Microsoft Microsoft Certifications MS-100 Questions & Answers

• Question 171:

  HOTSPOT

  You have a Microsoft Azure Active Directory (Azure AD) tenant named contoso.com.

  You have three applications App1, App2, App3. The Apps use files that have the same file extensions.

  Your company uses Windows Information Protection (WIP). WIP has the following configurations:

  1.

  Windows Information Protection mode: Silent

  2.

  Protected apps: App1

  3.

  Exempt apps: App2

  From App1, you create a file named File1.

  What is the effect of the configurations? To answer, select the appropriate options in the answer area.

  Hot Area:

  

  Correct Answer:

  

  Exempt apps: These apps are exempt from this policy and can access corporate data without restrictions.

  Windows Information Protection mode: Silent: WIP runs silently, logging inappropriate data sharing, without stopping anything that would’ve been prompted for employee interaction while in Allow overrides mode. Unallowed actions, like apps

  inappropriately trying to access a network resource or WIP-protected data, are still stopped.

  Reference:

  https://docs.microsoft.com/en-us/intune/apps/windows-information-protection-policy-create https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure

• Question 172:

  HOTSPOT

  You have a Microsoft Azure Active Directory (Azure AD) tenant.

  Your company implements Windows Information Protection (WIP).

  You need to modify which users and applications are affected by WIP.

  What should you do? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Microsoft Intune has an easy way to create and deploy a Windows Information Protection (WIP) policy. You can choose which apps to protect, the level of protection, and how to find enterprise data on the network. The devices can be fully

  managed by Mobile Device Management (MDM), or managed by Mobile Application Management (MAM), where Intune manages only the apps on a user's personal device.

  The MAM User scope determines which users are affected by WIP. App protection policies are used to configure which applications are affected by WIP.

  Reference:

  https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure

• Question 173:

  HOTSPOT

  You have three devices enrolled in Microsoft Intune as shown in the following table.

  

  The device compliance policies in Intune are configured as shown in the following table.

  

  The device compliance policies have the assignment shown in the following table.

  

  For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Device 1:

  No because Device1 is in group3 which has Policy1 assigned which requires BitLocker.

  Device 2:

  No because Device2 is in group3 which has Policy1 assigned which requires BitLocker. Device2 is also in Group2 which has Policy2 assigned but the BitLocker requirement is not configured in Policy2.

  Device3:

  Yes because Device3 is in Group2 which has Policy2 assigned but the BitLocker requirement is not configured in Policy2.

  Reference:

  https://blogs.technet.microsoft.com/cbernier/2017/07/11/windows-10-intune-windows-bitlocker-management-yes/

• Question 174:

  HOTSPOT

  You have a Microsoft 365 subscription.

  You need to implement Windows Defender Advanced Threat Protection (ATP) for all the supported devices enrolled devices enrolled on mobile device management (MDM).

  What should you include in the device configuration profile? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  You can integrate Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) with Microsoft Intune as a Mobile Threat Defense solution. Integration can help you prevent security breaches and limit the impact of breaches within an organization. Microsoft Defender ATP works with devices that run Windows 10 or later.

  When you establish a connection from Intune to Microsoft Defender ATP, Intune receives a Microsoft Defender ATP onboarding configuration package from Microsoft Defender ATP. This package is deployed to devices by using a device configuration profile.

  Reference: https://docs.microsoft.com/en-us/intune/advanced-threat-protection

• Question 175:

  HOTSPOT

  You have a new Microsoft 365 subscription.

  A user named User1 has a mailbox in Microsoft Exchange Online.

  You need to log any changes to the mailbox folder permissions of User1.

  Which command should you run? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  To enable auditing for a single mailbox (in this example, belonging to Holly Sharp), use this PowerShell command: Set-Mailbox username -AuditEnabled $true

  References: https://support.microsoft.com/en-us/help/4026501/office-auditing-in-office-365-for-admins https://docs.microsoft.com/en-us/powershell/module/exchange/mailboxes/set-mailbox?view=exchange-ps

• Question 176:

  HOTSPOT

  Your company has a Microsoft 365 tenant.

  You plan to allow users from the engineering department to enroll their mobile device in mobile device management (MDM).

  The device type restrictions are configured as shown in the following table.

  

  The device limit restrictions are configured as shown in the following table.

  

  What is the effective configuration for the members of the Engineering group? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  When multiple policies are applied to groups that users are a member of, only the highest priority (lowest number) policy applies.

  In this case, the Engineering users are assigned two device type policies (the default policy and the priority 2 policy). The priority 2 policy has a higher priority than the default policy so the Engineers’ allowed platform is Android only.

  The engineers have two device limit restrictions policies applied them. The priority1 policy is a higher priority than the priority2 policy so the priority1 policy device limit (15) applies.

