Topic 1, Litware, Inc.
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.
To start the case study
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. When you are ready to answer a question, click the Question button to return to the question.
General Overview
Litware, Inc. is an international manufacturing company that has 3,000 employees. The company has sales, marketing, research, human resources (HR), development, and IT departments.
Litware has two main offices in New York and Los Angeles. Litware has five branch offices in Asia.
Existing Environment
Current Business Model
The Los Angeles office has 500 developers. The developers work flexible hours ranging from 11 AM to 10 PM.
Litware has a Microsoft System Center 2012 R2 Configuration Manager deployment.
During discovery, the company discovers a process where users are emailing bank account information of its customers to internal and external recipients.
Current Environment
The network contains an Active Directory domain that is synced to Microsoft Azure Active Directory (Azure AD). The functional level of the forest and the domain is Windows Server 2012 R2. All domain controllers run Windows Server 2012 R2.
Litware has the computers shown in the following table.
The development department uses projects in Azure DevOps to build applications.
Most of the employees in the sales department are contractors. Each contractor is assigned a computer that runs Windows 10. At the end of each contract, the computer is assigned to a different contractor. Currently, the computers are re-provisioned manually by the IT department.
Problem Statements
Litware identifies the following issues on the network:
– Employees in the Los Angeles office report slow Internet performance when updates are downloading. The employees also report that the updates frequently consume considerable resources when they are installed. The Update settings are configured as shown in the Updates exhibit. (Click the Updates button.)
– Management suspects that the source code for the proprietary applications in Azure DevOps is being shared externally.
– Re-provisioning the sales department computers is too time consuming.
Requirements
Business Goals
Litware plans to transition to co-management for all the company-owned Windows 10 computers.
Whenever possible, Litware wants to minimize hardware and software costs.
Device Management Requirements
Litware identifies the following device management requirements:
– Prevent the sales department employees from forwarding email that contains bank account information.
– Ensure that Microsoft Edge Favorites are accessible from all computers to which the developers sign in.
– Prevent employees in the research department from copying patented information from trusted applications to untrusted applications.
Technical Requirements
Litware identifies the following technical requirements for the planned deployment:
– Re-provision the sales department computers by using Windows AutoPilot.
– Ensure that the projects in Azure DevOps can be accessed from the corporate network only.
– Ensure that users can sign in to the Azure AD-joined computers by using a PIN. The PIN must expire every 30 days.
– Ensure that the company name and logo appear during the Out of Box Experience (OOBE) when using Windows AutoPilot.
Exhibits
Updates
HOTSPOT
You need to recommend a solution to meet the device management requirements.
What should you include in the recommendation? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
HOTSPOT
You need to meet the technical requirements for Windows AutoPilot.
Which two settings should you configure from the Azure Active Directory blade? To answer, select the appropriate settings in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
References: https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot-reset
What should you configure to meet the technical requirements for the Azure AD-joined computers?
- A . Windows Hello for Business from the Microsoft Intune blade in the Azure portal.
- B . The Accounts options in an endpoint protection profile.
- C . The Password Policy settings in a Group Policy object (GPO).
- D . A password policy from the Microsoft Office 365 portal.
A
Explanation:
References: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-manage-inorganization
HOTSPOT
You need to resolve the performance issues in the Los Angeles office.
How should you configure the update settings? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
HOTSPOT
You need to meet the OOBE requirements for Windows AutoPilot.
Which two settings should you configure from the Azure Active Directory blade? To answer, select the appropriate settings in the answer area. NOTE: Each correct selection is worth one point.
What should you upgrade before you can configure the environment to support co-management?
- A . the domain functional level
- B . Configuration Manager
- C . the domain controllers
- D . Windows Server Update Services (WSUS)
B
Explanation:
References: https://docs.microsoft.com/en-us/sccm/comanage/tutorial-co-manage-clients
What should you use to meet the technical requirements for Azure DevOps?
- A . An app protection policy
- B . Windows Information Protection (WIP)
- C . Conditional access
- D . A device configuration profile
C
Explanation:
References: https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/manage-conditional-access?view=azure-devops
You need to capture the required information for the sales department computers to meet the technical requirements.
Which Windows PowerShell command should you run first?
- A . Install-Module WindowsAutoPilotIntune
- B . Install-Script Get-WindowsAutoPilotInfo
- C . Import-AutoPilotCSV
- D . Get-WindowsAutoPilotInfo
B
Explanation:
References: https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/existing-devices
"This topic describes how to convert Windows 7 or Windows 8.1 domain-joined computers to Windows 10 devices joined to either Azure Active Directory or Active Directory (Hybrid Azure AD Join) by using Windows Autopilot"
You need to meet the device management requirements for the developers.
What should you implement?
- A . folder redirection
- B . Enterprise State Roaming
- C . home folders
- D . known folder redirection in Microsoft OneDrive
B
Explanation:
Litware identifies the following device management requirements:
✑ Ensure that Microsoft Edge Favorites are accessible from all computers to which the developers sign in.
