Microsoft Microsoft Certifications MD-102 Questions & Answers

• Question 221:

  HOTSPOT

  You have a Microsoft 365 tenant and an internal certification authority (CA).

  You need to use Microsoft Intune to deploy the root CA certificate to managed devices.

  Which type of Intune policy and profile type template should you use? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: Configuration profile Create a trusted certificate profile.

  Box 2: Trusted certificate When using Intune to provision devices with certificates to access your corporate resources and network, use a trusted certificate profile to deploy the trusted root certificate to those devices. Trusted root certificates establish a trust from the device to your root or intermediate (issuing) CA from which the other certificates are issued.

  Reference: https://docs.microsoft.com/en-us/mem/intune/protect/certificates-trusted-root

• Question 222:

  HOTSPOT

  Your company uses Microsoft Defender for Endpoint. Microsoft Defender for Endpoint includes the device groups shown in the following table.

  

  You onboard a computer to Microsoft Defender for Endpoint as shown in the following exhibit.

  

  What is the effect of the Microsoft Defender for Endpoint configuration? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Reference: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/machine-groups

• Question 223:

  HOTSPOT

  You have a Microsoft 365 subscription that uses Microsoft Intune and contains 100 Windows 10 devices.

  You need to create Intune configuration profiles to perform the following actions on the devices:

  1.

  Deploy a custom Start layout.

  2.

  Rename the local Administrator account.

  Which profile type template should you use for each action? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: Device restriction

  Customize Start Menu Custom and Taskbar

  Here is a quick step-by-step guide to help you to deploy the prepared XML file. This Intune policy helps to customize the start menu and taskbar for Windows 10 devices.

  Logon to Microsoft Endpoint Manager Portal.

  Navigate to Devices -> Windows -> Configuration Profiles.

  Select Platform -> Windows 10 and later.

  Select Profile Type -> Template.

  Search with “device” and select Device Restrictions.

  Click on Create button.

  Box 2: Identity protection

  Use an Identity protection profile to manage Windows Hello for Business on groups of devices in Microsoft Intune. Windows Hello for Business is a method for signing in to Windows devices by replacing passwords, smart cards, and virtual

  smart cards. Intune includes built-in settings so Administrators can configure and use Windows Hello for Business.

  Incorrect:

  *

  Delivery Optimization settings for your Windows devices to reduce bandwidth consumption when those devices download applications and updates. Configure Delivery Optimization as part of your device configuration profiles.

  *

  With Intune, you can use device configuration profiles to manage common Endpoint protection security features on devices, including:

  Firewall BitLocker Allowing and blocking apps Microsoft Defender and encryption For example, you can create an Endpoint protection profile that only allows macOS users to install apps from the Mac App Store. Or, enable Windows SmartScreen when running apps on Windows 10/11 devices.

  Reference: https://www.anoopcnair.com/start-menu-taskbar-custom-layout-intune-cloudpc/ https://docs.microsoft.com/en-us/mem/intune/protect/identity-protection-configure

• Question 224:

  HOTSPOT

  You have a Microsoft 365 subscription.

  You plan to enable Microsoft Intune enrollment for the following types of devices:

  1.

  Existing Windows 11 devices managed by using Configuration Manager

  2.

  Personal iOS devices

  The solution must minimize user disruption.

  Which enrollment method should you use for each device type? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: Co-management

  Existing Windows 11 devices managed by using Configuration Manager

  Co-management enrollment

  If you use Configuration Manager, and want to continue to use Configuration Manager, then co-management enrollment is for you. Co-management manages Windows 10/11 devices using Configuration Manager and Microsoft Intune

  together. You cloud-attach your existing Configuration Manager environment to Intune. This enrollment option runs some workloads in Configuration Manager, and other workloads in Intune.

  Box 2: User enrollment

  Personal iOS devices

  BYOD: User and Device enrollment

  These iOS/iPadOS devices are personal or BYOD (bring your own device) devices that can access organization email, apps, and other data. Starting with iOS 13 and newer, this enrollment option targets users or targets devices. It doesn't

  require resetting the devices.

  Note: Enroll iOS and iPadOS devices in Microsoft Intune

  Personal and organization-owned devices can be enrolled in Intune. Once they're enrolled, they receive the policies and profiles you create. You have the following options when enrolling iOS/iPadOS devices:

  Automated device enrollment (ADE)

  Apple Configurator

  BYOD: User and Device enrollment

  Incorrect:

  *

  Automated Device Enrollment Automated Device Enrollment (ADE) (supervised) Previously called Apple Device Enrollment Program (DEP). Use on devices owned by your organization. This option configures settings using Apple Business Manager (ABM) or Apple School Manager (ASM). It enrolls a large number of devices, without you ever touching the devices. These devices are purchased from Apple, have your preconfigured settings, and can be shipped directly to users or schools. You create an enrollment profile in the Intune admin center, and push this profile to the devices.

  *

  Apple Configurator Apple Configurator enrollment Use on devices owned by your organization, and includes Direct Enrollment. This option requires you to physically connect iOS/iPadOS devices to a Mac computer using the USB port.

  Reference: https://learn.microsoft.com/en-us/mem/intune/fundamentals/deployment-guide-enrollment-windows https://learn.microsoft.com/en-us/mem/intune/fundamentals/deployment-guide-enrollment-ios-ipados

• Question 225:

  HOTSPOT

  You have an Azure AD Premium P2 subscription that contains the users shown in the following table.

  

  You purchase the devices shown in the following table.

  

  You configure automatic mobile device management (MDM) and mobile application management (MAM) enrollment by using the following settings:

  1.

  MDM user scope: Group1

  2.

