0% found this document useful (0 votes)

24 views273 pages

MD 101

Uploaded by

Daboula Bienvenu

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

24 views273 pages

MD 101

Uploaded by

Daboula Bienvenu

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 273

MD-101 Exam

Exam MD-101

Title Managing Modern Desktops

Version 21.0

Product
319 Q&A with explanations
Type

“Best Material, Great Results”. www.certkingdom.com 1 of 1

QUESTION 1
Note: The question is included in a number of questions that depicts the identical set-up. However,
every question has a distinctive result. Establish if the solution satisfies the requirements.
Your company Windows 10 computers that are enrolled in Microsoft Intune. You make use of Intune to
manage the servicing channel settings of all company computers.
You receive an enquiry regarding the servicing status of a specific computer.
You need to review the necessary policy report.
Solution: You navigate to device status via Device configuration.
Does the solution meet the goal?

A. Yes
B. No

Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/intune/windows-update-compliance-reports

QUESTION 2
Note: The question is included in a number of questions that depicts the identical set-up. However,
every question has a distinctive result. Establish if the solution satisfies the requirements.
Your company Windows 10 computers that are enrolled in Microsoft Intune. You make use of Intune to
manage the servicing channel settings of all company computers.
You receive an enquiry regarding the servicing status of a specific computer.
You need to review the necessary policy report.
Solution: You navigate to the audit logs via Software updates.
Does the solution meet the goal?

A. Yes
B. No

Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/intune/windows-update-compliance-reports

QUESTION 3
You have been tasked with reusing a Windows 10 computer that was assigned to a user who is no longer with
the company.
The computer will be assigned to a new user. You plan to make use of Windows AutoPilot to redeploy the
computer.
Which of the following actions should you take FIRST?

A. Reset the computer.

B. Wipe the computer.
C. Create a HTML file containing the computer info.
D. Create a CSV file containing the computer info.

Answer: D
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/intune/enrollment-autopilot
https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot-reset

QUESTION 4
DRAG DROP
Your company has a number of Windows 7 computers that you want to upgrade to Windows 10.
The computers all have a single MBR disk, and a disabled TPM chip. Also, the computers have hardware
virtualization disabled, Data Execution Prevention (DEP) enabled, and UEFI firmware running in BIOS mode.
You have been tasked with making sure that Secure Boot can be used by the computers.
Which of the following actions should you take? Answer by dragging the correct options from the list to the
answer area. Choose two.
Select and Place:

Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/boot-to-uefi-mode-or-legacy-biosmode

QUESTION 5
Your company has an Active Directory domain that includes a large number of Windows 10 computers.
You have recently configured hybrid Microsoft Azure Active Directory (Azure AD) and Microsoft Intune in the
environment.
You want to make sure that all the current computers are automatically registered to Azure AD, as well as
enrolled in Intune. The strategy that you employ should reduce the administrative effort required to achieve
your goal.
Which of the following actions should you take?

A. You should make use of Windows Reset.

B. You should make use of a Windows AutoPilot deployment profile.
C. You should make use of a n Autodiscover service connection point (SCP).
D. You should make use of a device configuration profile.

Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Autopilot-Hybrid-Azure-AD-join-andautomatic/
ba-p/286126

QUESTION 6
You need to consider the underlined segment to establish whether it is accurate.
You have recently created a provisioning package that uses Comp%RAND:1% as the device name.
You will be able to successfully run the package on as much as 5 devices.
Select ?No adjustment required? if the underlined segment is accurate. If the underlined segment is inaccurate,
select the accurate option.

A. No adjustment required
B. 10
C. 15
D. 20

Answer: B
Section: (none)
Explanation
Explanation/Reference:

Explanation:
The device name uses a single random number (applied by %RAND:1%). This allows for 10 unique values (0
? 9).

QUESTION 7
Your company has an Active Directory domain, named weylandindustries.com. The domain is synced to
Microsoft Azure Active Directory (Azure AD) and all company computers have been enrolled in Microsoft
Intune.
You are preparing to perform a Wipe action on certain company devices.
Which of the following operating systems support the Wipe action? Choose all that apply.

A. Windows Vista
B. Windows 8.1
C. Windows 10
D. iOS

Answer: B,C
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/intune/devices-wipe

QUESTION 8
Your company has an Active Directory domain, named weylandindustries.com. The domain is synced to
Microsoft Azure Active Directory (Azure AD) and all company computers have been enrolled in Microsoft
Intune.
You are preparing to perform a Fresh Start action on certain company devices.
Which of the following operating systems support the Fresh Start action? Choose all that apply.

A. Windows Vista
B. Windows 8.1
C. Windows 10
D. iOS

Answer: C
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/intune/device-fresh-start
QUESTION 9
Your company has a number of Windows 10 Microsoft Azure Active Directory (Azure AD) joined workstations.
These workstations have been enrolled in Microsoft Intune.
You have been tasked with making sure that the has self-service password reset enabled on the logon screen.
You have navigated to the Microsoft Intune blade.
Which of the following is the setting you should configure?

A. The Device configuration settings.

B. The Device compliance settings
C. The Windows AutoPilot deployment settings
D. The App protection settings

Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-sspr-windows

QUESTION 10
You need to consider the underlined segment to establish whether it is accurate.
Your company?s Microsoft Azure subscription includes an Azure Log Analytics workspace.
After deploying a new Windows 10 computer, which belongs to a workgroup, you are tasked with making sure
that you are able to utilize Log Analytics to query events from the new computer.
You configure the new computer?s commercial ID.
Select ?No adjustment required? if the underlined segment is accurate. If the underlined segment is inaccurate,
select the accurate option.
What should you do on Computer1?

A. No adjustment required.
B. install the Azure Diagnostic extension on the new computer
C. install the Dependency agent on the new computer
D. install the Microsoft Monitoring Agent on the new computer

Answer: D
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agent-windows

QUESTION 11
You need to consider the underlined segment to establish whether it is accurate.
After installing a feature update on a Windows 10 computer, you have 7 days to roll back the update
Select ?No adjustment required? if the underlined segment is accurate. If the underlined segment is inaccurate,
select the accurate option.

A. No adjustment required.
B. 10
C. 90
D. 30

Answer: B
Section: (none)
Explanation
Explanation/Reference:

Explanation:
Microsoft has changed the time period associated with operating system rollbacks with Windows 10 version
1607, decreasing it to 10 days. Previously, Windows 10 had a 30-day rollback period.
Reference:
https://redmondmag.com/articles/2016/08/04/microsoft-shortens-windows-10-rollback-period.aspx

QUESTION 12
Your company has a Microsoft 365 subscription configured for their environment. All devices in the
environment have Windows 10 installed.
You have been instructed to make sure that users are not allowed to enroll devices in the Windows Insider
Program.
To achieve your goal, you access Microsoft 365 Device Management.
Which of the following actions should you take?

A. You should configure a Windows 10 security baseline.

B. You should configure an app protection policy.
C. You should configure device restriction policy.
D. You should configure a Windows 10 update ring.

Answer: D
Section: (none)
Explanation
Explanation/Reference:

QUESTION 13
Note: The question is included in a number of questions that depicts the identical set-up. However,
every question has a distinctive result. Establish if the solution satisfies the requirements.
Your company has a hybrid configuration of Microsoft Azure Active Directory (Azure AD). Your company also
has a Microsoft 365 subscription.
After creating a conditional access policy for Microsoft Exchange Online, you are tasked with configuring the
policy to block access to Exchange Online. However, the policy should allow access for hybrid Azure ADjoined
devices
Solution: You should configure the Device platforms settings.
Does the solution meet the goal?

A. Yes
B. No

Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/conditions#device-state

QUESTION 14
Note: The question is included in a number of questions that depicts the identical set-up. However,
every question has a distinctive result. Establish if the solution satisfies the requirements.
Your company has a hybrid configuration of Microsoft Azure Active Directory (Azure AD). Your company also
has a Microsoft 365 subscription.
After creating a conditional access policy for Microsoft Exchange Online, you are tasked with configuring the
policy to block access to Exchange Online. However, the policy should allow access for hybrid Azure ADjoined
devices
Solution: You should configure the Client apps settings.
Does the solution meet the goal?

A. Yes
B. No

Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/conditions#device-state

QUESTION 15
Note: The question is included in a number of questions that depicts the identical set-up. However,
every question has a distinctive result. Establish if the solution satisfies the requirements.
Your company has a hybrid configuration of Microsoft Azure Active Directory (Azure AD). Your company also
has a Microsoft 365 subscription.
After creating a conditional access policy for Microsoft Exchange Online, you are tasked with configuring the
policy to block access to Exchange Online. However, the policy should allow access for hybrid Azure ADjoined
devices
Solution: You should configure the Device state settings.
Does the solution meet the goal?

A. Yes
B. No

Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/conditions#device-state

QUESTION 16
Your company makes use of Microsoft Intune to manage computers.
You have been tasked with configuring Windows Hello for Business. You are preparing to create an Intune
profile to achieve your goal.
Which of the following is an operating system that supports Windows Hello for Business?

A. Windows Vista
B. Windows 8.1
C. Windows 10
D. macOS

Answer: C
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/intune/protect/identity-protection-windows-settings

QUESTION 17
Your company has a large number of Android and iOS devices, which are enrolled in Intune.
You are preparing to deploy new Intune policies will apply to devices, based on the version of Android or iOS
that is being run.
You are required to make sure that the policies are able to target the devices according to your plan.
Which of the following actions should you take?

A. You should start by accessing Intune and configuring corporate device identifiers.
B. You should start by accessing Microsoft Azure Active Directory (Azure AD) and configuring Device
settings.
C. You should start by accessing Microsoft Azure Active Directory (Azure AD) and configuring Application
settings.
D. You should start by creating a distribution group.

Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/intune/compliance-policy-create-android
https://docs.microsoft.com/en-us/intune/compliance-policy-create-ios

QUESTION 18
You need to consider the underlined segment to establish whether it is accurate.
Your company has Microsoft Azure Active Directory (Azure AD) joined Windows 10 Pro computers that have
been enrolled in Microsoft Intune.
You have been tasked with making sure that the computers are upgraded to Windows 10 Enterprise.
You start by configuring a device enrollment policy in Intune.
Select ?No adjustment required? if the underlined segment is accurate. If the underlined segment is inaccurate,
select the accurate option.
What should you configure in Intune?

A. No adjustment required
B. an app protection policy
C. a Windows AutoPilot deployment profile
D. A device configuration profile

Answer: D
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://blogs.technet.microsoft.com/skypehybridguy/2018/09/21/intune-upgrade-windows-from-pro-toenterprise-
automatically/

QUESTION 19
Your company has a Microsoft 365 subscription.
You have enrolled all the company computers in Microsoft Intune.
You have been tasked with making sure that Microsoft Exchange Online is only accessible from known
locations.
Which of the following actions should you take?

A. You should create a device configuration profile.

B. You should create a device compliance policy.
C. You should create a Windows AutoPilot deployment profile.
D. You should create a conditional access policy.

Answer: D
Section: (none)
Explanation
Explanation/Reference:

QUESTION 20
Your company has a Microsoft 365 subscription.
You have enrolled all the company computers in Microsoft Intune.
You have been tasked with making sure that devices with a high Windows Defender Advanced Threat
Protection (Windows Defender ATP) risk score are locked.
Which of the following actions should you take?

A. You should create a device configuration profile.

B. You should create a device compliance policy.
C. You should create a Windows AutoPilot deployment profile.
D. You should create a conditional access policy.

Answer: B
Section: (none)
Explanation
Explanation/Reference:

QUESTION 21
Your company plans to deploy tablets to 50 meeting rooms.
The tablets run Windows 10 and are managed by using Microsoft Intune. The tablets have an application
named App1.
You need to configure the tablets so that any user can use App1 without having to sign in. Users must be
prevented from using other applications on the tablets.
Which device configuration profile type should you use?

A. Kiosk
B. Endpoint protection
C. Identity protection
D. Device restrictions

Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/configuration/kiosk-single-app

QUESTION 22
All of your company?s devices are managed via Microsoft Intune.
conditional access is used to prevent devices that are not compliant with company security policies, from
accessing Microsoft 365 services.
You need to access Device compliance to view the non-compliant devices.
Where should you access Device compliance from?

A. System Center Configuration Manager

B. Windows Defender Security Center.
C. The Intune admin center.
D. The Azure Active Directory admin center.

Answer: C
Section: (none)
Explanation
Explanation/Reference:

QUESTION 23
You manage a large number of Windows 10 computers.
You have been tasked with creating a provisioning package that will allow you to remove the Microsoft News
and the Xbox Microsoft Store apps, as well as add a VPN connection to the company network.
Which of the following are the customization settings you should configure?

A. Connections and Personalization

B. ConnectivityProfiles and Policies
C. Connections and Policies
D. ConnectivityProfiles and Personalization

Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/configuration/wcd/wcd-connectivityprofiles
https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-configuration-serviceprovider#
applicationmanagement-applicationrestrictions
https://docs.microsoft.com/en-us/windows/configuration/wcd/wcd-policies

QUESTION 24
All users at your company have Azure AD joined Windows 10 workstations that are managed via Microsoft
Intune.
You have been tasked with making sure that Windows Analytics is used to monitor the workstations centrally.
Which of the following actions should you take?

A. You should create a device configuration profile via Intune.

B. You should create a device compliance policy via Intune.
C. You should create a Windows AutoPilot deployment profile via Intune.
D. You should create an app configuration policy via Intune.

Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://www.scconfigmgr.com/2019/03/27/windows-analytics-onboarding-with-intune/

QUESTION 25
Your company has a number of Windows 10 Microsoft Azure Active Directory (Azure AD) joined workstations.
These workstations have been enrolled in Microsoft Intune.
You are creating a device configuration profile for the workstations. You have been informed that a custom
image should be displayed on the sign-in screen.
Which of the following is a Device restriction setting that should be configured?

A. Locked screen experience

B. Personalization
C. Display
D. General

Answer: A
Section: (none)
Explanation
Explanation/Reference:

Explanation:
Sign-in screen, or Locked screen, image is set under Locked screen experience
Reference:
https://docs.microsoft.com/en-us/intune/device-restrictions-windows-10

QUESTION 26
Your company has a number of Windows 10 Microsoft Azure Active Directory (Azure AD) joined workstations.
These workstations have been enrolled in Microsoft Intune.
You are creating a device configuration profile for the workstations. You have been informed that a custom
image should be displayed as the Desktop background picture.
Which of the following is a Device restriction setting that should be configured?

A. Locked screen experience

B. Personalization
C. Display
D. General

Answer: B
Section: (none)
Explanation
Explanation/Reference:

Explanation:
Wallpaper image, or Desktop background picture, URL is set under Personalization.
Reference:
https://docs.microsoft.com/en-us/intune/device-restrictions-windows-10

QUESTION 27
Your company has a large number of Windows 10 workstations that are managed via Microsoft Intune.
Delivery Optimization is not being used for Windows updates at present.
You want to make sure that Delivery Optimization is configured for all of the workstations.
Which of the following actions should you take?

A. You should create a device configuration profile via Intune.

B. You should create a device compliance policy via Intune.
C. You should create a Windows AutoPilot deployment profile via Intune.
D. You should create a conditional access policy via Intune.

Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/intune/delivery-optimization-windows

QUESTION 28
Your company?s environment includes the following:
Microsoft Azure Active Directory (Azure AD)
Microsoft 365
Microsoft Intune
Azure Information Protection.
A new security policy declares that enrollment for private devices in Intune is not required. However, to access
corporate email information, users have to make use of a PIN for authentication purposes. Also, users are able
to access corporate cloud services from their private iOS and Android devices. Furthermore, the copying
corporate email information to a cloud storage service should not be allowed, unless users are copying the
information to Microsoft OneDrive for Business.
You have to make sure that security policy is enforced.
Which of the following actions should you take?

A. You should create a data loss prevention (DLP) policy.

B. You should create a device enrollment policy.
C. You should create an app protection policy.
D. You should create a Windows AutoPilot deployment profile.

Answer: C
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/intune/app-protection-policy

QUESTION 29
Note: The question is included in a number of questions that depicts the identical set-up. However,
every question has a distinctive result. Establish if the solution satisfies the requirements.
Your company has a number of Windows 10 Microsoft Azure Active Directory (Azure AD) joined workstations.
These workstations have been enrolled in Microsoft Intune.
You have been tasked with making sure that the workstations are only able to run applications that you have
explicitly permitted.
Solution: You make use of Windows Defender Antivirus.
Does the solution meet the goal?

A. Yes
B. No

Answer: B
Section: (none)
Explanation
Explanation/Reference:

QUESTION 30
Note: The question is included in a number of questions that depicts the identical set-up. However,
every question has a distinctive result. Establish if the solution satisfies the requirements.
Your company has a number of Windows 10 Microsoft Azure Active Directory (Azure AD) joined workstations.
These workstations have been enrolled in Microsoft Intune.
You have been tasked with making sure that the workstations are only able to run applications that you have
explicitly permitted.
Solution: You make use of Windows Defender SmartScreen.
Does the solution meet the goal?

A. Yes
B. No

Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 31
Note: The question is included in a number of questions that depicts the identical set-up. However,
every question has a distinctive result. Establish if the solution satisfies the requirements.
Your company has a number of Windows 10 Microsoft Azure Active Directory (Azure AD) joined workstations.
These workstations have been enrolled in Microsoft Intune.
You have been tasked with making sure that the workstations are only able to run applications that you have
explicitly permitted.
Solution: You make use of Windows Defender Application Guard.
Does the solution meet the goal?

A. Yes
B. No

Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/security/threat-protection/device-guard/introduction-to-device-
guardvirtualization-
based-security-and-windows-defender-application-control

QUESTION 32
You are currently making use of the Antimalware Assessment solution in Microsoft Azure Log Analytics.
You have accessed the Protection Status dashboard and find that there is a device that has no real time
protection.
Which of the following could be a reason for this occurring?

A. Windows Defender has been disabled.

B. You need to install the Azure Diagnostic extension.
C. Windows Defender Credential Guard is incorrectly configured.
D. Windows Defender System Guard is incorrectly configured.

Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/ga-ie/azure/security-center/security-center-install-endpoint-protection

QUESTION 33
You are currently making use of the Antimalware Assessment solution in Microsoft Azure Log Analytics.
You have accessed the Protection Status dashboard and find that there is a device that is not reporting.
Which of the following could be a reason for this occurring?

A. Windows Defender System Guard is incorrectly configured.

B. You need to install the Azure Diagnostic extension.
C. Windows Defender Application Guard is incorrectly configured.
D. The Microsoft Malicious Software Removal tool is installed.

Answer: C
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/ga-ie/azure/security-center/security-center-install-endpoint-protection

QUESTION 34
You need to consider the underlined segment to establish whether it is accurate.
To enable Windows Defender Credential Guard on Windows 10 computers, the computers must have Hyper-V
installed.
Select ?No adjustment required? if the underlined segment is accurate. If the underlined segment is inaccurate,
select the accurate option.
What should you install on the computers?

A. No adjustment required.
B. Windows Defender Smartscreen
C. a virtual machine
D. a container cluster

Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guardrequirements

QUESTION 35
You manage one hundred Microsoft Azure Active Directory (Azure AD) joined Windows 10 devices.
You want to make sure that users are unable to join their home PC?s to Azure AD.
Which of the following actions should you take?

A. You should configure the Enrollment restriction settings via the Device enrollment blade in the Intune
admin center.
B. You should configure the Enrollment restriction settings via the Security & Compliance admin center.
C. You should configure the Enrollment restriction settings via the Azure Active Directory admin center.
D. You should configure the Enrollment restriction settings via the Windows Defender Security Center.

Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/intune/enrollment-restrictions-set

QUESTION 36
You need to consider the underlined segment to establish whether it is accurate.
To enable sideloading in Windows 10, you should navigate to the For developers setting via Update & Security
in the Settings app.
Select ?No adjustment required? if the underlined segment is accurate. If the underlined segment is inaccurate,
select the accurate option.

A. No adjustment required.
B. Widows Insider
C. Delivery Optimization
D. Activation

Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://www.windowscentral.com/how-enable-windows-10-sideload-apps-outside-store
https://docs.microsoft.com/en-us/windows/application-management/sideload-apps-in-windows-10

QUESTION 37
You need to consider the underlined segment to establish whether it is accurate.
To enable sideload a LOB application in Windows 10, you should run the Install-Package cmdlet.
Select ?No adjustment required? if the underlined segment is accurate. If the underlined segment is inaccurate,
select the accurate option.

A. No adjustment required.
B. Install-PackageProvider
C. Save-Package
D. Add-AppxPackage

Answer: D
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/application-management/sideload-apps-in-windows-10

QUESTION 38
Note: The question is included in a number of questions that depicts the identical set-up. However,
every question has a distinctive result. Establish if the solution satisfies the requirements.
Your company?s environment includes a Microsoft 365 subscription.
Users in the company?s sales division have personal iOS or Android devices that are enrolled in Microsoft
Intune. New users are added to the sales division on a monthly basis.
After a mobile application is created for users in the sales division, you are instructed to make sure that the
application can only be downloaded by the sales division users
Solution: You start by adding the application to Microsoft Store for Business.
Does the solution meet the goal?

A. Yes
B. No

Answer: B
Section: (none)
Explanation
Explanation/Reference:

QUESTION 39
Note: The question is included in a number of questions that depicts the identical set-up. However,
every question has a distinctive result. Establish if the solution satisfies the requirements.
Your company?s environment includes a Microsoft 365 subscription.
Users in the company?s sales division have personal iOS or Android devices that are enrolled in Microsoft
Intune. New users are added to the sales division on a monthly basis.
After a mobile application is created for users in the sales division, you are instructed to make sure that the
application can only be downloaded by the sales division users
Solution: You start by assigning the application to a group.
Does the solution meet the goal?

A. Yes
B. No

Answer: B
Section: (none)
Explanation
Explanation/Reference:

QUESTION 40
Note: The question is included in a number of questions that depicts the identical set-up. However,
every question has a distinctive result. Establish if the solution satisfies the requirements.
Your company?s environment includes a Microsoft 365 subscription.
Users in the company?s sales division have personal iOS or Android devices that are enrolled in Microsoft
Intune. New users are added to the sales division on a monthly basis.
After a mobile application is created for users in the sales division, you are instructed to make sure that the
application can only be downloaded by the sales division users.
Solution: You start by adding the application to Intune.
Does the solution meet the goal?

A. Yes
B. No

Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/intune/apps-add

QUESTION 41
You company has a Microsoft Azure Active Directory (Azure AD) tenant that includes Microsoft Intune. All of
the Windows 10 devices are enrolled in Intune.
You are preparing to configure a Windows Information Protection (WIP) policy:
You need to make sure that the policy is configured to allow for the logging of unacceptable data sharing, but
not blocking the action.
Which of the following is the WIP protection mode that you should use?

A. Block
B. Silent
C. Off
D. Allow Overrides

Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/
create-wip-policy-using-intune

QUESTION 42
Your company has an Active Directory domain, named weylandindustries.com, and a Microsoft Office 365
subscription. The domain is also synced to Microsoft Azure Active Directory (Azure AD).
All company computers are domain-joined, and are running the most recent Microsoft OneDrive sync client.
You are currently configuring OneDrive group policy settings.
Which of the following is the setting that will minimize the disk space consumed by a user profile, when
enabled?

A. OneDrive Files On-Demand

B. Silently move known folders to OneDrive
C. Prompt users to move Windows known folders to OneDrive
D. Silently configure OneDrive using the primary Windows account

Answer: A
Section: (none)
Explanation
Explanation/Reference:

Explanation:
OneDrive Files On-Demand enables users to view, search for, and interact with files stored in OneDrive from
within File Explorer without downloading them and taking up space on the local hard drive.
Reference:
https://docs.microsoft.com/en-us/onedrive/plan-onedrive-enterprise

QUESTION 43
You manage your company?s Microsoft 365 subscription.
You are tasked with creating an app protection policy for the Microsoft Outlook app on iOS devices that are not
enrolled in Microsoft 365 Device Management.
You have to make sure that the policy is configured to prohibit the users from using the Outlook app if the
operating system version is less than 12.0.0. You also have to make sure that an alphanumeric passcode is
required for users to access the Outlook app.
Which of the following is policy settings that you should configure? (Choose two.)

A. Conditional launch
B. Data transfer exemptions
C. Data protection
D. Access requirements

Answer: A,D
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/intune/app-protection-policy-settings-ios

QUESTION 44
You are responsible for your company?s Microsoft 365 environment, with co-management enabled.
All company computers have been deployed via Microsoft Deployment Toolkit (MDT), and have Windows 10
installed.
You have been tasked devising a strategy for deploying Microsoft Office 365 ProPlus to new computers. You
have to make sure that most recent version is installed at all times, while also reducing the effort required to
meet the prerequisites.
Which of the following actions should you take?

A. You should make use of Windows Deployment Services (WDS).

B. You should make use of the Microsoft Deployment Toolkit
C. You should make use of the Office Deployment Tool (ODT).
D. You should make use of a Windows Configuration Designer provisioning package

Answer: C
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/deployoffice/overview-of-the-office-2016-deployment-tool
Deploy and Update Operating Systems
Testlet 1
Case study
This is a case study. Case studies are not timed separately. You can use as much exam time as you
would like to complete each case. However, there may be additional case studies and sections on this
exam. You must manage your time to ensure that you are able to complete all questions included on this exam
in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the
case study. Case studies might contain exhibits and other resources that provide more information about the
scenario that is described in the case study. Each question is independent of the other questions in this case
study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and
to make changes before you move to the next section of the exam. After you begin a new section, you cannot
return to this section.
To start the case study
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore
the content of the case study before you answer the questions. Clicking these buttons displays information
such as business requirements, existing environment, and problem statements. When you are ready to answer
a question, click the Question button to return to the question.
General Overview
Litware, Inc. is an international manufacturing company that has 3,000 employees. The company has sales,
marketing, research, human resources (HR), development, and IT departments.
Litware has two main offices in New York and Los Angeles. Litware has five branch offices in Asia.
Existing Environment
Current Business Model
The Los Angeles office has 500 developers. The developers work flexible hours ranging from 11 AM to 10 PM.
Litware has a Microsoft Endpoint Configuration Manager deployment.
During discovery, the company discovers a process where users are emailing bank account information of its
customers to internal and external recipients.
Current Environment
The network contains an Active Directory domain that is synced to Microsoft Azure Active Directory (Azure
AD). The functional level of the forest and the domain is Windows Server 2012 R2. All domain controllers run
Windows Server 2012 R2.
Litware has the computers shown in the following table.