Enterprise State Roaming allows for the synchronization of Microsoft Edge browser settings, including favorites and reading list, across devices.
Reference: https://docs.microsoft.com/en-us/azure/active-directory/devices/enterprise-state-roaming-windows-settings-reference
Topic 2, Contoso Ltd
Overview
Contoso, Ltd. is a consulting company that has a main office in Montreal and two branch offices in Seattle and New York.
Contoso has the users and computers shown in the following table.
The company has IT, human resources (HR), legal (LEG), marketing (MKG) and finance (FIN) departments.
Contoso uses Microsoft Store for Business and recently purchased a Microsoft 365 subscription.
The company is opening a new branch office in Phoenix. Most of the users in the Phoenix office will work from home.
Existing Environment
The network contains an Active Directory domain named contoso.com that is synced to Microsoft Azure Active Directory (Azure AD).
All member servers run Windows Server 2016. All laptops and desktop computers run Windows 10 Enterprise.
The computers are managed by using Microsoft Endpoint Configuration Manager. The mobile devices are managed by using Microsoft Intune.
The naming convention for the computers is the department acronym, followed by a hyphen, and then four numbers, for example, FIN-6785. All the computers are joined to the on-premises Active Directory domain.
Each department has an organizational unit (OU) that contains a child OU named Computers. Each computer account is in the Computers OU of its respective department.
Intune Configuration
The domain has the users shown in the following table.
User2 is a device enrollment manager (DEM) in Intune.
The devices enrolled in Intune are shown in the following table.
The device compliance policies in Intune are configured as shown in the following table.
The device compliance policies have the assignments shown in the following table.
The device limit restrictions in Intune are configured as shown in the following table.
Requirements
Planned Changes
Contoso plans to implement the following changes:
– Provide new computers to the Phoenix office users. The new computers have Windows 10 Pro preinstalled and were purchased already.
– Start using a free Microsoft Store for Business app named App1.
– Implement co-management for the computers.
Technical Requirements
Contoso must meet the following technical requirements:
– Ensure that the users in a group named Group4 can only access Microsoft Exchange Online from devices that are enrolled in Intune.
– Deploy Windows 10 Enterprise to the computers of the Phoenix office users by using Windows Autopilot.
– Monitor the computers in the LEG department by using Windows Analytics.
– Create a provisioning package for new computers in the HR department.
– Block iOS devices from sending diagnostic and usage telemetry data.
– Use the principle of least privilege whenever possible.
– Enable the users in the MKG department to use App1.
– Pilot co-management for the IT department.
You need to meet the technical requirements for the IT department.
What should you do first?
- A . From the Azure Active Directory blade in the Azure portal, enable Seamless single sign-on.
- B . From the Configuration Manager console, add an Intune subscription.
- C . From the Azure Active Directory blade in the Azure portal, configure the Mobility (MDM and MAM) settings.
- D . From the Microsoft Intune blade in the Azure portal, configure the Windows enrollment settings.
C
Explanation:
Reference: https://docs.microsoft.com/en-us/sccm/comanage/tutorial-co-manage-clients
HOTSPOT
You are evaluating which devices are compliant.
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
You need to meet the requirements for the MKG department users.
What should you do?
- A . Assign the MKG department users the Purchaser role in Microsoft Store for Business
- B . Download the APPX file for App1 from Microsoft Store for Business
- C . Add App1 to the private store
- D . Assign the MKG department users the Basic Purchaser role in Microsoft Store for Business
- E . Acquire App1 from Microsoft Store for Business
E
Explanation:
References: https://docs.microsoft.com/en-us/microsoft-store/distribute-apps-from-your-private-store
Enable the users in the MKG department to use App1.
The private store is a feature in Microsoft Store for Business and Education that organizations receive during the signup process. When admins add apps to the private store, all employees in the organization can view and download the apps. Your private store is available as a tab in Microsoft Store app, and is usually named for your company or organization. Only apps with online licenses can be added to the private store.
Reference: https://docs.microsoft.com/en-us/microsoft-store/distribute-apps-from-your-private-store
DRAG DROP
You need to meet the technical requirements for the LEG department computers.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
HOTSPOT
To which devices do Policy1 and Policy2 apply? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
HOTSPOT
You need to meet the technical requirements for the new HR department computers.
How should you configure the provisioning package? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
HOTSPOT
What is the maximum number of devices that User1 and User2 can enroll in Intune? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
You need to prepare for the deployment of the Phoenix office computers.
What should you do first?
- A . Generalize the computers and configure the Mobility (MDM and MAM) settings from the Azure Active Directory admin center.
- B . Extract the hardware ID information of each computer to a CSV file and upload the file from the Microsoft Intune blade in the Azure portal.
- C . Extract the hardware ID information of each computer to an XML file and upload the file from the Devices settings in Microsoft Store for Business.
- D . Extract the serial number information of each computer to a CSV file and upload the file from the Microsoft Intune blade in the Azure portal.
