MD 101
MD 101
MD 101
208q
Number: MD-101
Passing Score: 800
Time Limit: 120 min
File Version: 16.0
MD-101
Version 16.0
Deploy and Update Operating Systems
Testlet 1
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be
additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the
time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits
and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in
this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next
section of the exam. After you begin a new section, you cannot return to this section.
General Overview
Litware, Inc. is an international manufacturing company that has 3,000 employees. The company has sales, marketing, research, human resources (HR),
development, and IT departments.
Litware has two main offices in New York and Los Angeles. Litware has five branch offices in Asia.
Existing Environment
During discovery, the company discovers a process where users are emailing bank account information of its customers to internal and external recipients.
Current Environment
The network contains an Active Directory domain that is synced to Microsoft Azure Active Directory (Azure AD). The functional level of the forest and the domain
is Windows Server 2012 R2. All domain controllers run Windows Server 2012 R2.
Litware has the computers shown in the following table.
Most of the employees in the sales department are contractors. Each contractor is assigned a computer that runs Windows 10. At the end of each contract, the
computer is assigned to a different contractor. Currently, the computers are re-provisioned manually by the IT department.
Problem Statements
Litware identifies the following issues on the network:
Employees in the Los Angeles office report slow Internet performance when updates are downloading. The employees also report that the updates frequently
consume considerable resources when they are installed. The Update settings are configured as shown in the Updates exhibit. (Click the Updates button.)
Management suspects that the source code for the proprietary applications in Azure DevOps in being shared externally.
Re-provisioning the sales department computers is too time consuming.
Requirements
Business Goals
Litware plans to transition to co-management for all the company-owned Windows 10 computers.
Prevent the sales department employees from forwarding email that contains bank account information.
Ensure that Microsoft Edge Favorites are accessible from all computers to which the developers sign in.
Prevent employees in the research department from copying patented information from trusted applications to untrusted applications.
Technical Requirements
Litware identifies the following technical requirements for the planned deployment:
Exhibits
Updates
QUESTION 1
You need to capture the required information for the sales department computers to meet the technical requirements.
A. Install-Module WindowsAutoPilotIntune
B. Install-Script Get-WindowsAutoPilotInfo
C. Import-AutoPilotCSV
D. Get-WindowsAutoPilotInfo
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/existing-devices
QUESTION 2
What should you configure to meet the technical requirements for the Azure AD-joined computers?
A. Windows Hello for Business from the Endpoint Management admin center.
B. The Accounts options in an endpoint protection profile.
C. The Password Policy settings in a Group Policy object (GPO).
D. A password policy from the Microsoft 365 admin portal.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-manage-in-organization
QUESTION 3
HOTSPOT
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
From the scenario:
Ensure that the company name and logo appears during the Out of Box Experience (OOBE) when using Windows AutoPilot.
Reference:
https://blogs.technet.microsoft.com/mniehaus/2017/12/22/windows-autopilot-azure-ad-branding/
QUESTION 4
HOTSPOT
Which two settings should you configure from the Azure Active Directory blade? To answer, select the appropriate settings in the answer area.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot-reset
https://docs.microsoft.com/en-za/azure/active-directory/fundamentals/customize-branding#add-company-branding-to-your-directory
QUESTION 5
HOTSPOT
You need to resolve the performance issues in the Los Angeles office.
How should you configure the update settings? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The Los Angeles office has 500 developers. The developers work flexible hours ranging from 11 AM to 10 PM.
Deploy and Update Operating Systems
Testlet 2
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be
additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the
time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits
and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in
this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next
section of the exam. After you begin a new section, you cannot return to this section.
Overview
Contoso, Ltd, is a consulting company that has a main office in Montreal and two branch offices in Seattle and New York.
Contoso has the users and computers shown in the following table.
The company has IT, human resources (HR), legal (LEG), marketing (MKG) and finance (FIN) departments.
Contoso uses Microsoft Store for Business and recently purchased a Microsoft 365 subscription.
The company is opening a new branch office in Phoenix. Most of the users in the Phoenix office will work from home.
Existing Environment
The network contains an Active Directory domain named contoso.com that is synced to Microsoft Azure Active Directory (Azure AD).
All member servers run Windows Server 2016. All laptops and desktop computers run Windows 10 Enterprise.
The computers are managed by using Microsoft Endpoint Configuration Manager. The mobile devices are managed by using Microsoft Intune.
The naming convention for the computers is the department acronym, followed by a hyphen, and then four numbers, for example, FIN-6785. All the computers
are joined to the on-premises Active Directory domain.
Each department has an organizational unit (OU) that contains a child OU named Computers. Each computer account is in the Computers OU of its respective
department.
Intune Configuration
The device compliance policies in Intune are configured as shown in the following table.
The device compliance policies have the assignments shown in the following table.
The device limit restrictions in Intune are configured as shown in the following table.
Requirements
Planned Changes
Contoso plans to implement the following changes:
Provide new computers to the Phoenix office users. The new computers have Windows 10 Pro preinstalled and were purchased already.
Start using a free Microsoft Store for Business app named App1.
Implement co-management for the computers.
Technical Requirements
Contoso must meet the following technical requirements:
Ensure that the users in a group named Group4 can only access Microsoft Exchange Online from devices that are enrolled in Intune.
Deploy Windows 10 Enterprise to the computers of the Phoenix office users by using Windows Autopilot.
Monitor the computers in the LEG department by using Windows Analytics.
Create a provisioning package for new computers in the HR department.
Block iOS devices from sending diagnostic and usage telemetry data.
Use the principle of least privilege whenever possible.
Enable the users in the MKG department to use App1.
Pilot co-management for the IT department.
QUESTION 1
HOTSPOT
You need to meet the technical requirements for the new HR department computers.
How should you configure the provisioning package? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/configuration/wcd/wcd-accounts
QUESTION 2
You need to prepare for the deployment of the Phoenix office computers.
A. Extract the hardware ID information of each computer to a CSV file and upload the file from the Microsoft Endpoint Management admin center.
B. Extract the serial number information of each computer to a XML file and upload the file from the Microsoft Endpoint Management admin center.
C. Extract the serial number information of each computer to a CSV file and upload the file from the Microsoft Endpoint Management admin center.
D. Generalize the computers and configure the Device settings from the Azure Active Directory admin center.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
To manage devices through Microsoft Store for Business and Education, you'll need a .csv file that contains specific information about the devices. You should be
able to get this from your Microsoft account contact, or the store where you purchased the devices. Upload the .csv file to Microsoft Store to add the devices.
Reference:
https://docs.microsoft.com/en-us/microsoft-store/add-profile-to-devices
QUESTION 3
You need to prepare for the deployment of the Phoenix office computers.
A. Generalize the computers and configure the Mobility (MDM and MAM) settings from the Azure Active Directory admin center.
B. Extract the hardware ID information of each computer to a CSV file and upload the file from the Microsoft Intune blade in the Azure portal.
C. Extract the hardware ID information of each computer to an XML file and upload the file from the Devices settings in Microsoft Store for Business.
D. Extract the serial number information of each computer to a CSV file and upload the file from the Microsoft Intune blade in the Azure portal.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/existing-devices
Deploy and Update Operating Systems
Question Set 3
QUESTION 1
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might
meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your company uses Windows Autopilot to configure the computer settings of computers issued to users.
A user named User1 has a computer named Computer1 that runs Windows 10. User1 leaves the company.
You need to ensure that when User2 first starts the computer, User2 is prompted to select the language setting and to agree to the license agreement.
A. Yes
B. No
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot-reset-remote
QUESTION 2
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might
meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your company uses Windows Autopilot to configure the computer settings of computers issued to users.
A user named User1 has a computer named Computer1 that runs Windows 10. User1 leaves the company.
You need to ensure that when User2 first starts the computer, User2 is prompted to select the language setting and to agree to the license agreement.
A. Yes
B. No
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/user-driven
QUESTION 3
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might
meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your company uses Windows Autopilot to configure the computer settings of computers issued to users.
A user named User1 has a computer named Computer1 that runs Windows 10. User1 leaves the company.
You need to ensure that when User2 first starts the computer, User2 is prompted to select the language setting and to agree to the license agreement.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/self-deploying
QUESTION 4
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might
meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You need to ensure that feature and quality updates install automatically on a Windows 10 computer during a maintenance window.
Solution: In Group policy, from the Maintenance Scheduler settings, you configure Automatic Maintenance Random Delay.
A. Yes
B. No
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/sccm/sum/deploy-use/automatically-deploy-software-updates
QUESTION 5
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might
meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You need to ensure that feature and quality updates install automatically on a Windows 10 computer during a maintenance window.
Solution: In Group policy, from the Windows Update settings, you enable Configure Automatic Updates, select 4-Auto download and schedule the install,
and then enter a time.
A. Yes
B. No
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/sccm/sum/deploy-use/automatically-deploy-software-updates
QUESTION 6
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might
meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You need to ensure that feature and quality updates install automatically on a Windows 10 computer during a maintenance window.
Solution: In Group policy, from the Maintenance Scheduler settings, you configure Automatic Maintenance Activation Boundary.
A. Yes
B. No
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/sccm/sum/deploy-use/automatically-deploy-software-updates
QUESTION 7
DRAG DROP
Your company has a computer named Computer1 that runs Windows 10.
You plan to repurpose Computer1 and assign the computer to a new user. You need to redeploy Computer1 by using Windows AutoPilot.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in
the correct order.
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/intune/enrollment-autopilot
https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot-reset
QUESTION 8
HOTSPOT
You need to ensure that the new computers are joined automatically to Azure AD by using Windows Autopilot.
What should you use? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/intune/enrollment-autopilot
QUESTION 9
Your company purchases new computers that run Windows 10. The computers have cameras that support Windows Hello for Business.
You configure the Windows Hello for Business Group Policy settings as shown in the following exhibit.
What are two valid methods a user can use to sign in? Each correct answer presents part of the solution.
A. Facial recognition
B. A smartwatch that is Bluetooth-enabled
C. A PIN
D. A USB key
Correct Answer: AC
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://community.windows.com/en-us/stories/windows-sign-in-options
https://fossbytes.com/how-to-unlock-windows-10/
QUESTION 10
You have 10 computers that run Windows 8.1 and have the following configurations:
You need to ensure that the computers can use Secure Boot.
Which two actions should you perform? Each correct answer presents part of the solution.
Correct Answer: AE
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/boot-to-uefi-mode-or-legacy-bios-mode
QUESTION 11
Your network contains an Active Directory domain. The domain contains 2,000 computers that run Windows 10.
You implement hybrid Microsoft Azure Active Directory (Azure AD) and Microsoft Intune.
You need to automatically register all the existing computers to Azure AD and enroll the computers in Intune. The solution must minimize administrative effort.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Autopilot-Hybrid-Azure-AD-join-and-automatic/ba-p/286126
QUESTION 12
HOTSPOT
Your network contains an Active Directory domain. The domain contains computers that run Windows 10 and are enrolled in Microsoft Intune. Updates are
deployed by using Windows Update for Business.
Update installations must occur any day only between 00:00 and 05:00.
Updates must be downloaded from Microsoft and from other company computers that already downloaded the updates.
You need to configure the Windows 10 Update Rings settings in Intune to meet the requirements.
Which two settings should you modify? To answer, select the appropriate settings in the answer area.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://github.com/MicrosoftDocs/IntuneDocs/blob/master/intune/windows-update-settings.md
https://docs.microsoft.com/en-us/intune/delivery-optimization-windows#move-from-existing-update-rings-to-delivery-optimization
QUESTION 13
Your network contains an Active Directory domain named contoso.com.
You create a provisioning package named Package1 as shown in the following exhibit.
What is the maximum number of devices on which you can run Package1 successfully?
A. 1
B. 10
C. 25
D. unlimited
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The device name uses a single random number (applied by %RAND:1%). This allows for 10 unique values (0 – 9).
QUESTION 14
HOTSPOT
You have computers that run Windows 10 and are configured by using Windows Autopilot.
What will be the state of the computer when the user signs in? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot-reset
QUESTION 15
HOTSPOT
Your network contains an Active Directory domain named constoso.com that is synced to Microsoft Azure Active Directory (Azure AD). All computers are enrolled
in Microsoft Intune.
Which computers can you reset by using each action? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/intune/device-fresh-start
https://docs.microsoft.com/en-us/intune/devices-wipe
QUESTION 16
You have the 64-bit computers shown in the following table.
You plan to perform an in-place upgrade to the 64-bit version of Windows 10.
Which computers can you upgrade to the 64-bit version of Windows 10 in their current state?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/deployment/windows-10-deployment-scenarios
QUESTION 17
You have 200 computers that run Windows 10. The computers are joined to Microsoft Azure Active Directory (AD) and enrolled in Microsoft Intune.
You need to enable self-service password reset on the sign-in screen.
Which settings should you configure from the Microsoft Endpoint Manager admin center?
