MD 102

- Expert Verified, Online, Free.
Prepare for your MD-102 exam with additional products
Study Guide
512 PDF Pages
$19.99
Buy Now
Video Course
84 Lectures
$19.99
Buy Now
 Custom View Settings

Topic 1 - Exam A
Question #1 Topic 1
HOTSPOT -
Case study -
Overview -
ADatum Corporation is a consulting company that has a main office in Montreal and branch offices in Seattle and New York.
ADatum has a Microsoft 365 E5 subscription.
Environment -
Network Environment -
The network contains an on-premises Active Directory domain named adatum.com. The domain contains the servers shown in the following table.
ADatum has a hybrid Azure AD tenant named adatum.com.
Users and Groups -
The adatum.com tenant contains the users shown in the following table.
All users are assigned a Microsoft Office 365 license and an Enterprise Mobility + Security E3 license.
Enterprise State Roaming is enabled for Group1 and GroupA.
Group1 and Group2 have a Membership type of Assigned.
Devices -
ADatum has the Windows 10 devices shown in the following table.
The Windows 10 devices are joined to Azure AD and enrolled in Microsoft Intune.
The Windows 10 devices are configured as shown in the following table.
All the Azure AD joined devices have an executable file named C:\AppA.exe and a folder named D:\Folder1.
Microsoft Intune Configuration -
Microsoft Intune has the compliance policies shown in the following table.
The Automatic Enrollment settings have the following configurations:
MDM user scope: GroupA -
MAM user scope: GroupB -
You have an Endpoint protection configuration profile that has the following Controlled folder access settings:
Name: Protection1 -
Folder protection: Enable -
List of apps that have access to protected folders: C:\*\AppA.exe
List of additional folders that need to be protected: D:\Folder1
Assignments:
Included groups: Group2, GroupB -
Windows Autopilot Configuration -
ADatum has a Windows Autopilot deployment profile configured as shown in the following exhibit.
Currently, there are no devices deployed by using Windows Autopilot.
The Intune connector for Active Directory is installed on Server1.
Requirements -
Planned Changes -
ADatum plans to implement the following changes:
Purchase a new Windows 10 device named Device6 and enroll the device in Intune
New computers will be deployed by using Windows Autopilot and will be hybrid Azure AD joined.
Deployed a network boundary configuration profile that will have the following settings:
Name: Boundary1 -
Network boundary: 192.168.1.0/24
Scope tags: Tag1 -
Assignments:
Included groups: Group1, Group2 -
Deploy two VPN configuration profiles named Connection1 and Connection2 that will have the following settings:
Name: Connection1 -
Connection name: VPN1 -
Connection type: L2TP -
Assignments:
Included groups: Group1, Group2, GroupA
Excluded groups: --
Name: Connection2 -
Connection type: IKEv2 -
Assignments:
Included groups: GroupA -
Excluded groups: GroupB -
Technical Requirements -
ADatum must meet the following technical requirements:
Users in GroupA must be able to deploy new computers.
Administrative effort must be minimized.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Correct Answer:
Question #2 Topic 1
Case study -
Overview -
Environment -
Users and Groups -
Devices -
Name: Protection1 -
Assignments:
Requirements -
Planned Changes -
Name: Boundary1 -
Scope tags: Tag1 -

Assignments:
Name: Connection1 -
Assignments:
Excluded groups: --
Name: Connection2 -
Assignments:
Which devices are registered by using the Windows Autopilot deployment service?
A. Device1 only
B. Device3 only
C. Device1 and Device3 only
D. Device1, Device2, and Device3
Correct Answer: C
Community vote distribution

A (84%) C (16%)
Question #3 Topic 1
HOTSPOT -
Case study -
Overview -
Environment -
Users and Groups -
Devices -
Name: Protection1 -
Assignments:
Requirements -
Planned Changes -
Name: Boundary1 -
Scope tags: Tag1 -
Assignments:
Name: Connection1 -
Assignments:
Excluded groups: --
Name: Connection2 -
Assignments:
Correct Answer:
Question #4 Topic 1
Case study -
Overview -
Environment -
Users and Groups -
Devices -
Name: Protection1 -
Assignments:
Requirements -
Planned Changes -
Name: Boundary1 -
Scope tags: Tag1 -
Assignments:
Name: Connection1 -
Assignments:
Excluded groups: --
Name: Connection2 -
Assignments:
You implement Boundary1 based on the planned changes.
Which devices have a network boundary of 192.168.1.0/24 applied?
A. Device2 only
B. Device3 only
C. Device1, Device2, and Device5 only
D. Device1, Device2, Device3, and Device4 only
Correct Answer: B

D (93%) 7%
Question #5 Topic 1
HOTSPOT -
You have a Microsoft 365 subscription.
You use Microsoft Intune Suite to manage devices.
You have the iOS app protection policy shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
Correct Answer:
Question #6 Topic 1
DRAG DROP -
You have a Microsoft 365 E5 subscription and a computer that runs Windows 11.
You need to create a customized installation of Microsoft 365 Apps for enterprise.
Which four actions should you perform in sequence? To answer, move the appropriate cmdlets from the list of cmdlets to the answer area and
arrange them in the correct order.
Correct Answer:
Question #7 Topic 1
You have devices enrolled in Microsoft Intune as shown in the following table.
On which devices can you apply app configuration policies?
A. Device2 only
B. Device1 and Device2 only
D. Device2, Device3, and Device4 only
E. Device1, Device2, Device3, and Device4
Correct Answer: C

C (100%)
Question #8 Topic 1
HOTSPOT -
You have an Azure AD tenant named contoso.com that contains the devices shown in the following table.
All devices contain an app named App1 and are enrolled in Microsoft Intune.
You need to prevent users from copying data from App1 and pasting the data into other apps.
Which type of policy and how many policies should you create in Intune? To answer, select the appropriate options in the answer area.
Correct Answer:
Question #9 Topic 1
You have a Microsoft 365 subscription that uses Microsoft Intune Suite.
You use Microsoft Intune to manage devices.
You plan to deploy two apps named App1 and App2 to all Windows devices. App1 must be installed before App2.
From the Intune admin center, you create and deploy two Windows app (Win32) apps.
You need to ensure that App1 is installed before App2 on every device.
What should you configure?
A. the App1 deployment configurations
B. a dynamic device group
C. a detection rule
D. the App2 deployment configurations
Correct Answer: C

D (96%) 4%
Question #10 Topic 1
You have a Microsoft Intune subscription.
You have devices enrolled in Intune as shown in the following table.
An app named App1 is installed on each device.
What is the minimum number of app configuration policies required to manage App1?
A. 1
B. 2
C. 3
D. 4
E. 5
Correct Answer: B

B (75%) A (25%)
You have a Microsoft 365 E5 subscription that contains 100 iOS devices enrolled in Microsoft Intune.
You need to deploy a custom line-of-business (LOB) app to the devices by using Intune.
Which extension should you select for the app package file?
A. .intunemac
B. .ipa
C. .apk
D. .appx
Correct Answer: B

B (100%)
You have a Microsoft 365 E5 subscription that contains a user named User1 and a web app named App1.
App1 must only accept modern authentication requests.
You plan to create a Conditional Access policy named CAPolicy1 that will have the following settings:
Assignments -
Users or workload identities: User1
Cloud apps or actions: App1 -
Access controls -
Grant: Block access -
You need to block only legacy authentication requests to App1.
Which condition should you add to CAPolicy1?
A. Filter for devices
B. Device platforms
C. User risk
D. Sign-in risk
E. Client apps
Correct Answer: E

E (100%)
HOTSPOT -
All users have Microsoft 365 apps deployed.
You need to configure Microsoft 365 apps to meet the following requirements:
Enable the automatic installation of WebView2 Runtime.
Prevent users from submitting feedback.
Which two settings should you configure in the Microsoft 365 Apps admin center? To answer, select the appropriate settings in the answer area.
Correct Answer:
You have 10 computers that run Windows 10 and are enrolled in mobile device management (MDM).
You need to deploy the Microsoft 365 Apps for enterprise suite to all the computers.
What should you do?
A. From the Microsoft Intune admin center, create a Windows 10 device profile.
B. From Azure AD, add an app registration.
C. From Azure AD, add an enterprise application.
D. From the Microsoft Intune admin center, add an app.
Correct Answer: A

D (98%)
You have a Windows 11 device named Device1 that is enrolled in Intune. Device1 has been offline for 30 days.
You need to remove Device1 from Intune immediately. The solution must ensure that if the device checks in again, any apps and data provisioned
by Intune are removed. User-installed apps, personal data, and OEM-installed apps must be retained.
What should you use?
A. a Delete action
B. a Retire action
C. a Fresh Start action
D. an Autopilot Reset action
Correct Answer: B

A (67%) B (28%) 2%
You need to review the startup times and restart frequencies of the devices.
A. Azure Monitor
B. Intune Data Warehouse
C. Microsoft Defender for Endpoint
D. Endpoint analytics
Correct Answer: D

D (100%)
HOTSPOT -
You have a Microsoft 365 E5 subscription.
You create a new update rings policy named Policy1 as shown in the following exhibit.

Correct Answer:
You have computers that run Windows 10 and connect to an Azure Log Analytics workspace. The workspace is configured to collect all available
events from the Windows event logs.
The computers have the logged events shown in the following table.
Which events are collected in the Log Analytics workspace?
A. 1 only
B. 2 and 3 only
C. 1 and 3 only
D. 1, 2, and 4 only
E. 1, 2, 3, and 4
Correct Answer: D

D (72%) E (28%)
You have a Microsoft 365 E5 subscription that contains 10 Android Enterprise devices. Each device has a corporate-owned work profile and is
enrolled in Microsoft Intune.
You need to configure the devices to run a single app in kiosk mode.
Which Configuration settings should you modify in the device restrictions profile?
A. Users and Accounts
B. General
C. System security
D. Device experience
Correct Answer: D

D (100%)
You have a Microsoft 365 E5 subscription that contains 500 macOS devices enrolled in Microsoft Intune.
You need to ensure that you can apply Microsoft Defender for Endpoint antivirus policies to the macOS devices. The solution must minimize
administrative effort.
What should you do?
A. Onboard the macOS devices to the Microsoft Purview compliance portal.
B. From the Microsoft Intune admin center, create a security baseline.
C. Install Defender for Endpoint on the macOS devices.
D. From the Microsoft Intune admin center, create a configuration profile.
Correct Answer: C

D (75%) C (25%)
You have an Azure AD tenant and 100 Windows 10 devices that are Azure AD joined and managed by using Microsoft Intune.
You need to configure Microsoft Defender Firewall and Microsoft Defender Antivirus on the devices. The solution must minimize administrative
effort.
Which two actions should you perform? Each correct answer presents part of the solution.
A. To configure Microsoft Defender Antivirus, create a Group Policy Object (GPO) and configure the Windows Defender Antivirus settings.
B. To configure Microsoft Defender Firewall, create a device configuration profile and configure the Device restrictions settings.
C. To configure Microsoft Defender Antivirus, create a device configuration profile and configure the Endpoint protection settings.
D. To configure Microsoft Defender Antivirus, create a device configuration profile and configure the Device restrictions settings.
E. To configure Microsoft Defender Firewall, create a device configuration profile and configure the Endpoint protection settings.
F. To configure Microsoft Defender Firewall, create a Group Policy Object (GPO) and configure Windows Defender Firewall with Advanced
Security.
Correct Answer: CE

DE (64%) CE (17%) Other
You have an Azure AD group named Group1. Group1 contains two Windows 10 Enterprise devices named Device1 and Device2.
You create a device configuration profile named Profile1. You assign Profile1 to Group1.
You need to ensure that Profile1 applies to Device1 only.
What should you modify in Profile1?
A. Assignments
B. Settings
C. Scope (Tags)
D. Applicability Rules
Correct Answer: C

A (80%) D (17%)
DRAG DROP -
You have a Microsoft 365 subscription that includes Microsoft Intune.
You need to implement a Microsoft Defender for Endpoint solution that meets the following requirements:
Enforces compliance for Defender for Endpoint by using Conditional Access
Prevents suspicious scripts from running on devices
What should you configure? To answer, drag the appropriate features to the correct requirements. Each feature may be used once, more than once,
or not at all. You may need to drag the split bar between panes or scroll to view content.
Correct Answer:
Your network contains an on-premises Active Directory domain and an Azure AD tenant.
The Default Domain Policy Group Policy Object (GPO) contains the settings shown in the following table.
You need to migrate the existing Default Domain Policy GPO settings to a device configuration profile.
Which device configuration profile type template should you use?
A. Administrative Templates
B. Endpoint protection
C. Device restrictions
D. Custom
Correct Answer: C