The development department uses projects in Azure DevOps to build applications.

Most of the employees in the sales department are contractors. Each contractor is assigned a computer that
runs Windows 10. At the end of each contract, the computer is assigned to a different contractor. Currently, the
computers are re-provisioned manually by the IT department.
Problem Statements
Litware identifies the following issues on the network:
Employees in the Los Angeles office report slow Internet performance when updates are downloading. The
employees also report that the updates frequently consume considerable resources when they are
installed. The Update settings are configured as shown in the Updates exhibit. (Click the Updates button.)
Management suspects that the source code for the proprietary applications in Azure DevOps in being
shared externally.
Re-provisioning the sales department computers is too time consuming.
Requirements
Business Goals
Litware plans to transition to co-management for all the company-owned Windows 10 computers.
Whenever possible, Litware wants to minimize hardware and software costs.
Device Management Requirements
Litware identifies the following device management requirements:
Prevent the sales department employees from forwarding email that contains bank account information.
Ensure that Microsoft Edge Favorites are accessible from all computers to which the developers sign in.
Prevent employees in the research department from copying patented information from trusted applications
to untrusted applications.
Technical Requirements
Litware identifies the following technical requirements for the planned deployment:
Re-provision the sales department computers by using Windows AutoPilot.
Ensure that the projects in Azure DevOps can be accessed from the corporate network only.
Ensure that users can sign in to the Azure AD-joined computers by using a PIN. The PIN must expire every
30 days.
Ensure that the company name and logo appears during the Out of Box Experience (OOBE) when using
Windows AutoPilot.
Exhibits
Updates
QUESTION 45
You need to capture the required information for the sales department computers to meet the technical
requirements.
Which Windows PowerShell command should you run first?

A. Install-Module WindowsAutoPilotIntune
B. Install-Script Get-WindowsAutoPilotInfo
C. Import-AutoPilotCSV
D. Get-WindowsAutoPilotInfo

Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/existing-devices

QUESTION 46
What should you configure to meet the technical requirements for the Azure AD-joined computers?

A. Windows Hello for Business from the Endpoint Manager admin center.
B. The Accounts options in an endpoint protection profile.
C. The Password Policy settings in a Group Policy object (GPO).
D. A password policy from the Microsoft 365 admin center.

QUESTION 47
HOTSPOT
You need to meet the OOBE requirements for Windows AutoPilot.
Which two settings should you configure from the Azure Active Directory blade? To answer, select the
appropriate settings in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:

Explanation:
From the scenario:
Ensure that the company name and logo appears during the Out of Box Experience (OOBE) when using
Windows AutoPilot.
Reference:
https://blogs.technet.microsoft.com/mniehaus/2017/12/22/windows-autopilot-azure-ad-branding/

QUESTION 48
HOTSPOT
You need to meet the technical requirements for Windows AutoPilot.
Which two settings should you configure from the Azure Active Directory blade? To answer, select the
appropriate settings in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot-reset
https://docs.microsoft.com/en-za/azure/active-directory/fundamentals/customize-branding#add-companybranding-
to-your-directory

QUESTION 49
HOTSPOT
You need to resolve the performance issues in the Los Angeles office.
How should you configure the update settings? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:

Explanation:
The Los Angeles office has 500 developers. The developers work flexible hours ranging from 11 AM to 10 PM.
Deploy and Update Operating Systems
Testlet 2
Case study
This is a case study. Case studies are not timed separately. You can use as much exam time as you
would like to complete each case. However, there may be additional case studies and sections on this
exam. You must manage your time to ensure that you are able to complete all questions included on this exam
in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the
case study. Case studies might contain exhibits and other resources that provide more information about the
scenario that is described in the case study. Each question is independent of the other questions in this case
study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and
to make changes before you move to the next section of the exam. After you begin a new section, you cannot
return to this section.
To start the case study
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore
the content of the case study before you answer the questions. Clicking these buttons displays information
such as business requirements, existing environment, and problem statements. When you are ready to answer
a question, click the Question button to return to the question.
Overview
Contoso, Ltd. is a consulting company that has a main office in Montreal and two branch offices in Seattle and
New York.
Contoso has the users and computers shown in the following table.

The company has IT, human resources (HR), legal (LEG), marketing (MKG) and finance (FIN) departments.
Contoso uses Microsoft Store for Business and recently purchased a Microsoft 365 subscription.
The company is opening a new branch office in Phoenix. Most of the users in the Phoenix office will work from
home.
Existing Environment
The network contains an Active Directory domain named contoso.com that is synced to Microsoft Azure Active
Directory (Azure AD).
All member servers run Windows Server 2016. All laptops and desktop computers run Windows 10 Enterprise.
The computers are managed by using Microsoft Endpoint Configuration Manager. The mobile devices are
managed by using Microsoft Intune.
The naming convention for the computers is the department acronym, followed by a hyphen, and then four
numbers, for example, FIN-6785. All the computers are joined to the on-premises Active Directory domain.
Each department has an organizational unit (OU) that contains a child OU named Computers. Each computer
account is in the Computers OU of its respective department.
Intune Configuration
The domain has the users shown in the following table.
User2 is a device enrollment manager (DEM) in Intune.
The devices enrolled in Intune are shown in the following table.

The device compliance policies in Intune are configured as shown in the following table.

The device compliance policies have the assignments shown in the following table.

The device limit restrictions in Intune are configured as shown in the following table.

Requirements
Planned Changes
Contoso plans to implement the following changes:
Provide new computers to the Phoenix office users. The new computers have Windows 10 Pro preinstalled
and were purchased already.
Start using a free Microsoft Store for Business app named App1.
Implement co-management for the computers.
Technical Requirements
Contoso must meet the following technical requirements:
Ensure that the users in a group named Group4 can only access Microsoft Exchange Online from devices
that are enrolled in Intune.
Deploy Windows 10 Enterprise to the computers of the Phoenix office users by using Windows Autopilot.
Monitor the computers in the LEG department by using Windows Analytics.
Create a provisioning package for new computers in the HR department.
Block iOS devices from sending diagnostic and usage telemetry data.
Use the principle of least privilege whenever possible.
Enable the users in the MKG department to use App1.
Pilot co-management for the IT department.

QUESTION 50
HOTSPOT
You need to meet the technical requirements for the new HR department computers.
How should you configure the provisioning package? To answer, select the appropriate options in the answer
area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/configuration/wcd/wcd-accounts

QUESTION 51
You need to prepare for the deployment of the Phoenix office computers.
What should you do first?

A. Extract the hardware ID information of each computer to a CSV file and upload the file from the Microsoft
Endpoint Management admin center.
B. Extract the serial number information of each computer to a XML file and upload the file from the Microsoft
Endpoint Management admin center.
C. Extract the serial number information of each computer to a CSV file and upload the file from the Microsoft
Endpoint Management admin center.
D. Generalize the computers and configure the Device settings from the Azure Active Directory admin center.

Answer: A
Section: (none)
Explanation
Explanation/Reference:

Explanation:
To manage devices through Microsoft Store for Business and Education, you'll need a .csv file that contains
specific information about the devices. You should be able to get this from your Microsoft account contact, or
the store where you purchased the devices. Upload the .csv file to Microsoft Store to add the devices.
Reference:
https://docs.microsoft.com/en-us/microsoft-store/add-profile-to-devices

QUESTION 52
You need to prepare for the deployment of the Phoenix office computers.
What should you do first?

A. Generalize the computers and configure the Mobility (MDM and MAM) settings from the Azure Active
Directory admin center.
B. Extract the hardware ID information of each computer to a CSV file and upload the file from the Microsoft
Intune blade in the Azure portal.
C. Extract the hardware ID information of each computer to an XML file and upload the file from the Devices
settings in Microsoft Store for Business.
D. Extract the serial number information of each computer to a CSV file and upload the file from the Microsoft
Intune blade in the Azure portal.

Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/existing-devices

QUESTION 53
HOTSPOT
You need to meet the technical requirements for Windows Autopilot.
Which two settings should you configure from the Azure Active Directory blade? To answer, select the
appropriate settings in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/devices/device-management-azure-portal#configuredevice-
settings
https://docs.microsoft.com/en-us/mem/autopilot/existing-devices
Deploy and Update Operating Systems
Testlet 3
Case study
This is a case study. Case studies are not timed separately. You can use as much exam time as you
would like to complete each case. However, there may be additional case studies and sections on this
exam. You must manage your time to ensure that you are able to complete all questions included on this exam
in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the
case study. Case studies might contain exhibits and other resources that provide more information about the
scenario that is described in the case study. Each question is independent of the other questions in this case
study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and
to make changes before you move to the next section of the exam. After you begin a new section, you cannot
return to this section.
To start the case study
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore
the content of the case study before you answer the questions. Clicking these buttons displays information
such as business requirements, existing environment, and problem statements. If the case study has an All
Information tab, note that the information displayed is identical to the information displayed on the subsequent
tabs. When you are ready to answer a question, click the Question button to return to the question.
Overview
Contoso, Ltd. is a consulting company that has a main office in Montreal and branch offices in Seattle and
New York.
Contoso has a Microsoft 365 E5 subscription.
Environment
Network Environment
The network contains an on-premises Active Directory domain named contoso.com. The domain contains the
servers shown in the following table.

All users are assigned a Microsoft Office 365 license and an Enterprise Mobility + Security E3 license.
Enterprise State Roaming is enabled for Group1 and GroupA.
Group1 and Group2 have a Membership type of Assigned.
Devices
Contoso has the Windows 10 devices shown in the following table.

The Windows 10 devices are joined to Azure AD and enrolled in Microsoft Intune.
The Windows 10 devices are configured as shown in the following table.

All the Azure AD joined devices have an executable file named C:\AppA.exe and a folder named D:\Folder1.
Microsoft Endpoint Manager Configuration
Microsoft Endpoint Manager has the compliance policies shown in the following table.

The Compliance policy settings are shown in the following exhibit.

The Automatic Enrollment settings have the following configurations:

Currently, there are no devices deployed by using Window Autopilot.

The Intune connector for Active Directory is installed on Server1.
Requirements
Planned Changes
Contoso plans to implement the following changes:
Purchase a new Windows 10 device named Device6 and enroll the device in Intune.
New computers will be deployed by using Windows Autopilot and will be hybrid Azure AD joined.
Deploy a network boundary configuration profile that will have the following settings:
- Name: Boundary1
- Network boundary: 192.168.1.0/24
- Scope tags: Tag1
- Assignments:
- - Included groups: Group1, Group2
Deploy two VPN configuration profiles named Connection1 and Connection2 that will have the following
settings:
- Name: Connection1
- Connection name: VPN1
- Connection type: L2TP
- Assignments:
- - Included groups: Group1, Group2, GroupA
- - Excluded groups: --
- Name: Connection2
- Connection name: VPN2
- Connection type: IKEv2
- Assignments:
- - Included groups: GroupA
- - Excluded groups: GroupB
Purchase an app named App1 that is available in Microsoft Store for Business and to assign the app to all
the users.
Technical Requirements
Contoso must meet the following technical requirements:
Users in GroupA must be able to deploy new computers.
Administrative effort must be minimized.

QUESTION 54
HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:
Section: (none)
Explanation
Explanation/Reference:

QUESTION 55
You need to ensure that computer objects can be created as part of the Windows Autopilot deployment. The
solution must meet the technical requirements.
To what should you grant the right to create the computer objects?

A. Server2
B. Server1
C. GroupA
D. DC1

Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://blog.matrixpost.net/set-up-windows-autopilot-production-environment-part-2/
Deploy and Update Operating Systems
Question Set 4

QUESTION 56
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
Your company uses Windows Autopilot to configure the computer settings of computers issued to users.
A user named User1 has a computer named Computer1 that runs Windows 10. User1 leaves the company.
You plan to transfer the computer to a user named User2.
You need to ensure that when User2 first starts the computer, User2 is prompted to select the language
setting and to agree to the license agreement.
Solution: You create a new Windows Autopilot self-deploying deployment profile.
Does this meet the goal?
A. Yes
B. No

Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/self-deploying

QUESTION 57
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
You need to ensure that feature and quality updates install automatically on a Windows 10 computer during a
maintenance window.
Solution: In Group policy, from the Maintenance Scheduler settings, you configure Automatic Maintenance
Random Delay.
Does this meet the goal?

A. Yes
B. No

Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/sccm/sum/deploy-use/automatically-deploy-software-updates

QUESTION 58
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
You need to ensure that feature and quality updates install automatically on a Windows 10 computer during a
maintenance window.
Solution: In Group policy, from the Windows Update settings, you enable Configure Automatic Updates,
select 4-Auto download and schedule the install, and then enter a time.
Does this meet the goal?

A. Yes
B. No

Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/sccm/sum/deploy-use/automatically-deploy-software-updates
QUESTION 59
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
You need to ensure that feature and quality updates install automatically on a Windows 10 computer during a
maintenance window.
Solution: In Group policy, from the Maintenance Scheduler settings, you configure Automatic Maintenance
Activation Boundary.
Does this meet the goal?

A. Yes
B. No

Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/sccm/sum/deploy-use/automatically-deploy-software-updates

QUESTION 60
DRAG DROP
Your company has a computer named Computer1 that runs Windows 10.
Computer1 was used by a user who left the company.
You plan to repurpose Computer1 and assign the computer to a new user. You need to redeploy Computer1
by using Windows AutoPilot.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of
actions to the answer area and arrange them in the correct order.
Select and Place:

Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/intune/enrollment-autopilot
https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot-reset

QUESTION 61
HOTSPOT
Your company has an infrastructure that has the following:
A Microsoft 365 tenant
An Active Directory forest
Microsoft Intune
A Key Management Service (KMS) server
A Windows Deployment Services (WDS) server
A Microsoft Azure Active Directory (Azure AD) Premium tenant
The company purchases 100 new computers that run Windows 10.
You need to ensure that the new computers are joined automatically to Azure AD by using Windows Autopilot.
What should you use? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/intune/enrollment-autopilot

QUESTION 62
Your company purchases new computers that run Windows 10. The computers have cameras that support
Windows Hello for Business.
You configure the Windows Hello for Business Group Policy settings as shown in the following exhibit.

What are two valid methods a user can use to sign in? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. Facial recognition
B. A smartwatch that is Bluetooth-enabled
C. A PIN
D. A USB key

Answer: A,C
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://community.windows.com/en-us/stories/windows-sign-in-options
https://fossbytes.com/how-to-unlock-windows-10/

QUESTION 63
You have 10 computers that run Windows 8.1 and have the following configurations:
A single MBR disk
A disabled TPM chip
Disabled hardware virtualization
UEFI firmware running in BIOS mode
Enabled Data Execution Prevention (DEP)
You plan to upgrade the computers to Windows 10.
You need to ensure that the computers can use Secure Boot.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. Convert the MBR disk to a GPT disk

B. Enable the TPM chip.
C. Disable DEP
D. Enable hardware virtualization
E. Convert the firmware from BIOS to UEFI.

Answer: A,E
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/boot-to-uefi-mode-or-legacy-biosmode

QUESTION 64
Your network contains an Active Directory domain. The domain contains 2,000 computers that run Windows
10.
You implement hybrid Microsoft Azure Active Directory (Azure AD) and Microsoft Intune.
You need to automatically register all the existing computers to Azure AD and enroll the computers in Intune.
The solution must minimize administrative effort.
What should you use?

A. An Autodiscover address record.

B. A Windows AutoPilot deployment profile.
C. An Autodiscover service connection point (SCP).
D. A Group Policy object (GPO).

QUESTION 65
HOTSPOT
Your network contains an Active Directory domain. The domain contains computers that run Windows 10 and
are enrolled in Microsoft Intune. Updates are deployed by using Windows Update for Business.
Users in a group named Group1 must meet the following requirements:
Update installations must occur any day only between 00:00 and 05:00.
Updates must be downloaded from Microsoft and from other company computers that already downloaded
the updates.
You need to configure the Windows 10 Update Rings settings in Intune to meet the requirements.
Which two settings should you modify? To answer, select the appropriate settings in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://github.com/MicrosoftDocs/IntuneDocs/blob/master/intune/windows-update-settings.md
https://docs.microsoft.com/en-us/intune/delivery-optimization-windows#move-from-existing-update-rings-todelivery-
optimization

QUESTION 66
Your network contains an Active Directory domain named contoso.com.
You create a provisioning package named Package1 as shown in the following exhibit.
What is the maximum number of devices on which you can run Package1 successfully?

A. 1
B. 10
C. 25
D. unlimited

Answer: B
Section: (none)
Explanation
Explanation/Reference:

Explanation:
The device name uses a single random number (applied by %RAND:1%). This allows for 10 unique values (0
? 9).

QUESTION 67
HOTSPOT
You have computers that run Windows 10 and are configured by using Windows Autopilot.
A user performs the following tasks on a computer named Computer1:
Creates a VPN connection to the corporate network
Installs a Microsoft Store app named App1
Connects to a Wi-Fi network
You perform a Windows Autopilot Reset on Computer1.
What will be the state of the computer when the user signs in? To answer, select the appropriate options in the
answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot-reset

QUESTION 68
HOTSPOT
Your network contains an Active Directory domain named constoso.com that is synced to Microsoft Azure
Active Directory (Azure AD). All computers are enrolled in Microsoft Intune.
The domain contains the computers shown in the following table.

You are evaluating which Intune actions you can use to reset the computers to run Windows 10 Enterprise
with the latest update.
Which computers can you reset by using each action? To answer, select the appropriate options in the answer
area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/intune/device-fresh-start
https://docs.microsoft.com/en-us/intune/devices-wipe

QUESTION 69
You have the 64-bit computers shown in the following table.
You plan to perform an in-place upgrade to the 64-bit version of Windows 10.
Which computers can you upgrade to the 64-bit version of Windows 10 in their current state?

A. Computer2 and Computer4 only

B. Computer4 only
C. Computer3 and Computer4 only
D. Computer1, Computer2, Computer3 and Computer4
E. Computer2, Computer3, and Computer4 only

Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/deployment/windows-10-deployment-scenarios

QUESTION 70
You have 200 computers that run Windows 10. The computers are joined to Microsoft Azure Active Directory
(AD) and enrolled in Microsoft Intune.
You need to enable self-service password reset on the sign-in screen.
Which settings should you configure from the Microsoft Endpoint Manager admin center?

A. Device configuration
B. Device compliance
C. Device enrollment
D. Conditional access

Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/intune/configuration/device-profile-create
https://www.inthecloud247.com/restrict-which-users-can-logon-into-a-windows-10-device-with-microsoftintune/

QUESTION 71
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
Your company uses Windows Update for Business.
The research department has several computers that have specialized hardware and software installed.
You need to prevent the video drivers from being updated automatically by using Windows Update.
Solution: From the Device Installation and Restrictions settings in a Group Policy object (GPO), you enable
Prevent installation of devices using drivers that match these device setup classes, and then you enter
the device GUID.
Does this meet the goal?

A. Yes
B. No

Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://www.stigviewer.com/stig/microsoft_windows_server_2012_member_server/2013-07-25/finding/WN12-
CC-000024

QUESTION 72
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
Your company uses Windows Update for Business.
The research department has several computers that have specialized hardware and software installed.
You need to prevent the video drivers from being updated automatically by using Windows Update.
Solution: From the Settings app, you clear the Give me updates for other Microsoft products when I
update Windows check box.
Does this meet the goal?

A. Yes
B. No

QUESTION 73
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
Your company uses Windows Update for Business.
The research department has several computers that have specialized hardware and software installed.
You need to prevent the video drivers from being updated automatically by using Windows Update.
Solution: From the Device Installation settings in a Group Policy object (GPO), you enable Specify search
order for device driver source locations, and then you select Do not search Windows Update.
Does this meet the goal?

A. Yes
B. No

Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://www.stigviewer.com/stig/microsoft_windows_server_2012_member_server/2013-07-25/finding/WN12-
CC-000024

QUESTION 74
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
You need to ensure that feature and quality updates install automatically during a maintenance window.
Solution: In Group policy, from the Windows Update settings, you enable Configure Automatic Updates,
select 3 ? Auto download and notify for Install, and then enter a time.
Does this meet the goal?

A. Yes
B. No

Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/sccm/sum/deploy-use/automatically-deploy-software-updates

QUESTION 75
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
You have a Microsoft 365 subscription.
You have 20 computers that run Windows 10 and are joined to Microsoft Azure Active Directory (Azure AD).
You plan to replace the computers with new computers that run Windows 10. The new computers will be
joined to Azure AD.
You need to ensure that the desktop background, the favorites, and the browsing history are available on the
new computers.
Solution: You configure Enterprise State Roaming.
Does this meet the goal?

A. Yes
B. No

Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/devices/enterprise-state-roaming-windows-settingsreference

QUESTION 76
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
You have a Microsoft 365 subscription.
You have 20 computers that run Windows 10 and are joined to Microsoft Azure Active Directory (Azure AD).
You plan to replace the computers with new computers that run Windows 10. The new computers will be
joined to Azure AD.
You need to ensure that the desktop background, the favorites, and the browsing history are available on the
new computers.
Solution: You configure roaming user profiles.
Does this meet the goal?

A. Yes
B. No

Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows-server/storage/folder-redirection/deploy-roaming-user-profiles

QUESTION 77
You have a Microsoft Azure subscription that contains an Azure Log Analytics workspace.
You deploy a new computer named Computer1 that runs Windows 10. Computer1 is in a workgroup.
You need to ensure that you can use Log Analytics to query events from Computer1.
What should you do on Computer1?

A. Configure the commercial ID

B. Join Azure Active Directory (Azure AD)
C. Create an event subscription
D. Install the Microsoft Monitoring Agent

Answer: D
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agent-windows
QUESTION 78
Your company has a Microsoft Azure Active Directory (Azure AD) tenant.
The company has a Volume Licensing Agreement and uses a product key to activate Windows 10.
You plan to deploy Windows 10 Pro to 200 new computers by using the Microsoft Deployment Toolkit (MDT)
and Windows Deployment Services (WDS).
You need to ensure that the new computers will be configured to have the correct product key during the
installation.
What should you configure?

A. a WDS boot image

B. an MDT task sequence
C. the Device settings in Azure AD
D. a Windows AutoPilot deployment profile

Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-imageusing-
mdt#a-href-idsec08astep-8-deploy-the-windows-10-client-image

QUESTION 79
Your network contains an Active Directory domain that is synced to Microsoft Azure Active Directory (Azure
AD). The domain contains 500 laptops that run Windows 8.1 Professional. The users of the laptops work from
home.
Your company uses Microsoft Intune, the Microsoft Deployment Toolkit (MDT), and Windows Configuration
Designer to manage client computers.
The company purchases 500 licenses for Windows 10 Enterprise.
You verify that the hardware and applications on the laptops are compatible with Windows 10.
The users will bring their laptop to the office, where the IT department will deploy Windows 10 to the laptops
while the users wait.
You need to recommend a deployment method for the laptops that will retain their installed applications. The
solution must minimize how long it takes to perform the deployment.
What should you include in the recommendation?

A. an in-place upgrade
B. a clean installation by using a Windows Configuration Designer provisioning package
C. Windows AutoPilot
D. a clean installation and the User State Migration Tool (USMT)

Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/deployment/windows-10-deployment-scenarios#in-place-upgrade

QUESTION 80
You have a computer named Computer5 that has Windows 10 installed.
You create a Windows PowerShell script named config.ps1.
You need to ensure that config.ps1 runs after feature updates are installed on Computer5.
Which file should you modify on Computer5?

A. Unattend.xml
B. Unattend.bat
C. SetupConfig.ini
D. LiteTouch.wsf

Answer: C
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://www.joseespitia.com/2017/06/01/how-to-run-a-post-script-after-a-windows-10-feature-upgrade/

QUESTION 81
HOTSPOT
You use Microsoft Intune to manage Windows updates.
You have computers that run Windows 10. The computers are in a workgroup and are enrolled in Intune. The
computers are configured as shown in the following table.

On each computer, the Select when Quality Updates are received Group Policy setting is configured as shown
in the following table.

You have Windows 10 update rings in Intune as shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:
Section: (none)
Explanation
Explanation/Reference:

QUESTION 82
Your network contains an Active Directory forest. The forest contains a single domain and three sites named
Site1, Site2, and Site3. Each site is associated to two subnets. Site1 contains two subnets named SubnetA
and SubnetB.
All the client computers in the forest run Windows 10. Delivery Optimization is enabled.
You have a computer named Computer1 that is in SubnetA.
From which hosts will Computer1 download updates?

A. the computers in Site1 only

B. any computer in the domain
C. the computers in SubnetA only
D. any computer on the network

Answer: C
Section: (none)
Explanation
Explanation/Reference:

Explanation:
Delivery Optimization allows updates from other clients that connect to the Internet using the same public IP as
the target client (NAT).
Reference:
https://docs.microsoft.com/en-us/windows/deployment/update/waas-delivery-optimization

QUESTION 83
HOTSPOT
Your network contains an Active Directory domain. The domain contains 1,200 computers that run Windows
8.1.
You deploy an Upgrade Readiness solution in Microsoft Azure and configure the computers to report to
Upgrade Readiness.
From Upgrade Readiness, you open a table view of the applications.
You need to filter the view to show only applications that can run successfully on Windows 10.
How should you configure the filter in Upgrade Readiness? To answer, select the appropriate options in the
answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/deployment/upgrade/upgrade-readiness-resolve-issues

QUESTION 84
HOTSPOT
You have two computers that run Windows 10. The computers are enrolled in Microsoft Intune as shown in the
following table.

Windows 10 update rings are defined in Intune as shown in the following table.
You assign the update rings as shown in the following table.

