iOS, macOS, and Windows devices.
-
HOTSPOT
Your company has a Microsoft Azure Active Directory (Azure AD) tenant and computers that run Windows 10.
The company uses Microsoft Intune to manage the computers.
The Azure AD tenant has the users shown in the following table.
The device type restrictions in Intune are configured as shown in the following table:
User3 is a device enrollment manager (DEM) in Intune.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Explanation:
Box 1: No
User1 is part of Group1, which only allows enrollment of Android and iOS devices (NOT Windows devices).
Box 2: Yes
User2 is part of Group1 and Group2, but Group2 has Priority 2, which is higher priority than Group1, so only Policy2 applies. Policy2 allows enrollment of Windows devices.
Box 3: No
User3 is not part of any group and is therefore in “All users”.
The “All users” Device Restriction Types only allow Android and Windows (MDM) but not iOS.
-
HOTSPOT
Your network contains an Active Directory domain. Active Directory is synced with Microsoft Azure Active Directory (Azure AD).
There are 500 Active Directory domain-joined computers that run Windows 10 and are enrolled in Microsoft Intune.
You plan to implement Microsoft Defender Exploit Guard.
You need to create a custom Microsoft Defender Exploit Guard policy, and then distribute the policy to all the computers.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
-
HOTSPOT
Your company has computers that run Windows 10 and are Microsoft Azure Active Directory (Azure AD)-joined.
The company purchases an Azure subscription.
You need to collect Windows events from the Windows 10 computers in Azure. The solution must enable you to create alerts based on the collected events.
What should you create in Azure and what should you configure on the computers? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
-
You have a public computer named Public1 that runs Windows 10.
Users use Public1 to browse the internet by using Microsoft Edge.
You need to view events associated with website phishing attacks on Public1.
Which Event Viewer log should you view?
- Applications and Services Logs > Microsoft\Windows > Device Guard > Operational
- Applications and Services Logs > Microsoft > Windows > Security-Mitigations > User Mode
- Applications and Services Logs > Microsoft > Windows > SmartScreen > Debug
- Applications and Services Logs > Microsoft > Windows > Microsoft Defender > Operational
-
You have a hybrid Microsoft Azure Active Directory (Azure AD) tenant, a Microsoft System Center Configuration Manager (Current Branch) environment, and a Microsoft 365 subscription.
You have computers that run Windows 10 as shown in the following table.
You plan to use Microsoft 365 Device Management.
Which computers support co-management by Configuration Manager and Device Management?
- Computer3 only
- Computer1 and Computer2 only
- Computer2 only
- Computer1, Computer2, and Computer3