C (73%) D (15%) 12%
You have 100 computers that run Windows 10 and connect to an Azure Log Analytics workspace.
Which three types of data can you collect from the computers by using Log Analytics? Each correct answer presents a complete solution.
A. failure events from the Security log
B. the list of processes and their execution times
C. the average processor utilization
D. error events from the System log
E. third-party application logs stored as text files
Correct Answer: CDE

CDE (56%) ACE (22%) 11% 11%
You have a Microsoft 365 E5 subscription. The subscription contains 25 computers that run Windows 11 and are enrolled in Microsoft Intune.
You need to onboard the devices to Microsoft Defender for Endpoint.
What should you create in the Microsoft Intune admin center?
A. an attack surface reduction (ASR) policy
B. a security baseline
C. an endpoint detection and response (EDR) policy
D. an account protection policy
E. an antivirus policy
Correct Answer: C

C (89%) 11%
Your company uses Microsoft Intune to manage devices.
You need to ensure that only Android devices that use Android work profiles can enroll in Intune.
Which two configurations should you perform in the device enrollment restrictions? Each correct answer presents part of the solution.
A. From Platform Settings, set Android device administrator Personally Owned to Block.
B. From Platform Settings, set Android Enterprise (work profile) to Allow.
C. From Platform Settings, set Android device administrator Personally Owned to Allow.
D. From Platform Settings, set Android device administrator to Block.
Correct Answer: BD

BD (100%)
HOTSPOT -
You have the device configuration profile shown in the following exhibit.
Correct Answer:
HOTSPOT -
You have 100 Windows 10 devices enrolled in Microsoft Intune.
You need to configure the devices to retrieve Windows updates from the internet and from other computers on a local network.
Which Delivery Optimization setting should you configure, and which type of Intune object should you create? To answer, select the appropriate
options in the answer area.
Correct Answer:
HOTSPOT -
You have an Azure AD tenant that contains the users shown in the following table.
From Intune, you create and send a custom notification named Notification1 to Group1.
Correct Answer:
You use Microsoft Intune and Intune Data Warehouse.
You need to create a device inventory report that includes the data stored in the data warehouse.
What should you use to create the report?
A. the Company Portal app
B. Endpoint analytics
C. the Azure portal app
D. Microsoft Power BI
Correct Answer: D

D (100%)
You have a Microsoft 365 E5 subscription and 25 Apple iPads.
You need to enroll the iPads in Microsoft Intune by using the Apple Configurator enrollment method.
What should you do first?
A. Configure an Apply MDM push certificate.
B. Add your user account as a device enrollment manager (DEM).
C. Modify the enrollment restrictions.
D. Upload a file that has the device identifiers for each iPad.
Correct Answer: A

A (100%)
HOTSPOT -
You have 100 computers that run Windows 10. You have no servers. All the computers are joined to Azure AD.
The computers have different update settings, and some computers are configured for manual updates.
You need to configure Windows Update. The solution must meet the following requirements:
The configuration must be managed from a central location.
Internet traffic must be minimized.
Costs must be minimized.
How should you configure Windows Update? To answer, select the appropriate options in the answer area.
Correct Answer:
You have a Microsoft 365 E5 subscription that contains 150 hybrid Azure AD joined Windows devices. All the devices are enrolled in Microsoft
Intune.
You need to configure Delivery Optimization on the devices to meet the following requirements:
Allow downloads from the internet and from other computers on the local network.
Limit the percentage of used bandwidth to 50.
A. a configuration profile
B. a Windows Update for Business Group Policy setting
C. a Microsoft Peer-to-Peer Networking Services Group Policy setting
D. an Update ring for Windows 10 and later profile
Correct Answer: C

A (100%)
Your network contains an Active Directory domain named contoso.com. The domain contains a computer named Computer1 that runs Windows
10.
You have the groups shown in the following table.
Which groups can you add to Group4?
A. Group2 only
B. Group1 and Group2 only
C. Group2 and Group3 only
D. Group1, Group2, and Group3
Correct Answer: D

A (67%) C (29%) 4%
DRAG DROP -
You have a Microsoft 365 subscription. The subscription contains computers that run Windows 11 and are enrolled in Microsoft Intune.
You need to create a compliance policy that meets the following requirements:
Requires BitLocker Drive Encryption (BitLocker) on each device
Requires a minimum operating system version
Which setting of the compliance policy should you configure for each requirement? To answer, drag the appropriate settings to the correct
requirements. Each setting may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view
content.
Correct Answer:
HOTSPOT -
You have a Microsoft 365 E5 subscription that uses Microsoft Intune.
You have the Windows 11 devices shown in the following table.
You deploy the device compliance policy shown in the exhibit. (Click the Exhibit tab.)
Correct Answer:
DRAG DROP -
You have a Microsoft 365 subscription that contains the devices shown in the following table.
You need to ensure that only devices running trusted firmware or operating system builds can access network resources.
Which compliance policy setting should you configure for each device? To answer, drag the appropriate settings to the correct devices. Each
setting may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
Correct Answer:
DRAG DROP -
You have a Microsoft 365 subscription that contains 1,000 Windows 11 devices enrolled in Microsoft Intune.
You plan to create and monitor the results of a compliance policy used to validate the BIOS version of the devices.
Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and
Correct Answer:
DRAG DROP -
You have a computer that runs Windows 10 and contains two local users named User1 and User2.
You need to ensure that the users can perform the following actions:
User1 must be able to adjust the date and time.
User2 must be able to clear Windows logs.
The solution must use the principle of least privilege.
To which group should you add each user? To answer, drag the appropriate groups to the correct users. Each group may be used once, more than
once, or not at all. You may need to drag the split bar between panes or scroll to view content.
Correct Answer:
HOTSPOT -
You have an Azure AD tenant named contoso.com.
You have the devices shown in the following table.
Which devices can be Azure AD joined, and which devices can be registered in contoso.com? To answer, select the appropriate options in the
answer area.
Correct Answer:
HOTSPOT -
You have an Azure AD tenant named contoso.com that contains the users shown in the following table.
You have a computer named Computer1 that runs Windows 10. Computer1 is in a workgroup and has the local users shown in the following table.
UserA joins Computer1 to Azure AD by using [email protected].
Correct Answer:
Your network contains an Active Directory domain. The domain contains a user named Admin1. All computers run Windows 10.
You enable Windows PowerShell remoting on the computers.
You need to ensure that Admin1 can establish remote PowerShell connections to the computers. The solution must use the principle of least
privilege.
To which group should you add Admin1?
A. Access Control Assistance Operators
B. Remote Desktop Users
C. Power Users
D. Remote Management Users
Correct Answer: B

D (95%) 5%
HOTSPOT -
You have a Microsoft Intune subscription.
You are creating a Windows Autopilot deployment profile named Profile1 as shown in the following exhibit. Profile1 will be deployed to Windows
10 devices.

Correct Answer:
HOTSPOT -
You have a server named Server1 and computers that run Windows 10. Server1 has the Microsoft Deployment Toolkit (MDT) installed.
You plan to upgrade the Windows 10 computers to Windows 11 by using the MDT deployment wizard.
You need create a deployment share on Server1.
What should you do on Server1, and what are the minimum components you should add to the MDT deployment share? To answer, select the
appropriate options in the answer area.
Correct Answer:
DRAG DROP -
You have a Microsoft Deployment Toolkit (MDT) server named MDT1.
When computers start from the LiteTouchPE_x64.iso image and connect to MDT1, the welcome screen appears as shown in the following exhibit.
You need to prevent the welcome screen from appearing when the computers connect to MDT1.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and
Correct Answer:
You use Windows Admin Center to remotely administer computers that run Windows 10.
When connecting to Windows Admin Center, you receive the message shown in the following exhibit.
You need to prevent the message from appearing when you connect to Windows Admin Center.
To which certificate store should you import the certificate?
A. Client Authentication Issuers
B. Personal
C. Trusted Root Certification Authorities
Correct Answer: C

C (100%)
HOTSPOT -
You have an Azure AD tenant named contoso.com that contains the devices shown in the following table.
Contoso.com contains the Azure AD groups shown in the following table.
You add a Windows Autopilot deployment profile. The profile is configured as shown in the following exhibit.

Correct Answer:
HOTSPOT -
Your network contains an Active Directory domain. The domain contains 1,000 computers that run Windows 11.
You need to configure the Remote Desktop settings of all the computers. The solution must meet the following requirements:
Prevent the sharing of clipboard contents.
Ensure that users authenticate by using Network Level Authentication (NLA).
Which two nodes of the Group Policy Management Editor should you use? To answer, select the appropriate nodes in the answer area.
Correct Answer:
HOTSPOT -
Azure AD joined Windows devices enroll automatically in Intune.
You are preparing to upgrade the devices to Windows11. All the devices are compatible with Windows 11.
You need to evaluate Windows Autopilot and in-place upgrade as deployment methods to implement Windows 11 Pro on the devices, while
retaining all user settings and applications.
Which devices can be upgraded by using each method? To answer, select the appropriate options in the answer area.
Correct Answer:
DRAG DROP -
You have 100 computers that run Windows 10.
You plan to deploy Windows 11 to the computers by performing a wipe and load installation.
You need to recommend a method to retain the user settings and the user data.
Which three actions should you recommend be performed in sequence? To answer, move the appropriate actions from the list of actions to the
answer area and arrange them in the correct order.
Correct Answer:
You use Windows Autopilot to deploy Windows 11 to devices.
A support engineer reports that when a deployment fails, they cannot collect deployment logs from failed device.
You need to ensure that when a deployment fails, the deployment logs can be collected.
A. the automatic enrollment settings
B. the Windows Autopilot deployment profile
C. the enrollment status page (ESP) profile
D. the device configuration profile
Correct Answer: C

C (100%)
You have a Microsoft 365 E5 subscription that contains a user named User1 and uses Microsoft Intune Suite.
You have a device named Devic1 that is enrolled in Intune.
You need to ensure that User1 can use Remote Help from the Intune admin center for Device1.
Which three actions should you perform? Each correct answer presents part of the solution.
A. Deploy the Remote Help app to Device1.
B. Assign the Help Desk Operator role to User1.
C. Assign the Intune Administrator role to User1.
D. Assign a Microsoft 365 E5 license to User1.
E. Rerun device onboarding on Device1.
F. Assign the Remote Help add-on license to User1.
Correct Answer: ABE

ABF (79%) ABD (21%)
You have a Windows 11 capable device named Device1 that runs the 64-bit version of Windows 10 Enterprise and has Microsoft Office 2019
installed.
You have the Windows 11 Enterprise images shown in the following table.
Which images can be used to perform an in-place upgrade of Device1?
A. Image1 only
B. Image2 only
C. Image1 and Image2
Correct Answer: B

B (100%)
HOTSPOT -
Your network contains an on-premises Active Directory Domain Services (AD DS) domain that syncs with an Azure AD tenant by using Azure AD
Connect.
You use Microsoft Intune and Configuration Manager to manage devices.
You need to recommend a deployment plan for new Windows 11 devices. The solution must meet the following requirements:
Devices for the marketing department must be joined to the AD DS domain only. The IT department will install complex applications on the
devices at build time, before giving the devices to the marketing department users.
Devices for the sales department must be Azure AD joined. The devices will be shipped directly from the manufacturer to the homes of the sales
department users.
Which deployment method should you recommend for each department? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth point.
Correct Answer:
You have a Microsoft Deployment Toolkit (MDT) deployment share named DS1.
In the Out-of-Box Drivers node, you create folders that contain drivers for different hardware models.
You need to configure the Inject Drivers MDT task to use PnP detection to install the drivers for one of the hardware models.
A. Import an OS package.
B. Create a selection profile.
C. Add a Gather task to the task sequence.
D. Add a Validate task to the task sequence.
Correct Answer: B