  MAM user scope: Group2

  For each of the following statements, select Yes if the statement is true. Otherwise, select No.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Reference: https://docs.microsoft.com/en-us/mem/intune/enrollment/android-enroll https://powerautomate.microsoft.com/fr-fr/blog/mam-flow-mobile/

• Question 226:

  HOTSPOT

  You have the MDM Security Baseline profile shown in the MDM exhibit. (Click the MDM tab.)

  

  You have the ASR Endpoint Security profile shown in the ASR exhibit. (Click the ASR tab.)

  

  You plan to deploy both profiles to devices enrolled in Microsoft Intune.

  You need to identify how the following settings will be configured on the devices:

  Block Office applications from creating executable content

  Block Win32 API calls from Office macro

  Currently, the settings are disabled locally on each device.

  What are the effective settings on the devices? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: Audit mode

  According to the ASR Endpoint Security profile and to the MDM Security Baseline profile, Block Office applications from creating executable content is set to Audit mode.

  Box 2: Disable

  Block Win32 API calls from Office macro: According to MDM Security Baseline profile it is set to disable. According to the ASR Endpoint Security profile it is set to Audit mode.

  The profiles are merged. The Baseline profile overrides the Endpoint Security profile.

  Note:

  When two or more policies have conflicting settings, the conflicting settings are not added to the combined policy, while settings that don't conflict are added to the superset policy that applies to a device.

  Attack surface reduction rule merge behavior is as follows:

  Endpoint security > Security baselines > Microsoft Defender for Endpoint Baseline > Attack Surface Reduction Rules.

  MDM Security Baseline profile ASR Endpoint Security profile.

  Reference:

  https://docs.microsoft.com/en-us/mem/intune/protect/endpoint-security-asr-policy

• Question 227:

  HOTSPOT

  You have computers that run Windows 10 and are configured by using Windows Autopilot.

  A user performs the following tasks on a computer named Computer1:

  1.

  Creates a VPN connection to the corporate network

  2.

  Installs a Microsoft Store app named App1

  3.

  Connections to a Wi-Fi network

  You perform a Windows Autopilot Reset on Computer1.

  What will be the state of the computer when the user signs in? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: Retained and the passphrase will be retained

  The Windows Autopilot Reset process automatically keeps information from the existing device:

  *

  Wi-Fi connection details.

  Box 2: Removed Windows Autopilot Reset:

  *

  Removes personal files, apps, and settings.

  Box 3: Removed

  Windows Autopilot Reset:

  Removes personal files, apps, and settings.

  Reapplies a device's original settings.

  Sets the region, language, and keyboard to the original values.

  Maintains the device's identity connection to Azure AD.

  Maintains the device's management connection to Intune.

  The Windows Autopilot Reset process automatically keeps information from the existing device:

  Wi-Fi connection details.

  Provisioning packages previously applied to the device.

  A provisioning package present on a USB drive when the reset process is started.

  Azure Active Directory device membership and MDM enrollment information.

  Reference:

  https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot-reset

• Question 228:

  HOTSPOT

  You have a Microsoft Deployment Toolkit (MDT) solution that is used to manage Windows 11 deployment tasks.

  MDT contains the operating system images shown in the following table.

  

  You need to perform a Windows 11-place upgrade on several computers that run Windows 10.

  From the Deployment Workbench, you open the New Task Sequence Wizard.

  You need to identify which task sequence template and which operating system image to use for the task sequence. The solution must minimize administrative effort.

  What should you identify? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: Standard Client Upgrade Task Sequence

  Use Template: Standard Client Upgrade Task Sequence

  In-place upgrade is the preferred method to use when migrating from Windows 10/11 to a later release of Windows 10/11, and is also a preferred method for upgrading from Windows 7 or 8.1 if you do not plan to significantly change the

  device's configuration or applications. MDT includes an in-place upgrade task sequence template that makes the process really simple.

  Box 2: Install.wim

  In-place upgrade differs from computer refresh in that you cannot use a custom image to perform the in-place upgrade.

  Reference:

  https://docs.microsoft.com/en-us/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit

• Question 229:

  HOTSPOT

  You have a Microsoft 365 subscription.

  You need to enable passwordless authentication for all users. The solution must meet the following requirements:

  1.

  Users in the research department cannot use mobile devices and must authenticate from unmanaged Linux devices by using an alternative method.

  2.

  To access services, users in the sales department must authenticate by using their mobile phone.

  3.

  Administrative effort must be minimized.

  Which authentication method should you use for each department? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Reference: https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-phone https://learn.microsoft.com/en-us/azure/active-directory/authentication/fido2-compatibility

• Question 230:

  HOTSPOT

  You have a Microsoft 365 subscription.

  Users have iOS devices that are not enrolled in Microsoft Intune.

  You create an app protection policy for the Microsoft Outlook app as shown in the exhibit. (Click the Exhibit tab.)

  

  You need to configure the policy to meet the following requirements:

  Prevent the users from using the Outlook app if the operating system version is less than 12.0.0.

  Require the users to use an alphanumeric passcode to access the Outlook app.

  What should you configure in an app protection policy for each requirement? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: Conditional launch

  Configure conditional launch settings to set sign-in security requirements for your access protection policy.

  By default, several settings are provided with pre-configured values and actions. You can delete some of these, like the Min OS version. You can also select additional settings from the Select one dropdown.

  Note: There are three categories of policy settings: Data relocation, Access requirements, and Conditional launch.

  Box 2. Access requirements

  Access requirements include:

  PIN for access: Select Require to require a PIN to use this app. The user is prompted to set up this PIN the first time they run the app in a work or school context. The PIN is applied when working either online or offline.

  You can configure the PIN strength using the settings available under the PIN for access section.

  Reference:

  https://docs.microsoft.com/en-us/intune/app-protection-policy-settings-ios