Microsoft Microsoft Certifications MD-102 Questions & Answers

• Question 141:

  You have an Azure AD tenant and 100 Windows 10 devices that are Azure AD joined and managed by using Microsoft Intune.

  You need to configure Microsoft Defender Firewall and Microsoft Defender Antivirus on the devices. The solution must minimize administrative effort.

  Which two actions should you perform? Each correct answer presents part of the solution.

  NOTE: Each correct selection is worth one point.

  A. To configure Microsoft Defender Antivirus, create a Group Policy Object (GPO) and configure the Windows Defender Antivirus settings.

  B. To configure Microsoft Defender Firewall, create a device configuration profile and configure the Device restrictions settings.

  C. To configure Microsoft Defender Antivirus, create a device configuration profile and configure the Endpoint protection settings.

  D. To configure Microsoft Defender Antivirus, create a device configuration profile and configure the Device restrictions settings.

  E. To configure Microsoft Defender Firewall, create a device configuration profile and configure the Endpoint protection settings.

  F. To configure Microsoft Defender Firewall, create a Group Policy Object (GPO) and configure Windows Defender Firewall with Advanced Security.

  Correct Answer: DE

  https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/create-windows-firewall-rules-in-intune https://learn.microsoft.com/en-us/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus

• Question 142:

  You have an Azure AD group named Group1. Group1 contains two Windows 10 Enterprise devices named Device1 and Device2.

  You create a device configuration profile named Profile1. You assign Profile1 to Group1.

  You need to ensure that Profile1 applies to Device1 only.

  What should you modify in Profile1?

  A. Assignments

  B. Settings

  C. Scope (Tags)

  D. Applicability Rules

  Correct Answer: A

• Question 143:

  Your network contains an on-premises Active Directory domain and an Azure AD tenant.

  The Default Domain Policy Group Policy Object (GPO) contains the settings shown in the following table.

  

  You need to migrate the existing Default Domain Policy GPO settings to a device configuration profile. Which device configuration profile type template should you use?

  A. Administrative Templates

  B. Endpoint protection

  C. Device restrictions

  D. Custom

  Correct Answer: C

  Deploy Password Policies using Intune Configuration Profiles | Device Restriction

  We can use Intune device restriction profile to deploy password policies for Intune managed Windows 10 devices.

  Reference:

  https://howtomanagedevices.com/intune/2409/password-policies-using-intune/

• Question 144:

  You have a Microsoft 365 E5 subscription that contains 500 macOS devices enrolled in Microsoft Intune.

  You need to ensure that you can apply Microsoft Defender for Endpoint antivirus policies to the macOS devices. The solution must minimize administrative effort.

  What should you do?

  A. Onboard the macOS devices to the Microsoft Purview compliance portal.

  B. From the Microsoft Intune admin center, create a security baseline.

  C. Install Defender for Endpoint on the macOS devices.

  D. From the Microsoft Intune admin center, create a configuration profile.

  Correct Answer: D

  https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-mac On macOS 11 (Big Sur) and above, Microsoft Defender for Endpoint requires additional configuration profiles. If you are an existing customer upgrading from earlier versions of macOS, make sure to deploy the additional configuration profiles listed on New configuration profiles for macOS Big Sur and newer versions of macOS.

• Question 145:

  You have a Microsoft 365 E5 subscription that contains 10 Android Enterprise devices. Each device has a corporate-owned work profile and is enrolled in Microsoft Intune.

  You need to configure the devices to run a single app in kiosk mode.

  Which Configuration settings should you modify in the device restrictions profile?

  A. Users and Accounts

  B. General

  C. System security

  D. Device experience

  Correct Answer: D

  Android Enterprise device settings list to allow or restrict features on corporate-owned devices using Intune

  Device experience Use these settings to configure a kiosk-style experience on your dedicated devices, or to customize the home screen experiences on your fully managed devices. You can configure devices to run one app, or run many apps. When a device is set with kiosk mode, only the apps you add are available.

  Note: You can control and restrict on Android Enterprise devices owned by your organization. As part of your mobile device management (MDM) solution, use these settings to allow or disable features, run apps on dedicated devices, control security, and more.

  This feature applies to:

  1.

  Android Enterprise corporate-owned work profile (COPE)

  2.

  Android Enterprise corporate owned fully managed (COBO)

  3.

  Android Enterprise corporate owned dedicated devices (COSU)

  Reference: https://learn.microsoft.com/en-us/mem/intune/configuration/device-restrictions-android-for-work

• Question 146:

  You have a Microsoft 365 subscription that uses Microsoft Intune Suite.

  You use Microsoft Intune to manage devices.

  You need to review the startup times and restart frequencies of the devices.

  What should you use?

  A. Azure Monitor

  B. Intune Data Warehouse

  C. Microsoft Defender for Endpoint

  D. Endpoint analytics

  Correct Answer: D

  Restart frequency in endpoint analytics.

  In endpoint analytics startup performance, we've provided insights into PC boot times, and how to improve the reboot times of poorly performing devices. Reboot frequency can be just as impactful to the user experience since a device that

  reboots daily because of Stop errors will have a poor user experience even if the boot times are fast. We've recently added insights into restart frequencies within your organization to help you identify problematic devices.