B (100%)
You have an on-premises server named Server1 that hosts a Microsoft Deployment Toolkit (MDT) deployment share named MDT1.
You need to ensure that MDT1 supports multicast deployments.
What should you install on Server1?
A. Multipath I/O (MPIO)
B. Multipoint Connector
C. Windows Deployment Services (WDS)
D. Windows Server Update Services (WSUS)
Correct Answer: C

C (100%)
Your company standardizes on Windows 10 Enterprise for all users.
Some users purchase their own computer from a retail store. The computers run Windows 10 Pro.
You need to recommend a solution to upgrade the computers to Windows 10 Enterprise, join the computers to Azure AD, and install several
Microsoft Store apps. The solution must meet the following requirements:
Ensure that any applications installed by the users are retained.
Minimize user intervention.
What is the best recommendation to achieve the goal? More than one answer choice may achieve the goal. Select the BEST answer.
A. Windows Autopilot
B. Microsoft Deployment Toolkit (MDT)
C. a Windows Configuration Designer provisioning package
D. Windows Deployment Services (WDS)
Correct Answer: C

C (63%) A (37%)
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your company has an Azure AD tenant named contoso.com that contains several Windows 10 devices.
When you join new Windows 10 devices to contoso.com, users are prompted to set up a four-digit pin.
You need to ensure that the users are prompted to set up a six-digit pin when they join the Windows 10 devices to contoso.com.
Solution: From the Microsoft Entra admin center, you modify the User settings and the Device settings.
Does this meet the goal?
A. Yes
B. No
Correct Answer: B

B (100%)
Solution: From the Microsoft Entra admin center, you configure automatic mobile device management (MDM) enrollment. From the Microsoft
Intune admin center, you create and assign a device restrictions profile.
A. Yes
B. No
Correct Answer: B

B (56%) A (44%)
Solution: From the Microsoft Entra admin center, you configure automatic mobile device management (MDM) enrollment. From the Microsoft
Intune admin center, you configure the Windows Hello for Business enrollment options.
A. Yes
B. No
Correct Answer: A

A (100%)
Case study -
Overview -
Contoso, Ltd. is a consulting company that has a main office in Montreal and two branch offices in Seattle and New York.
Contoso has the users and computers shown in the following table.
The company has IT, human resources (HR), legal (LEG), marketing (MKG), and finance (FIN) departments.
Contoso recently purchased a Microsoft 365 subscription.
The company is opening a new branch office in Phoenix. Most of the users in the Phoenix office will work from home.
Existing Environment -
The network contains an Active Directory domain named contoso.com that is synced to Azure AD.
All member servers run Windows Server 2016. All laptops and desktop computers run Windows 10 Enterprise.
The computers are managed by using Microsoft Configuration Manager. The mobile devices are managed by using Microsoft Intune.
The naming convention for the computers is the department acronym, followed by a hyphen, and then four numbers, for example FIN-6785. All the
computers are joined to the on-premises Active Directory domain.
Each department has an organizational unit (OU) that contains a child OU named Computers. Each computer account is in the Computers OU of
its respective department.
Intune Configuration -
The domain has the users shown in the following table.
User2 is a device enrollment manager (DEM) in Intune.
The devices enrolled in Intune are shown in the following table.
The device compliance policies in Intune are configured as shown in the following table.
The device compliance policies have the assignments shown in the following table.
The device limit restrictions in Intune are configured as shown in the following table.
Requirements -
Planned changes -
Contoso plans to implement the following changes:
• Provide new computers to the Phoenix office users. The new computers have Windows 10 Pro preinstalled and were purchased already.
• Implement co-management for the computers.
Contoso must meet the following technical requirements:
• Ensure that the users in a group named Group4 can only access Microsoft Exchange Online from devices that are enrolled in Intune.
• Deploy Windows 10 Enterprise to the computers of the Phoenix office users by using Windows Autopilot.
• Create a provisioning package for new computers in the HR department.
• Block iOS devices from sending diagnostic and usage telemetry data.
• Use the principle of least privilege whenever possible.
• Enable the users in the MKG department to use App1.
• Pilot co-management for the IT department.
You need to meet the technical requirements for the iOS devices.
Which object should you create in Intune?
A. a deployment profile
B. an app protection policy
C. a device configuration profile
D. a compliance policy
Correct Answer: C

C (100%)
HOTSPOT
Case study
Overview
Existing Environment
Intune Configuration

Requirements
Planned changes
Technical Requirements
You are evaluating which devices are compliant.
Correct Answer:
Case study -
Overview -
Existing Environment -
Intune Configuration -
Requirements -
Planned changes -
You need to prepare for the deployment of the Phoenix office computers.
A. Generalize the computers and configure the Device settings from the Microsoft Entra admin center.
B. Extract the serial number of each computer to an XML file and upload the file from the Microsoft Intune admin center.
C. Extract the hardware ID information of each computer to a CSV file and upload the file from the Microsoft Intune admin center.
D. Generalize the computers and configure the Mobility (MDM and MAM) settings from the Microsoft Entra admin center.
E. Extract the serial number information of each computer to a CSV file and upload the file from the Microsoft Intune admin center.
Correct Answer: C

C (100%)
HOTSPOT
Case study
Overview

Requirements
Planned changes
What is the maximum number of devices that User1 and User2 can enroll in Intune? To answer, select the appropriate options in the answer area.
Correct Answer:
HOTSPOT
Case study
Overview

Requirements
Planned changes
To which devices do Policy1 and Policy2 apply? To answer, select the appropriate options in the answer area.
Correct Answer:
Your network contains an Active Directory domain named contoso.com. The domain contains two computers named Computer1 and Computer2
that run Windows 10.
On Computer1, you need to run the Invoke-Command cmdlet to execute several PowerShell commands on Computer2.
A. On Computer2, run the Enable-PSRemoting cmdlet.
B. On Computer2, add Computer1 to the Remote Management Users group.
C. From Active Directory, configure the Trusted for Delegation setting for the computer account of Computer2.
D. On Computer1, run the New-PSSession cmdlet.
Correct Answer: A

A (88%) 13%
You have an Azure AD tenant that contains the devices shown in the following table.
Which devices can be activated by using subscription activation?
A. Device1 only
D. Device1, Device2, Device3, and Device4
Correct Answer: C

C (100%)
You have 25 computers that run Windows 10 Pro.
You need to upgrade the computers to Windows 11 Enterprise by using an in-place upgrade. The solution must minimize administrative effort.
A. Microsoft Deployment Toolkit (MDT) and a default image of Windows 11 Enterprise
B. Microsoft Configuration Manager and a custom image of Windows 11 Enterprise
C. Windows Autopilot
D. Subscription Activation
Correct Answer: D

A (55%) C (29%) D (16%)
You use the Microsoft Deployment Toolkit (MDT) to manage Windows 11 deployments.
From Deployment Workbench, you modify the WinPE settings and add PowerShell support.
You need to generate a new set of WinPE boot image files that contain the updated settings.
What should you do?
A. From the Deployment Shares node, update the deployment share.
B. From the Advanced Configuration node, create new media.
C. From the Packages node, import a new operating system package.
D. From the Operating Systems node, import a new operating system.
Correct Answer: A

A (75%) B (25%)
You are replacing 100 company-owned Windows devices.
You need to use the Microsoft Deployment Toolkit (MDT) to securely wipe and decommission the devices. The solution must meet the following
requirements:
• Back up the user state.
• Minimize administrative effort.
Which task sequence template should you use?
A. Standard Client Task Sequence
B. Standard Client Replace Task Sequence
C. Litetouch OEM Task Sequence
D. Sysprep and Capture
Correct Answer: B

B (100%)
Your network contains an Active Directory domain. The domain contains a computer named Computer1 that runs Windows 11.
You need to enable the Windows Remote Management (WinRM) service on Computer1 and perform the following configurations:
• For the WinRM service, set Startup type to Automatic.
• Create a listener that accepts requests from any IP address.
• Enable a firewall exception for WS-Management communications.
Which PowerShell cmdlet should you use?
A. Connect-WSMan
B. Enable-PSRemoting
C. Invoke-WSManAction
D. Enable-PSSessionConfiguration
Correct Answer: B
HOTSPOT
Your network contains an on-premises Active Directory Domain Services (AD DS) domain that syncs with an Azure AD tenant. The tenant contains
the users shown in the following table.
You assign Windows 10/11 Enterprise E5 licenses to Group1 and User2.
You deploy the devices shown in the following table.
Correct Answer:
HOTSPOT
Your network contains an Active Directory domain named adatum.com, a workgroup, and computers that run Windows 10. The computers are
configured as shown in the following table.
The local Administrator accounts on Computer1, Computer2, and Computer3 have the same user name and password.
On Computer1, Windows Defender Firewall is configured as shown in the following exhibit.
The services on Computer1 have the following states.
Correct Answer:
You have a Hyper-V host that contains the virtual machines shown in the following table.
On which virtual machines can you install Windows 11?
A. VM1 only
B. VM3 only
C. VM1 and VM2 only
D. VM2 and VM3 only
E. VM1, VM2, and VM3
Correct Answer: B

B (100%)
HOTSPOT
You have a Microsoft 365 subscription that uses Microsoft Intune and contains the users shown in the following table.
Group2 has been assigned in the Enrollment Status Page.
You capture and upload the hardware IDs of the devices in the marketing department.
You configure Windows Autopilot.
Correct Answer:
QUESTION NO: 77 -
You have a Microsoft 365 subscription that contains a user named User1. User1 is assigned a Windows 10/11 Enterprise E3 license.
You use Microsoft Intune Suite to manage devices.
User1 activates the following devices:
• Device1: Windows 11 Enterprise
How many more devices can User1 activate?
A. 2
B. 3
C. 7
D. 8
Correct Answer: A

A (100%)
DRAG DROP
Your company has a computer named Computer1 that runs Windows 10.
Computer1 was used by a user who left the company.
You plan to repurpose Computer1 and assign the computer to a new user.
You need to redeploy Computer1 by using Windows Autopilot.
Correct Answer:
You use the Microsoft Deployment Toolkit (MDT) to deploy Windows 11.
You create a new task sequence by using the Standard Client Task Sequence template to deploy Windows 11 Enterprise to new computers. The
computers have a single hard disk.
You need to modify the task sequence to create a system volume and a data volume.
Which phase should you modify in the task sequence?
A. Initialization
B. State Restore
C. Preinstall
D. Postinstall
Correct Answer: C

C (100%)
You have a Microsoft Deployment Toolkit (MDT) deployment share.
From the Deployment Workbench, you open the New Task Sequence Wizard and select the Standard Client Upgrade Task Sequence task sequence
template.
You discover that there are no operating system images listed on the Select OS page as shown in the following exhibit.
You need to be able to select an operating system image to perform a Windows 11 in-place upgrade.
What should you do?
A. Enable monitoring for the deployment share.
B. Import a full set of source files.
C. Import a custom image file.
D. Run the Update Deployment Share Wizard.
Correct Answer: C

B (89%) 11%
Your company implements Azure AD, Microsoft 365, Microsoft Intune, and Azure Information Protection.
The company's security policy states the following:
• Personal devices do not need to be enrolled in Intune.
• Users must authenticate by using a PIN before they can access corporate email data.
• Users can use their personal iOS and Android devices to access corporate cloud services.
• Users must be prevented from copying corporate email data to a cloud storage service other than Microsoft OneDrive for Business.
You need to configure a solution to enforce the security policy.
What should you create?
A. a device configuration profile from the Microsoft Intune admin center
B. a data loss prevention (DLP) policy from the Microsoft Purview compliance portal
C. an insider risk management policy from the Microsoft Purview compliance portal
D. an app protection policy from the Microsoft Intune admin center
Correct Answer: D

D (100%)
You have a Microsoft 365 subscription that contains 500 Android Enterprise devices.
All the devices are enrolled in Microsoft Intune.
You need to deliver bookmarks to the Chrome browser on the devices.
A. a compliance policy
B. a configuration profile
C. an app protection policy
D. an app configuration policy
Correct Answer: C

D (81%) Other
You have a Microsoft 365 E5 subscription and 100 computers that run Windows 10.
You need to deploy Microsoft Office Professional Plus 2019 to the computers by using Microsoft Office Deployment Tool (ODT).
What should you use to create a customization file for ODT?
A. the Microsoft 365 admin center
B. the Microsoft Intune admin center
C. the Microsoft Purview compliance portal
D. the Microsoft 365 Apps admin center
Correct Answer: D