What is the effect of the configurations on Computer1 and Computer2? To answer, select the appropriate
options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:
Section: (none)
Explanation
Explanation/Reference:

Explanation:
Computer1 and Computer2 are members of Group1. Ring1 is applied to Group1.
Note: The term "Exclude" is misleading. It means that the ring is not applied to that group, rather than that
group being blocked.
Reference:
https://docs.microsoft.com/en-us/windows/deployment/update/waas-wufb-intune
https://allthingscloud.blog/configure-windows-update-business-using-microsoft-intune/

QUESTION 85
Your company standardizes on Windows 10 Enterprise for all users.
Some users purchase their own computer from a retail store. The computers run Windows 10 Pro.
You need to recommend a solution to upgrade the computers to Windows 10 Enterprise, join the computers to
Microsoft Azure Active Directory (Azure AD), and install several Microsoft Store apps. The solution must meet
the following requirements:
Ensure that any applications installed by the users are retained.
Minimize user intervention.
What is the best recommendation to achieve the goal? More than one answer choice may achieve the goal.
Select the BEST answer.

A. Microsoft Deployment ToolKit (MDT)

B. Windows Deployment Services (WDS)
C. a Windows Configuration Designer provisioning package
D. Windows AutoPilot

Answer: C
Section: (none)
Explanation
Explanation/Reference:

Explanation:
You use Windows Configuration Designer to create a provisioning package (.ppkg) that contains customization
settings. You can apply the provisioning package to a device running Windows 10.
Incorrect Answers:
A: Microsoft Deployment Toolkit (MDT) allows you to automate the deployment of Windows operating systems
in your organization. It is not used to upgrade to Windows 10 Enterprise.
B: Windows Deployment Services (WDS) is the revised version of Remote Installation Services (RIS). WDS
enables the deployment of Windows operating systems. You can use it to set up new computers using
network-based installations. It is not used to upgrade to Windows 10 Enterprise.
D: Windows Autopilot is a user-driven mode designed to minimize intervention of the IT administrator.
Reference:
https://docs.microsoft.com/en-us/windows/deployment/upgrade/windows-10-edition-upgrades
https://docs.microsoft.com/en-us/windows/configuration/provisioning-packages/provisioning-create-package

QUESTION 86
You install a feature update on a computer that runs Windows 10.
How many days do you have to roll back the update?

A. 5
B. 10
C. 14
D. 30

Answer: B
Section: (none)
Explanation
Explanation/Reference:

QUESTION 87
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
Your company uses Windows Update for Business.
The research department has several computers that have specialized hardware and software installed.
You need to prevent the video drivers from being updated automatically by using Windows Update.
Solution: From the Windows Update settings in a Group Policy object (GPO), you enable Do not include
drivers with Windows Updates.
Does this meet the goal?

A. Yes
B. No

QUESTION 88
HOTSPOT
Your network contains an Active Directory domain named contoso.com. The domain contains 500 computers
that run Windows 8.1. Some of the computers are used by multiple users.
You plan to refresh the operating system of the computers to Windows 10.
You need to retain the personalization settings to applications before you refresh the computers. The solution
must minimize network bandwidth and network storage space.
Which command should you run on the computers? To answer, select the appropriate options in the answer
area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/deployment/usmt/usmt-scanstate-syntax#how-to-use-ui-and-ue

QUESTION 89
HOTSPOT
You have a hybrid Microsoft Azure Active Directory (Azure AD) tenant.
You configure a Windows Autopilot deployment profile as shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the
information presented in the graphic.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/intune/enrollment-autopilot

QUESTION 90
DRAG DROP
You have 100 computers that run Windows 8.1.
You plan to deploy Windows 10 to the computers by performing a wipe and load installation.
You need to recommend a method to retain the user settings and the user data.
Which three actions should you recommend be performed in sequence? To answer, move the appropriate
actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/deployment/windows-10-deployment-scenarios
http://itproguru.com/expert/2016/01/step-by-step-how-to-migrate-users-and-user-data-from-xp-vista-windows-
7-or-8-to-windows-10-using-microsoft-tool-usmt-user-state-migration-toolkit/

QUESTION 91
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
Your company uses Windows Autopilot to configure the computer settings of computers issued to users.
A user named User1 has a computer named Computer1 that runs Windows 10.
User1 leaves the company.
You plan to transfer the computer to a user named User2.
You need to ensure that when User2 first starts the computer, User2 is prompted to select the language
setting and to agree to the license agreement.
Solution: You perform a local Windows Autopilot Reset.
Does this meet the goal?

A. Yes
B. No

Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot-reset

QUESTION 92
You have a Microsoft 365 subscription.
A remote user purchases a laptop from a retail store. The laptop is intended for company use and has
Windows 10 Pro edition installed.
You need to configure the laptop to meet the following requirements:
Modify the layout of the Start menu
Upgrade Windows 10 to Windows 10 Enterprise
Join the laptop to a Microsoft Azure Active Directory (Azure AD) domain named contoso.com
The solution must minimize how long it takes for the user to apply the configurations.
What should you do?

A. Create a custom Windows image (.wim) file that contains an image of Windows 10 Enterprise and upload
the file to a Microsoft
B. Create a provisioning package (.ppkg) file and email the file to the user
C. Create a Windows To Go workspace and ship the workspace to the user
D. Create a Sysprep Unattend (.xml) file and email the file to the user

Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/configuration/provisioning-packages/provisioning-packages

QUESTION 93
You have a Microsoft 365 subscription. All devices run Windows 10.
You need to prevent users from enrolling the devices in the Windows Insider Program.
What two configurations should you perform from the Endpoint Management admin center? Each correct
answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. a Windows 10 security baseline

B. an app configuration policy
C. a custom device configuration profile
D. a Windows 10 update ring
E. a device restrictions device configuration profile

Answer: C,D
Section: (none)
Explanation
Explanation/Reference:

QUESTION 94
Your network contains an Active Directory domain named contoso.com that syncs to Azure Active Directory
(Azure AD).
Existing on-premises computers are managed by using Microsoft Endpoint Configuration Manager. You
configure contoso.com for co-management.
You deploy 100 new devices that run Windows 10. The devices are joined to Azure AD and enrolled in
Microsoft Intune.
You need to ensure that the devices are co-managed.
What should you create in Intune first?

A. a conditional access policy

B. a device compliance policy
C. an app for the Endpoint Configuration Manager client
D. a device configuration profile
E. an app configuration policy

Answer: C
Section: (none)
Explanation
Explanation/Reference:

Explanation:
For new internet-based devices, you need to create an app in Intune. Deploy this app to Windows 10 devices
that aren't already Configuration Manager clients. This scenario is when you have new Windows 10 devices
that join Azure AD and automatically enroll to Intune. You install the Configuration Manager client to reach a
co-management state.
Reference:
https://docs.microsoft.com/en-us/configmgr/comanage/how-to-prepare-win10

QUESTION 95
Your network contains an Active Directory domain named contoso.com that syncs to Azure Active Directory
(Azure AD).
The Active Directory domain contains 200 computers that run Windows 10. The computers are managed by
using Microsoft System Center Configuration Manager (Current Branch).
You need to pilot co-management for only five of the computers.
What should you create first?

A. a domain local distribution group in Active Directory

B. an Intune Connector for Active Directory
C. a device collection in Endpoint Configuration Manager
D. a dynamic device group in Azure AD

Answer: C
Section: (none)
Explanation
Explanation/Reference:

Explanation:
The Pilot Intune setting switches the associated workload only for the devices in the pilot collection.
Note: When you enable co-management, you'll assign a collection as a Pilot group. This is a group that
contains a small number of clients to test your co-management configurations. We recommend you create a
suitable collection before you start the procedure. Then you can select that collection without exiting the
procedure to do so.
Reference:
https://docs.microsoft.com/en-us/configmgr/comanage/tutorial-co-manage-new-devices

QUESTION 96
HOTSPOT
You network contains an Active Directory domain. The domain contains 200 computers that run Windows 8.1.
You have a Microsoft Azure subscription.
You plan to upgrade the computers to Windows 10.
You need to generate an Upgrade Readiness report for the computers.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:
Section: (none)
Explanation
Explanation/Reference:

QUESTION 97
You have a Microsoft 365 subscription.
You have 20 computers that run Windows 10 and are joined to Microsoft Azure Active Directory (Azure AD).
You plan to replace the computers with new computers that run Windows 10. The new computers will be
joined to Azure AD.
You need to ensure that the desktop background, the favorites, and the browsing history are available on the
new computers.
What should you use?

A. Folder Redirection
B. The Microsoft SharePoint Migration Tool
C. Enterprise State Roaming
D. Roaming user profiles

Answer: C
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/devices/enterprise-state-roaming-windows-settingsreference

QUESTION 98
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
You have a computer named Computer1 that runs Windows 10.
You save a provisioning package named Package1 to a folder named C:\Folder1.
You need to apply Package1 to Computer1.
Solution: From the Settings app, you select Access work or school, and then you select Add or remove a
provisioning package.
Does this meet the goal?

A. Yes
B. No

Answer: A
Section: (none)
Explanation
Explanation/Reference:

Explanation:
To install a provisioning package, navigate to Settings > Accounts > Access work or school > Add or remove a
provisioning package > Add a package, and select the package to install.
Reference:
https://docs.microsoft.com/en-us/windows/configuration/provisioning-packages/provisioning-apply-package

QUESTION 99
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
You have a computer named Computer1 that runs Windows 10.
You save a provisioning package named Package1 to a folder named C:\Folder1.
You need to apply Package1 to Computer1.
Solution: From File Explorer, you go to C:\Folder1, and then you double-click the Package1.ppkg file.
Does this meet the goal?

A. Yes
B. No

Answer: B
Section: (none)
Explanation
Explanation/Reference:

QUESTION 100
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
You have a computer named Computer1 that runs Windows 10.
You save a provisioning package named Package1 to a folder named C:\Folder1.
You need to apply Package1 to Computer1.
Solution: At a command prompt, you change the current folder to C:\Folder1, and then you run the
RegSvr32.exe Package1.ppkg command.
Does this meet the goal?

A. Yes
B. No

Answer: B
Section: (none)
Explanation
Explanation/Reference:

QUESTION 101
You manage 1,000 computers that run Windows 10. All the computers are enrolled in Microsoft Intune. You
manage the servicing channel settings of the computers by using Intune.
You need to review the servicing status of a computer.
What should you do?

A. From Device configuration - Profiles, view the device status.

B. From Device compliance, view the device compliance.
C. From Software updates, view the audit logs.
D. From Software updates, view the Per update ring deployment state.

Answer: D
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/intune/windows-update-compliance-reports

QUESTION 102
You have an Azure Active Directory (Azure AD) tenant named contoso.com.
You plan to use Windows Autopilot to configure the Windows 10 devices shown in the following table.

Which devices can be configured by using Windows Autopilot self-deploying mode?

A. Device2 and Device3 only

B. Device3 only
C. Device2 only
D. Device1, Device2, and Device3

Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/self-deploying

QUESTION 103
HOTSPOT
Your network contains an on-premises Active Directory forest named contoso.com that syncs to Azure Active
Directory (Azure AD). Azure AD contains the users shown in the following table.

You assign Windows 10 Enterprise E5 licenses to Group1 and User2.

You add computers to the network as shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/deployment/windows-10-subscription-activation
QUESTION 104
HOTSPOT
You have an Azure Active Directory (Azure AD) tenant named adatum.com that contains the users shown in
the following table.

You configure the following device settings for the tenant:

Users may join devices to Azure AD: User1
Additional local administrators on Azure AD joined devices: None
You install Windows 10 on a computer named Computer1.
You need to identify which users can join Computer1 to adatum.com, and which users will be added to the
Administrators group after joining adatum.com.
Which users should you identify? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/devices/assign-local-admin

QUESTION 105
You use Microsoft Intune to manage client computers. The computers run one of the following operating
systems:
Windows 8.1
Windows 10 Pro
Windows 10 Enterprise
Windows 10 Enterprise LTSC
You plan to manage Windows updates on the computers by using update rings.
Which operating systems support update rings?

A. Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Enterprise LTSC only

B. Windows 8.1, Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Enterprise LTSC
C. Windows 10 Enterprise and Windows 10 Enterprise LTSC only
D. Windows 10 Pro and Windows 10 Enterprise only

Answer: D
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/intune/protect/windows-update-for-business-configure

QUESTION 106
HOTSPOT
You have a Microsoft Intune subscription.
You are creating a Windows Autopilot deployment profile named Profile1 as shown in the following exhibit.
Profile1 will be deployed to Windows 10 devices.
Use the drop-down menus to select the answer choice that completes each statement based on the
information presented in the graphic.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/user-driven#:~:text=Windows%
20Autopilot%20user%2Ddriven%20mode%20is%20designed%20to%20enable%20new,personnel%20ever%
20touch%20the%20device.
https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/white-glove

QUESTION 107
You have a computer named Computer1 that runs Windows 8.1.
You plan to perform an in-place upgrade of Computer1 to Windows 10 by using an answer file.
You need to identify which tool to use to create the answer file.
What should you identify?

A. System Configuration (Msconfig.exe)

B. Windows Configuration Designer
C. Windows System Image Manager (Windows SIM)
D. Windows Deployment Services (WDS)

Answer: C
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://thesleepyadmins.com/2019/05/31/create-windows-10-answer-file/

QUESTION 108
Your network contains an Active Directory domain. The domain contains 10 computers that run Windows 8.1
and use local user profiles.
You deploy 10 new computers that run Windows 10 and join the computers to the domain.
You need to migrate the user profiles from the Windows 8.1 computers to the Windows 10 computers.
What should you do?

A. From the Windows 8.1 computer of each user, run imagex.exe/capture, and then from the Windows 10
computer of each user, run imagex.exe/apply.
B. Configure roaming user profiles for the users. Instruct the users to first sign in to and out of their Windows
8.1 computer and then to sign in to their Windows 10 computer.
C. From the Windows 8.1 computer of each user, run scanstate.exe, and then from the Windows 10
computer of each user, run loadstate.exe.
D. Configure Folder Redirection for the users. Instruct the users to first sign in to and out of their Windows 8.1
computer, and then to sign in to their Windows 10 computer.

Answer: C
Section: (none)
Explanation
Explanation/Reference:

Explanation:
The ScanState command is used with the User State Migration Tool (USMT) 10.0 to scan the source
computer, collect the files and settings, and create a store.
Reference:
https://docs.microsoft.com/en-us/windows/deployment/usmt/usmt-scanstate-syntax
https://docs.microsoft.com/en-us/windows/deployment/usmt/usmt-loadstate-syntax

QUESTION 109
You have computers that run Windows 8.1 or Windows 10. All the computers are enrolled in Microsoft Intune,
Endpoint Configuration Manager, and Desktop Analytics. Co-management is enabled for your environment.
You plan to upgrade the Windows 8.1 computers to Windows 10.
You need to identify which Windows 8.1 computers do NOT have supported Windows 10 drivers.
What should you use?

A. the General Hardware Inventory report in Configuration Manager

B. the List of devices in a specific device category report in Configuration Manager
C. Deployment plans in Desktop Analytics
D. the Device compliance report in Intune

Answer: C
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/configmgr/desktop-analytics/about-deployment-plans

QUESTION 110
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
You have a computer that runs Windows 8.1.
Two days ago, you upgraded the computer to Windows 10.
You need to downgrade the computer to Windows 8.1.
Solution: From the Settings app, you use the Recovery options.
Does this meet the goal?

A. Yes
B. No

Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://answers.microsoft.com/en-us/windows/forum/windows_10-windows_install/how-to-recover-restoreyour-
previous-version-of/94368560-9c64-4387-92b9-82a9234216ad

QUESTION 111
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
You have a computer that runs Windows 8.1.
Two days ago, you upgraded the computer to Windows 10.
You need to downgrade the computer to Windows 8.1.
Solution: You restart the computer to Windows Recovery Environment (Windows RE) and use the Advanced
options.
Does this meet the goal?

A. Yes
B. No

Answer: B
Section: (none)
Explanation
Explanation/Reference:

QUESTION 112
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
You have a computer that runs Windows 8.1.
Two days ago, you upgraded the computer to Windows 10.
You need to downgrade the computer to Windows 8.1.
Solution: From Windows Update in the Settings app, you use the Advanced options.
Does this meet the goal?

A. Yes
B. No

Answer: B
Section: (none)
Explanation
Explanation/Reference:

QUESTION 113
DRAG DROP
You have five computers that runs Windows 10.
You need to create a provisioning package to configure the computers to meet the following requirements:
Run an interactive app.
Automatically sign in by using a local user account.
Prevent users from accessing the desktop and running other applications.
Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of
actions to the answer area and arrange them in the correct order.
Select and Place:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/configuration/provisioning-packages/provisioning-install-icd
QUESTION 114
HOTSPOT
You upgrade three computers from Windows 8.1 to Windows 10 as shown in the following table.

The in-place upgrade settings used to perform the upgrade are shown in the following table.

After the upgrade, you perform the following actions on each computer:
Add a local user account named LocalAdmin1.
Install Microsoft Office 2019.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
Reference:
https://www.infoworld.com/article/3033806/how-to-roll-back-your-windows-10-upgrade.html

QUESTION 115
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
Your network contains an Active Directory domain. The domain contains member computers that run Windows
8.1 and are enrolled in Microsoft Intune.
You need to identify which computers can be upgraded to Windows 10.
Solution: From the Microsoft Endpoint Manager admin center, you create a device compliance policy and
assign the policy to the computers. After 24 hours, you view the Device compliance report in Intune.
Does this meet the goal?

A. Yes
B. No

Answer: B
Section: (none)
Explanation
Explanation/Reference:

QUESTION 116
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
Your network contains an Active Directory domain. The domain contains member computers that run Windows
8.1 and are enrolled in Microsoft Intune.
You need to identify which computers can be upgraded to Windows 10.
Solution: From Windows on the Devices blade of the Microsoft Endpoint Manager admin center, you create a
filter and export the results as a CSV file.
Does this meet the goal?

A. Yes
B. No

Answer: B
Section: (none)
Explanation
Explanation/Reference:

QUESTION 117
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
Your network contains an Active Directory domain. The domain contains member computers that run Windows
8.1 and are enrolled in Microsoft Intune.
You need to identify which computers can be upgraded to Windows 10.
Solution: You install the Microsoft Assessment and Planning Toolkit. From the Microsoft Assessment and
Planning Toolkit, you collect inventory data and run the Windows 10 Readiness scenario.
Does this meet the goal?

A. Yes
B. No

Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://www.techielass.com/using-maps-azure-readiness/

QUESTION 118
You have a Microsoft 365 tenant that uses Microsoft Intune for mobile device management (MDM).
You associate a Microsoft Store for Business account with Intune.
You purchase an app named App1 from the Microsoft Store for Business.
You need to ensure that App1 can be deployed by using Intune.
What should you do?

A. Sync purchased apps from the Microsoft Store for Business.

B. Integrate the Windows Autopilot Deployment Program into the Microsoft Store for Business.
C. Create an app category in Intune.
D. Create an app protection policy in Intune.

Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/intune/apps/windows-store-for-business

QUESTION 119
HOTSPOT
Your network contains an on-premises Active Directory domain named contoso.com that syncs to Azure Active
Directory (Azure AD).
A user named User1 uses the domain-joined devices shown in the following table.

In the Azure Active Directory admin center, you assign a Windows 10 Enterprise E5 license to User1.
You need to identify what will occur when User1 next signs in to the devices.
What should you identify for each device? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/deployment/windows-10-subscription-activation

QUESTION 120
You have a server that runs the Microsoft Deployment Toolkit (MDT). You have computers that run Windows
8.1 or Windows 10.
You have a Microsoft 365 tenant. Microsoft 365 Enterprise E5 licenses are assigned to all users.
You need to recommend a strategy to install Windows 10 on the Windows 8.1 computers. The installation
must retain the user files, settings, and supported applications.
What should you recommend?

A. Refresh the Window 8.1 computers by using Windows 10 and use the User State Migration Tool (USMT).
B. Perform an in-place upgrade of Windows 8.1 to Windows 10.
C. Refresh the Window 8.1 computers by using Windows 10 and use Windows Autopilot white glove service
to finalize the installation.
D. Refresh the Window 8.1 computers by using Windows 10 and use Windows Autopilot user-driven mode.

Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/deployment/deploy-m365
https://docs.microsoft.com/en-us/windows/deployment/upgrade/windows-10-upgrade-paths

QUESTION 121
You use the Microsoft Deployment Toolkit (MDT) to deploy Windows 10.
You create a new task sequence by using the Standard Client Task Sequence template to deploy Windows 10
Enterprise to new computers. The computers have a single hard disk.
You need to modify the task sequence to create a system volume and a data volume.
Which phase should you modify in the task sequence?

A. Preinstall
B. State Restore
C. Initialization
D. Postinstall

Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://www.prajwaldesai.com/create-extra-partition-in-mdt/

QUESTION 122
HOTSPOT
You have the Microsoft Deployment Toolkit (MDT) installed in three sites as shown in the following table.

You use Distributed File System (DFS) Replication to replicate images in a share named Production.
You configure the following settings in the Bootstrap.ini file.
[Settings]
Priority=DefaultGateway, Default
[DefaultGateway]
10.1.1.1=NewYork
10.5.5.1=London
[NewYork]
DeployRoot=\\MDT1\Production$
[London]
DeployRoot=\\MDT2\Production$
KeyboardLocale=en-gb
[Default]
DeployRoot=\\MDT3\Production$
KeyboardLocale=en-us
You plan to deploy Windows 10 to the computers shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/deployment/deploy-windows-mdt/build-a-distributed-environmentfor-
windows-10-deployment
QUESTION 123
You are replacing 100 company-owned Windows devices.
You need to use the Microsoft Deployment Toolkit (MDT) to securely wipe and decommission the devices. The
solution must meet the following requirements:
Back up the user state.
Minimize administrative effort.
Which task sequence template should you use?

A. Litetouch OEM Task Sequence

B. Sysprep and Capture
C. Standard Client Replace Task Sequence
D. Standard Client Task Sequence

Answer: C
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoftdeployment-
toolkit

QUESTION 124
HOTSPOT
You have the devices shown in the following table.

You plan to implement Desktop Analytics.

You need to identify which devices support the following:
Compatibility insights
App usage insights
Which devices should you identify? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/configmgr/desktop-analytics/compat-assessmenthttps://
docs.microsoft.com/en-us/mem/configmgr/desktop-analytics/compat-assessment
https://azure.microsoft.com/en-us/updates/application-insights-adds-support-for-ios-and-android-appsimproved-
java-app-support-and-fine-time-selection/

QUESTION 125
HOTSPOT
You use the Microsoft Deployment Toolkit (MDT) to deploy Windows 10.
You need to modify the deployment share to meet the following requirements:
Ensure that the user who performs the installation is prompted to set the local Administrator password.
Define a rule for how to name computers during the deployment.
The solution must NOT replace the existing WinPE image.
Which file should you modify for each requirement? To answer, select the appropriate options in the answer
area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-imageusing-
mdt

QUESTION 126
You have the Microsoft Deployment Toolkit (MDT) installed.
You install and customize Windows 10 on a reference computer.
You need to capture an image of the reference computer and ensure that the image can be deployed to
multiple computers.
Which command should you run before you capture the image?

A. dism
B. wpeinit
C. bcdedit
D. sysprep

Answer: D
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/sysprep--system-preparation--
overview

QUESTION 127
You have a Microsoft Deployment Toolkit (MDT) deployment share named DS1.
In the Out-of-Box Drivers node, you create folders that contain drivers for different hardware models.
You need to configure the Inject Drivers MDT task to use PnP detection to install the drivers for one of the
hardware models.
What should you do first?

A. Create a selection profile

B. Import an OS package
C. Add a Validate task to the task sequence
D. Add a Gather task to the task sequence

Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-imageusing-
mdt

QUESTION 128
Your network contains an Active Directory domain. The domain contains computers that run Windows 8.1 and
the users shown in the following table.

You plan to use the Microsoft Assessment and Planning (MAP) Toolkit to collect inventory data. The MAP
Toolkit has the following configurations:
Inventory scenario: Windows computers
Discovery method: Use Active Directory Domain Services (AD DS)
You need to identify which user to use for the MAP Toolkit inventory discovery. The solution must use principle
of least privilege.
What should you identify?

A. User3
B. User1
C. User4
D. User2

Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://social.technet.microsoft.com/wiki/contents/articles/17808.map-toolkit-choose-a-discovery-method.aspx

QUESTION 129
You are configuring an SSTP VPN.
When you attempt to connect to the VPN, you receive the message shown in the exhibit. (Click the Exhibit
tab.)

What should you do to ensure that you can connect to the VPN?

A. Change the VPN type

B. Generate a computer certificate from the root certification authority (CA)
C. Install the root certificate

Answer: B
Section: (none)
Explanation
Explanation/Reference:

QUESTION 130
HOTSPOT
You have a Microsoft 365 tenant that contains the users shown in the following table.
You have Windows 10 devices enrolled in Microsoft Intune as shown in the following table.

You create a Windows 10 update ring that has the following settings:
Basics:
- Name: Ring1
Update ring settings:
- Active hours start: 8 AM
- Active hours end: 8 PM
Assignments:
- Included Groups: All devices
- Excluded Groups: Group1
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:
Section: (none)
Explanation
Explanation/Reference:

Explanation:
Box 1: No
Device1 is a personal device
Box 2: Yes
Box 3: Yes
You cannot mix User and Device Groups while Excluding groups. It is not supported, and the Excluded group
will be ignored.
Reference:
https://docs.microsoft.com/en-us/mem/intune/protect/windows-10-update-rings

QUESTION 131
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
Your company has an Azure Active Directory (Azure AD) tenant named contoso.com and a Microsoft Intune
subscription.
Contoso.com contains a user named [email protected].
You have a computer named Computer1 that runs Windows 8.1.
You need to perform an in-place upgrade of Computer1 to Windows 10.
Solution: You start Computer1 from the Windows 10 installation media and use the Install option.
Does this meet the goal?

A. Yes
B. No

Answer: B
Section: (none)
Explanation
Explanation/Reference:

QUESTION 132
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
Your company has an Azure Active Directory (Azure AD) tenant named contoso.com and a Microsoft Intune
subscription.
Contoso.com contains a user named [email protected].
You have a computer named Computer1 that runs Windows 8.1.
You need to perform an in-place upgrade of Computer1 to Windows 10.
Solution: You assign a Windows 10 license to User1. You instruct User1 to sign in to Computer1.
Does this meet the goal?