A. Device configuration
B. Device compliance
C. Device enrollment
D. Conditional access
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/intune/configuration/device-profile-create
https://www.inthecloud247.com/restrict-which-users-can-logon-into-a-windows-10-device-with-microsoft-intune/
QUESTION 18
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might
meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
The research department has several computers that have specialized hardware and software installed.
You need to prevent the video drivers from being updated automatically by using Windows Update.
Solution: From the Device Installation and Restrictions settings in a Group Policy object (GPO), you enable Prevent installation of devices using drivers that
match these device setup classes, and then you enter the device GUID.
A. Yes
B. No
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://www.stigviewer.com/stig/microsoft_windows_server_2012_member_server/2013-07-25/finding/WN12-CC-000024
QUESTION 19
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might
meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
The research department has several computers that have specialized hardware and software installed.
You need to prevent the video drivers from being updated automatically by using Windows Update.
Solution: From the Settings app, you clear the Give me updates for other Microsoft products when I update Windows check box.
A. Yes
B. No
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://www.stigviewer.com/stig/microsoft_windows_server_2012_member_server/2013-07-25/finding/WN12-CC-000024
QUESTION 20
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might
meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
The research department has several computers that have specialized hardware and software installed.
You need to prevent the video drivers from being updated automatically by using Windows Update.
Solution: From the Device Installation settings in a Group Policy object (GPO), you enable Specify search order for device driver source locations, and then
you select Do not search Windows Update.
A. Yes
B. No
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://www.stigviewer.com/stig/microsoft_windows_server_2012_member_server/2013-07-25/finding/WN12-CC-000024
QUESTION 21
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might
meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You need to ensure that feature and quality updates install automatically during a maintenance window.
Solution: In Group policy, from the Windows Update settings, you enable Configure Automatic Updates, select 3 – Auto download and notify for Install, and
then enter a time.
A. Yes
B. No
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/sccm/sum/deploy-use/automatically-deploy-software-updates
QUESTION 22
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might
meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have 20 computers that run Windows 10 and are joined to Microsoft Azure Active Directory (Azure AD).
You plan to replace the computers with new computers that run Windows 10. The new computers will be joined to Azure AD.
You need to ensure that the desktop background, the favorites, and the browsing history are available on the new computers.
A. Yes
B. No
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/devices/enterprise-state-roaming-windows-settings-reference
QUESTION 23
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might
meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have 20 computers that run Windows 10 and are joined to Microsoft Azure Active Directory (Azure AD).
You plan to replace the computers with new computers that run Windows 10. The new computers will be joined to Azure AD.
You need to ensure that the desktop background, the favorites, and the browsing history are available on the new computers.
A. Yes
B. No
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows-server/storage/folder-redirection/deploy-roaming-user-profiles
QUESTION 24
You have a Microsoft Azure subscription that contains an Azure Log Analytics workspace.
You deploy a new computer named Computer1 that runs Windows 10. Computer1 is in a workgroup.
You need to ensure that you can use Log Analytics to query events from Computer1.
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agent-windows
QUESTION 25
Your company has a Microsoft Azure Active Directory (Azure AD) tenant.
The company has a Volume Licensing Agreement and uses a product key to activate Windows 10.
You plan to deploy Windows 10 Pro to 200 new computers by using the Microsoft Deployment Toolkit (MDT) and Windows Deployment Services (WDS).
You need to ensure that the new computers will be configured to have the correct product key during the installation.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt#a-href-idsec08astep-8-deploy-the-windows-
10-client-image
QUESTION 26
Your network contains an Active Directory domain that is synced to Microsoft Azure Active Directory (Azure AD). The domain contains 500 laptops that run
Windows 8.1 Professional. The users of the laptops work from home.
Your company uses Microsoft Intune, the Microsoft Deployment Toolkit (MDT), and Windows Configuration Designer to manage client computers.
The company purchases 500 licenses for Windows 10 Enterprise.
You verify that the hardware and applications on the laptops are compatible with Windows 10.
The users will bring their laptop to the office, where the IT department will deploy Windows 10 to the laptops while the users wait.
You need to recommend a deployment method for the laptops that will retain their installed applications. The solution must minimize how long it takes to perform
the deployment.
A. an in-place upgrade
B. a clean installation by using a Windows Configuration Designer provisioning package
C. Windows AutoPilot
D. a clean installation and the User State Migration Tool (USMT)
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/deployment/windows-10-deployment-scenarios#in-place-upgrade
QUESTION 27
You have a computer named Computer5 that has Windows 10 installed.
You need to ensure that config.ps1 runs after feature updates are installed on Computer5.
A. Unattend.xml
B. Unattend.bat
C. SetupConfig.ini
D. LiteTouch.wsf
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://www.joseespitia.com/2017/06/01/how-to-run-a-post-script-after-a-windows-10-feature-upgrade/
QUESTION 28
HOTSPOT
You have computers that run Windows 10. The computers are in a workgroup and are enrolled in Intune. The computers are configured as shown in the following
table.
On each computer, the Select when Quality Updates are received Group Policy setting is configured as shown in the following table.
You have Windows 10 update rings in Intune as shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
QUESTION 29
Your network contains an Active Directory forest. The forest contains a single domain and three sites named Site1, Site2, and Site3. Each site is associated to
two subnets. Site1 contains two subnets named SubnetA and SubnetB.
All the client computers in the forest run Windows 10. Delivery Optimization is enabled.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Delivery Optimization allows updates from other clients that connect to the Internet using the same public IP as the target client (NAT).
Reference:
https://docs.microsoft.com/en-us/windows/deployment/update/waas-delivery-optimization
QUESTION 30
HOTSPOT
Your network contains an Active Directory domain. The domain contains 1,200 computers that run Windows 8.1.
You deploy an Upgrade Readiness solution in Microsoft Azure and configure the computers to report to Upgrade Readiness.
You need to filter the view to show only applications that can run successfully on Windows 10.
How should you configure the filter in Upgrade Readiness? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
https://docs.microsoft.com/en-us/windows/deployment/upgrade/upgrade-readiness-resolve-issues
QUESTION 31
HOTSPOT
You have two computers that run Windows 10. The computers are enrolled in Microsoft Intune as shown in the following table.
Windows 10 update rings are defined in Intune as shown in the following table.
What is the effect of the configurations on Computer1 and Computer2? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Note: The term "Exclude" is misleading. It means that the ring is not applied to that group, rather than that group being blocked.
Reference:
https://docs.microsoft.com/en-us/windows/deployment/update/waas-wufb-intune
https://allthingscloud.blog/configure-windows-update-business-using-microsoft-intune/
QUESTION 32
Your company standardizes on Windows 10 Enterprise for all users.
Some users purchase their own computer from a retail store. The computers run Windows 10 Pro.
You need to recommend a solution to upgrade the computers to Windows 10 Enterprise, join the computers to Microsoft Azure Active Directory (Azure AD), and
install several Microsoft Store apps. The solution must meet the following requirements:
What is the best recommendation to achieve the goal? More than one answer choice may achieve the goal. Select the BEST answer.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
You use Windows Configuration Designer to create a provisioning package (.ppkg) that contains customization settings. You can apply the provisioning package
to a device running Windows 10.
Incorrect Answers:
A: Microsoft Deployment Toolkit (MDT) allows you to automate the deployment of Windows operating systems in your organization. It is not used to upgrade to
Windows 10 Enterprise.
B: Windows Deployment Services (WDS) is the revised version of Remote Installation Services (RIS). WDS enables the deployment of Windows operating
systems. You can use it to set up new computers using network-based installations. It is not used to upgrade to Windows 10 Enterprise.
D: Windows Autopilot is a user-driven mode designed to minimize intervention of the IT administrator.
Reference:
https://docs.microsoft.com/en-us/windows/deployment/upgrade/windows-10-edition-upgrades
https://docs.microsoft.com/en-us/windows/configuration/provisioning-packages/provisioning-create-package
QUESTION 33
You install a feature update on a computer that runs Windows 10.
A. 5
B. 10
C. 14
D. 30
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Microsoft has changed the time period associated with operating system rollbacks with Windows 10 version 1607, decreasing it to 10 days. Previously, Windows
10 had a 30-day rollback period.
Reference:
https://redmondmag.com/articles/2016/08/04/microsoft-shortens-windows-10-rollback-period.aspx
QUESTION 34
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might
meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
The research department has several computers that have specialized hardware and software installed.
You need to prevent the video drivers from being updated automatically by using Windows Update.
Solution: From the Windows Update settings in a Group Policy object (GPO), you enable Do not include drivers with Windows Updates.
Does this meet the goal?
A. Yes
B. No
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://www.stigviewer.com/stig/microsoft_windows_server_2012_member_server/2013-07-25/finding/WN12-CC-000024
QUESTION 35
HOTSPOT
Your network contains an Active Directory domain named contoso.com. The domain contains 500 computers that run Windows 8.1. Some of the computers are
used by multiple users.
You plan to refresh the operating system of the computers to Windows 10.
You need to retain the personalization settings to applications before you refresh the computers. The solution must minimize network bandwidth and network
storage space.
Which command should you run on the computers? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/deployment/usmt/usmt-scanstate-syntax#how-to-use-ui-and-ue
QUESTION 36
HOTSPOT
You have a hybrid Microsoft Azure Active Directory (Azure AD) tenant.
You configure a Windows Autopilot deployment profile as shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/intune/enrollment-autopilot
QUESTION 37
DRAG DROP
You plan to deploy Windows 10 to the computers by performing a wipe and load installation.
You need to recommend a method to retain the user settings and the user data.
Which three actions should you recommend be performed in sequence? To answer, move the appropriate actions from the list of actions to the answer area and
arrange them in the correct order.
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/deployment/windows-10-deployment-scenarios
http://itproguru.com/expert/2016/01/step-by-step-how-to-migrate-users-and-user-data-from-xp-vista-windows-7-or-8-to-windows-10-using-microsoft-tool-usmt-user-
state-migration-toolkit/
QUESTION 38
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might
meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your company uses Windows Autopilot to configure the computer settings of computers issued to users.
A user named User1 has a computer named Computer1 that runs Windows 10.
You need to ensure that when User2 first starts the computer, User2 is prompted to select the language setting and to agree to the license agreement.
A. Yes
B. No
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot-reset
QUESTION 39
You have a Microsoft 365 subscription.
A remote user purchases a laptop from a retail store. The laptop is intended for company use and has Windows 10 Pro edition installed.
The solution must minimize how long it takes for the user to apply the configurations.
What should you do?
A. Create a custom Windows image (.wim) file that contains an image of Windows 10 Enterprise and upload the file to a Microsoft
B. Create a provisioning package (.ppkg) file and email the file to the user
C. Create a Windows To Go workspace and ship the workspace to the user
D. Create a Sysprep Unattend (.xml) file and email the file to the user
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/configuration/provisioning-packages/provisioning-packages
QUESTION 40
You have a Microsoft 365 subscription. All devices run Windows 10.
You need to prevent users from enrolling the devices in the Windows Insider Program.
What should you configure from Microsoft 365 Device Management? Each correct answer presents part of the solution.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 41
Your network contains an Active Directory domain named contoso.com that syncs to Azure Active Directory (Azure AD).
Existing on-premises computers are managed by using Microsoft Endpoint Configuration Manager. You configure contoso.com for co-management.
You deploy 100 new devices that run Windows 10. The devices are joined to Azure AD and enrolled in Microsoft Intune.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
For new internet-based devices, you need to create an app in Intune. Deploy this app to Windows 10 devices that aren't already Configuration Manager clients.
This scenario is when you have new Windows 10 devices that join Azure AD and automatically enroll to Intune. You install the Configuration Manager client to
reach a co-management state.
Reference:
https://docs.microsoft.com/en-us/configmgr/comanage/how-to-prepare-win10
QUESTION 42
Your network contains an Active Directory domain named contoso.com that syncs to Azure Active Directory (Azure AD).
The Active Directory domain contains 200 computers that run Windows 10. The computers are managed by using Microsoft System Center Configuration
Manager (Current Branch).
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The Pilot Intune setting switches the associated workload only for the devices in the pilot collection.
Note: When you enable co-management, you'll assign a collection as a Pilot group. This is a group that contains a small number of clients to test your co-
management configurations. We recommend you create a suitable collection before you start the procedure. Then you can select that collection without exiting
the procedure to do so.
Reference:
https://docs.microsoft.com/en-us/configmgr/comanage/tutorial-co-manage-new-devices
QUESTION 43
HOTSPOT
You network contains an Active Directory domain. The domain contains 200 computers that run Windows 8.1. You have a Microsoft Azure subscription.
What should you do? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
QUESTION 44
You have a Microsoft 365 subscription.
You have 20 computers that run Windows 10 and are joined to Microsoft Azure Active Directory (Azure AD).
You plan to replace the computers with new computers that run Windows 10. The new computers will be joined to Azure AD.