D (100%)
You have a Microsoft 365 subscription that contains 1,000 Windows 11 devices enrolled in Microsoft Intune.
You plan to use Intune to deploy an application named App1 that contains multiple installation files.
A. Prepare the contents of App1 by using the Microsoft Win32 Content Prep Tool.
B. Create an Android application package (APK).
C. Upload the contents of App1 to Intune.
D. Install the Microsoft Deployment Toolkit (MDT).
Correct Answer: C

A (94%) 6%
HOTSPOT
You have groups that use the Dynamic Device membership type as shown in the following table.
You are deploying Microsoft 365 apps.
In the Microsoft Intune admin center, you create a Microsoft 365 Apps app as shown in the exhibit. (Click the Exhibit tab.)
Correct Answer:
You have a Microsoft 365 subscription. All devices run Windows 10.
You need to prevent users from enrolling the devices in the Windows Insider Program.
What two configurations should you perform from the Microsoft Intune admin center? Each correct answer is a complete solution.
A. a device restrictions device configuration profile
B. an app configuration policy
C. a Windows 10 and later security baseline
D. a custom device configuration profile
E. a Windows 10 and later update ring
Correct Answer: DE

AD (50%) DE (40%) 10%
You have a Microsoft 365 E5 subscription that contains 100 Windows 10 devices enrolled in Microsoft Intune.
You plan to use Endpoint analytics.
You need to create baseline metrics.
A. Modify the Baseline regression threshold.
B. Onboard 10 devices to Endpoint analytics.
C. Create a Log Analytics workspace.
D. Create an Azure Monitor workbook.
Correct Answer: B

B (56%) C (44%)
You install a feature update on a computer that runs Windows 10.
How many days do you have to roll back the update?
A. 5
B. 10
C. 14
D. 30
Correct Answer: B

B (100%)
You have a Microsoft Azure subscription that contains an Azure Log Analytics workspace.
You deploy a new computer named Computer1 that runs Windows 10. Computer1 is in a workgroup.
You need to ensure that you can use Log Analytics to query events from Computer1.
What should you do on Computer1?
A. Join Azure AD.
B. Configure Windows Defender Firewall.
C. Create an event subscription
D. Install the Azure Monitor Agent.
Correct Answer: D

A (80%) D (20%)
You have a Microsoft 365 E5 subscription and 100 unmanaged iPad devices.
You need to deploy a specific iOS update to the devices. Users must be prevented from manually installing a more recent version of iOS.
A. Create a device configuration profile.
B. Enroll the devices in Microsoft Intune by using the Intune Company Portal.
C. Create a compliance policy.
D. Create an iOS app provisioning profile.
E. Enroll the devices in Microsoft Intune by using Apple Business Manager.
Correct Answer: AE

AE (75%) AB (25%)
You have an update ring named UpdateRing1 that contains the following settings:
• Automatic update behavior: Auto install and restart at a scheduled time
• Automatic behavior frequency: First week of the month
• Scheduled install day: Tuesday
• Scheduled install time: 3 AM
From the Microsoft Intune admin center, you select Uninstall for the feature updates of UpdateRing1.
When will devices start to remove the feature updates?
A. when a user approves the uninstall
B. as soon as the policy is received
C. next Tuesday
D. the first Tuesday of the next month
Correct Answer: B

B (100%)
You have a hybrid deployment of Azure AD that contains 50 Windows 10 devices. All the devices are enrolled in Microsoft Intune.
You discover that Group Policy settings override the settings configured in Microsoft Intune policies.
You need to ensure that the settings configured in Microsoft Intune override the Group Policy settings.
What should you do?
A. From Group Policy Management Editor, configure the Computer Configuration settings in the Default Domain Policy.
B. From the Microsoft Intune admin center, create a custom device profile.
C. From the Microsoft Intune admin center, create an Administrative Templates device profile.
D. From Group Policy Management Editor, configure the User Configuration settings in the Default Domain Policy.
Correct Answer: B

B (57%) C (43%)
You need to ensure that the startup performance of managed Windows 11 devices is captured and available for review in the Intune admin center.
A. the Azure Monitor agent
B. a device compliance policy
C. a Conditional Access policy
D. an Intune data collection policy
Correct Answer: A

D (100%)
HOTSPOT
Devices are enrolled in Intune as shown in the following table.
The devices are the members of groups as shown in the following table.
You create an iOS/iPadOS update profile as shown in the following exhibit.
Correct Answer:
You have a Microsoft Intune deployment that contains the resources shown in the following table.
You create a policy set named Set1 and add Comply1 to Set1.
Which additional resources can you add to Set1?
A. Conf1 only
B. Comply2 only
C. Comply2 and Conf1 only
D. CA1, Conf1, and Office1 only
E. Comply2, CA1, Conf1, and Office1
Correct Answer: C

C (100%)
You use Microsoft Defender for Endpoint to protect computers that run Windows 10.
You need to assess the differences between the configuration of Microsoft Defender for Endpoint and the Microsoft-recommended configuration
baseline.
Which tool should you use?
A. Microsoft Defender for Endpoint Power BI app
B. Microsoft Secure Score
C. Endpoint Analytics
D. Microsoft 365 Defender portal
Correct Answer: D

B (100%)
You have a Microsoft 365 E5 subscription that contains 1,000 Windows 11 devices. All the devices are enrolled in Microsoft Intune.
You plan to integrate Intune with Microsoft Defender for Endpoint.
You need to establish a service-to-service connection between Intune and Defender for Endpoint.
Which settings should you configure in the Microsoft Intune admin center?
A. Premium add-ons
B. Connectors and tokens
C. Tenant enrollment
D. Microsoft Tunnel Gateway
Correct Answer: B

B (67%) C (33%)
DRAG DROP
You have a Microsoft Intune subscription that is configured to use a PFX certificate connector to an on-premises Enterprise certification authority
(CA).
You need to use Intune to configure autoenrollment for Android devices by using public key pair (PKCS) certificates.
Correct Answer:
Your company uses Microsoft Intune.
More than 500 Android and iOS devices are enrolled in the Intune tenant.
You plan to deploy new Intune policies. Different policies will apply depending on the version of Android or iOS installed on the device.
You need to ensure that the policies can target the devices based on their version of Android or iOS.
What should you configure first?
A. groups that have dynamic membership rules in Azure AD
B. Device categories in Intune
C. Corporate device identifiers in Intune
D. Device settings in Azure AD
Correct Answer: A

A (61%) B (39%)
DRAG DROP
You have 500 Windows 10 devices enrolled in Microsoft Intune.
You plan to use Exploit protection in Microsoft Intune to enable the following system settings on the devices:
• Data Execution Prevention (DEP)
• Force randomization for images (Mandatory ASLR)
You need to configure a Windows 10 device that will be used to create a template file.
Which protection areas on the device should you configure in the Windows Security app before you create the template file? To answer, drag the
appropriate protection areas to the correct settings. Each protection area may be used once, more than once, or not at all. You may need to drag
the split bar between panes or scroll to view content.
Correct Answer:
You have a workgroup computer named Computer1 that runs Windows 11.
You need to add Computer1 to contoso.com.
A. dsregcmd.exe
B. Computer Management
C. netdom.exe
D. the Settings app
Correct Answer: D

D (89%) 11%
You use Microsoft Intune to manage Windows 11 devices.
You need to implement passwordless authentication that requires users to use number matching.
Which authentication method should you use?
A. Microsoft Authenticator
B. voice calls
C. FIDO2 security keys
D. text messages
Correct Answer: A

A (100%)
You use a Microsoft Intune subscription to manage iOS devices.
You configure a device compliance policy that blocks jailbroken iOS devices.
You need to enable Enhanced jailbreak detection.
A. the Compliance policy settings
B. the device compliance policy
C. a network location
D. a configuration profile
Correct Answer: B

B (83%) A (17%)
DRAG DROP
You have a Microsoft 365 subscription that contains two users named User1 and User2.
You need to ensure that the users can perform the following tasks:
• User1 must be able to create groups and manage users.
• User2 must be able to reset passwords for nonadministrative users.
The solution must use the principle of least privilege.
Which role should you assign to each user? To answer, drag the appropriate roles to the correct users. Each role may be used once, more than
once, or not at all. You may need to drag the split bar between panes or scroll to view content.
Correct Answer:
HOTSPOT
You have a Microsoft Intune subscription that has the following device compliance policy settings:
• Mark devices with no compliance policy assigned as: Compliant
• Compliance status validity period (days): 14
On January1, you enroll Windows 10 devices in Intune as shown in the following table.
On January 4, you create the following two device compliance policies:
• Name: Policy1
• Platform: Windows 10 and later
• Require BitLocker: Require
• Mark device noncompliant: 5 days after noncompliance
• Scope (Tags): Tag1
• Name: Policy2
• Platform: Windows 10 and later
• Firewall: Require
• Mark device noncompliant: Immediately
• Scope (Tags): Tag2
On January 5, you assign Policy1 and Policy2 to Group1.
Correct Answer:
HOTSPOT
You have computers that run Windows 11 as shown in the following table.
You have the groups shown in the following table.
You create and assign the compliance policies shown in the following table.
The next day, you review the compliance status of the computers.
Correct Answer:
Solution: From the Microsoft Entra admin center, you configure the Authentication methods.
A. Yes
B. No
Correct Answer: B

B (100%)
You have a Microsoft 365 tenant that contains the objects shown in the following table.
You are creating a compliance policy named Compliance1.
Which objects can you specify in Compliance1 as additional recipients of noncompliance notifications?
A. Group3 and Group4 only
B. Group3, Group4, and Admin1 only
C. Group1, Group2, and Group3 only
D. Group1, Group2, Group3, and Group4 only
E. Group1, Group2, Group3, Group4, and Admin1
Correct Answer: C

C (100%)
HOTSPOT
You have an Azure AD tenant named contoso.com that contains a user named User1. User1 has a user principal name (UPN) of
[email protected].
You join a Windows 11 device named Client1 to contoso.com.
You need to add User1 to the local Administrators group of Client1.
How should you complete the command? To answer, select the appropriate options in the answer area.
Correct Answer:
You need to provide a user the ability Security defaults and create Conditional Access policies. The solution must use the principle of least
privilege.
Which role should you assign to the user?
A. Global Administrator
B. Conditional Access Administrator
C. Security Administrator
D. Intune Administrator
Correct Answer: B

B (69%) C (31%)
HOTSPOT
In Microsoft Intune, you have the device compliance policies shown in the following table.
The Intune compliance policy settings are configured as shown in the following exhibit.
On June 1, you enroll Windows 10 devices in Intune as shown in the following table.
Correct Answer:
You have a Microsoft 365 subscription that contains a user named User1 and uses Microsoft Intune Suite.
You use Microsoft Intune to manage devices that run Windows 11.
User provides remote support for 75 devices in the marketing department.
You need to add User1 to the Remote Desktop Users group on each marketing department device.
A. an app configuration policy
C. an account protection policy
D. a device configuration profile
Correct Answer: B

C (94%) 6%
HOTSPOT
You have an Azure AD tenant named contoso.com that contains the users shown in the following table.
For contoso.com, the Mobility (MDM and MAM) settings have the following configurations:
• MDM user scope: Group1
• MAM user scope: Group2
You purchase the devices shown in the following table:
Correct Answer:
You use Microsoft Intune to deploy and manage Windows devices.
You have 100 devices from users that left your company.
You need to repurpose the devices for new users by removing all the data and applications installed by the previous users. The solution must
minimize administrative effort.
What should you do?
A. Deploy a new configuration profile to the devices.
B. Perform a Windows Autopilot reset on the devices.
C. Perform an in-place upgrade on the devices.
D. Perform a clean installation of Windows 11 on the devices.
Correct Answer: B

B (100%)
HOTSPOT
You create a Windows Autopilot deployment profile.
You need to configure the profile settings to meet the following requirements:
• Automatically enroll new devices and provision system apps without requiring end-user authentication
• Include the hardware serial number in the computer name.
Which two settings should you configure? To answer, select the appropriate settings in the answer area.