A
Explanation:
Reference: https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/existing-devices
HOTSPOT
You need a new conditional access policy that has an assignment for Office 365 Exchange Online.
You need to configure the policy to meet the technical requirements for Group4.
Which two settings should you configure in the policy? To answer, select the appropriate settings in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
The policy needs to be applied to Group4 so we need to configure Users and Groups.
The Access controls are set to Block access.
We therefore need to exclude compliant devices.
From the scenario:
✑ Ensure that the users in a group named Group4 can only access Microsoft Exchange Online from devices that are enrolled in Intune.
Note: When a device enrolls in Intune, the device information is updated in Azure AD to include the device compliance status. This compliance status is used by conditional access policies to block or allow access to e-mail and other organization resources.
References:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/conditions
https://docs.microsoft.com/en-us/intune/device-compliance-get-started
You need to prepare for the deployment of the Phoenix office computers.
What should you do first?
- A . Extract the hardware ID information of each computer to a CSV file and upload the file from the Devices settings in Microsoft Store for Business.
- B . Generalize the computers and configure the Mobility (MDM and MAM) settings from the Azure Active Directory blade in the Azure portal.
- C . Generalize the computers and configure the Device settings from the Azure Active Directory blade in the Azure portal.
- D . Extract the hardware ID information of each computer to an XLSX file and upload the file from the Devices settings in Microsoft Store for Business.
A
Explanation:
References: https://docs.microsoft.com/en-us/microsoft-store/add-profile-to-devices#manage-autopilot-deployment-profiles
You need to meet the technical requirements for the iOS devices.
Which object should you create in Intune?
- A . A compliance policy
- B . An app protection policy
- C . A Deployment profile
- D . A device profile
D
Explanation:
References:
https://docs.microsoft.com/en-us/intune/device-restrictions-configure
https://docs.microsoft.com/en-us/intune/device-restrictions-ios
Topic 3, Contoso, Ltd. (NEW)
Case Study
Overview
Contoso, Ltd. is a consulting company that has a main office in Montreal and branch offices in Seattle and New York.
Contoso has a Microsoft 365 E5 subscription.
Network Environment
The network contains an on-premises Active Directory domain named Contoso.com.
The domain contains the servers shown in the following table.
Contoso has a hybrid Azure Active Directory (Azure AD) tenant named Contoso.com.
Contoso has a Microsoft Store for Business instance.
Users and Groups
The Contoso.com tenant contains the users shown in the following table.
All users are assigned a Microsoft Office 365 license and an Enterprise Mobility + Security E3 license.
Enterprise State Roaming is enabled for Group1 and GroupA.
Group1 and Group2 have a Membership type of Assigned.
Devices
Contoso has the Windows 10 devices shown in the following table.
The Windows 10 devices are joined to Azure AD and enrolled in Microsoft Intune.
The Windows 10 devices are configured as shown in the following table.
All the Azure AD joined devices have an executable file named C:\AppA.exe and a folder named D:\Folder1.
Microsoft Endpoint Manager Configuration
Microsoft Endpoint Manager has the compliance policies shown in the following table.
The Compliance policy settings are shown in the following exhibit.
The Automatic Enrolment settings have the following configurations:
• MDM user scope: GroupA
• MAM user scope: GroupB
You have an Endpoint protection configuration profile that has the following Controlled folder access settings:
• Name: Protection1
• Folder protection: Enable
• List of apps that have access to protected folders: C:\AppA.exe
• List of additional folders that need to be protected: D:\Folder1
• Assignments
Windows Autopilot Configuration
Currently, there are no devices deployed by using Windows Autopilot.
The Intune connector for Active Directory is installed on Server1.
Planned Changes
Contoso plans to implement the following changes:
• Purchase a new Windows 10 device named Device6 and enroll the device in Intune.
• New computers will be deployed by using Windows Autopilot and will be hybrid Azure AD joined.
• Deploy a network boundary configuration profile that will have the following settings:
  • Name: Boundary1
  • Network boundary: 192.168.1.0/24
  • Scope tags: Tag 1
  • Assignments:
    • Included groups: Group1, Group2
• Deploy two VPN configuration profiles named Connection1 and Connection2 that will have the following settings:
  • Name: Connection1
  • Connection name: VPN1
  • Connection type: L2TP
  • Assignments:
    • Included groups: Group1, Group2, GroupA
    • Excluded groups: ―
  • Name: Connection2
  • Connection name: VPN2
  • Connection type: IKEv2
  • Assignments:
    • Included groups: GroupA
    • Excluded groups: GroupB
• Purchase an app named App1 that is available in Microsoft Store for Business and assign the app to all the users.
Technical Requirements
Contoso must meet the following technical requirements:
• Users in GroupA must be able to deploy new computers.
• Administrative effort must be minimized.
Which user can enroll Device6 in Intune?
- A . User4 and User2 only
- B . User4 and User1 only
- C . User1, User2, User3, and User4
- D . User4, User1, and User2 only
You implement Boundary1 based on the planned changes.