You need to ensure that the desktop background, the favorites, and the browsing history are available on the new computers.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/devices/enterprise-state-roaming-windows-settings-reference
QUESTION 45
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might
meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Solution: From the Settings app, you select Access work or school, and then you select Add or remove a provisioning package.
A. Yes
B. No
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
To install a provisioning package, navigate to Settings > Accounts > Access work or school > Add or remove a provisioning package > Add a package, and select
the package to install.
Reference:
https://docs.microsoft.com/en-us/windows/configuration/provisioning-packages/provisioning-apply-package
QUESTION 46
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might
meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Solution: From File Explorer, you go to C:\Folder1, and then you double-click the Package1.ppkg file.
A. Yes
B. No
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
To install a provisioning package, navigate to Settings > Accounts > Access work or school > Add or remove a provisioning package > Add a package, and select
the package to install.
Reference:
https://docs.microsoft.com/en-us/windows/configuration/provisioning-packages/provisioning-apply-package
QUESTION 47
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might
meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Solution: At a command prompt, you change the current folder to C:\Folder1, and then you run the RegSvr32.exe Package1.ppkg command.
A. Yes
B. No
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
To install a provisioning package, navigate to Settings > Accounts > Access work or school > Add or remove a provisioning package > Add a package, and select
the package to install.
Reference:
https://docs.microsoft.com/en-us/windows/configuration/provisioning-packages/provisioning-apply-package
QUESTION 48
You manage 1,000 computers that run Windows 10. All the computers are enrolled in Microsoft Intune. You manage the servicing channel settings of the
computers by using Intune.
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/intune/windows-update-compliance-reports
QUESTION 49
You have an Azure Active Directory (Azure AD) tenant named contoso.com.
You plan to use Windows Autopilot to configure the Windows 10 devices shown in the following table.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/self-deploying
QUESTION 50
HOTSPOT
Your network contains an on-premises Active Directory forest named contoso.com that syncs to Azure Active Directory (Azure AD). Azure AD contains the users
shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/deployment/windows-10-subscription-activation
QUESTION 51
HOTSPOT
You have an Azure Active Directory (Azure AD) tenant named adatum.com that contains the users shown in the following table.
Which users should you identify? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/devices/assign-local-admin
QUESTION 52
You use Microsoft Intune to manage client computers. The computers run one of the following operating systems:
Windows 8.1
Windows 10 Pro
Windows 10 Enterprise
Windows 10 Enterprise LTSC
You plan to manage Windows updates on the computers by using update rings.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/intune/protect/windows-update-for-business-configure
QUESTION 53
HOTSPOT
You are creating a Windows Autopilot deployment profile named Profile1 as shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/user-driven#:~:text=Windows%20Autopilot%20user%2Ddriven%20mode%20is%
20designed%20to%20enable%20new,personnel%20ever%20touch%20the%20device.
https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/white-glove
QUESTION 54
You have a computer named Computer1 that runs Windows 8.1.
You plan to perform an in-place upgrade of Computer1 to Windows 10 by using an answer file.
You need to identify which tool to use to create the answer file.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://thesleepyadmins.com/2019/05/31/create-windows-10-answer-file/
QUESTION 55
Your network contains an Active Directory domain. The domain contains 10 computers that run Windows 8.1 and use local user profiles.
You deploy 10 new computers that run Windows 10 and join the computers to the domain.
You need to migrate the user profiles from the Windows 8.1 computers to the Windows 10 computers.
A. From the Windows 8.1 computer of each user, run imagex.exe/capture, and then from the Windows 10 computer of each user, run imagex.exe/apply.
B. Configure roaming user profiles for the users. Instruct the users to first sign in to and out of their Windows 8.1 computer and then to sign in to their Windows
10 computer.
C. From the Windows 8.1 computer of each user, run scanstate.exe, and then from the Windows 10 computer of each user, run loadstate.exe.
D. Configure Folder Redirection for the users. Instruct the users to first sign in to and out of their Windows 8.1 computer, and then to sign in to their Windows 10
computer.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The ScanState command is used with the User State Migration Tool (USMT) 10.0 to scan the source computer, collect the files and settings, and create a store.
Reference:
https://docs.microsoft.com/en-us/windows/deployment/usmt/usmt-scanstate-syntax
https://docs.microsoft.com/en-us/windows/deployment/usmt/usmt-loadstate-syntax
QUESTION 56
You have computers that run Windows 8.1 or Windows 10. All the computers are enrolled in Microsoft Intune, Endpoint Configuration Manager, and Desktop
Analytics. Co-management is enabled for your environment.
You need to identify which Windows 8.1 computers do NOT have supported Windows 10 drivers.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/configmgr/desktop-analytics/about-deployment-plans
QUESTION 57
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might
meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Solution: From the Settings app, you use the Recovery options.
A. Yes
B. No
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://answers.microsoft.com/en-us/windows/forum/windows_10-windows_install/how-to-recover-restore-your-previous-version-of/94368560-9c64-4387-92b9-
82a9234216ad
QUESTION 58
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might
meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Solution: You restart the computer to Windows Recovery Environment (Windows RE) and use the Advanced options.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 59
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might
meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Solution: From Windows Update in the Settings app, you use the Advanced options.
A. Yes
B. No
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 60
DRAG DROP
Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the
correct order.
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/configuration/provisioning-packages/provisioning-install-icd
QUESTION 61
HOTSPOT
You upgrade three computers from Windows 8.1 to Windows 10 as shown in the following table.
The in-place upgrade settings used to perform the upgrade are shown in the following table.
After the upgrade, you perform the following actions on each computer:
Add a local user account named LocalAdmin1.
Install Microsoft Office 2019.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://www.infoworld.com/article/3033806/how-to-roll-back-your-windows-10-upgrade.html
QUESTION 62
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might
meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain. The domain contains member computers that run Windows 8.1 and are enrolled in Microsoft Intune.
Solution: From the Microsoft Endpoint Manager admin center, you create a device compliance policy and assign the policy to the computers. After 24 hours, you
view the Device compliance report in Intune.
A. Yes
B. No
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 63
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might
meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain. The domain contains member computers that run Windows 8.1 and are enrolled in Microsoft Intune.
Solution: From Windows on the Devices blade of the Microsoft Endpoint Manager admin center, you create a filter and export the results as a CSV file.
A. Yes
B. No
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 64
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might
meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain. The domain contains member computers that run Windows 8.1 and are enrolled in Microsoft Intune.
Solution: You install the Microsoft Assessment and Planning Toolkit. From the Microsoft Assessment and Planning Toolkit, you collect inventory data and run the
Windows 10 Readiness scenario.
A. Yes
B. No
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://www.techielass.com/using-maps-azure-readiness/
QUESTION 65
You have a Microsoft 365 tenant that uses Microsoft Intune for mobile device management (MDM).
You purchase an app named Appl from the Microsoft Store for Business.
You need to ensure that Appl can be deployed by using Intune.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/intune/apps/windows-store-for-business
QUESTION 66
HOTSPOT
Your network contains an on-premises Active Directory domain named contoso.com that syncs to Azure Active Directory (Azure AD).
A user named User1 uses the domain-joined devices shown in the following table.
In the Azure Active Directory admin center, you assign a Windows 10 Enterprise E5 license to User1.
You need to identify what will occur when User1 next signs in to the devices.
What should you identify for each device? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/deployment/windows-10-subscription-activation
QUESTION 67
You have a server that runs the Microsoft Deployment Toolkit (MDT). You have computers that run Windows 8.1 or Windows 10.
You have a Microsoft 365 tenant. Microsoft 365 Enterprise E5 licenses are assigned to all users.
You need to recommend a strategy to install Windows 10 on the Windows 8.1 computers. The installation must retain the user files, settings, and supported
applications.
A. Refresh the Window 8.1 computers by using Windows 10 and use the User State Migration Tool (USMT).
B. Perform an in-place upgrade of Windows 8.1 to Windows 10.
C. Refresh the Window 8.1 computers by using Windows 10 and use Windows Autopilot white glove service to finalize the installation.
D. Refresh the Window 8.1 computers by using Windows 10 and use Windows Autopilot user-driven mode.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/deployment/deploy-m365
https://docs.microsoft.com/en-us/windows/deployment/upgrade/windows-10-upgrade-paths
QUESTION 68
You use the Microsoft Deployment Toolkit (MDT) to deploy Windows 10.
You create a new task sequence by using the Standard Client Task Sequence template to deploy Windows 10 Enterprise to new computers. The computers have
a single hard disk.
You need to modify the task sequence to create a system volume and a data volume.
A. Preinstall
B. State Restore
C. Initialization
D. Postinstall
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://www.prajwaldesai.com/create-extra-partition-in-mdt/
QUESTION 69
HOTSPOT
You have the Microsoft Deployment Toolkit (MDT) installed in three sites as shown in the following table.
You use Distributed File System (DFS) Replication to replicate images in a share named Production.
[Settings]
Priority=DefaultGateway, Default
[DefaultGateway]
10.1.1.1=NewYork
10.5.5.1=London
[NewYork]
DeployRoot=\\MDT1\Production$
[London]
DeployRoot=\\MDT2\Production$
KeyboardLocale=en-gb
[Default]
DeployRoot=\\MDT3\Production$
KeyboardLocale=en-us
You plan to deploy Windows 10 to the computers shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment
QUESTION 70
You are replacing 100 company-owned Windows devices.
You need to use the Microsoft Deployment Toolkit (MDT) to securely wipe and decommission the devices. The solution must meet the following requirements:
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit
QUESTION 71
HOTSPOT
Compatibility insights
App usage insights
Which devices should you identify? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/configmgr/desktop-analytics/compat-assessmenthttps://docs.microsoft.com/en-us/mem/configmgr/desktop-analytics/
compat-assessment
https://azure.microsoft.com/en-us/updates/application-insights-adds-support-for-ios-and-android-apps-improved-java-app-support-and-fine-time-selection/
Policies and Profiles
Testlet 1
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be
additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the
time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits
and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in
this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next
section of the exam. After you begin a new section, you cannot return to this section.
General Overview
Litware, Inc. is an international manufacturing company that has 3,000 employees. The company has sales, marketing, research, human resources (HR),
development, and IT departments.
Litware has two main offices in New York and Los Angeles. Litware has five branch offices in Asia.
Existing Environment
During discovery, the company discovers a process where users are emailing bank account information of its customers to internal and external recipients.
Current Environment
The network contains an Active Directory domain that is synced to Microsoft Azure Active Directory (Azure AD). The functional level of the forest and the domain
is Windows Server 2012 R2. All domain controllers run Windows Server 2012 R2.
Litware has the computers shown in the following table.
Most of the employees in the sales department are contractors. Each contractor is assigned a computer that runs Windows 10. At the end of each contract, the
computer is assigned to a different contractor. Currently, the computers are re-provisioned manually by the IT department.
Problem Statements
Litware identifies the following issues on the network:
Employees in the Los Angeles office report slow Internet performance when updates are downloading. The employees also report that the updates frequently
consume considerable resources when they are installed. The Update settings are configured as shown in the Updates exhibit. (Click the Updates button.)
Management suspects that the source code for the proprietary applications in Azure DevOps in being shared externally.
Re-provisioning the sales department computers is too time consuming.
Requirements
Business Goals
Litware plans to transition to co-management for all the company-owned Windows 10 computers. Whenever possible, Litware wants to minimize hardware and
software costs.
Prevent the sales department employees from forwarding email that contains bank account information.
Ensure that Microsoft Edge Favorites are accessible from all computers to which the developers sign in.
Prevent employees in the research department from copying patented information from trusted applications to untrusted applications.
Technical Requirements
Litware identifies the following technical requirements for the planned deployment:
Exhibits
Updates
QUESTION 1
What should you use to meet the technical requirements for Azure DevOps?
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/manage-conditional-access?view=azure-devops
QUESTION 2
What should you upgrade before you can configure the environment to support co-management?
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/sccm/comanage/tutorial-co-manage-clients
QUESTION 3
You need to meet the device management requirements for the developers.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Litware identifies the following device management requirements:
Ensure that Microsoft Edge Favorites are accessible from all computers to which the developers sign in.
Enterprise State Roaming allows for the synchronization of Microsoft Edge browser setting, including favorites and reading list, across devices.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/devices/enterprise-state-roaming-windows-settings-reference
Policies and Profiles
Testlet 2
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be
additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the
time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits
and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in
this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next
section of the exam. After you begin a new section, you cannot return to this section.
Overview
Contoso, Ltd, is a consulting company that has a main office in Montreal and two branch offices in Seattle and New York.
Contoso has the users and computers shown in the following table.
The company has IT, human resources (HR), legal (LEG), marketing (MKG) and finance (FIN) departments.
Contoso uses Microsoft Store for Business and recently purchased a Microsoft 365 subscription.
The company is opening a new branch office in Phoenix. Most of the users in the Phoenix office will work from home.
Existing Environment
The network contains an Active Directory domain named contoso.com that is synced to Microsoft Azure Active Directory (Azure AD).