Correct Answer:
You have a computer named Computer1 that runs Windows 11.
A user named User1 plans to use Remote Desktop to connect to Computer1.
You need to ensure that the device of User1 is authenticated before the Remote Desktop connection is established and the sign in page appears.
A. Turn on Reputation-based protection
B. Enable Network Level Authentication (NLA)
C. Turn on Network Discovery
D. Configure the Remote Desktop Configuration service
Correct Answer: B

B (100%)
Which devices can be changed to Windows 11 Enterprise by using subscription activation?
A. Device3 only
Correct Answer: D

B (87%) 13%
HOTSPOT
Your network contains an Active Directory domain named adatum.com. The domain contains two computers named Computer1 and Computer2
that run Windows 10. Remote Desktop is enabled on Computer2.
The domain contains the user accounts shown in the following table.
Computer2 contains the local groups shown in the following table.
The relevant user rights assignments for Computer2 are shown in the following table.
Correct Answer:
You have two computers named Computer1 and Computer2 that run Windows 10. Computer2 has Remote Desktop enabled.
From Computer1, you connect to Computer2 by using Remote Desktop Connection.
You need to ensure that you can access the local drives on Computer1 from within the Remote Desktop session.
What should you do?
A. From Computer2, configure the Remote Desktop settings.
B. From Windows Defender Firewall on Computer1, allow Remote Desktop.
C. From Windows Defender Firewall on Computer2, allow File and Printer Sharing.
D. From Computer1, configure the Remote Desktop Connection settings.
Correct Answer: D

D (83%) A (17%)
You have a Microsoft 365 subscription that uses Microsoft Intune.
You have five new Windows 11 Pro devices.
You need to prepare the devices for corporate use. The solution must meet the following requirements:
• Install Windows 11 Enterprise on each device.
• Install a Windows Installer (MSI) package named App1 on each device.
• Add a certificate named Certificate1 that is required by App1.
• Join each device to Azure AD.
Which three provisioning options can you use? Each correct answer presents a complete solution.
A. subscription activation
B. a custom Windows image
C. an in-place upgrade
D. Windows Autopilot
E. provisioning packages
Correct Answer: BDE

BDE (55%) ADE (45%)
DRAG DROP
You have a Microsoft Deployment Toolkit (MDT) deployment share named DS1.
You import a Windows 11 image to DS1.
You have an executable installer for an application named App1.
You need to ensure that App1 will be installed for all the task sequences that deploy the image.
Correct Answer:
HOTSPOT
You need to migrate app data from Device1 to Device2. The data must be encrypted and stored on Server1 during the migration.
Which command should you run on each device? To answer, select the appropriate options in the answer area.
Correct Answer:
You plan to use Windows Autopilot to provision 25 Windows 11 devices.
You need to configure the Out-of-box experience (OOBE) settings.
What should you create in the Microsoft Intune admin center?
A. an enrollment status page (ESP)
B. a deployment profile
C. a compliance policy
D. a PowerShell script
E. a configuration profile
Correct Answer: B

B (100%)
You have an Azure AD tenant that contains the devices shown in the following table.
You purchase Windows 11 Enterprise E5 licenses.
Which devices can use Subscription Activation to upgrade to Windows 11 Enterprise?
A. Device1 only
D. Device1, Device2, Device3, and Device4
Correct Answer: C

A (100%)
You have a Microsoft 365 Subscription that uses Microsoft Intune.
You add apps to Intune as shown in the following table.
You need to create an app configuration policy named Policy1 for the Android Enterprise platform.
Which apps can you manage by using Policy1?
A. App2 only
B. App3 only
C. App1 and App3 only
D. App2 and App3 only
E. App1, App2, and App3
Correct Answer: B

B (100%)
You need to ensure that you can deploy apps to Android Enterprise devices.
A. Create a configuration profile.
B. Add a certificate connector.
C. Configure the Partner device management settings.
D. Link your managed Google Play account to Intune.
Correct Answer: D

D (100%)
You have a Microsoft 365 tenant that uses Microsoft Intune.
You use the Company Portal app to access and install published apps to enrolled devices.
From the Microsoft Intune admin center, you add a Microsoft Store app.
Which two App information types are visible in the Company Portal?
A. Privacy URL
B. Information URL
C. Developer
D. Owner
Correct Answer: AC

AB (100%)
HOTSPOT
You have 200 computers that run Windows 10. The computers are joined to Azure AD and enrolled in Microsoft Intune.
You need to set a custom image as the wallpaper and sign-in screen.
Which two settings should you configure in the Device restrictions configuration profile? To answer, select the appropriate settings in the answer
area.

Correct Answer:
You have computers that run Windows 11 Pro. The computers are joined to Azure AD and enrolled in Microsoft Intune.
You need to upgrade the computers to Windows 11 Enterprise.
What should you configure in Intune?
A. a device compliance policy
B. a device cleanup rule
C. a device enrollment policy
D. a device configuration profile
Correct Answer: D

D (83%) C (17%)
You have computers that run Windows 10 and are managed by using Microsoft Intune.
Users store their files in a folder named D:\Folder1.
You need to ensure that only a trusted list of applications is granted write access to D:\Folder1.
What should you configure in the device configuration profile?
A. Microsoft Defender Exploit Guard
B. Microsoft Defender Application Guard
C. Microsoft Defender SmartScreen
D. Microsoft Defender Application Control
Correct Answer: A

A (50%) D (50%)
HOTSPOT
You have a Microsoft 365 E5 subscription that contains 100 Windows 10 devices enrolled in Microsoft Intune.
You need to create Endpoint security policies to meet the following requirements:
• Hide the Firewall & network protection area in the Windows Security app.
• Disable the provisioning of Windows Hello for Business on the devices.
Which two policy types should you use? To answer, select the policies in the answer area.
Correct Answer:
You have a Microsoft 365 subscription that contains 100 devices enrolled in Microsoft Intune.
You need to review the startup processes and how often each device restarts.
A. Endpoint analytics
B. Device Management
C. Azure Monitor
D. Intune Data Warehouse
Correct Answer: D

A (100%)
DRAG DROP
You have a Microsoft 365 subscription that contains devices enrolled in Microsoft Intune.
You need to create Endpoint security policies to enforce the following requirements:
• Computers that run macOS must have FileVault enabled.
• Computers that run Windows 10 must have Microsoft Defender Credential Guard enabled.
• Computers that run Windows 10 must have Microsoft Defender Application Control enabled.
Which Endpoint security feature should you use for each requirement? To answer, drag the appropriate features to the correct requirements. Each
feature may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
Correct Answer:
Your company has 200 computers that run Windows 10. The computers are managed by using Microsoft Intune.
Currently, Windows updates are downloaded without using Delivery Optimization.
You need to configure the computers to use Delivery Optimization.
What should you create in Intune?
B. a Windows 10 update ring
D. an app protection policy
Correct Answer: C

C (100%)
Auto-enrollment in Intune is configured.
You have 100 Windows 11 devices in a workgroup.
You need to connect the devices to the corporate wireless network and enroll 100 new Windows 11 devices in Intune.
A. a provisioning package
B. a Group Policy Object (GPO)
C. mobile device management (MDM) automatic enrollment
D. a device configuration policy
Correct Answer: C

A (100%)
HOTSPOT
You have a Microsoft 365 tenant that uses Microsoft Intune to manage personal and corporate devices. The tenant contains Windows 10 devices
as shown in the following exhibit.
How will Intune classify each device after the devices are enrolled in Intune automatically? To answer, select the appropriate options in the answer
area.
Correct Answer:
You use Microsoft Intune to manage devices. All devices are in the same time zone.
You create an update rings policy and assign the policy to all Windows devices.
On the November 1, you pause the update rings policy.
All devices remain online.
Without further modification to the policy, on which date will the devices next attempt to update?
A. December 1
B. December 6
C. November 15
D. November 22
Correct Answer: B

B (100%)
You have a Microsoft 365 E5 subscription that contains the devices shown in the following table.
All devices have Microsoft Edge installed.
From the Microsoft Intune admin center, you create a Microsoft Edge Baseline profile named Edge1.
You need to apply Edge1 to all the supported devices.
To which devices should you apply Edge1?
A. Device1 only
Correct Answer: B

B (100%)
HOTSPOT
You plan to manage Windows updates by using Intune.
You create an update ring for Windows 10 and later and configure the User experience settings for the ring as shown in the following exhibit.

Correct Answer:
You have a Microsoft 365 tenant.
You have devices enrolled in Microsoft Intune.
You assign a conditional access policy named Policy1 to a group named Group1. Policy1 restricts devices marked as noncompliant from
accessing Microsoft OneDrive for Business.
You need to identify which noncompliant devices attempt to access OneDrive for Business.
What should you do?
A. From the Microsoft Entra admin center, review the Conditional Access Insights and Reporting workbook.
B. From the Microsoft Intune admin center, review Device compliance report.
C. From the Microsoft Intune admin center, review the Noncompliant devices report.
D. From the Microsoft Intune admin center, review the Setting compliance report.
Correct Answer: C

A (88%) 13%
HOTSPOT
You are designing a reporting solution that will provide reports on the following:
• Compliance policy trends
• Trends in device and user enrollment
• App and operating system version breakdowns of mobile devices
You need to recommend a data source and a data visualization tool for the design.
What should you recommend? To answer, select the appropriate options in the answer area.
Correct Answer:
Your network contains an Active Directory domain. The domain contains 2,000 computers that run Windows 10.
You implement hybrid Azure AD and Microsoft Intune.
You need to automatically register all the existing computers to Azure AD and enroll the computers in Intune. The solution must minimize
A. an Autodiscover address record
B. a Group Policy object (GPO)
C. an Autodiscover service connection point (SCP)
D. a Windows Autopilot deployment profile
Correct Answer: D

B (94%) 6%
HOTSPOT
You have two computers that run Windows 10. The computers are enrolled in Microsoft Intune as shown in the following table.
Windows 10 update rings are defined in Intune as shown in the following table.
You assign the update rings as shown in the following table.
What is the effect of the configurations on Computer1 and Computer2? To answer, select the appropriate options in the answer area.
Correct Answer:
HOTSPOT
You need to configure an Intune device configuration profile to meet the following requirements:
• Prevent Microsoft Office applications from launching child processes.
• Block users from transferring files over FTP.
Which two settings should you configure in the Endpoint protection configuration profile? To answer, select the appropriate settings in the answer
area.

Correct Answer:
You have following types of devices enrolled in Microsoft Intune:
• Windows 10
• Android
• iOS
For which types of devices can you create VPN profiles in Microsoft Intune admin center?
A. Windows 10 only
B. Windows 10 and Android only
C. Windows 10 and iOS only
D. Android and iOS only
E. Windows 10, Android, and iOS
Correct Answer: D

E (100%)
You are creating a device configuration profile in Microsoft Intune.
You need to configure specific OMA-URI settings in the profile.
Which profile type template should you use?
A. Device restrictions (Windows 10 Team)
B. Identity protection
C. Custom
D. Device restrictions
Correct Answer: C

C (100%)
HOTSPOT
You have a Microsoft 365 subscription that uses Microsoft Intune and contains the users shown in the following table.
You create a policy set named Set1 as shown in the exhibit. (Click the Exhibit tab.)
You enroll devices in Intune as shown in the following table.