Which devices have a network boundary of 192.168.1.0/24 applied?
- A . Device2 only
- B . Device3 only
- C . Device1, Device2, and Device5 only
- D . Device1, Device2, Device3, and Device4 only
D
Explanation:
Reference: https://docs.microsoft.com/en-us/mem/intune/configuration/network-boundary-windows
Which devices are registered by using the Windows Autopilot deployment service?
- A . Device1 only
- B . Device3 only
- C . Device1 and Device3 only
- D . Device1, Device2, and Device3
C
Explanation:
Scenario: Windows Autopilot Configuration
Assignments
Included groups: Group1
Excluded groups: Group2
Device1 is member of Group1.
Device2 is member of Group1 and member of Group2.
Device3 is member of Group1.
Group1 and Group2 have a Membership type of Assigned.
Exclusion takes precedence over inclusion in the following same group type scenarios.
Reference: https://learn.microsoft.com/en-us/mem/intune/apps/apps-inc-exl-assignments
HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
Which users can purchase and assign App1?
- A . User3 only
- B . User1 and User3 only
- C . User1, User2, User3, and User4
- D . User1, User3, and User4 only
- E . User3 and User4 only
B
Explanation:
Reference:
https://docs.microsoft.com/en-us/microsoft-store/acquire-apps-microsoft-store-for-business
https://docs.microsoft.com/en-us/microsoft-store/assign-apps-to-employees
HOTSPOT
User1 and User2 plan to use Sync your settings.
On which devices can the users use Sync your settings? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
You need to ensure that computer objects can be created as part of the Windows Autopilot deployment. The solution must meet the technical requirements.
To what should you grant the right to create the computer objects?
- A . Server2
- B . Server1
- C . GroupA
- D . DC1
B
Explanation:
Reference: https://blog.matrixpost.net/set-up-windows-autopilot-production-environment-part-2/
HOTSPOT
You implement the planned changes for Connection1 and Connection2.
How many VPN connections will there be for User1 when the user signs in to Device1 and Device2? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
Topic 4, Misc. Questions
HOTSPOT
Your network contains an Active Directory domain that is synced to Microsoft Azure Active Directory (Azure AD).
You have a Microsoft Office 365 subscription. All computers are joined to the domain and have the latest Microsoft OneDrive sync client (OneDrive.exe) installed.
On all the computers, you configure the OneDrive settings as shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point.
Explanation:
Box 1:
Silently move known folders to OneDrive is enabled. Known folders include: Desktop, Documents, Pictures, Screenshots, and Camera Roll.
Box 2:
OneDrive Files On-Demand enables users to view, search for, and interact with files stored in OneDrive from within File Explorer without downloading them and taking up space on the local hard drive.
References:
https://docs.microsoft.com/en-us/onedrive/redirect-known-folders
https://docs.microsoft.com/en-us/onedrive/plan-onedrive-enterprise
HOTSPOT
You have an Azure Active Directory (Azure AD) tenant named adatum.com that contains the users shown in the following table.
You configure the following device settings for the tenant:
✑ Users may join devices to Azure AD: User1
✑ Additional local administrators on Azure AD joined devices: None
You install Windows 10 on a computer named Computer1.
You need to identify which users can join Computer1 to adatum.com, and which users will be added to the Administrators group after joining adatum.com.
Which users should you identify? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
HOTSPOT
You have a Microsoft Deployment Toolkit (MDT) solution that is used to manage Windows 10 deployment tasks.
MDT contains the operating system images shown in the following table.
You need to perform a Windows 10 in-place upgrade on several computers that run Windows 8.1.
From the Deployment Workbench, you open the New Task Sequence Wizard.
You need to identify which task sequence template and which operating system image to use for the task sequence. The solution must minimize administrative effort.
What should you identify? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Box 1: Standard Client Upgrade Task Sequence
Use Template: Standard Client Upgrade Task Sequence
In-place upgrade is the preferred method to use when migrating from Windows 10 to a later release of Windows 10, and is also a preferred method for upgrading from Windows 7 or 8.1 if you do not plan to significantly change the device’s configuration or applications. MDT includes an in-place upgrade task sequence template that makes the process really simple.
Box 2: Install.wim
In-place upgrade differs from computer refresh in that you cannot use a custom image to perform the in-place upgrade. I
HOTSPOT
You have computers that run Windows 10 and are configured by using Windows AutoPilot.
A user performs the following tasks on a computer named Computer1:
✑ Creates a VPN connection to the corporate network
✑ Installs a Microsoft Store app named App1
✑ Connects to a Wi-Fi network
You perform a Windows AutoPilot Reset on Computer1.
What will be the state of the computer when the user signs in? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
You have a Microsoft 365 E5 subscription and 150 Windows 10 devices.
All the devices are enrolled in Microsoft Intune.
You need to use Intune to apply Windows updates to the devices.
What should you do first?
- A . From the Microsoft Endpoint Manager admin center, configure scope tags.