All member servers run Windows Server 2016. All laptops and desktop computers run Windows 10 Enterprise.
The computers are managed by using Microsoft Endpoint Configuration Manager. The mobile devices are managed by using Microsoft Intune.
The naming convention for the computers is the department acronym, followed by a hyphen, and then four numbers, for example, FIN-6785. All the computers
are joined to the on-premises Active Directory domain.
Each department has an organizational unit (OU) that contains a child OU named Computers. Each computer account is in the Computers OU of its respective
department.
Intune Configuration
The device compliance policies in Intune are configured as shown in the following table.
The device compliance policies have the assignments shown in the following table.
The device limit restrictions in Intune are configured as shown in the following table.
Requirements
Planned Changes
Contoso plans to implement the following changes:
Provide new computers to the Phoenix office users. The new computers have Windows 10 Pro preinstalled and were purchased already.
Start using a free Microsoft Store for Business app named App1.
Implement co-management for the computers.
Technical Requirements
Contoso must meet the following technical requirements:
Ensure that the users in a group named Group4 can only access Microsoft Exchange Online from devices that are enrolled in Intune.
Deploy Windows 10 Enterprise to the computers of the Phoenix office users by using Windows Autopilot.
Monitor the computers in the LEG department by using Windows Analytics.
Create a provisioning package for new computers in the HR department.
Block iOS devices from sending diagnostic and usage telemetry data.
Use the principle of least privilege whenever possible.
Enable the users in the MKG department to use App1.
Pilot co-management for the IT department.
QUESTION 1
You need to meet the technical requirements for the iOS devices.
A. A compliance policy
B. An app protection policy
C. A deployment profile
D. A device configuration profile
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Scenario: Technical requirements include: Block iOS devices from sending diagnostic and usage telemetry data.
Intune includes device restriction policies that help administrators control Android, iOS, macOS, and Windows devices. These restrictions let you control a wide
range of settings and features to protect your organization's resources. For example, administrators can:
QUESTION 2
HOTSPOT
To which devices do Policy1 and Policy2 apply? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/intune/device-profile-assign
QUESTION 3
HOTSPOT
What is the maximum number of devices that User1 and User2 can enroll in Intune? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
QUESTION 4
You need to meet the technical requirements for the IT department.
A. From the Azure Active Directory blade in the Azure portal, enable Seamless single sign-on.
B. From the Configuration Manager console, add an Intune subscription.
C. From the Azure Active Directory blade in the Azure portal, configure the Mobility (MDM and MAM) settings.
D. From the Microsoft Intune blade in the Azure portal, configure the Windows enrollment settings.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/sccm/comanage/tutorial-co-manage-clients
QUESTION 5
HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
QUESTION 6
HOTSPOT
You create a new conditional access policy that has an assignment for Office 365 Exchange Online.
You need to configure the policy to meet the technical requirements for Group4.
Which two settings should you configure in the policy? To answer, select the appropriate settings in the answer area.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The policy needs to be applied to Group4 so we need to configure Users and Groups.
Note: When a device enrolls in Intune, the device information is updated in Azure AD to include the device compliance status. This compliance status is used by
conditional access policies to block or allow access to e-mail and other organization resources.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/conditions
https://docs.microsoft.com/en-us/intune/device-compliance-get-started
Policies and Profiles
Question Set 3
QUESTION 1
HOTSPOT
You have unrooted devices enrolled in Microsoft Intune as shown in the following table.
In Intune, you create a device compliance location that has the following configurations:
Name: Network1
IPv4 range: 192.168.0.0/16
In Intune, you create a device compliance policy for the Android platform. The policy has following configurations:
Name: Policy1
Device health: Rooted devices: Block
Locations: Location: Network1
Mark device noncompliant: Immediately
Assigned: Group1
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
https://docs.microsoft.com/en-us/intune/device-compliance-get-started
QUESTION 2
You have an Azure Active Directory (Azure AD) tenant named adatum.com. The tenant contains Windows 10 devices that are enrolled in Microsoft Intune.
You create an Azure Log Analytics workspace and add the Device Health Solution to the workspace.
You need to create a custom device configuration profile that will enroll the Windows 10 devices in Device Health.
A. ./Vendor/MSFT/DMClient/Provider/MS DM Server/Push
B. ./Vendor/MSFT/DMClient/Provider/MS DM Server/CommercialID
C. ./Vendor/MSFT/DMClient/Provider/MS DM Server/ManagementServerAddressList
D. ./Vendor/MSFT/DMClient/Provider/MS DM Server/Push/ChannelURI
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://allthingscloud.blog/monitor-windows-10-updates-for-intune-mdm-enrolled-devices/
QUESTION 3
HOTSPOT
You have 100 computers that run Windows 10. The computers are joined to Microsoft Azure Active Directory (Azure AD) and enrolled in Microsoft Intune.
Which two settings should you configure in Device restrictions? To answer, select the appropriate settings in the answer area.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview
QUESTION 4
HOTSPOT
You have computers that run Windows 10 as shown in the following table.
In a Group Policy object (GPO) linked to the domain, you enable the Computer Configuration/Administrative Templates/Windows Components/Search/Allow
Cortana setting.
In an Intune device configuration profile that is assigned to an Azure Active Directory group that includes Computer2 and Computer3, you configure the following:
Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP to a value of 1
Experience/AllowCortana to a value of 0.
Each of the following statement, select Yes if the statement is true. Otherwise, select No.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://blogs.technet.microsoft.com/cbernier/2018/04/02/windows-10-group-policy-vs-intune-mdm-policy-who-wins/
QUESTION 5
Your company plans to deploy Windows 10 to devices that will be configured for English use and other devices that will be configured for Korean use.
You need to create a single multivariant provisioning package for the planned devices.
What should you do next to add the language settings to the package?
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Follow these steps to create a provisioning package with multivariant capabilities.
1. Build a provisioning package and configure the customizations you want to apply during certain conditions.
2. After you've configured the settings, save the project.
3. Open the project folder and copy the customizations.xml file to any local location.
4. Use an XML or text editor to open the customizations.xml file.
5. Edit the customizations.xml file to create a Targets section to describe the conditions that will handle your multivariant settings.
6. In the customizations.xml file, create a Variant section for the settings you need to customize.
7. Save the updated customizations.xml file and note the path to this updated file. You will need the path as one of the values for the next step.
8. Use the Windows Configuration Designer command-line interface to create a provisioning package using the updated customizations.xml.
Reference:
https://docs.microsoft.com/en-us/windows/configuration/provisioning-packages/provisioning-multivariant
QUESTION 6
Your network contains an Active Directory domain that is synced to Microsoft Azure Active Directory (Azure AD).
You need to configure the policy to prevent access to Exchange Online unless a user is connecting from a device that is hybrid Azure AD-joined.
Which settings should you configure?
A. Locations
B. Device platforms
C. Sign-in risk
D. Device state
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/conditions#device-state
QUESTION 7
You have 200 computers that run Windows 10. The computers are joined to Microsoft Azure Active Directory (Azure AD) and enrolled in Microsoft Intune.
A. Saved Games
B. Documents
C. Music
D. Downloads
E. Favorites
F. AppData
G. Videos
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/onedrive/redirect-known-folders
QUESTION 8
You have a Microsoft 365 subscription.
You have a conditional access policy that requires multi-factor authentication (MFA) for users in a group name Sales when the users sign in from a trusted
location. The policy is configured as shown in the exhibit. (Click the Exhibit tab.)
You create a compliance policy.
You need to ensure that the users are authenticated only if they are using a compliant device.
A. a condition
B. a session control
C. a cloud app
D. a grant control
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The device state condition can be used to exclude devices that are hybrid Azure AD joined and/or devices marked as compliant with a Microsoft Intune
compliance policy from an organization's Conditional Access policies.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-conditions#device-state
QUESTION 9
You have an Azure Active Directory (Azure AD) tenant that contains a user named User1. User1 has the device shown in the following table.
Enterprise State Roaming is configured for User1.
You need to identify on which devices User1 will have a changed desktop.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The requirements of Enterprise State Roaming are:
Windows 10, with the latest updates, and a minimum Version 1511 (OS Build 10586 or later) is installed on the device.
The device is Azure AD joined or hybrid Azure AD joined.
Ensure that Enterprise State Roaming is enabled for the tenant in Azure AD.
The user is assigned an Azure Active Directory Premium license.
The device must be restarted and the user must sign in again to access Enterprise State Roaming features.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/devices/enterprise-state-roaming-troubleshooting
QUESTION 10
HOTSPOT
You have a workgroup computer named Computer1 that runs Windows 10 and has the users shown in the following table.
You are creating a file named Kiosk.xml that specifies a lockdown profile for a multi-app kiosk.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Reference:
https://docs.microsoft.com/en-us/windows/configuration/lock-down-windows-10-to-specific-apps#config-for-group-accounts
QUESTION 11
HOTSPOT
Your network contains an Active Directory domain named contoso.com that syncs to Azure Active Directory (Azure AD). The domain contains the users shown in
the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Box 1: No
Computer2 runs Windows 8.1.
Enterprise State Roaming requires Windows 10, with the latest updates, and a minimum Version 1511 (OS Build 10586).
Also, Enterprise State Roaming is enabled for User2, not for User1.
Box 2: No
The device must be Azure AD joined or hybrid Azure AD joined.
Your network contains an Active Directory domain named contoso.com that syncs to Azure Active Directory (Azure AD), in other words, a hybrid Azure AD.
Also, Enterprise State Roaming is enabled for User2, not for User1.
Box 3: Yes
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/devices/enterprise-state-roaming-troubleshooting
QUESTION 12
HOTSPOT
Your company has computers that run Windows 8.1, Windows 10, or macOS.
You need to create an Intune profile to configure Windows Hello for Business on the computers that support it.
Which platform type and profile type should you use? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Windows Hello for Business is a method for signing in to Windows devices by replacing passwords, smart cards, and virtual smart cards. Intune includes built-in
settings so Administrators can configure and use Windows Hello for Business. For example, you can use these settings to:
Enable Windows Hello for Business for devices and users
Set device PIN requirements, including a minimum or maximum PIN length
Allow gestures, such as a fingerprint, that users can (or can't use) to sign in to devices
Reference:
https://docs.microsoft.com/en-us/mem/intune/protect/identity-protection-configure
QUESTION 13
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might
meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure Directory group named Group1 that contains Windows 10 Enterprise devices and Windows 10 Pro devices.
From Microsoft Intune, you create a device configuration profile named Profile1.
You need to ensure that Profile1 applies to only the Windows 10 Enterprise devices in Group1.
Solution: You create an Azure Active Directory group that contains only the Windows 10 Enterprise devices. You assign Profile1 to the new group.
A. Yes
B. No
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/intune/configuration/device-profile-create
QUESTION 14
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might
meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure Directory group named Group1 that contains Windows 10 Enterprise devices and Windows 10 Pro devices.
From Microsoft Intune, you create a device configuration profile named Profile1.
You need to ensure that Profile1 applies to only the Windows 10 Enterprise devices in Group1.
Solution: You create a scope tag, and then you add the scope tag to the Windows 10 Enterprise devices. You edit the settings of Profile1.
A. Yes
B. No
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/intune/configuration/device-profile-create
QUESTION 15
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might
meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure Directory group named Group1 that contains Windows 10 Enterprise devices and Windows 10 Pro devices.
From Microsoft Intune, you create a device configuration profile named Profile1.
You need to ensure that Profile1 applies to only the Windows 10 Enterprise devices in Group1.
Solution: You configure an applicability rule for Profile1. You assign Profile1 to Group1.
A. Yes
B. No
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/intune/configuration/device-profile-create
QUESTION 16
HOTSPOT
You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains a user named User1. User1 has the devices shown in the following
table.
On September 5, 2019, you create and enforce a terms of use (ToU) in contoso.com. The ToU has the following settings:
Name: Terms1
Display name: Terms1 name
Require users to expand the terms of use: Off
Require users to consent on every device: On
Expire consents: On
Expire starting on: October 10, 2019
Frequency: Monthly
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/terms-of-use#frequently-asked-questions
QUESTION 17
HOTSPOT
You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains the devices shown in the following table.
All devices contain an app named App1 and are enrolled in Microsoft Intune.
You need to prevent users from copying data from App1 and pasting the data into other apps.
Which type of policy and how many policies should you create in Intune? To answer, select the appropriate options in the answer area.
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/intune/apps/app-protection-policies
https://docs.microsoft.com/en-us/mem/intune/apps/app-protection-policies-configure-windows-10
QUESTION 18
Your company has an internal portal that uses a URL of http://contoso.com.
The network contains computers that run Windows 10. The default browser on all the computers is Microsoft Edge.
You need to ensure that all users only use Internet Explorer to connect to the internal portal. The solution must ensure that Microsoft Edge can be used to connect
to all other websites.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/microsoft-edge/deploy/emie-to-improve-compatibility
QUESTION 19
Your company uses Microsoft Intune.