Correct Answer:
HOTSPOT
You have a Microsoft 365 subscription that contains 1,000 iOS devices. The devices are enrolled in Microsoft Intune as follows:
• Two hundred devices are enrolled by using the Intune Company Portal.
• Eight hundred devices are enrolled by using Apple Automated Device Enrollment (ADE).
You create an iOS/iPadOS software updates policy named Policy1 that is configured to install iOS/iPadOS 15.5.
How many iOS devices will Policy1 update, and what should you configure to ensure that only iOS/iPadOS 15.5 is installed? To answer, select the
appropriate options in the answer area.
Correct Answer:
HOTSPOT
Case study
Overview
Environment
Network Environment
Users and Groups
Devices

Microsoft Intune Configuration
• MDM user scope: GroupA
• MAM user scope: GroupB
• Name: Protection1
• Folder protection: Enable
• List of apps that have access to protected folders: C:\*\AppA.exe
• List of additional folders that need to be protected: D:\Folder1
• Assignments:
- Included groups: Group2, GroupB
Windows Autopilot Configuration

Requirements
Planned Changes

• Purchase a new Windows 10 device named Device6 and enroll the device in Intune
• New computers will be deployed by using Windows Autopilot and will be hybrid Azure AD joined.
• Deployed a network boundary configuration profile that will have the following settings:
- Name: Boundary1
- Network boundary: 192.168.1.0/24
- Scope tags: Tag1
- Assignments:
- Included groups: Group1, Group2
• Deploy two VPN configuration profiles named Connection1 and Connection2 that will have the following settings:
- Name: Connection1
- Connection name: VPN1
- Connection type: L2TP
- Assignments:
- Included groups: Group1, Group2, GroupA
- Excluded groups: --
- Name: Connection2
- Connection type: IKEv2
- Assignments:
- Included groups: GroupA
- Excluded groups: GroupB
• Users in GroupA must be able to deploy new computers.
• Administrative effort must be minimized.
Correct Answer:
Case study -
Overview -
Environment -
Users and Groups -
Devices -

• Assignments:
Requirements -
Planned Changes -
- Name: Boundary1
- Scope tags: Tag1
- Assignments:
- Name: Connection1
- Assignments:
- Name: Connection2
- Assignments:
You need to ensure that computer objects can be created as part of the Windows Autopilot deployment. The solution must meet the technical
requirements.
To what should you grant the right to create the computer objects?
A. Server1
B. DC1
C. GroupA
D. Server2
Correct Answer: A

A (100%)
HOTSPOT
Case study
Overview
Environment
Network Environment
Users and Groups
Devices

Microsoft Intune Configuration
• Assignments:
Windows Autopilot Configuration

Requirements
Planned Changes

- Name: Boundary1
- Scope tags: Tag1
- Assignments:
- Name: Connection1
- Assignments:
- Name: Connection2
- Assignments:
Correct Answer:
Case study -
Overview -
Environment -
Users and Groups -
Devices -

• Assignments:
Requirements -
Planned Changes -
- Name: Boundary1
- Scope tags: Tag1
- Assignments:
- Name: Connection1
- Assignments:
- Name: Connection2
- Assignments:
Which user can enroll Device6 in Intune?
A. User4 and User1 only
B. User4 and User2 only
C. User4, User1, and User2 only
D. User1, User2, User3, and User4
Correct Answer: D
You have a Microsoft 365 subscription that contains 1,000 iOS devices and includes Microsoft Intune.
You need to prevent the printing of corporate data from managed apps on the devices.
B. a security baseline
C. an app protection policy
D. an iOS app provisioning profile
Correct Answer: C

C (100%)
You have a Microsoft 365 E5 subscription that contains the users shown in the following table.
In the Microsoft 365 Apps admin center, you create a Microsoft Office customization.
Which users can download the Office customization file from the admin center?
A. Admin3 only
B. Admin1 and Admin3 only
C. Admin3 and Admin4 only
D. Admin1, Admin2, and Admin3 only
E. Admin1, Admin2, Admin3, Admin4
Correct Answer: D

C (100%)
You need to download a report that lists all the devices that are NOT enrolled in Microsoft Intune and are assigned an app protection policy.
What should you select in the Microsoft Intune admin center?
A. Reports, and then Device compliance
B. Apps, and then App protection policies
C. Devices, and then Monitor
D. Apps, and then Monitor
Correct Answer: B

D (38%) B (31%) A (15%) Other
You have a Microsoft 365 tenant that contains the objects shown in the following table.
In the Microsoft Intune admin center, you are creating a Microsoft 365 Apps app named App1.
To which objects can you assign App1?
A. Group3 and Group4 only
B. Admin1, Group3, and Group4 only
C. Group1, Group3, and Group4 only
D. Group1, Group2, Group3, and Group4 only
E. Admin1, Group1, Group2, Group3, and Group4
Correct Answer: C

C (100%)
HOTSPOT
You create an app protection policy for Android device named Policy1 as shown in the following exhibit.
Correct Answer:
You have 500 corporate-owned Android devices enrolled as fully managed devices.
You need to prepare an app named App1 for deployment to the devices.
A. From the Intune Company Portal, download App1.
B. Sync App1 with Intune.
C. From the Managed Google Play Store, approve App1.
D. Create an OEMConfig profile.
Correct Answer: BC

BC (80%) AC (20%)
You have the Windows 10 devices shown in the following table.
You plan to upgrade the devices to Windows 11 Enterprise.
On which devices can you perform a direct in-place upgrade to Windows 11 Enterprise?
A. Device3 only
B. Device3 and Device 4 only
E. Device1, Device2, Device3, and Device4 only
Correct Answer: A

B (100%)
HOTSPOT
Your network contains an on-premises Active Directory domain named contoso.com that syncs to Azure AD.
A user named User1 uses the domain-joined devices shown in the following table.
In the Microsoft Entra admin center, you assign a Windows 11 Enterprise E5 license to User1.
You need to identify what will occur when User1 next signs in to the devices.
What should you identify for each device? To answer, select the appropriate options in the answer area.
Correct Answer:
HOTSPOT
You have a Microsoft Deployment Toolkit (MDT) deployment share named Share1.
You add Windows 10 images to Share1 as shown in the following table.
Which images can be used in the Standard Client Task Sequence, and which images can be used in the Standard Client Upgrade Task Sequence?
Correct Answer:
DRAG DROP
You plan to use Windows Autopilot to provision 25 Windows 11 devices.
You need to meet the following requirements during device provisioning:
• Display the progress of app and profile deployments.
• Join the devices to Azure AD.
What should you configure to meet each requirement? To answer, drag the appropriate settings to the correct requirements. Each setting may be
used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
Correct Answer:
Your company has a Remote Desktop Gateway (RD Gateway).
You have a server named Server1 that is accessible by using Remote Desktop Services (RDS) through the RD Gateway.
You need to configure a Remote Desktop connection to connect through the gateway.
Which setting should you configure?
A. Connect from anywhere
B. Server authentication
C. Connection settings
D. Local devices and resources
Correct Answer: A

C (100%)
You have a Microsoft Deployment Toolkit (MDT) deployment share.
You plan to deploy Windows 11 by using the Standard Client Task Sequence template.
You need to modify the task sequence to perform the following actions:
• Format disks to support Unified Extensible Firmware Interface (UEFI).
• Create a recovery partition.
Which phase of the task sequence should you modify?
A. Preinstall
B. PostInstall
C. Install
D. Initialization
Correct Answer: A
DRAG DROP
Your network contains an Active Directory domain.
You install the Microsoft Deployment Toolkit (MDT) on a server.
You have a custom image of Windows 11.
You need to deploy the image to 100 devices by using MDT.
Correct Answer:
You have the Microsoft Deployment Toolkit (MDT) installed.
You install and customize Windows 11 on a reference computer.
You need to capture an image of the reference computer and ensure that the image can be deployed to multiple computers.
Which command should you run before you capture the image?
A. dism
B. wpeinit
C. sysprep
D. bcdedit
Correct Answer: C

C (100%)
Your network contains an on-premises Active Directory domain. The domain contains two computers named Computer1 and Computer2 that run
Windows 10.
You install Windows Admin Center on Computer1.
You need to manage Computer2 from Computer1 by using Windows Admin Center.
A. Update the TrustedHosts list.
B. Run the Enable-PSRemoting cmdlet.
C. Allow Windows Remote Management (WinRM) through the Microsoft Defender firewall.
D. Add an inbound Microsoft Defender Firewall rule.
Correct Answer: D

C (100%)
HOTSPOT
You have a hybrid Azure AD tenant.
You configure a Windows Autopilot deployment profile as shown in the following exhibit.

Correct Answer:
HOTSPOT
You plan to create Windows 11 device builds for the marketing and research departments. The solution must meet the requirements:
• Marketing department devices must support Windows Update for Business.
• Research department devices must have support for feature update versions for up to 36 months from release.
What is the minimum Windows 11 edition required for each department? To answer, select the appropriate options in the answer area.
Correct Answer:
You plan to use Windows Autopilot to configure the Windows 10 devices shown in the following table.
Which devices can be configured by using Windows Autopilot self-deploying mode?
A. Device2 only
B. Device3 only
Correct Answer: B

B (100%)
HOTSPOT
Your network contains an on-premises Active Directory Domain Services (AD DS) domain that syncs with an Azure AD tenant.
You plan to use Windows Autopilot to deploy new Windows devices.
You plan to create a deployment profile.
You need to ensure that the deployment meets the following requirements:
• Devices must be joined to AD DS regardless of their current working location.
• Users in the marketing department must have a line-of-business (LOB) app installed during the deployment.
The solution must minimize administrative effort.
What should you do for each requirement? To answer, select the appropriate options in the answer area.
Correct Answer:
You have 200 computers that run Windows 10 and are joined to an Active Directory domain.
You need to enable Windows Remote Management (WinRM) on all the computers by using Group Policy.
Which three actions should you perform? Each correct answer presents part of the solution.
A. Enable the Allow Remote Shell access setting.
B. Enable the Allow remote server management through WinRM setting.
C. Set the Startup Type of the Windows Remote Management (WS-Management) service to Automatic.
D. Enable the Windows Defender Firewall: Allow inbound Remote Desktop exceptions setting.
E. Set the Startup Type of the Remote Registry service to Automatic.
F. Enable the Windows Defender Firewall: Allow inbound remote administration exception setting.
Correct Answer: BCF
You have a Microsoft 365 Business Standard subscription and 100 Windows 10 Pro devices.
You purchase a Microsoft 365 E5 subscription.
You need to upgrade the Windows 10 Pro devices to Windows 10 Enterprise. The solution must minimize administrative effort.
Which upgrade method should you use?
B. a Microsoft Deployment Toolkit (MDT) lite-touch deployment
C. Subscription Activation
D. an in-place upgrade by using Windows installation media
Correct Answer: C

C (100%)
HOTSPOT
You have devices that are not rooted enrolled in Microsoft Intune as shown in the following table.
The devices are members of a group named Group1.
In Intune, you create a device compliance location that has the following configurations:
• Name: Network1
• IPv4 range: 192.168.0.0/16
In Intune, you create a device compliance policy for the Android platform. The policy has the following configurations:
• Name: Policy1
• Device health: Rooted devices: Block
• Locations: Location: Network1
• Mark device noncompliant: Immediately
• Assigned: Group1
The Intune device compliance policy has the following configurations:
• Mark devices with no compliance policy assigned as: Compliant
• Enhanced jailbreak detection: Enabled
• Compliance status validity period (days): 20
Correct Answer:
You need to implement mobile device management (MDM) for personal devices that run Windows 11. The solution must meet the following
requirements:
• Ensure that you can manage the personal devices by using Microsoft Intune.
• Ensure that users can access company data seamlessly from their personal devices.
• Ensure that users can only sign in to their personal devices by using their personal account.
What should you use to add the devices to Azure AD?
A. Azure AD registered
B. hybrid Azure AD join
C. Azure AD joined
Correct Answer: C

A (100%)
HOTSPOT
All computers are enrolled in Microsoft Intune.
You have business requirements for securing your Windows 11 environment as shown in the following table.
What should you implement to meet each requirement? To answer, select the appropriate options in the answer area.
Correct Answer:
HOTSPOT
You have a Microsoft 365 subscription that contains two security groups named Group1 and Group2. Microsoft 365 uses Microsoft Intune Suite.
You need to assign roles in Intune to meet the following requirements:
• The members of Group1 must manage Intune roles and assignments.
• The members of Group2 must assign existing apps and policies to users and devices.
The solution must follow the principle of least privilege.
Which role should you assign to each group? To answer, select the appropriate options in the answer area.
Correct Answer:
HOTSPOT
Intune includes the device compliance policies shown in the following table.
The device compliance policies has the assignments shown in the following table.
Correct Answer:
HOTSPOT
You have a Microsoft 365 subscription that contains a user named User1. The subscription contains devices enrolled in Microsoft Intune as
shown in the following table.
Microsoft Edge is available on all the devices.
Intune has the device compliance policies shown in the following table.
The Compliance policy settings are configured as shown in the exhibit. (Click the Exhibit tab.)
You create the following Conditional Access policy:
• Name: Policy1
• Assignments
o Users and groups: User1
o Cloud apps or actions: Office 365 SharePoint Online
• Access controls
o Grant: Require device to be marked as compliant
• Enable policy: On
Correct Answer:
You need to ensure that users are not added automatically to the local Administrators group when they join their Windows 11 device to
contoso.com.
B. provisioning packages for Windows
C. Security defaults in Azure AD
D. Device settings in Azure AD
Correct Answer: A

A (90%) 10%
Your company has devices enrolled in Microsoft Intune as shown in the following table.
In Microsoft Intune admin center, you define the company’s network as a location named Location1.
Which devices can use network location-based compliance policies?
A. Device1 only
B. Device2 only
D. Device2 and Device3 only
E. Device1, Device2, and Device3
Correct Answer: E

E (100%)
You have an Azure subscription.
You have an on-premises Windows 11 device named Device1.
You plan to monitor Device1 by using Azure Monitor.
You create a data collection rule (DCR) named DCR1 in the subscription.
To what should you associate DCR1?
A. Azure Network Watcher
B. Device1
C. a Log Analytics workspace
D. a Monitored Object
Correct Answer: D

C (58%) D (25%) B (17%)
HOTSPOT
You need to configure an update ring that meets the following requirements:
• Fixes and improvements to existing Windows functionality can be deferred for 14 days but will install automatically seven days after that date.
• The installation of new Windows features can be deferred for 90 days but will install automatically 10 days after that date.
• Devices must restart automatically three days after an update is installed.
How should you configure the update ring? To answer, select the appropriate options in the answer area.