- B . Create a device restriction policy that has telemetry set to the minimum setting of Required
- C . From the Microsoft Endpoint Manager admin center, configure a security baseline.
- D . Create a device restriction policy that has telemetry set to Security (Enterprise Only).
You have devices enrolled in Microsoft Intune as shown in the following table.
On which devices can you apply app configuration policies?
- A . Create an Azure Active Directory group that contains all users.
- B . From the Intune portal, create a Microsoft Store app for the Remote Desktop modern app.
- C . From the Intune portal assign the app to the Azure Active Directory group.
- D . Create an Azure Active Directory group that contains the Windows 10 devices.
- E . From the Microsoft Store for Business portal, assign a license for the app to all the users in the Azure Active Directory group.
- F . For your organization, make the app available in the Microsoft Store for Business.
B,C,D
Explanation:
Reference:
https://docs.microsoft.com/en-us/mem/intune/apps/apps-add
https://docs.microsoft.com/en-us/mem/intune/apps/apps-deploy
https://docs.microsoft.com/en-us/mem/intune/apps/windows-store-for-business
You have 100 devices that run Windows 10 and are joined to Microsoft Azure Active Directory (Azure AD).
You need to prevent users from joining their home computer to Azure AD.
What should you do?
- A . From the Device enrollment blade in the Intune admin center, modify the Enrollment restriction settings.
- B . From the Devices blade in the Azure Active Directory admin center, modify the Device settings.
- C . From the Device enrollment blade in the Intune admin center, modify the Device enrollment managers settings.
- D . From the Mobility (MDM and MAM) blade in the Azure Active Directory admin center, modify the Microsoft Intune enrollment settings.
B
Explanation:
References: https://docs.microsoft.com/en-us/intune/enrollment-restrictions-set
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a computer that runs Windows 8.1.
Two days ago, you upgraded the computer to Windows 10.
You need to downgrade the computer to Windows 8.1.
Solution: From Windows Update in the Settings app, you use the Advanced options.
Does this meet the goal?
- A . Yes
- B . No
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your company has an Azure Active Directory (Azure AD) tenant named contoso.com that contains several Windows 10 devices.
When you join new Windows 10 devices to contoso.com, users are prompted to set up a four-digit pin.
You need to ensure that the users are prompted to set up a six-digit pin when they join the Windows 10 devices to contoso.com.
Solution: From the Azure Active Directory admin center, you modify the User settings and the Device settings.
Does this meet the goal?
- A . Yes
- B . No
B
Explanation:
Instead, from the Azure Active Directory admin center, you configure automatic mobile device management (MDM) enrollment. From the Device Management admin center, you configure the Windows Hello for Business enrollment options.
Reference: https://docs.microsoft.com/en-us/intune/protect/windows-hello
You have a Windows 10 device named Device1 that is joined to Active Directory and enrolled in Microsoft Intune.
Device1 is managed by using Group Policy and Intune.
You need to ensure that the Intune settings override the Group Policy settings.
What should you configure?
- A . a device configuration profile
- B . an MDM Security Baseline profile
- C . a device compliance policy
- D . a Group Policy Object (GPO)
A
Explanation:
Reference: https://uem4all.com/2018/04/02/windows-10-group-policy-vs-intune-mdm-policy-who-wins/
You have a Microsoft 365 E5 subscription.
You need to download a report that lists all the devices that are NOT enrolled in Microsoft Intune and are assigned an app protection policy.
What should you select in the Microsoft Endpoint Manager admin center?
- A . Apps, and then Monitor
- B . Devices, and then Monitor
- C . Reports, and then Device compliance
A
Explanation:
App report: You can search by platform and app, and then this report will provide two different app protection statuses that you can select before generating the report. The statuses can be Protected or Unprotected.
Reference: https://docs.microsoft.com/en-us/mem/intune/apps/app-protection-policies-monitor
You have a Microsoft 365 subscription that uses Microsoft Intune.
You need to ensure that you can deploy apps to Android Enterprise devices.
What should you do first?
- A . Create a configuration profile.
- B . Link your managed Google Play account to Intune.
- C . Configure the Partner device management settings.
- D . Add a certificate connector.
B
Explanation:
Connect your Intune account to your Managed Google Play account.
Managed Google Play is Google’s enterprise app store and sole source of applications for Android Enterprise in Intune. You can use Intune to orchestrate app deployment through Managed Google Play for any Android Enterprise scenario (including personally-owned work profile, dedicated, fully managed, and corporate-owned work profile enrollments).
Reference:
https://docs.microsoft.com/en-us/mem/intune/apps/apps-add-android-for-work
https://docs.microsoft.com/en-us/mem/intune/enrollment/connect-intune-android-enterprise
You have a Microsoft 365 subscription.
You have 20 computers that run Windows 10 and are joined to Microsoft Azure Active Directory (Azure AD).
You plan to replace the computers with new computers that run Windows 10. The new computers will be joined to Azure AD.
You need to ensure that the desktop background, the favorites, and the browsing history are available on the new computers.
