Testlet 1
Case study
Overview
Contoso, Ltd. is a consulting company that has a main office in Montreal and two branch offices in Seattle and New York.
Contoso has the users and computers shown in the following table.
The company has IT, human resources (HR), legal (LEG), marketing (MKG), and finance (FIN) departments.
Contoso recently purchased a Microsoft 365 subscription.
The company is opening a new branch office in Phoenix. Most of the users in the Phoenix office will work from home.
Existing Environment
The network contains an Active Directory domain named contoso.com that is synced to Azure AD.
All member servers run Windows Server 2016. All laptops and desktop computers run Windows 10 Enterprise.
The computers are managed by using Microsoft Configuration Manager. The mobile devices are managed by using Microsoft Intune.
The naming convention for the computers is the department acronym, followed by a hyphen, and then four numbers, for example FIN-6785. All the computers are joined to the on-premises Active Directory domain.
Each department has an organizational unit (OU) that contains a child OU named Computers. Each computer account is in the Computers OU of its respective department.
Intune Configuration
Requirements
Planned changes
Contoso plans to implement the following changes:
– Provide new computers to the Phoenix office users. The new computers have Windows 10 Pro preinstalled and were purchased already.
– Implement co-management for the computers.
Technical Requirements
Contoso must meet the following technical requirements:
– Ensure that the users in a group named Group4 can only access Microsoft Exchange Online from devices that are enrolled in Intune.
– Deploy Windows 10 Enterprise to the computers of the Phoenix office users by using Windows Autopilot.
– Create a provisioning package for new computers in the HR department.
– Block iOS devices from sending diagnostic and usage telemetry data.
– Use the principle of least privilege whenever possible.
– Enable the users in the MKG department to use App1.
– Pilot co-management for the IT department.
You need to prepare for the deployment of the Phoenix office computers.
What should you do first?
- A . Generalize the computers and configure the Device settings from the Microsoft Entra admin center.
- B . Extract the serial number of each computer to an XML file and upload the file from the Microsoft Intune admin center.
- C . Extract the hardware ID information of each computer to a CSV file and upload the file from the Microsoft Intune admin center.
- D . Generalize the computers and configure the Mobility (MDM and MAM) settings from the Microsoft Entra admin center.
- E . Extract the serial number information of each computer to a CSV file and upload the file from the Microsoft Intune admin center.
C
Explanation:
To manage devices through Microsoft Store for Business and Education, you’ll need a .csv file that contains specific information about the devices. You should be able to get this from your Microsoft account contact, or the store where you purchased the devices. Upload the .csv file to Microsoft Store to add the devices.
Note:
Provide new computers to the Phoenix office users. The new computers have Windows 10 Pro preinstalled and were purchased already.
Deploy Windows 10 Enterprise to the computers of the Phoenix office users by using Windows Autopilot.
Reference: https://docs.microsoft.com/en-us/microsoft-store/add-profile-to-devices
HOTSPOT
What is the maximum number of devices that User1 and User2 can enroll in Intune? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Box 1: 10 devices
User1 is a member of GroupA. GroupA device limit is 10.
Box 2: 15 devices
User2 is a member of GroupB. GroupB device limit is 15.
Deploy Windows client
Testlet 2
Case study
Overview
ADatum Corporation is a consulting company that has a main office in Montreal and branch offices in Seattle and New York.
ADatum has a Microsoft 365 E5 subscription.
Environment
Network Environment
The network contains an on-premises Active Directory domain named adatum.com.
The domain contains the servers shown in the following table.
ADatum has a hybrid Azure AD tenant named adatum.com.
Users and Groups
The adatum.com tenant contains the users shown in the following table.
All users are assigned a Microsoft Office 365 license and an Enterprise Mobility + Security E3 license.
Enterprise State Roaming is enabled for Group1 and GroupA.
Group1 and Group2 have a Membership type of Assigned.
Devices
ADatum has the Windows 10 devices shown in the following table.
The Windows 10 devices are joined to Azure AD and enrolled in Microsoft Intune.
The Windows 10 devices are configured as shown in the following table.
All the Azure AD joined devices have an executable file named C:\AppA.exe and a folder named D:\Folder1.
Microsoft Intune Configuration
Microsoft Intune has the compliance policies shown in the following table.
The Automatic Enrolment settings have the following configurations:
• MDM user scope: GroupA
• MAM user scope: GroupB
You have an Endpoint protection configuration profile that has the following Controlled folder access settings:
• Name: Protection1
• Folder protection: Enable
• List of apps that have access to protected folders: C:\AppA.exe
• List of additional folders that need to be protected: D:\Folder1
• Assignments – Included groups: Group2, GroupB
Windows Autopilot Configuration
ADatum has a Windows Autopilot deployment profile configured as shown in the following exhibit.
Currently, there are no devices deployed by using Windows Autopilot.
The Intune connector for Active Directory is installed on Server1.
Contoso plans to implement the following changes:
• Purchase a new Windows 10 device named Device6 and enroll the device in Intune.
• New computers will be deployed by using Windows Autopilot and will be hybrid Azure AD joined.
• Deploy a network boundary configuration profile that will have the following settings:
– Name: Boundary1
– Network boundary: 192.168.1.0/24
– Scope tags: Tag1
– Assignments:
* Included groups: Group1, Group2
• Deploy two VPN configuration profiles named Connection1 and Connection2 that will have the following settings:
– Name: Connection1
– Connection name: VPN1
– Connection type: L2TP
– Assignments:
* Included groups: Group1, Group2, GroupA
* Excluded groups: ―
– Name: Connection2
– Connection name: VPN2
– Connection type: IKEv2
– Assignments:
* Included groups: GroupA
* Excluded groups: GroupB
Technical Requirements
Contoso must meet the following technical requirements:
• Users in GroupA must be able to deploy new computers.
• Administrative effort must be minimized.
HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
Explanation:
Box 1: No
User1 is a Cloud device administrator.
Local administrative privileges are required when enrolling an already configured Windows 10 device in Intune.
Cloud Device Administrator
Users in this role can enable, disable, and delete devices in Azure AD and read Windows 10 BitLocker keys (if present) in the Azure portal. The role does not grant permissions to manage any other properties on the device.
Note: The Windows 10 devices are joined to Azure AD and enrolled in Microsoft Intune.
Box 2: Yes
User2 is an Azure AD joined device local administrator.
Azure AD Joined Device Local Administrator
This role is available for assignment only as an additional local administrator in Device settings. Users with this role become local machine administrators on all Windows 10 devices that are joined to Azure Active Directory. They do not have the ability to manage device objects in Azure Active Directory.
Box 3: No
User3 is a Global reader.
Global Reader
Users in this role can read settings and administrative information across Microsoft 365 services but can’t take management actions.
Reference: https://docs.microsoft.com/en-us/troubleshoot/mem/intune/no-permission-to-enroll-windows-devices
https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference
You need to ensure that computer objects can be created as part of the Windows Autopilot deployment.
The solution must meet the technical requirements.
To what should you grant the right to create the computer objects?
- A . Server1
- B . DC1
- C . GroupA
- D . Server2
A
Explanation:
Scenario:
The Intune connector for Active Directory is installed on Server1.
Contoso must meet the following technical requirements:
Users in GroupA must be able to deploy new computers.
Administrative effort must be minimized.
Note: To be clear, the entire domain join process will work without any direct connection to the on-premise network and domain controllers. The computer object is created on-premises through the Intune Connector for Active Directory triggered by the Windows Autopilot and Intune.
Reference: https://blog.matrixpost.net/set-up-windows-autopilot-production-environment-part-2/
Which user can enroll Device6 in Intune?
- A . User4 and User1 only
- B . User4 and User2 only
- C . User4, User1, and User2 only
- D . User1, User2, User3, and User4
D
Explanation:
All the users can enroll devices to Intune.
Deploy Windows client
You have a Microsoft 365 E5 subscription. The subscription contains 25 computers that run Windows 11 and are enrolled in Microsoft Intune.
You need to onboard the devices to Microsoft Defender for Endpoint.
What should you create in the Microsoft Intune admin center?
- A . an attack surface reduction (ASR) policy
- B . a security baseline
- C . an endpoint detection and response (EDR) policy
- D . an account protection policy
- E . an antivirus policy
C
Explanation:
Onboard Windows devices to Defender for Endpoint using Intune
Enable Microsoft Defender for Endpoint in Intune
The first step you take is to set up the service-to-service connection between Intune and Microsoft Defender for Endpoint. Set up requires administrative access to both the Microsoft Defender Security Center, and to Intune.
Onboard Windows devices
(After you connect Intune and Microsoft Defender for Endpoint, Intune receives an onboarding configuration package from Microsoft Defender for Endpoint. You use a device configuration profile for Microsoft Defender for Endpoint to deploy the package to your Windows devices.
The configuration package configures devices to communicate with Microsoft Defender for Endpoint services to scan files and detect threats. The device also reports its risk level to Microsoft Defender for Endpoint based on your compliance policies.
After onboarding a device using the configuration package, you don’t need to do it again.)
You can also onboard devices using:
* Endpoint detection and response (EDR) policy. Intune EDR policy is part of endpoint security in Intune. Use EDR policies to configure device security without the overhead of the larger body of settings found in device configuration profiles. You can also use EDR policy with tenant attached devices, which are devices you manage with Configuration Manager.
Reference: https://learn.microsoft.com/en-us/mem/intune/protect/advanced-threat-protection-configure#enable-microsoft-defender-for-endpoint-in-intune
Your company uses Microsoft Intune to manage devices.
You need to ensure that only Android devices that use Android work profiles can enroll in Intune.
Which two configurations should you perform in the device enrollment restrictions? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
- A . From Platform Settings, set Android device administrator Personally Owned to Block.
- B . From Platform Settings, set Android Enterprise (work profile) to Allow.
- C . From Platform Settings, set Android device administrator Personally Owned to Allow.
- D . From Platform Settings, set Android device administrator to Block.
BD
Explanation:
Set up enrollment of Android Enterprise personally-owned work profile devices
Set up enrollment for bring-your-own-device (BYOD) and personal device scenarios using the Android Enterprise personally-owned work profile management solution. During enrollment, a work profile is created on the device to house work apps and work data. The work profile can be managed by Microsoft Intune policies. Personal apps and data stay separate in another part of the device and remain unaffected by Intune.
Set up enrollment
Complete these steps to set up enrollment for Android Enterprise devices in BYOD scenarios.
HOTSPOT
You have 100 Windows 10 devices enrolled in Microsoft Intune.
You need to configure the devices to retrieve Windows updates from the internet and from other computers on a local network.
Which Delivery Optimization setting should you configure, and which type of Intune object should you create? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Box 1: Download mode
Delivery Optimization settings for Windows devices in Intune
Delivery Optimization
* Download mode
Download mode dictates which download sources clients are allowed to use when downloading Windows updates in addition to Windows Update servers.
* Etc.
Box 2: A configuration profile
With Intune, use Delivery Optimization settings for your Windows devices to reduce bandwidth consumption when those devices download applications and updates. Configure Delivery Optimization as part of your device configuration profiles.
Reference:
https://learn.microsoft.com/en-us/windows/deployment/do/waas-delivery-optimization-reference
https://learn.microsoft.com/en-us/mem/intune/configuration/delivery-optimization-windows
You have a Microsoft 365 E5 subscription and 25 Apple iPads.
You need to enroll the iPads in Microsoft Intune by using the Apple Configurator enrollment method.
What should you do first?
- A . Configure an Apple MDM push certificate.
- B . Add your user account as a device enrollment manager (DEM).
- C . Modify the enrollment restrictions.
- D . Upload a file that has the device identifiers for each iPad.
A
Explanation:
Set up iOS/iPadOS device enrollment with Apple Configurator
Prerequisites
* Physical access to iOS/iPadOS devices
* Set MDM authority
* An Apple MDM push certificate
* Device serial numbers (Setup Assistant enrollment only)
* USB connection cables
* macOS computer running Apple Configurator 2.0
Note:
Upload and renew your Apple MDM push certificates in Microsoft Intune. An Apple MDM Push certificate is required to manage iOS/iPadOS and macOS devices in Microsoft Intune, and enables devices to enroll via:
The Intune Company Portal app.
Apple bulk enrollment methods, such as the Device Enrollment Program, Apple School Manager, and Apple Configurator.
Certificates must be renewed annually.
Reference: https://learn.microsoft.com/en-us/mem/intune/enrollment/apple-mdm-push-certificate-get
You have a Microsoft 365 E5 subscription that contains 150 hybrid Microsoft Entra joined Windows devices.
All the devices are enrolled in Microsoft Intune.
You need to configure Delivery Optimization on the devices to meet the following requirements:
• Allow downloads from the internet and from other computers on the local network.
• Limit the percentage of used bandwidth to 50.
What should you use?
- A . a configuration profile
- B . a Windows Update for Business Group Policy setting
- C . a Microsoft Peer-to-Peer Networking Services Group Policy setting
- D . an Update ring for Windows 10 and later profile
C
Explanation:
How Microsoft uses Delivery Optimization
At Microsoft, to help ensure that ongoing deployments weren’t affecting our network and taking away bandwidth for other services, Microsoft IT used a couple of different bandwidth management strategies. Delivery Optimization, peer-to-peer caching enabled through Group Policy, was piloted and then deployed to all managed devices using Group Policy. Based on recommendations from the Delivery Optimization team, we used the "group" configuration to limit sharing of content to only the devices that are members of the same Active Directory domain. The content is cached for 24 hours. More than 76 percent of content came from peer devices versus the Internet.
Note: Delivery Optimization options
You can use Group Policy or an MDM solution like Intune to configure Delivery Optimization.
Summary of Delivery Optimization settings
* Maximum foreground download bandwidth (percentage) DOPercentageMaxForegroundBandwidth
* Maximum background download bandwidth (percentage) DOPercentageMaxBackgroundBandwidth
* Etc.
Note 2: Policies to prioritize the use of Peer-to-Peer and Cache Server sources
When Delivery Optimization client is configured to use peers and Microsoft Connected Cache (MCC), to achieve the best possible content delivery experience, the client will connect to both MCC and peers in parallel. If the desired content can’t be obtained from MCC or peers, Delivery Optimization will automatically fallback to the HTTP source to get the requested content. There are four settings that allow you to prioritize peer-to-peer or MCC sources by delaying the immediate fallback to HTTP source which is the default behavior.
Incorrect:
Not D: Update rings for Windows 10 and later policy in Intune
Create update rings that specify how and when Windows as a Service updates your Windows 10/11 devices with feature and quality updates. With Windows 10/11, new feature and quality updates include the contents of all previous updates. As long as you’ve installed the latest update, you know your Windows devices are up to date. Unlike with previous versions of Windows, you now must install the entire update instead of part of an update.
Reference:
https://learn.microsoft.com/en-us/windows/deployment/do/waas-delivery-optimization
https://learn.microsoft.com/en-us/windows/deployment/do/waas-delivery-optimization-reference
HOTSPOT
You have a Microsoft Intune subscription.
You are creating a Windows Autopilot deployment profile named Profile1 as shown in the following exhibit.
Profile1 will be deployed to Windows 10 devices.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point.
Explanation:
Box 1: can modify the desktop settings only for themselves
We see: User account type: Standard (not Administrator)
Incorrect:
* can create additional local users on the device
* can modify the desktop settings for all device users
Box 2: Cortana settings
Incorrect:
* computer name
We see: Hide change account options: Hide
* keyboard layout
We see: Automatically configure keyboard: Yes
Reference: https://learn.microsoft.com/en-us/mem/autopilot/profiles
HOTSPOT
You have a server named Server1 and computers that run Windows 10. Server1 has the Microsoft Deployment Toolkit (MDT) installed.
You plan to upgrade the Windows 10 computers to Windows 11 by using the MDT deployment wizard.
You need to create a deployment share on Server1.
What should you do on Server1, and what are the minimum components you should add to the MDT deployment share? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Box 1: Install the Windows Assessment and Deployment Kit (Windows ADK)
Server1
MDT installation requires the following:
The Windows ADK for Windows 10
Windows PowerShell (version 5.1 is recommended; enter $host to check)
Microsoft .NET Framework
Box 2: Windows 11 image and task sequence only
Deployment share
Create a deployment share and reference image
A reference image serves as the foundation for Windows 11 devices in your organization.
*Details omitted*
The next step is to create a task sequence to reference the operating system that was imported. To create a task sequence, right-click the Task Sequences node and then select New Task Sequence.
Create a Windows 11 reference image
Reference:
https://learn.microsoft.com/en-us/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt
https://learn.microsoft.com/en-us/windows/deployment/windows-10-poc-mdt#create-a-deployment-share-and-reference-image
DRAG DROP
You have a Microsoft Deployment Toolkit (MDT) server named MDT1.
When computers start from the LiteTouchPE_x64.iso image and connect to MDT1, the welcome screen appears as shown in the following exhibit.
You need to prevent the welcome screen from appearing when the computers connect to MDT1.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Explanation:
Step 1: Modify the CustomSettings.ini file
CustomSettings.ini (CS) may be edited to include information that you wish to take into account prior to beginning the deployment process, such as data that will exist as variables that can be called upon as needed. This is extremely useful when working with multiple sites or when you want certain settings to apply to desktops, while mobile devices receive a different set of settings.
Example of line included:
SkipBDDWelcome=NO
Step 2: Modify the task sequence
Create the deployment task sequence, example:
You use Windows Admin Center to remotely administer computers that run Windows 10.
When connecting to Windows Admin Center, you receive the message shown in the following exhibit.
You need to prevent the message from appearing when you connect to Windows Admin Center.
To which certificate store should you import the certificate?
- A . Client Authentication Issuers
- B . Personal
- C . Trusted Root Certification Authorities
C
Explanation:
"Error Code: DLG_FLAGS_INVALID_CA" while login to Admin Console after enabling HTTPS in PowerCenter.
Solution
To resolve this issue, add the CA-signed certificates to the "Trusted Root Certification Authorities" in the browser. After adding the certificates, restart the browser.
Reference: https://knowledge.informatica.com/s/article/578585
HOTSPOT
You have a Microsoft Entra tenant named contoso.com that contains the devices shown in the following table.
Contoso.com contains the Microsoft Entra groups shown in the following table.
You add a Windows Autopilot deployment profile.
The profile is configured as shown in the following exhibit.
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
Explanation:
Box 1: No
Device1 has no Mobile device Management (MDM) configured.
Note: Device1 is running Windows 8.1, and is registered, but not joined.
Device1 is in Group1.
Profile1 is assigned to Group1.
Box 2: No
Device2 has no Mobile device Management (MDM) configured.
Note: Device2 is running Windows 10, and is joined.
Device2 is in Group2.
Group2 is in Group1.
Profile1 is assigned to Group1.
Box 3: Yes
Device3 has Mobile device Management (MDM) configured.
Device3 is running Windows 10, and is joined.
Device1 is in Group1.
Profile1 is assigned to Group1.
Mobile device management (MDM) enrollment: Once your Windows 10 device joins Azure AD, Autopilot ensures your device is automatically enrolled with MDMs such as Microsoft Intune. This program can automatically push configurations, policies and settings to the device, and install Office 365 and other business apps without you having to get IT admins to manually sort the device. Intune can also apply the latest updates from Windows Update for Business.
Reference: https://xo.xello.com.au/blog/windows-autopilot
DRAG DROP
You have 100 computers that run Windows 10.
You plan to deploy Windows 11 to the computers by performing a wipe and load installation.
You need to recommend a method to retain the user settings and the user data.
Which three actions should you recommend be performed in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:
Explanation:
Step 1: Run scanstate.exe
You have a Microsoft 365 subscription that uses Microsoft Intune Suite.
You use Microsoft Intune to manage devices.
You use Windows Autopilot to deploy Windows 11 to devices.
A support engineer reports that when a deployment fails, they cannot collect deployment logs from the failed device.
You need to ensure that when a deployment fails, the deployment logs can be collected.
What should you configure?
- A . the automatic enrollment settings
- B . the Windows Autopilot deployment profile
- C . the enrollment status page (ESP) profile
- D . the device configuration profile
C
Explanation:
Troubleshooting the Enrollment Status Page
To troubleshoot ESP issues, it’s important to get more information about the ESP settings that are received by the device, and the applications and policies that are tracked at each stage. All ESP settings and tracking information are logged in the device registry.
Collect logs
You can enable the ability for users to collect ESP logs in the ESP policy. When a timeout occurs in the ESP, the user can select the option to Collect logs.
Note: Windows Autopilot diagnostics page
On Windows 11, you can open the Autopilot diagnostic page to view additional detailed troubleshooting information about the Autopilot provisioning process. To enable the Autopilot diagnostics page:
You have a Windows 11 capable device named Device1 that runs the 64-bit version of Windows 10 Enterprise and has Microsoft Office 2019 installed.
You have the Windows 11 Enterprise images shown in the following table.
Which images can be used to perform an in-place upgrade of Device1?
- A . Image1 only
- B . Image2 only
- C . Image1 and Image2
B
Explanation:
How to Perform an In-Place Upgrade on Windows 11.
To perform an in-place upgrade, you need to do two things. First, download the latest Windows 11 ISO file. Then run the setup from the ISO file, pick the appropriate in-place upgrade option, and proceed.
HOTSPOT
You have a Microsoft 365 subscription that uses Microsoft Intune Suite.
Your network contains an on-premises Active Directory Domain Services (AD DS) domain that syncs with a Microsoft Entra tenant by using Microsoft Entra Connect.
You use Microsoft Intune and Configuration Manager to manage devices.
You need to recommend a deployment plan for new Windows 11 devices.
The solution must meet the following requirements:
• Devices for the marketing department must be joined to the AD DS domain only. The IT department will install complex applications on the devices at build time, before giving the devices to the marketing department users.
• Devices for the sales department must be Microsoft Entra joined. The devices will be shipped directly from the manufacturer to the homes of the sales department users.
• Administrative effort must be minimized.
Which deployment method should you recommend for each department? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Hot Area:
Explanation:
Box 1: Windows Autopilot with OEM registration
Devices for the sales department must be Azure AD joined. The devices will be shipped directly from the manufacturer to the homes of the sales department users. Administrative effort must be minimized.
When you purchase devices from an OEM, that OEM can automatically register the devices with the Windows Autopilot.
Box 2: Configuration Manager
Devices for the marketing department must be joined to the AD DS domain only. The IT department will install complex applications on the devices at build time, before giving the devices to the marketing department users.
Configuration Manager is part of the Microsoft Intune family of products.
The Microsoft Intune family of products is an integrated solution for managing all of your devices. Microsoft brings together Configuration Manager and Intune, without a complex migration, and with simplified licensing.
Configuration Manager also uses:
* Active Directory Domain Services and Azure Active Directory for security, service location, configuration, and to discover the users and devices that you want to manage.
Software Center is an application that’s installed when you install the Configuration Manager client on a Windows device. Users use Software Center to request and install software that you deploy. Software Center lets users do the following actions:
Browse for and install applications, software updates, and new OS versions
View their software request history
View device compliance against your organization’s policies
You can also show custom tabs in Software Center to meet additional business requirements.
Reference:
https://learn.microsoft.com/en-us/mem/autopilot/oem-registration
https://learn.microsoft.com/en-us/mem/configmgr/core/understand/introduction
You have a Microsoft Deployment Toolkit (MDT) deployment share named DS1.
In the Out-of-Box Drivers node, you create folders that contain drivers for different hardware models.
You need to configure the Inject Drivers MDT task to use PnP detection to install the drivers for one of the hardware models.
What should you do first?
- A . Import an OS package.
- B . Create a selection profile.
- C . Add a Gather task to the task sequence.
- D . Add a Validate task to the task sequence.
B
Explanation:
By default, MDT adds any storage and network drivers that you import to the boot images. However, you should add only the drivers that are necessary to the boot image. You can control which drivers are added by using selection profiles.
Reference: https://docs.microsoft.com/en-us/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt
You have an on-premises server named Server1 that hosts a Microsoft Deployment Toolkit (MDT) deployment share named MDT1.
You need to ensure that MDT1 supports multicast deployments.
What should you install on Server1?
- A . Multipath I/O (MPIO)
- B . Multipoint Connector
- C . Windows Deployment Services (WDS)
- D . Windows Server Update Services (WSUS)
C
Explanation:
Multicast requires that Windows Deployment Services (WDS) is running on Windows Server 2008 or later.
Reference: https://learn.microsoft.com/en-us/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt
Your company standardizes on Windows 10 Enterprise for all users.
Some users purchase their own computer from a retail store. The computers run Windows 10 Pro.
You need to recommend a solution to upgrade the computers to Windows 10 Enterprise, join the computers to Microsoft Entra, and install several Microsoft Store apps.
The solution must meet the following requirements:
• Ensure that any applications installed by the users are retained.
• Minimize user intervention.
What is the best recommendation to achieve the goal? More than one answer choice may achieve the goal. Select the BEST answer.
- A . Windows Autopilot
- B . Microsoft Deployment Toolkit (MDT)
- C . a Windows Configuration Designer provisioning package
- D . Windows Deployment Services (WDS)
C
Explanation:
You use Windows Configuration Designer to create a provisioning package (.ppkg) that contains customization settings. You can apply the provisioning package to a device running Windows 10.
Incorrect Answers:
A: Windows Autopilot is a user-driven mode designed to minimize intervention of the IT administrator.
B: Microsoft Deployment Toolkit (MDT) allows you to automate the deployment of Windows operating systems in your organization. It is not used to upgrade to Windows 10 Enterprise.
D: Windows Deployment Services (WDS) is the revised version of Remote Installation Services (RIS). WDS enables the deployment of Windows operating systems. You can use it to set up new computers using network-based installations. It is not used to upgrade to Windows 10 Enterprise.
Reference:
https://docs.microsoft.com/en-us/windows/deployment/upgrade/windows-10-edition-upgrades
https://docs.microsoft.com/en-us/windows/configuration/provisioning-packages/provisioning-create-package
Your network contains an Active Directory domain named contoso.com. The domain contains two computers named Computer1 and Computer2 that run Windows 10.
On Computer1, you need to run the Invoke-Command cmdlet to execute several PowerShell commands on Computer2.
What should you do first?
- A . On Computer2, run the Enable-PSRemoting cmdlet.
- B . On Computer2, add Computer1 to the Remote Management Users group.
- C . From Active Directory, configure the Trusted for Delegation setting for the computer account of Computer2.
- D . On Computer1, run the New-PSSession cmdlet.
A
Explanation:
Reference: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting
You have a Microsoft Entra tenant that contains the devices shown in the following table.
Which devices can be activated by using subscription activation?
- A . Device1 only
- B . Device1 and Device2 only
- C . Device1 and Device3 only
- D . Device1, Device2, Device3, and Device4
C
Explanation:
Windows subscription activation
The subscription activation feature enables you to "step-up" from Windows Pro edition to Enterprise or Education editions. You can use this feature if you’re subscribed to Windows Enterprise E3 or E5 licenses. Subscription activation also supports step-up from Windows Pro Education edition to Education edition.
Devices must be Azure AD-joined or hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices aren’t supported.
Reference: https://learn.microsoft.com/en-us/windows/deployment/windows-10-subscription-activation
You have 25 computers that run Windows 10 Pro.
You have a Microsoft 365 E5 subscription that uses Microsoft Intune.
You need to upgrade the computers to Windows 11 Enterprise by using an in-place upgrade. The solution must minimize administrative effort.
What should you use?
- A . Microsoft Deployment Toolkit (MDT) and a default image of Windows 11 Enterprise
- B . Microsoft Configuration Manager and a custom image of Windows 11 Enterprise
- C . Windows Autopilot
- D . Subscription Activation
You use the Microsoft Deployment Toolkit (MDT) to manage Windows 11 deployments.
From Deployment Workbench, you modify the WinPE settings and add PowerShell support.
You need to generate a new set of WinPE boot image files that contain the updated settings.
What should you do?
- A . From the Deployment Shares node, update the deployment share.
- B . From the Advanced Configuration node, create new media.
- C . From the Packages node, import a new operating system package.
- D . From the Operating Systems node, import a new operating system.
A
Explanation:
Distribute content to the CM01 (for example) distribution portal.
In Configuration Manager, you can distribute all packages needed by a task sequence in a single task. In this section, you distribute packages that have not yet been distributed to the CM01 distribution point.
On CM01:
You are replacing 100 company-owned Windows devices.
You need to use the Microsoft Deployment Toolkit (MDT) to securely wipe and decommission the devices.
The solution must meet the following requirements:
• Back up the user state.
• Minimize administrative effort.
Which task sequence template should you use?
- A . Standard Client Task Sequence
- B . Standard Client Replace Task Sequence
- C . Litetouch OEM Task Sequence
- D . Sysprep and Capture
B
Explanation:
Standard Client Replace task sequence. Used to run User State Migration Tool (USMT) backup and the optional full Windows Imaging (WIM) backup action. Can also be used to do a secure wipe of a machine that is going to be decommissioned.
Reference: https://docs.microsoft.com/en-us/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit
Your network contains an Active Directory domain. The domain contains a computer named Computer1 that runs Windows 11.
You need to enable the Windows Remote Management (WinRM) service on Computer1 and perform the following configurations:
• For the WinRM service, set Startup type to Automatic.
• Create a listener that accepts requests from any IP address.
• Enable a firewall exception for WS-Management communications.
Which PowerShell cmdlet should you use?
- A . Connect-WSMan
- B . Enable-PSRemoting
- C . Invoke-WSManAction
- D . Enable-PSSessionConfiguration
B
Explanation:
The Enable-PSRemoting cmdlet configures the computer to receive PowerShell remote commands that are sent by using the WS-Management technology. WS-Management based PowerShell remoting is currently supported only on Windows platform.
The Enable-PSRemoting cmdlet performs the following operations:
* Runs the Set-WSManQuickConfig cmdlet, which performs the following tasks:
Starts the WinRM service.
Sets the startup type on the WinRM service to Automatic.
Creates a listener to accept requests on any IP address.
Enables a firewall exception for WS-Management communications.
Creates the simple and long name session endpoint configurations if needed.
Enables all session configurations.
Changes the security descriptor of all session configurations to allow remote access.
* Restarts the WinRM service to make the preceding changes effective.
Reference: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting
HOTSPOT
Your network contains an on-premises Active Directory Domain Services (AD DS) domain that syncs with a Microsoft Entra tenant.
The tenant contains the users shown in the following table.
You assign Windows 10/11 Enterprise E5 licenses to Group1 and User2.
You deploy the devices shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
Explanation:
Box 1: Yes
Computer 1 is directly connected to Azure AD.
Box 2: Yes
Computer 2 is Hybrid Azure AD connected.
Box 3: No
User2 is not in Azure Active Directory.
Reference: https://docs.microsoft.com/en-us/windows/deployment/windows-10-subscription-activation
HOTSPOT
Your network contains an Active Directory domain named adatum.com, a workgroup, and computers that run Windows 10.
The computers are configured as shown in the following table.
The local Administrator accounts on Computer1, Computer2, and Computer3 have the same user name and password.
On Computer1, Windows Defender Firewall is configured as shown in the following exhibit.
The services on Computer1 have the following states.
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
Explanation:
Box 1: No
Because the firewall is blocking Remote Volume Management.
Box 2: No
Because the Remote Registry Service is stopped.
Box 3: No
Because the Remote Registry Service is stopped. Perfmon needs both the RPC service and the Remote Registry service to be running.
You have a Hyper-V host that contains the virtual machines shown in the following table.
On which virtual machines can you install Windows 11?
- A . VM1 only
- B . VM3 only
- C . VM1 and VM2 only
- D . VM2 and VM3 only
- E . VM1, VM2, and VM3
B
Explanation:
Windows 11 VM Hyper-V Requirements
Generation 2 VM.
UEFI (System Firmware)
Secure Boot Enabled (Secure Boot can only be enabled with UEFI)
TPM 2.0 Enabled.
1 (GHz) or faster CPU with 2 or more cores.
4GB Memory or more.
64GB or more of disk space.
Reference: https://activedirectorypro.com/install-windows-11-vm-hyper-v/
HOTSPOT
You have a Microsoft 365 subscription that uses Microsoft Intune and contains the users shown in the following table.
Group2 has been assigned in the Enrollment Status Page.
You have the devices shown in the following table.
You capture and upload the hardware IDs of the devices in the marketing department.
You configure Windows Autopilot.
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
Explanation:
Box 1: No
The hardware ID of Device1 has been uploaded.
Note: To provide needed Azure Active Directory (automatic MDM enrollment and company branding features) and MDM functionality, one of the following subscriptions is required:
Microsoft 365 Business Premium subscription
Microsoft 365 F1 or F3 subscription
Microsoft 365 Academic A1, A3, or A5 subscription
Microsoft 365 Enterprise E3 or E5 subscription, which include all Windows client, Microsoft 365, and EMS features (Azure AD and Intune).
Etc.
Box 2: Yes
Box 3: Yes
User3 is a member of Group2.
Group2 has been assigned in the Enrollment Status Page.
Note: You can perform Windows Autopilot device registration within your organization by manually collecting the hardware identity of devices (hardware hashes) and uploading this information in a comma-separated-values (CSV) file. Capturing the hardware hash for manual registration requires booting the device into Windows. So, this process is primarily for testing and evaluation scenarios.
Device owners can only register their devices with a hardware hash. Other methods (PKID, tuple) are available through OEMs or CSP partners.
Reference: https://learn.microsoft.com/en-us/mem/autopilot/licensing-requirements
https://learn.microsoft.com/en-us/mem/autopilot/add-devices
You have a Microsoft 365 subscription that contains a user named User1. User1 is assigned a Windows 10/11 Enterprise E3 license.
You use Microsoft Intune Suite to manage devices.
User1 activates the following devices:
• Device1: Windows 11 Enterprise
• Device2: Windows 10 Enterprise
• Device3: Windows 11 Enterprise
How many more devices can User1 activate?
- A . 2
- B . 3
- C . 7
- D . 8
A
Explanation:
When you purchase Windows 10/11 Enterprise E3 via a partner, you get the following benefits:
* Deploy on up to five devices. For each user covered by the license, you can deploy Windows 10 Enterprise edition on up to five devices.
* Etc.
Reference: https://learn.microsoft.com/en-us/windows/deployment/windows-10-enterprise-e3-overview
DRAG DROP
Your company has a computer named Computer1 that runs Windows 10.
Computer1 was used by a user who left the company.
You plan to repurpose Computer1 and assign the computer to a new user.
You need to redeploy Computer1 by using Windows Autopilot.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Explanation:
Step 1: Generate a CSV file that contains the computer information
You can perform Windows Autopilot device registration within your organization by manually collecting the hardware identity of devices (hardware hashes) and uploading this information in a comma-separated-values (CSV) file.
Step 2: Upload the file by using Microsoft Intune
By default, Intune only applies this profile to Windows Autopilot devices. Yes, to convert all targeted, non-auto pilot devices to Autopilot so that they can receive the profile the next time they perform a factory reset.
Step 3: Reset the computer
Windows Autopilot Reset takes the device back to a business-ready state, allowing the next user to sign in and get productive quickly and simply. Specifically, Windows Autopilot Reset:
Removes personal files, apps, and settings.
Reapplies a device’s original settings.
Sets the region, language, and keyboard to the original values.
Maintains the device’s identity connection to Azure AD.
Maintains the device’s management connection to Intune.
Reference:
https://docs.microsoft.com/en-us/intune/enrollment-autopilot
https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot-reset
You use the Microsoft Deployment Toolkit (MDT) to deploy Windows 11.
You create a new task sequence by using the Standard Client Task Sequence template to deploy Windows 11 Enterprise to new computers. The computers have a single hard disk.
You need to modify the task sequence to create a system volume and a data volume.
Which phase should you modify in the task sequence?
- A . Initialization
- B . State Restore
- C . Preinstall
- D . Postinstall
C
Explanation:
Step 1 - Create Extra Partition in MDT
1) First we will look to create extra partition in MDT. We will create a new task sequence for a machine that doesn’t have an extra partition. Specify the TS name and comments. Click Next.
2) On the Select Template page, click the drop-down and select Standard Client Task Sequence. Complete the remaining steps.
3) Edit the task sequence and click the New Computer only step. Within that step, click the Format and Partition Disk (BIOS) step and edit it.
Etc.
Reference: https://www.prajwaldesai.com/create-extra-partition-in-mdt/
You have a Microsoft Deployment Toolkit (MDT) deployment share.
From the Deployment Workbench, you open the New Task Sequence Wizard and select the Standard Client Upgrade Task Sequence task sequence template.
You discover that there are no operating system images listed on the Select OS page as shown in the following exhibit.
You need to be able to select an operating system image to perform a Windows 11 in-place upgrade.
What should you do?
- A . Enable monitoring for the deployment share.
- B . Import a full set of source files.
- C . Import a custom image file.
- D . Run the Update Deployment Share Wizard.
C
Explanation:
Operating systems
Using the Deployment Workbench, you import the operating systems you want to deploy. You can import either the full source (like the full Windows 10 DVD/ISO) or a custom image that you’ve created. The full-source operating systems are primarily used to create reference images; however, they also can be used for normal deployments.
Reference: https://learn.microsoft.com/en-us/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit
DRAG DROP
You have a Microsoft Intune subscription that is configured to use a PFX certificate connector to an on-premises Enterprise certification authority (CA).
You need to use Intune to configure autoenrollment for Android devices by using public key pair (PKCS) certificates.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Explanation:
Step 1: Obtain the root certificate.
Export the root certificate from the Enterprise CA.
To authenticate a device with VPN, WiFi, or other resources, a device needs a root or intermediate CA certificate.
Step 2: From the Microsoft Endpoint Manager admin center, create a trusted certificate profile
Create a trusted certificate profile
DRAG DROP
You have a Microsoft Intune subscription that is configured to use a PFX certificate connector to an on-premises Enterprise certification authority (CA).
You need to use Intune to configure autoenrollment for Android devices by using public key pair (PKCS) certificates.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Explanation:
Step 1: Obtain the root certificate.
Export the root certificate from the Enterprise CA.
To authenticate a device with VPN, WiFi, or other resources, a device needs a root or intermediate CA certificate.
Step 2: From the Microsoft Endpoint Manager admin center, create a trusted certificate profile Create a trusted certificate profile
DRAG DROP
You have a Microsoft Intune subscription that is configured to use a PFX certificate connector to an on-premises Enterprise certification authority (CA).
You need to use Intune to configure autoenrollment for Android devices by using public key pair (PKCS) certificates.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Explanation:
Step 1: Obtain the root certificate.
Export the root certificate from the Enterprise CA.
To authenticate a device with VPN, WiFi, or other resources, a device needs a root or intermediate CA certificate.
Step 2: From the Microsoft Endpoint Manager admin center, create a trusted certificate profile Create a trusted certificate profile
DRAG DROP
You have a Microsoft Intune subscription that is configured to use a PFX certificate connector to an on-premises Enterprise certification authority (CA).
You need to use Intune to configure autoenrollment for Android devices by using public key pair (PKCS) certificates.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Explanation:
Step 1: Obtain the root certificate.
Export the root certificate from the Enterprise CA.
To authenticate a device with VPN, WiFi, or other resources, a device needs a root or intermediate CA certificate.
Step 2: From the Microsoft Endpoint Manager admin center, create a trusted certificate profile Create a trusted certificate profile
HOTSPOT
You create a Windows Autopilot deployment profile.
You need to configure the profile settings to meet the following requirements:
• Automatically enroll new devices and provision system apps without requiring end-user authentication
• Include the hardware serial number in the computer name.
Which two settings should you configure? To answer, select the appropriate settings in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Box 1: Deployment mode User-driven
User-driven: Devices with this profile are associated with the user enrolling the device. User credentials are required to enroll the device.
Change it to: Self-deploying (preview): (requires Windows 10, version 1809 or later) Devices with this profile aren’t associated with the user enrolling the device. User credentials aren’t required to enroll the device. When a device has no user associated with it, user-based compliance policies don’t apply to it. When using self-deploying mode, only compliance policies targeting the device will be applied.
Box 2: Apply device name template
Apply device name template (requires Windows 10, version 1809 or later, and Azure AD join type): Choose Yes to create a template to use when naming a device during enrollment. Names must be 15 characters or less, and can have letters, numbers, and hyphens. Names can’t be all numbers. Use the %SERIAL% macro to add a hardware-specific serial number. Or, use the %RAND:x% macro to add a random string of numbers, where x equals the number of digits to add.
Reference: https://docs.microsoft.com/en-us/mem/autopilot/profiles
HOTSPOT
Your network contains an Active Directory domain named adatum.com. The domain contains two computers named Computer1 and Computer2 that run Windows 10. Remote Desktop is enabled on Computer2.
The domain contains the user accounts shown in the following table.
Computer2 contains the local groups shown in the following table.
The relevant user rights assignments for Computer2 are shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
Explanation:
Box 1: Yes
User1 is an administrator and has the Allow log on through Remote Desktop Services user right.
Box 2: No
User2 is a member of Group2, which has the Deny log on through Remote Desktop Services user right.
Box 3: Yes
User3 is a member of the Administrators group and has the Allow log on through Remote Desktop Services user right.
Note: Deny permissions take precedence over Allow permissions. If a user belongs to two groups, and one of them has a specific permission set to Deny, that user is not able to perform tasks that require that permission even if they belong to a group that has that permission set to Allow.
Reference: https://docs.microsoft.com/en-us/azure/devops/organizations/security/about-permissions
You have two computers named Computer1 and Computer2 that run Windows 10. Computer2 has Remote Desktop enabled.
From Computer1, you connect to Computer2 by using Remote Desktop Connection.
You need to ensure that you can access the local drives on Computer1 from within the Remote Desktop session.
What should you do?
- A . From Computer2, configure the Remote Desktop settings.
- B . From Windows Defender Firewall on Computer1, allow Remote Desktop.
- C . From Windows Defender Firewall on Computer2, allow File and Printer Sharing.
- D . From Computer1, configure the Remote Desktop Connection settings.
D
Explanation:
How to gain access to local files:
You can gain access to your disk drives on the local computer during a Remote Desktop session. You can redirect the local disk drives, including the hard disk drives, CD-ROM disk drives, floppy disk drives, and mapped network disk drives so that you can transfer files between the local host and the remote computer in the same way that you copy files from a network share. You can use Microsoft Windows Explorer to view the disk drives and files for each redirected disk drive. Alternatively, you can view the files for each redirected disk drive in My Computer. The drives are displayed as "drive_letter on terminal_server_client_name" in both Windows Explorer and My Computer.
To view the disk drives and files for the redirected disk drive:
You have a Microsoft 365 subscription that uses Microsoft Intune.
You have five new Windows 11 Pro devices.
You need to prepare the devices for corporate use.
The solution must meet the following requirements:
• Install Windows 11 Enterprise on each device.
• Install a Windows Installer (MSI) package named App1 on each device.
• Add a certificate named Certificate1 that is required by App1.
• Join each device to Azure AD.
Which three provisioning options can you use? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point.
- A . subscription activation
- B . a custom Windows image
- C . an in-place upgrade
- D . Windows Autopilot
- E . provisioning packages
BDE
Explanation:
D: Windows Autopilot can provide a pre-provisioning service that helps partners or IT staff pre-provision a fully configured and business-ready Windows PC. From the end user’s perspective, the Windows Autopilot user-driven experience is unchanged, but getting their device to a fully provisioned state is faster.
With Windows Autopilot for pre-provisioned deployment, the provisioning process is split. The time-consuming portions are done by IT, partners, or OEMs. The end user simply completes a few necessary settings and policies and then they can begin using their device.
The pre-provisioning process applies all device-targeted policies from Intune. Those policies include certificates, security templates, settings, apps, and more – anything targeting the device. Additionally, any Win32 or LOB apps are installed if they meet the following conditions:
Configured to install in the device context.
Assigned to either the device or to the user preassigned to the Autopilot device.
E: Join new Windows devices to Azure Active Directory and Intune. To bulk enroll devices for your Azure AD tenant, you create a provisioning package with the Windows Configuration Designer (WCD) app. Applying the provisioning package to corporate-owned devices joins the devices to your Azure AD tenant and enrolls them for Intune management. Once the package is applied, it’s ready for your Azure AD users to sign in.
Note: Configuration Designer wizards
The following table describes settings that you can configure using the wizards in Windows Configuration Designer to create provisioning packages.
Reference:
https://learn.microsoft.com/en-us/mem/autopilot/pre-provision
https://learn.microsoft.com/en-us/mem/intune/enrollment/windows-bulk-enroll
https://learn.microsoft.com/en-us/windows/configuration/provisioning-packages/provisioning-packages
You have a Microsoft 365 subscription.
You plan to use Windows Autopilot to provision 25 Windows 11 devices.
You need to configure the Out-of-box experience (OOBE) settings.
What should you create in the Microsoft Intune admin center?
- A . an enrollment status page (ESP)
- B . a deployment profile
- C . a compliance policy
- D . a PowerShell script
- E . a configuration profile
B
Explanation:
Use Windows Autopilot profiles on new devices to customize a customer’s out-of-box experience. In Partner Center, you can create Windows Autopilot deployment profiles and apply them to devices.
Note:
Create a new Autopilot profile
To create a new Autopilot profile, use the following steps:
You have a Microsoft Entra tenant that contains the devices shown in the following table.
You purchase Windows 11 Enterprise E5 licenses.
Which devices can use Subscription Activation to upgrade to Windows 11 Enterprise?
- A . Device1 only
- B . Device1 and Device2 only
- C . Device1 and Device3 only
- D . Device1, Device2, Device3, and Device4
C
Explanation:
The subscription activation feature enables you to "step-up" from Windows Pro edition to Enterprise or Education editions. You can use this feature if you’re subscribed to Windows Enterprise E3 or E5 licenses. Subscription activation also supports step-up from Windows Pro Education edition to Education edition.
Requirements
For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA), you must have the following requirements:
A supported version of Windows Pro or Enterprise edition installed on the devices to be upgraded.
Azure AD available for identity management.
Devices must be Azure AD-joined or hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices aren’t supported.
Reference: https://learn.microsoft.com/en-us/windows/deployment/windows-10-subscription-activation
You have computers that run Windows 11 Pro. The computers are joined to Microsoft Entra and enrolled in Microsoft Intune.
You need to upgrade the computers to Windows 11 Enterprise.
What should you configure in Intune?
- A . a device compliance policy
- B . a device cleanup rule
- C . a device enrollment policy
- D . a device configuration profile
D
Explanation:
Intune: Upgrade Windows Pro to Enterprise.
1) First, create a Microsoft Intune configuration policy. In the Azure Portal navigate to Microsoft Intune -> Device Configuration -> Profiles. Click Create Profile.
2) Next, create a new Windows 10 and later profile, with a type of Edition Upgrade. Click Settings.
3) Etc.
Reference: https://blogs.technet.microsoft.com/skypehybridguy/2018/09/21/intune-upgrade-windows-from-pro-to-enterprise-automatically/
You have a Microsoft 365 subscription that uses Microsoft Intune Suite.
You use Microsoft Intune to manage devices.
Auto-enrollment in Intune is configured.
You have 100 Windows 11 devices in a workgroup.
You need to connect the devices to the corporate wireless network and enroll 100 new Windows 11 devices in Intune.
What should you use?
- A . a provisioning package
- B . a Group Policy Object (GPO)
- C . mobile device management (MDM) automatic enrollment
- D . a device configuration policy
C
Explanation:
Set up automatic enrollment for Windows 10/11 devices
You can set up Microsoft Intune to automatically enroll corporate owned or user owned devices. You can scope automatic enrollment to some Azure AD users, all users, or none.
You can configure MDM enrollment settings so that both corporate and bring-your-own-devices can be automatically enrolled in Intune. If your intent is to enable automatic enrollment for Windows BYOD devices to an MDM, configure the MDM user scope to All (or Some, and specify a group) and configure the MAM user scope to None (or Some, and specify a group, ensuring that users are not members of a group targeted by both MDM and MAM user scopes). For corporate devices, the MDM user scope takes precedence if both MDM and MAM user scopes are enabled. The device will be automatically enrolled in the configured MDM.
Reference: https://learn.microsoft.com/en-us/mem/intune/enrollment/quickstart-setup-auto-enrollment
HOTSPOT
You have a Microsoft 365 tenant that uses Microsoft Intune to manage personal and corporate devices.
The tenant contains Windows 10 devices as shown in the following exhibit.
How will Intune classify each device after the devices are enrolled in Intune automatically? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Box 1: LON-CL2 only
Box 2: LON-CL4 only
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-join
https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-register
HOTSPOT
You have a Microsoft 365 subscription that contains 1,000 iOS devices.
The devices are enrolled in Microsoft Intune as follows:
• Two hundred devices are enrolled by using the Intune Company Portal.
• Eight hundred devices are enrolled by using Apple Automated Device Enrollment (ADE).
You create an iOS/iPadOS software updates policy named Policy1 that is configured to install iOS/iPadOS 15.5.
How many iOS devices will Policy1 update, and what should you configure to ensure that only iOS/iPadOS 15.5 is installed? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Box 1: 800
Manage iOS/iPadOS software update policies in Intune
You can use Microsoft Intune device configuration profiles to manage software updates for iOS/iPad devices that enrolled as supervised devices.
Supervised devices are devices that enroll through one of Apple’s Automated Device Enrollment (ADE) options. Devices enrolled through ADE support management control through a mobile device management solution like Intune.
Box 2: Device restriction policy
With policies for iOS software updates, you can:
* Choose to deploy the latest update that’s available, or choose to deploy an older update, based on the update version number.
* When deploying an older update, you must also deploy a device restrictions profile to restrict visibility of software updates. This is because update profiles don’t prevent users from updating the OS manually. Users can be prevented from updating the OS manually with a device configuration policy that restricts visibility of software updates.
Incorrect:
* Compliance policy Create compliance rules
Use compliance policies to define the rules and conditions that users and devices should meet to access your organization’s protected resources.
* Conditional Access policy
You can also create Conditional Access policies, which work alongside your device compliance results to block access to resources from noncompliant devices.
Reference:
https://learn.microsoft.com/en-us/mem/intune/protect/software-updates-ios
https://learn.microsoft.com/en-us/mem/intune/enrollment/device-enrollment-program-enroll-ios
You have the Windows 10 devices shown in the following table.
You plan to upgrade the devices to Windows 11 Enterprise.
On which devices can you perform a direct in-place upgrade to Windows 11 Enterprise?
- A . Device3 only
- B . Device3 and Device4 only
- C . Device2, Device3, and Device4 only
- D . Device1, Device3, and Device4 only
- E . Device1, Device2, Device3, and Device4 only
A
Explanation:
The upgrade to Windows 11 is for the same edition as you have on your Windows 10 device. Devices with Windows 10 Pro installed will be upgraded to Windows 11 Pro. Devices running Windows 10 Enterprise will upgrade to Windows 11 Enterprise.
Reference: https://www.microsoft.com/en-us/licensing/product-licensing/windows
HOTSPOT
You have a Microsoft Deployment Toolkit (MDT) deployment share named Share1.
You add Windows 10 images to Share1 as shown in the following table.
Which images can be used in the Standard Client Task Sequence, and which images can be used in the Standard Client Upgrade Task Sequence? NOTE: Each correct selection is worth one point.
Explanation:
Box 1: Image1, Image2, Image3, Image4, and Image5.
All images.
Standard Client Task Sequence
Standard Client task sequence. The most frequently used task sequence. Used for creating reference images and for deploying clients in production.
Box 2: Image1, Image2, Image3, and Image4 only.
Exclude Image5 with applications.
Standard Client Upgrade Task Sequence
Standard Client Upgrade task sequence. A simple task sequence template used to perform an in-place upgrade from Windows 7, Windows 8, or Windows 8.1 directly to Windows 10, automatically preserving existing data, settings, applications, and drivers.
Reference: https://docs.microsoft.com/en-us/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit
Your company has a Remote Desktop Gateway (RD Gateway).
You have a server named Server1 that is accessible by using Remote Desktop Services (RDS) through the RD Gateway.
You need to configure a Remote Desktop connection to connect through the gateway.
Which setting should you configure?
- A . Connect from anywhere
- B . Server authentication
- C . Connection settings
- D . Local devices and resources
A
Explanation:
How to test your Remote Desktop Gateway connection:
The simplest way to test your Remote Desktop Gateway connection is to configure your Remote Desktop Client to go through the Gateway server.
The Remote Desktop Gateway (RD Gateway) is a secure link between the client computer and the host computer. This allows for a secure connection between the two, where the client and the server are both protected.
If you have your host computer and Remote Desktop Gateway ready, do the following.
Your company has a Remote Desktop Gateway (RD Gateway).
You have a server named Server1 that is accessible by using Remote Desktop Services (RDS) through the RD Gateway.
You need to configure a Remote Desktop connection to connect through the gateway.
Which setting should you configure?
- A . Connect from anywhere
- B . Server authentication
- C . Connection settings
- D . Local devices and resources
A
Explanation:
How to test your Remote Desktop Gateway connection:
The simplest way to test your Remote Desktop Gateway connection is to configure your Remote Desktop Client to go through the Gateway server.
The Remote Desktop Gateway (RD Gateway) is a secure link between the client computer and the host computer. This allows for a secure connection between the two, where the client and the server are both protected.
If you have your host computer and Remote Desktop Gateway ready, do the following.
Your company has a Remote Desktop Gateway (RD Gateway).
You have a server named Server1 that is accessible by using Remote Desktop Services (RDS) through the RD Gateway.
You need to configure a Remote Desktop connection to connect through the gateway.
Which setting should you configure?
- A . Connect from anywhere
- B . Server authentication
- C . Connection settings
- D . Local devices and resources
A
Explanation:
How to test your Remote Desktop Gateway connection:
The simplest way to test your Remote Desktop Gateway connection is to configure your Remote Desktop Client to go through the Gateway server.
The Remote Desktop Gateway (RD Gateway) is a secure link between the client computer and the host computer. This allows for a secure connection between the two, where the client and the server are both protected.
If you have your host computer and Remote Desktop Gateway ready, do the following.
Your company has a Remote Desktop Gateway (RD Gateway).
You have a server named Server1 that is accessible by using Remote Desktop Services (RDS) through the RD Gateway.
You need to configure a Remote Desktop connection to connect through the gateway.
Which setting should you configure?
- A . Connect from anywhere
- B . Server authentication
- C . Connection settings
- D . Local devices and resources
A
Explanation:
How to test your Remote Desktop Gateway connection:
The simplest way to test your Remote Desktop Gateway connection is to configure your Remote Desktop Client to go through the Gateway server.
The Remote Desktop Gateway (RD Gateway) is a secure link between the client computer and the host computer. This allows for a secure connection between the two, where the client and the server are both protected.
If you have your host computer and Remote Desktop Gateway ready, do the following.
You have a Microsoft Deployment Toolkit (MDT) deployment share.
You plan to deploy Windows 11 by using the Standard Client Task Sequence template.
You need to modify the task sequence to perform the following actions:
• Format disks to support Unified Extensible Firmware Interface (UEFI).
• Create a recovery partition.
Which phase of the task sequence should you modify?
- A . Preinstall
- B . PostInstall
- C . Install
- D . Initialization
A
Explanation:
Create Extra Partition in MDT
We will create a new task sequence for a machine that doesn’t have an extra partition.
DRAG DROP
Your network contains an Active Directory domain.
You install the Microsoft Deployment Toolkit (MDT) on a server.
You have a custom image of Windows 11.
You need to deploy the image to 100 devices by using MDT.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:
Explanation:
Step 1: Create a deployment share.
Set up the MDT production deployment share.
Step 2: Add the Windows 11 image.
Add a custom image.
The next step is to add a reference image into the deployment share with the setup files required to successfully deploy Windows 11.
Step 3: Create a task sequence.
Create the deployment task sequence.
Reference: https://docs.microsoft.com/en-us/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt
You have the Microsoft Deployment Toolkit (MDT) installed.
You install and customize Windows 11 on a reference computer.
You need to capture an image of the reference computer and ensure that the image can be deployed to multiple computers.
Which command should you run before you capture the image?
- A . dism
- B . wpeinit
- C . sysprep
- D . bcdedit
C
Explanation:
Sysprep (System Preparation) prepares a Windows client or Windows Server installation for imaging. Sysprep can remove PC-specific information from a Windows installation (generalizing) so it can be installed on different PCs.
Reference: https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/sysprep--system-preparation--overview
Your network contains an on-premises Active Directory domain. The domain contains two computers named Computer1 and Computer2 that run Windows 10.
You install Windows Admin Center on Computer1.
You need to manage Computer2 from Computer1 by using Windows Admin Center.
What should you do on Computer2?
- A . Update the TrustedHosts list.
- B . Run the Enable-PSRemoting cmdlet.
- C . Allow Windows Remote Management (WinRM) through the Microsoft Defender firewall.
- D . Add an inbound Microsoft Defender Firewall rule.
D
Explanation:
Manage a Windows Server VM using Windows Admin Center in Azure
For an inbound port, why must I open a port and why should the source be set to “Any”?
Windows Admin Center installs on your Azure Virtual Machine. The installation consists of a web server and a gateway. By publishing the web server to DNS and opening the firewall (the inbound port in your VM), you can access Windows Admin Center from the Azure portal. The rules for this port behave much like those for the “RDP” port. If you don’t wish to open this port up to “Any”, we recommend restricting the rule to the IP address of the machine used to open the Azure portal.
Note: How does Windows Admin Center handle security?
Traffic from the Azure portal to Windows Admin Center running on your VM uses HTTPS. Your Azure VM is managed using PowerShell and WMI over WinRM.
Note: How does Windows Admin Center work?
Windows Admin Center runs in a web browser and manages Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows 11, Windows 10, Azure Stack HCI and more through the Windows Admin Center gateway installed on Windows Server or domain-joined Windows 10. The gateway manages servers by using Remote PowerShell and WMI over WinRM. The gateway is included with Windows Admin Center in a single lightweight .msi package that you can download.
The Windows Admin Center gateway, when published to DNS and given access through corresponding corporate firewalls, lets you securely connect to, and manage, your servers from anywhere with Microsoft Edge or Google Chrome.
Reference:
https://learn.microsoft.com/en-us/windows-server/manage/windows-admin-center/azure/manage-vm
https://learn.microsoft.com/en-us/windows-server/manage/windows-admin-center/understand/what-is
HOTSPOT
You have a hybrid Azure AD tenant.
You configure a Windows Autopilot deployment profile as shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point.
Explanation:
Box 1: import a CSV file into Windows Autopilot
You can perform Windows Autopilot device registration within your organization by manually collecting the hardware identity of devices (hardware hashes) and uploading this information in a comma-separated-values (CSV) file.
Box 2: joined to Azure AD only
As per exhibit (Azure AD joined).
Reference:
https://docs.microsoft.com/en-us/mem/autopilot/add-devices
https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-join-hybrid
HOTSPOT
You have a Microsoft 365 subscription that uses Microsoft Intune Suite.
You use Microsoft Intune to manage devices.
You plan to create Windows 11 device builds for the marketing and research departments.
The solution must meet the requirements:
• Marketing department devices must support Windows Update for Business.
• Research department devices must have support for feature update versions for up to 36 months from release.
What is the minimum Windows 11 edition required for each department? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Box 1: Windows 11 Enterprise
Marketing department devices must support Windows Update for Business.
Licensing
Windows Update for Business deployment service requires users of the devices to have one of the following licenses:
Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5)
Windows Virtual Desktop Access E3 or E5
Microsoft 365 Business Premium
Box 2: Windows 11 Enterprise
Research department devices must have support for feature update versions for up to 36 months from release.
Feature updates for Windows 10 and later policy in Intune
In addition to a license for Intune, your organization must have one of the following subscriptions that include a license for Windows Update for Business deployment service:
Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5)
Windows Virtual Desktop Access E3 or E5
Microsoft 365 Business Premium
Reference: https://learn.microsoft.com/en-us/windows/deployment/update/deployment-service-prerequisites
https://learn.microsoft.com/en-us/mem/intune/protect/windows-10-feature-updates
You have a Microsoft Entra tenant named contoso.com.
You plan to use Windows Autopilot to configure the Windows 10 devices shown in the following table.
Which devices can be configured by using Windows Autopilot self-deploying mode?
- A . Device2 only
- B . Device3 only
- C . Device1 and Device3 only
- D . Device1, Device2, and Device3
B
Explanation:
Self-deploying mode uses a device’s TPM 2.0 hardware to authenticate the device into an organization’s Azure AD tenant. Therefore, devices without TPM 2.0 can’t be used with this mode.
Reference: https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/self-deploying
You have 200 computers that run Windows 10 and are joined to an Active Directory domain.
You need to enable Windows Remote Management (WinRM) on all the computers by using Group Policy.
Which three actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
- A . Enable the Allow Remote Shell access setting.
- B . Enable the Allow remote server management through WinRM setting.
- C . Set the Startup Type of the Windows Remote Management (WS-Management) service to Automatic.
- D . Enable the Windows Defender Firewall: Allow inbound Remote Desktop exceptions setting.
- E . Set the Startup Type of the Remote Registry service to Automatic.
- F . Enable the Windows Defender Firewall: Allow inbound remote administration exception setting.
BCF
Explanation:
How to enable WinRM with domain controller Group Policy for WMI monitoring
First, we need to create a Group Policy object for your domain.
Next, edit the new Group Policy object you just created. When you’re done, there will be three WinRM service settings enabled:
B: Allow remote server management through WinRM
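An added example, not part of the original page or of Microsoft's documentation: a PowerShell audit to run on one of the 200 computers to confirm that the three settings chosen in the answer (B, C, F) have actually applied. The function name is hypothetical, the registry paths are the locations these administrative-template policies write to, and the scope warnings are an added least-privilege check.

```powershell
# Added example (not from the original page): reports whether the three
# Group Policy settings from answers B, C and F are in effect locally.
function Get-WinRMPolicyState {
    [CmdletBinding()]
    param()

    # B: "Allow remote server management through WinRM" stores its state here.
    $svcKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
    $svcPol = Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue

    # C: Win32_Service reports StartMode as Auto, Manual or Disabled.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='WinRM'"

    # F: "Allow inbound remote administration exception" (domain profile).
    $fwKey = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings'
    $fwPol = Get-ItemProperty -Path $fwKey -ErrorAction SilentlyContinue

    $state = [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        WinRMPolicyEnabled      = ($null -ne $svcPol -and $svcPol.AllowAutoConfig -eq 1)
        IPv4Filter              = if ($svcPol) { $svcPol.IPv4Filter } else { $null }
        IPv6Filter              = if ($svcPol) { $svcPol.IPv6Filter } else { $null }
        ServiceStartMode        = if ($svc) { $svc.StartMode } else { 'NotFound' }
        ServiceState            = if ($svc) { $svc.State } else { 'NotFound' }
        FirewallPolicyEnabled   = ($null -ne $fwPol -and $fwPol.Enabled -eq 1)
        FirewallRemoteAddresses = if ($fwPol) { $fwPol.RemoteAddresses } else { $null }
        Findings                = @()
    }

    $findings = @()

    if (-not $state.WinRMPolicyEnabled) {
        $findings += 'B not applied: WinRM service policy is absent or disabled.'
    }
    elseif ($state.IPv4Filter -eq '*' -or $state.IPv6Filter -eq '*') {
        # "*" makes the service listen on every local address of that family.
        $findings += 'B applied with a "*" filter: listener is not limited to specific local addresses.'
    }

    if ($state.ServiceStartMode -ne 'Auto') {
        $findings += "C not applied: WinRM service start mode is $($state.ServiceStartMode)."
    }

    if (-not $state.FirewallPolicyEnabled) {
        $findings += 'F not applied: remote administration exception policy is absent or disabled.'
    }
    elseif ($state.FirewallRemoteAddresses -eq '*') {
        # "*" accepts the exception from any network; a management subnet is narrower.
        $findings += 'F applied with RemoteAddresses "*": exception is open to any source.'
    }

    $state.Findings = $findings
    return $state
}

# Run in an elevated session after "gpupdate /force" has refreshed policy.
Get-WinRMPolicyState | Format-List
```

An empty Findings list means all three settings landed and are scoped; any entry names the answer letter that is missing or broader than it needs to be.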
You have a Microsoft 365 Business Standard subscription and 100 Windows 10 Pro devices.
You purchase a Microsoft 365 E5 subscription.
You need to upgrade the Windows 10 Pro devices to Windows 10 Enterprise. The solution must minimize administrative effort.
Which upgrade method should you use?
- A . Windows Autopilot
- B . a Microsoft Deployment Toolkit (MDT) lite-touch deployment
- C . Subscription Activation
- D . an in-place upgrade by using Windows installation media
C
Explanation:
Windows 10/11 Subscription Activation
Windows 10 Pro supports the Subscription Activation feature, enabling users to “step-up” from Windows 10 Pro or Windows 11 Pro to Windows 10 Enterprise or Windows 11 Enterprise, respectively, if they are subscribed to Windows 10/11 Enterprise E3 or E5.
Reference: https://docs.microsoft.com/en-us/windows/deployment/windows-10-subscription-activation
HOTSPOT
You have a Microsoft 365 subscription.
You plan to enable Microsoft Intune enrollment for the following types of devices:
• Existing Windows 11 devices managed by using Configuration Manager
• Personal iOS devices
The solution must minimize user disruption.
Which enrollment method should you use for each device type? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Box 1: Co-management
Existing Windows 11 devices managed by using Configuration Manager
Co-management enrollment
If you use Configuration Manager, and want to continue to use Configuration Manager, then co-management enrollment is for you. Co-management manages Windows 10/11 devices using Configuration Manager and Microsoft Intune together. You cloud-attach your existing Configuration Manager environment to Intune. This enrollment option runs some workloads in Configuration Manager, and other workloads in Intune.
Box 2: User enrollment
Personal iOS devices
BYOD: User and Device enrollment
These iOS/iPadOS devices are personal or BYOD (bring your own device) devices that can access organization email, apps, and other data. Starting with iOS 13 and newer, this enrollment option targets users or targets devices. It doesn’t require resetting the devices.
Note: Enroll iOS and iPadOS devices in Microsoft Intune
Personal and organization-owned devices can be enrolled in Intune. Once they’re enrolled, they receive the policies and profiles you create. You have the following options when enrolling iOS/iPadOS devices:
Automated device enrollment (ADE)
Apple Configurator
BYOD: User and Device enrollment
Incorrect:
* Automated Device Enrollment
Automated Device Enrollment (ADE) (supervised)
Previously called Apple Device Enrollment Program (DEP). Use on devices owned by your organization. This option configures settings using Apple Business Manager (ABM) or Apple School Manager (ASM). It enrolls a large number of devices, without you ever touching the devices. These devices are purchased from Apple, have your preconfigured settings, and can be shipped directly to users or schools. You create an enrollment profile in the Intune admin center, and push this profile to the devices.
* Apple Configurator
Apple Configurator enrollment
Use on devices owned by your organization, and includes Direct Enrollment. This option requires you to physically connect iOS/iPadOS devices to a Mac computer using the USB port.
Reference:
https://learn.microsoft.com/en-us/mem/intune/fundamentals/deployment-guide-enrollment-windows
https://learn.microsoft.com/en-us/mem/intune/fundamentals/deployment-guide-enrollment-ios-ipados
HOTSPOT
You have a Microsoft Entra ID P2 subscription that contains the users shown in the following table.
You purchase the devices shown in the following table.
You configure automatic mobile device management (MDM) and mobile application management (MAM) enrollment by using the following settings:
• MDM user scope: Group1
• MAM user scope: Group2
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
Explanation:
Reference:
https://docs.microsoft.com/en-us/mem/intune/enrollment/android-enroll
https://powerautomate.microsoft.com/fr-fr/blog/mam-flow-mobile/
Your network contains an Active Directory Domain Services (AD DS) domain. The domain contains 100 client computers that run Windows 10.
Currently, your company does NOT have a deployment infrastructure.
The company purchases Windows 11 licenses through a volume licensing agreement.
You need to recommend how to upgrade the computers to Windows 11. The solution must minimize licensing costs.
What should you include in the recommendation?
- A . Windows Autopilot
- B . Configuration Manager
- C . subscription activation
- D . Microsoft Deployment Toolkit (MDT)
C
Explanation:
Deploy Windows Enterprise licenses
Active Directory synchronization with Azure AD
If you have an on-premises Active Directory Domain Services (AD DS) domain, you need to synchronize the identities in the on-premises AD DS domain with Azure AD. This synchronization is required for users to have a single identity that they can use to access their on-premises apps and cloud services that use Azure AD. An example of a cloud service is Windows Enterprise E3 or E5.
Note: You can deploy Windows 10 or Windows 11 Enterprise E3 or E5 licenses with subscription activation or Enterprise E3 in CSP and Azure Active Directory (Azure AD).
These activation features require a supported and licensed version of Windows 10 Pro or Windows 11 Pro:
Subscription activation with an enterprise agreement (EA) or a Microsoft Products & Services Agreement (MPSA).
Enterprise E3 in CSP.
Automatic, non-KMS activation also requires a device with a firmware-embedded activation key.
Subscription activation requires Enterprise per user licensing. It doesn’t work with per device licensing.
Reference: https://learn.microsoft.com/en-us/windows/deployment/deploy-enterprise-licenses
HOTSPOT
You have computers that run Windows 10 and are configured by using Windows Autopilot.
A user performs the following tasks on a computer named Computer1:
• Creates a VPN connection to the corporate network
• Installs a Microsoft Store app named App1
• Connects to a Wi-Fi network
You perform a Windows Autopilot Reset on Computer1.
What will be the state of the computer when the user signs in? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Box 1: Retained and the passphrase will be retained
The Windows Autopilot Reset process automatically keeps information from the existing device:
* Wi-Fi connection details.
Box 2: Removed
Windows Autopilot Reset:
* Removes personal files, apps, and settings.
Box 3: Removed
Windows Autopilot Reset:
Removes personal files, apps, and settings.
Reapplies a device’s original settings.
Sets the region, language, and keyboard to the original values.
Maintains the device’s identity connection to Azure AD.
Maintains the device’s management connection to Intune.
The Windows Autopilot Reset process automatically keeps information from the existing device:
Wi-Fi connection details.
Provisioning packages previously applied to the device.
A provisioning package present on a USB drive when the reset process is started.
Azure Active Directory device membership and MDM enrollment information.
Reference: https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot-reset
HOTSPOT
You have a Microsoft Deployment Toolkit (MDT) solution that is used to manage Windows 11 deployment tasks.
MDT contains the operating system images shown in the following table.
You need to perform a Windows 11 in-place upgrade on several computers that run Windows 10.
From the Deployment Workbench, you open the New Task Sequence Wizard.
You need to identify which task sequence template and which operating system image to use for the task sequence. The solution must minimize administrative effort.
What should you identify? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Box 1: Standard Client Upgrade Task Sequence
Use Template: Standard Client Upgrade Task Sequence
In-place upgrade is the preferred method to use when migrating from Windows 10/11 to a later release of Windows 10/11, and is also a preferred method for upgrading from Windows 7 or 8.1 if you do not plan to significantly change the device’s configuration or applications. MDT includes an in-place upgrade task sequence template that makes the process really simple.
Box 2: Install.wim
In-place upgrade differs from computer refresh in that you cannot use a custom image to perform the in-place upgrade.
Reference: https://docs.microsoft.com/en-us/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit
You have a workgroup computer named Client1 that runs Windows 11 and connects to a public network.
You need to enable PowerShell remoting on Client1. The solution must ensure that PowerShell remoting connections are accepted from the local subnet only.
Which PowerShell command should you run?
- A . Set-PSSessionConfiguration -AccessMode Local
- B . Enable-PSRemoting -SkipNetworkProfileCheck
- C . Enable-PSRemoting -Force
- D . Set-NetFirewallRule -Name "WINRM-HTTP-In-TCP-PUBLIC" -RemoteAddress Any
B
Explanation:
The Enable-PSRemoting cmdlet configures the computer to receive PowerShell remote commands that are sent by using the WS-Management technology. WS-Management based PowerShell remoting is currently supported only on the Windows platform.
Syntax
Enable-PSRemoting
[-Force]
[-SkipNetworkProfileCheck]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
Parameters include:
* -SkipNetworkProfileCheck
Indicates that this cmdlet enables remoting on client versions of the Windows operating system when the computer is on a public network. This parameter enables a firewall rule for public networks that allows remote access only from computers in the same local subnet.
Reference: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting
You have a Microsoft Intune subscription associated to a Microsoft Entra tenant named contoso.com.
Users use one of the following three suffixes when they sign in to the tenant: us.contoso.com, eu.contoso.com, or contoso.com.
You need to ensure that the users are NOT required to specify the mobile device management (MDM) enrollment URL as part of the enrollment process. The solution must minimize the number of changes.
Which DNS records do you need?
- A . one TXT record only
- B . three CNAME records
- C . three TXT records
- D . one CNAME record only
B
Explanation:
To simplify enrollment, create a domain name server (DNS) alias (CNAME record type) that redirects enrollment requests to Intune servers. Otherwise, users trying to connect to Intune must enter the Intune server name during enrollment.
If the company uses more than one UPN suffix, you need to create one CNAME for each domain name and point each one to EnterpriseEnrollment-s.manage.microsoft.com.
For example, users at Contoso use the following formats as their email/UPN:
name@contoso.com
name@us.contoso.com
name@eu.contoso.com
Reference: https://docs.microsoft.com/en-us/mem/intune/enrollment/windows-enroll#simplify-windows-enrollment-without-azure-ad-premium
HOTSPOT
You have a Microsoft 365 subscription.
You plan to enroll devices in Microsoft Intune that have the platforms and versions shown in the following table.
You need to configure device enrollment to meet the following requirements:
• Ensure that only devices that have approved platforms and versions can enroll in Microsoft Intune.
• Ensure that devices are added to Microsoft Entra groups based on a selection made by users during the enrollment.
Which device enrollment setting should you configure for each requirement? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Box 1: Enrollment restrictions
As an Intune administrator, you can create and manage enrollment restrictions that define what devices can enroll into management with Intune, including the:
Number of devices.
Operating systems and versions.
Box 2: Device categories
To make managing devices easier, you can use Microsoft Intune device categories to automatically add devices to groups based on categories that you define.
Device categories use the following workflow:
Create categories that users can choose from when they enroll their device.
When users of iOS/iPadOS and Android devices enroll a device, they must choose a category from the list of categories you configured. To assign a category to a Windows device, users must use the Company Portal website.
You can then deploy policies and apps to these groups.
You can create any device categories you want. For example:
– Point-of-sale device
– Demonstration device
– Sales
– Accounting
– Manager
Reference:
https://docs.microsoft.com/en-us/mem/intune/enrollment/enrollment-restrictions-set
https://docs.microsoft.com/en-us/mem/intune/enrollment/device-group-mapping
HOTSPOT
Your network contains an on-premises Active Directory domain that contains the locations shown in the following table.
In Microsoft Intune, you enroll the Windows 10 devices shown in the following table.
You have a Delivery Optimization device configuration profile applied to all the devices.
The profile is configured as shown in the following exhibit.
From which devices can Device1 and Device2 get updates? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Reference: https://garvis.ca/2021/06/01/delivery-optimization-know-your-options/
You have a Microsoft Entra tenant named contoso.com.
You plan to purchase 25 computers that run Windows 11. You plan to deliver the computers directly to users.
You need to ensure that during the out-of-box experience (OBE), users are prompted to sign in, and then the computers are configured to use Microsoft Intune.
Which two components should you configure? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
- A . a provisioning package
- B . automatic enrollment
- C . an unattend.xml answer file
- D . a Windows Autopilot deployment profile for self-deploying mode
- E . a Windows Autopilot deployment profile for user-driven mode
BE
Explanation:
B: Automatic MDM enrollment in the Intune admin center
Windows devices can be enrolled into Intune automatically when they join or register with Azure Active Directory. Automatic enrollment can be configured in the Azure portal.
You need to assign the same deployment profile to all the computers that are configured by using Windows Autopilot.
Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
- A . Create a Microsoft Entra group that has dynamic membership rules and uses the ZTDID tag.
- B . Create a Microsoft Entra group that has dynamic membership rules and uses the operatingSystem tag.
- C . Assign a Windows Autopilot deployment profile to a group.
- D . Join the computers to Microsoft Entra.
- E . Create a Group Policy object (GPO) that is linked to a domain.
- F . Join the computers to an on-premises Active Directory domain.
AC
Explanation:
A: ZTDId: A unique value assigned to all imported Windows AutoPilot devices.
C: It is possible to automatically assign a Windows AutoPilot deployment profile to Windows AutoPilot devices. That makes it a lot easier for administrators, as this prevents the administrators from potentially forgetting to assign the deployment profile to newly imported devices.
Reference: https://www.petervanderwoude.nl/post/automatically-assign-windows-autopilot-deployment-profile-to-windows-autopilot-devices/
DRAG DROP
You have a Microsoft Deployment Toolkit (MDT) deployment share that has a path of D:\MDTShare.
You need to add a feature pack to the boot image.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Explanation:
Step 1: Copy the feature pack to D:\MDTShare\Tools\x86
Add a feature pack, DaRT 10 (part of MDOP 2015), to the boot images.
You plan to deploy Windows 11 Pro to 200 new computers by using the Microsoft Deployment Toolkit (MDT) and Windows Deployment Services (WDS).
The company has a Volume Licensing Agreement and uses a product key to activate Windows 11.
You need to ensure that the new computers will be configured to have the correct product key during the installation.
What should you configure?
- A . an MDT task sequence
- B . the Device settings in Azure AD
- C . a WDS boot image
- D . a Windows Autopilot deployment profile
A
Explanation:
Create the deployment task sequence.
The task sequence used to deploy your production Windows 10 reference image. You will then configure the task sequence to enable patching via a Windows Server Update Services (WSUS) server. This includes: Specify Product Key: Do not specify a product key at this time
Reference: https://docs.microsoft.com/en-us/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt#a-href-idsec08astep-8-deploy-the-windows-10-client-image
HOTSPOT
You manage a Microsoft Deployment Toolkit (MDT) deployment share named DS1. DS1 contains an Out-of-Box Drivers folder named Windows 11 x64 that has subfolders in the format of {make name}\{model name}.
You need to modify a deployment task sequence to ensure that all the drivers in the folder that match the make and model of the computers are installed without using PnP detection or selection profiles.
What should you do? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Box 1: Preinstall
PREINSTALL
Completes any tasks that need to be done (such as creating new partitions) before the target operating system is deployed.
Incorrect:
* INSTALL
Installs the target operating system on the target computer.
* VALIDATION
Identifies that the target computer is capable of running the scripts necessary to complete the deployment process.
Box 2: Inject Drivers
Inject Drivers
This task sequence step injects drivers that have been configured for deployment to the target computer.
The unique properties and settings for the Inject Drivers task sequence step type are:
* Property: Type. Set this read-only type to Inject Drivers.
* Settings:
– Install only matching drivers: Injects only the drivers that the target computer requires and that match what is available in Out-of-Box Drivers.
– Install all drivers: Installs all drivers.
– Selection profile: Installs all drivers in the selected profile.
Reference: https://docs.microsoft.com/en-us/mem/configmgr/mdt/toolkit-reference
HOTSPOT
You use the Microsoft Deployment Toolkit (MDT) to deploy Windows 11.
You need to modify the deployment share to meet the following requirements:
• Ensure that the user who performs the installation is prompted to set the local Administrator password
• Define a rule for how to name computers during the deployment.
The solution must NOT replace the existing WinPE image.
Which file should you modify for each requirement? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Box 1: CustomSettings.ini
You can skip the entire Windows Deployment Wizard by specifying the SkipWizard property in CustomSettings.ini.
To skip individual wizard pages, use the following properties:
SkipAdminPassword
Etc.
Note: The CustomSettings.ini file includes for example:
AdminPassword=pass@word1
DomainAdmin=CONTOSO\MDT_JD
DomainAdminPassword=pass@word1
Some properties to use in the MDT Production rules file are as follows:
DomainAdmin. The account to use when joining the machine to the domain.
DomainAdminDomain. The domain for the join domain account.
DomainAdminPassword. The password for the join domain account.
Box 2: CustomSettings.ini
Example of content in the CustomSettings.ini file:
SkipComputerName=YES
OSDComputerName=%ComputerName%
Reference:
https://docs.microsoft.com/en-us/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt
https://docs.microsoft.com/en-us/mem/configmgr/mdt/samples-guide
HOTSPOT
You have a Microsoft Entra tenant that contains the following:
• Windows 11 devices that are joined to Microsoft Entra
• A user that has a display name of User1 and a UPN of user1@contoso.com
You enable Remote Desktop on the Windows 11 devices.
You need to ensure that User1 can use Remote Desktop to connect to the devices.
How should you complete the command that must be run on each device? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Box 1: "Remote Desktop Users"
Connect to remote Azure Active Directory joined device
Add users to Remote Desktop Users group
Remote Desktop Users group is used to grant users and groups permissions to remotely connect to the device. Users can be added either manually or through MDM policies:
Adding users manually:
You can specify individual Azure AD accounts for remote connections by running the following command, where <userUPN> is the UPN of the user, for example user@domain.com:
net localgroup "Remote Desktop Users" /add "AzureAD\<userUPN>"
Box 2: AzureAD\User1@Contoso.com
Reference: https://learn.microsoft.com/en-us/windows/client-management/client-tools/connect-to-remote-aadj-pc
HOTSPOT
You have a Microsoft 365 subscription that contains the devices shown in the following table.
All the devices will be reimaged and licensed by using subscription activation.
The devices are assigned to the users shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
Explanation:
Box 1: No
Device1 has 14 GB RAM, 256 GB storage, and TPM version 1.2.
TPM 2.0 is required to run Windows 11, as an important building block for security-related features. TPM 2.0 is used in Windows 11 for a number of features, including Windows Hello for identity protection and BitLocker for data protection.
Note: Since July 28, 2016, all new device models, lines, or series (or if you’re updating the hardware configuration of an existing model, line, or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0 (details in section 3.7 of the Minimum hardware requirements page). The requirement to enable TPM 2.0 only applies to the manufacturing of new devices.
Box 2: No
Device2 has 4 GB RAM, 64 GB storage, and TPM version 2.0. This is fine.
At least 4 GB is required.
At least 64 GB storage is required.
Device2 is assigned to User2.
There is a Microsoft 365 E3 license for this assignment.
Microsoft 365 E3 is for Windows 11 Pro.
Box 3: Yes
Device3 meets the Windows 11 requirements.
There is no Windows 11 license for Device3.
Reference:
https://www.microsoft.com/en-us/windows/windows-11-specifications
https://learn.microsoft.com/en-us/windows/security/hardware-security/tpm/tpm-recommendations
You have 500 computers that run Windows 10. The computers are joined to Microsoft Entra and enrolled in Microsoft Intune.
You plan to distribute certificates to the computers by using Simple Certificate Enrollment Protocol (SCEP).
You have the servers shown in the following table.
NDES issues certificates from the subordinate CA.
You are configuring a device configuration profile as shown in the exhibit. (Click the Exhibit tab.)
You need to complete the SCEP profile.
On which server is the required root certificate located?
- A . Server1
- B . Server2
- C . Server3
- D . Server4
C
Explanation:
As NDES issues certificates from the subordinate CA located at Server3, the root certificate should be used for Server3.
HOTSPOT
You have a Microsoft Entra tenant named contoso.com that contains the devices shown in the following table.
The tenant contains the groups shown in the following table.
You add an Autopilot deployment profile as shown in the following exhibit.
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
Explanation:
Box 1: No
Device1 is not deployed by using Windows Autopilot.
Device1 is Azure AD joined.
Device1 is not enrolled in Microsoft Intune.
Device1 is a member of Group1.
Group1 is an included group in the Autopilot deployment profile.
Box 2: No
As Device1, but Device2 is enrolled in Microsoft Intune and is also a member of Group2.
Group2 is excluded from the Autopilot deployment profile.
Box 3: Yes
As Device1, but deployed by Windows Autopilot and enrolled in Microsoft Intune.
Reference: https://learn.microsoft.com/en-us/autopilot/profiles
HOTSPOT
You have the Microsoft Deployment Toolkit (MDT) installed in three sites as shown in the following table.
You use Distributed File System (DFS) Replication to replicate images in a share named Production.
You configure the following settings in the Bootstrap.ini file.
You plan to deploy Windows 10 to the computers shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
Explanation:
Box 1: No
Box 2: Yes
Box 3: Yes
Reference: https://docs.microsoft.com/en-us/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment
DRAG DROP
Your on-premises network contains an Active Directory Domain Services (AD DS) domain.
You have an Azure subscription that contains a virtual network named VNet1. VNet1 contains five virtual machines and is NOT connected to the on-premises network.
You have a Microsoft 365 subscription that uses Microsoft Intune Suite.
You purchase Windows 365 Enterprise licenses.
You need to deploy Cloud PC. The solution must meet the following requirements:
• All users must be able to access their Cloud PC at any time without any restrictions.
• The users must be able to connect to the virtual machines on VNet1.
How should you configure the provisioning policy for Windows 365? To answer, drag the appropriate options to the correct settings. Each option may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point.
Explanation:
Box 1: Microsoft Entra hybrid join
Join type
Select a Join type:
Organizations with existing Active Directory implementations can benefit from some of the functionality provided by Microsoft Entra ID by implementing Microsoft Entra hybrid joined devices. These devices are joined to your on-premises Active Directory and registered with Microsoft Entra ID.
Microsoft Entra hybrid joined devices require network line of sight to your on-premises domain controllers periodically. Without this connection, devices become unusable. If this requirement is a concern, consider Microsoft Entra joining your devices.
Box 2: Azure network connection
Network
*-> Hybrid Microsoft Entra join: You must select an ANC (Azure network connection) to use for this policy.
Note:
* Microsoft Entra Join: You have two options for Network:
– Microsoft hosted network: Select a Geography where you want your Cloud PCs provisioned.
Then, for Region, you can select:
Automatic (Recommended): The Windows 365 service automatically chooses a region within the selected geography at the time of provisioning. This automation decreases the chance of provisioning failure.
A specific region: This option makes sure that your Cloud PCs are only provisioned in the region that you choose.
– Azure network connection: Select an ANC to use for this policy.
Box 3: Enterprise
License type
"You purchase Windows 365 Enterprise licenses."
Enterprise: Provision Cloud PCs for Windows 365 Enterprise.
Frontline: Provision Cloud PCs for Windows 365 Frontline.
Reference:
https://learn.microsoft.com/en-us/entra/identity/devices/concept-hybrid-join
https://learn.microsoft.com/en-us/windows-365/enterprise/create-provisioning-policy
HOTSPOT
Your network contains an Active Directory domain.
The domain contains four computers named Computer1, Computer2, Computer3, and Computer4 that run Windows 10.
You perform the following actions:
• On Computer1, you install Windows Admin Center and configure Windows Defender Firewall to allow incoming communication over TCP ports 80, 443, and 6516.
• On Computer2, you run the Enable-PSRemoting cmdlet.
• On Computer3, you configure Windows Defender Firewall to allow Windows Remote Management (WinRM) traffic.
• On Computer4, you run the winrm quickconfig command.
You need to manage the computers remotely by using Windows Admin Center.
From which computers can you connect to Windows Admin Center, and which computers can you manage by using Windows Admin Center? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Box 1: Computer1 only
Connected from:
Computer1 – Yes
On Computer1, you install Windows Admin Center and configure Windows Defender Firewall to allow incoming communication over TCP ports 80, 443, and 6516.
Networking configuration
Windows Admin Center communicates outbound securely to endpoints over TCP port 443. By default, the Windows Admin Center gateway and browser use the default route to the internet to perform actions. You can optionally configure the gateway to use a proxy server if your network requires it.
Computer2 – No
On Computer2, you run the Enable-PSRemoting cmdlet.
Computer3 – No
On Computer3, you configure Windows Defender Firewall to allow Windows Remote Management (WinRM) traffic.
Computer4 – No
On Computer4, you run the winrm quickconfig command.
Installation and configuration for Windows Remote Management
For Windows Remote Management (WinRM) scripts to run, and for the Winrm command-line tool to perform data operations, WinRM has to be both installed and configured.
Box 2: Computer1, Computer2, and Computer4 only
Computer1 – Yes
On Computer1, you install Windows Admin Center and configure Windows Defender Firewall to allow incoming communication over TCP ports 80, 443, and 6516.
Computer2 – Yes
On Computer2, you run the Enable-PSRemoting cmdlet.
Windows Remote Management is one component of the Windows Hardware Management features that manage server hardware locally and remotely. These features include a service that implements the WS-Management protocol, hardware diagnosis and control through baseboard management controllers (BMCs), and a COM API and scripting objects that allow you to write applications that communicate remotely through the WS-Management protocol.
Computer3 – No
On Computer3, you configure Windows Defender Firewall to allow Windows Remote Management (WinRM) traffic.
Remote management must be enabled as well.
Computer4 – Yes
Quick default configuration
Enable the WS-Management protocol on the local computer, and set up the default configuration for remote management with the command winrm quickconfig.
The winrm quickconfig command (which can be abbreviated to winrm qc) performs these operations:
Starts the WinRM service, and sets the service startup type to auto-start.
Configures a listener for the ports that send and receive WS-Management protocol messages using either HTTP or HTTPS on any IP address.
Defines ICF exceptions for the WinRM service, and opens the ports for HTTP and HTTPS.
Reference:
https://learn.microsoft.com/en-us/windows-server/manage/windows-admin-center/deploy/network-requirements
https://learn.microsoft.com/en-us/windows/win32/winrm/about-windows-remote-management
You have a Hyper-V host.
The host contains virtual machines that run Windows 10 as shown in the following table.
Which virtual machines can be upgraded to Windows 11?
- A . VM1 only
- B . VM2 only
- C . VM2 and VM3 only
- D . VM1, VM2, and VM3
B
Explanation:
Before you can enable Hyper-V on your Windows 11 machine, you need to make sure that your system is compatible. Here are the system requirements for Hyper-V on Windows 11:
Windows 11 Pro or Enterprise 64-bit Operating System
A 64-bit processor with Second Level Address Translation (SLAT)
A minimum of 4 GB of RAM
BIOS-level hardware virtualization support
Incorrect:
* VM3
Need two virtual processors or more.
* VM1
Windows 11 requires generation 2.
Windows guest operating system support
The following table shows which 64-bit versions of Windows you can use as a guest operating system for generation 1 and generation 2 virtual machines.
Reference: https://learn.microsoft.com/en-us/windows-server/virtualization/hyper-v/plan/should-i-create-a-generation-1-or-2-virtual-machine-in-hyper-v
https://techcommunity.microsoft.com/t5/educator-developer-blog/step-by-step-how-to-create-a-windows-11-vm-on-hyper-v-via/ba-p/3754100
You have a Microsoft 365 subscription that has Windows 365 Enterprise licenses.
You plan to use a custom Windows 11 image as a template for Cloud PCs.
You have a Hyper-V virtual machine that runs Windows 11 and has the following configurations:
• Name: VM1
• Disk size: 64 GB
• Disk format: VHDX
• Disk type: Fixed size
• Generation: Generation 2
You need to ensure that you can use VM1 as a source for the custom image.
What should you do on VM1 first?
- A . Change the disk type to Dynamically expanding.
- B . Change the disk format to the VHD.
- C . Change the generation to Generation 1.
- D . Increase the disk size.
A
Explanation:
Windows 365 uses both default and custom operating system images to automatically create the virtual Cloud PCs that you provide to your end users. The default images are available from the gallery in Microsoft Intune as a part of creating your provisioning policy. You can also upload custom images that you create.
Image requirements
Both marketplace and custom images must meet the following requirements:
* Windows 10 Enterprise version 21H2 or later.
* Windows 11 Enterprise 21H2 or later.
(not C) * Generation 2 images.
Note
We recently made the change to generation 2 (Gen2) virtual machine images. Newly created custom images must be Gen2. Existing custom images uploaded based on generation 1 will remain active.
* Generalized VM image.
* Single Session VM images (multi-session isn’t supported).
* No recovery partition. For information about how to remove a recovery partition, see the Windows Server command: delete partition.
(A) *-> Default 64-GB OS disk size. The OS disk size is automatically adjusted to the size specified in SKU description of the Windows 365 license.
A custom image must also meet the following extra requirements:
* Exists in an Azure subscription.
* Is stored as a managed image in Azure.
* Storing a managed image on Azure incurs storage costs. However, customers can delete the managed image from Azure once they’ve successfully uploaded it as a Custom Image to Microsoft Intune.
Reference: https://learn.microsoft.com/en-us/windows-365/enterprise/device-images
HOTSPOT
Your on-premises network contains an Active Directory domain named contoso.com.
The domain contains a user account named Admin1 and the resources shown in the following table.
You have a Microsoft 365 E5 subscription.
You have a Microsoft Entra tenant that syncs with contoso.com.
Admin1 plans to use Windows Autopilot to deploy 100 Windows 11 devices.
The deployment must meet the following requirements:
• The devices must be Microsoft Entra hybrid joined during the deployment.
• Computer objects must be created in OU1.
You need to configure Server1 and Active Directory delegation to support the deployment. NOTE: Each correct selection is worth one point.
Explanation:
Box 1: Install the Intune Connector for Active Directory Server1
Deploy Microsoft Entra hybrid joined devices by using Intune and Windows Autopilot
Intune connector server prerequisites
The Intune Connector for Active Directory must be installed on a computer that’s running Windows Server 2016 or later with .NET Framework version 4.7.2 or later.
The server hosting the Intune Connector must have access to the internet and your Active Directory.
Box 2: OU1
Resource
The organizational unit that has the rights to create computers must match:
The organizational unit entered in the Domain Join profile.
If no profile is selected, the computer’s domain name for your domain.
HOTSPOT
You have a Microsoft Entra tenant that contains the devices shown in the following table.
The tenant contains the groups shown in the following table.
You create a Windows Autopilot deployment profile as shown in the Deployment Profile exhibit. (Click the Deployment Profile tab.)
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
Explanation:
Box 1: No
No – Device1 is registered for Autopilot.
Device1 is Microsoft Entra registered, which prevents it from being registered for Autopilot.
Note: Important
The following type of devices shouldn’t be registered as a Windows Autopilot device:
* -> Microsoft Entra registered devices, also known as "workplace joined" devices.
* Intune MDM-only enrollment devices.
These options are intended for users to join personally owned devices to their organization’s network.
Windows Autopilot registered devices are registered as corporate owned devices.
If a device is already one of these two types of devices, to register it as a Windows Autopilot device, first remove it from Microsoft Intune and Microsoft Entra ID.
Box 2: Yes
Yes – Device2 is registered for Autopilot.
Device2 is Microsoft Entra joined.
Device2 is Windows 10, and ownership is Corporate.
Device2 is in Group1.
Note Profile:
Profile includes Group1, and excludes Group2.
Box 3: No
No – Device3 is registered for Autopilot.
Device3 is Microsoft Entra joined.
Device3 is Windows 11, and ownership is Corporate.
Device3 is in Group2.
The profile excludes Group2.
Note: Windows Autopilot registration
Reference: https://learn.microsoft.com/en-us/autopilot/registration-overview
You have a Microsoft 365 Business Standard subscription and 100 Windows 10 Pro devices that are joined to Microsoft Entra.
You purchase Microsoft 365 E5 licenses for all users.
You need to upgrade the Windows 10 Pro devices to Windows 10 Enterprise. The solution must minimize administrative effort.
Which upgrade method should you use?
- A . a Microsoft Deployment Toolkit (MDT) lite-touch deployment
- B . Subscription Activation
- C . an in-place upgrade by using Windows installation media
- D . Windows Autopilot
B
Explanation:
Windows 10/11 Subscription Activation
Windows 10 Pro supports the Subscription Activation feature, enabling users to “step-up” from Windows 10 Pro or Windows 11 Pro to Windows 10 Enterprise or Windows 11 Enterprise, respectively, if they are subscribed to Windows 10/11 Enterprise E3 or E5.
Reference: https://docs.microsoft.com/en-us/windows/deployment/windows-10-subscription-activation
You have a Microsoft 365 E5 subscription.
You need to enroll Android Enterprise devices in Microsoft Intune by using zero-touch enrollment.
What should you do first?
- A . From the Microsoft Intune admin center, configure enrollment restrictions.
- B . From the Microsoft Intune admin center, create a zero-touch configuration.
- C . From the Microsoft Intune admin center, link a Managed Google Play account.
- D . From the zero-touch enrollment portal, create a zero-touch configuration.
C
Explanation:
Before you can enroll Android Enterprise devices using zero-touch enrollment in Microsoft Intune, the first step is to link a Managed Google Play account to Microsoft Intune. This is necessary because Android Enterprise management, including zero-touch enrollment, relies on the Managed Google Play account to manage and deploy apps and policies to Android devices. After linking the account, you can proceed with setting up the zero-touch configuration.
DRAG DROP
You have a Microsoft 365 E5 subscription that is linked to a Microsoft Entra tenant named contoso.com.
The subscription contains a user named User1 and a new Windows 11 device named Device1.
User1 must enroll Device1 in Microsoft Intune automatically.
You need to ensure that all other users cannot use automatic enrollment.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Explanation:
The correct sequence of actions is:
Create a group named Group1 and add User1 to Group1.
Configure the mobile device management (MDM) user scope.
Instruct User1 to join Device1 to contoso.com.
Create a group named Group1 and add User1 to Group1: This step ensures that User1 is in a group that can be targeted for enrollment settings.
Configure the mobile device management (MDM) user scope: Configure the MDM scope to include only Group1. This will allow only members of Group1 (in this case, User1) to automatically enroll devices into Intune.
Instruct User1 to join Device1 to contoso.com: After configuring the MDM scope and adding User1 to the appropriate group, User1 can then join Device1 to Microsoft Entra, which will trigger the automatic enrollment in Intune.
You have a Microsoft 365 E5 subscription.
You need to ensure that when a Windows device is joined to the Microsoft Entra tenant, the device is enrolled automatically in Microsoft Intune.
What should you configure?
- A . the Windows Information Protection (WIP) user scope
- B . the Enterprise State Roaming settings
- C . the Microsoft Entra join and registration settings
- D . the mobile device management (MDM) user scope
D
Explanation:
To ensure that Windows devices are automatically enrolled in Microsoft Intune when they are joined to the Microsoft Entra tenant, you need to configure the MDM user scope. By setting the MDM user scope to include specific users or groups, devices joined to the Microsoft Entra tenant by those users will be automatically enrolled in Microsoft Intune for management.
Manage identity and compliance
Testlet 1
Case study
Overview
Contoso, Ltd. is a consulting company that has a main office in Montreal and two branch offices in Seattle and New York.
Contoso has the users and computers shown in the following table.
The company has IT, human resources (HR), legal (LEG), marketing (MKG), and finance (FIN) departments.
Contoso recently purchased a Microsoft 365 subscription.
The company is opening a new branch office in Phoenix. Most of the users in the Phoenix office will work from home.
Existing Environment
The network contains an Active Directory domain named contoso.com that is synced to Azure AD.
All member servers run Windows Server 2016. All laptops and desktop computers run Windows 10 Enterprise.
The computers are managed by using Microsoft Configuration Manager. The mobile devices are managed by using Microsoft Intune.
The naming convention for the computers is the department acronym, followed by a hyphen, and then four numbers, for example FIN-6785. All the computers are joined to the on-premises Active Directory domain.
Each department has an organizational unit (OU) that contains a child OU named Computers. Each computer account is in the Computers OU of its respective department.
Intune Configuration
The domain has the users shown in the following table.
User2 is a device enrollment manager (DEM) in Intune.
The devices enrolled in Intune are shown in the following table.
The device compliance policies in Intune are configured as shown in the following table.
The device compliance policies have the assignments shown in the following table.
The device limit restrictions in Intune are configured as shown in the following table.
Requirements
Planned changes
Contoso plans to implement the following changes:
• Provide new computers to the Phoenix office users. The new computers have Windows 10 Pro preinstalled and were purchased already.
• Implement co-management for the computers.
Technical Requirements
Contoso must meet the following technical requirements:
• Ensure that the users in a group named Group4 can only access Microsoft Exchange Online from devices that are enrolled in Intune.
• Deploy Windows 10 Enterprise to the computers of the Phoenix office users by using Windows Autopilot.
• Create a provisioning package for new computers in the HR department.
• Block iOS devices from sending diagnostic and usage telemetry data.
• Use the principle of least privilege whenever possible.
• Enable the users in the MKG department to use App1.
• Pilot co-management for the IT department.
HOTSPOT
You are evaluating which devices are compliant.
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
Explanation:
Box 1: No
Policy3, which requires encryption, applies to Device1.
Box 2: Yes
Policy1, which has no encryption requirement, applies to Device3.
Box 3: Yes
Policy2, which has no encryption requirement, applies to Device4.
Manage identity and compliance
Testlet 2
Case study
Overview
ADatum Corporation is a consulting company that has a main office in Montreal and branch offices in Seattle and New York.
ADatum has a Microsoft 365 E5 subscription.
Environment
Network Environment
The network contains an on-premises Active Directory domain named adatum.com.
The domain contains the servers shown in the following table.
ADatum has a hybrid Azure AD tenant named adatum.com.
Users and Groups
The adatum.com tenant contains the users shown in the following table.
All users are assigned a Microsoft Office 365 license and an Enterprise Mobility + Security E3 license.
Enterprise State Roaming is enabled for Group1 and GroupA.
Group1 and Group2 have a Membership type of Assigned.
Devices
ADatum has the Windows 10 devices shown in the following table.
The Windows 10 devices are joined to Azure AD and enrolled in Microsoft Intune.
The Windows 10 devices are configured as shown in the following table.
All the Azure AD joined devices have an executable file named C:\AppA.exe and a folder named D:\Folder1.
Microsoft Intune Configuration
Microsoft Intune has the compliance policies shown in the following table.
The Automatic Enrolment settings have the following configurations:
• MDM user scope: GroupA
• MAM user scope: GroupB
You have an Endpoint protection configuration profile that has the following Controlled folder access settings:
• Name: Protection1
• Folder protection: Enable
• List of apps that have access to protected folders: C:\AppA.exe
• List of additional folders that need to be protected: D:\Folder1
• Assignments – Included groups: Group2, GroupB
Windows Autopilot Configuration
ADatum has a Windows Autopilot deployment profile configured as shown in the following exhibit.
Currently, there are no devices deployed by using Windows Autopilot.
The Intune connector for Active Directory is installed on Server1.
Requirements
Planned Changes
ADatum plans to implement the following changes:
• Purchase a new Windows 10 device named Device6 and enroll the device in Intune
• New computers will be deployed by using Windows Autopilot and will be hybrid Azure AD joined.
• Deploy a network boundary configuration profile that will have the following settings:
– Name: Boundary1
– Network boundary: 192.168.1.0/24
– Scope tags: Tag1
– Assignments:
* Included groups: Group1, Group2
• Deploy two VPN configuration profiles named Connection1 and Connection2 that will have the following settings:
– Name: Connection1
– Connection name: VPN1
– Connection type: L2TP
– Assignments:
* Included groups: Group1, Group2, GroupA
* Excluded groups: —
– Name: Connection2
– Connection name: VPN2
– Connection type: IKEv2
– Assignments:
* Included groups: GroupA
* Excluded groups: GroupB
Technical Requirements
ADatum must meet the following technical requirements:
• Users in GroupA must be able to deploy new computers.
• Administrative effort must be minimized.
Which devices are registered by using the Windows Autopilot deployment service?
- A . Device1 only
- B . Device3 only
- C . Device1 and Device3 only
- D . Device1, Device2, and Device3
C
Explanation:
* Device1 – yes
Device1 is Corporate-owned, and is a member of Group1.
Group1 has a Membership type of Assigned.
The Windows Autopilot deployment profile Profile1 has assignments:
Included Groups: Group1
* Device2 – No
Device2 is Corporate-owned, and is a member of Group1 and of Group2.
Group1 and Group2 have a Membership type of Assigned.
The Windows Autopilot deployment profile Profile1 has assignments:
Included Groups: Group1
Excluded Groups: Group2
The excluded Group takes precedence.
* Device3 – Yes
Device3 is Personally-owned, and is a member of Group1.
Group1 has a Membership type of Assigned.
The Windows Autopilot deployment profile Profile1 has assignments:
Included Groups: Group1
Note: Supported device scenarios
Microsoft Intune enables mobile device management for:
* Personal devices, including personally owned phones, tablets, and PCs.
* Corporate-owned devices, including phones, tablets, and PCs owned by your organization and distributed to employees and students for use at work or school.
Reference: https://learn.microsoft.com/en-us/mem/intune/fundamentals/deployment-guide-enrollment
HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
Explanation:
Box 1: No
Device1 has BitLocker: Yes, Secure Boot: No.
Device1 is a member of Group1.
Group1 is assigned Policy1 and Policy2.
Policy1 requires BitLocker only. OK.
Policy2 requires Secure Boot only. Not OK.
Box 2: No
Device4 has BitLocker: No, Secure Boot: Yes.
Device4 is a member of Group2.
Group2 is assigned Policy3.
Policy3 requires BitLocker and Secure Boot. Not OK.
Box 3: Yes
Device5 has BitLocker: Yes, Secure Boot: No.
Device5 is a member of Group3.
Group3 is not assigned any policies.
Manage identity and compliance
Question Set 3
HOTSPOT
You have a Microsoft 365 subscription.
You use Microsoft Intune Suite to manage devices.
You have the iOS app protection policy shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point.
Explanation:
iOS app protection policy settings
This applies to the app protection policy settings for iOS/iPadOS devices.
Box 1: PIN only
Timeout (minutes of inactivity) – here it is 30
Specify a time in minutes after which either a passcode or numeric (as configured) PIN will override the use of a fingerprint or face as method of access. This timeout value should be greater than the value specified under ‘Recheck the access requirements after (minutes of inactivity)’.
Note: PIN type
Set a requirement for either numeric or passcode type PINs before accessing an app that has app protection policies applied. Numeric requirements involve only numbers, while a passcode can be defined with at least 1 alphabetical letter or at least 1 special character.
Box 2: reset the Device PIN
Max PIN attempts. Here it is 5. Action: Reset PIN
App PIN when device PIN is set. Here it is Require
Note:
App PIN when device PIN is set
Select Disable to disable the app PIN when a device lock is detected on an enrolled device with Company Portal configured.
Max PIN attempts
Specify the number of tries the user has to successfully enter their PIN before the configured action is taken. If the user fails to successfully enter their PIN after the maximum PIN attempts, the user must reset their PIN after successfully logging into their account and completing a multi-factor authentication (MFA) challenge if required. This policy setting format supports a positive whole number. Actions include:
* Reset PIN – The user must reset their PIN.
* Wipe data – The user account that is associated with the application is wiped from the device.
Default value = 5
Reference: https://learn.microsoft.com/en-us/mem/intune/apps/app-protection-policy-settings-ios
DRAG DROP
You have a Microsoft 365 subscription that includes Microsoft Intune.
You need to implement a Microsoft Defender for Endpoint solution that meets the following requirements:
• Enforces compliance for Defender for Endpoint by using Conditional Access
• Prevents suspicious scripts from running on devices
What should you configure? To answer, drag the appropriate features to the correct requirements. Each feature may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point.
Explanation:
Box 1: An Intune connection
Enforces compliance for Defender for Endpoint by using Conditional Access
Configure Conditional Access in Microsoft Defender for Endpoint
Take the following steps to enable Conditional Access:
Step 1: Turn on the Microsoft Intune connection from Microsoft 365 Defender
Step 2: Turn on the Defender for Endpoint integration in Intune
Step 3: Create the compliance policy in Intune
Step 4: Assign the policy
Step 5: Create an Azure AD Conditional Access policy
Box 2: An Attack surface reduction (ASR) policy rule
Prevents suspicious scripts from running on devices
Attack surface reduction policy for endpoint security in Intune
When Defender antivirus is in use on your Windows 10/11 devices, you can use Intune endpoint security policies for Attack surface reduction to manage those settings for your devices.
Attack surface reduction policies help reduce your attack surfaces, by minimizing the places where your organization is vulnerable to cyberthreats and attacks.
In particular:
Attack Surface Reduction Rules – Configure settings for attack surface reduction rules that target behaviors that malware and malicious apps typically use to infect computers, including:
* Executable files and scripts used in Office apps or web mail that attempt to download or run files
* Obfuscated or otherwise suspicious scripts
* Behaviors that apps don’t usually start during normal day-to-day work
Reducing your attack surface means offering attackers fewer ways to perform attacks.
Reference: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-conditional-access
https://learn.microsoft.com/en-us/mem/intune/protect/endpoint-security-asr-policy
Your network contains an on-premises Active Directory domain and an Azure AD tenant.
The Default Domain Policy Group Policy Object (GPO) contains the settings shown in the following table.
You need to migrate the existing Default Domain Policy GPO settings to a device configuration profile.
Which device configuration profile type template should you use?
- A . Administrative Templates
- B . Endpoint protection
- C . Device restrictions
- D . Custom
C
Explanation:
Deploy Password Policies using Intune Configuration Profiles | Device Restriction
We can use an Intune device restriction profile to deploy password policies for Intune-managed Windows 10 devices.
Reference: https://howtomanagedevices.com/intune/2409/password-policies-using-intune/
You have 100 computers that run Windows 10 and connect to an Azure Log Analytics workspace.
Which three types of data can you collect from the computers by using Log Analytics? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point.
- A . failure events from the Security log
- B . the list of processes and their execution times
- C . the average processor utilization
- D . error events from the System log
- E . third-party application logs stored as text files
CDE
Explanation:
E: The Custom Logs data source for the Log Analytics agent in Azure Monitor allows you to collect events from text files on both Windows and Linux computers. Many applications log information to text files instead of standard logging services, such as Windows Event log or Syslog. After the data is collected, you can either parse it into individual fields in your queries or extract it during collection to individual fields.
D: Collect Windows event log data sources with Log Analytics agent
Windows event logs are one of the most common data sources for Log Analytics agents on Windows virtual machines because many applications write to the Windows event log. You can collect events from standard logs, such as System and Application, and any custom logs created by applications you need to monitor.
C: Summary of data sources
The following table lists the agent data sources that are currently available with the Log Analytics agent. Each agent data source links to an article that provides information for that data source. It also provides information on their method and frequency of collection.
* Performance counters
Performance counters in Windows and Linux provide insight into the performance of hardware components, operating systems, and applications. Azure Monitor can collect performance counters from Log Analytics agents at frequent intervals for near real time analysis. Azure Monitor can also aggregate performance data for longer-term analysis and reporting.
* Etc.
Log queries with performance records
The following table provides different examples of log queries that retrieve performance records.
Example: average CPU utilization across all computers
Query: Perf | where ObjectName == "Processor" and CounterName == "% Processor Time" and InstanceName == "_Total" | summarize AVGCPU = avg(CounterValue) by Computer
B: The following table lists the objects and counters that you can specify in the configuration file. More counters are available for certain applications.
* Processor, % Processor Time
* Processor, % User Time
* Etc.
Incorrect:
Not A: Not from the Security log.
Important
You can’t configure collection of security events from the workspace by using the Log Analytics agent. You must use Microsoft Defender for Cloud or Microsoft Sentinel to collect security events. The Azure Monitor agent can also be used to collect security events.
Reference:
https://learn.microsoft.com/en-us/azure/azure-monitor/agents/data-sources-custom-logs
https://learn.microsoft.com/en-us/azure/azure-monitor/agents/data-sources-windows-events
https://learn.microsoft.com/en-us/azure/azure-monitor/agents/data-sources-performance-counters
You use Microsoft Intune and Intune Data Warehouse.
You need to create a device inventory report that includes the data stored in the data warehouse.
What should you use to create the report?
- A . the Company Portal app
- B . Endpoint analytics
- C . the Azure portal app
- D . Microsoft Power BI
D
Explanation:
Super easy start with reporting and the Intune Data Warehouse
Method 1: Load data using OData URL
The first method is loading data by using the OData URL.
Method 2: Load data and reports using Power BI file (pbix)
The second method is loading data and prebuilt reports using a downloaded Power BI file (pbix). That file contains the connection information for the tenant and contains a set of prebuilt reports based on the Intune Data Warehouse data model.
Reference: https://www.petervanderwoude.nl/post/super-easy-start-with-reporting-and-the-intune-data-warehouse/
Your network contains an Active Directory domain named contoso.com. The domain contains a computer named Computer1 that runs Windows 10.
You have the groups shown in the following table.
Which groups can you add to Group4?
- A . Group2 only
- B . Group1 and Group2 only
- C . Group2 and Group3 only
- D . Group1, Group2, and Group3
D
Explanation:
What is group nesting?
AD group nesting, simply put, is the process of putting one group inside another group. Nested groups inherit the permissions and privileges of the group they are put under, and hence this makes privilege administration easier. However, not all groups can be nested within other groups, and this depends on the types of groups in AD, and their scope of nesting.
The following table contains the various groups and their scopes.
* Domain local groups
Members who can be part of this group:
Accounts and global groups, from any domain in the same forest or any trusted domains
Universal groups from any domain in the same forest
Other Domain Local groups from the same domain
* Etc.
Reference: https://www.windows-active-directory.com/nesting-groups-in-active-directory.html
DRAG DROP
You have a Microsoft 365 subscription. The subscription contains computers that run Windows 11 and are enrolled in Microsoft Intune.
You need to create a compliance policy that meets the following requirements:
• Requires BitLocker Drive Encryption (BitLocker) on each device
• Requires a minimum operating system version
Which setting of the compliance policy should you configure for each requirement? To answer, drag the appropriate settings to the correct requirements. Each setting may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point.
Explanation:
Device Compliance settings for Windows 10/11 in Intune
As part of your mobile device management (MDM) solution, use these settings to require BitLocker, set a minimum and maximum operating system, set a risk level using Microsoft Defender for Endpoint, and more.
Box 1: Device Health
Device Health
Windows Health Attestation Service evaluation rules
Require BitLocker:
Windows BitLocker Drive Encryption encrypts all data stored on the Windows operating system volume. BitLocker uses the Trusted Platform Module (TPM) to help protect the Windows operating system and user data. It also helps confirm that a computer isn’t tampered with, even if it’s left unattended, lost, or stolen. If the computer is equipped with a compatible TPM, BitLocker uses the TPM to lock the encryption keys that protect the data. As a result, the keys can’t be accessed until the TPM verifies the state of the computer.
* Not configured (default) – This setting isn’t evaluated for compliance or non-compliance.
* Require – The device can protect data that’s stored on the drive from unauthorized access when the system is off, or hibernates.
Box 2: Device Properties
Requires a minimum operating system version
Device Properties
Operating System Version
To discover build versions for all Windows 10/11 Feature Updates and Cumulative Updates (to be used in some of the fields below), see Windows release information. Be sure to include the appropriate version prefix before the build numbers, like 10.0 for Windows 10 as the following examples illustrate.
Minimum OS version:
Enter the minimum allowed version in the major.minor.build.revision number format. To get the correct value, open a command prompt, and type ver.
Etc.
Reference: https://learn.microsoft.com/en-us/mem/intune/protect/compliance-policy-create-windows
HOTSPOT
You have a Microsoft 365 E5 subscription that uses Microsoft Intune.
You have the Windows 11 devices shown in the following table.
You deploy the device compliance policy shown in the exhibit. (Click the Exhibit tab.)
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
Explanation:
Box 1: Yes
Device1 has BitLocker enabled.
Device1 is a member of Group1.
We see for Policy1:
Require BitLocker
Included groups: Group1, Group3
Excluded groups: Group2
Box 2: No
Device2 has BitLocker disabled.
Device2 is a member of Group1 and Group3.
Box 3: No
Device3 has BitLocker enabled.
Device3 is a member of Group1 and Group2.
Group1 is included, while Group2 is excluded.
Note: Exclusion takes precedence over inclusion in the following same group type scenarios:
* Including user groups and excluding user groups when assigning apps
* Including device groups and excluding device groups when assigning apps
Reference:
https://learn.microsoft.com/en-us/mem/intune/protect/device-compliance-get-started
https://docs.microsoft.com/en-us/intune/apps/apps-inc-exl-assignments
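The assignment and compliance reasoning in the Testlet 2 HOTSPOT explanation and in the Policy1 explanation above, as an added Python model that is not Intune code or part of the original page. The class and function names are hypothetical and the device data is transcribed from the two explanations. The status given to a device that no policy targets is a parameter, because in Intune it comes from a tenant-wide compliance setting, and a setting the device does not report is treated as failed.

```python
from dataclasses import dataclass

fs = frozenset

# Added illustration: a constructed model, not Intune's API or data format.
@dataclass
class Policy:
    name: str
    required: frozenset        # settings a device must report as True
    included: frozenset        # groups the policy is assigned to
    excluded: frozenset = fs() # groups carved out of the assignment

@dataclass
class Device:
    name: str
    groups: frozenset
    state: dict                # setting name -> reported value

def is_targeted(device, policy):
    """Exclusion wins: one excluded group cancels any number of included groups."""
    if device.groups & policy.excluded:
        return False
    return bool(device.groups & policy.included)

def evaluate(device, policies, no_policy_default):
    """Return (status, failures). A device must satisfy every policy that targets it.

    no_policy_default is the status for a device that no policy targets
    (a tenant setting in Intune, so the caller has to supply it).
    """
    applied = [p for p in policies if is_targeted(device, p)]
    if not applied:
        return no_policy_default, []
    failures = [
        f"{p.name}: {setting}"
        for p in applied
        for setting in sorted(p.required)
        if device.state.get(setting, False) is not True  # unreported -> fail closed
    ]
    return ("Not compliant" if failures else "Compliant"), failures

def testlet2():
    """Devices and policies as described in the Testlet 2 explanation."""
    policies = [
        Policy("Policy1", fs({"BitLocker"}), fs({"Group1"})),
        Policy("Policy2", fs({"SecureBoot"}), fs({"Group1"})),
        Policy("Policy3", fs({"BitLocker", "SecureBoot"}), fs({"Group2"})),
    ]
    devices = [
        Device("Device1", fs({"Group1"}), {"BitLocker": True, "SecureBoot": False}),
        Device("Device4", fs({"Group2"}), {"BitLocker": False, "SecureBoot": True}),
        Device("Device5", fs({"Group3"}), {"BitLocker": True, "SecureBoot": False}),
    ]
    # Assumption: the tenant marks devices without a policy as compliant.
    return {d.name: evaluate(d, policies, "Compliant") for d in devices}

def policy1_exhibit():
    """Policy1 from the last question: include Group1 and Group3, exclude Group2."""
    policy = Policy("Policy1", fs({"BitLocker"}),
                    fs({"Group1", "Group3"}), fs({"Group2"}))
    devices = [
        Device("Device1", fs({"Group1"}), {"BitLocker": True}),
        Device("Device2", fs({"Group1", "Group3"}), {"BitLocker": False}),
        Device("Device3", fs({"Group1", "Group2"}), {"BitLocker": True}),
    ]
    # Untargeted devices are labelled rather than given a compliance verdict.
    return {d.name: evaluate(d, [policy], "No policy assigned") for d in devices}

if __name__ == "__main__":
    for title, result in (("Testlet 2", testlet2()), ("Policy1", policy1_exhibit())):
        print(title)
        for name, (status, failures) in result.items():
            print(f"  {name}: {status} {failures}")
```

Device3 in the Policy1 case has BitLocker enabled but is never evaluated by the policy, which is the point of the exclusion note in the explanation.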