Microsoft Microsoft Certifications MD-102 Questions & Answers

• Question 211:

  HOTSPOT

  You have a Microsoft 365 subscription that uses Microsoft Intune Suite.

  You use Microsoft Intune to manage devices.

  You plan to create Windows 11 device builds for the marketing and research departments. The solution must meet the requirements:

  Marketing department devices must support Windows Update for Business.

  Research department devices must have support for feature update versions for up to 36 months from release.

  What is the minimum Windows 11 edition required for each department? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

• Question 212:

  HOTSPOT

  Your network contains an on-premises Active Directory Domain Services (AD DS) domain that syncs with an Azure AD tenant.

  You have a Microsoft 365 subscription.

  You plan to use Windows Autopilot to deploy new Windows devices.

  You plan to create a deployment profile.

  You need to ensure that the deployment meets the following requirements:

  1.

  Devices must be joined to AD DS regardless of their current working location.

  2.

  Users in the marketing department must have a line-of-business (LOB) app installed during the deployment.

  The solution must minimize administrative effort.

  What should you do for each requirement? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: Deploy Always on VPN.

  Devices must be joined to AD DS regardless of their current working location.

  Off-premises/Internet scenarios and VPN connectivity

  Windows Autopilot user-driven hybrid Azure AD join supports off-premises/Internet scenarios where direct connectivity to Active directory and domain controllers isn't available. However, an off-premises/Internet scenario doesn't eliminate the

  need for connectivity to Active Directory and a domain controller during the domain join. In an off-premises/Internet scenario, connectivity to Active Directory and a domain controller can be established via a VPN connection during the

  Autopilot process.

  For off-premises/Internet scenarios requiring VPN connectivity, the only change in the Autopilot profile would be in the setting Skip AD connectivity check. In the Create and assign user-driven hybrid Azure AD join Autopilot profile section, the

  Skip AD connectivity check setting should be set to Yes instead of to No. Setting this option to Yes prevents the deployment from failing since there's no direct connectivity to Active Directory and domain controllers until the VPN connection is

  established.

  In addition to changing the Skip AD connectivity check setting to Yes in the Autopilot profile, VPN support also relies on the following prerequisites:

  The VPN solution can be deployed and installed with Intune.

  The VPN solution needs to support one of the following options:

  Let's the user manually establish a VPN connection from the Windows sign-in screen.

  Automatically establishes a VPN connection as needed.

  The VPN solution would need to be installed and configured via Intune during the Autopilot process. Configuration would need to include deploying any required device certificates if needed by the VPN solution. Once the VPN solution is

  installed and configured on the device, the VPN connection can be established, either automatically or manually by the user, at which point the domain join can occur.

  Box 2: Create a Microsoft Intune app deployment

  Users in the marketing department must have a line-of-business (LOB) app installed during the deployment.

  Add a Windows line-of-business app to Microsoft Intune A line-of-business (LOB) app is one that you add from an app installation file. This kind of app is typically written in-house. The following steps provide guidance to help you add a

  Windows LOB app to Microsoft Intune.

  Step 1 - App information

  Step 2 - Select scope tags (optional)

  Step 3 - Assignments

  Step 4 - Review + create

  Select the app type

  Sign in to the Microsoft Intune admin center.

  Select Apps > All apps > Add.

  In the Select app type pane, under the Other app types, select Line-of-business app.

  Click Select. The Add app steps are displayed.

  Step 1 - App information

  Select the app package file

  Etc.

  Incorrect:

  * Modify the Autopilot deployment profile

  Reference: https://learn.microsoft.com/en-us/autopilot/tutorial/pre-provisioning/hybrid-azure-ad-join-autopilot-profile https://learn.microsoft.com/en-us/mem/intune/apps/lob-apps-windows

• Question 213:

  HOTSPOT

  You have devices that are not rooted enrolled in Microsoft Intune as shown in the following table.

  

  The devices are members of a group named Group1.