A. Yes
B. No

Answer: B
Section: (none)
Explanation
Explanation/Reference:

QUESTION 133
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
Your company has an Azure Active Directory (Azure AD) tenant named contoso.com and a Microsoft Intune
subscription.
Contoso.com contains a user named [email protected].
You have a computer named Computer1 that runs Windows 8.1.
You need to perform an in-place upgrade of Computer1 to Windows 10.
Solution: From Windows 8.1, you run setup.exe from the Windows 10 installation media.
Does this meet the goal?

A. Yes
B. No

Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://www.kapilarya.com/how-to-upgrade-to-windows-10-using-iso-file

QUESTION 134
DRAG DROP
You have a Microsoft Deployment Toolkit (MDT) deployment share that has a path of D:\MDTShare.
You need to add a feature pack to the boot image.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of
actions to the answer area and arrange them in the correct order.
Select and Place:
Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-imageusing-
mdt
QUESTION 135
HOTSPOT
You create a Windows Autopilot deployment profile.
You need to configure the profile settings to meet the following requirements:
Automatically enroll new devices and provision system apps without requiring end-user authentication.
Include the hardware serial number in the computer name.
Which two settings should you configure? To answer, select the appropriate settings in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/autopilot/profiles

QUESTION 136
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
You have a computer that runs Windows 8.1.
Two days ago, you upgraded the computer to Windows 10.
You need to downgrade the computer to Windows 8.1.
Solution: From View update history in the Settings app, you select Uninstall updates.
Does this meet the goal?

A. Yes
B. No

Answer: B
Section: (none)
Explanation
Explanation/Reference:

QUESTION 137
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
Your network contains an Active Directory domain. The domain contains member computers that run Windows
8.1 and are enrolled in Microsoft Intune.
You need to identify which computers can be upgraded to Windows 10.
Solution: You install the Microsoft Assessment and Planning Toolkit. From the Microsoft Assessment and
Planning Toolkit, you collect inventory data and run the Windows 8.1 Readiness scenario.
Does this meet the goal?

A. Yes
B. No

Answer: B
Section: (none)
Explanation
Explanation/Reference:

QUESTION 138
DRAG DROP
You have a Microsoft Deployment Toolkit (MDT) deployment share named DS1.
You import a Windows 10 image to DS1.
You have an executable installer for an application named App1.
You need to ensure that App1 will be installed for all the task sequences that deploy the image.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of
actions to the answer area and arrange them in the correct order.
Select and Place:
Correct Answer:

QUESTION 139
You have 100 computers that run Windows 8.1.
You need to identify which computers can be upgraded to Windows 10.
What should you use?

A. Microsoft Assessment and Planning (MAP) Toolkit

B. Update Compliance in Azure
C. Windows Assessment Toolkit
D. Microsoft Deployment Toolkit (MDT)

Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://www.techielass.com/using-maps-azure-readiness/
QUESTION 140
You have 100 computers that run Windows 8.1.
You need to create a report that will assess the Windows 10 readiness of the computers.
What should you use?

A. Windows Assessment and Deployment Kit (Windows ADK)

B. Microsoft Assessment and Planning (MAP) Toolkit
C. Windows Deployment Services (WDS)
D. Microsoft Desktop Optimization Pack (MDOP)

Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://www.techielass.com/using-maps-azure-readiness/

QUESTION 141
HOTSPOT
You have a Microsoft 365 tenant.
You have a Windows 10 update ring named Policy1 as shown in the following exhibit.

A Windows 10 Feature update deployment named Policy2 is configured as shown in the following exhibit.
You have devices enrolled in Microsoft Intune as shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/intune/protect/windows-10-update-rings

QUESTION 142
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
Your company has an Azure Active Directory (Azure AD) tenant named contoso.com and a Microsoft Intune
subscription.
Contoso.com contains a user named [email protected].
You have a computer named Computer1 that runs Windows 8.1.
You need to perform an in-place upgrade of Computer1 to Windows 10.
Solution: You assign an Enterprise Mobility + Security license to User1. You instruct User1 to sign in to
Computer1.
Does this meet the goal?

A. Yes
B. No

Answer: B
Section: (none)
Explanation
Explanation/Reference:

QUESTION 143
HOTSPOT
Your network contains an on-premises Active Directory domain that contains the locations shown in the
following table.

In Microsoft Intune, you enroll the Windows 10 devices shown in the following table.

You have a Delivery Optimization device configuration profile applied to all the devices. The profile is
configured as shown in the following exhibit.
From which devices can Device1 and Device2 get updates? To answer, select the appropriate options in the
answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/intune/configuration/delivery-optimization-settings
https://docs.microsoft.com/en-us/windows/deployment/update/waas-delivery-optimization-reference#selectthe-
source-of-group-ids

QUESTION 144
DRAG DROP
Your network contains an Active Directory domain.
You install the Microsoft Deployment Toolkit (MDT) on a server.
You have a custom image of Windows 10.
You need to deploy the image to 100 devices by using MDT.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of
actions to the answer area and arrange them in the correct order.
Select and Place:

Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-imageusing-
mdt

QUESTION 145
You have a Microsoft 365 tenant.
You plan to enable Enterprise State Roaming.
Which three types of data will sync across devices? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.

A. Microsoft Teams settings

B. mouse settings
C. Microsoft Edge Chromium settings
D. internet passwords
E. desktop theme settings

Answer: C,D,E
Section: (none)
Explanation
Explanation/Reference:

QUESTION 146
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
Your company uses Windows Autopilot to configure the computer settings of computers issued to users.
A user named User1 has a computer named Computer1 that runs Windows 10. User1 leaves the company.
You plan to transfer the computer to a user named User2.
You need to ensure that when User2 first starts the computer, User2 is prompted to select the language
setting and to agree to the license agreement.
Solution: You perform a remote Windows Autopilot Reset.
Does this meet the goal?

A. Yes
B. No

Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot-reset-remote

QUESTION 147
HOTSPOT
You have 100 Windows 10 devices enrolled in Microsoft Intune.
You need to configure the devices to retrieve Windows updates from the internet and from other computers on
a local network.
Which Delivery Optimization setting should you configure, and which type of Intune object should you create?
To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
Explanation:
Box 1: Download mode
Download mode specifies the download method that Delivery Optimization uses to download content.
Box 2: A configuration profile
Delivery Optimization settings are configured as part of the device configuration profile.
Reference:
https://docs.microsoft.com/en-us/mem/intune/configuration/delivery-optimization-settings
https://docs.microsoft.com/en-us/mem/intune/configuration/delivery-optimization-windows

QUESTION 148
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
Your company uses Windows Autopilot to configure the computer settings of computers issued to users.
A user named User1 has a computer named Computer1 that runs Windows 10. User1 leaves the company.
You plan to transfer the computer to a user named User2.
You need to ensure that when User2 first starts the computer, User2 is prompted to select the language
setting and to agree to the license agreement.
Solution: You create a new Windows Autopilot user-driven deployment profile.
Does this meet the goal?

A. Yes
B. No

Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/user-driven

QUESTION 149
You have a Microsoft 365 subscription.
You have 20 computers that run Windows 10 and are joined to Microsoft Azure Active Directory (Azure AD).
You plan to replace the computers with new computers that run Windows 10. The new computers will be
joined to Azure AD.
You need to ensure that the desktop theme, taskbar settings, and Bluetooth settings are available on the new
computers.
What should you use?

A. Folder Redirection
B. The Microsoft SharePoint Migration Tool
C. Enterprise State Roaming
D. Roaming user profiles

Answer: D
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows-server/storage/folder-redirection/folder-redirection-rup-overview
Manage Policies and Profiles
Testlet 1
Case study
This is a case study. Case studies are not timed separately. You can use as much exam time as you
would like to complete each case. However, there may be additional case studies and sections on this
exam. You must manage your time to ensure that you are able to complete all questions included on this exam
in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the
case study. Case studies might contain exhibits and other resources that provide more information about the
scenario that is described in the case study. Each question is independent of the other questions in this case
study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and
to make changes before you move to the next section of the exam. After you begin a new section, you cannot
return to this section.
To start the case study
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore
the content of the case study before you answer the questions. Clicking these buttons displays information
such as business requirements, existing environment, and problem statements. When you are ready to answer
a question, click the Question button to return to the question.
General Overview
Litware, Inc. is an international manufacturing company that has 3,000 employees. The company has sales,
marketing, research, human resources (HR), development, and IT departments.
Litware has two main offices in New York and Los Angeles. Litware has five branch offices in Asia.
Existing Environment
Current Business Model
The Los Angeles office has 500 developers. The developers work flexible hours ranging from 11 AM to 10 PM.
Litware has a Microsoft Endpoint Configuration Manager deployment.
During discovery, the company discovers a process where users are emailing bank account information of its
customers to internal and external recipients.
Current Environment
The network contains an Active Directory domain that is synced to Microsoft Azure Active Directory (Azure
AD). The functional level of the forest and the domain is Windows Server 2012 R2. All domain controllers run
Windows Server 2012 R2.
Litware has the computers shown in the following table.

The development department uses projects in Azure DevOps to build applications.

Most of the employees in the sales department are contractors. Each contractor is assigned a computer that
runs Windows 10. At the end of each contract, the computer is assigned to a different contractor. Currently, the
computers are re-provisioned manually by the IT department.
Problem Statements
Litware identifies the following issues on the network:
Employees in the Los Angeles office report slow Internet performance when updates are downloading. The
employees also report that the updates frequently consume considerable resources when they are
installed. The Update settings are configured as shown in the Updates exhibit. (Click the Updates button.)
Management suspects that the source code for the proprietary applications in Azure DevOps in being
shared externally.
Re-provisioning the sales department computers is too time consuming.
Requirements
Business Goals
Litware plans to transition to co-management for all the company-owned Windows 10 computers. Whenever
possible, Litware wants to minimize hardware and software costs.
Device Management Requirements
Litware identifies the following device management requirements:
Prevent the sales department employees from forwarding email that contains bank account information.
Ensure that Microsoft Edge Favorites are accessible from all computers to which the developers sign in.
Prevent employees in the research department from copying patented information from trusted applications
to untrusted applications.
Technical Requirements
Litware identifies the following technical requirements for the planned deployment:
Re-provision the sales department computers by using Windows AutoPilot.
Ensure that the projects in Azure DevOps can be accessed from the corporate network only.
Ensure that users can sign in to the Azure AD-joined computers by using a PIN. The PIN must expire every
30 days.
Ensure that the company name and logo appears during the Out of Box Experience (OOBE) when using
Windows AutoPilot.
Exhibits
Updates
QUESTION 150
What should you use to meet the technical requirements for Azure DevOps?

A. An app protection policy

B. Windows Information Protection (WIP)
C. Conditional access
D. A device configuration profile

Answer: C
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/manage-conditional-access?
view=azure-devops

QUESTION 151
What should you upgrade before you can configure the environment to support co-management?

A. the domain functional level

B. Microsoft Endpoint Configuration Manager
C. the domain controllers
D. Windows Server Update Services (WSUS)

Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/sccm/comanage/tutorial-co-manage-clients

QUESTION 152
You need to meet the device management requirements for the developers.
What should you implement?

A. Enterprise State Roaming

B. folder redirection
C. home folders
D. known folder redirection in Microsoft OneDrive

Answer: A
Section: (none)
Explanation
Explanation/Reference:

Explanation:
Litware identifies the following device management requirements:
Ensure that Microsoft Edge Favorites are accessible from all computers to which the developers sign in.
Enterprise State Roaming allows for the synchronization of Microsoft Edge browser setting, including favorites
and reading list, across devices.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/devices/enterprise-state-roaming-windows-settingsreference
Manage Policies and Profiles
Testlet 2
Case study
This is a case study. Case studies are not timed separately. You can use as much exam time as you
would like to complete each case. However, there may be additional case studies and sections on this
exam. You must manage your time to ensure that you are able to complete all questions included on this exam
in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the
case study. Case studies might contain exhibits and other resources that provide more information about the
scenario that is described in the case study. Each question is independent of the other questions in this case
study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and
to make changes before you move to the next section of the exam. After you begin a new section, you cannot
return to this section.
To start the case study
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore
the content of the case study before you answer the questions. Clicking these buttons displays information
such as business requirements, existing environment, and problem statements. When you are ready to answer
a question, click the Question button to return to the question.
Overview
Contoso, Ltd. is a consulting company that has a main office in Montreal and two branch offices in Seattle and
New York.
Contoso has the users and computers shown in the following table.

User2 is a device enrollment manager (DEM) in Intune.

The devices enrolled in Intune are shown in the following table.
The device compliance policies in Intune are configured as shown in the following table.

The device compliance policies have the assignments shown in the following table.

The device limit restrictions in Intune are configured as shown in the following table.

QUESTION 153
You need to meet the technical requirements for the iOS devices.
Which object should you create in Intune?
A. A compliance policy
B. An app protection policy
C. A deployment profile
D. A device configuration profile

Answer: D
Section: (none)
Explanation
Explanation/Reference:

Explanation:
Scenario: Technical requirements include: Block iOS devices from sending diagnostic and usage telemetry
data.
Intune includes device restriction policies that help administrators control Android, iOS, macOS, and Windows
devices. These restrictions let you control a wide range of settings and features to protect your organization's
resources. For example, administrators can:
Allow or block the device camera
Control access to Google Play, app stores, viewing documents, and gaming
Block built-in apps, or create a list of apps that allowed or prohibited
Allow or prevent backing up files to cloud and storage accounts
Set a minimum password length, and block simple passwords
Reference:
https://docs.microsoft.com/en-us/intune/device-restrictions-configure

QUESTION 154
HOTSPOT
To which devices do Policy1 and Policy2 apply? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/intune/device-profile-assign

QUESTION 155
HOTSPOT
What is the maximum number of devices that User1 and User2 can enroll in Intune? To answer, select the
appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:
Section: (none)
Explanation
Explanation/Reference:

QUESTION 156
You need to meet the technical requirements for the IT department.
What should you do first?

A. From the Azure Active Directory blade in the Azure portal, enable Seamless single sign-on.
B. From the Configuration Manager console, add an Intune subscription.
C. From the Azure Active Directory blade in the Azure portal, configure the Mobility (MDM and MAM) settings.
D. From the Microsoft Intune blade in the Azure portal, configure the Windows enrollment settings.

Answer: C
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/sccm/comanage/tutorial-co-manage-clients

QUESTION 157
HOTSPOT
You are evaluating which devices are compliant.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:

Section: (none)
Explanation
Explanation/Reference:

QUESTION 158
HOTSPOT
You create a new conditional access policy that has an assignment for Office 365 Exchange Online.
You need to configure the policy to meet the technical requirements for Group4.
Which two settings should you configure in the policy? To answer, select the appropriate settings in the
answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:

Explanation:
The policy needs to be applied to Group4 so we need to configure Users and Groups.
The Access controls are set to Block access

We therefore need to exclude compliant devices.

From the scenario:
Ensure that the users in a group named Group4 can only access Microsoft Exchange Online from devices
that are enrolled in Intune.
Note: When a device enrolls in Intune, the device information is updated in Azure AD to include the device
compliance status. This compliance status is used by conditional access policies to block or allow access to email
and other organization resources.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/conditions
https://docs.microsoft.com/en-us/intune/device-compliance-get-started
Manage Policies and Profiles
Testlet 3
Case study
This is a case study. Case studies are not timed separately. You can use as much exam time as you
would like to complete each case. However, there may be additional case studies and sections on this
exam. You must manage your time to ensure that you are able to complete all questions included on this exam
in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the
case study. Case studies might contain exhibits and other resources that provide more information about the
scenario that is described in the case study. Each question is independent of the other questions in this case
study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and
to make changes before you move to the next section of the exam. After you begin a new section, you cannot
return to this section.
To start the case study
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore
the content of the case study before you answer the questions. Clicking these buttons displays information
such as business requirements, existing environment, and problem statements. If the case study has an All
Information tab, note that the information displayed is identical to the information displayed on the subsequent
tabs. When you are ready to answer a question, click the Question button to return to the question.
Overview
Contoso, Ltd. is a consulting company that has a main office in Montreal and branch offices in Seattle and
New York.
Contoso has a Microsoft 365 E5 subscription.
Environment
Network Environment
The network contains an on-premises Active Directory domain named contoso.com. The domain contains the
servers shown in the following table.

The Windows 10 devices are joined to Azure AD and enrolled in Microsoft Intune.
The Windows 10 devices are configured as shown in the following table.

The Compliance policy settings are shown in the following exhibit.

The Automatic Enrollment settings have the following configurations:

Currently, there are no devices deployed by using Window Autopilot.

QUESTION 159
HOTSPOT
User1 and User2 plan to use Sync your settings.
On which devices can the users use Sync your settings? To answer, select the appropriate options in the
answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://www.jeffgilb.com/managing-local-administrators-with-azure-ad-and-intune/

QUESTION 160
Which user can enroll Device6 in Intune?

A. User4 and User2 only

B. User4 and User1 only
C. User4, User1, and User2 only
D. User1, User2, User3, and User4

Answer: B
Section: (none)
Explanation
Explanation/Reference:

QUESTION 161
HOTSPOT
You implement the planned changes for Connection1 and Connection2.
How many VPN connections will there be for User1 when the user signs in to Device1 and Device2? To
answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:

QUESTION 162
HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:
Section: (none)
Explanation
Explanation/Reference:

QUESTION 163
HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
Manage Policies and Profiles
Question Set 4

QUESTION 164
HOTSPOT
You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains a user named User1.
User1 has the devices shown in the following table.
On September 5, 2019, you create and enforce a terms of use (ToU) in contoso.com. The ToU has the
following settings:
Name: Terms1
Display name: Terms1 name
Require users to expand the terms of use: Off
Require users to consent on every device: On
Expire consents: On
Expire starting on: October 10, 2019
Frequency: Monthly
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/terms-of-use#frequently-askedquestions

QUESTION 165
HOTSPOT
You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains the devices shown in
the following table.
All devices contain an app named App1 and are enrolled in Microsoft Intune.
You need to prevent users from copying data from App1 and pasting the data into other apps.
Which type of policy and how many policies should you create in Intune? To answer, select the appropriate
options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/intune/apps/app-protection-policies
https://docs.microsoft.com/en-us/mem/intune/apps/app-protection-policies-configure-windows-10

QUESTION 166
Your company has an internal portal that uses a URL of http://contoso.com.
The network contains computers that run Windows 10. The default browser on all the computers is Microsoft
Edge.
You need to ensure that all users only use Internet Explorer to connect to the internal portal. The solution must
ensure that Microsoft Edge can be used to connect to all other websites.
What should you do from each computer?

A. From Internet Explorer, configure the Compatibility View settings

B. From the local policy, configure Enterprise Mode
C. From Microsoft Edge, configure the Advanced Site Settings
D. From the Settings app, configure the default web browser settings

Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/microsoft-edge/deploy/emie-to-improve-compatibility

QUESTION 167
Your company uses Microsoft Intune.
More than 500 Android and iOS devices are enrolled in the Intune tenant.
You plan to deploy new Intune policies. Different policies will apply depending on the version of Android or iOS
installed on the device.
You need to ensure that the policies can target the devices based on their version of Android or iOS.
What should you configure first?

A. Corporate device identifiers in Intune

B. Device settings in Microsoft Azure Active Directory (Azure AD)
C. Device categories in Intune
D. Groups that have dynamic membership rules in Microsoft Azure Active Directory (Azure AD)

Answer: D
Section: (none)
Explanation
Explanation/Reference:

Explanation:
We can create dynamic groups by using the deviceOSVersion or deviceOSType properties, and then apply
Intune configuration policies to those groups.
Reference:
https://docs.microsoft.com/en-us/archive/blogs/pauljones/dynamic-group-membership-in-azure-activedirectory-
part-2
https://docs.microsoft.com/en-ie/mem/intune/enrollment/device-group-mapping

QUESTION 168
You have computers that run Windows 10 Pro. The computers are joined to Microsoft Azure Active Directory
(Azure AD) and enrolled in Microsoft Intune.
You need to upgrade the computers to Windows 10 Enterprise.
What should you configure in Intune?

A. A device enrollment policy

B. A device cleanup rule
C. A device compliance policy
D. A device configuration profile

QUESTION 169
You are creating a device configuration profile in Microsoft Intune.
You need to implement an ADMX-backed policy.
Which profile type should you use?

A. Identity protection
B. Custom
C. Device restrictions
D. Device restrictions (Windows 10 Team)

Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://blogs.technet.microsoft.com/senthilkumar/2018/05/21/intune-deploying-admx-backed-policies-usingmicrosoft-
intune/

QUESTION 170
HOTSPOT
You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains the users shown in
the following table.

Contoso.com contains the devices shown in the following table.

In Intune, you create the app protection policies shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/intune/apps/app-protection-policy

QUESTION 171
Your network contains an Active Directory named contoso.com. The domain contains two computers named
Computer1 and Computer2 that run Windows 10.
Folder Redirection is configured for a domain user named User1. The AppData\Roaming folder and the
Desktop folder are redirected to a network share.
User1 signs in to Computer1 and performs the following tasks:
Configures screen saver to start after five minutes of inactivity
Modifies the default save location for Microsoft Word
Creates a file named File1.docx on the desktop
Modifies the desktop background
What will be retained when User1 signs in to Computer2?

A. File1.docx and the desktop background only

B. File1.docx, the screen saver settings, the desktop background, and the default save location for Word
C. File1.docx only
D. File1.docx, the desktop background, and the default save location for Word only

Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows-server/storage/folder-redirection/folder-redirection-rup-overview

QUESTION 172
HOTSPOT
You have a computer named Computer1 that runs Windows 10.
Computer1 has the users shown in the following table.
User1 signs in to Computer1, creates the following files, and then signs out:
File1.docx in C:\Users\User1\Desktop
File2.docx in C:\Users\Public\Public Desktop
File3.docx in C:\Users\Default\ Desktop
User3 then signs in to Computer1 and creates a file named File4.docx in C:\Users\User3\Desktop.
User2 has never signed in to Computer1.
How many DOCX files will appear on the desktop of each user the next time each user signs in? To answer,
select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:
Section: (none)
Explanation
Explanation/Reference:

QUESTION 173
Your network contains an Active Directory domain named contoso.com. The domain contains 200 computers
that run Windows 10.
Folder Redirection for the Desktop folder is configured as shown in the following exhibit.
The target is set to Server1.
You plan to use known folder redirection in Microsoft OneDrive for Business.
You need to ensure that the desktop content of users remains on their desktop when you implement known
folder redirection.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. Clear the Grant the user exclusive rights to Desktop check box.
B. Change the Policy Removal setting.
C. Disable Folder Redirection.
D. Clear the Move the contents of Desktop to the new location check box.

Answer: A,B
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/onedrive/redirect-known-folders

QUESTION 174
HOTSPOT
You have a Microsoft 365 subscription.
All computers are enrolled in Microsoft Intune.
You have business requirements for securing your Windows 10 environment as shown in the following table.

What should you implement to meet each requirement? To answer, select the appropriate options in the
answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/intune/protect/device-compliance-get-started

QUESTION 175
HOTSPOT
Your company has computers that run Windows 10. The employees at the company use the computers.
You plan to monitor the computers by using the Update Compliance solution.
You create the required resources in Azure.
You need to configure the computers to send enhanced Update Compliance data.
Which two Group Policy settings should you configure? To answer, select the appropriate settings in the
answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/deployment/update/update-compliance-configuration-manual

QUESTION 176
HOTSPOT
You are licensed for Microsoft Endpoint Manager.
You use Microsoft Endpoint Configuration Manager and Microsoft Intune.
You have devices enrolled in Configuration Manager as shown in the following table.

In Configuration Manager, you enable co-management and configure the following settings:
Automatic enrolment in Intune: Pilot
Intune Auto Enrollment: Collection1
In Configuration Manager, you configure co-management staging to have the following settings:
Compliance policies: Collection2
Device Configuration: Collection1
In Configuration Manager, you configure co-management workloads as shown in the following exhibit.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Hot Area:

Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/configmgr/comanage/workloads

QUESTION 177
You have an Azure Active Directory group named Group1. Group1 contains two Windows 10 Enterprise
devices named Device1 and Device2.
You create a device configuration profile named Profile1. You assign Profile1 to Group1.
You need to ensure that Profile1 applies to Device1 only.
What should you modify in Profile1?

A. Scope (Tags)
B. Settings
C. Applicability Rules
D. Assignments

Answer: D
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/intune/configuration/device-profile-assign

QUESTION 178
Your network contains an on-premises Active Directory domain and an Azure Active Directory (Azure AD)
tenant.
The Default Domain Policy Group Policy Object (GPO) contains the settings shown in the following table.

You need to migrate the existing Default Domain Policy GPO settings to a device configuration profile.
Which type of device configuration profile should you create?

A. Custom
B. Endpoint protection
C. Administrative Templates
D. Device restrictions

Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://danielchronlund.com/2018/11/27/how-to-replace-your-old-gpos-with-intune-configuration-profiles/

QUESTION 179
Your company plans to deploy tablets to 50 meeting rooms.
The tablets run Windows 10 and are managed by using Microsoft Intune. The tablets have an application
named App1.
You need to configure the tablets so that any user can use App1 without having to sign in. Users must be
prevented from using other applications on the tablets.
Which device configuration profile type should you use?

A. Kiosk
B. Endpoint protection
C. Identity protection
D. Device restrictions

Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/configuration/kiosk-single-app

QUESTION 180
HOTSPOT
Your network contains an Active Directory domain named contoso.com that syncs to Azure Active Directory
(Azure AD). The domain contains computers that run Windows 10. The computers are configured as shown in
the following table.

All the computers are enrolled in Microsoft Intune.

