Microsoft Microsoft Certifications MD-102 Questions & Answers

• Question 21:

  Your company has a Microsoft 365 subscription.

  All the users in the finance department own personal devices that run iOS or Android. All the devices are enrolled in Microsoft Intune.

  The finance department adds new users each month.

  The company develops a mobile application named App1 for the finance department users.

  You need to ensure that only the finance department users can download App1.

  What should you do first?

  A. Register App1 in Azure AD.

  B. Add App1 to the vendor stores for iOS and Android applications.

  C. Add App1 to a Microsoft Deployment Toolkit (MDT) deployment share.

  D. Add App1 to Intune.

  Correct Answer: D

  Before you can configure, assign, protect, or monitor apps, you must add them to Microsoft Intune.

  Reference: https://docs.microsoft.com/en-us/intune/apps-add

• Question 22:

  You have a Microsoft 365 subscription.

  You use app protection policies to protect corporate data on Android devices.

  You need to ensure that any user connecting from an Android device can only access the corporate data if they connect from an app that supports mobile application management (MAM).

  What should you configure?

  A. an app configuration policy

  B. a Conditional Access policy

  C. a device configuration profile

  D. a device compliance policy

  Correct Answer: B

  Mobile Application Management (MAM)

  Common Conditional Access policy: Require approved client apps or app protection policy

  In Conditional Access policy, you can require that an Intune app protection policy is present on the client app before access is available to the selected applications. These mobile application management (MAM) app protection policies allow

  you to manage and protect your organization's data within specific applications.

  To apply this grant control, Conditional Access requires that the device is registered in Microsoft Entra ID, which requires using a broker app. The broker app can be either Microsoft Authenticator for iOS or Microsoft Company Portal for

  Android devices. If a broker app isn't installed on the device when the user attempts to authenticate, the user is redirected to the app store to install the broker app. App protection policies are generally available for iOS and Android, and in

  public preview for Microsoft Edge on Windows

  Reference:

  https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-grant#require-app-protection-policy

• Question 23:

  You have the devices shown in the following table.

  

  You plan to implement Microsoft Defender for Endpoint.

  You need to identify which devices can be onboarded to Microsoft Defender for Endpoint.

  What should you identify?

  A. Device1 only

  B. Device2 only

  C. Device1, Device2 only

  D. Device1, Device2, and Device3 only

  E. Device1, Device2, Device3, and Device4

  Correct Answer: D

  The Windows versions and Android are supported.

  Note: You can onboard the following Windows operating systems:

  Windows 8.1 Windows 10, version 1607 or later Windows 11 Windows Server 2012 R2 Windows Server 2016 Windows Server Semi-Annual Channel (SAC), version 1803 or later Windows Server 2019 Windows Server 2022

  Note 2: By default, Microsoft Defender for Endpoint for Android includes and enables the web protection feature. Web protection helps to secure devices against web threats and protect users from phishing attacks. While this protection is enabled by default, there are valid reasons to disable it on some Android devices.

  Incorrect:

  * Not Device4

  Network protection for macOS is now available for all Mac devices onboarded to Defender for Endpoint.

  Reference:

  https://docs.microsoft.com/en-us/mem/configmgr/protect/deploy-use/defender-advanced-threat-protection#bkmk_os

  https://learn.microsoft.com/en-us/mem/intune/protect/advanced-threat-protection-manage-android

  https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/mac-whatsnew

• Question 24:

  You have 200 computers that run Windows 10. The computers are joined to Azure AD and enrolled in Microsoft Intune. You need to enable self-service password reset on the sign-in screen.

  Which settings should you configure from the Microsoft Intune admin center?

  A. Device configuration

  B. Device enrollment

  C. Conditional access

  D. Device compliance

  Correct Answer: A

  To enable the self service password reset option with Intune.

  Use the Azure portal to create a new configuration policy. Open Microsoft Intune, choose Device Configuration, Profiles and Create profile.

  Reference:

  https://www.inthecloud247.com/enable-self-service-password-reset-feature-on-the-windows-logon-screen/

• Question 25:

  You are implementing Microsoft Intune Suite.

  You enroll devices in Intune as shown in the following table.

  

  The performance of which devices can be analyzed by using Endpoint analytics?

  A. Device1 only

  B. Device1 and Device2 only

  C. Device1, Device2, and Device3 only

  D. Device1, Device2, and Device4 only

  E. Device1, Device2, Device3, and Device4

  Correct Answer: B

  Endpoint analytics Prerequisites You can enroll devices via Configuration Manager or Microsoft Intune.

  To enroll devices via Intune requires:

  *

  Intune enrolled or co-managed devices running the following: Windows 10 version 1903 or later July 2021 cumulative update or later

  *

  Pro, Pro Education, Enterprise, or Education. Home and long-term servicing channel (LTSC) aren't supported.

  *

  Windows devices must be Azure AD joined or hybrid Azure AD joined. Workplace joined or Azure AD registered devices aren't supported. Network connectivity from devices to the Microsoft public cloud.