What should you use?
- A . Folder Redirection
- B . The Microsoft SharePoint Migration Tool
- C . Enterprise State Roaming
- D . Roaming user profiles
C
Explanation:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/devices/enterprise-state-roaming-windows-settingsreference
https://docs.microsoft.com/en-us/azure/active-directory/devices/enterprise-state-roaming-faqs
HOTSPOT
You have the MDM Security Baseline profile shown in the MDM exhibit. (Click the MDM tab.)
You have the ASR Endpoint Security profile shown in the ASR exhibit. (Click the ASR tab.)
You plan to deploy both profiles to devices enrolled in Microsoft Intune.
You need to identify how the following settings will be configured on the devices:
✑ Block Office applications from creating executable content
✑ Block Win32 API calls from Office macro
Currently, the settings are disabled locally on each device.
What are the effective settings on the devices? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Box 1: Audit mode
According to the ASR Endpoint Security profile and to the MDM Security Baseline profile, Block Office applications from creating executable content is set to Audit mode.
Box 2: Disable
Block Win32 API calls from Office macro: According to MDM Security Baseline profile it is set to disable. According to the ASR Endpoint Security profile it is set to Audit mode.
The profiles are merged. The Baseline profile overrides the Endpoint Security profile.
Note:
When two or more policies have conflicting settings, the conflicting settings are not added to the combined policy, while settings that don’t conflict are added to the superset policy that applies to a device.
Attack surface reduction rule merge behavior is as follows:
Endpoint security > Security baselines > Microsoft Defender for Endpoint Baseline > Attack Surface Reduction Rules.
MDM Security Baseline profile ASR Endpoint Security profile.
Your company has several Windows 10 devices that are enrolled in Microsoft Intune.
You deploy a new computer named Computer1 that runs Windows 10 and is in a workgroup.
You need to enroll Computer1 in Intune.
Solution: From Computer1, you sign in to https://portal.manage.microsoft.com and use the Devices tab.
Does this meet the goal?
- A . Yes
- B . No
B
Explanation:
Use MDM enrolment.
MDM only enrollment lets users enroll an existing Workgroup, Active Directory, or Azure Active Directory joined PC into Intune. Users enroll from Settings on the existing Windows PC.
Reference: https://docs.microsoft.com/en-us/mem/intune/enrollment/windows-enrollment-methods
You are creating a device configuration profile in Microsoft Intune.
You need to configure specific OMA-URI settings in the profile.
Which profile type should you use?
- A . Identity protection
- B . Custom
- C . Device restrictions (Windows 10 Team)
- D . Device restrictions
B
Explanation:
Reference: https://docs.microsoft.com/en-us/mem/intune/configuration/custom-settings-windows-10
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain. The domain contains member computers that run Windows 8.1 and are enrolled in Microsoft Intune.
You need to identify which computers can be upgraded to Windows 10.
Solution: From Windows on the Devices blade of the Microsoft Endpoint Manager admin center, you create a filter and export the results as a CSV file.
Does this meet the goal?
- A . Yes
- B . No
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a computer named Computer1 that runs Windows 10.
You save a provisioning package named Package1 to a folder named C:\Folder1.
You need to apply Package1 to Computer1.
Solution: From File Explorer, you go to C:\Folder1, and then you double-click the Package1.ppkg file.
Does this meet the goal?
- A . Yes
- B . No
B
Explanation:
To install a provisioning package, navigate to Settings > Accounts > Access work or school > Add or remove a provisioning package > Add a package, and select the package to install.
Reference: https://docs.microsoft.com/en-us/windows/configuration/provisioning-packages/provisioning-apply-package
HOTSPOT
Your network contains an Active Directory domain named contoso.com. The domain contains 500 computers that run Windows 7. Some of the computers are used by multiple users.
You plan to refresh the operating system of the computers to Windows 10.
You need to retain the personalization settings to applications before you refresh the computers. The solution must minimize network bandwidth and network storage space.
Which command should you run on the computer? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
References: https://docs.microsoft.com/en-us/windows/deployment/usmt/usmt-scanstate-syntax#how-to-use-ui-and-ue
Your company has an internal portal that uses a URL of http://contoso.com.
The network contains computers that run Windows 10. The default browser on all the computers is Microsoft Edge.
You need to ensure that all users only use Internet Explorer to connect to the internal portal. The solution must ensure that Microsoft Edge can be used to connect to all other websites.
What should you do from each computer?
- A . From Internet Explorer, configure the Compatibility View settings
- B . From the local policy, configure Enterprise Mode
- C . From Microsoft Edge, configure the Advanced Site Settings
- D . From the Settings app, configure the default web browser settings
B
Explanation:
Reference: https://docs.microsoft.com/en-us/microsoft-edge/deploy/emie-to-improve-compatibility
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain. The domain contains member computers that run Windows 8.1 and are enrolled in Microsoft Intune.
You need to identify which computers can be upgraded to Windows 10.