You configure the following Maintenance Scheduler settings in the Default Domain Policy:
Turn off auto-restart for updates during active hours: Enabled
Active hours start: 08:00
Active hours end: 22:00
In Intune, you create a device configuration profile named Profile1 that has the following OMA-URI settings:
./Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP set to value 1
./Device/Vendor/MSFT/Policy/Config/Update/ActiveHoursStart set to value 9
./Device/Vendor/MSFT/Policy/Config/Update/ActiveHoursEnd set to value 21
You assign Profile to Group1.
How are the active hours configured on Computer1 and Computer2? To answer, select the appropriate options
in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-controlpolicyconflict

QUESTION 181
HOTSPOT
You have a Microsoft 365 subscription.
You have 25 Microsoft Surface Hub devices that you plan to manage by using Microsoft Endpoint Manager.
You need to configure the devices to meet the following requirements:
Enable Windows Hello for Business.
Configure Microsoft Defender SmartScreen to block users from running unverified files.
Which profile types should you configure? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/intune/protect/identity-protection-windows-settings?toc=/intune/
configuration/toc.json&bc=/intune/configuration/breadcrumb/toc.json
https://docs.microsoft.com/en-us/mem/intune/protect/endpoint-protection-windows-10?toc=/intune/
configuration/toc.json&bc=/intune/configuration/breadcrumb/toc.json

QUESTION 182
DRAG DROP
Your network contains an Active Directory domain that is synced to Microsoft Azure Active Directory (Azure
AD). All computers are joined to the domain and registered to Azure AD.
The network contains a Microsoft Endpoint Configuration Manager deployment that is configured for comanagement
with Microsoft Intune.
All the computers in the finance department are managed by using Endpoint Configuration Manager. All the
computers in the marketing department are managed by using Intune.
You install new computers for the users in the marketing department by using the Microsoft Deployment
Toolkit (MDT).
You purchase an application named App1 that uses an MSI package.
You need to install App1 on the finance department computers and the marketing department computers.
How should you deploy App1 to each department? To answer, drag the appropriate deployment methods to
the correct departments. Each deployment method may be used once, more than once, or not at all. You may
need to drag the split bat between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Select and Place:

Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/intune/apps-add
https://docs.microsoft.com/en-us/sccm/apps/get-started/create-and-deploy-an-application

QUESTION 183
Your company has a Microsoft 365 subscription.
The company uses Microsoft Intune to manage all devices.
The company uses conditional access to restrict access to Microsoft 365 services for devices that do not
comply with the company?s security policies.
You need to identify which devices will be prevented from accessing Microsoft 365 services.
What should you use?

A. The Device tab in Desktop Analytics.

B. Microsoft Defender Security Center.
C. The Device compliance blade in the Microsoft Endpoint Manager admin center.
D. The Conditional access blade in the Azure Active Directory admin center.

Answer: C
Section: (none)
Explanation
Explanation/Reference:

QUESTION 184
HOTSPOT
You have 200 computers that run Windows 10.
You need to create a provisioning package to configure the following tasks:
Remove the Microsoft News and the Xbox Microsoft Store apps.
Add a VPN connection to the corporate network.
Which two customizations should you configure? To answer, select the appropriate customizations in the
answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/configuration/wcd/wcd-connectivityprofiles
https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-configuration-serviceprovider#
applicationmanagement-applicationrestrictions
https://docs.microsoft.com/en-us/windows/configuration/wcd/wcd-policies

QUESTION 185
You have an Azure Active Directory (Azure AD) tenant named contoso.com.
You create a terms of use (ToU) named Terms1 in contoso.com.
You are creating a conditional access policy named Policy1 to assign a cloud app named App1 to the users in
contoso.com.
You need to configure Policy1 to require the users to accept Terms1.
What should you configure in Policy1?
A. Grant in the Access controls section
B. Conditions in the Assignments section
C. Cloud apps or actions in the Assignments section
D. Session in the Access controls section

Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/require-tou

QUESTION 186
HOTSPOT
You have devices enrolled in Microsoft Intune as shown in the following table.

You create device configuration profiles in Intune as shown in the following table.

You assign the device configuration profiles to groups as shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:
Section: (none)
Explanation
Explanation/Reference:

Explanation:
If a compliance policy evaluates against the same setting in another compliance policy, then the most
restrictive compliance policy setting applies.
Reference:
https://docs.microsoft.com/en-us/mem/intune/configuration/device-profile-troubleshoot

QUESTION 187
HOTSPOT
You use Microsoft Endpoint Manager to manage Windows 10 devices.
You are designing a reporting solution that will provide reports on the following:
Compliance policy trends
Trends in device and user enrolment
App and operating system version breakdowns of mobile devices
You need to recommend a data source and a data visualization tool for the design.
What should you recommend? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/intune/developer/reports-nav-create-intune-reports
https://docs.microsoft.com/en-us/mem/intune/developer/reports-proc-get-a-link-powerbi

QUESTION 188
HOTSPOT
In Microsoft Intune, you have the device compliance policies shown in the following table.

The Intune compliance policy settings are configured as shown in the following exhibit.

On June 1, you enroll Windows 10 devices in Intune as shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/intune/protect/actions-for-noncompliance

QUESTION 189
HOTSPOT
You have a Microsoft Intune subscription.
You create the Windows Autopilot deployment profile-shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the
information presented in the graphic.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/user-driven

QUESTION 190
You need to assign the same deployment profile to all the computers that are configured by using Windows
Autopilot.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. Join the computers to Microsoft Azure Active Directory (Azure AD)

B. Assign a Windows Autopilot deployment profile to a group
C. Join the computers to an on-premises Active Directory domain
D. Create a Microsoft Azure Active Directory (Azure AD) group that has dynamic membership rules and uses
the operatingSystem tag
E. Create a Group Policy object (GPO) that is linked to a domain
F. Create a Microsoft Azure Active Directory (Azure AD) group that has dynamic membership rules and uses
the ZTDID tag

Answer: BF
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://www.petervanderwoude.nl/post/automatically-assign-windows-autopilot-deployment-profile-to-windowsautopilot-
devices/

QUESTION 191
Your company has a Microsoft Azure Active Directory (Azure AD) tenant named contoso.com. All users have
computers that run Windows 10. The computers are joined to Azure AD and managed by using Microsoft
Intune.
You need to ensure that you can centrally monitor the computers by using Windows Analytics.
What should you create in Intune?

A. a device configuration profile

B. a conditional access policy
C. a device compliance policy
D. an update policy

Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://www.scconfigmgr.com/2019/03/27/windows-analytics-onboarding-with-intune/

QUESTION 192
HOTSPOT
You have 200 computers that run Windows 10. The computers are joined to Microsoft Azure Active Directory
(Azure AD) and enrolled in Microsoft Intune.
You need to set a custom image as the wallpaper and sign-in screen.
Which two settings should you configure in Device restrictions? To answer, select the appropriate settings in
the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:
Section: (none)
Explanation
Explanation/Reference:

Explanation:
Sign-in screen, or Locked screen, image is set under Locked screen experience
Wallpaper image, or Desktop background picture, URL is set under Personalization.
Reference:
https://docs.microsoft.com/en-us/intune/device-restrictions-windows-10

QUESTION 193
Your company has a Microsoft Azure Active Directory (Azure AD) tenant named contoso.com. All users have
computers that run Windows 10. The computers are joined to Azure AD and managed by using Microsoft
Intune.
You need to ensure that you can centrally monitor the computers by using the Update Compliance solution.
What should you create in Intune?

A. a device configuration profile

B. a conditional access policy
C. a device compliance policy
D. an update policy
Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://www.jeffgilb.com/update-compliance-with-intune/

QUESTION 194
HOTSPOT
You have a Microsoft Intune subscription that has the following device compliance policy settings:
Mark devices with no compliance policy assigned as: Compliant
Compliance status validity period (days): 14
On January 1, you enroll Windows 10 devices in Intune as shown in the following table.

On January 4, you create the following two device compliance policies:

Name: Policy1
Platform: Windows 10 and later
Require BitLocker: Require
Mark device noncompliant: 5 days after noncompliance
Scope (Tags): Tag1
Name: Policy2
Platform: Windows 10 and later
Firewall: Require
Mark device noncompliant: Immediately
Scope (Tags): Tag2
On January 5, you assign Policy1 and Policy2 to Group1.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:
Section: (none)
Explanation
Explanation/Reference:

Explanation:
Box 1: No.
Policy1 and Policy2 apply to Group1 which Device1 is a member of. Device1 does not meet the firewall
requirement in Policy2 so the device will immediately be marked as non-compliant.
Box 2: No
For the same reason as Box1.
Box 3: Yes
Policy1 and Policy2 apply to Group1. Device2 is not a member of Group1 so the policies don?t apply.
The Scope (tags) have nothing to do with whether the policy is applied or not. The tags are used in RBAC.

QUESTION 195
HOTSPOT
You have 100 Windows 10 devices that are managed by using Microsoft Endpoint Manager.
You plan to sideload an app to the devices.
You need to configure Microsoft Endpoint Manager to enable sideloading.
Which device profile type and setting should you configure? To answer, select the appropriate options in the
answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/intune/configuration/device-restrictions-windows-10
QUESTION 196
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
You have an Azure Directory group named Group1 that contains Windows 10 Enterprise devices and
Windows 10 Pro devices.
From Microsoft Intune, you create a device configuration profile named Profile1.
You need to ensure that Profile1 applies to only the Windows 10 Enterprise devices in Group1.
Solution: You create a scope tag, and then you add the scope tag to the Windows 10 Enterprise devices and
Profile1.
Does this meet the goal?

A. Yes
B. No

Answer: B
Section: (none)
Explanation
Explanation/Reference:

QUESTION 197
Your company has a System Center Configuration Manager deployment that uses hybrid mobile device
management (MDM). All Windows 10 devices are Active Directory domain-joined.
You plan to migrate from hybrid MDM to Microsoft Intune standalone.
You successfully run the Intune Data Importer tool.
You need to complete the migration.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. In Intune, add a device enrollment manager (DEM).

B. Change the tenant MDM authority to Intune.
C. Assign all users Intune licenses.
D. Create a new Intune tenant.

Answer: B,C
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/sccm/mdm/deploy-use/migrate-hybridmdm-to-intunesa
https://docs.microsoft.com/en-us/sccm/mdm/deploy-use/migrate-prepare-intune
https://docs.microsoft.com/en-us/sccm/mdm/deploy-use/change-mdm-authority

QUESTION 198
Your company has 200 computers that run Windows 10. The computers are managed by using Microsoft
Intune.
Currently, Windows updates are downloaded without using Delivery Optimization.
You need to configure the computers to use Delivery Optimization.
What should you create in Intune?

A. a device configuration profile

B. a device compliance policy
C. an app protection policy
D. a Windows 10 update ring

Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/intune/delivery-optimization-windows

QUESTION 199
You have 500 computers that run Windows 10. The computers are joined to Microsoft Azure Active Directory
(Azure AD) and enrolled in Microsoft Intune.
You plan to distribute certificates to the computers by using Simple Certificate Enrollment Protocol (SCEP).
You have the servers shown in the following table.

NDES issues certificates from the subordinate CA.

You are configuring a device profile as shown in the exhibit. (Click the Exhibit tab.)
On which server is the required root certificate located?

A. Server1
B. Server2
C. Server3
D. Server4

Answer: D
Section: (none)
Explanation
Explanation/Reference:

QUESTION 200
You have 200 computers that run Windows 10. The computers are joined to Microsoft Azure Active Directory
(Azure AD) and enrolled in Microsoft Intune.
You redirect Windows known folders to Microsoft OneDrive for Business.
Which folder will be included in the redirection?
A. Saved Games
B. Desktop
C. Music
D. Downloads

Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/onedrive/redirect-known-folders

QUESTION 201
You have a Microsoft Azure Active Directory (Azure AD) tenant. All corporate devices are enrolled in Microsoft
Intune.
You have a web-based application named App1 that uses Azure AD to authenticate.
You need to prompt all users of App1 to agree to the protection of corporate data when they access App1 from
both corporate and noncorporate devices.
What should you configure?

A. Notifications in Device compliance

B. Terms and Conditions in Device enrollment
C. Terms of use in Conditional access
D. an Endpoint protection profile in Device configuration

Answer: C
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/terms-of-use

QUESTION 202
You are creating a device configuration profile in Microsoft Intune.
You need to configure specific OMA-URI settings in the profile.
Which profile type should you use?

A. Identity protection
B. Custom
C. Device restrictions (Windows 10 Team)
D. Device restrictions

Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/intune/configuration/custom-settings-windows-10

QUESTION 203
DRAG DROP
You have an Azure Active Directory (Azure AD) tenant that syncs to an on-premises Active Directory domain.
The tenant contains computers that run Windows 10. The computers are hybrid Azure AD joined and enrolled
in Microsoft Intune. The Microsoft Office settings on the computers are configured by using a Group Policy
Object (GPO).
You need to migrate the GPO to Intune.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of
actions to the answer area and arrange them in the correct order.
Select and Place:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/intune/configuration/administrative-templates-windows

QUESTION 204
HOTSPOT
Your network contains an on-premises Active Directory forest named contoso.com. The forest contains a user
named User1 and two computers named Computer1 and Computer2 that run Windows 10.
User1 is configured as shown in the following exhibit.
You rename file \\Server1\Profiles\User1.V6\NTUSER.DAT as NTUSER.MAN.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:
Section: (none)
Explanation
Explanation/Reference:

Explanation:
A mandatory user profile is a roaming user profile that has been pre-configured by an administrator to specify
settings for users. Settings commonly defined in a mandatory profile include (but are not limited to): icons that
appear on the desktop, desktop backgrounds, user preferences in Control Panel, printer selections, and more.
Configuration changes made during a user's session that are normally saved to a roaming user profile are not
saved when a mandatory user profile is assigned.
The .man extension causes the user profile to be a read-only profile.
Reference:
https://docs.microsoft.com/en-us/windows/client-management/mandatory-user-profile

QUESTION 205
You have a Windows 10 device named Device1 that is joined to Active Directory and enrolled in Microsoft
Intune.
Device 1 is managed by using Group Policy and Intune.
You need to ensure that the Intune settings override the Group Policy settings.
What should you configure?

A. a device configuration profile

B. an MDM Security Baseline profile
C. a device compliance policy
D. a Group Policy Object (GPO)

Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://uem4all.com/2018/04/02/windows-10-group-policy-vs-intune-mdm-policy-who-wins/

QUESTION 206
You use a Microsoft Intune subscription to manage iOS devices.
You configure a device compliance policy that blocks jailbroken iOS devices.
You need to enable Enhanced jailbreak detection.
What should you configure?

A. the device compliance policy

B. the Compliance policy settings
C. a network location
D. a configuration profile

Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/intune/protect/device-compliance-get-started

QUESTION 207
Your network contains an Active Directory domain. The domain contains computers that run Windows 10.
All users use Roaming User Profiles.
You have a user named Public1 that is used to sign-in to a public computer.
You need to prevent changes to the user settings of Public1 from being saved to the user profile.
What should you do?

A. Rename the Roaming User Profile folder to Public1.man

B. Rename Ntuser.dat to Ntuser.v6
C. Rename Ntuser.dat to Ntuser.man
D. Rename the Roaming User Profile folder to Public1.v1

Answer: C
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/answers/questions/168551/set-roaming-profile-download-from-server-to-pcbut.
html
https://docs.microsoft.com/en-us/windows/client-management/mandatory-user-profile

QUESTION 208
You have a hybrid deployment of Azure Active Directory (Azure AD) that contains 50 Windows 10 devices. All
the devices are enrolled in Microsoft Endpoint Manager.
You discover that Group Policy settings override the settings configured in Microsoft Endpoint Manager
policies.
You need to ensure that the settings configured in Microsoft Endpoint Manager override the Group Policy
settings.
What should you do?

A. From the Microsoft Endpoint Manager admin center, create an Administrative Templates device profile
B. From Group Policy Management Editor, configure the Computer Configuration settings in the Default
Domain Policy
C. From the Microsoft Endpoint Manager admin center, create a custom device profile
D. From Group Policy Management Editor, configure the User Configuration settings in the Default Domain
Policy

Answer: C
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://uem4all.com/2018/04/02/windows-10-group-policy-vs-intune-mdm-policy-who-wins/
QUESTION 209
You have computers that run Windows 10, are joined to Azure Active Directory (Azure AD), and are enrolled in
Microsoft Intune.
You have an Azure web app named App1. App1 only allows connections over HTTPS. App1 uses a certificate
from an on-premises certification authority (CA).
You need to ensure that the computers can connect to App1 from Microsoft Edge.
Which type of device configuration profile should you create in Microsoft Endpoint Manager?

A. trusted certificate
B. Simple Certificate Enrollment Protocol (SCEP) certificate
C. imported public key pair (PKCS) certificate
D. public key pair (PKCS) certificate

Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/intune/protect/certificates-scep-configure
https://docs.microsoft.com/en-us/mem/intune/protect/certificates-configure

QUESTION 210
HOTSPOT
You have a computer named Computer1 that runs Windows 10.
The Wi-Fi network profile for Computer1 is configured as shown in the following exhibit.
From which computers will Computer1 will receive updates and to which computers will Computer1 provide
updates? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:

QUESTION 211
HOTSPOT
You have a Microsoft 365 tenant named contoso.com that contains a group named ContosoUsers. All the
users in contoso.com are members of ContosoUsers.
You have two Windows 10 devices as shown in the following table.

Both Computer1 and Computer2 contain two apps named App1 and App2.
You configure an app protection policy named AppPolicy1 that has the following settings:
Protected apps: App1
Assignments: ContosoUsers
Enrollment state: Without enrollment
Windows Information Protection mode: Block
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/intune/apps/windows-information-protection-policy-create
https://docs.microsoft.com/en-us/mem/intune/apps/apps-selective-wipe

QUESTION 212
HOTSPOT
You have devices that are not rooted enrolled in Microsoft Intune as shown in the following table.

The devices are members of a group named Group1.

In Intune, you create a device compliance location that has the following configurations:
Name: Network1
IPv4 range: 192.168.0.0/16
In Intune, you create a device compliance policy for the Android platform. The policy has the following
configurations:
Name: Policy1
Device health: Rooted devices: Block
Locations: Location: Network1
Mark device noncompliant: Immediately
Assigned: Group1
The Intune device compliance policy has the following configurations:
Mark devices with no compliance policy assigned as: Compliant
Enhanced jailbreak detection: Enabled
Compliance status validity period (days): 20
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/intune/device-compliance-get-started

QUESTION 213
You have an Azure Active Directory (Azure AD) tenant named adatum.com. The tenant contains Windows 10
devices that are enrolled in Microsoft Intune.
You create an Azure Log Analytics workspace and add the Update Compliance Solution to the workspace.
You need to create a custom device configuration profile that will enroll the Windows 10 devices in Update
Compliance.
Which OMA-URI should you add to the profile?

A. ./Vendor/MSFT/DMClient/Provider/MS DM Server/Push
B. ./Vendor/MSFT/DMClient/Provider/MS DM Server/CommercialID
C. ./Vendor/MSFT/DMClient/Provider/MS DM Server/ManagementServerAddressList
D. ./Vendor/MSFT/DMClient/Provider/MS DM Server/Push/ChannelURI

Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://allthingscloud.blog/monitor-windows-10-updates-for-intune-mdm-enrolled-devices/

QUESTION 214
HOTSPOT
You have 100 computers that run Windows 10. The computers are joined to Microsoft Azure Active Directory
(Azure AD) and enrolled in Microsoft Intune.
You need to configure the following device restrictions:
Block users from browsing to suspicious websites.
Scan all scripts loaded into Microsoft Edge.
Which two settings should you configure in Device restrictions? To answer, select the appropriate settings in
the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-smartscreen/windowsdefender-
smartscreen-overview

QUESTION 215
HOTSPOT
You have computers that run Windows 10 as shown in the following table.

Computer2 and Computer3 are enrolled in Microsoft Intune.

In a Group Policy object (GPO) linked to the domain, you enable the Computer Configuration/Administrative
Templates/Windows Components/Search/Allow Cortana setting.
In an Intune device configuration profile that is assigned to an Azure Active Directory group that includes
Computer2 and Computer3, you configure the following:
Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP to a value of 1
Experience/AllowCortana to a value of 0.
Each of the following statement, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://blogs.technet.microsoft.com/cbernier/2018/04/02/windows-10-group-policy-vs-intune-mdm-policy-whowins/

QUESTION 216
Your company plans to deploy Windows 10 to devices that will be configured for English use and other devices
that will be configured for Korean use.
You need to create a single multivariant provisioning package for the planned devices.
You create the provisioning package.
What should you do next to add the language settings to the package?

A. Modify the Customizations.xml file.

B. Create a file named Languages.xml that contains a header for Korean.
C. Modify the .ppkg file.
D. Create a file named Languages.xml that contains a header for English.

Answer: A
Section: (none)
Explanation
Explanation/Reference:

Explanation:
Follow these steps to create a provisioning package with multivariant capabilities.
1. Build a provisioning package and configure the customizations you want to apply during certain conditions.
2. After you've configured the settings, save the project.
3. Open the project folder and copy the customizations.xml file to any local location.
4. Use an XML or text editor to open the customizations.xml file.
5. Edit the customizations.xml file to create a Targets section to describe the conditions that will handle your
multivariant settings.
6. In the customizations.xml file, create a Variant section for the settings you need to customize.
7. Save the updated customizations.xml file and note the path to this updated file. You will need the path as
one of the values for the next step.
8. Use the Windows Configuration Designer command-line interface to create a provisioning package using
the updated customizations.xml.
Reference:
https://docs.microsoft.com/en-us/windows/configuration/provisioning-packages/provisioning-multivariant
QUESTION 217
Your network contains an Active Directory domain that is synced to Microsoft Azure Active Directory (Azure
AD).
You have a Microsoft 365 subscription.
You create a conditional access policy for Microsoft Exchange Online.
You need to configure the policy to prevent access to Exchange Online unless a user is connecting from a
device that is hybrid Azure AD-joined.
Which settings should you configure?

A. Locations
B. Device platforms
C. Sign-in risk
D. Device state

Answer: D
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/conditions#device-state

QUESTION 218
You have 200 computers that run Windows 10. The computers are joined to Microsoft Azure Active Directory
(Azure AD) and enrolled in Microsoft Intune.
You redirect Windows known folders to Microsoft OneDrive for Business.
Which folder will be included in the redirection?

A. Saved Games
B. Documents
C. Music
D. Downloads
E. Favorites
F. AppData
G. Videos

Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/onedrive/redirect-known-folders

QUESTION 219
You have a Microsoft 365 subscription.
You have a conditional access policy that requires multi-factor authentication (MFA) for users in a group name
Sales when the users sign in from a trusted location. The policy is configured as shown in the exhibit. (Click
the Exhibit tab.)
You create a compliance policy.
You need to ensure that the users are authenticated only if they are using a compliant device.
What should you configure in the conditional access policy?

A. a condition
B. a session control
C. a cloud app
D. a grant control

Answer: A
Section: (none)
Explanation
Explanation/Reference:

Explanation:
The device state condition can be used to exclude devices that are hybrid Azure AD joined and/or devices
marked as compliant with a Microsoft Intune compliance policy from an organization's Conditional Access
policies.
Device state is located on the Condition tab.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-accessconditions#
device-state

QUESTION 220
You have an Azure Active Directory (Azure AD) tenant that contains a user named User1. User1 has the
devices shown in the following table.

Enterprise State Roaming is configured for User1.

User1 signs in to Device4 and changes the desktop.
You need to identify on which devices User1 will have a changed desktop.
Which devices should you identify?

A. Device1, Device2, Device3, and Device4

B. Device4 only
C. Device2, Device3, and Device4 only
D. Device2 and Device4 only
E. Device3 and Device4 only

Answer: E
Section: (none)
Explanation
Explanation/Reference:

QUESTION 221
You have an Azure Active Directory (Azure AD) tenant named adatum.com that contains two computers
named Computer1 and Computer2. The computers run Windows 10 and are members of a group named
GroupA.
The tenant contains a user named User1 that is a member of a group named Group1.
You need to ensure that if User1 changes the desktop background on Computer1, the new desktop
background will appear when User1 signs in to Computer2.
What should you do?
A. Create a device configuration profile for Windows 10 and configure the Shared multi-user device settings.
Assign the profile to Group1.
B. Create a device configuration profile for Windows 10 and configure the Shared multi-user device settings.
Assign the profile to GroupA.
C. From the Azure Active Directory admin center, enable Enterprise State Roaming for Group1.
D. From the Azure Active Directory admin center, enable Enterprise State Roaming for GroupA.

Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/intune/configuration/shared-user-device-settings-windows
https://docs.microsoft.com/en-us/mem/intune/configuration/device-profile-assign

QUESTION 222
You have a Microsoft 365 tenant that contains the devices shown in the following table.

You need to assign app protection settings to the devices.

What is the minimum number of app protection policies required?

A. 1
B. 2
C. 3
D. 4
E. 5

Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/intune/apps/app-protection-policies

QUESTION 223
You have following types of devices enrolled in Microsoft Intune:
Windows 10
Android
iOS
For which types of devices can you create VPN profiles in Microsoft Endpoint Manager?

A. Windows 10 only
B. Windows 10 and Android only
C. Windows 10 and iOS only
D. Windows 10, Android, and iOS
E. Android and iOS only

Answer: D
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/intune/configuration/vpn-settings-android

QUESTION 224
HOTSPOT
You have a Microsoft 365 tenant that uses Microsoft Intune to manage the devices shown in the following
table.

You need to deploy a compliance solution that meets the following requirements:
Marks the devices as Not Compliant if they do not meet compliance policies
Remotely locks noncompliant devices
What is the minimum number of compliance policies required, and which devices support the remote lock
action? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/intune/protect/device-compliance-get-started
https://docs.microsoft.com/en-us/mem/intune/protect/actions-for-noncompliance

QUESTION 225
You have a Microsoft 365 tenant that contains the devices shown in the following table.

The devices are managed by using Microsoft Intune.

You create a compliance policy named Policy1 and assign Policy1 to Group1. Policy1 is configured to mark a
device as Compliant only if the device security settings match the settings specified in the policy.
You discover that devices that are not members of Group1 are shown as Compliant.
You need to ensure that only devices that are assigned a compliance policy can be shown as Compliant. All
other devices must be shown as Not compliant.
What should you do?

A. From Endpoint security, configure the Conditional access settings.

B. From Device compliance, configure the Compliance policy settings.
C. From Policy1, modify the actions for noncompliance.
D. From Tenant administration, modify the Diagnostic settings.

Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/intune/protect/device-compliance-get-started

QUESTION 226
Your network contains an Active Directory domain. The domain contains 5,000 computers that run Windows
10.
All users use Roaming User Profiles.
Some users report that it takes a long time to sign in to the computers.
You discover that the users have user profiles that are larger than 1 GB.
You need to reduce the amount of time it takes for the users to sign in.
What should you configure?