  In Intune, you create a device compliance location that has the following configurations:

  1.

  Name: Network1

  2.

  IPv4 range: 192.168.0.0/16

  In Intune, you create a device compliance policy for the Android platform. The policy has the following configurations:

  1.

  Name: Policy1

  2.

  Device health: Rooted devices: Block

  3.

  Locations: Location: Network1

  4.

  Mark device noncompliant: Immediately

  5.

  Assigned: Group1

  The Intune device compliance policy has the following configurations:

  1.

  Mark devices with no compliance policy assigned as: Compliant

  2.

  Enhanced jailbreak detection: Enabled

  3.

  Compliance status validity period (days): 20

  For each of the following statements, select Yes if the statement is true. Otherwise, select No.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

• Question 214:

  HOTSPOT

  You have a Microsoft 365 subscription.

  All computers are enrolled in Microsoft Intune.

  You have business requirements for securing your Windows 11 environment as shown in the following table.

  

  What should you implement to meet each requirement? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: A conditional access policy

  Box 2: A device compliance policy

  Compliance policies in Intune:

  Define the rules and settings that users and devices must meet to be compliant.

  Include actions that apply to devices that are noncompliant. Actions for noncompliance can alert users to the conditions of noncompliance and safeguard data on noncompliant devices.

  Can be combined with Conditional Access, which can then block users and devices that don't meet the rules.

  Reference:

  https://docs.microsoft.com/en-us/mem/intune/protect/device-compliance-get-started

• Question 215:

  HOTSPOT

  You have a Microsoft 365 subscription that contains two security groups named Group1 and Group2. Microsoft 365 uses Microsoft Intune Suite.

  You use Microsoft Intune to manage devices.

  You need to assign roles in Intune to meet the following requirements:

  1.

  The members of Group1 must manage Intune roles and assignments.

  2.

  The members of Group2 must assign existing apps and policies to users and devices.

  The solution must follow the principle of least privilege.

  Which role should you assign to each group? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: Intune Service Administrator

  The members of Group1 must manage Intune roles and assignments.

  Role-based access control (RBAC) helps you manage who has access to your organization's resources and what they can do with those resources. By assigning roles to your Intune users, you can limit what they can see and change. Each

  role has a set of permissions that determine what users with that role can access and change within your organization.

  To create, edit, or assign roles, your account must have one of the following permissions in Azure AD:

  Global Administrator

  Intune Service Administrator (also known as Intune Administrator)

  Box 2: Help desk operator

  The members of Group2 must assign existing apps and policies to users and devices.

  Microsoft Intune built-in roles

  Built-in roles use pre-defined rules based on common Intune scenarios. Alternatively, custom roles are built upon rules that are strictly defined by you.

  Here are the built-in roles that you can assign:

  Help desk operator

  Assign the help desk operator role to users who assign apps and policies to users and devices.

  Incorrect:

  Policy and profile manager

  Assign the policy and profile manager role to users manage compliance policy, configuration profiles and Apple enrollment.

  Etc.

  Reference:

  https://learn.microsoft.com/en-us/mem/intune/fundamentals/role-based-access-control

  https://learn.microsoft.com/en-us/microsoft-365/business-premium/m365bp-intune-admin-roles-in-the-mac

• Question 216:

  HOTSPOT

  You have devices enrolled in Microsoft Intune as shown in the following table.

  

  Intune includes the device compliance policies shown in the following table.

  

  The device compliance policies has the assignments shown in the following table.

  

  For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: No

  Device1 is in Group1. Policy1 is assigned to Group1. Policy2 is also assigned to Group1. Device1 is compliant to Policy1, but not compliant to Policy2 (fails on Secure Boot).

  By default, each device compliance policy includes the action to mark a device as noncompliant if it fails to meet a policy rule.

  Box 2: Yes

  Device2 is in Group2. Policy2 is assigned to Group2. Device2 is compliant to Policy2 (Secure boot met).