  Note: Endpoint analytics is part of the Microsoft Adoption Score. These analytics give you insights for measuring how your organization is working and the quality of the experience you're delivering to your users. Endpoint analytics can help identify policies or hardware issues that may be slowing down devices and help you proactively make improvements before end-users generate a help desk ticket.

  Reference: https://learn.microsoft.com/en-us/mem/analytics/overview

• Question 26:

  You have a Microsoft 365 subscription that uses Microsoft Intune Suite.

  You use Microsoft Intune to manage Windows 11 devices.

  You create a new policy set named Set and add five device configuration profiles for Windows 10 and later.

  You create a device compliance policy named Policy1.

  You need to ensure that when users are assigned the device configuration profiles in Set1, they are always assigned Policy1 also.

  What should you configure?

  A. the assignments of Policy1

  B. the Policy1 configurations

  C. the assignments of Set1

  D. the Set1 configurations

  Correct Answer: D

• Question 27:

  You have a Windows 10 device named Computer1 enrolled in Microsoft Intune.

  You need to configure Computer1 as a public workstation that will run a single customer-facing, full-screen application.

  Which configuration profile type template should you use in Microsoft Intune admin center?

  A. Shared multi-user device

  B. Device restrictions

  C. Kiosk

  D. Endpoint protection

  Correct Answer: C

  On Windows 10/11 devices, you can configure these devices to run in single-app kiosk mode. On Windows 10 devices, you can configure these devices to run in multi-app kiosk mode.

  Single app, full-screen kiosk

  Runs only one app on the device, such as a web browser or Store app.

  *

  Select a kiosk mode: Choose Single app, full-screen kiosk.

  *

  Etc.

  Reference: https://docs.microsoft.com/en-us/mem/intune/configuration/kiosk-settings-windows

• Question 28:

  You have a workgroup computer named Client1 that runs Windows 11 and connects to a public network.

  You need to enable PowerShell remoting on Client1. The solution must ensure that PowerShell remoting connections are accepted from the local subnet only.

  Which PowerShell command should you run?

  A. Set-PSSessionConfiguration -AccessMode Local

  B. Enable-PSRemoting -SkipNetworkProfileCheck

  C. Enable-PSRemoting -Force

  D. Set-NetFirewallRule -Name “WINRM-HTTP-In-TCP-PUBLIC” -RemoteAddress Any

  Correct Answer: B

  The Enable-PSRemoting cmdlet configures the computer to receive PowerShell remote commands that are sent by using the WS-Management technology. WS-Management based PowerShell remoting is currently supported only on Windows platform.

  Syntax

  Enable-PSRemoting [-Force] [-SkipNetworkProfileCheck] [-WhatIf] [-Confirm] []

  Parameters include:

  * -SkipNetworkProfileCheck

  Indicates that this cmdlet enables remoting on client versions of the Windows operating system when the computer is on a public network. This parameter enables a firewall rule for public networks that allows remote access only from

  computers in the same local subnet.

  Reference:

  https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting

• Question 29:

  You have a Microsoft 365 subscription that contains a user named User1 and uses Microsoft Intune Suite.

  You use Microsoft Intune to manage devices that run Windows 11.

  You need to remove User1 from the local Administrators group on all enrolled devices.

  What should you configure?

  A. a device compliance policy

  B. an account protection policy

  C. an app configuration policy

  Correct Answer: B

  Account protection policy for endpoint security in Intune

  Use Intune endpoint security policies for account protection to protect the identity and accounts of your users and manage the built-in group memberships on devices.

  Manage local groups on Windows devices

  Use the Local user group membership (preview) profile to manage the users that are members of the built-in local groups on devices that run Windows 10 20H2 and later, and Windows 11 devices.

  Reference:

  https://learn.microsoft.com/en-us/mem/intune/protect/endpoint-security-account-protection-policy

• Question 30:

  You have a Microsoft Intune subscription associated to an Azure AD tenant named contoso.com.

  Users use one of the following three suffixes when they sign in to the tenant: us.contoso.com, eu.contoso.com, or contoso.com.

  You need to ensure that the users are NOT required to specify the mobile device management (MDM) enrollment URL as part of the enrollment process. The solution must minimize the number of changes.

  Which DNS records do you need?

  A. one TXT record only

  B. three CNAME records

  C. three TXT records

  D. one CNAME record only

  Correct Answer: B

  To simplify enrollment, create a domain name server (DNS) alias (CNAME record type) that redirects enrollment requests to Intune servers. Otherwise, users trying to connect to Intune must enter the Intune server name during enrollment.

  If the company uses more than one UPN suffix, you need to create one CNAME for each domain name and point each one to EnterpriseEnrollment-s.manage.microsoft.com. For example, users at Contoso use the following formats as their email/UPN:

  [email protected] [email protected] [email protected]

  Reference: https://docs.microsoft.com/en-us/mem/intune/enrollment/windows-enroll#simplify-windows-enrollment-without-azure-ad-premium