A. Folder Redirection by using a Group Policy Object (GPO)

B. Sync your settings in the Settings app
C. Delivery Optimization in the Settings app
D. Microsoft User Experience Virtualization (UE-V) by using PowerShell

Answer: D
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/configuration/ue-v/uev-for-windows

QUESTION 227
You have a Microsoft 365 tenant that contains the objects shown in the following table.

You are creating a compliance policy named Compliance1.

Which objects can you specify in Compliance1 as additional recipients of noncompliance notifications?

A. Group1, Group2, Group3, Group4, and Admin1

B. Group1, Group2, Group3, and Group4 only
C. Group3, Group4, and Admin1 only
D. Group1, Group2, and Group3 only
E. Group3 and Group4 only

Answer: D
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://www.ravenswoodtechnology.com/microsoft-intune-compliance-notifications/
https://docs.microsoft.com/en-us/microsoft-365/admin/create-groups/compare-groups?view=o365-worldwide

QUESTION 228
HOTSPOT
You have a workgroup computer named Computer1 that runs Windows 10 and has the users shown in the
following table.

Group1 is a member of Group3.

You are creating a file named Kiosk.xml that specifies a lockdown profile for a multi-app kiosk.
Kiosk.xml contains the following section.

You apply Kiosk.xml to Computer1.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/configuration/lock-down-windows-10-to-specific-apps#config-forgroup-
accounts

QUESTION 229
HOTSPOT
Your network contains an Active Directory domain named contoso.com that syncs to Azure Active Directory
(Azure AD). The domain contains the users shown in the following table.

Enterprise State Roaming is enabled for User2.

You have the computers shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:
Section: (none)
Explanation
Explanation/Reference:

Explanation:
The requirements of Enterprise State Roaming are:
Windows 10, with the latest updates, and a minimum Version 1511 (OS Build 10586 or later) is installed on
the device.
The device is Azure AD joined or hybrid Azure AD joined.
Ensure that Enterprise State Roaming is enabled for the tenant in Azure AD.
The user is assigned an Azure Active Directory Premium license.
The device must be restarted and the user must sign in again to access Enterprise State Roaming
features.
Box 1: No
Computer2 runs Windows 8.1.
Enterprise State Roaming requires Windows 10, with the latest updates, and a minimum Version 1511 (OS
Build 10586).
Also, Enterprise State Roaming is enabled for User2, not for User1.
Box 2: No
The device must be Azure AD joined or hybrid Azure AD joined.
Your network contains an Active Directory domain named contoso.com that syncs to Azure Active Directory
(Azure AD), in other words, a hybrid Azure AD.
Also, Enterprise State Roaming is enabled for User2, not for User1.
Box 3: Yes
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/devices/enterprise-state-roaming-troubleshooting

QUESTION 230
HOTSPOT
Your company has computers that run Windows 8.1, Windows 10, or macOS.
The company uses Microsoft Intune to manage the computers.
You need to create a device configuration profile to configure Windows Hello for Business on the computers
that support it.
Which platform type and profile type should you use? To answer, select the appropriate options in the answer
area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:

Section: (none)
Explanation
Explanation/Reference:

Explanation:
Windows Hello for Business is a method for signing in to Windows devices by replacing passwords, smart
cards, and virtual smart cards. Intune includes built-in settings so Administrators can configure and use
Windows Hello for Business. For example, you can use these settings to:
Enable Windows Hello for Business for devices and users
Set device PIN requirements, including a minimum or maximum PIN length
Allow gestures, such as a fingerprint, that users can (or can't use) to sign in to devices
Reference:
https://docs.microsoft.com/en-us/mem/intune/protect/identity-protection-configure

QUESTION 231
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
You have an Azure Directory group named Group1 that contains Windows 10 Enterprise devices and
Windows 10 Pro devices.
From Microsoft Intune, you create a device configuration profile named Profile1.
You need to ensure that Profile1 applies to only the Windows 10 Enterprise devices in Group1.
Solution: You create an Azure Active Directory group that contains only the Windows 10 Enterprise devices.
You assign Profile1 to the new group.
Does this meet the goal?

A. Yes
B. No

Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/intune/configuration/device-profile-create

QUESTION 232
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
You have an Azure Directory group named Group1 that contains Windows 10 Enterprise devices and
Windows 10 Pro devices.
From Microsoft Intune, you create a device configuration profile named Profile1.
You need to ensure that Profile1 applies to only the Windows 10 Enterprise devices in Group1.
Solution: You create a scope tag, and then you add the scope tag to the Windows 10 Enterprise devices. You
edit the settings of Profile1.
Does this meet the goal?

A. Yes
B. No

Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/intune/configuration/device-profile-create
QUESTION 233
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
You have an Azure Directory group named Group1 that contains Windows 10 Enterprise devices and
Windows 10 Pro devices.
From Microsoft Intune, you create a device configuration profile named Profile1.
You need to ensure that Profile1 applies to only the Windows 10 Enterprise devices in Group1.
Solution: You configure an applicability rule for Profile1. You assign Profile1 to Group1.
Does this meet the goal?

A. Yes
B. No

Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/intune/configuration/device-profile-create
Manage and Protect Devices
Testlet 1
Case study
This is a case study. Case studies are not timed separately. You can use as much exam time as you
would like to complete each case. However, there may be additional case studies and sections on this
exam. You must manage your time to ensure that you are able to complete all questions included on this exam
in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the
case study. Case studies might contain exhibits and other resources that provide more information about the
scenario that is described in the case study. Each question is independent of the other questions in this case
study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and
to make changes before you move to the next section of the exam. After you begin a new section, you cannot
return to this section.
To start the case study
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore
the content of the case study before you answer the questions. Clicking these buttons displays information
such as business requirements, existing environment, and problem statements. When you are ready to answer
a question, click the Question button to return to the question.

Overview
Contoso, Ltd. is a consulting company that has a main office in Montreal and two branch offices in Seattle and
New York.
Contoso has the users and computers shown in the following table.
The company has IT, human resources (HR), legal (LEG), marketing (MKG) and finance (FIN) departments.
Contoso uses Microsoft Store for Business and recently purchased a Microsoft 365 subscription.
The company is opening a new branch office in Phoenix. Most of the users in the Phoenix office will work from
home.
Existing Environment
The network contains an Active Directory domain named contoso.com that is synced to Microsoft Azure Active
Directory (Azure AD).
All member servers run Windows Server 2016. All laptops and desktop computers run Windows 10 Enterprise.
The computers are managed by using Microsoft Endpoint Configuration Manager. The mobile devices are
managed by using Microsoft Intune.
The naming convention for the computers is the department acronym, followed by a hyphen, and then four
numbers, for example, FIN-6785. All the computers are joined to the on-premises Active Directory domain.
Each department has an organizational unit (OU) that contains a child OU named Computers. Each computer
account is in the Computers OU of its respective department.
Intune Configuration
The domain has the users shown in the following table.

User2 is a device enrollment manager (DEM) in Intune.

The devices enrolled in Intune are shown in the following table.

The device compliance policies in Intune are configured as shown in the following table.

The device compliance policies have the assignments shown in the following table.

The device limit restrictions in Intune are configured as shown in the following table.
Requirements
Planned Changes
Contoso plans to implement the following changes:
Provide new computers to the Phoenix office users. The new computers have Windows 10 Pro preinstalled
and were purchased already.
Start using a free Microsoft Store for Business app named App1.
Implement co-management for the computers.
Technical Requirements
Contoso must meet the following technical requirements:
Ensure that the users in a group named Group4 can only access Microsoft Exchange Online from devices
that are enrolled in Intune.
Deploy Windows 10 Enterprise to the computers of the Phoenix office users by using Windows Autopilot.
Monitor the computers in the LEG department by using Windows Analytics.
Create a provisioning package for new computers in the HR department.
Block iOS devices from sending diagnostic and usage telemetry data.
Use the principle of least privilege whenever possible.
Enable the users in the MKG department to use App1.
Pilot co-management for the IT department.

QUESTION 234
DRAG DROP
You need to meet the technical requirements for the LEG department computers.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of
actions to the answer area and arrange them in the correct order.
Select and Place:

Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/deployment/update/windows-analytics-azure-portal
https://docs.microsoft.com/en-us/windows/deployment/update/windows-analytics-get-started
Manage and Protect Devices
Testlet 2
Case study
This is a case study. Case studies are not timed separately. You can use as much exam time as you
would like to complete each case. However, there may be additional case studies and sections on this
exam. You must manage your time to ensure that you are able to complete all questions included on this exam
in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the
case study. Case studies might contain exhibits and other resources that provide more information about the
scenario that is described in the case study. Each question is independent of the other questions in this case
study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and
to make changes before you move to the next section of the exam. After you begin a new section, you cannot
return to this section.
To start the case study
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore
the content of the case study before you answer the questions. Clicking these buttons displays information
such as business requirements, existing environment, and problem statements. If the case study has an All
Information tab, note that the information displayed is identical to the information displayed on the subsequent
tabs. When you are ready to answer a question, click the Question button to return to the question.
Overview
Contoso, Ltd. is a consulting company that has a main office in Montreal and branch offices in Seattle and
New York.
Contoso has a Microsoft 365 E5 subscription.
Environment
Network Environment
The network contains an on-premises Active Directory domain named contoso.com. The domain contains the
servers shown in the following table.

The Windows 10 devices are joined to Azure AD and enrolled in Microsoft Intune.
The Windows 10 devices are configured as shown in the following table.

The Compliance policy settings are shown in the following exhibit.

The Automatic Enrollment settings have the following configurations:

MDM user scope: GroupA
MAM user scope: GroupB
You have an Endpoint protection configuration profile that has the following Controlled folder access settings:
Name: Protection1
Folder protection: Enable
List of apps that have access to protected folders: C:\*\AppA.exe
List of additional folders that need to be protected: D:\Folder1
Assignments:
- Included groups: Group2, GroupB
Windows Autopilot Configuration
Contoso has a Windows Autopilot deployment profile configured as shown in the following exhibit.
Currently, there are no devices deployed by using Window Autopilot.
The Intune connector for Active Directory is installed on Server1.
Requirements
Planned Changes
Contoso plans to implement the following changes:
Purchase a new Windows 10 device named Device6 and enroll the device in Intune.
New computers will be deployed by using Windows Autopilot and will be hybrid Azure AD joined.
Deploy a network boundary configuration profile that will have the following settings:
- Name: Boundary1
- Network boundary: 192.168.1.0/24
- Scope tags: Tag1
- Assignments:
- - Included groups: Group1, Group2
Deploy two VPN configuration profiles named Connection1 and Connection2 that will have the following
settings:
- Name: Connection1
- Connection name: VPN1
- Connection type: L2TP
- Assignments:
- - Included groups: Group1, Group2, GroupA
- - Excluded groups: --
- Name: Connection2
- Connection name: VPN2
- Connection type: IKEv2
- Assignments:
- - Included groups: GroupA
- - Excluded groups: GroupB
Purchase an app named App1 that is available in Microsoft Store for Business and to assign the app to all
the users.
Technical Requirements
Contoso must meet the following technical requirements:
Users in GroupA must be able to deploy new computers.
Administrative effort must be minimized.

QUESTION 235
You implement Boundary1 based on the planned changes.
Which devices have a network boundary of 192.168.1.0/24 applied?

A. Device2 only
B. Device3 only
C. Device1, Device2, and Device5 only
D. Device1, Device2, Device3, and Device4 only

Answer: D
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/intune/configuration/network-boundary-windows
Manage and Protect Devices
Question Set 3

QUESTION 236
You have 200 computers that run Windows 10. The computers are joined to Microsoft Azure Active Directory
(Azure AD) and enrolled in Microsoft Intune.
You need to ensure that only applications that you explicitly allow can run on the computers.
What should you use?

A. Microsoft Defender Credential Guard

B. Microsoft Defender Exploit Guard
C. Microsoft Defender Application Guard
D. Microsoft Defender Application Control

Answer: D
Section: (none)
Explanation
Explanation/Reference:

Explanation:
Application control can help mitigate these types of security threats by restricting the applications that users
are allowed to run and the code that runs in the System Core (kernel). Application control policies can also
block unsigned scripts and MSIs, and restrict Windows PowerShell to run in Constrained Language Mode.
Reference:
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/
windows-defender-application-control

QUESTION 237
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
Your company has several Windows 10 devices that are enrolled in Microsoft Intune.
You deploy a new computer named Computer1 that runs Windows 10 and is in a workgroup.
You need to enroll Computer1 in Intune.
Solution: From Computer1, you sign in to https://portal.manage.microsoft.com and use the Devices tab.
Does this meet the goal?

A. Yes
B. No

Answer: B
Section: (none)
Explanation
Explanation/Reference:

Explanation:
Use MDM enrolment.
MDM only enrollment lets users enroll an existing Workgroup, Active Directory, or Azure Active directory joined
PC into Intune. Users enroll from Settings on the existing Windows PC.
Reference:
https://docs.microsoft.com/en-us/mem/intune/enrollment/windows-enrollment-methods

QUESTION 238
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
Your company has several Windows 10 devices that are enrolled in Microsoft Intune.
You deploy a new computer named Computer1 that runs Windows 10 and is in a workgroup.
You need to enroll Computer1 in Intune.
Solution: You install the Company Portal app on Computer1 and use the Devices tab from the app.
Does this meet the goal?

A. Yes
B. No

Answer: B
Section: (none)
Explanation
Explanation/Reference:

QUESTION 239
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
Your company has several Windows 10 devices that are enrolled in Microsoft Intune.
You deploy a new computer named Computer1 that runs Windows 10 and is in a workgroup.
You need to enroll Computer1 in Intune.
Solution: From the Settings app on Computer1, you use the Connect to work or school account settings.
Does this meet the goal?

A. Yes
B. No

Answer: B
Section: (none)
Explanation
Explanation/Reference:

QUESTION 240
HOTSPOT
You have a Microsoft 365 subscription.
You plan to enroll devices in Microsoft Endpoint Manager that have the platforms and versions shown in the
following table.

You need to configure device enrollment to meet the following requirements:

Ensure that only devices that have approved platforms and versions can enroll in Endpoint Manager.
Ensure that devices are added to Microsoft Azure Active Directory (Azure AD) groups based on a selection
made by users during the enrollment.
Which device enrollment setting should you configure for each requirement? To answer, select the appropriate
options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/intune/enrollment/enrollment-restrictions-set
https://docs.microsoft.com/en-us/mem/intune/enrollment/device-group-mapping
QUESTION 241
HOTSPOT
Your company has 1,000 Windows 10 devices that are enrolled in Windows Analytics.
You need to view the following information:
The number of devices that are vulnerable to Spectre and Meltdown vulnerabilities
The number of devices that have Windows Defender real-time protection turned off
Which Windows Analytics solutions should you use? To answer, select the appropriate options in the answer
area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
Explanation:
Note: Windows Analytics is now known as Desktop Analytics and Windows Defender is now known as
Microsoft Defender Antivirus

QUESTION 242
Your network contains an on-premises Active Directory domain named contoso.com that syncs to Azure Active
Directory (Azure AD).
You have the Windows 10 devices shown in the following table.

You need to ensure that you can use co-management to manage all the Windows 10 devices.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. Join Device 1, Device2, and Device4 to Azure AD.

B. Unjoin Device3, Device5, and Device6 from Azure AD, and then register the devices in Azure AD.
C. Enroll Device4 and Device5 in Intune.
D. Join Device2, Device3, and Device5 to the domain.
E. Install the Endpoint Configuration Manager agent on Device1 and Device3.

Answer: C,E
Section: (none)
Explanation
Explanation/Reference:

Explanation:
Co-management enables you to concurrently manage Windows 10 devices by using both Configuration
Manager and Microsoft Intune.
Co-management requires Configuration Manager version 1710 or later and enrollment in Microsoft Intune.
Windows 10 devices must be hybrid Azure AD joined.
Reference:
https://docs.microsoft.com/en-us/mem/configmgr/comanage/overview

QUESTION 243
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
Your company has an Azure Active Directory (Azure AD) tenant named contoso.com that contains several
Windows 10 devices.
When you join new Windows 10 devices to contoso.com, users are prompted to set up a four-digit pin.
You need to ensure that the users are prompted to set up a six-digit pin when they join the Windows 10
devices to contoso.com.
Solution: From the Azure Active Directory admin center, you modify the User settings and the Device settings.
Does this meet the goal?
A. Yes
B. No

Answer: B
Section: (none)
Explanation
Explanation/Reference:

Explanation:
Instead, from the Azure Active Directory admin center, you configure automatic mobile device management
(MDM) enrollment. From the Endpoint Management admin center, you configure the Windows Hello for
Business enrollment options.
Reference:
https://docs.microsoft.com/en-us/intune/protect/windows-hello

QUESTION 244
Your network contains an Active Directory domain named contoso.com. The domain contains computers that
run Windows 10 and are joined to the domain.
The domain is synced to Microsoft Azure Active Directory (Azure AD).
You create an Azure Log Analytics workspace and deploy the Device Health solution.
You need to enroll the computers in Windows Analytics.
Which Group Policy setting should you configure?

A. Specify intranet Microsoft update service location

B. Allow Telemetry
C. Configure the Commercial ID
D. Connected User Experiences and Telemetry

Answer: C
Section: (none)
Explanation
Explanation/Reference:

Explanation:
Microsoft uses a unique commercial ID to map information from user computers to your Azure workspace.
Copy your commercial ID key from any of the Windows Analytics solutions you have added to your Windows
Portal, and then deploy it to user computers.
Reference:
https://docs.microsoft.com/en-us/windows/deployment/update/windows-analytics-get-started

QUESTION 245
DRAG DROP
You use the Antimalware Assessment solution in Microsoft Azure Log Analytics.
From the Protection Status dashboard, you discover the computers shown in the following table.

You verify that both computers are connected to the network and running.
What is a possible cause of the issue on each computer? To answer, drag the appropriate causes to the
correct computers. Each cause may be used once, more than once, or not at all. You may need to drag the
split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Select and Place:
Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/ga-ie/azure/security-center/security-center-install-endpoint-protection

QUESTION 246
You have a shared computer that runs Windows 10.
The computer is infected with a virus.
You discover that a malicious TTF font was used to compromise the computer.
You need to prevent this type of threat from affecting the computer in the future.
What should you use?

A. Microsoft Defender Exploit Guard

B. Microsoft Defender Application Guard
C. Microsoft Defender Credential Guard
D. Microsoft Defender System Guard
E. Microsoft Defender SmartScreen
Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attacksurface-
against-next-generation-malware/

QUESTION 247
DRAG DROP
Your company has a Microsoft Azure Active Directory (Azure AD) tenant.
The company uses Microsoft Intune to manage iOS, Android, and Windows 10 devices.
The company plans to purchase 1,000 iOS devices. Each device will be assigned to a specific user.
You need to ensure that the new iOS devices are enrolled automatically in Intune when the assigned user
signs in for the first time.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of
actions to the answer area and arrange them in the correct order.
Select and Place:

Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/intune/device-enrollment-program-enroll-ios

QUESTION 248
Your network contains an Active Directory domain. The functional level of the forest and the domain is
Windows Server 2012 R2.
The domain contains 500 computers that run Windows 10. All the computers are managed by using Microsoft
System Center 2012 R2 Configuration Manager.
You need to enable co-management.
What should you do first?

A. Deploy the Microsoft Intune client.

B. Raise the forest functional level.
C. Upgrade Configuration Manager to Current Branch.
D. Raise the domain functional level.

Answer: C
Section: (none)
Explanation
Explanation/Reference:

Explanation:
Co-management requires Configuration Manager version 1710 or later.
Reference:
https://docs.microsoft.com/en-us/sccm/comanage/overview#prerequisites

QUESTION 249
HOTSPOT
Your company uses Microsoft Intune to manage Windows 10, Android, and iOS devices.
Several users purchase new iPads and Android devices.
You need to tell the users how to enroll their device in Intune.
What should you instruct the users to use for each device? To answer, select the appropriate options in the
answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:
Section: (none)
Explanation
Explanation/Reference:

Explanation:
The Intune Company Portal app is used to enroll Android, iOS, macOS, and Windows devices
Reference:
https://docs.microsoft.com/en-us/intune-user-help/enroll-device-android-company-portal
https://docs.microsoft.com/en-us/intune-user-help/enroll-your-device-in-intune-ios
https://docs.microsoft.com/en-us/intune-user-help/enroll-your-device-in-intune-macos-cp

QUESTION 250
HOTSPOT
Your company has a Microsoft Azure Active Directory (Azure AD) tenant and computers that run Windows 10.
The company uses Microsoft Intune to manage the computers.
The Azure AD tenant has the users shown in the following table.

The device type restrictions in Intune are configured as shown in the following table:

User3 is a device enrollment manager (DEM) in Intune.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:

Section: (none)
Explanation
Explanation/Reference:

Explanation:
Box 1: No
User1 is part of Group1 which only allows enrollment of Android, iOS devices (NOT Windows devices)
Box 2: Yes
User2 is part of Group1 and Group2 but Group2 has Priority 2 which is higher priority than Group 1, so only
Policy2 applies. Policy2 allows enrollment of Windows devices
Box 3: No
User3 is not part of any group and is therefore in "All users"
The "All users" Device Restriction Types only allow Android and Windows (MDM) but not iOS.
Reference:
https://docs.microsoft.com/en-us/mem/intune/enrollment/device-enrollment-manager-enroll
https://docs.microsoft.com/en-us/intune-user-help/enroll-your-device-in-intune-android

QUESTION 251
HOTSPOT
Your network contains an Active Directory domain. Active Directory is synced with Microsoft Azure Active
Directory (Azure AD).
There are 500 Active Directory domain-joined computers that run Windows 10 and are enrolled in Microsoft
Intune.
You plan to implement Microsoft Defender Exploit Guard.
You need to create a custom Microsoft Defender Exploit Guard policy, and then distribute the policy to all the
computers.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/import-exportexploit-
protection-emet-xml#manage-or-deploy-a-configuration
https://docs.microsoft.com/en-us/intune/endpoint-protection-windows-10
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/enable-exploitprotection

QUESTION 252
HOTSPOT
Your company has computers that run Windows 10 and are Microsoft Azure Active Directory (Azure AD)-
joined.
The company purchases an Azure subscription.
You need to collect Windows events from the Windows 10 computers in Azure. The solution must enable you
to create alerts based on the collected events.
What should you create in Azure and what should you configure on the computers? To answer, select the
appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/log-analytics-agent

QUESTION 253
You have a public computer named Public1 that runs Windows 10.
Users use Public1 to browse the internet by using Microsoft Edge.
You need to view events associated with website phishing attacks on Public1.
Which Event Viewer log should you view?

A. Applications and Services Logs > Microsoft\Windows > DeviceGuard > Operational
B. Applications and Services Logs > Microsoft > Windows > Security-Mitigations > User Mode
C. Applications and Services Logs > Microsoft > Windows > SmartScreen > Debug
D. Applications and Services Logs > Microsoft > Windows > Microsoft Defender > Operational

Answer: C
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-smartscreen/microsoftdefender-
smartscreen-overview#viewing-windows-event-logs-for-microsoft-defender-smartscreen

QUESTION 254
You have a hybrid Microsoft Azure Active Directory (Azure AD) tenant, a Microsoft System Center
Configuration Manager (Current Branch) environment, and a Microsoft 365 subscription.
You have computers that run Windows 10 as shown in the following table.

You plan to use Microsoft 365 Device Management.

Which computers support co-management by Configuration Manager and Device Management?

A. Computer3 only
B. Computer1 and Computer2 only
C. Computer2 only
D. Computer1, Computer2, and Computer3

Answer: D
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/configmgr/comanage/overview

QUESTION 255
You have a computer named Computer1 that runs Windows 10.
Computer1 is used by a user named User1.
You need to ensure that when User1 opens websites from untrusted locations by using Microsoft Edge,
Microsoft Edge runs in an isolated container.
What should you do first?

A. From Windows Features, turn on Microsoft Defender Application Guard.

B. From Windows Features, turn on Hyper-V Platform.
C. From Windows Security, configure the Virus & threat protection settings.
D. From Windows Security, configure the Device security settings.

Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-guard/wdapp-
guard-overview
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-guard/
install-wd-app-guard

QUESTION 256
You have computers that run Windows 10 and are managed by using Microsoft Intune.
Users store their files in a folder named D:\Folder1.
You need to ensure that only a trusted list of applications is granted write access to D:\Folder1.
What should you configure in the device configuration profile?

A. Microsoft Defender SmartScreen

B. Microsoft Defender Exploit Guard
C. Microsoft Defender Application Guard
D. Microsoft Defender Application Control

Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attacksurface-
against-next-generation-malware/

QUESTION 257
HOTSPOT
Your company uses Microsoft Endpoint Configuration Manager and purchases a Microsoft 365 subscription.
You need to set up Desktop Analytics.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/configmgr/desktop-analytics/connect-configmgr
https://en.wikipedia.org/wiki/Microsoft_System_Center_Configuration_Manager

QUESTION 258
You need to enable Microsoft Defender Credential Guard on computers that run Windows 10.
What should you install on the computers?

A. Hyper-V
B. Microsoft Defender Application Guard
C. a guarded host
D. containers

Answer: A
Section: (none)
Explanation
Explanation/Reference:

QUESTION 259
DRAG DROP
You have a Microsoft Intune subscription that is configured to use a PFX certificate connector to an onpremises
Enterprise certification authority (CA).
You need to use Intune to configure autoenrollment for Android devices by using public key pair (PKCS)
certificates.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of
actions to the answer area and arrange them in the correct order.
Select and Place:
Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/intune/protect/certificates-pfx-configure

QUESTION 260
HOTSPOT
You have a Microsoft 365 tenant that uses Microsoft Intune to manage personal and corporate devices. The
tenant contains three Windows 10 devices as shown in the following exhibit.

How will Intune classify each device after the devices are enrolled in Intune automatically? To answer, select
the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-join
https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-register

QUESTION 261
You have computers that run Windows 10 and are joined to Azure Active Directory (Azure AD).
All users sign in to the computers by using their Azure AD account.
Enterprise State Roaming is enabled.
From the Settings app, a user named User1 adds a Microsoft account.
Which account will be used for the Synchronizing Windows setting?