  Box 3: Yes

  Device3 is in Group 3. Policy3 and Policy4 are assigned to Group3. Policy3 is for Windows 10 so it is disregarded. Device3 is compliant to Policy4.

  Reference:

  https://docs.microsoft.com/en-us/mem/intune/protect/device-compliance-get-started

• Question 217:

  HOTSPOT

  You have a Microsoft 365 subscription that contains a user named User1. The subscription contains devices enrolled in Microsoft Intune as shown in the following table.

  

  Microsoft Edge is available on all the devices.

  Intune has the device compliance policies shown in the following table.

  

  The Compliance policy settings are configured as shown in the exhibit. (Click the Exhibit tab.)

  

  You create the following Conditional Access policy:

  Name: Policy1 Assignments

  -Users and groups: User1

  -Cloud apps or actions: Office 365 SharePoint Online Access controls

  -Grant: Require device to be marked as compliant Enable policy: On

  For each of the following statements, select Yes if the statement is true. Otherwise, select No.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: Yes

  Device1 is member of Group1.

  No compliance policy applies to Group1.

  From the Compliance policy settings exhibit we see: Mark devices with no compliance policy assigned as: Compliant

  Device1 is marked as compliant.

  Policy1 is assigned to User1.

  User1 on Device1 will be granted access to SharePoint online through Policy1.

  Box 2: Yes

  Device2 is member of Group2.

  Compliance1 is applied to Group2.

  Compliance1 requires encryption of data storage on device.

  Device2 has disk encryption configured.

  Compliance1 marks Device2 as compliant.

  User1 on Device2 will be granted access to SharePoint online through Policy1.

  Box 3: No

  Device3 is member of Group3.

  Compliance2 is applied to Group3.

  Compliance2 requires encryption of data storage on device.

  Device3 has not disk encryption configured.

  Compliance1 marks Device3 as non-compliant.

  Policy1 will not grant User1 access through Device3.

  Reference:

  https://learn.microsoft.com/en-us/mem/intune/protect/device-compliance-get-started

• Question 218:

  HOTSPOT

  You have a Microsoft 365 subscription that uses Microsoft Intune Suite.

  You use Microsoft Intune to manage devices.

  You need to configure an update ring that meets the following requirements:

  1.

  Fixes and improvements to existing Windows functionality can be deferred for 14 days but will install automatically seven days after that date.

  2.

  The installation of new Windows features can be deferred for 90 days but will install automatically 10 days after that date.

  3.

  Devices must restart automatically three days after an update is installed.

  How should you configure the update ring? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

• Question 219:

  HOTSPOT

  You have a Microsoft 365 E5 subscription.

  You need to review and implement Microsoft 365 Defender device onboarding. The solution must meet the following requirements:

  1.

  View onboarded devices that have the Chromium-based version for Microsoft Edge installed.

  2.

  Download an onboarding package for a Windows 11 device.

  3.

  Minimize administrative effort.

  Which two settings should you use in the Microsoft 365 Defender portal? To answer, select the appropriate settings in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Reference: https://learn.microsoft.com/en-us/microsoft-365/security/defender-business/mdb-manage-devices https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/machines-view-overview https://learn.microsoft.com/en-us/microsoft-365/security/defender-business/mdb-onboard-devices

• Question 220:

  HOTSPOT

  You have 1,000 computers that run Windows 10 and are members of an Active Directory domain.

  You need to capture the event logs from the computers to Azure.

  What should you do? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: Log Analytics

  Box 2: Install the Azure Monitoring Agent

  Azure Monitor agent currently supports the following core functionality:

  Collect guest logs and metrics from any machine in Azure, in other clouds, or on-premises. Azure Arc-enabled servers are required for machines outside of Azure.

  Centrally manage data collection configuration using data collection rules, and management configuration using Azure Resource Manager (ARM) templates or policies.

  Use Windows event filtering or multi-homing for Windows or Linux logs.

  Improved extension management.

  Reference: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agent-windows https://docs.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-migration