  Reference:

  https://docs.microsoft.com/en-us/intune/enrollment/enrollment-restrictions-set

• Question 177:

  HOTSPOT

  You have a Microsoft 365 subscription.

  You are configuring permissions for Security and Compliance.

  You need to ensure that the users can perform the tasks shown in the following table.

  

  The solution must use the principle of least privilege.

  To which role should you assign each user? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Security Reader: Members can manage security alerts (view only), and also view reports and settings of security features.

  Security Administrator, Compliance Administrator and Organization Management can manage alerts. However, Security Administrator has the least privilege.

  References:

  https://docs.microsoft.com/en-us/office365/securitycompliance/permissions-in-the-security-and-compliance-center#mapping-of-role-groups-to-assigned-roles

• Question 178:

  HOTSPOT

  You have several devices enrolled in Microsoft Intune.

  You have a Microsoft Azure Active Directory (Azure AD) tenant that includes the users shown in the following table.

  

  The device type restrictions in Intune are configured as shown in the following table.

  

  You add User3 as a device enrollment manager in Intune.

  For each of the following statements, select Yes if the statement is true. Otherwise, select No.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1:

  No. User1 is in Group1. The two device type policies that apply to Group1 are Policy3 and the Default (All Users) policy. However, Policy3 has a higher priority than the default policy so Policy3 is the only effective policy. Policy3 allows the

  enrolment of Android and iOS devices only, not Windows.

  Box 2:

  No. User2 is in Group1 and Group2. The device type policies that apply to Group1 and Group2 are Policy2, Policy3 and the Default (All Users) policy. However, Policy2 has a higher priority than Policy 3 and the default policy so Policy2 is the

  only effective policy. Policy2 allows the enrolment of Windows devices only, not Android.

  Box 3:

  Yes. User3 is a device enrollment manager. Device restrictions to not apply to a device enrollment manager.

  Reference:

  https://docs.microsoft.com/en-us/intune/enrollment/enrollment-restrictions-set

• Question 179:

  HOTSPOT

  You have a Microsoft Azure Active Directory (Azure AD) tenant that contains the users shown in the following table.

  

  Your company uses Windows Defender Advanced Threat Protection (ATP). Windows Defender ATP contains the roles shown in the following table.

  

  Windows Defender ATP contains the device groups shown in the following table.

  

  For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1:

  Yes. User1 is in Group1 which is assigned to Role1. Device1 is in the device group named ATP1 which Group1 has access to. Role1 gives Group1 (and User1) View Data Permission. This is enough to view Device1 in Windows Security

  Center.

  Box 2:

  Yes. User2 is in Group2 which is assigned to Role2. Role2 gives Group2 (and User2) View Data Permission. This is enough to sign in to Windows Security Center.

  Box 3:

  Yes. User3 is in Group3 which is assigned the Windows ATP Administrator role. Someone with a Microsoft Defender ATP Global administrator role has unrestricted access to all machines, regardless of their machine group association and

  the Azure AD user groups assignments.

  Reference:

  https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/user-roles

  https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/rbac

• Question 180:

  HOTSPOT

  You have the Microsoft Azure Active Directory (Azure AD) users shown in the following table.

  

  Your company uses Microsoft Intune.

  Several devices are enrolled in Intune as shown in the following table.

  

  The device compliance policies in Intune are configured as shown in the following table.

  

  You create a conditional access policy that has the following settings: The Assignments settings are configured as follows:

  -Users and groups: Group1

  -Cloud apps: Exchange Online

  -Conditions: Include All device state, exclude Device marked as compliant Access controls is set to Block access.

  For each of the following statements, select yes if the statement is true. Otherwise, select No.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1:

  Yes. User1 is in Group1. The Conditional Access Policy applies to Group1. The Conditional Access Policy blocks access unless the device is marked as compliant.

  BitLocker is disabled for Device1. Device1 is in Group3 which is assigned device Policy1. The BitLocker policy in Policy1 is ‘not configured’ so BitLocker is not required.

  Therefore, Device1 is compliant so User1 can access Exchange online from Device1.

  Box 2:

  No. User1 is in Group1. The Conditional Access Policy applies to Group1. The Conditional Access Policy blocks access unless the device is marked as compliant.

  BitLocker is disabled for Device2. Device2 is in Group4 which is assigned device Policy2. The BitLocker policy in Policy2 is ‘Required so BitLocker is required.

  Therefore, Device2 is not compliant so User1 cannot access Exchange online from Device2.

  Box3:

  Yes. User2 is in Group2. The Conditional Access Policy applies to Group1. The Conditional Access Policy does not apply to Group2. So even though Device2 is non-compliant, User2 can access Exchange Online using Device2 because

  there is no Conditional Access Policy preventing him/her from doing so.

  Reference:

  https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/conditions