A. the work account only

B. the Microsoft account only
C. both the Microsoft account and the work account

Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/devices/enterprise-state-roaming-enable

QUESTION 262
Your network contains an Active Directory domain. The domain contains 100 computers that run Windows 10.
You need to prevent users and apps from accessing dangerous websites.
What should you configure?

A. Microsoft Defender Application Control

B. Microsoft Defender Exploit Guard
C. Microsoft Defender Application Guard
D. Microsoft Defender Firewall

Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-network-protection?
view=o365-worldwide

QUESTION 263
You have a Microsoft Intune subscription associated to an Azure Active Directory (Azure AD) tenant named
contoso.com.
Users use one of the following three suffixes when they sign in to the tenant: us.contoso.com, eu.contoso.com,
or contoso.com.
You need to ensure that the users are NOT required to specify the mobile device management (MDM)
enrollment URL as part of the enrollment process. The solution must minimize the number of changes.
Which DNS records do you need?

A. three TXT records

B. one CNAME record only
C. one TXT record only
D. three CNAME records

Answer: D
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/intune/enrollment/windows-enroll#simplify-windows-enrollment-withoutazure-
ad-premium

QUESTION 264
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
Your company has several Windows 10 devices that are enrolled in Microsoft Intune.
You deploy a new computer named Computer1 that runs Windows 10 and is in a workgroup.
You need to enroll Computer1 in Intune.
Solution: From Computer1, you sign in to https://endpoint.microsoft.com and use the Windows enrollment
blade.
Does this meet the goal?

A. Yes
B. No

Answer: B
Section: (none)
Explanation
Explanation/Reference:

QUESTION 265
HOTSPOT
Your network contains an Active Directory domain. Active Directory is synced with Microsoft Azure Active
Directory (Azure AD).
There are 500 Active Directory domain-joined computers that run Windows 10 and are enrolled in Microsoft
Intune.
You plan to implement Microsoft Defender Exploit Guard.
You need to create a custom Microsoft Defender Exploit Guard policy, and then distribute the policy to all the
computers.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:

QUESTION 266
You have 100 devices that run Windows 10 and are joined to Microsoft Azure Active Directory (Azure AD).
You need to prevent users from joining their home computer to Azure AD.
What should you do?

A. From the Device enrollment blade in the Intune admin center, modify the Enrollment restriction settings.
B. From the Devices blade in the Azure Active Directory admin center, modify the Device settings.
C. From the Device enrollment blade in the Intune admin center, modify the Device enrollment manages
settings.
D. From the Mobility (MDM and MAM) blade in the Azure Active Directory admin center, modify the Microsoft
Intune enrollment settings.

Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/intune/enrollment-restrictions-set

QUESTION 267
Your company has a Microsoft 365 subscription.
A new user named Admin1 is responsible for deploying Windows 10 to computers and joining the computers
to Microsoft Azure Active Directory (Azure AD).
Admin1 successfully joins computers to Azure AD.
Several days later, Admin1 receives the following error message: ?This user is not authorized to enroll. You
can try to do this again or contact your system administrator with the error code (0x801c0003).?
You need to ensure that Admin1 can join computers to Azure AD and follow the principle of least privilege.
What should you do?

A. Assign the Global administrator role to Admin1.

B. Modify the Device settings in Azure AD.
C. Assign the Cloud device administrator role to Admin1.
D. Modify the User settings in Azure AD.

Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/devices/device-management-azure-portal

QUESTION 268
Your network contains an Active Directory domain named contoso.com. The domain contains computers that
run Windows 10 and are joined to the domain.
The domain is synced to Microsoft Azure Active Directory (Azure AD).
You create an Azure Log Analytics workspace and deploy the Update Compliance solution.
You need to enroll the computers in the Update Compliance solution.
Which Group Policy setting should you configure?

A. Specify intranet Microsoft update service location

B. Allow Telemetry
C. Configure the Commercial ID
D. Connected User Experiences and Telemetry

Answer: C
Section: (none)
Explanation
Explanation/Reference:

QUESTION 269
You have an Azure Active Directory (Azure AD) tenant and 100 Windows 10 devices that are Azure AD joined
and managed by using Microsoft Intune.
You need to configure Microsoft Defender Firewall and Microsoft Defender Antivirus on the devices. The
solution must minimize administrative effort.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. To configure Microsoft Defender Antivirus, create a device configuration profile and configure the Endpoint
protection settings.
B. To configure Microsoft Defender Firewall, create a device configuration profile and configure the Device
restrictions settings.
C. To configure Microsoft Defender Firewall, create a Group Policy Object (GPO) and configure Windows
Defender Firewall with Advanced Security.
D. To configure Microsoft Defender Antivirus, create a Group Policy Object (GPO) and configure Windows
Defender Antivirus settings.
E. To configure Microsoft Defender Antivirus, create a device configuration profile and configure the Device
restrictions settings.
F. To configure Microsoft Defender Firewall, create a device configuration profile and configure the Endpoint
protection settings.

Answer: E,F
Section: (none)
Explanation
Explanation/Reference:

Explanation:
F: With Intune, you can use device configuration profiles to manage common endpoint protection security
features on devices, including:
Firewall
BitLocker
Allowing and blocking apps
Microsoft Defender and encryption
Reference:
https://docs.microsoft.com/en-us/mem/intune/protect/endpoint-protection-configure
https://docs.microsoft.com/en-us/mem/intune/protect/endpoint-security-policy#create-an-endpoint-securitypolicy

QUESTION 270
Your network contains an Active Directory domain that is synced to Microsoft Azure Active Directory (Azure
AD). The domain contains computers that run Windows 10. The computers are enrolled in Microsoft Intune
and Windows Analytics.
Your company protects documents by using Windows Information Protection (WIP).
You need to identify non-approved apps that attempt to open corporate documents.
What should you use?

A. the Device Health solution in Windows Analytics

B. Microsoft Cloud App Security
C. Intune Data Warehouse
D. the App protection status report in Intune

Answer: D
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/wiplearning

QUESTION 271
HOTSPOT
Your company uses Microsoft Defender for Endpoint. Microsoft Defender for Endpoint includes the device
groups shown in the following table.
You onboard a computer to Microsoft Defender for Endpoint as shown in the following exhibit.

What is the effect of the Microsoft Defender for Endpoint configuration? To answer, select the appropriate
options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:
Section: (none)
Explanation
Explanation/Reference:

QUESTION 272
Your company has computers that run Windows 10. The company uses Microsoft Intune to manage the
computers.
You have an app protection policy for Microsoft Edge. You assign the policy to a group.
On a computer named Computer1, you open Microsoft Edge.
You need to verify whether Microsoft Edge on Computer1 is protected by the app protection policy.
Which column should you add in Task Manager?

A. Operating system context

B. UAC virtualization
C. Enterprise Context
D. Data Execution Prevention

Answer: C
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/wipapp-
enterprise-context
https://www.itpromentor.com/win10-mam-wip/

QUESTION 273
HOTSPOT
You have 200 computers that run Windows 10. The computers are joined to Microsoft Azure Active Directory
(Azure AD) and enrolled in Microsoft Intune.
You need to configure an Intune device configuration profile to meet the following requirements:
Prevent Microsoft Office applications from launching child processes.
Block users from transferring files over FTP.
Which two settings should you configure in Endpoint protection? To answer, select the appropriate settings in
the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/intune/endpoint-protection-windows-10

QUESTION 274
HOTSPOT
You have a Microsoft 365 subscription.
You need to configure access to Microsoft Office 365 for unmanaged devices. The solution must meet the
following requirements:
Allow only the Microsoft Intune Managed Browser to access Office 365 web interfaces.
Ensure that when users use the Intune Managed Browser to access Office 365 web interfaces, they can
only copy data to applications that are managed by the company.
Which two settings should you configure from the Microsoft Intune blade? To answer, select the appropriate
settings in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/intune/app-configuration-managed-browser#application-protection-policiesfor-
protected-browsers

QUESTION 275
Your company implements Microsoft Azure Active Directory (Azure AD), Microsoft 365, Microsoft Intune, and
Azure Information Protection.
The company?s security policy states the following:
Personal devices do not need to be enrolled in Intune.
Users must authenticate by using a PIN before they can access corporate email data.
Users can use their personal iOS and Android devices to access corporate cloud services.
Users must be prevented from copying corporate email data to a cloud storage service other than Microsoft
OneDrive for Business.
You need to configure a solution to enforce the security policy.
What should you create?

A. a data loss prevention (DLP) policy from the Microsoft 365 Compliance admin center
B. an insider risk management policy from the Microsoft 365 Compliance admin center
C. an app protection policy from the Endpoint Management admin center
D. a device configuration profile from the Endpoint Management admin center

Answer: C
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/intune/app-protection-policy

QUESTION 276
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
Your company has an Azure Active Directory (Azure AD) tenant named contoso.com that contains several
Windows 10 devices.
When you join new Windows 10 devices to contoso.com, users are prompted to set up a four-digit pin.
You need to ensure that the users are prompted to set up a six-digit pin when they join the Windows 10
devices to contoso.com.
Solution: From the Azure Active Directory admin center, you configure the Authentication methods.
Does this meet the goal?

A. Yes
B. No

Answer: B
Section: (none)
Explanation
Explanation/Reference:

QUESTION 277
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
Your company has an Azure Active Directory (Azure AD) tenant named contoso.com that contains several
Windows 10 devices.
When you join new Windows 10 devices to contoso.com, users are prompted to set up a four-digit pin.
You need to ensure that the users are prompted to set up a six-digit pin when they join the Windows 10
devices to contoso.com.
Solution: From the Azure Active Directory admin center, you configure automatic mobile device management
(MDM) enrollment. From the Endpoint Manager admin center, you configure the Windows Hello for Business
enrollment options.
Does this meet the goal?

A. Yes
B. No

Answer: A
Section: (none)
Explanation
Explanation/Reference:

Explanation:
Hello for Business is an alternative sign-in method that uses Active Directory or an Azure Active Directory
account to replace a password, smart card, or a virtual smart card. It lets you use a user gesture to sign in,
instead of a password. A user gesture might be a PIN, biometric authentication such as Windows Hello, or an
external device such as a fingerprint reader.
Intune integrates with Hello for Business in two ways:
An Intune policy can be created under Device enrollment. This policy targets the entire organization
(tenant-wide). It supports the Windows AutoPilot out-of-box-experience (OOBE) and is applied when a
device enrolls.
An identity protection profile can be created under Device configuration. This profile targets assigned users
and devices, and is applied during check-in.
Reference:
https://docs.microsoft.com/en-us/intune/protect/windows-hello

QUESTION 278
You enable controlled folder access in audit mode for several computers that run Windows 10.
You need to review the events audited by controlled folder access.
Which Event Viewer log should you view?

A. Applications and Services\Microsoft\Windows\Windows Defender\Operational

B. Windows\Security
C. Applications and Services\Microsoft\Windows\Known Folders\Operational

Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/evaluate-controlled-folder-access?
view=o365-worldwide

QUESTION 279
HOTSPOT
You have a Microsoft 365 tenant that uses Microsoft Intune.
From the Microsoft Endpoint Manager admin center, you plan to create a baseline to monitor the Startup score
and the App reliability score of enrolled Windows 10 devices.
You need to identify which tool to use to create the baseline and the minimum number of devices required to
create the baseline.
What should you identify? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/analytics/scores#understanding-scores

QUESTION 280
Your company has a Microsoft 365 tenant.
Users sign in to Windows 10 devices by using their Microsoft 365 account.
On a computer, you open Sync your settings as shown in the exhibit. (Click the Exhibit tab.)

You need to set Sync settings to On.

What should you do?

A. Enable User Experience Virtualization (UE-V).

B. Enable Windows Mobility Center.
C. Disable Windows Hello for Business.
D. Enable Enterprise State Roaming.

Answer: D
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/devices/enterprise-state-roaming-enable

QUESTION 281
HOTSPOT
Your network contains an Active Directory domain. The domain contains the computers shown in the following
table.

Microsoft Defender Application Guard is installed on the computers.

Application Guard Group Policy settings are applied to the computers as shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

QUESTION 282
You have a Microsoft 365 tenant that contains the Windows 10 devices shown in the following table.

You enable Enterprise State Roaming.

You need to ensure that User1 can sync Windows settings across the devices.
What should you do?
A. Remove Device1 and Device2 from Intune.
B. Join Device2 to Azure AD.
C. Add a Microsoft account to each device.
D. Enroll Device3 in Intune.

Answer: D
Section: (none)
Explanation
Explanation/Reference:

QUESTION 283
You use Microsoft Defender for Endpoint to protect computers that run Windows 10.
You need to assess the differences between the configuration of Microsoft Defender for Endpoint and the
Microsoft-recommended configuration baseline.
Which tool should you use?

A. Microsoft Defender Security Center

B. Desktop Analytics
C. Microsoft Defender for Endpoint Power BI app
D. Microsoft Secure Score

Answer: D
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-
worldwide

QUESTION 284
Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
Your company has an Azure Active Directory (Azure AD) tenant named contoso.com that contains several
Windows 10 devices.
When you join new Windows 10 devices to contoso.com, users are prompted to set up a four-digit pin.
You need to ensure that the users are prompted to set up a six-digit pin when they join the Windows 10
devices to contoso.com.
Solution: From the Azure Active Directory admin center, you configure automatic mobile device management
(MDM) enrollment. From the Endpoint Manager admin center, you create and assign a device restrictions
profile.
Does this meet the goal?

A. Yes
B. No

Answer: B
Section: (none)
Explanation
Explanation/Reference:

QUESTION 285
Your company has a Microsoft Azure Active Directory (Azure AD) tenant. All users in the company are
licensed for Microsoft Intune.
You need to ensure that the users enroll their iOS device in Intune.
What should you configure first?

A. A Device Enrollment Program (DEP) token.

B. An Intune device configuration profile.
C. A Device enrollment manager (DEM) account.
D. An Apple MDM Push certificate.

Answer: D
Section: (none)
Explanation
Explanation/Reference:

Explanation:
You need to create an Apple MDM push certificate and use it to manage Apple devices with Intune. The Apple
MDM push certificate must be added to Endpoint Manager, and must be active.
Reference:
https://docs.microsoft.com/en-us/mem/intune/enrollment/apple-mdm-push-certificate-get

QUESTION 286
You have the devices shown in the following table.

You plan to implement Microsoft Defender for Endpoint.

You need to identify which devices can be onboarded to Microsoft Defender for Endpoint.
What should you identify?

A. Device3 only
B. Device1, Device2, and Device3 only
C. Device1, Device2, Device3, and Device4
D. Device2 and Device3 only
E. Device2, Device3, and Device4 only

Answer: B
Section: (none)
Explanation
Explanation/Reference:
References:
https://docs.microsoft.com/en-us/mem/configmgr/protect/deploy-use/defender-advanced-threatprotection#
bkmk_os
QUESTION 287
HOTSPOT
You have an Azure Active Directory (Azure AD) tenant that contains the users shown in the following table.

You have devices enrolled in Microsoft Intune as shown in the following table.

From Intune, you create and send a custom notification named Notification1 to Group1.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/intune/remote-actions/custom-notifications

QUESTION 288
You have a Microsoft Azure Log Analytics workplace that collects all the event logs from the computers at your
company.
You have a computer named Computer1 than runs Windows 10. You need to view the events collected from
Computer1.
Which query should you run in Log Analytics?
A. Event
| where Computer = = "Computer1"
B. ETWEvent
| where SourceSystem = = "Computer1"
C. ETWEvent
| where Computer = = "Computer1"
D. Event
| where SourceSystem = = "Computer1"

Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-sources-windows-events

QUESTION 289
HOTSPOT
A company named A.Datum Corporation uses Microsoft Endpoint Configuration Manager, Microsoft Intune,
and Desktop Analytics.
A.Datum purchases a company named Contoso, Ltd. Contoso has devices that run the following operating
systems:
Windows 8.1
Windows 10
Android
iOS
A.Datum plans to use Desktop Analytics to monitor the Contoso devices.
You need to identify which devices can be monitored by using Desktop Analytics and how to add the devices
to Desktop Analytics.
What should you identify? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/configmgr/desktop-analytics/overview

QUESTION 290
Your company uses Microsoft Intune to manage devices. You need to ensure that only Android devices that
use Android work profiles can enroll in Intune.
Which two configurations should you perform in the device enrollment restrictions? Each correct answer
presents part of the solution.
NOTE: Each correct selection is worth one point.

A. From Platform Settings, set Android Enterprise (work profile) to Allow.

B. From Platform Settings, set Android device administrator Personally Owned to Block.
C. From Platform Settings, set Android device administrator Personally Owned to Allow.
D. From Platform Settings, set Android device administrator to Block.

Answer: A,D
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/InTune/enrollment-restrictions-set

QUESTION 291

QUESTION 292
You have a Microsoft 365 E5 subscription and 25 Apple iPads.
You need to enroll the iPads in Microsoft Intune by using the Apple Configurator enrollment method.
What should you do first?

A. Upload a file that has the device identifiers for each iPad.
B. Modify the enrollment restrictions.
C. Configure an Apple MDM push certificate.
D. Add your user account as a device enrollment manager (DEM).

Answer: C
Section: (none)
Explanation
Explanation/Reference:

Explanation:
An Apple MDM Push certificate is required for Intune to manage iOS/iPadOS and macOS devices. After you
add the certificate to Intune, your users can enroll their devices.
Reference:
https://docs.microsoft.com/en-us/mem/intune/enrollment/apple-mdm-push-certificate-get

QUESTION 293
HOTSPOT
You have 1,000 computers that run Windows 10 and are members of an Active Directory domain.
You need to capture the event logs from the computers to Azure.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agent-windows

QUESTION 294
HOTSPOT
You have a Microsoft 365 E5 subscription that contains 100 Windows 10 devices enrolled in Microsoft Intune.
You need to create Endpoint security policies to meet the following requirements:
Hide the Firewall & network protection area in the Windows Security app.
Disable the provisioning of Windows Hello for Business on the devices.
Which two policy types should you use? To answer, select the policies in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:

Section: (none)
Explanation
Explanation/Reference:

Explanation:
In the Antivirus policy settings, you can hide the Firewall and network protection area in the Windows Security
app.
Windows Hello for Business settings are configured in Identity protection.
Reference:
https://docs.microsoft.com/en-us/mem/intune/protect/antivirus-security-experience-windows-settings
https://docs.microsoft.com/en-us/mem/intune/protect/identity-protection-windows-settings
Manage Apps and Data
Testlet 1
Case study
This is a case study. Case studies are not timed separately. You can use as much exam time as you
would like to complete each case. However, there may be additional case studies and sections on this
exam. You must manage your time to ensure that you are able to complete all questions included on this exam
in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the
case study. Case studies might contain exhibits and other resources that provide more information about the
scenario that is described in the case study. Each question is independent of the other questions in this case
study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and
to make changes before you move to the next section of the exam. After you begin a new section, you cannot
return to this section.
To start the case study
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore
the content of the case study before you answer the questions. Clicking these buttons displays information
such as business requirements, existing environment, and problem statements. If the case study has an All
Information tab, note that the information displayed is identical to the information displayed on the subsequent
tabs. When you are ready to answer a question, click the Question button to return to the question.

Overview
Contoso, Ltd. is a consulting company that has a main office in Montreal and branch offices in Seattle and
New York.
Contoso has a Microsoft 365 E5 subscription.
Environment
Network Environment
The network contains an on-premises Active Directory domain named contoso.com. The domain contains the
servers shown in the following table.

Contoso has a hybrid Azure Active Directory (Azure AD) tenant named contoso.com.
Contoso has a Microsoft Store for Business instance.
Users and Groups
The contoso.com tenant contains the users shown in the following table.
All users are assigned a Microsoft Office 365 license and an Enterprise Mobility + Security E3 license.
Enterprise State Roaming is enabled for Group1 and GroupA.
Group1 and Group2 have a Membership type of Assigned.
Devices
Contoso has the Windows 10 devices shown in the following table.

The Windows 10 devices are joined to Azure AD and enrolled in Microsoft Intune.
The Windows 10 devices are configured as shown in the following table.

The Compliance policy settings are shown in the following exhibit.

The Automatic Enrollment settings have the following configurations:
MDM user scope: GroupA
MAM user scope: GroupB
You have an Endpoint protection configuration profile that has the following Controlled folder access settings:
Name: Protection1
Folder protection: Enable
List of apps that have access to protected folders: C:\*\AppA.exe
List of additional folders that need to be protected: D:\Folder1
Assignments:
- Included groups: Group2, GroupB
Windows Autopilot Configuration
Contoso has a Windows Autopilot deployment profile configured as shown in the following exhibit.
Currently, there are no devices deployed by using Window Autopilot.
The Intune connector for Active Directory is installed on Server1.
Requirements
Planned Changes
Contoso plans to implement the following changes:
Purchase a new Windows 10 device named Device6 and enroll the device in Intune.
New computers will be deployed by using Windows Autopilot and will be hybrid Azure AD joined.
Deploy a network boundary configuration profile that will have the following settings:
- Name: Boundary1
- Network boundary: 192.168.1.0/24
- Scope tags: Tag1
- Assignments:
- - Included groups: Group1, Group2
Deploy two VPN configuration profiles named Connection1 and Connection2 that will have the following
settings:
- Name: Connection1
- Connection name: VPN1
- Connection type: L2TP
- Assignments:
- - Included groups: Group1, Group2, GroupA
- - Excluded groups: --
- Name: Connection2
- Connection name: VPN2
- Connection type: IKEv2
- Assignments:
- - Included groups: GroupA
- - Excluded groups: GroupB
Purchase an app named App1 that is available in Microsoft Store for Business and to assign the app to all
the users.
Technical Requirements
Contoso must meet the following technical requirements:
Users in GroupA must be able to deploy new computers.
Administrative effort must be minimized.

QUESTION 295
Which users can purchase and assign App1?

A. User3 only
B. User1 and User3 only
C. User1, User2, User3, and User4
D. User1, User3, and User4 only
E. User3 and User4 only

Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/microsoft-store/acquire-apps-microsoft-store-for-business
https://docs.microsoft.com/en-us/microsoft-store/assign-apps-to-employees
Manage Apps and Data
Testlet 2
Case study
This is a case study. Case studies are not timed separately. You can use as much exam time as you
would like to complete each case. However, there may be additional case studies and sections on this
exam. You must manage your time to ensure that you are able to complete all questions included on this exam
in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the
case study. Case studies might contain exhibits and other resources that provide more information about the
scenario that is described in the case study. Each question is independent of the other questions in this case
study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and
to make changes before you move to the next section of the exam. After you begin a new section, you cannot
return to this section.
To start the case study
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore
the content of the case study before you answer the questions. Clicking these buttons displays information
such as business requirements, existing environment, and problem statements. When you are ready to answer
a question, click the Question button to return to the question.
General Overview
Litware, Inc. is an international manufacturing company that has 3,000 employees. The company has sales,
marketing, research, human resources (HR), development, and IT departments.
Litware has two main offices in New York and Los Angeles. Litware has five branch offices in Asia.
Existing Environment
Current Business Model
The Los Angeles office has 500 developers. The developers work flexible hours ranging from 11 AM to 10 PM.
Litware has a Microsoft Endpoint Configuration Manager deployment.
During discovery, the company discovers a process where users are emailing bank account information of its
customers to internal and external recipients.
Current Environment
The network contains an Active Directory domain that is synced to Microsoft Azure Active Directory (Azure
AD). The functional level of the forest and the domain is Windows Server 2012 R2. All domain controllers run
Windows Server 2012 R2.
Litware has the computers shown in the following table.

The development department uses projects in Azure DevOps to build applications.

Most of the employees in the sales department are contractors. Each contractor is assigned a computer that
runs Windows 10. At the end of each contract, the computer is assigned to a different contractor. Currently, the
computers are re-provisioned manually by the IT department.
Problem Statements
Litware identifies the following issues on the network:
Employees in sales department computers is too time the Los Angeles office report slow Internet
performance when updates are downloading. The employees also report that the updates frequently
consume considerable resources when they are installed. The Update settings are configured as shown in
the Updates exhibit. (Click the Updates button.)
Management suspects that the source code for the proprietary applications in Azure DevOps in being
shared externally.
Re-provisioning theconsuming.
Requirements
Business Goals
Litware plans to transition to co-management for all the company-owned Windows 10 computers. Whenever
possible, Litware wants to minimize hardware and software costs.
Device Management Requirements
Litware identifies the following device management requirements:
Prevent the sales department employees from forwarding email that contains bank account information.
Ensure that Microsoft Edge Favorites are accessible from all computers to which the developers sign in.
Prevent employees in the research department from copying patented information from trusted applications
to untrusted applications.
Technical Requirements
Litware identifies the following technical requirements for the planned deployment:
Re-provision the sales department computers by using Windows AutoPilot.
Ensure that the projects in Azure DevOps can be accessed from the corporate network only.
Ensure that users can sign in to the Azure AD-joined computers by using a PIN. The PIN must expire every
30 days.
Ensure that the company name and logo appears during the Out of Box Experience (OOBE) when using
Windows AutoPilot.
Exhibits
Updates
QUESTION 296
HOTSPOT
You need to recommend a solution to meet the device management requirements.
What should you include in the recommendation? To answer, select the appropriate options in the answer
area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:

Explanation:
From the scenario:
Litware identifies the following device management requirements:
Prevent the sales department employees from forwarding email that contains bank account information.
Ensure that Microsoft Edge Favorites are accessible from all computers to which the developers sign in.
Prevent employees in the research department from copying patented information from trusted applications
to untrusted applications.
Box 1:
Employees in the research department must be prevented from copying patented information from trusted
applications to untrusted applications. This requires an App protection policy.
App protection policies make sure that the app-layer protections are in place. For example, you can:
Require a PIN to open an app in a work context
Control the sharing of data between apps
Prevent the saving of company app data to a personal storage location
Box 2:
Employees in the sales department must be prevented from forwarding email that contains bank account
information.
Azure Information Protection is a cloud-based solution that helps an organization to classify and optionally,
protect its documents and emails by applying labels. Labels can be applied automatically by administrators
who define rules and conditions, manually by users, or a combination where users are given
recommendations.
Reference:
https://docs.microsoft.com/en-us/intune/app-protection-policy
https://docs.microsoft.com/en-us/azure/information-protection/what-is-information-protection
Manage Apps and Data
Testlet 3
Case study
This is a case study. Case studies are not timed separately. You can use as much exam time as you
would like to complete each case. However, there may be additional case studies and sections on this
exam. You must manage your time to ensure that you are able to complete all questions included on this exam
in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the
case study. Case studies might contain exhibits and other resources that provide more information about the
scenario that is described in the case study. Each question is independent of the other questions in this case
study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and
to make changes before you move to the next section of the exam. After you begin a new section, you cannot
return to this section.
To start the case study
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore
the content of the case study before you answer the questions. Clicking these buttons displays information
such as business requirements, existing environment, and problem statements. When you are ready to answer
a question, click the Question button to return to the question.