Correct Answer:
HOTSPOT
You need to review and implement Microsoft 365 Defender device onboarding. The solution must meet the following requirements:
• View onboarded devices that have the Chromium-based version for Microsoft Edge installed.
• Download an onboarding package for a Windows 11 device.
• Minimize administrative effort.
Which two settings should you use in the Microsoft 365 Defender portal? To answer, select the appropriate settings in the answer area.

Correct Answer:
You have a Microsoft 365 subscription that contains 500 computers that run Windows 11. The computers are Azure AD joined and are enrolled in
Microsoft Intune.
You plan to manage Microsoft Defender Antivirus on the computers.
You need to prevent users from disabling Microsoft Defender Antivirus.
What should you do?
A. From the Microsoft Intune admin center, create a security baseline.
B. From the Microsoft 365 Defender portal, enable tamper protection.
C. From the Microsoft Intune admin center, create an account protection policy.
D. From the Microsoft Intune admin center, create an endpoint detection and response (EDR) policy.
Correct Answer: B
HOTSPOT
You have 1,000 computers that run Windows 10 and are members of an Active Directory domain.
You need to capture the event logs from the computers to Azure.
What should you do? To answer, select the appropriate options in the answer area.
Correct Answer:
You have a computer named Computer5 that has Windows 10 installed.
You create a Windows PowerShell script named config.ps1.
You need to ensure that config.ps1 runs after feature updates are installed on Computer5.
Which file should you modify on Computer5?
A. LiteTouch.wsf
B. SetupConfig.ini
C. Unattend.bat
D. Unattend.xml
Correct Answer: B
HOTSPOT
You have a Microsoft 365 tenant and an internal certification authority (CA).
You need to use Microsoft Intune to deploy the root CA certificate to managed devices.
Which type of Intune policy and profile type template should you use? To answer, select the appropriate options in the answer area.
Correct Answer:
HOTSPOT
Your company uses Microsoft Defender for Endpoint. Microsoft Defender for Endpoint includes the device groups shown in the following table.
You onboard a computer to Microsoft Defender for Endpoint as shown in the following exhibit.
What is the effect of the Microsoft Defender for Endpoint configuration? To answer, select the appropriate options in the answer area.
Correct Answer:
You manage 1,000 devices by using Microsoft Intune.
You review the Device compliance trends report.
For how long will the report display trend data?
A. 30 days
B. 60 days
C. 90 days
D. 365 days
Correct Answer: B

B (100%)
You have a Microsoft 365 E5 subscription that contains 100 iOS devices enrolled in Microsoft Intune.
You need to ensure that notifications of iOS updates are deferred for 30 days after the updates are released.
A. an iOS app provisioning profile
B. a device configuration profile based on the Device features templates
C. an update policy for iOS/iPadOS
D. a device configuration profile based on the Device restrictions template
Correct Answer: C

D (75%) C (25%)
HOTSPOT
You have a Microsoft 365 subscription that uses Microsoft Intune and contains 100 Windows 10 devices.
You need to create Intune configuration profiles to perform the following actions on the devices:
• Deploy a custom Start layout.
• Rename the local Administrator account.
Which profile type template should you use for each action? To answer, select the appropriate options in the answer area.
Correct Answer:
HOTSPOT
You plan to enable Microsoft Intune enrollment for the following types of devices:
• Existing Windows 11 devices managed by using Configuration Manager
• Personal iOS devices
The solution must minimize user disruption.
Which enrollment method should you use for each device type? To answer, select the appropriate options in the answer area.
Correct Answer:
You have a Windows 10 device named Device1 that is joined to Active Directory and enrolled in Microsoft Intune.
Device1 is managed by using Group Policy and Intune.
You need to ensure that the Intune settings override the Group Policy settings.
A. a device configuration profile
C. an MDM Security Baseline profile
D. a Group Policy Object (GPO)
Correct Answer: A
HOTSPOT
You have an Azure AD Premium P2 subscription that contains the users shown in the following table.
You purchase the devices shown in the following table.
You configure automatic mobile device management (MDM) and mobile application management (MAM) enrollment by using the following
settings:
• MDM user scope: Group1
• MAM user scope: Group2
Correct Answer:
HOTSPOT
You have the MDM Security Baseline profile shown in the MDM exhibit. (Click the MDM tab.)
You have the ASR Endpoint Security profile shown in the ASR exhibit. (Click the ASR tab.)
You plan to deploy both profiles to devices enrolled in Microsoft Intune.
You need to identify how the following settings will be configured on the devices:
• Block Office applications from creating executable content
• Block Win32 API calls from Office macro
Currently, the settings are disabled locally on each device.
What are the effective settings on the devices? To answer, select the appropriate options in the answer area.

Correct Answer:
DRAG DROP
You have an on-premises Active Directory domain that syncs to Azure AD tenant.
The tenant contains computers that run Windows 10. The computers are hybrid Azure AD joined and enrolled in Microsoft Intune.
The Microsoft Office settings on the computers are configured by using a Group Policy Object (GPO).
You need to migrate the GPO to Intune.
Correct Answer:
Your network contains an Active Directory Domain Services (AD DS) domain. The domain contains 100 client computers that run Windows 10.
Currently, your company does NOT have a deployment infrastructure.
The company purchases Windows 11 licenses through a volume licensing agreement.
You need to recommend how to upgrade the computers to Windows 11. The solution must minimize licensing costs.
What should you include in the recommendation?
B. Configuration Manager
C. subscription activation
D. Microsoft Deployment Toolkit (MDT)
Correct Answer: C

D (88%) 13%
You have a Microsoft 365 subscription that contains a user named User1 and uses Microsoft Intune Suite.
You use Microsoft Intune to manage devices that run Windows 11.
You need to remove User1 from the local Administrators group on all enrolled devices.
B. an account protection policy
C. an app configuration policy
Correct Answer: B

B (100%)
HOTSPOT
You have computers that run Windows 10 and are configured by using Windows Autopilot.
A user performs the following tasks on a computer named Computer1:
• Creates a VPN connection to the corporate network
• Installs a Microsoft Store app named App1
• Connections to a Wi-Fi network
You perform a Windows Autopilot Reset on Computer1.
What will be the state of the computer when the user signs in? To answer, select the appropriate options in the answer area.
Correct Answer:
HOTSPOT
You have a Microsoft Deployment Toolkit (MDT) solution that is used to manage Windows 11 deployment tasks.
MDT contains the operating system images shown in the following table.
You need to perform a Windows 11-place upgrade on several computers that run Windows 10.
From the Deployment Workbench, you open the New Task Sequence Wizard.
You need to identify which task sequence template and which operating system image to use for the task sequence. The solution must minimize
What should you identify? To answer, select the appropriate options in the answer area.
Correct Answer:
You have a workgroup computer named Client1 that runs Windows 11 and connects to a public network.
You need to enable PowerShell remoting on Client1. The solution must ensure that PowerShell remoting connections are accepted from the local
subnet only.
Which PowerShell command should you run?
A. Set-PSSessionConfiguration –AccessMode Local
B. Enable-PSRemoting –SkipNetworkProfileCheck
C. Enable-PSRemoting –Force
D. Set-NetFirewallRule –Name “WINRM-HTTP-In-TCP-PUBLIC” –RemoteAddress Any
Correct Answer: B

B (100%)
HOTSPOT
You need to enable passwordless authentication for all users. The solution must meet the following requirements:
• Users in the research department cannot use mobile devices and must authenticate from unmanaged Linux devices by using an alternative
method.
• To access services, users in the sales department must authenticate by using their mobile phone.
Which authentication method should you use for each department? To answer, select the appropriate options in the answer area.
Correct Answer:
HOTSPOT
Users have iOS devices that are not enrolled in Microsoft Intune.
You create an app protection policy for the Microsoft Outlook app as shown in the exhibit. (Click the Exhibit tab.)
You need to configure the policy to meet the following requirements:
• Prevent the users from using the Outlook app if the operating system version is less than 12.0.0.
• Require the users to use an alphanumeric passcode to access the Outlook app.
What should you configure in an app protection policy for each requirement? To answer, select the appropriate options in the answer area.

Correct Answer:
You manage 1,000 computers that run Windows 10. All the computers are enrolled in Microsoft Intune. You manage the servicing channel settings
of the computers by using Intune.
You need to review the servicing status of a computer.
What should you do?
A. From Device configuration – Profiles, view the device status.
B. From Software updates, view the Per update ring deployment state.
C. From Software updates, view the audit logs.
D. From Device compliance, view the device compliance.
Correct Answer: B
HOTSPOT
Your network contains an Active Directory domain. Active Directory is synced with Azure AD.
There are 500 Active Directory domain-joined computers that run Windows 10 and are enrolled in Microsoft Intune.
You plan to implement Microsoft Defender Exploit Guard.
You need to create a custom Microsoft Defender Exploit Guard policy, and then distribute the policy to all the computers.
Correct Answer:
You have a Microsoft Intune subscription associated to an Azure AD tenant named contoso.com.
Users use one of the following three suffixes when they sign in to the tenant: us.contoso.com, eu.contoso.com, or contoso.com.
You need to ensure that the users are NOT required to specify the mobile device management (MDM) enrollment URL as part of the enrollment
process. The solution must minimize the number of changes.
Which DNS records do you need?
A. one TXT record only
B. three CNAME records
C. three TXT records
D. one CNAME record only
Correct Answer: B
HOTSPOT
You plan to enroll devices in Microsoft Intune that have the platforms and versions shown in the following table.
You need to configure device enrollment to meet the following requirements:
• Ensure that only devices that have approved platforms and versions can enroll in Microsoft Intune.
• Ensure that devices are added to Azure AD groups based on a selection made by users during the enrollment.
Which device enrollment setting should you configure for each requirement? To answer, select the appropriate options in the answer area.
Correct Answer:
HOTSPOT
You have a Microsoft 365 tenant that uses Microsoft Intune and contains the devices shown in the following table.
In Microsoft Intune Endpoint security, you need to configure a disk encryption policy for each device.
Which encryption type should you use for each device, and which role-based access control (RBAC) role in Intune should you use to manage the
encryption keys? To answer, select the appropriate options in the answer area.
Correct Answer:
DRAG DROP
Your company has a Microsoft 365 E5 tenant.
All the devices of the company are enrolled in Microsoft Intune.
You need to create advanced reports by using custom queries and visualizations from raw Microsoft Intune data.
Correct Answer:
DRAG DROP
You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint.
You plan to onboard the following types of devices to Defender for Endpoint:
• macOS
• Linux Server
What should you use to onboard each device? To answer, drag the appropriate tools to the correct device types. Each tool may be used once, more
than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
Correct Answer:
You have a Windows 10 device named Computer1 enrolled in Microsoft Intune.
You need to configure Computer1 as a public workstation that will run a single customer-facing, full-screen application.
Which configuration profile type template should you use in Microsoft Intune admin center?
A. Shared multi-user device
B. Device restrictions
C. Kiosk
D. Endpoint protection
Correct Answer: C

C (100%)
You create a new policy set named Set and add five device configuration profiles for Windows 10 and later.
You create a device compliance policy named Policy1.
You need to ensure that when users are assigned the device configuration profiles in Set1, they are always assigned Policy1 also.
A. the assignments of Policy1
B. the Policy1 configurations
C. the assignments of Set1
D. the Set1 configurations
Correct Answer: C

D (67%) A (33%)
HOTSPOT
Your network contains an on-premises Active Directory domain that contains the locations shown in the following table.
In Microsoft Intune, you enroll the Windows 10 devices shown in the following table.
You have a Delivery Optimization device configuration profile applied to all the devices. The profile is configured as shown in the following exhibit.
From which devices can Device1 and Device2 get updates? To answer, select the appropriate options in the answer area.