More than 500 Android and iOS devices are enrolled in the Intune tenant.
You plan to deploy new Intune policies. Different policies will apply depending on the version of Android or iOS installed on the device.
You need to ensure that the policies can target the devices based on their version of Android or iOS.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/intune/compliance-policy-create-android
https://docs.microsoft.com/en-us/intune/compliance-policy-create-ios
QUESTION 20
You have computers that run Windows 10 Pro. The computers are joined to Microsoft Azure Active Directory (Azure AD) and enrolled in Microsoft Intune.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://blogs.technet.microsoft.com/skypehybridguy/2018/09/21/intune-upgrade-windows-from-pro-to-enterprise-automatically/
QUESTION 21
You are creating a device configuration profile in Microsoft Intune.
A. Identity protection
B. Custom
C. Device restrictions
D. Device restrictions (Windows 10 Team)
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://blogs.technet.microsoft.com/senthilkumar/2018/05/21/intune-deploying-admx-backed-policies-using-microsoft-intune/
QUESTION 22
HOTSPOT
You have an Azure Active Directory (Azure AD) tenant named contoso.com that contains the users shown in the following table.
In Intune, you create the app protection policies shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/intune/apps/app-protection-policy
QUESTION 23
Your network contains an Active Directory named contoso.com. The domain contains two computers named Computer1 and Computer2 that run Windows 10.
Folder Redirection is configured for a domain user named User1. The AppData\Roaming folder and the Desktop folder are redirected to a network share.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows-server/storage/folder-redirection/folder-redirection-rup-overview
QUESTION 24
HOTSPOT
File1.docx in C:\Users\User1\Desktop
File2.docx in C:\Users\Public\Public Desktop
File3.docx in C:\Users\Default\ Desktop
User3 then signs in to Computer1 and creates a file named File4.docx in C:\Users\User3\Desktop.
User2 has never signed in to Computer1.
How many DOCX files will appear on the desktop of each user the next time each user signs in? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
QUESTION 25
Your network contains an Active Directory domain named contoso.com. The domain contains 200 computers that run Windows 10.
Folder Redirection for the Desktop folder is configured as shown in the following exhibit.
The target is set to Server1.
You plan to use known folder redirection in Microsoft OneDrive for Business.
You need to ensure that the desktop content of users remains on their desktop when you implement known folder redirection.
Which two actions should you perform? Each correct answer presents part of the solution.
A. Clear the Grant the user exclusive rights to Desktop check box.
B. Change the Policy Removal setting.
C. Disable Folder Redirection.
D. Clear the Move the contents of Desktop to the new location check box.
Correct Answer: AB
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/onedrive/redirect-known-folders
QUESTION 26
HOTSPOT
You have business requirements for securing your Windows 10 environment as shown in the following table.
What should you implement to meet each requirement? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/intune/protect/device-compliance-get-started
QUESTION 27
HOTSPOT
Your company has computers that run Windows 10. The employees at the company use the computers.
You plan to monitor the computers by using the Update Compliance solution.
You need to configure the computers to send enhanced Update Compliance data.
Which two Group Policy settings should you configure? To answer, select the appropriate settings in the answer area.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/deployment/update/update-compliance-configuration-manual
QUESTION 28
HOTSPOT
You have devices enrolled in Configuration Manager as shown in the following table.
In Configuration Manager, you enable co-management and configure the following settings:
In Configuration Manager, you configure co-management staging to have the following settings:
In Configuration Manager, you configure co-management workloads as shown in the following exhibit.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/configmgr/comanage/workloads
QUESTION 29
You have an Azure Active Directory group named Group1. Group1 contains two Windows 10 Enterprise devices named Device1 and Device2.
You create a device configuration profile named Profile1. You assign Profile1 to Group1.
A. Scope (Tags)
B. Settings
C. Applicability Rules
D. Assignments
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/intune/configuration/device-profile-assign
QUESTION 30
Your network contains an on-premises Active Directory domain and an Azure Active Directory (Azure AD) tenant.
The Default Domain Policy Group Policy Object (GPO) contains the settings shown in the following table.
You need to migrate the existing Default Domain Policy GPO settings to a device configuration profile.
Which type of device configuration profile should you create?
A. Custom
B. Endpoint protection
C. Administrative Templates
D. Device restrictions
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://danielchronlund.com/2018/11/27/how-to-replace-your-old-gpos-with-intune-configuration-profiles/
QUESTION 31
Your company plans to deploy tablets to 50 meeting rooms.
The tablets run Windows 10 and are managed by using Microsoft Intune. The tablets have an application named App1.
You need to configure the tablets so that any user can use App1 without having to sign in. Users must be prevented from using other applications on the tablets.
A. Kiosk
B. Endpoint protection
C. Identity protection
D. Device restrictions
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/configuration/kiosk-single-app
QUESTION 32
HOTSPOT
Your network contains an Active Directory domain named contoso.com that syncs to Azure Active Directory (Azure AD). The domain contains computers that run
Windows 10. The computers are configured as shown in the following table.
You configure the following Maintenance Scheduler settings in the Default Domain Policy:
In Intune, you create a device configuration profile named Profile1 that has the following OMA-URI settings:
How are the active hours configured on Computer1 and Computer2? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-controlpolicyconflict
QUESTION 33
HOTSPOT
You have 25 Microsoft Surface Hub devices that you plan to manage by using Microsoft Endpoint Manager.
Which profile types should you configure? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/intune/protect/identity-protection-windows-settings?toc=/intune/configuration/toc.json&bc=/intune/configuration/
breadcrumb/toc.json
https://docs.microsoft.com/en-us/mem/intune/protect/endpoint-protection-windows-10?toc=/intune/configuration/toc.json&bc=/intune/configuration/breadcrumb/
toc.json
QUESTION 34
DRAG DROP
Your network contains an Active Directory domain that is synced to Microsoft Azure Active Directory (Azure AD). All computers are joined to the domain and
registered to Azure AD.
The network contains a Microsoft System Center Configuration Manager (Current Branch) deployment that is configured for co-management with Microsoft
Intune.
All the computers in the finance department are managed by using Configuration Manager. All the computers in the marketing department are managed by using
Intune.
You install new computers for the users in the marketing department by using the Microsoft Deployment Toolkit (MDT).
You need to install App1 on the finance department computers and the marketing department computers.
How should you deploy App1 to each department? To answer, drag the appropriate deployment methods to the correct departments. Each deployment method
may be used once, more than once, or not at all. You may need to drag the split bat between panes or scroll to view content.
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/intune/apps-add
https://docs.microsoft.com/en-us/sccm/apps/get-started/create-and-deploy-an-application
QUESTION 35
Your company has a Microsoft 365 subscription.
The company uses conditional access to restrict access to Microsoft 365 services for devices that do not comply with the company’s security policies.
You need to identify which devices will be prevented from accessing Microsoft 365 services.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
QUESTION 36
HOTSPOT
Remove the Microsoft News and the Xbox Microsoft Store apps.
Add a VPN connection to the corporate network.
Which two customizations should you configure? To answer, select the appropriate customizations in the answer area.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/configuration/wcd/wcd-connectivityprofiles
https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-applicationrestrictions
https://docs.microsoft.com/en-us/windows/configuration/wcd/wcd-policies
QUESTION 37
You have an Azure Active Directory (Azure AD) tenant named contoso.com.
You are creating a conditional access policy named Policy1 to assign a cloud app named App1 to the users in contoso.com.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/require-tou
QUESTION 38
HOTSPOT
You have devices enrolled in Microsoft Intune as shown in the following table.
You create device configuration profiles in Intune as shown in the following table.
You assign the device configuration profiles to groups as shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Explanation:
If a compliance policy evaluates against the same setting in another compliance policy, then the most restrictive compliance policy setting applies.
Reference:
https://docs.microsoft.com/en-us/mem/intune/configuration/device-profile-troubleshoot
QUESTION 39
HOTSPOT
You are designing a reporting solution that will provide reports on the following:
You need to recommend a data source and a data visualization tool for the design.
What should you recommend? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/intune/developer/reports-nav-create-intune-reports
https://docs.microsoft.com/en-us/mem/intune/developer/reports-proc-get-a-link-powerbi
QUESTION 40
HOTSPOT
In Microsoft Intune, you have the device compliance policies shown in the following table.
The Intune compliance policy settings are configured as shown in the following exhibit.
On June 1, you enroll Windows 10 devices in Intune as shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/intune/protect/actions-for-noncompliance
QUESTION 41
HOTSPOT
You create the Windows Autopilot deployment profile-shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/user-driven
QUESTION 42
You need to assign the same deployment profile to all the computers that are configured by using Windows Autopilot.
Which two actions should you perform? Each correct answer presents part of the solution.
Correct Answer: BF
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://www.petervanderwoude.nl/post/automatically-assign-windows-autopilot-deployment-profile-to-windows-autopilot-devices/
QUESTION 43
Your company has a Microsoft Azure Active Directory (Azure AD) tenant named contoso.com. All users have computers that run Windows 10. The computers are
joined to Azure AD and managed by using Microsoft Intune.
You need to ensure that you can centrally monitor the computers by using Windows Analytics.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://www.scconfigmgr.com/2019/03/27/windows-analytics-onboarding-with-intune/
QUESTION 44
HOTSPOT
You have 200 computers that run Windows 10. The computers are joined to Microsoft Azure Active Directory (Azure AD) and enrolled in Microsoft Intune.
You need to set a custom image as the wallpaper and sign-in screen.
Which two settings should you configure in Device restrictions? To answer, select the appropriate settings in the answer area.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Sign-in screen, or Locked screen, image is set under Locked screen experience
Reference:
https://docs.microsoft.com/en-us/intune/device-restrictions-windows-10
QUESTION 45
Your company has a Microsoft Azure Active Directory (Azure AD) tenant named contoso.com. All users have computers that run Windows 10. The computers are
joined to Azure AD and managed by using Microsoft Intune.
You need to ensure that you can centrally monitor the computers by using the Update Compliance solution.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://www.jeffgilb.com/update-compliance-with-intune/
QUESTION 46
HOTSPOT
You have a Microsoft Intune subscription that has the following device compliance policy settings:
On January 1, you enroll Windows 10 devices in Intune as shown in the following table.
On January 4, you create the following two device compliance policies:
Name: Policy1
Platform: Windows 10 and later
Require BitLocker: Require
Mark device noncompliant: 5 days after noncompliance
Scope (Tags): Tag1
Name: Policy2
Platform: Windows 10 and later
Firewall: Require
Mark device noncompliant: Immediately
Scope (Tags): Tag2
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Box 1: No.
Policy1 and Policy2 apply to Group1 which Device1 is a member of. Device1 does not meet the firewall requirement in Policy2 so the device will immediately be
marked as non-compliant.
Box 2: No
For the same reason as Box1.
Box 3: Yes
Policy1 and Policy2 apply to Group1. Device2 is not a member of Group1 so the policies don’t apply.
The Scope (tags) have nothing to do with whether the policy is applied or not. The tags are used in RBAC.
QUESTION 47
HOTSPOT
You have 100 Windows 10 devices that are managed by using Microsoft Endpoint Manager.
You plan to sideload an app to the devices.
Which device profile type and setting should you configure? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/intune/configuration/device-restrictions-windows-10
QUESTION 48
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might
meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure Directory group named Group1 that contains Windows 10 Enterprise devices and Windows 10 Pro devices.
From Microsoft Intune, you create a device configuration profile named Profile1.
You need to ensure that Profile1 applies to only the Windows 10 Enterprise devices in Group1.
Solution: You create a scope tag, and then you add the scope tag to the Windows 10 Enterprise devices and Profile1.
A. Yes
B. No
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
QUESTION 49
Your company has a System Center Configuration Manager deployment that uses hybrid mobile device management (MDM). All Windows 10 devices are Active
Directory domain-joined.
Which two actions should you perform? Each correct answer presents part of the solution.
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/sccm/mdm/deploy-use/migrate-hybridmdm-to-intunesa
https://docs.microsoft.com/en-us/sccm/mdm/deploy-use/migrate-prepare-intune
https://docs.microsoft.com/en-us/sccm/mdm/deploy-use/change-mdm-authority
QUESTION 50
Your company has 200 computers that run Windows 10. The computers are managed by using Microsoft Intune.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/intune/delivery-optimization-windows
QUESTION 51
You have 500 computers that run Windows 10. The computers are joined to Microsoft Azure Active Directory (Azure AD) and enrolled in Microsoft Intune.
You plan to distribute certificates to the computers by using Simple Certificate Enrollment Protocol (SCEP).
You have the servers shown in the following table.
You are configuring a device profile as shown in the exhibit. (Click the Exhibit tab.)
A. Server1
B. Server2
C. Server3
D. Server4
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
QUESTION 52
You have 200 computers that run Windows 10. The computers are joined to Microsoft Azure Active Directory (Azure AD) and enrolled in Microsoft Intune.