  Prerequisites

  Devices are enrolled in endpoint analytics.

  Enroll Configuration Manager devices

  Enroll Intune devices

  After enrollment, client devices require a restart to fully enable all analytics.

  Etc.

  Reference:

  https://learn.microsoft.com/en-us/mem/analytics/restart-frequency

• Question 147:

  You have computers that run Windows 10 and connect to an Azure Log Analytics workspace. The workspace is configured to collect all available events from the Windows event logs.

  The computers have the logged events shown in the following table.

  

  Which events are collected in the Log Analytics workspace?

  A. 1 only

  B. 2 and 3 only

  C. 1 and 3 only

  D. 1, 2, and 4 only

  E. 1, 2, 3, and 4

  Correct Answer: D

  Collect Windows event log data sources with Log Analytics agent

  Windows event logs are one of the most common data sources for Log Analytics agents on Windows virtual machines because many applications write to the Windows event log. You can collect events from standard logs, such as System

  and Application, and any custom logs created by applications you need to monitor.

  Incorrect:

  Not 3: Not Security events.

  Reference:

  https://learn.microsoft.com/en-us/azure/azure-monitor/agents/data-sources-windows-events

• Question 148:

  You have a Microsoft 365 subscription that uses Microsoft Intune Suite.

  You use Microsoft Intune to manage devices.

  You have a Windows 11 device named Device1 that is enrolled in Intune. Device1 has been offline for 30 days.

  You need to remove Device1 from Intune immediately. The solution must ensure that if the device checks in again, any apps and data provisioned by Intune are removed. User-installed apps, personal data, and OEM-installed apps must be retained.

  What should you use?

  A. a Delete action

  B. a Retire action

  C. a Fresh Start action

  D. an Autopilot Reset action

  Correct Answer: A

  Only two actions remove the device from Intune/Azure AD - Retire or Delete. Retire removes the device object 180 days after retire action so Delete remains only option. Delete is only action which acts once the device checks in and remove corp data specifically and doesn't touch personal

• Question 149:

  You have a Microsoft 365 subscription.

  You have 10 computers that run Windows 10 and are enrolled in mobile device management (MDM).

  You need to deploy the Microsoft 365 Apps for enterprise suite to all the computers.

  What should you do?

  A. From the Microsoft Intune admin center, create a Windows 10 device profile.

  B. From Azure AD, add an app registration.

  C. From Azure AD, add an enterprise application.

  D. From the Microsoft Intune admin center, add an app.

  Correct Answer: D

  Add Microsoft 365 Apps to Windows 10/11 devices with Microsoft Intune

  Before you can assign, monitor, configure, or protect apps, you must add them to Intune. One of the available app types is Microsoft 365 apps for Windows 10 devices. By selecting this app type in Intune, you can assign and install Microsoft

  365 apps to devices you manage that run Windows 10.

  Select Microsoft 365 Apps

  Sign in to the Microsoft Intune admin center.

  Select Apps > All apps > Add.

  Select Windows 10 in the Microsoft 365 Apps section of the Select app type pane.

  Click Select. The Add Microsoft 365 Apps steps are displayed.

  Reference:

  https://learn.microsoft.com/en-us/mem/intune/apps/apps-add-office365

• Question 150:

  You have a Microsoft 365 E5 subscription that contains a user named User1 and a web app named App1.

  App1 must only accept modern authentication requests.

  You plan to create a Conditional Access policy named CAPolicy1 that will have the following settings:

  Assignments

  -Users or workload identities: User1

  -Cloud apps or actions: App1 Access controls

  -Grant: Block access

  You need to block only legacy authentication requests to App1.

  Which condition should you add to CAPolicy1?

  A. Filter for devices

  B. Device platforms

  C. User risk

  D. Sign-in risk

  E. Client apps

  Correct Answer: E

  Create a Conditional Access policy (see step 7 below).

  The following steps will help create a Conditional Access policy to block legacy authentication requests. This policy is put in to Report-only mode to start so administrators can determine the impact they'll have on existing users. When

  administrators are comfortable that the policy applies as they intend, they can switch to On or stage the deployment by adding specific groups and excluding others.

  Sign in to the Azure portal as a Conditional Access Administrator, Security Administrator, or Global Administrator.

  Browse to Azure Active Directory > Security > Conditional Access.

  Select New policy.

  Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.

  Under Assignments, select Users or workload identities.

  Under Include, select All users.

  Under Exclude, select Users and groups and choose any accounts that must maintain the ability to use legacy authentication. Exclude at least one account to prevent yourself from being locked out. If you don't exclude any account, you won't

  be able to create this policy.

  6.

  Under Cloud apps or actions, select All cloud apps.

  7.

  Under Conditions > Client apps, set Configure to Yes.

  Check only the boxes Exchange ActiveSync clients and Other clients.

  Select Done.

  8.

  Under Access controls > Grant, select Block access.

  Select Select.

  9.

  Confirm your settings and set Enable policy to Report-only.

  10.

  Select Create to create to enable your policy.

  After confirming your settings using report-only mode, an administrator can move the Enable policy toggle from Report-only to On.

  Reference: https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-block-legacy