Correct Answer:
You need to enable self-service password reset on the sign-in screen.
Which settings should you configure from the Microsoft Intune admin center?
A. Device configuration
B. Device enrollment
C. Conditional access
D. Device compliance
Correct Answer: A
HOTSPOT
You have a Microsoft 365 tenant that uses Microsoft Intune.
From the Microsoft Intune admin center, you plan to create a baseline to monitor the Startup score and the App reliability score of enrolled
Windows 10 devices.
You need to identify which tool to use to create the baseline and the minimum number of devices required to create the baseline.
What should you identify? To answer, select the appropriate options in the answer area.
Correct Answer:
You are implementing Microsoft Intune Suite.
You enroll devices in Intune as shown in the following table.
The performance of which devices can be analyzed by using Endpoint analytics?
A. Device1 only
Correct Answer: B

B (100%)
You plan to implement Microsoft Defender for Endpoint.
You need to identify which devices can be onboarded to Microsoft Defender for Endpoint.
What should you identify?
A. Device1 only
B. Device2 only
C. Device1, Device2 only
Correct Answer: D

D (67%) E (33%)
You use app protection policies to protect corporate data on Android devices.
You need to ensure that any user connecting from an Android device can only access the corporate data if they connect from an app that supports
mobile application management (MAM).
B. a Conditional Access policy
D. a device compliance policy
Correct Answer: B

B (100%)
Your company has a Microsoft 365 subscription.
All the users in the finance department own personal devices that run iOS or Android. All the devices are enrolled in Microsoft Intune.
The finance department adds new users each month.
The company develops a mobile application named App1 for the finance department users.
You need to ensure that only the finance department users can download App1.
A. Register App1 in Azure AD.
B. Add App1 to the vendor stores for iOS and Android applications.
C. Add App1 to a Microsoft Deployment Toolkit (MDT) deployment share.
D. Add App1 to Intune.
Correct Answer: D
DRAG DROP
You need to configure the Microsoft Edge settings for each device.
What should you use? To answer, drag the appropriate Intune features to the correct devices. Each feature may be used once, more than once, or
not at all. You may need to drag the split bar between panes or scroll to view content.
Correct Answer:
You have a Microsoft 365 E5 subscription that uses Microsoft Intune. The subscription contains the users shown in the following table.
Group2 and Group3 are members of Group1.
All the users use Microsoft Excel.
From the Microsoft Intune admin center, you create the policies shown in the following table.
Correct Answer:
HOTSPOT
You have a Microsoft 365 E5 subscription that contains a computer named Computer1 that runs Windows 11. Computer1 is enrolled in Microsoft
Intune.
You need to deploy an app named App1 to Computer1. The App1 installation will use multiple files.
What should you use to package App1, and which file format will be used? To answer, select the appropriate options in the answer area.
Correct Answer:
You have a Microsoft 365 tenant that contains the devices shown in the following table.
The devices are managed by using Microsoft Intune.
You create a compliance policy named Policy1 and assign Policy1 to Group1. Policy1 is configured to mark a device as Compliant only if the
device security settings match the settings specified in the policy.
You discover that devices that are not members of Group1 are shown as Compliant.
You need to ensure that only devices that are assigned a compliance policy can be shown as Compliant. All other devices must be shown as Not
compliant.
What should you do from the Microsoft Intune admin center?
A. From Device compliance, configure the Compliance policy settings.
B. From Endpoint security, configure the Conditional access settings.
C. From Tenant administration, modify the Diagnostic settings.
D. From Policy1, modify the actions for noncompliance.
Correct Answer: A
HOTSPOT
Your company has an infrastructure that has the following:
• A Microsoft 365 tenant
• An Active Directory forest
• Microsoft Intune
• A Key Management Service (KMS) server
• A Windows Deployment Services (WDS) server
• An Azure AD Premium tenant
The company purchases 100 new client computers that run Windows.
You need to ensure that the new computers are joined automatically to Azure AD by using Windows Autopilot.
What should you use? To answer, select the appropriate options in the answer area,
Correct Answer:
You plan to purchase 25 computers that run Windows 11. You plan to deliver the computers directly to users.
You need to ensure that during the out-of-box experience (OBE), users are prompted to sign in, and then the computers are configured to use
Microsoft Intune.
Which two components should you configure? Each correct answer presents part of the solution.
A. a provisioning package
B. automatic enrollment
C. an unattend.xml answer file
D. a Windows Autopilot deployment profile for self-deploying mode
E. a Windows Autopilot deployment profile for user-driven mode
Correct Answer: BE

BE (70%) BD (30%)
You need to assign the same deployment profile to all the computers that are configured by using Windows Autopilot.
A. Create an Azure AD group that has dynamic membership rules and uses the ZTDID tag.
B. Create an Azure AD group that has dynamic membership rules and uses the operatingSystem tag.
C. Assign a Windows Autopilot deployment profile to a group.
D. Join the computers to Azure AD.
E. Create a Group Policy object (GPO) that is linked to a domain.
F. Join the computers to an on-premises Active Directory domain.
Correct Answer: AC
DRAG DROP
You have a Microsoft Deployment Toolkit (MDT) deployment share that has a path of D:\MDTShare.
You need to add a feature pack to the boot image.
Correct Answer:
You plan to deploy Windows 11 Pro to 200 new computers by using the Microsoft Deployment Toolkit (MDT) and Windows Deployment Services
(WDS).
The company has a Volume Licensing Agreement and uses a product key to activate Windows 11.
You need to ensure that the new computers will be configured to have the correct product key during the installation.
A. an MDT task sequence
B. the Device settings in Azure AD
C. a WDS boot image
D. a Windows Autopilot deployment profile
Correct Answer: A
HOTSPOT
You manage a Microsoft Deployment Toolkit (MDT) deployment share named DS1. DS1 contains an Out-of-Box Drivers folder named Windows 11
x64 that has subfolders in the format of {make name}\{model name}.
You need to modify a deployment task sequence to ensure that all the drivers in the folder that match the make and model of the computers are
installed without using PnP detection or selection profiles.
Correct Answer:
HOTSPOT
You use the Microsoft Deployment Toolkit (MDT) to deploy Windows 11.
You need to modify the deployment share to meet the following requirements:
• Ensure that the user who performs the installation is prompted to set the local Administrator password
• Define a rule for how to name computers during the deployment.
The solution must NOT replace the existing WinPE image.
Which file should you modify for each requirement? To answer, select the appropriate options in the answer area,
Correct Answer:
HOTSPOT
You have an Azure AD tenant that contains the following:
• Windows 11 devices that are joined to Azure AD
• A user that has a display name of User1 and a UPN of [email protected]
You enable Remote Desktop on the Windows 11 devices.
You need to ensure that User1 can use Remote Desktop to connect to the devices.
How should you complete the command that must be run on each device? To answer, select the appropriate options in the answer area
Correct Answer:
HOTSPOT
All the devices will be reimaged and licensed by using subscription activation.
The devices are assigned to the users shown in the following table.
Correct Answer:
Your network contains an Active Directory domain. The domain contains 10 computers that run Windows 10. Users in the finance department use
the computers.
You have a computer named Computer1 that runs Windows 10.
From Computer1, you plan to run a script that executes Windows PowerShell commands on the finance department computers.
You need to ensure that you can run the PowerShell commands on the finance department computers from Computer.
What should you do on the finance department computers?
A. From Windows PowerShell, run the Enable-MMAgent cmdlet.
B. From the local Group Policy, enable the Allow Remote Shell Access setting.
C. From Windows PowerShell, run the Enable-PSRemoting cmdlet.
D. From the local Group Policy, enable the Turn on Script Execution setting.
Correct Answer: D

C (100%)
You plan to use Windows Autopilot to deploy Windows 11 devices.
You need to meet the following requirements during Autopilot provisioning:
• Display the app and profile configuration progress.
• Block users from using the devices until all apps and profiles are installed
B. an app protection policy
C. an enrollment device platform restriction
D. an enrollment status page
Correct Answer: A

D (100%)
HOTSPOT
You have a Microsoft 365 subscription. The subscription contains 1,000 computers that run Windows 11 and are enrolled in Microsoft Intune.
You plan to create a compliance policy that has the following options enabled:
• Require Secure Boot to be enabled on the device.
• Require the device to be at or under the machine risk score.
Which two Compliance settings should you configure? To answer, select the appropriate settings in the answer area.
Correct Answer:
Your network contains an Active Directory domain named contoso.com. The domain contains 25 computers that run Windows 11.
You have a Microsoft 365 subscription
You have an Azure AD tenant that syncs with contoso.com.
You configure hybrid Azure AD join and discover that some of the computers have a registered state of Pending.
You need to ensure that the computers complete the join successfully.
What should you ensure?
A. that Windows is activated on all the computers
B. that the users of the computers are assigned Microsoft 365 licenses
C. that each computer has a line of sight to a domain controller
D. that the computers contain the latest quality updates
Correct Answer: C

C (100%)

MD 102

Uploaded by

Copyright:

Available Formats

MD 102

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

MD 102

Uploaded by

Copyright:

Available Formats

- Expert Verified, Online, Free.

Prepare for your MD-102 exam with additional products

512 PDF Pages

 Custom View Settings

ADatum has a Microsoft 365 E5 subscription.

ADatum has a hybrid Azure AD tenant named adatum.com.

Users and Groups -

Enterprise State Roaming is enabled for Group1 and GroupA.

Group1 and Group2 have a Membership type of Assigned.

ADatum has the Windows 10 devices shown in the following table.

The Windows 10 devices are configured as shown in the following table.

Microsoft Intune Configuration -

MDM user scope: GroupA -

MAM user scope: GroupB -

Folder protection: Enable -

List of apps that have access to protected folders: C:\*\AppA.exe

List of additional folders that need to be protected: D:\Folder1

Included groups: Group2, GroupB -

Windows Autopilot Configuration -

The Intune connector for Active Directory is installed on Server1.

ADatum plans to implement the following changes:

Network boundary: 192.168.1.0/24

Scope tags: Tag1 -

Connection name: VPN1 -

Connection type: L2TP -

Included groups: Group1, Group2, GroupA

Connection name: VPN2 -

Connection type: IKEv2 -

Included groups: GroupA -

Excluded groups: GroupB -

ADatum must meet the following technical requirements:

Users in GroupA must be able to deploy new computers.

Administrative effort must be minimized.

NOTE: Each correct selection is worth one point.

ADatum has a Microsoft 365 E5 subscription.

ADatum has a hybrid Azure AD tenant named adatum.com.

Users and Groups -

Enterprise State Roaming is enabled for Group1 and GroupA.

Group1 and Group2 have a Membership type of Assigned.

ADatum has the Windows 10 devices shown in the following table.

The Windows 10 devices are configured as shown in the following table.

Microsoft Intune Configuration -

MDM user scope: GroupA -

MAM user scope: GroupB -

Folder protection: Enable -

List of apps that have access to protected folders: C:\*\AppA.exe

List of additional folders that need to be protected: D:\Folder1

Included groups: Group2, GroupB -

Windows Autopilot Configuration -

The Intune connector for Active Directory is installed on Server1.

ADatum plans to implement the following changes:

Network boundary: 192.168.1.0/24

Scope tags: Tag1 -

Included groups: Group1, Group2 -

Connection name: VPN1 -

Connection type: L2TP -

Included groups: Group1, Group2, GroupA

Connection name: VPN2 -

Connection type: IKEv2 -