A. Saved Games
B. Desktop
C. Music
D. Downloads
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/onedrive/redirect-known-folders
QUESTION 53
You have a Microsoft Azure Active Directory (Azure AD) tenant. All corporate devices are enrolled in Microsoft Intune.
You have a web-based application named App1 that uses Azure AD to authenticate.
You need to prompt all users of App1 to agree to the protection of corporate data when they access App1 from both corporate and noncorporate devices.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/terms-of-use
QUESTION 54
You are creating a device configuration profile in Microsoft Intune.
A. Identity protection
B. Custom
C. Device restrictions (Windows 10 Team)
D. Device restrictions
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/intune/configuration/custom-settings-windows-10
QUESTION 55
DRAG DROP
You have an Azure Active Directory (Azure AD) tenant that syncs to an on-premises Active Directory domain.
The tenant contains computers that run Windows 10. The computers are hybrid Azure AD joined and enrolled in Microsoft Intune. The Microsoft Office settings on
the computers are configured by using a Group Policy Object (GPO).
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in
the correct order.
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/intune/configuration/administrative-templates-windows
QUESTION 56
HOTSPOT
Your network contains an on-premises Active Directory forest named contoso.com. The forest contains a user named User1 and two computers named
Computer1 and Computer2 that run Windows 10.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
A mandatory user profile is a roaming user profile that has been pre-configured by an administrator to specify settings for users. Settings commonly defined in a
mandatory profile include (but are not limited to): icons that appear on the desktop, desktop backgrounds, user preferences in Control Panel, printer selections,
and more. Configuration changes made during a user's session that are normally saved to a roaming user profile are not saved when a mandatory user profile is
assigned.
The .man extension causes the user profile to be a read-only profile.
Reference:
https://docs.microsoft.com/en-us/windows/client-management/mandatory-user-profile
Manage and Protect Devices
Testlet 1
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be
additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the
time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits
and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in
this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next
section of the exam. After you begin a new section, you cannot return to this section.
Overview
Contoso, Ltd, is a consulting company that has a main office in Montreal and two branch offices in Seattle and New York.
Contoso has the users and computers shown in the following table.
The company has IT, human resources (HR), legal (LEG), marketing (MKG) and finance (FIN) departments.
Contoso uses Microsoft Store for Business and recently purchased a Microsoft 365 subscription.
The company is opening a new branch office in Phoenix. Most of the users in the Phoenix office will work from home.
Existing Environment
The network contains an Active Directory domain named contoso.com that is synced to Microsoft Azure Active Directory (Azure AD).
All member servers run Windows Server 2016. All laptops and desktop computers run Windows 10 Enterprise.
The computers are managed by using Microsoft Endpoint Configuration Manager. The mobile devices are managed by using Microsoft Intune.
The naming convention for the computers is the department acronym, followed by a hyphen, and then four numbers, for example, FIN-6785. All the computers
are joined to the on-premises Active Directory domain.
Each department has an organizational unit (OU) that contains a child OU named Computers. Each computer account is in the Computers OU of its respective
department.
Intune Configuration
The device compliance policies in Intune are configured as shown in the following table.
The device compliance policies have the assignments shown in the following table.
The device limit restrictions in Intune are configured as shown in the following table.
Requirements
Planned Changes
Contoso plans to implement the following changes:
Provide new computers to the Phoenix office users. The new computers have Windows 10 Pro preinstalled and were purchased already.
Start using a free Microsoft Store for Business app named App1.
Implement co-management for the computers.
Technical Requirements
Contoso must meet the following technical requirements:
Ensure that the users in a group named Group4 can only access Microsoft Exchange Online from devices that are enrolled in Intune.
Deploy Windows 10 Enterprise to the computers of the Phoenix office users by using Windows Autopilot.
Monitor the computers in the LEG department by using Windows Analytics.
Create a provisioning package for new computers in the HR department.
Block iOS devices from sending diagnostic and usage telemetry data.
Use the principle of least privilege whenever possible.
Enable the users in the MKG department to use App1.
Pilot co-management for the IT department.
QUESTION 1
DRAG DROP
You need to meet the technical requirements for the LEG department computers.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in
the correct order.
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/deployment/update/windows-analytics-azure-portal
https://docs.microsoft.com/en-us/windows/deployment/update/windows-analytics-get-started
Manage and Protect Devices
Question Set 2
QUESTION 1
HOTSPOT
Your network contains an Active Directory domain. Active Directory is synced with Microsoft Azure Active Directory (Azure AD).
There are 500 Active Directory domain-joined computers that run Windows 10 and are enrolled in Microsoft Intune.
You need to create a custom Microsoft Defender Exploit Guard policy, and then distribute the policy to all the computers.
What should you do? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml#manage-or-deploy-a-
configuration
https://docs.microsoft.com/en-us/intune/endpoint-protection-windows-10
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection
QUESTION 2
You have 100 devices that run Windows 10 and are joined to Microsoft Azure Active Directory (Azure AD).
You need to prevent users from joining their home computer to Azure AD.
A. From the Device enrollment blade in the Intune admin center, modify the Enrollment restriction settings.
B. From the Devices blade in the Azure Active Directory admin center, modify the Device settings.
C. From the Device enrollment blade in the Intune admin center, modify the Device enrollment manages settings.
D. From the Mobility (MDM and MAM) blade in the Azure Active Directory admin center, modify the Microsoft Intune enrollment settings.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/intune/enrollment-restrictions-set
QUESTION 3
Your company has a Microsoft 365 subscription.
A new user named Admin1 is responsible for deploying Windows 10 to computers and joining the computers to Microsoft Azure Active Directory (Azure AD).
Several days later, Admin1 receives the following error message: “This user is not authorized to enroll. You can try to do this again or contact your system
administrator with the error code (0x801c0003).”
You need to ensure that Admin1 can join computers to Azure AD and follow the principle of least privilege.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/devices/device-management-azure-portal
QUESTION 4
Your network contains an Active Directory domain named contoso.com. The domain contains computers that run Windows 10 and are joined to the domain.
The domain is synced to Microsoft Azure Active Directory (Azure AD).
You create an Azure Log Analytics workspace and deploy the Update Compliance solution.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Microsoft uses a unique commercial ID to map information from user computers to your Azure workspace. Copy your commercial ID key from any of the
Windows Analytics solutions you have added to your Windows Portal, and then deploy it to user computers.
Reference:
https://docs.microsoft.com/en-us/windows/deployment/update/update-compliance-get-started
QUESTION 5
You have an Azure Active Directory (Azure AD) tenant and 100 Windows 10 devices that are Azure AD joined and managed by using Microsoft Intune.
You need to configure Microsoft Defender Firewall and Microsoft Defender Antivirus on the devices. The solution must minimize administrative effort.
Which two actions should you perform? Each correct answer presents part of the solution.
A. To configure Microsoft Defender Antivirus, create a device configuration profile and configure the Endpoint protection settings.
B. To configure Microsoft Defender Firewall, create a device configuration profile and configure the Device restrictions settings.
C. To configure Microsoft Defender Firewall, create a Group Policy Object (GPO) and configure Microsoft Defender Firewall with Advanced Security.
D. To configure Microsoft Defender Antivirus, create a Group Policy Object (GPO) and configure Microsoft Defender Antivirus settings.
E. To configure Microsoft Defender Antivirus, create a device configuration profile and configure the Device restrictions settings.
F. To configure Microsoft Defender Firewall, create a device configuration profile and configure the Endpoint protection settings.
Correct Answer: AF
Section: (none)
Explanation
Explanation/Reference:
Explanation:
F: With Intune, you can use device configuration profiles to manage common endpoint protection security features on devices, including:
Firewall
BitLocker
Allowing and blocking apps
Microsoft Defender and encryption
Reference:
https://docs.microsoft.com/en-us/mem/intune/protect/endpoint-protection-configure
https://docs.microsoft.com/en-us/mem/intune/protect/endpoint-security-policy#create-an-endpoint-security-policy
QUESTION 6
Your network contains an Active Directory domain that is synced to Microsoft Azure Active Directory (Azure AD). The domain contains computers that run
Windows 10. The computers are enrolled in Microsoft Intune and Windows Analytics.
You need to identify non-approved apps that attempt to open corporate documents.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/wip-learning
QUESTION 7
HOTSPOT
Your company uses Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). Microsoft Defender ATP includes the machine groups shown in
the following table.
You onboard a computer to Microsoft Defender ATP as shown in the following exhibit.
What is the effect of the Microsoft Defender ATP configuration? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
QUESTION 8
Your company has computers that run Windows 10. The company uses Microsoft Intune to manage the computers.
You have an app protection policy for Microsoft Edge. You assign the policy to a group.
You need to verify whether Microsoft Edge on Computer1 is protected by the app protection policy.
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context
https://www.itpromentor.com/win10-mam-wip/
QUESTION 9
HOTSPOT
You have 200 computers that run Windows 10. The computers are joined to Microsoft Azure Active Directory (Azure AD) and enrolled in Microsoft Intune.
You need to configure an Intune device configuration profile to meet the following requirements:
Which two settings should you configure in Endpoint protection? To answer, select the appropriate settings in the answer area.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/intune/endpoint-protection-windows-10
QUESTION 10
HOTSPOT
You need to configure access to Microsoft Office 365 for unmanaged devices. The solution must meet the following requirements:
Allow only the Microsoft Intune Managed Browser to access Office 365 web interfaces.
Ensure that when users use the Intune Managed Browser to access Office 365 web interfaces, they can only copy data to applications that are managed by
the company.
Which two settings should you configure from the Microsoft Intune blade? To answer, select the appropriate settings in the answer area.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/intune/app-configuration-managed-browser#application-protection-policies-for-protected-browsers
QUESTION 11
Your company implements Microsoft Azure Active Directory (Azure AD), Microsoft 365, Microsoft Intune, and Azure Information Protection.
A. a data loss prevention (DLP) policy from the Security & Compliance admin center
B. a supervision policy from the Security & Compliance admin center
C. an app protection policy from the Endpoint Management admin center
D. a device configuration profile from the Endpoint Management admin center
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/intune/app-protection-policy
QUESTION 12
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might
meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your company has an Azure Active Directory (Azure AD) tenant named contoso.com that contains several Windows 10 devices.
When you join new Windows 10 devices to contoso.com, users are prompted to set up a four-digit pin.
You need to ensure that the users are prompted to set up a six-digit pin when they join the Windows 10 devices to contoso.com.
Solution: From the Azure Active Directory admin center, you configure the Authentication methods.
A. Yes
B. No
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Instead, from the Azure Active Directory admin center, you configure automatic mobile device management (MDM) enrollment. From the Endpoint Management
admin center, you configure the Windows Hello for Business enrollment options.
Reference:
https://docs.microsoft.com/en-us/intune/protect/windows-hello
QUESTION 13
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might
meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your company has an Azure Active Directory (Azure AD) tenant named contoso.com that contains several Windows 10 devices.
When you join new Windows 10 devices to contoso.com, users are prompted to set up a four-digit pin.
You need to ensure that the users are prompted to set up a six-digit pin when they join the Windows 10 devices to contoso.com.
Solution: From the Azure Active Directory admin center, you configure automatic mobile device management (MDM) enrollment. From the Endpoint
Management admin center, you configure the Windows Hello for Business enrollment options.
Does this meet the goal?
A. Yes
B. No
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Hello for Business is an alternative sign-in method that uses Active Directory or an Azure Active Directory account to replace a password, smart card, or a virtual
smart card. It lets you use a user gesture to sign in, instead of a password. A user gesture might be a PIN, biometric authentication such as Windows Hello, or an
external device such as a fingerprint reader.
Reference:
https://docs.microsoft.com/en-us/intune/protect/windows-hello
QUESTION 14
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might
meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your company has several Windows 10 devices that are enrolled in Microsoft Intune.
You deploy a new computer named Computer1 that runs Windows 10 and is in a workgroup.
Solution: From Computer1, you sign in to https://endpoint.microsoft.com and use the Windows enrollment blade.
A. Yes
B. No
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Use MDM enrolment.
MDM only enrollment lets users enroll an existing Workgroup, Active Directory, or Azure Active directory joined PC into Intune. Users enroll from Settings on the
existing Windows PC.
Reference:
https://docs.microsoft.com/en-us/mem/intune/enrollment/windows-enrollment-methods
QUESTION 15
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might
meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your company has an Azure Active Directory (Azure AD) tenant named contoso.com that contains several Windows 10 devices.
When you join new Windows 10 devices to contoso.com, users are prompted to set up a four-digit pin.
You need to ensure that the users are prompted to set up a six-digit pin when they join the Windows 10 devices to contoso.com.
Solution: From the Azure Active Directory admin center, you configure automatic mobile device management (MDM) enrollment. From the Endpoint
Management admin center, you create and assign a device restrictions profile.
A. Yes
B. No
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Instead, from the Azure Active Directory admin center, you configure automatic mobile device management (MDM) enrollment. From the Endpoint Management
admin center, you configure the Windows Hello for Business enrollment options.