Solution: From the Microsoft Endpoint Manager admin center, you create a device compliance policy and assign the policy to the computers. After 24 hours, you view the Device compliance report in Intune.
Does this meet the goal?
- A . Yes
- B . No
Your company has a Microsoft Azure Active Directory (Azure AD) tenant named contoso.com. All users have computers that run Windows 10. The computers are joined to Azure AD and managed by using Microsoft Intune.
You need to ensure that you can centrally monitor the computers by using Windows Analytics.
What should you create in Intune?
- A . a device configuration profile
- B . a conditional access policy
- C . a device compliance policy
- D . an update policy
A
Explanation:
References: https://www.scconfigmgr.com/2019/03/27/windows-analytics-onboarding-with-intune/
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your company uses Windows Update for Business.
The research department has several computers that have specialized hardware and software installed.
You need to prevent the video drivers from being updated automatically by using Windows Update.
Solution: From the Device Installation and Restrictions settings in a Group Policy object (GPO), you enable Prevent installation of devices using drivers that match these device setup classes, and then you enter the device GUID.
Does this meet the goal?
- A . Yes
- B . No
B
Explanation:
References: https://www.stigviewer.com/stig/microsoft_windows_server_2012_member_server/2013-07-25/finding/WN12-CC-000024
You have a computer named Computer1 that runs Windows 10. Computer1 is used by a user named User1.
You need to ensure that when User1 opens websites from untrusted locations by using Microsoft Edge, Microsoft Edge runs in an isolated container.
What should you do first?
- A . From Windows Features, turn on Windows Defender Application Guard.
- B . From Windows Security, configure the Device security settings.
- C . From Windows Security, configure the Virus & threat protection settings.
- D . From Windows Features, turn on Hyper-V Platform.
A
Explanation:
Reference:
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard
You have a Microsoft 365 subscription that contains 100 devices enrolled in Microsoft Intune.
You need to review the startup processes and how often each device restarts.
What should you use?
- A . Endpoint analytics
- B . Intune Data Warehouse
- C . Azure Monitor
- D . Device Management
You have a Microsoft Deployment Toolkit (MDT) deployment share.
You plan to deploy Windows 10 by using the Standard Client Task Sequence template.
You need to modify the task sequence to perform the following actions:
✑ Format disks to support Unified Extensible Firmware Interface (UEFI).
✑ Create a recovery partition.
Which phase of the task sequence should you modify?
- A . Initialization
- B . Install
- C . Postinstall
- D . Preinstall
D
Explanation:
Reference: https://www.prajwaldesai.com/create-extra-partition-in-mdt/
HOTSPOT
Your company has computers that run Windows 10 and are Microsoft Azure Active Directory (Azure AD)-joined.
The company purchases an Azure subscription.
You need to collect Windows events from the Windows 10 computers in Azure. The solution must enable you to create alerts based on the collected events.
What should you create in Azure and what should you configure on the computers? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
HOTSPOT
You have a Microsoft 365 subscription that contains the devices shown in the following table.
You plan to enroll the devices in Microsoft Intune.
How often will the compliance policy check-ins run after each device is enrolled in Intune? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Box 1: Every three minutes for 15 minutes, then every 15 minutes for two hours, and then around every eight hours
If devices recently enroll, then the compliance, non-compliance, and configuration check-in runs more frequently. The check-ins are estimated at:
Windows 10: Every 3 minutes for 15 minutes, then every 15 minutes for 2 hours, and then around every 8 hours
Box 2: Every 15 minutes for one hour, and then every eight hours
iOS/iPadOS: Every 15 minutes for 1 hour, and then around every 8 hours
You have a Microsoft 365 tenant that contains the devices shown in the following table.
The devices are managed by using Microsoft Intune.
You create a compliance policy named Policy1 and assign Policy1 to Group1. Policy1 is configured to mark a device as Compliant only if the device security settings match the settings specified in the policy.
You discover that devices that are not members of Group1 are shown as Compliant.
You need to ensure that only devices that are assigned a compliance policy can be shown as Compliant. All other devices must be shown as Not compliant.
What should you do?
- A . From Tenant administration, modify the Diagnostic settings.
- B . From Device compliance, configure the Compliance policy settings.
- C . From Endpoint security, configure the Conditional access
- D . From Policy1, modify the actions for noncompliance.
B
Explanation:
Reference: https://docs.microsoft.com/en-us/mem/intune/protect/device-compliance-get-started
HOTSPOT
You have a Microsoft 365 E5 subscription that contains a user named User1.
You need to perform the following tasks for User1:
✑ Set the Usage location to Canada.
✑ Configure the Phone and Email authentication contact info for self-service password reset (SSPR).
Which two settings should you configure in the Azure Active Directory admin center? To answer, select the appropriate settings in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
You have a Microsoft 365 subscription. All devices run Windows 10.
You need to prevent users from enrolling the devices in the Windows Insider Program.