Overview
Contoso, Ltd. is a consulting company that has a main office in Montreal and two branch offices in Seattle and
New York.
Contoso has the users and computers shown in the following table.

User2 is a device enrollment manager (DEM) in Intune.

The devices enrolled in Intune are shown in the following table.

The device compliance policies in Intune are configured as shown in the following table.

The device compliance policies have the assignments shown in the following table.

The device limit restrictions in Intune are configured as shown in the following table.

QUESTION 297
You need to meet the requirements for the MKG department users.
What should you do?

A. Assign the MKG department users the Purchaser role in Microsoft Store for Business
B. Download the APPX file for App1 from Microsoft Store for Business
C. Add App1 to the private store
D. Assign the MKG department users the Basic Purchaser role in Microsoft Store for Business
E. Acquire App1 from Microsoft Store for Business

Answer: E
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/microsoft-store/distribute-apps-from-your-private-store
Manage Apps and Data
Question Set 4

QUESTION 298
You have Windows 10 devices that are managed by using Microsoft Intune. Intune and the Microsoft Store for
Business are integrated.
You need to deploy the Remote Desktop modern app as an automatic install to the Windows 10 devices
without user interaction.
Which three actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. Create an Azure Active Directory group that contains all users.

B. From the Endpoint Manager admin center, create a Microsoft Store app for the Remote Desktop modern
app.
C. From the Endpoint Manager admin center, assign the app to the Azure Active Directory group.
D. Create an Azure Active Directory group that contains the Windows 10 devices.
E. From the Microsoft Store for Business portal, assign a license for the app to all the users in the Azure
Active Directory group.
F. For your organization, make the app available in the Microsoft Store for Business.

Answer: B,C,D
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/intune/apps/store-apps-windows
https://docs.microsoft.com/en-us/mem/intune/apps/apps-deploy
https://docs.microsoft.com/en-us/mem/intune/apps/windows-store-for-business
https://docs.microsoft.com/en-us/mem/intune/apps/apps-add

QUESTION 299
You have devices enrolled in Microsoft Intune as shown in the following table.

On which devices can you apply app configuration policies?

A. Device1, Device2, Device3, and Device4

B. Device2 only
C. Device3 and Device4 only
D. Device1 and Device2 only
E. Device2, Device3, and Device4 only

Answer: C
Section: (none)
Explanation
Explanation/Reference:

Explanation:
App configuration policies are only required for iOS/iPadOS or Android apps
Reference:
https://docs.microsoft.com/en-us/mem/intune/apps/app-configuration-policies-overview

QUESTION 300
You have a Microsoft Intune subscription.
You have devices enrolled in Intune as shown in the following table.

An app named App1 is installed on each device.

What is the minimum number of app configuration policies required to manage App1?

A. 1
B. 2
C. 3
D. 4
E. 5

Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/intune/apps/app-configuration-policies-overview

QUESTION 301
HOTSPOT
Your network contains an Active Directory Domain Services (AD DS) domain named contoso.com. The
domain contains Windows 10 devices that are managed by using Microsoft Endpoint Configuration Manager.
You plan to deploy Microsoft 365 Apps for enterprise to the devices by using Configuration Manager.
You create a Configuration.xml file as shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the
information presented in the graphic.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/deployoffice/office-deployment-tool-configuration-options
https://docs.microsoft.com/en-us/deployoffice/overview-update-channels#semi-annual-enterprise-channeloverview

QUESTION 302
HOTSPOT
You have groups that use the Dynamic Device membership type as shown in the following table.

You are deploying Microsoft 365 apps.

You have devices enrolled in Microsoft Intune as shown in the following table.

In the Microsoft Endpoint Manager admin center, you create a Microsoft 365 Apps app as shown in the exhibit.
(Click the Exhibit tab.)
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/intune/apps/apps-add-office365
https://docs.microsoft.com/en-us/mem/intune/apps/apps-deploy
https://docs.microsoft.com/en-us/mem/intune/apps/apps-add

QUESTION 303
HOTSPOT
You have a Microsoft 365 E5 tenant that contains the users shown in the following table.

You provision the private store in Microsoft Store for Business and assign Microsoft Store for Business roles to
the users as shown in the following table.

You configure the following Shopping behavior settings for the Microsoft Store for Business:
Allow users to shop: Yes
Make everyone a Basic Purchaser: Off
Allow app requests: On
Shop offline apps: Off
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/microsoft-store/roles-and-permissions-microsoft-store-for-business
https://docs.microsoft.com/en-us/microsoft-store/acquire-apps-microsoft-store-for-business

QUESTION 304
You have a Microsoft 365 tenant that uses Microsoft Intune.
You use the Company Portal app to access and install published apps to enrolled devices.
From the Microsoft Endpoint Manager admin center, you add a Microsoft Store app.
Which two App information types are visible in the Company Portal?
NOTE: Each correct selection is worth one point.

A. Information URL
B. Owner
C. Privacy URL
D. Developer

Answer: C,D
Section: (none)
Explanation
Explanation/Reference:

QUESTION 305
You have a Microsoft 365 tenant that contains the objects shown in the following table.

In the Microsoft Endpoint Manager admin center, you are creating a Microsoft 365 Apps app named App1.
To which objects can you assign App1?

A. Admin1, Group3, and Group4 only

B. Group1, Group2, Group3, and Group4 only
C. Admin1, Group1, Group2, Group3, and Group4
D. Group1, Group3, and Group4 only
E. Group3 and Group4 only

Answer: D
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/intune/apps/apps-deploy
https://docs.microsoft.com/en-us/microsoft-365/admin/create-groups/compare-groups?view=o365-worldwide

QUESTION 306
You use Windows Admin Center to remotely administer computers that run Windows 10.
When connecting to Windows Admin Center, you receive the message shown in the following exhibit.
You need to prevent the message from appearing when you connect to Windows Admin Center.
To which certificate store should you import the certificate?

A. Client Authentication Issuers

B. Trusted Root Certification Authorities
C. Personal

Answer: C
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://social.technet.microsoft.com/Forums/en-US/6b3abb8e-007e-4047-bd30-2946b9c3aaba/windowsadmin-
center-three-questions-login-and-certs?forum=ws2016

QUESTION 307
DRAG DROP
Your company has a Microsoft 365 E5 tenant.
All the devices of the company are enrolled in Microsoft Endpoint Manager.
You need to create advanced reports by using custom queries and visualizations from raw Microsoft Endpoint
Manager data.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of
actions to the answer area and arrange them in the correct order.
Select and Place:

Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/intune/fundamentals/reports

QUESTION 308
HOTSPOT
Your network contains an Active Directory domain. The domain contains computers that are managed by
using Microsoft Endpoint Configuration Manager.
You plan to integrate Configuration Manager and Azure as part of a Desktop Analytics implementation.
You create a new organizational unit (OU) and place several test computers that run Windows 10 into the OU.
You need to collect diagnostic data from the test computers to Desktop Analytics.
App usage and insights data
Health monitoring data
Deployment status data
The solution must minimize the data collected.
Which two Group Policy settings should you configure? To answer, select the appropriate settings in the
answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/enterprise-threat-detection/collector/collector-client-configuration-windows-
10-telemetry-requirements
https://docs.microsoft.com/en-us/mem/configmgr/desktop-analytics/enable-data-sharing

QUESTION 309
DRAG DROP
Your company uses Microsoft Intune. You have a Microsoft Store for Business account.
You need to ensure that you can deploy Microsoft Store for Business apps by using Intune.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of
actions to the answer area and arrange them in the correct order.
NOTE: More than one order of answer choices is correct. You will receive credit for any of the correct orders
you select.
Select and Place:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/intune/apps/windows-store-for-business

QUESTION 310
Your company has a Microsoft 365 subscription.
All the users in the finance department own personal devices that run iOS or Android. All the devices are
enrolled in Microsoft Intune.
The finance department adds new users each month.
The company develops a mobile application named App1 for the finance department users.
You need to ensure that only the finance department users can download App1.
What should you do first?

A. Add App1 to Intune.

B. Add App1 to a Microsoft Deployment Toolkit (MDT) deployment share.
C. Add App1 to Microsoft Store for Business.
D. Add App1 to the vendor stores for iOS and Android applications.

Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/intune/apps-add

QUESTION 311
HOTSPOT
You have a Microsoft Azure Active Directory (Azure AD) tenant named contoso.com. All Windows 10 devices
have apps named App1, App2 and App3 installed and are enrolled in Microsoft Intune.
You configure the following settings in Windows Information Protection (WIP):
Protected apps: App1
Exempt apps: App2
Windows Information Protection mode: Silent
App1, App2, and App3 use the same file format.
You create a file named File1 in App1.
You need to identify which apps can open File1.
Which apps should you identify? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/
create-wip-policy-using-intune
https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/
create-wip-policy-using-intune#exempt-apps-from-wip-restrictions

QUESTION 312
Your company has a main office and six branch offices. The branch offices connect to the main office by using
a WAN link. All offices have a local Internet connection and a Hyper-V host cluster.
The company has a Microsoft Endpoint Configuration Manager deployment. The main office is the primary site.
Each branch office has a distribution point.
All computers that run Windows 10 are managed by using both Configuration Manager and Microsoft Intune.
You plan to deploy the latest build of Microsoft Office 365 ProPlus to all the computers.
You need to minimize the amount of network traffic on the company?s Internet links for the planned
deployment.
What should you include in the deployment plan?

A. From Intune, configure app assignments for the Office 365 ProPlus suite. In each office, copy the Office
365 distribution files to a Microsoft Deployment Toolkit (MDT) deployment share.
B. From Intune, configure app assignments for the Office 365 ProPlus suite. In each office, copy the Office
365 distribution files to a Configuration Manager distribution point.
C. From Endpoint Configuration Manager, create an application deployment. Copy the Office 365 distribution
files to a Configuration Manager cloud distribution point.
D. From Endpoint Configuration Manager, create an application deployment. In each office, copy the Office
365 distribution files to a Configuration Manager distribution point.

Answer: D
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/deployoffice/deploy-office-365-proplus-with-system-center-configurationmanager-
2012r2#distribute-the-office-365-proplus-application-to-distribution-points-in-configuration-manager
QUESTION 313
HOTSPOT
Your company has a computer named Computer1 that runs Windows 10 Pro.
The company develops a proprietary Universal Windows Platform (UWP) app named App1. App1 is signed
with a certificate from a trusted certification authority (CA).
You need to sideload App1 to Computer1.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
Reference:
https://www.windowscentral.com/how-enable-windows-10-sideload-apps-outside-store
https://docs.microsoft.com/en-us/windows/application-management/sideload-apps-in-windows-10
QUESTION 314
You manage a Microsoft 365 environment that has co-management enabled.
All computers run Windows 10 and are deployed by using the Microsoft Deployment Toolkit (MDT).
You need to recommend a solution to deploy Microsoft Office 365 ProPlus to new computers. The latest
version must always be installed. The solution must minimize administrative effort.
What is the best tool to use for the deployment? More than one answer choice may achieve the goal. Select
the BEST answer.

A. Microsoft Intune
B. Microsoft Deployment Toolkit
C. Office Deployment Tool (ODT)
D. a Group Policy object (GPO)
E. Microsoft System Center Configuration Manager

Answer: C
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/deployoffice/overview-of-the-office-2016-deployment-tool

QUESTION 315
You have a Microsoft 365 subscription.
You have 10 computers that run Windows 10 and are enrolled in mobile device management (MDM).
You need to deploy the Microsoft 365 Apps for enterprise suite to all the computers.
What should you do?

A. From the Endpoint Manager admin center, add an app.

B. From Microsoft Azure Active Directory (Azure AD), add an app registration.
C. From Microsoft Azure Active Directory (Azure AD), add an enterprise application.
D. From the Endpoint Manager admin center, create a Windows 10 device profile.

Answer: C
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/client-management/mdm/enterprise-app-management#applicationmanagement-
goals

QUESTION 316
You have a Microsoft 365 subscription.
You need to deploy Microsoft 365 Apps for enterprise applications to Windows 10 devices.
What should you do first?

A. From Microsoft Azure Active Directory (Azure AD), create an app registration.
B. From the Endpoint Manager admin center, create an app.
C. From the Endpoint Manager admin center, create an app configuration policy.
D. From the Endpoint Manager admin center, enable Microsoft Store for Business synchronization.

Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/intune/apps/apps-add-office365

QUESTION 317
You have devices enrolled in Microsoft Intune as shown in the following table.

You create an app protection policy named Policy1 that has the following settings:
Platform: Windows 10
Protected apps: App1
Exempt apps: App2
Network boundary: Cloud resources, IPv4 ranges
You assign Policy1 to Group1 and Group2. You exclude Group3 from Policy1.
Which devices will apply Policy1?

A. Device1, Device2, Device4, and Device5

B. Device1, Device4, and Device5 only
C. Device4 and Device5 only
D. Device1, Device3, Device4 and Device5

Answer: C
Section: (none)
Explanation
Explanation/Reference:

Explanation:
Intune device configuration profiles let you include and exclude groups from profile assignment. Exclusion
takes precedence over inclusion in same group types.
Policy1 excludes Group3 and Group3 includes Device1, Device2, and Device3.
Incorrect Answers:
A, B, D: Device1, Device2, and Device3 are members of Group3. Policy1 excludes Group3. Exclusion takes
precedence over inclusion.
Reference:
https://docs.microsoft.com/en-us/mem/intune/configuration/device-profile-assign#exclude-groups-from-aprofile-
assignment
https://docs.microsoft.com/en-us/intune/app-protection-policies

QUESTION 318
HOTSPOT
Your network contains an Active Directory domain that is synced to Microsoft Azure Active Directory (Azure
AD).
You have a Microsoft Office 365 subscription. All computers are joined to the domain and have the latest
Microsoft OneDrive sync client (OneDrive.exe) installed.
On all the computers, you configure the OneDrive settings as shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the
information presented in the graphic.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:

Section: (none)
Explanation
Explanation/Reference:

Explanation:
Box 1:
Silently move known folders to OneDrive is enabled. Known folder include:
Desktop, Documents, Pictures, Screenshots, and Camera Roll
Box 2:
OneDrive Files On-Demand enables users to view, search for, and interact with files stored in OneDrive from
within File Explorer without downloading them and taking up space on the local hard drive.
Reference:
https://docs.microsoft.com/en-us/onedrive/redirect-known-folders
https://docs.microsoft.com/en-us/onedrive/plan-onedrive-enterprise

QUESTION 319
HOTSPOT
You have a Microsoft 365 subscription.
Users have iOS devices that are not enrolled in Microsoft 365 Device Management.
You create an app protection policy for the Microsoft Outlook app as shown in the exhibit. (Click the Exhibit
tab.)

You need to configure the policy to meet the following requirements:

Prevent the users from using the Outlook app if the operating system version is less than 12.0.0.
Require the users to use an alphanumeric passcode to access the Outlook app.
What should you configure in an app protection policy for each requirement? To answer, select the appropriate
options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:

Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/intune/app-protection-policy-settings-ios
https://docs.microsoft.com/en-us/intune/app-protection-policy-settings-ios

E4H Conversion Guide
No ratings yet
E4H Conversion Guide
96 pages
Simulado Completo MD-102 1
No ratings yet
Simulado Completo MD-102 1
275 pages
MS 102 Questions
No ratings yet
MS 102 Questions
8 pages
MD 102
100% (1)
MD 102
225 pages
MD-102 Dump
100% (2)
MD-102 Dump
152 pages
MD-102 Exam Simulation
100% (2)
MD-102 Exam Simulation
77 pages
SC-200: Microsoft Security Operations Analyst Preparation
From Everand
SC-200: Microsoft Security Operations Analyst Preparation
Georgio Daccache
No ratings yet
MD-102 Exam - Free Actual Q&as, Page 2 - ExamTopics
No ratings yet
MD-102 Exam - Free Actual Q&as, Page 2 - ExamTopics
45 pages
MD 102
100% (2)
MD 102
97 pages
MS 101 PDF
No ratings yet
MS 101 PDF
105 pages
MCA Microsoft 365 Certified Associate Modern Desktop Administrator Complete Study Guide with 900 Practice Test Questions: Exam MD-100 and Exam MD-101
From Everand
MCA Microsoft 365 Certified Associate Modern Desktop Administrator Complete Study Guide with 900 Practice Test Questions: Exam MD-100 and Exam MD-101
William Panek
No ratings yet
Setting Up VCP Instance - Release 12.2.5/12.2.5.2: Step 1: Identify The Architecture
No ratings yet
Setting Up VCP Instance - Release 12.2.5/12.2.5.2: Step 1: Identify The Architecture
4 pages
Overview Direct Updates For End Customers Worev PDF
No ratings yet
Overview Direct Updates For End Customers Worev PDF
3 pages
Ee PDF 2024-Mar-25 by Hilary 214q Vce
No ratings yet
Ee PDF 2024-Mar-25 by Hilary 214q Vce
7 pages
MS-101 26april2020
No ratings yet
MS-101 26april2020
165 pages
MS 101 Examcollection - Premium.exam.209q
100% (1)
MS 101 Examcollection - Premium.exam.209q
194 pages
MD 101 Demo
No ratings yet
MD 101 Demo
6 pages
MD-101 Dumps Managing Modern Desktops (Beta)
No ratings yet
MD-101 Dumps Managing Modern Desktops (Beta)
12 pages
MD 102
No ratings yet
MD 102
10 pages
Update Ring
No ratings yet
Update Ring
6 pages
(Oct-2023) New PassLeader MD-102 Exam Dumps
No ratings yet
(Oct-2023) New PassLeader MD-102 Exam Dumps
7 pages
IT Mock Test Questions Practice
No ratings yet
IT Mock Test Questions Practice
17 pages
Microsoft Azure Security Engineer AZ 500
From Everand
Microsoft Azure Security Engineer AZ 500
Manish Soni
No ratings yet
MS-101 Exam
No ratings yet
MS-101 Exam
237 pages
Microsoft Azure Virtual Desktop AZ 140
From Everand
Microsoft Azure Virtual Desktop AZ 140
Manish Soni
No ratings yet
Ms 101
No ratings yet
Ms 101
244 pages
md-102 6
No ratings yet
md-102 6
30 pages
Microsoft MD 102 Dumpshq Actual Questions by George 29 01 2024 11qa
No ratings yet
Microsoft MD 102 Dumpshq Actual Questions by George 29 01 2024 11qa
19 pages
Microsoft Azure Administrator AZ 104
From Everand
Microsoft Azure Administrator AZ 104
Manish Soni
No ratings yet
MS 101.prepaway - Premium.exam.301q
No ratings yet
MS 101.prepaway - Premium.exam.301q
217 pages
Microsoft Ensurepass md-101 Vce Download 2024-Feb-06 by Heather 221q Vce
No ratings yet
Microsoft Ensurepass md-101 Vce Download 2024-Feb-06 by Heather 221q Vce
13 pages
Aindump2go - Ms 101.PDF - Download.2022 Sep 18.by - Kelly.160q.vce
No ratings yet
Aindump2go - Ms 101.PDF - Download.2022 Sep 18.by - Kelly.160q.vce
22 pages
Microsoft Azure Fundamentals AZ 900
From Everand
Microsoft Azure Fundamentals AZ 900
Manish Soni
No ratings yet
Microsoft Azure Developer AZ 204
From Everand
Microsoft Azure Developer AZ 204
Manish Soni
No ratings yet
03 Drop-Down
No ratings yet
03 Drop-Down
24 pages
Microsoft Premium MD-102 30q-DEMO
No ratings yet
Microsoft Premium MD-102 30q-DEMO
26 pages
Microsoft Azure DevOps Engineer AZ 400
From Everand
Microsoft Azure DevOps Engineer AZ 400
Manish Soni
No ratings yet
MS-102 Exam Part 1
100% (1)
MS-102 Exam Part 1
41 pages
MD-102 Exam Valid Dumps
100% (1)
MD-102 Exam Valid Dumps
62 pages
MS-102 Final
No ratings yet
MS-102 Final
41 pages
Microsoft: Exam Questions MD-100
No ratings yet
Microsoft: Exam Questions MD-100
11 pages
md-102 1
No ratings yet
md-102 1
315 pages
Microsoft Lead2pass md-100 PDF 2021-Feb-02 by Rod 163q Vce
No ratings yet
Microsoft Lead2pass md-100 PDF 2021-Feb-02 by Rod 163q Vce
21 pages
(Apr-2024) New PassLeader MS-102 Exam Dumps
No ratings yet
(Apr-2024) New PassLeader MS-102 Exam Dumps
7 pages
Microsoft Azure Network Engineer AZ 700
From Everand
Microsoft Azure Network Engineer AZ 700
Manish Soni
No ratings yet
MD 101 PDF
No ratings yet
MD 101 PDF
166 pages
Microsoft MS-101 Certification Questions With Free Demo
No ratings yet
Microsoft MS-101 Certification Questions With Free Demo
5 pages
70-698 Students Practice Questions and Answers
No ratings yet
70-698 Students Practice Questions and Answers
22 pages
MD 102
100% (2)
MD 102
142 pages
MS 102
No ratings yet
MS 102
9 pages
Microsoft Premium MS-101by VCEplus 106q-DEMO PDF
No ratings yet
Microsoft Premium MS-101by VCEplus 106q-DEMO PDF
71 pages
MD-102 837 1
No ratings yet
MD-102 837 1
252 pages
Comptia Practicetest 220-1102 Vce Dumps 2023-Jan-01 by Barton 73q Vce
No ratings yet
Comptia Practicetest 220-1102 Vce Dumps 2023-Jan-01 by Barton 73q Vce
10 pages
ms-102 7
No ratings yet
ms-102 7
71 pages
Microsoft 70-687 / Configuring Windows 8 / 80 Q&A
No ratings yet
Microsoft 70-687 / Configuring Windows 8 / 80 Q&A
59 pages
2 MS-900 Exam - Page 2
No ratings yet
2 MS-900 Exam - Page 2
5 pages
CompTIA A+ Blueprint : Study Guide & Mock Tests
From Everand
CompTIA A+ Blueprint : Study Guide & Mock Tests
PRIYANKA
No ratings yet
md-102 7
No ratings yet
md-102 7
18 pages
MS-102 Microsoft Updated Practice Questions
100% (1)
MS-102 Microsoft Updated Practice Questions
67 pages
Certification Checkpoint Exam #4 (Chapters 10 - 11) Answers
No ratings yet
Certification Checkpoint Exam #4 (Chapters 10 - 11) Answers
8 pages
System Software Extended Test 3
No ratings yet
System Software Extended Test 3
3 pages
MD-102 Exam - Free Actual Q&as, Page 1 - ExamTopics
No ratings yet
MD-102 Exam - Free Actual Q&as, Page 1 - ExamTopics
53 pages
Microsoft PracticeTest MD-101 v2019-09-05 by - Gracelynn 58q PDF
No ratings yet
Microsoft PracticeTest MD-101 v2019-09-05 by - Gracelynn 58q PDF
64 pages
BioStar 2 New Features - v2.9.8
No ratings yet
BioStar 2 New Features - v2.9.8
36 pages
Information: Title: Document ID: Product - Version: OS: Updated: Critical: Summary
No ratings yet
Information: Title: Document ID: Product - Version: OS: Updated: Critical: Summary
32 pages
What S New in Sap Process Orchestration 75 Sp00
No ratings yet
What S New in Sap Process Orchestration 75 Sp00
13 pages
NN10600 550
No ratings yet
NN10600 550
346 pages
02.centum VP Installation
100% (1)
02.centum VP Installation
541 pages
Eula Eng 250723
No ratings yet
Eula Eng 250723
18 pages
How To Recover Update
No ratings yet
How To Recover Update
18 pages
Fix - No PC - PPI in STEP 7 MicroWin - Siemens
No ratings yet
Fix - No PC - PPI in STEP 7 MicroWin - Siemens
18 pages
Project Report Document FINAL REPORT
No ratings yet
Project Report Document FINAL REPORT
75 pages
Vom Ms Install 6 1
No ratings yet
Vom Ms Install 6 1
255 pages
Readme For PK2CMD
No ratings yet
Readme For PK2CMD
17 pages
CIS Google Android Benchmark v1.5.0
No ratings yet
CIS Google Android Benchmark v1.5.0
109 pages
All Chapter CCNA1
No ratings yet
All Chapter CCNA1
49 pages
Datos PC Snacc Mauricio Diaz
No ratings yet
Datos PC Snacc Mauricio Diaz
8 pages
Update 202108
No ratings yet
Update 202108
4 pages
Infrastructure Manager
No ratings yet
Infrastructure Manager
2 pages
Cisco IOS Software Product Lifecycle Dates & Milestones - Cisco
No ratings yet
Cisco IOS Software Product Lifecycle Dates & Milestones - Cisco
7 pages
Recommendation Report EPC
No ratings yet
Recommendation Report EPC
13 pages
Nemesis Service Suite
No ratings yet
Nemesis Service Suite
13 pages
SN000144 Ecube 9 DIA Software Update App V3.6.2.259 - Base V2.0.10.10
No ratings yet
SN000144 Ecube 9 DIA Software Update App V3.6.2.259 - Base V2.0.10.10
7 pages
Hacking The IT Cube
100% (2)
Hacking The IT Cube
302 pages
RSA EnVision 3.5.2 Release Notes
No ratings yet
RSA EnVision 3.5.2 Release Notes
35 pages
SFRAC Install For Aix
No ratings yet
SFRAC Install For Aix
783 pages
PSN Code of Connection v1.32
No ratings yet
PSN Code of Connection v1.32
11 pages
CarSim New Features
No ratings yet
CarSim New Features
3 pages
Server Administration and Management
No ratings yet
Server Administration and Management
3 pages