Reference:
https://docs.microsoft.com/en-us/intune/protect/windows-hello
QUESTION 16
Your company has a Microsoft Azure Active Directory (Azure AD) tenant. All users in the company are licensed for Microsoft Intune.
You need to ensure that the users enroll their iOS device in Intune.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/intune/device-enrollment-program-enroll-ios
QUESTION 17
You use Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) to protect computers that run Windows 10.
You need to assess the differences between the configuration of Microsoft Defender ATP and the Microsoft-recommended configuration baseline.
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score
QUESTION 18
HOTSPOT
A company named A.Datum Corporation uses Microsoft Endpoint Configuration Manager, Microsoft Intune, and Desktop Analytics.
A.Datum purchases a company named Contoso, Ltd. Contoso has devices that run the following operating systems:
Windows 8.1
Windows 10
Android
iOS
You need to identify which devices can be monitored by using Desktop Analytics and how to add the devices to Desktop Analytics.
What should you identify? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/configmgr/desktop-analytics/overview
QUESTION 19
Your company uses Microsoft Intune to manage devices. You need to ensure that only Android devices that use Android work profiles can enroll in Intune.
Which two configurations should you perform in the device enrollment restrictions? Each correct answer presents part of the solution.
Correct Answer: AD
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/InTune/enrollment-restrictions-set
QUESTION 20
You have a Microsoft Azure Log Analytics workplace that collects all the event logs from the computers at your company.
You have a computer named Computer1 than runs Windows 10. You need to view the events collected from Computer1.
A. Event
| where Computer = = "Computer1"
B. ETWEvent
| where SourceSystem = = "Computer1"
C. ETWEvent
| where Computer = = "Computer1"
D. Event
| where SourceSystem = = "Computer1"
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-sources-windows-events
QUESTION 21
HOTSPOT
You have 1,000 computers that run Windows 10 and are members of an Active Directory domain.
You need to capture the event logs from the computers to Azure.
What should you do? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agent-windows
QUESTION 22
You have 200 computers that run Windows 10. The computers are joined to Microsoft Azure Active Directory (Azure AD) and enrolled in Microsoft Intune.
You need to ensure that only applications that you explicitly allow can run on the computers.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-
defender-application-control
QUESTION 23
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might
meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your company has several Windows 10 devices that are enrolled in Microsoft Intune.
You deploy a new computer named Computer1 that runs Windows 10 and is in a workgroup.
Solution: From Computer1, you sign in to https://portal.manage.microsoft.com and use the Devices tab.
A. Yes
B. No
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Use MDM enrolment.
MDM only enrollment lets users enroll an existing Workgroup, Active Directory, or Azure Active directory joined PC into Intune. Users enroll from Settings on the
existing Windows PC.
Reference:
https://docs.microsoft.com/en-us/mem/intune/enrollment/windows-enrollment-methods
QUESTION 24
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might
meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your company has several Windows 10 devices that are enrolled in Microsoft Intune.
You deploy a new computer named Computer1 that runs Windows 10 and is in a workgroup.
Solution: You install the Company Portal app on Computer1 and use the Devices tab from the app.
A. Yes
B. No
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Use MDM enrolment.
MDM only enrollment lets users enroll an existing Workgroup, Active Directory, or Azure Active directory joined PC into Intune. Users enroll from Settings on the
existing Windows PC.
Reference:
https://docs.microsoft.com/en-us/mem/intune/enrollment/windows-enrollment-methods
QUESTION 25
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might
meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your company has several Windows 10 devices that are enrolled in Microsoft Intune.
You deploy a new computer named Computer1 that runs Windows 10 and is in a workgroup.
You need to enroll Computer1 in Intune.
Solution: From the Settings app on Computer1, you use the Connect to work or school account settings.
A. Yes
B. No
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Use MDM enrolment.
MDM only enrollment lets users enroll an existing Workgroup, Active Directory, or Azure Active directory joined PC into Intune. Users enroll from Settings on the
existing Windows PC.
Reference:
https://docs.microsoft.com/en-us/mem/intune/enrollment/windows-enrollment-methods
QUESTION 26
HOTSPOT
You plan to enroll devices in Microsoft Endpoint Manager that have the platforms and versions shown in the following table.
Ensure that only devices that have approved platforms and versions can enroll in Endpoint Manager.
Ensure that devices are added to Microsoft Azure Active Directory (Azure AD) groups based on a selection made by users during the enrollment.
Which device enrollment setting should you configure for each requirement? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/intune/enrollment/enrollment-restrictions-set
https://docs.microsoft.com/en-us/mem/intune/enrollment/device-group-mapping
QUESTION 27
HOTSPOT
Your company has 1,000 Windows 10 devices that are enrolled in Windows Analytics.
Which Windows Analytics solutions should you use? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Note: Windows Analytics is now known as Desktop Analytics and Windows Defender is now known as Microsoft Defender Antivirus
QUESTION 28
Your network contains an on-premises Active Directory domain named contoso.com that syncs to Azure Active Directory (Azure AD).
Which two actions should you perform? Each correct answer presents part of the solution.
Correct Answer: CE
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Co-management enables you to concurrently manage Windows 10 devices by using both Configuration Manager and Microsoft Intune.
Co-management requires Configuration Manager version 1710 or later and enrollment in Microsoft Intune.
Windows 10 devices must be hybrid Azure AD joined.
Reference:
https://docs.microsoft.com/en-us/mem/configmgr/comanage/overview
QUESTION 29
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might
meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your company has an Azure Active Directory (Azure AD) tenant named contoso.com that contains several Windows 10 devices.
When you join new Windows 10 devices to contoso.com, users are prompted to set up a four-digit pin.
You need to ensure that the users are prompted to set up a six-digit pin when they join the Windows 10 devices to contoso.com.
Solution: From the Azure Active Directory admin center, you modify the User settings and the Device settings.
A. Yes
B. No
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Instead, from the Azure Active Directory admin center, you configure automatic mobile device management (MDM) enrollment. From the Endpoint Management
admin center, you configure the Windows Hello for Business enrollment options.
Reference:
https://docs.microsoft.com/en-us/intune/protect/windows-hello
QUESTION 30
Your network contains an Active Directory domain named contoso.com. The domain contains computers that run Windows 10 and are joined to the domain.
You create an Azure Log Analytics workspace and deploy the Device Health solution.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Microsoft uses a unique commercial ID to map information from user computers to your Azure workspace. Copy your commercial ID key from any of the
Windows Analytics solutions you have added to your Windows Portal, and then deploy it to user computers.
Reference:
https://docs.microsoft.com/en-us/windows/deployment/update/windows-analytics-get-started
QUESTION 31
DRAG DROP
You use the Antimalware Assessment solution in Microsoft Azure Log Analytics.
From the Protection Status dashboard, you discover the computers shown in the following table.
You verify that both computers are connected to the network and running.
What is a possible cause of the issue on each computer? To answer, drag the appropriate causes to the correct computers. Each cause may be used once, more
than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/ga-ie/azure/security-center/security-center-install-endpoint-protection
QUESTION 32
You have a shared computer that runs Windows 10.
You discover that a malicious TTF font was used to compromise the computer.
You need to prevent this type of threat from affecting the computer in the future.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/
QUESTION 33
DRAG DROP
Your company has a Microsoft Azure Active Directory (Azure AD) tenant.
The company uses Microsoft Intune to manage iOS, Android, and Windows 10 devices.
The company plans to purchase 1,000 iOS devices. Each device will be assigned to a specific user.
You need to ensure that the new iOS devices are enrolled automatically in Intune when the assigned user signs in for the first time.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in
the correct order.
Select and Place:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/intune/device-enrollment-program-enroll-ios
QUESTION 34
Your network contains an Active Directory domain. The functional level of the forest and the domain is Windows Server 2012 R2.
The domain contains 500 computers that run Windows 10. All the computers are managed by using Microsoft System Center 2012 R2 Configuration Manager.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Co-management requires Configuration Manager version 1710 or later.
Reference:
https://docs.microsoft.com/en-us/sccm/comanage/overview#prerequisites
QUESTION 35
HOTSPOT
Your company uses Microsoft Intune to manage Windows 10, Android, and iOS devices.
You need to tell the users how to enroll their device in Intune.
What should you instruct the users to use for each device? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The Intune Company Portal app is used to enroll Android, iOS, macOS, and Windows devices
Reference:
https://docs.microsoft.com/en-us/intune-user-help/enroll-device-android-company-portal
https://docs.microsoft.com/en-us/intune-user-help/enroll-your-device-in-intune-ios
https://docs.microsoft.com/en-us/intune-user-help/enroll-your-device-in-intune-macos-cp
QUESTION 36
HOTSPOT
Your company has a Microsoft Azure Active Directory (Azure AD) tenant and computers that run Windows 10.
The Azure AD tenant has the users shown in the following table.
The device type restrictions in Intune are configured as shown in the following table:
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/intune-user-help/enroll-your-device-in-intune-android
QUESTION 37
HOTSPOT
Your network contains an Active Directory domain. Active Directory is synced with Microsoft Azure Active Directory (Azure AD).
There are 500 Active Directory domain-joined computers that run Windows 10 and are enrolled in Microsoft Intune.
You need to create a custom Microsoft Defender Exploit Guard policy, and then distribute the policy to all the computers.
What should you do? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml#manage-or-deploy-a-
configuration
https://docs.microsoft.com/en-us/intune/endpoint-protection-windows-10
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection
QUESTION 38
HOTSPOT
Your company has computers that run Windows 10 and are Microsoft Azure Active Directory (Azure AD)-joined.
You need to collect Windows events from the Windows 10 computers in Azure. The solution must enable you to create alerts based on the collected events.
What should you create in Azure and what should you configure on the computers? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/log-analytics-agent
QUESTION 39
You have a public computer named Public1 that runs Windows 10.
You need to view events associated with website phishing attacks on Public1.
A. Applications and Services Logs > Microsoft\Windows > DeviceGuard > Operational
B. Applications and Services Logs > Microsoft > Windows > Security-Mitigations > User Mode
C. Applications and Services Logs > Microsoft > Windows > SmartScreen > Debug
D. Applications and Services Logs > Microsoft > Windows > Microsoft Defender > Operational
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview#viewing-windows-
event-logs-for-microsoft-defender-smartscreen
QUESTION 40
You have a hybrid Microsoft Azure Active Directory (Azure AD) tenant, a Microsoft System Center Configuration Manager (Current Branch) environment, and a
Microsoft 365 subscription.
You have computers that run Windows 10 as shown in the following table.
A. Computer3 only
B. Computer1 and Computer2 only
C. Computer2 only
D. Computer1, Computer2, and Computer3
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/configmgr/comanage/overview
QUESTION 41
You have a computer named Computer1 that runs Windows 10.
You need to ensure that when User1 opens websites from untrusted locations by using Microsoft Edge, Microsoft Edge runs in an isolated container.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard
QUESTION 42
You have computers that run Windows 10 and are managed by using Microsoft Intune.
You need to ensure that only a trusted list of applications is granted write access to D:\Folder1.
Explanation/Reference:
Reference:
https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/
QUESTION 43
HOTSPOT
Your company uses Microsoft Endpoint Configuration Manager and purchases a Microsoft 365 subscription.
What should you do? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/configmgr/desktop-analytics/connect-configmgr
https://en.wikipedia.org/wiki/Microsoft_System_Center_Configuration_Manager
QUESTION 44
You need to enable Microsoft Defender Credential Guard on computers that run Windows 10.
A. Hyper-V
B. Microsoft Defender Application Guard
C. a guarded host
D. containers
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
QUESTION 45
DRAG DROP
You have a Microsoft Intune subscription that is configured to use a PFX certificate connector to an on-premises Enterprise certification authority (CA).
You need to use Intune to configure autoenrollment for Android devices by using public key pair (PKCS) certificates.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in
the correct order.
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/intune/protect/certificates-pfx-configure
QUESTION 46
HOTSPOT
You have a Microsoft 365 tenant that uses Microsoft Intune to manage personal and corporate devices. The tenant contains three Windows 10 devices as shown
in the following exhibit.
How will Intune classify each device after the devices are enrolled in Intune automatically? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-join
https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-register
Manage Apps and Data
Testlet 1
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be
additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the
time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits
and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in
this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next
section of the exam. After you begin a new section, you cannot return to this section.
General Overview
Litware, Inc. is an international manufacturing company that has 3,000 employees. The company has sales, marketing, research, human resources (HR),
development, and IT departments.
Litware has two main offices in New York and Los Angeles. Litware has five branch offices in Asia.
Existing Environment
During discovery, the company discovers a process where users are emailing bank account information of its customers to internal and external recipients.
Current Environment
The network contains an Active Directory domain that is synced to Microsoft Azure Active Directory (Azure AD). The functional level of the forest and the domain
is Windows Server 2012 R2. All domain controllers run Windows Server 2012 R2.
Litware has the computers shown in the following table.