What should you configure from Microsoft 365 Device Management? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
- A . a Windows 10 security baseline
- B . an app configuration policy
- C . a custom device configuration profile
- D . a Windows 10 update ring
- E . a device restrictions device configuration profile
DRAG DROP
Your network contains an Active Directory domain.
You install the Microsoft Deployment Toolkit (MDT) on a server.
You have a custom image of Windows 10.
You need to deploy the image to 100 devices by using MDT.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the List of actions to the answer area and arrange them in the correct order.
Explanation:
HOTSPOT
You have 200 computers that run Windows 10.
You need to create a provisioning package to configure the following tasks:
✑ Remove the Microsoft News and the Xbox Microsoft Store apps.
✑ Add a VPN connection to the corporate network.
Which two customizations should you configure? To answer, select the appropriate customizations in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Connectivityprofiles
Policies
References:
https://docs.microsoft.com/en-us/windows/configuration/wcd/wcd-connectivityprofiles
https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-applicationrestrictions
https://docs.microsoft.com/en-us/windows/configuration/wcd/wcd-policies
You have a Microsoft 365 subscription.
You are assigned the User administrator role.
An Azure AD security group named Group1 was deleted five days ago.
You need to restore Group1.
What should you do?
- A . Modify the group expiration policy.
- B . From Deleted groups, restore Group1.
- C . Manually recreate Group1.
- D . Ask a global administrator to restore Group1.
You use a Microsoft Intune subscription to manage iOS devices.
You configure a device compliance policy that blocks jailbroken iOS devices.
You need to enable Enhanced jailbreak detection.
What should you configure?
- A . the device compliance policy
- B . the Compliance policy settings
- C . a network location
- D . a configuration profile
A
Explanation:
Reference: https://docs.microsoft.com/en-us/mem/intune/protect/device-compliance-get-started
HOTSPOT
You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains a user named User1. User1 has a user principal name (UPN) of user1@contoso.com.
You join a Windows 10 device named Client1 to contoso.com.
You need to add User1 to the local Administrators group of Client1.
How should you complete the command? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Box 1: net localgroup
Add user to group from command line (CMD)
Windows provides command line utilities to manage user groups. In this post, learn how to use the command net localgroup to add a user to a group from the command prompt.
For example, to add a user ‘John’ to the administrators group, we can run the below command.
net localgroup administrators John /add
Box 2: Contoso
The domain of the user is Contoso.
You need to assign the same deployment profile to all the computers that are configured by using Windows Autopilot.
Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
- A . Join the computers to Microsoft Azure Active Directory (Azure AD)
- B . Assign a Windows AutoPilot deployment profile to a group
- C . Join the computers to an on-premises Active Directory domain
- D . Create a Microsoft Azure Active Directory (Azure AD) group that has dynamic membership rules and uses the operatingSystem tag
- E . Create a Group Policy object (GPO) that is linked to a domain
- F . Create a Microsoft Azure Active Directory (Azure AD) group that has dynamic membership rules and uses the ZTDID tag
B,F
Explanation:
References: https://www.petervanderwoude.nl/post/automatically-assign-windows-autopilot-deployment-profile-to-windowsautopilot-devices/
HOTSPOT
Your company uses Microsoft Intune to manage Windows 10, Android, and iOS devices.
Several users purchase new iPads and Android devices.
You need to tell the users how to enroll their device in Intune.
What should you instruct the users to use for each device? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
The Intune Company Portal app is used to enroll Android, iOS, macOS, and Windows devices.
References:
https://docs.microsoft.com/en-us/intune-user-help/enroll-device-android-company-portal
https://docs.microsoft.com/en-us/intune-user-help/enroll-your-device-in-intune-ios
https://docs.microsoft.com/en-us/intune-user-help/enroll-your-device-in-intune-macos-cp
You have a Microsoft 365 tenant that contains the objects shown in the following table.
In the Microsoft Endpoint Manager admin center, you are creating a Microsoft 365 Apps app named App1.
To which objects can you assign App1?
- A . Admin1, Group3, and Group4 only
- B . Group1, Group2, Group3, and Group4 only
- C . Admin1, Group1, Group2, Group3, and Group4
- D . Group1, Group3, and Group4 only
- E . Group3 and Group4 only
D
Explanation:
Reference:
https://docs.microsoft.com/en-us/mem/intune/apps/apps-deploy
https://docs.microsoft.com/en-us/microsoft-365/admin/create-groups/compare-groups?view=o365-worldwide
HOTSPOT
Your network contains an Active Directory forest named contoso.com that is synced to Microsoft Azure Active Directory (Azure AD).
You use Microsoft Endpoint Configuration Manager for device management.
You have the Windows 10 devices shown in the following table.
You configure Endpoint Configuration Manager co-management as follows:
✑ Automatic enrollment in Intune: Pilot
✑ Pilot collection for all workloads: Collection2
You configure co-management workloads as shown in the following exhibit.
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
Explanation:
Box 1: No
The Pilot Group does not include Device1.
Box 2: Yes
Box 3: Yes
The Pilot Group includes Device3.