Most of the employees in the sales department are contractors. Each contractor is assigned a computer that runs Windows 10. At the end of each contract, the
computer is assigned to a different contractor. Currently, the computers are re-provisioned manually by the IT department.
Problem Statements
Litware identifies the following issues on the network:
Employees in sales department computers is too time the Los Angeles office report slow Internet performance when updates are downloading. The
employees also report that the updates frequently consume considerable resources when they are installed. The Update settings are configured as shown in
the Updates exhibit. (Click the Updates button.)
Management suspects that the source code for the proprietary applications in Azure DevOps in being shared externally.
Re-provisioning theconsuming.
Requirements
Business Goals
Litware plans to transition to co-management for all the company-owned Windows 10 computers. Whenever possible, Litware wants to minimize hardware and
software costs.
Prevent the sales department employees from forwarding email that contains bank account information.
Ensure that Microsoft Edge Favorites are accessible from all computers to which the developers sign in.
Prevent employees in the research department from copying patented information from trusted applications to untrusted applications.
Technical Requirements
Litware identifies the following technical requirements for the planned deployment:
Exhibits
Updates
QUESTION 1
HOTSPOT
What should you include in the recommendation? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Prevent the sales department employees from forwarding email that contains bank account information.
Ensure that Microsoft Edge Favorites are accessible from all computers to which the developers sign in.
Prevent employees in the research department from copying patented information from trusted applications to untrusted applications.
Box 1:
Employees in the research department must be prevented from copying patented information from trusted applications to untrusted applications. This requires an
App protection policy.
App protection policies make sure that the app-layer protections are in place. For example, you can:
Require a PIN to open an app in a work context
Control the sharing of data between apps
Prevent the saving of company app data to a personal storage location
Box 2:
Employees in the sales department must be prevented from forwarding email that contains bank account information.
Azure Information Protection is a cloud-based solution that helps an organization to classify and optionally, protect its documents and emails by applying labels.
Labels can be applied automatically by administrators who define rules and conditions, manually by users, or a combination where users are given
recommendations.
Reference:
https://docs.microsoft.com/en-us/intune/app-protection-policy
https://docs.microsoft.com/en-us/azure/information-protection/what-is-information-protection
Manage Apps and Data
Testlet 2
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be
additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the
time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits
and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in
this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next
section of the exam. After you begin a new section, you cannot return to this section.
Overview
Contoso, Ltd., is a consulting company that has a main office in Montreal and two branch offices in Seattle and New York.
Contoso has the users and computers shown in the following table.
The company has IT, human resources (HR), legal (LEG), marketing (MKG) and finance (FIN) departments.
Contoso uses Microsoft Store for Business and recently purchased a Microsoft 365 subscription.
The company is opening a new branch office in Phoenix. Most of the users in the Phoenix office will work from home.
Existing Environment
The network contains an Active Directory domain named contoso.com that is synced to Microsoft Azure Active Directory (Azure AD).
All member servers run Windows Server 2016. All laptops and desktop computers run Windows 10 Enterprise.
The computers are managed by using Microsoft Endpoint Configuration Manager. The mobile devices are managed by using Microsoft Intune.
The naming convention for the computers is the department acronym, followed by a hyphen, and then four numbers, for example, FIN-6785. All the computers
are joined to the on-premises Active Directory domain.
Each department has an organizational unit (OU) that contains a child OU named Computers. Each computer account is in the Computers OU of its respective
department.
Intune Configuration
The device compliance policies in Intune are configured as shown in the following table.
The device compliance policies have the assignments shown in the following table.
The device limit restrictions in Intune are configured as shown in the following table.
Requirements
Planned Changes
Contoso plans to implement the following changes:
Provide new computers to the Phoenix office users. The new computers have Windows 10 Pro preinstalled and were purchased already.
Start using a free Microsoft Store for Business app named App1.
Implement co-management for the computers.
Technical Requirements
Contoso must meet the following technical requirements:
Ensure that the users in a group named Group4 can only access Microsoft Exchange Online from devices that are enrolled in Intune.
Deploy Windows 10 Enterprise to the computers of the Phoenix office users by using Windows Autopilot.
Monitor the computers in the LEG department by using Windows Analytics.
Create a provisioning package for new computers in the HR department.
Block iOS devices from sending diagnostic and usage telemetry data.
Use the principle of least privilege whenever possible.
Enable the users in the MKG department to use App1.
Pilot co-management for the IT department.
QUESTION 1
You need to meet the requirements for the MKG department users.
A. Assign the MKG department users the Purchaser role in Microsoft Store for Business
B. Download the APPX file for App1 from Microsoft Store for Business
C. Add App1 to the private store
D. Assign the MKG department users the Basic Purchaser role in Microsoft Store for Business
E. Acquire App1 from Microsoft Store for Business
Correct Answer: E
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/microsoft-store/distribute-apps-from-your-private-store
Manage Apps and Data
Question Set 3
QUESTION 1
Your company has a main office and six branch offices. The branch offices connect to the main office by using a WAN link. All offices have a local Internet
connection and a Hyper-V host cluster.
The company has a Microsoft Endpoint Configuration Manager deployment. The main office is the primary site. Each branch office has a distribution point.
All computers that run Windows 10 are managed by using both Configuration Manager and Microsoft Intune.
You plan to deploy the latest build of Microsoft Office 365 ProPlus to all the computers.
You need to minimize the amount of network traffic on the company’s Internet links for the planned deployment.
A. From Intune, configure app assignments for the Office 365 ProPlus suite. In each office, copy the Office 365 distribution files to a Microsoft Deployment
Toolkit (MDT) deployment share.
B. From Intune, configure app assignments for the Office 365 ProPlus suite. In each office, copy the Office 365 distribution files to a Configuration Manager
distribution point.
C. From Endpoint Configuration Manager, create an application deployment. Copy the Office 365 distribution files to a Configuration Manager cloud distribution
point.
D. From Endpoint Configuration Manager, create an application deployment. In each office, copy the Office 365 distribution files to a Configuration Manager
distribution point.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/deployoffice/deploy-office-365-proplus-with-system-center-configuration-manager-2012r2#distribute-the-office-365-proplus-
application-to-distribution-points-in-configuration-manager
QUESTION 2
HOTSPOT
Your company has a computer named Computer1 that runs Windows 10 Pro.
The company develops a proprietary Universal Windows Platform (UWP) app named App1. App1 is signed with a certificate from a trusted certification authority
(CA).
What should you do? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://www.windowscentral.com/how-enable-windows-10-sideload-apps-outside-store
https://docs.microsoft.com/en-us/windows/application-management/sideload-apps-in-windows-10
QUESTION 3
DRAG DROP
Your company uses Microsoft Intune. You have a Microsoft Store for Business account.
You need to ensure that you can deploy Microsoft Store for Business apps by using Intune.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in
the correct order.
NOTE: More than one order of answer choices is correct. You will receive credit for any of the correct orders you select.
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/intune/apps/windows-store-for-business
QUESTION 4
Your company has a Microsoft 365 subscription.
All the users in the finance department own personal devices that run iOS or Android. All the devices are enrolled in Microsoft Intune.
The company develops a mobile application named App1 for the finance department users.
You need to ensure that only the finance department users can download App1.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/intune/apps-add
QUESTION 5
HOTSPOT
You have a Microsoft Azure Active Directory (Azure AD) tenant named contoso.com. All Windows 10 devices have apps named App1, App2 and App3 installed
and are enrolled in Microsoft Intune.
What apps should you identify? To answer, select the appropriate options in the answer area,
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune
https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune#exempt-apps-from-wip-
restrictions
QUESTION 6
You have devices enrolled in Microsoft Intune as shown in the following table.
You create an app protection policy named Policy1 that has the following settings:
Platform: Windows 10
Protected apps: App1
Exempt apps: App2
Network boundary: Cloud resources, IPv4 ranges
You assign Policy1 to Group1 and Group2. You exclude Group3 from Policy1.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Policy1 is applied to all devices in Group1 and Group2. It is not applied to any devices in Group3, unless those devices are also members of Group1 or Group2.
Note: The phrase "You exclude Group3 from Policy1" is misleading. It means that Policy1 is not applied to Group3, rather than Group3 being blocked.
Incorrect answers:
B: Policy1 applies to Device2 as Policy1 is assigned to Group2.
C: Policy1 applies to Device1 as Policy1 is assigned to Group1. Policy1 also applies to Device2 as Policy1 is assigned to Group2.
D: Device3 is a member of Group3 only. Policy1 is not assigned to Group3.
Reference:
https://docs.microsoft.com/en-us/intune/app-protection-policies
QUESTION 7
HOTSPOT
Your network contains an Active Directory domain that is synced to Microsoft Azure Active Directory (Azure AD).
You have a Microsoft Office 365 subscription. All computers are joined to the domain and have the latest Microsoft OneDrive sync client (OneDrive.exe) installed.
On all the computers, you configure the OneDrive settings as shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Box 1:
Silently move known folders to OneDrive is enabled. Known folder include:
Desktop, Documents, Pictures, Screenshots, and Camera Roll
Box 2:
OneDrive Files On-Demand enables users to view, search for, and interact with files stored in OneDrive from within File Explorer without downloading them and
taking up space on the local hard drive.
Reference:
https://docs.microsoft.com/en-us/onedrive/redirect-known-folders
https://docs.microsoft.com/en-us/onedrive/plan-onedrive-enterprise
QUESTION 8
HOTSPOT
Users have iOS devices that are not enrolled in Microsoft 365 Device Management.
You create an app protection policy for the Microsoft Outlook app as shown in the exhibit. (Click the Exhibit tab.)
You need to configure the policy to meet the following requirements:
Prevent the users from using the Outlook app if the operating system version is less than 12.0.0.
Require the users to use an alphanumeric passcode to access the Outlook app.
What should you configure in an app protection policy for each requirement? To answer, select the appropriate options in the answer area.
Hot Area:
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/intune/app-protection-policy-settings-ios
QUESTION 9
You manage a Microsoft 365 environment that has co-management enabled.
All computers run Windows 10 and are deployed by using the Microsoft Deployment Toolkit (MDT).
You need to recommend a solution to deploy Microsoft Office 365 ProPlus to new computers. The latest version must always be installed. The solution must
minimize administrative effort.
What is the best tool to use for the deployment? More than one answer choice may achieve the goal. Select the BEST answer.
A. Microsoft Intune
B. Microsoft Deployment Toolkit
C. Office Deployment Tool (ODT)
D. a Group Policy object (GPO)
E. Microsoft System Center Configuration Manager
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/deployoffice/overview-of-the-office-2016-deployment-tool
QUESTION 10
You have a Microsoft 365 subscription.
You have 10 computers that run Windows 10 and are enrolled in mobile device management (MDM).
You need to deploy the Microsoft 365 Apps for enterprise suite to all the computers.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/windows/client-management/mdm/enterprise-app-management#application-management-goals
QUESTION 11
You have a Microsoft 365 subscription.
You need to deploy Microsoft 365 Apps for enterprise applications to Windows 10 devices.
A. From Microsoft Azure Active Directory (Azure AD), create an app registration.
B. From the Endpoint Manager admin center, create an app.
C. From the Endpoint Manager admin center, create an app configuration policy.
D. From the Endpoint Manager admin center, enable Microsoft Store for Business synchronization.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/intune/apps/apps-add-office365
QUESTION 12
You have Windows 10 devices that are managed by using Microsoft Intune. Intune and the Microsoft Store for Business are integrated.
You need to deploy the Remote Desktop modern app as an automatic install to the Windows 10 devices without user interaction.
Which three actions should you perform? Each correct answer presents part of the solution.
https://docs.microsoft.com/en-us/mem/intune/apps/apps-deploy
https://docs.microsoft.com/en-us/mem/intune/apps/windows-store-for-business
https://docs.microsoft.com/en-us/mem/intune/apps/apps-add
QUESTION 13
You have devices enrolled in Microsoft Intune as shown in the following table.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
App configuration policies are only required for iOS/iPadOS or Android apps
Reference:
https://docs.microsoft.com/en-us/mem/intune/apps/app-configuration-policies-overview
QUESTION 14
You have a Microsoft Intune subscription.
What is the minimum number of app configuration policies required to manage App1?
A. 1
B. 2
C. 3
D. 4
E. 5
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/mem/intune/apps/app-configuration-policies-overview
QUESTION 15
HOTSPOT
Your network contains an Active Directory Domain Services (AD DS) domain named contoso.com. The domain contains Windows 10 devices that are managed
by using Microsoft Endpoint Configuration Manager.
You plan to deploy Microsoft 365 Apps for enterprise to the devices by using Configuration Manager.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
Correct Answer:
Section: (none)
Explanation
Explanation/Reference:
Reference:
https://docs.microsoft.com/en-us/deployoffice/office-deployment-tool-configuration-options
https://docs.microsoft.com/en-us/deployoffice/overview-update-channels#semi-annual-enterprise-channel-overview